Your personal data (e.g. title, name, address, e-mail address, telephone number, bank details, credit card number) will only be processed by us in accordance with the provisions of German data protection law and the data protection law of the European Union (EU). In addition to the purposes of processing, recipients, legal bases, storage periods, the following regulations also inform you about your rights and the person responsible for your data processing. This privacy policy applies only to our websites. If you are redirected to other pages via links on our pages, please inform yourself there about the respective handling of your data. This website uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as inquiries you send to us. You can recognize an encrypted connection by the fact that the address bar of your browser changes from 'http://' to 'https://' and by the lock symbol in your browser line. Data that you transmit to us cannot be read by third parties if encryption is activated. § 2 Data processing for the performance of a contract
(1) Purpose of processing Your personal data, which you provide to us during the ordering process, is necessary for the conclusion of a contract with us. You are not obliged to provide your personal data. However, we cannot send you the goods without providing your address. For some payment methods, we need the necessary payment data in order to pass it on to a payment service provider commissioned by us (PayPal). The processing of your data entered during the order process is therefore carried out for the purpose of fulfilling the contract. If you send us an inquiry by e-mail, via a contact form, etc. before the conclusion of the contract, we will process the data obtained in this way for the implementation of pre-contractual measures and answer e.g. Your questions about our products. In the event of opening a customer account, your data (esp. name, address, payment method, e-mail and password) for the registration and creation of a customer login. With the stored data, you can shop with us faster and gain insight into your orders at any time. You can remove the account by sending us a message or using a delete function. (2) Legal basis The legal basis for this processing is Art. 6 para. 1 b) GDPR. (3) Categories of recipients Payment service providers (PayPal, Amazon Pay, Klarna), shipping service providers (DHL, DPD), hosting providers (lima-city), if applicable, merchandise management system, suppliers (dropshipping). (4) Storage period Contract data: up to the expiry of the statutory warranty periods (usually 2 years) and, if applicable, contractual warranty periods (up to 3 years). Commercial and tax data: 6 to 10 years (§ 257 HGB, § 147 AO). Pre-contractual data (e.g. enquiries): after 6 months at the latest, unless a contract is concluded. Customer data in the customer account: as long as the account exists; in the event of deletion without delay, unless there are any statutory retention obligations to the contrary. § 3 Comments
(1) Purpose of processing It is possible to write a comment. Your data (e.g. name/pseudonym, e-mail address, website) will then only be processed for the purpose of publishing your comment. (2) Legal basis The legal basis for this processing is Art. 6 para. 1 f) GDPR. (3) Legitimate interest Our legitimate interest is the public exchange of user opinions on certain topics and products. The publication serves, among other things, transparency and opinion-forming. Your interest in data protection is preserved, as you can publish your comment under a pseudonym. (4) Storage period Comments are saved as long as they are visible. On request or at the latest after 2 years of inactivity, we will delete the comments, provided that there are no legal obligations to the contrary. (5) RIGHT TO OBJECT You have the right to object at any time to data processing that is carried out on the basis of Art. 6 (para. 1 f) GDPR and is not used for direct marketing purposes for reasons arising from your particular situation. In the case of direct marketing, on the other hand, you can object to the processing at any time without giving reasons. § 4 PayPal Transactions
Please note that all PayPal transactions are subject to the PayPal Privacy Policy: https://www.paypal.com/myaccount/privacy/privacyhub?locale.x=en_GB Storage period: regulated by PayPal; We only store our own payment data for as long as necessary for processing, after that for a maximum of 10 years within the framework of statutory retention obligations.
§ 4a Payments in advance For the processing of advance payments, your personal data required for this purpose will be processed exclusively for the purpose of performing the contract in accordance with Art. 6 (1) (b) GDPR. The data will be deleted after the expiry of statutory retention periods, provided that there are no further legal obligations to store it.
§ 4b Payment via Amazon Pay
If you choose the Amazon Pay payment method during the ordering process, the payment will be processed by the payment service provider Amazon Payments Europe S.C.A., 38 avenue J.F. Kennedy, L-1855 Luxembourg ("Amazon Payments").
As part of the payment process, the data you provide as well as the data about your order will be transmitted to Amazon Payments. This is necessary to verify your identity, process the payment and prevent cases of abuse. The transfer takes place on the basis of Art. 6 (1) (b) GDPR (contract processing) and Art. 6 (1) (f) GDPR (legitimate interest in secure payment processing). Storage period: regulated by Amazon Pay; We only store our own payment data for as long as necessary for processing, after that for a maximum of 10 years within the framework of statutory retention obligations.
We also offer payment processing via Klarna. Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden ("Klarna").
Klarna offers different payment methods (e.g. purchase on account, instant payment, installment purchase). If you choose Klarna as your payment service provider, the personal data you enter (e.g. name, address, email address, IP address, payment data, order data) will be transmitted to Klarna so that the payment can be processed and Klarna can carry out a credit and identity check.
The data transfer takes place on the basis of Art. 6 (1) (b) GDPR (performance of the contract) and – if credit checks are carried out – on the basis of Art. 6 (1) (f) GDPR (legitimate interest in avoiding payment defaults). Storage period: regulated by Klarna; We only store our own payment data for as long as necessary for processing, after that for a maximum of 10 years within the framework of statutory retention obligations.
When using the payment methods offered by us (e.g. Amazon Pay, Klarna, PayPal, prepayment), personal data (e.g. name, address, e-mail address, payment information, transaction data) necessary for the processing of the payment is transmitted to the respective payment service provider. The data is processed there exclusively for the purpose of payment processing and, if necessary, for identity and credit checks.
We store this data for the duration of the statutory retention periods in accordance with § 147 AO and § 257 HGB (usually 10 years for data relevant to tax and commercial law). After that, the data will be deleted, provided that there are no further legal retention obligations or the data is no longer required for the performance of the contract.
§ 5 Web analysis with Google Analytics
(1) Purpose of processing This website uses Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Analytics 4 uses so-called "cookies", text files that are stored in your device and that enable us to analyse your use of the website. According to Google, Google Analytics 4 does not log or store individual IP addresses. Analytics doesn't provide accurate location data. Instead, the following metadata is derived from IP addresses: "city" (and the city's inferred latitude and longitude), "continent", "country", "region", "subcontinent" (and the ID-based equivalents). In the case of accesses originating from the EU, IP addresses are only used to derive location data and are then deleted immediately. They are not logged, are not accessible, and are not used for other use cases. When collecting metrics in Analytics, all IP lookups are performed on EU-based servers before traffic is routed to Analytics servers for processing. These servers are also located outside the EU. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide other services related to website activity and internet use to the website operator. (2) Legal basis "The use of Google Analytics only takes place with prior consent, in compliance with data protection regulations in accordance with the GDPR and in compliance with IP anonymization." The legal basis for this processing is your consent in accordance with Art. 6 para. 1a) GDPR. (3) Categories of recipients Google and its affiliates. 4. Transfer to a third country Google Ireland Limited is an affiliate of Google LLC. Google LLC is located in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043). The basis for the transfer of personal data from the EU to the US is the EU-US data protection framework. (5) Storage period 14 months (6) RIGHT OF WITHDRAWAL You can revoke your consent at any time with effect for the future via our cookie banner or via our website under "Manage cookies". You can also prevent the storage of cookies in general by setting your browser software accordingly; however, we would like to point out that in this case you may not be able to use all the functions of this website to their full extent. You can also prevent the collection of the data generated by the cookie and related to your use of the website by Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link: Opt out § 6 Web analysis
Microsoft Clarity, Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399, USA) (1)Purpose of processing Microsoft Clarity processes your data for the following purposes: Improving the usability of our websiteAnalysing user behaviour to better tailor content and features to visitors' needsDetecting and resolving technical problems on the websiteThe data collected is used exclusively for these purposes and not to personally identify individual users. Storage period: maximum 12 months; personal data is deleted or anonymised as soon as it is no longer needed for analysis purposes. (2)Legal basis Your data is processed on the basis of your consent in accordance with Art. 6 (1) (a) GDPR. This consent is given by your active behaviour, for example clicking on "Accept" in the cookie banner. You can revoke your consent at any time with effect for the future under "Manage cookies". (3)Data transfer to third countries The data can be transmitted to servers in the USA. The basis is the EU-US Data Privacy Framework. There is a Data Processing Agreement (DPA) with Microsoft for Clarity. The use is in accordance with the GDPR.
(4)Right to object You have the right to object to the processing of your personal data at any time. To withdraw your consent or object to data processing by Microsoft Clarity, you can: Configure your browser settings so that no data is collected (e.g., by enabling the "Do Not Track" setting). Revisit the cookie banner on our website and change the appropriate settings. Contact us (see section 1) for further assistance. Please note that the objection has no effect on processing that has already taken place. § 7 Information about cookies
"To obtain and manage consent to the use of cookies, we use the Gambio Cookie Consent Panel. With this tool, we ensure that cookies that are not technically necessary are only set after the explicit consent of the visitors, and we log all consents in accordance with the legal requirements."
(1) Purpose of processing Technically necessary cookies are used on this website. These are small text files that are stored in or from your internet browser on your computer system. These cookies make it possible, for example, to add several products to a shopping cart. (2) Legal basis The legal basis for this processing is Art. 6 para. 1 f) GDPR. (3) Legitimate interest Our legitimate interest is the functionality of our website. The user data collected by technically necessary cookies is not used to create user profiles. This safeguards your interest in data protection. (4) Storage period The technically necessary cookies are usually deleted when the browser is closed. Persistently stored cookies have a different lifespan of a few minutes to several years. Storage period: - Session cookies: until the end of the session. - Shopping cart cookies: up to 30 days. - Analytics cookies (e.g. Google Analytics): up to 14 months. - Marketing cookies: 30 days to 6 months.
(5) RIGHT TO OBJECT If you do not want these cookies to be stored, please disable the acceptance of these cookies in your internet browser. However, this may result in a functional restriction of our website. You can also delete permanently stored cookies at any time via your browser. § 8 Gravatar (only when used)
Purpose of processing To display avatars in the comments section, we may use the Gravatar service from Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA. A hash is formed from your email address and transmitted to Gravatar. Storage period: as long as consent is given; immediately deleted after revocation.
Legal basis "The use of Gravatar only takes place after your explicit consent via our cookie banner in accordance with Art. 6 (1) (a) GDPR; no connection to Gravatar's servers will be established without appropriate consent. Recipient categories Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA Withdrawal You can revoke your consent at any time with effect for the future by calling up the cookie banner "Manage cookies" again and adjusting the settings." Alternatively, you can use a pseudonym and an email address not associated with Gravatar in the comments section.
§ 9 Google Conversion Tracking
Purpose of processing This website uses Google Ads Conversion Tracking, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. If a user arrives at our website via a Google ad, a cookie is set for conversion tracking. This allows us to see how many users have taken a certain action (e.g. purchase, form filling). Storage period: Cookies are usually stored for up to 30 days. Legal basis The processing is carried out on the basis of your consent in accordance with Art. 6 (1) (a) GDPR. Recipient categories Google Ireland Limited, possibly Google LLC (USA). Data transfer to third countries The data can be transmitted to servers in the USA. The basis is the EU-US Data Privacy Framework. Withdrawal You can withdraw your consent at any time via our cookie banner.
§ 10 Google Tag Manager
Purpose of processing "Google Tag Manager itself does not process any personal data; however, processing takes place as soon as services that collect personal data are loaded via Tag Manager. These services are only activated after your express consent via our cookie banner in accordance with Art. 6 (1) (a) GDPR. Storage period: no storage of personal data by the Tag Manager itself; for integrated services, the respective storage periods apply (e.g. Analytics 14 months). Legal basis Art. 6 (1) (a) GDPR Recipient categories Google Ireland Limited, possibly Google LLC (USA). Withdrawal If you object to the use of analytics or marketing services, this will also be implemented via the Tag Manager. You can revoke your consent at any time with effect for the future by calling up the cookie banner under "Manage cookies" again and adjusting the settings."
§ 11 Google reCAPTCHA
Purpose of processing To protect against misuse of our forms (e.g. by bots), we use Google reCAPTCHA. Among other things, IP address, mouse movements, dwell time and, if necessary, other data are recorded. Storage duration: Data is only stored for as long as it is necessary for analysis, usually a few minutes to hours. Legal basis Art. 6 (1) (a) GDPR (consent) Recipient categories Google Ireland Limited, possibly Google LLC (USA). Data transfer to third countries United States; Secured via EU-US data protection framework. Withdrawal The consent can be revoked at any time under "Manage cookies".
§ 12 Adobe Fonts
Purpose of processing We use so-called web fonts, which are provided by Adobe, for the uniform display of fonts. When you call up a page, your browser loads the required web fonts directly from the Adobe servers. Storage period: no storage of personal data by us; Adobe can store log data for a maximum of 30 days. Legal basis The processing is carried out on the basis of your consent in accordance with Art. 6 (1) (a) GDPR. Recipient categories Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland. Data transfer to third countries United States; The basis is the EU-U.S. Data Privacy Framework. Withdrawal You can withdraw your consent at any time via our cookie banner under "Manage cookies".
§ 13 YouTube (with extended data protection mode)
Purpose of processing Our website embeds videos from the YouTube platform (Google Ireland Limited). Advanced privacy mode prevents YouTube from storing data without your active interaction. However, when a video is played, data (e.g. IP address, usage information) is transmitted to YouTube . Storage period: as long as you play the video and according to the storage periods of YouTube/Google. Legal basis Your consent in accordance with Art. 6 (1) (a) GDPR. Recipient categories Google Ireland Limited, possibly Google LLC (USA). Data transfer to third countries United States; The basis is the EU-US Data Privacy Framework. Withdrawal Consent can be withdrawn at any time via our cookie banner under "Manage cookies".
§ 14 Communication via WhatsApp Business Chat
Purpose of processing For customer communication, we offer WhatsApp (WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). If you contact us via WhatsApp, we will store your mobile number and communication history. Storage period: Communication data is deleted after the end of the communication, at the latest after 6 months, unless there are statutory retention obligations. Legal basis Your voluntary contact is considered consent in accordance with Art. 6 (1) (a) GDPR. Recipient categories WhatsApp Ireland Ltd. and, if applicable, Meta Platforms Inc. (USA)
Data transfer to third countries WhatsApp regularly transfers metadata to the USA. Secured via EU-US Data Privacy Framework. Withdrawal You can revoke your consent at any time with effect for the future by calling up the cookie banner under "Manage cookies" again and adjusting the settings."
§ 15 Redirects to Facebook, Instagram and LinkedIn
On our website you will find links to our company pages in the social networks Facebook, Instagram and LinkedIn. If you click on the corresponding logo or link, you will be redirected directly to our respective presence. Data transfer to the platform operators only takes place when you actively click on the link. Storage period: no storage by us; Storage periods depend on the respective providers.
Legal basis
"We only use simple links, no social media plugins with automatic data transfer." The link is based on Art. 6 para. 1 lit. f GDPR (legitimate interest in an appealing external presentation as well as the possibility of communicating with customers and interested parties).
Recipient Categories
- Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (for Facebook and Instagram)- LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
Data transfer to third countries It cannot be ruled out that data will be transferred to the USA. The basis is the EU-U.S. Data Privacy Framework, as long as the providers are certified.
(1) Purpose of processing When you register for the newsletter, your e-mail address will be used for advertising purposes, i.e. within the framework of the newsletter, we will inform you in particular about products from our range. For statistical purposes, we can evaluate which links are clicked in the newsletter. It is not clear to us which specific person clicked. You have given the following consent separately or, if applicable, expressly in the course of the ordering process: Subscribe to the newsletter. (2) Legal basis The legal basis for this processing is Art. 6 para. 1 a) GDPR. (3) Categories of recipients If applicable, newsletter dispatch provider (Gambio) (4) Storage period Storage period: during active login. After deregistration, storage for up to 3 years to prove consent (Art. 7 para. 1 GDPR). (5) Double opt-in procedure In order to record your consent to receive our newsletter in a legally compliant and comprehensible manner, we use the so-called double opt-in procedure. After registering via our online form, you will receive a confirmation email to the email address provided. Only when you click on the confirmation link contained in this e-mail will your registration be fully completed. This ensures that only you, as the owner of the email address, can subscribe to the newsletter.
(6) Right of withdrawal You can revoke your consent at any time with effect for the future. If you no longer wish to receive the newsletter, you can unsubscribe as follows: Via an unsubscribe link in the newsletter § 17 Note on order processing agreements for third-party services
To provide our services, we use external service providers (e.g. forhosting (lima-city), newsletter dispatch (Gambio) or web analysis). This ensures that these third-party providers process personal data exclusivelyon the basis of our instructions and within the framework of a contractually agreed order processing agreement (DPA) in accordance with Art. 28 GDPR. This ensures that your data is protected in accordance with the high requirements of data protection. Such a contract regulates the processing purposes, data security and compliance with legal requirements, among other things. Storage period: according to the respective service provider, no independent storage by us.
§ 18 Your rights as a data subject
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis us as the controller: 1. Right to information You can request information about your personal data processed by us within the framework of Art. 15 GDPR. 2. Right to rectification If the information concerning you is not (or no longer) accurate, you can request correction in accordance with Art. 16 GDPR. If your data is incomplete, you can request that it be completed. 3. Right to erasure You can request the deletion of your personal data under the conditions of Art. 17 GDPR. 4. Right to restriction of processing Within the framework of the requirements of Art. 18 GDPR, you have the right to demand a restriction of the processing of data concerning you. 5. Right to data portability In accordance with Art. 20 GDPR, you have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller. 6. Right to revoke the declaration of consent under data protection law In accordance with Art. 7 (3) GDPR, you have the right to revoke your declaration of consent under data protection law at any time. This does not affect the lawfulness of the processing carried out on the basis of consent before its revocation. 7. Right to lodge a complaint with a supervisory authority If you believe that the processing of personal data concerning you violates the GDPR, you have the right to lodge a complaint with a supervisory authority (in particular in the Member State of your residence, your place of work or the place of the alleged infringement) in accordance with Art. 77 GDPR. Please also note your right to object according to Art. 21 GDPR: a) General: reasoned objection required Is the processing of personal data concerning you - to safeguard our overriding legitimate interest (legal basis according to Art. 6 para. 1 f) GDPR) or - in the public interest (legal basis according to Art. 6 para. 1 e) GDPR), you have the right to object to processing at any time on grounds relating to your particular situation; this also applies to profiling based on the provisions of the GDPR. In the event of an objection, we will no longer process the personal data concerning you, unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. b) Special case of direct advertising: simple objection is sufficient If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object to such processing at any time and without giving any reason; this also applies to profiling, insofar as it is related to such direct advertising. If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
Data protection supervisor A data protection officer is not required for our company according to the legal requirements. We do not process personal data to an extent that would make it necessary to appoint a mandatory data protection officer under the German Federal Data Protection Act (BDSG) or the General Data Protection Regulation (GDPR). Our data processing processes are designed in accordance with legal requirements and are regularly reviewed. If the legal framework changes or the requirements for the appointment of a data protection officer are met, we will of course take the necessary measures immediately.
Data Controller: Florian Lau
Hydromot S.à r.l.
5, rue du Stade
L-6580 Rosport / LUXEMBOURG
Telephon: +352 267 43 080
shop@hydromot.lu