Privacy policy

Data Controller

Julia Schäfer
Hermann-Proske-Street
49716 Meppen, Germany

Email: heart.essence.sisters@web.de

Overview of Data Processing

The following summary lists the types of data processed and the purposes of their processing, and refers to the affected individuals.

Types of Data Processed

  • Inventory data.
  • Payment data.
  • Contact data.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication, and procedural data.

Categories of Affected Individuals

  • Customers.
  • Prospects.
  • Communication partners.
  • Users.
  • Business and contract partners.

Purposes of Processing

  • Provision of contractual services and customer service.
  • Handling contact inquiries and communication.
  • Security measures.
  • Direct marketing.
  • Reach measurement.
  • Tracking.
  • Office and organizational procedures.
  • Conversion measurement.
  • Management and response to inquiries.
  • Feedback.
  • Marketing.
  • Profiles with user-related information.
  • Providing our online services and user-friendliness.
  • Information technology infrastructure.

Herein, you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations in your or our country of residence may apply. If more specific legal bases are relevant in individual cases, we will inform you in our privacy policy.

  • Consent (Art. 6 (1) s. 1 lit. a GDPR) - The data subject has given their consent to the processing of their personal data for one specific purpose or several defined purposes.
  • Contract performance and pre-contractual inquiries (Art. 6 (1) s. 1 lit. b GDPR) - Processing is necessary for the fulfillment of a contract to which the data subject is a party, or for pre-contractual measures taken at the request of the data subject.
  • Legal obligation (Art. 6 (1) s. 1 lit. c GDPR) - Processing is necessary to fulfill a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 (1) s. 1 lit. f GDPR) - Processing is necessary to protect the legitimate interests of the controller or a third party unless the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data prevail.

In addition to the GDPR's data protection regulations, national data protection regulations apply in Germany. This includes, in particular, the Federal Data Protection Act (BDSG), which provides specific rules on the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, transmission, and automated individual decision-making, including profiling. It also governs data processing for employment purposes (§ 26 BDSG), especially regarding the establishment, execution, or termination of employment relationships and the consent of employees. Furthermore, state data protection laws of individual federal states may apply.

Security Measures

In accordance with legal requirements, considering the state of technology, implementation costs, and the nature, scope, circumstances, and purposes of the processing, as well as different likelihoods and severity of risks to the rights and freedoms of natural persons, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.

These measures include ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as the access to, input of, disclosure of, availability of, and segregation of the data. Furthermore, we have established procedures to ensure the exercise of data subject rights, data deletion, and response to data threats. We also consider data protection during the development or selection of hardware, software, and procedures, according to the principle of data protection through technology design and data-protection-friendly presets.

Transfer of Personal Data

In the course of processing personal data, it may be transferred to or disclosed to other entities, companies, legally independent organizational units, or persons. Recipients of this data may include service providers tasked with IT functions or providers of services and content integrated into a website. In such cases, we observe legal requirements and conclude contracts or agreements with the recipients of your data that serve to protect your data.

Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or European Economic Area (EEA)) or this occurs when using third-party services or disclosing or transmitting data to other persons, bodies, or companies, this is done in accordance with legal requirements.

Unless there is explicit consent or a contractual or legal necessity for the transfer, we process, or have the data processed, only in third countries with a recognized level of data protection, contractual obligations through so-called standard protection clauses of the EU Commission, the presence of certifications, or binding internal data protection regulations (Art. 44 to 49 GDPR, EU Commission information page: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).

Data Deletion

The data we process will be deleted in accordance with legal requirements as soon as the consents permitting the processing are revoked or other permissions end (e.g., if the purpose for processing this data no longer exists or the data is not required for the purpose). If data is not deleted because it is necessary for other legally permissible purposes, its processing will be limited to these purposes. This means the data is blocked and not processed for other purposes. This applies, for instance, to data that must be retained for commercial or tax reasons or whose storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person.

Our privacy notices may also contain further information on the retention and deletion of data, which primarily applies to the respective processing.

Using Cookies

Cookies are small text files or other storage notes that save information on end devices and read information from them. For instance, they save login statuses in a user account, shopping cart contents in an e-shop, accessed content, or used features of an online service. Cookies can also be used for various purposes, such as functionality, security, and convenience of online offers, and to create analyses of visitor flows.

Consent Notice: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users unless it's not legally required. Consent is particularly unnecessary when the storage and retrieval of information, including from cookies, are essential to provide users with the expressly desired telemedia service (i.e., our online service). This typically includes cookies with functions related to the display and operability of the online offer, load balancing, security, saving user preferences, or other main and ancillary functions of the online service requested by users. The revocable consent is clearly communicated to users and contains information about the specific cookie usage.

Data Protection Legal Bases: The data protection legal basis on which we process users' personal data with cookies depends on whether we ask users for consent. If users agree, the legal basis for processing their data is the declared consent. Otherwise, data processed with cookies is based on our legitimate interests (e.g., efficient operation of our online offer and improving its usability), or when this is part of fulfilling our contractual obligations, or when the use of cookies is essential to meet our contractual obligations. We clarify the purposes for which we process cookies in this privacy policy or as part of our consent and processing processes.

Storage Duration: Regarding storage duration, we differentiate between the following types of cookies:

  • Temporary Cookies (also session cookies): They are deleted after a user leaves an online service and closes their device (e.g., browser or app).
  • Permanent Cookies: These remain stored even after closing the device. For example, they can save login status or display preferred content when the user revisits a website. They can also be used for reach measurement. Unless we provide explicit information about the type and storage duration of cookies (e.g., when obtaining consent), users should assume that cookies are permanent and can last up to two years.

General Notes on Revocation and Objection (Opt-Out): Users can revoke their consent at any time and object to processing based on legal requirements in Art. 21 GDPR. Users can also declare their objection via their browser settings, e.g., by deactivating the use of cookies (which may also limit our online services' functionality). Objections to the use of cookies for online marketing can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.

Legal Bases: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f GDPR).

Business Services

We process data from our contractual and business partners, e.g., customers and prospects (collectively referred to as "contractual partners"), within contractual or similar legal relationships and related actions and within communication with contractual partners (or pre-contractually), e.g., to answer inquiries.

We process this data to fulfill our contractual obligations, especially to provide agreed-upon services, updates, and remedy any service disruptions. Additionally, we process the data to safeguard our rights and for administrative tasks associated with these duties and company organization. We also process the data based on our legitimate interests in proper and efficient business management and security measures to protect our contractual partners and our business from misuse, threats to their data, secrets, information, and rights (e.g., involving telecommunications, transport, and other auxiliary services, subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Under current law, we only share the data of contractual partners with third parties if necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed about other processing forms, e.g., for marketing purposes, in this privacy policy.

We inform contractual partners about the necessary data for the aforementioned purposes before or during data collection, e.g., in online forms, through special marking (e.g., colors) or symbols (e.g., asterisks), or in person.

We delete the data after the expiry of legal warranty and similar obligations. In principle, this is after 4 years, unless the data is stored in a customer account, e.g., as long as they need to be kept for legal archiving reasons. The legal retention period for tax-relevant documents and for ledgers, inventories, opening balances, annual financial statements, instructions and other organizational documents, and booking receipts is ten years. For received commercial and business letters and copies of sent commercial and business letters, it's six years. The period begins at the end of the calendar year in which the last entry was made in the book, the inventory, opening balance, annual financial statement, or management report was prepared, the commercial or business letter was received or sent, or the booking receipt was created.

If we use third-party providers or platforms to provide our services, the terms and conditions and privacy notices of the respective third-party providers or platforms apply in the relationship between the users and the providers.

Provision of the online offering and web hosting

We process user data to be able to provide our online services to them. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

  • Processed types of data: Usage data (e.g., visited web pages, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
  • Affected individuals: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices, such as computers, servers, etc.); Security measures.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Our website is hosted by Shopify. The provider is Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland. The provider processes personal data transmitted via the website, e.g. content, usage, meta/communication data, or contact details, within the EU. Further information can be found in the provider's privacy policy at https://www.shopify.de/legal/datenschutz.

It is our legitimate interest to provide a website, thus the legal basis for the described data processing is Art. 6 para. 1 sentence 1 lit. f GDPR.

Contact Form: When users contact us via our contact form, email, or other means of communication, we process the data provided to address the concerns shared. Legal basis: Contractual performance and preliminary contractual inquiries (Art. 6 para. 1 s. 1 lit. b GDPR), Legitimate interests (Art. 6 para. 1 s. 1 lit. f GDPR).

Newsletter and Electronic Notifications

We only send newsletters, emails, and other electronic notifications (hereinafter "Newsletter") with the consent of the recipients or a legal permission. If the content of a newsletter is specifically described during registration, it determines the users' consent. Our newsletters generally contain information about our services and us.

To subscribe to our newsletters, providing your email address is usually sufficient. However, we might ask you for a name for a personalized salutation or other details, if necessary, for the purposes of the newsletter.

Double-Opt-In Procedure: The newsletter registration generally follows a so-called Double-Opt-In procedure. This means that, after registration, you will receive an email asking you to confirm your subscription. This confirmation is required to prevent unauthorized sign-ups with other people's email addresses. Newsletter registrations are logged to prove the registration process according to legal requirements. This includes logging the time of registration, confirmation, and the IP address. Any changes to your data stored with the mailing service provider are also documented.

Deletion and Restriction of Processing: We may store deregistered email addresses for up to three years based on our legitimate interests before deleting them to prove a previously granted consent. Processing of these data is limited to the potential defense of claims. An individual deletion request is always possible, provided the former existence of consent is confirmed. In case of obligations for permanent observation of objections, we reserve the right to store the email address for this purpose in a blocklist ("Blocklist").

Logging of the registration process is based on our legitimate interests to prove its proper execution. If we commission a service provider for email dispatch, it is based on our legitimate interests in an efficient and secure shipping system.

Content: Information about us, our services, promotions, and offers.

  • Processed Data Types: Inventory data (e.g., names, addresses); contact data (e.g., email, phone numbers); meta, communication, and procedure data (e.g., IP addresses, timestamps, identification numbers, consent status); usage data (e.g., visited websites, interest in content, access times).
  • Affected Persons: Communication partners.
  • Purposes of Processing: Direct marketing (e.g., via email or post).
  • Legal Basis: Consent (Art. 6 para. 1 s. 1 lit. a GDPR).
  • Opt-Out Option: You can cancel our newsletter subscription at any time, i.e., revoke your consent or object to further receipt. A link to cancel the newsletter can be found at the end of each newsletter, or you can use one of the contact options provided, preferably email.

Additional information on processing procedures, methods, and services:

Measurement of Open and Click Rates: Newsletters contain a so-called "web-beacon", i.e., a pixel-sized file retrieved from our server or that of our mailing service provider when the newsletter is opened. In this process, technical information, such as browser details, your system, IP address, and retrieval time, are collected. These details are used to technically improve our newsletters based on the technical data or target groups and their reading behavior. The analysis also determines when newsletters are opened and which links are clicked. This information is associated with individual newsletter recipients and stored in their profiles until deletion. The evaluations help us understand our users' reading habits and adjust or send different content according to our users' interests.

Advertising Communication via Email, Mail, Fax, or Phone

We process personal data for advertising communications, which can be carried out through various channels, e.g., email, phone, mail, or fax, in accordance with legal requirements.

Recipients have the right to revoke consents at any time or to object to advertising communication at any time.

After revocation or objection, we store the data necessary to prove the previous authorization for contacting or sending for up to three years after the end of the year of revocation or objection based on our legitimate interests. The processing of these data is limited to the potential defense of claims. Based on the legitimate interest to permanently consider the revocation or objection of users, we also store the data required to avoid renewed contact (e.g., email address, phone number, name depending on the communication channel).

  • Processed Data Types: Inventory data (e.g., names, addresses); contact data (e.g., email, phone numbers).
  • Affected Persons: Communication partners.
  • Purposes of Processing: Direct marketing (e.g., via email or post).
  • Legal Basis: Consent (Art. 6 para. 1 s. 1 lit. a GDPR); Legitimate interests (Art. 6 para. 1 s. 1 lit. f GDPR).

Web Analysis, Monitoring, and Optimization

Web analysis (also referred to as "reach measurement") is used to evaluate the visitor flows of our online offer and can encompass behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, for instance, we can determine the times when our online offer or its features or content are most frequently used or invite repeat usage. We can also identify areas in need of optimization.

In addition to web analysis, we also employ testing methods to, for example, test and optimize different versions of our online offer or its components.

Unless stated otherwise, for these purposes, profiles, i.e., data consolidated into a single use case, can be created, and information can be stored and read from a browser or device. Information collected includes especially visited web pages and their elements, as well as technical details like the browser used, the computer system used, and details about usage times. If users have consented to the collection of their location data to us or to the providers of the services we use, location data can also be processed.

IP addresses of users are also saved. However, we use an IP masking method (i.e., pseudonymization by shortening the IP address) to protect users. Generally, clear data of users (e.g., email addresses or names) are not stored within the context of web analysis, A/B testing, and optimization, but rather pseudonyms. This means that neither we nor the software providers we use know the actual identity of the users, but only the information stored in their profiles for the respective processes.

  • Data Processed: Usage data (e.g., visited web pages, interest in content, access times); meta-, communication- and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
  • Affected Individuals: Users (e.g., website visitors, users of online services).
  • Processing Purposes: Reach measurement (e.g., access statistics, detection of returning visitors); profiles with user-related information (creation of user profiles); tracking (e.g., interest/behavioral profiling, use of cookies); provision of our online offer and user-friendliness.
  • Safety Measures: IP masking (pseudonymization of the IP address).
  • Legal Basis: Consent (Art. 6 Para. 1 S. 1 lit. a GDPR).

Online Marketing

We process personal data for online marketing purposes, which can particularly include the marketing of advertising spaces or the presentation of promotional and other content (collectively referred to as "content") based on potential user interests and the measurement of its effectiveness.

For these purposes, user profiles are created and stored in a file (so-called "cookie") or similar methods are used through which the data relevant for the presentation of the aforementioned content is stored for the user. This information can include viewed content, visited web pages, online networks used, communication partners, technical data, such as the browser used, the computer system, details about usage times, and used features. If users have consented to the collection of their location data, this can also be processed.

IP addresses of users are also stored. However, we use available IP masking methods (i.e., pseudonymization by shortening the IP address) to protect users. In general, within the context of online marketing procedures, clear data of users (e.g., email addresses or names) are not stored, but rather pseudonyms. This means neither we nor the providers of online marketing procedures know the actual identity of users, but only the information stored in their profiles.

Information in profiles is usually stored in cookies or by similar methods. These cookies can later be read and analyzed for content presentation on other websites using the same online marketing procedure and supplemented with further data and stored on the online marketing procedure provider's server.

In exceptional cases, clear data can be assigned to the profiles. This is the case when users, for example, are members of a social network whose online marketing procedures we use, and the network links the users' profiles with the aforementioned data. We kindly ask you to note that users can make additional agreements with providers, e.g., by giving consent during registration.

We typically only gain access to aggregated information about the success of our advertisements. However, through so-called conversion measurements, we can check which of our online marketing procedures led to a so-called conversion, i.e., for example, a contract conclusion with us. Conversion measurement is used solely for analyzing the success of our marketing measures.

Unless stated otherwise, please assume that used cookies are stored for a period of two years.

  • Types of data processed: Usage data (e.g., websites visited, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, time details, identification numbers, consent status).
  • Affected individuals: Users (e.g., website visitors, users of online services).
  • Purpose of processing: Reach measurement (e.g., access statistics, recognition of returning visitors); Tracking (e.g., interest/behavior-related profiling, use of cookies); Marketing; Profiles with user-related information (creation of user profiles); Conversion measurement (measurement of the effectiveness of marketing measures).
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal bases: Consent (Art. 6 Para. 1 S. 1 lit. a GDPR); Legitimate interests (Art. 6 Para. 1 S. 1 lit. f GDPR).
  • Possibility to object (Opt-Out): We refer to the privacy notices of the respective providers and the objection options (so-called "Opt-Out") provided for the providers. If no explicit opt-out option has been given, there is, on the one hand, the possibility to switch off cookies in the settings of your browser. However, this can limit the functions of our online offer. We, therefore, additionally recommend the following opt-out options, which are offered in summary for specific areas: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-regional: https://optout.aboutads.info.

Further notes on processing processes, procedures, and services:

Google Ads and Conversion Tracking: An online marketing method aiming to display content and advertisements within the service provider's advertising network (e.g., in search results, videos, on web pages, etc.) to users who presumably have an interest in these ads. Additionally, we measure the conversion of the advertisements, i.e., whether users have been prompted to interact with the ads and to use the promoted offers (so-called conversion). However, we only receive anonymous information and no personal information about individual users. Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6 Para. 1 S. 1 lit. a GDPR), Legitimate Interests (Art. 6 Para. 1 S. 1 lit. f GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Further Information: Types of processing and processed data: https://privacy.google.com/businesses/adsservices; Data processing terms between controllers and standard contract clauses for third country data transfers: https://business.safety.google/adscontrollerterms.

Google AdSense with Personalized Ads: We use the Google AdSense service with personalized ads, which displays advertisements within our online offer, and we receive compensation for their display or other use. Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6 Para. 1 S. 1 lit. a GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Further Information: Types of processing and processed data: https://privacy.google.com/businesses/adsservices; Data processing terms for Google advertising products and standard contract clauses for third country data transfers: https://business.safety.google/adscontrollerterms.

Google AdSense with Non-Personalized Ads: We use the Google AdSense service with non-personalized ads, which displays advertisements within our online offer, and we receive compensation for their display or other use. Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Consent (Art. 6 Para. 1 S. 1 lit. a GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Further Information: Types of processing and data processed: https://privacy.google.com/businesses/adsservices; Google Ads Controller-Controller Data Protection Terms and standard contractual clauses for data transfers to third countries: https://business.safety.google/adscontrollerterms.

Amendment and Update of the Privacy Policy

We kindly ask you to regularly inform yourself about the content of our privacy policy. We will adjust the privacy policy as soon as changes to the data processing we perform make this necessary. We will inform you as soon as the changes require an action on your part (e.g., consent) or another individual notification.

Please note that if we provide addresses and contact information of companies and organizations in this privacy policy, addresses might change over time, and we ask you to verify details before making contact.

Rights of the Affected Individuals

As a data subject according to the GDPR, you have various rights, especially arising from Art. 15 to 21 GDPR:

  • Right to Object: You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you, which is based on Art. 6 Para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for such advertising; this also applies to profiling, as far as it is associated with such direct advertising.

  • Right to Withdraw Consent: You have the right to withdraw your consent at any time.

  • Right of Access: You have the right to request confirmation whether relevant data are processed and to be informed about these data and to receive further information and a copy of the data in accordance with legal requirements.

  • Right to Rectification: You have the right to request the completion of data concerning you or the correction of inaccurate data concerning you, according to legal requirements.

  • Right to Erasure and Restriction of Processing: You have the right to request that data concerning you be deleted immediately or, alternatively, to demand a restriction on the processing of the data in accordance with legal requirements.

  • Right to Data Portability: You have the right to receive data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format or to request their transmission to another controller.

  • Right to Complain: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement if you believe that the processing of personal data concerning you violates the provisions of the GDPR.