
Data Protection Statement

As of: 11/07/2018

Best Secret GmbH takes the protection of your personal data very seriously and collects and uses your personal data only in the scope of the applicable statutory provisions.

So that you can feel safe when visiting our website, we provide an overview below of how Best Secret GmbH ensures this protection and what kind of data we collect for what purpose. The data protection statement is available on our website at any time.

1. Controller and Data Privacy Officer

The Controller for processing of your personal data is Best Secret GmbH, Margaretha-Ley-Ring 10, D-85609 Aschheim, Germany, hereinafter: BestSecret. BestSecret has designated a data protection officer:

 
Data processing controller:
Best Secret GmbH, represented by Marian Schikora, Daniel Schustermann and Georg Griesemann
Margaretha-Ley-Ring 10, 85609 Aschheim, Germany
Phone: +49 (0) 89 / 357 68 04 40
Email: service@bestsecret.com

Data protection officer of the controller:
Best Secret GmbH, Data protection officer
Margaretha-Ley-Ring 10, 85609 Aschheim, Germany
Email: datenschutz@bestsecret.com

2. General data collection when calling our website

If you use our website for information only, i.e. if you do not register or otherwise submit any information to us, we will only collect the personal data your browser submits to our server. These data are technically required for us in order to show our website to you and to ensure stability and safety (the legal basis for this is our legitimate interest pursuant to sect. 6 para. 1 s. 1 lit. f GDPR).

For technical reasons, these are saved by default as logfiles (protocol files).

| Data | Purpose of processing | Legal basis of processing | Duration of storage |
| --- | --- | --- | --- |
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call | Optimised website representation; ensuring proper website operation | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 21 days at most |
| IP address | Ensuring proper website operation | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 21 days at most |

3. Data collection on login/registration on our website

If you log in or register at www.BestSecret.com, personal, behaviour-related and technical data will be saved.

Technical data will be saved anonymised and evaluated. Anonymised means that we cannot assign the data to a determined or determinable natural person, or that we would do so only with disproportional effort of time, costs and labour. We will evaluate these anonymised data in order to further improve the function of the shop and to make it more user-friendly.

In the scope of reconciliation of interests according to sect. 6 para. 1 lit. f GDPR, we have observed and considered our interest in provision of the data and your interest in data-protection-compatible processing of your personal data.

The following data are required for provision of our service in order to offer you our website and to ensure stability and safety, in particular to protect against abuse. Accordingly, we can, while ensuring data protection aligned with the state of the art, process these data, while appropriately considering your interest in processing them in a manner compatible with data protection.

| Data | Purpose of processing | Legal basis of processing | Duration of storage |
| --- | --- | --- | --- |
| Personal information such as: Name, email address, ... | Registration purposes; customer communication | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after expiration of purpose or until expiration of the obligation to preserve business records relating to commercial and tax law. |
| Behaviour-related data such as: Last login, registration date, visited product pages, ... | Customer communication; measure of success; determination of target group for advertising purposes | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after expiration of purpose, no later than 90 days after membership ends |

 

Collection of the data for provision of the website and recording of the data in logfiles is mandatory for operation of the website. Accordingly, the user cannot object to this.

4. Data collection and use in the scope of provision

The information that we receive from you helps us process your orders as smoothly as possible, to improve our service to you and to prevent abuse and fraud.

We use your data for the processing of orders and payments, delivery of the goods and rendering of services. In the scope of order processing, e.g. the service providers used by us here (such as transporters, logisticians, banks) will receive the data needed to process orders and purchase orders.

Whether additional data, such as the email address, should be passed on to report the specific delivery date or not can be indicated and changed in the ordering process or at any time in your personal settings.

In the scope of processing of payments, we will pass on your payment data to the charged service provider (i) TeleCash GmbH & Co. KG, (ii) Wirecard Bank AG and (iii) PayPal Deutschland GmbH. For more detailed information on data protection at these providers, also see their websites.

For more detailed information on data protection on this, see our data protection information for customers that we have provided to you here: Link to information requirements

5. Cookies

We use cookies in order to improve our advertising offer and to optimise it. Cookies are small text files that are stored on your computer's operating system when you call our website. Cookies contain, among others, a characteristic character sequence that permits unique identification of the browser when calling the website again.

Cookies save further information, such as your language settings, the duration of the visit to our website or specific input made there. This avoids having to enter all the required data again for every use. Cookies also enable us to recognise your preferences and to align our website with your areas of interest.

5.1 Type of cookies used

  • a) Technically necessary cookies

    We use cookies in order to make our website more user-friendly. Some elements of our website require identification of the calling browser even after a page change.

    Technically necessary cookies are not necessarily required to display the website. Some functions of the website, such as the shopping basket, contact form, etc. cannot be used properly without this cookie, however. Therefore, the user has no way to object to this; deactivation of these cookies can take place by setting the respective browser.

  • b) Cookies for range measurement and marketing purposes

    Based on a cookie technology, data are collected for optimisation of our advertisements and the entire online offer. These data are not used to identify you personally, but serve only for pseudonymised evaluation of use of the website. Your data will never be combined with the personal data stored by us. With this technology, we can present relevant contents to you (advertisements and/or special offers and services). Our target here is to make our offers as attractive as possible to you and to present products and services that correspond to your areas of interest.

    Our websites also use additional retargeting technologies. We use these technologies in order to make the online offer more interesting for you. This technology enables us to place personalised advertisements to you on the websites of our partners. We are certain that the display of personalised, interest-specific advertisements for the internet user is more interesting than advertisements that do not have any such personal references. These advertising media on the sites of our partners are displayed based on cookie technology and analysis of the previous usage behaviour. This form of advertising takes place entirely pseudonymised. No personal data are stored and no user profiles are combined with your personal data. Most browsers accept cookies automatically. If you want to prevent storage of cookies, you can select “Do not accept cookies” in your browser settings. How this works in detail can be taken from the instructions of your browser provider. You can delete cookies that are filed on your computer at any time. However, please note that our online offer can only be used with restrictions without cookies.

    The legal basis for this is our legitimate interest pursuant to sect. 6 para. 1 s. 1 lit. f GDPR.

Below, we name the currently used services and technologies in detail:

6. Optimizely

We use the software Optimizely for improving the user experience on our websites. We can use Optimizely to test how changes to our websites (e.g. images, texts) affect user behaviour. Optimizely uses cookies on end devices of the users for this purpose only. Optimizely does not store any IP addresses or personal data of users. Learn more about data processing by Optimizely at https://www.optimizely.com/privacy. You can deactivate tracking of Optimizely for your end device at any time by following the steps described in https://www.optimizely.com/opt_out.

| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
| --- | --- | --- | --- | --- |
| Optimizely, 631 Howard Street, Suite 100 San Francisco, CA 94105, USA | Contract processor | YES | USA | EU-US Privacy Shield |

| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
| --- | --- | --- | --- |
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, name and variation of website browsed, device ID | A/B test evaluation | Sect. 6 para. 1 s. 1 lit. f GDPR | 12 months at most, currently 30 days |

7. Google Tag Manager

For reasons of transparency, please note that we use Google Tag Manager. Google Tag Manager itself does not record any personal data. Tag Manager makes it easier for us to integrate and manage our tags. Tags are small code elements that serve, among others, to measure traffic and visitor behaviour, to record the effects of online advertisements and social channels, remarketing or retargeting and setting up alignment with target and testing and optimising websites. For further information on the Google Tag Manager, see https://www.google.com/analytics/tag-manager/use-policy/.

| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
| --- | --- | --- | --- | --- |
| Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Contract processor | YES | USA | EU-US Privacy Shield |

8. Google Analytics

This website uses Google Analytics, a web analysis service of Google Inc.

Google Analytics uses “cookies”, i.e. text files that are stored on your computer and that permit analysis of your use of the website. The information produced by the cookie regarding your use of this website is usually transferred to a server of Google in the USA and saved there. Due to activation of IP anonymisation on these websites, your IP address will be abbreviated first by Google within member states of the European Union or in other contracting states of the convention on the European Economic Area. Only in exceptions will your full IP address be transferred to a server of Google in the USA and abbreviated there. The IP address submitted by your browser in the scope of Google Analytics will not be combined with any other data of Google. On the order of the operator of this website, Google will use this information to evaluate your use of the website, in order to compile reports on the website activities and to render further services connected to website use and internet use towards the website operator. These purposes also constitute our justified interest in data processing. The legal basis for use of Google Analytics is § 15 para. 3 TMG or sect. 6 para. 1 lit. f GDPR. The data sent by us and linked to cookies, user IDs (e.g. User-ID) or advertising IDs are automatically deleted after 14 months. Erasure of data the archiving period of which has expired shall take place automatically once per month. For more detailed information on usage conditions and data protection, see www.google.com/analytics/terms or under https://policies.google.com.

You may prevent saving of the cookies by making the corresponding settings in your browser software; however, note that you may be unable to fully use all functions of the website in such a case. You may furthermore prevent recording of the data generated by the cookie and referring to your use of the website (incl. your Internet Protocol address) by Google and processing of these personal data by Google by downloading and installing a browser add-on. Opt-out cookies prevent the future recording of your personal data when visiting this website.

| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
| --- | --- | --- | --- | --- |
| Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Contract processor | YES | USA | EU-US Privacy Shield |

| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
| --- | --- | --- | --- |
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Evaluation of customer behaviour | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 26 months at most |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Evaluation of customer behaviour | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 26 months at most |
| User ID, device ID | Evaluation of user behaviour on different devices/browsers | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 26 months at most |

9. Google AdWords, Audiences, and Conversion Tracking

In order to draw attention to our services, we place Google AdWords advertisements and use Google Conversion-Tracking and the Google Tag Manager in the scope of this for the purpose of personalised interest- and site-based online advertisements. The option of anonymising the IP-addresses is controlled via an internal setting in the Google Tag Manager that is not visible in the source of this page. This internal setting is made so that the anonymisation of IP addresses required by the Federal Data Protection Act is achieved.

The ads are displayed after search requests on websites of the Google advertising network. Detailed information on the Google advertising network can be found at https://support.google.com/adwords/answer/1752334?hl=en. We are able to combine our ads with certain search terms. We can use cookies to place ads on our website based on the previous visits of a user.

When clicking an ad, Google sets a cookie on the user's computer. Further information on the cookie technology used can also be found among the notes of Google on the website statistics under https://services.google.com/sitestats/en.html and in the data protection provisions under https://policies.google.com/privacy?hl=en.

With the help of this technology, Google and we as the customer receive information that a user clicked an ad and has been forwarded to our websites. The information acquired here is used only for a statistical evaluation for ad optimisation. We will not receive any information with which the visitors can be identified in person. The statistics provided to us by Google contain the overall number of users who clicked one of our ads and, if applicable, whether they were forwarded to a page of our website with a conversion tag. We can use these statistics to determine for which search terms our ad was clicked particularly often and which ads lead to contact by the user via the contact form.

If you do not wish this, you can prevent storage of the cookie required for these technologies, e.g. in the settings of your browser. In this case, your visit will not be included in the user statistics.

You are also able to select the types of Google ads or deactivate interest-related ads on Google in the ad settings (see https://www.google.com/settings/ads/anonymous?hl=en).

However, we and Google continue to receive the statistical information on how many users visited the page when. If you do not want to be included in this statistic either, you may prevent this by using additional programs for your browser.

| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
| --- | --- | --- | --- | --- |
| Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Contract processor | YES | USA | EU-US Privacy Shield |

| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
| --- | --- | --- | --- |
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 26 months at most |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 26 months at most |

10. Google DoubleClick

Furthermore, we use DoubleClick, a service of Google Inc. DoubleClick uses cookies to place user-based ads. The cookies recognise which ad has already been shown in your browser and whether you called a website using a displayed ad. The cookies do not record any personal information and also cannot be connected to these.

If you do not want to receive any user-based advertisements you can deactivate placement of ads using the ad settings of Google.

For more information on how Google uses cookies, see the data protection statement of Google.

| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
| --- | --- | --- | --- | --- |
| Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Contract processor | YES | USA | EU-US Privacy Shield |

| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
| --- | --- | --- | --- |
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 26 months at most |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 26 months at most |

11. Hotjar

Our website has Hotjar integrated (https://www.hotjar.com). Hotjar enables us to record and evaluate user behaviour (e.g. mouse movements, clicks, scrolling height) on our websites. For this purpose, Hotjar uses cookies on end units of the users and is able to save the data of users anonymised, e.g. concerning browser information, operating system, time spent on the page. Learn more about Hotjar under the following link: https://www.hotjar.com/privacy. You may prevent data processing by Hotjar at any time by following the steps described in https://www.hotjar.com/opt-out.

| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
| --- | --- | --- | --- | --- |
| Hotjar, 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta | Contract processor | YES | / | Not necessary |

| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
| --- | --- | --- | --- |
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Analysis of customer behaviour towards website optimisation | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 12 months at most |
| Behaviour-related data such as: Visited product pages, browsing behaviour on website, visited pages ... | Analysis of customer behaviour towards website optimisation | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 12 months at most |

12. Criteo

On our pages, we collect information on the surfing behaviour of the website visitors for marketing purposes in a pseudonymised form using the technology of Criteo; cookies and web pixels are placed for this. This way, Criteo can analyse surfing behaviour and then display targeted product recommendations as matching advertising banners when other websites are visited. For this purpose, cookies from our partner websites are also placed via pixels. In no case must the anonymised data be used to personally identify the visitor of the website. The data collected by Criteo are only used to improve the advertising offer.

Every displayed banner has a small “i” at the lower right (for information), which will open with mouse-over and lead to a page when clicked, on which the system is explained and an opt-out is offered. When clicking opt-out, an “Opt-Out” cookie is set, which will prevent the display of these banners in future. There will be no other use or forwarding to third parties. You can generally learn more about the data protection statement and data protection directives at Criteo and object to pseudonymised analysis of your surfing behaviour at https://www.criteo.com/privacy/ (opt-out).

| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
| --- | --- | --- | --- | --- |
| Criteo GmbH, Lehel Carré, Gewürzmühlstraße 11, 80538 München, Germany | Contract processor | NO | / | Not necessary |

| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
| --- | --- | --- | --- |
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 13 months at most |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 13 months at most |
| User ID, device ID | Evaluation of user behaviour on different devices/browsers to deliver ads on different end devices | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 13 months at most |

13. Salesforce

For customer support, we use the Customer Relationship Management module “Salesforce Marketing Cloud” and “Salesforce Service Cloud” by Salesforce.com Inc. Salesforce Service Cloud is an administration service for user databases. Salesforce Marketing Cloud is an administration service for electronic customer communication. The data are processed in the USA. Salesforce.com had these services certified in the scope of the EU-US-Privacy Shield rules. Further information on the Salesforce Marketing Cloud and Salesforce Service Cloud and the processed data is available at https://www.salesforce.com/company/privacy/.

These technologies are also used to collect information on the surfing behaviour of the website visitors for marketing purposes in a pseudonymised form. This uses cookies and webpixels, as well as the Tracking Service iGoDigital, which is part of Salesforce. We use these technologies to improve our advertising offer to you.

| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
| --- | --- | --- | --- | --- |
| Salesforce.com Inc., The Landmark @ One Market Street, Suite 300, San Francisco, California, CA 94105, USA | Contract processor | YES | USA | EU-Standard Contract Clauses / EU-US Privacy Shield |

| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
| --- | --- | --- | --- |
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Creation of profiles as part of the Salesforce CRM systems | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after expiration of purpose, no later than 90 days after membership ends |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Finding appropriate product recommendations for newsletter and special emails | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after expiration of purpose, no later than 90 days after membership ends |
| User ID, device ID | Finding appropriate product recommendations for newsletter and special emails | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after expiration of purpose, no later than 90 days after membership ends |

14. Facebook Custom Audiences

In the scope of usage-based online advertisements, the project Custom Audiences by Facebook is also used on the website. A Facebook cookie is set for this. We record information on your activities on the website and behaviour-related files via Facebook pixels in the scope of this.

The cookies do not record any personal information and also cannot be connected to these.

Further information on the purpose and scope of the data collection and further processing and use of the data as well as the privacy settings can be taken from the data protection directives of Facebook. If you want to object to the use of Facebook Custom Audiences, you can do that at https://www.facebook.com/ads/website_custom_audiences/.

| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
| --- | --- | --- | --- | --- |
| Facebook Inc. 1601 WILLOW ROAD MENLO PARK, CA 94025, USA | Contract processor | YES | USA | EU-US Privacy Shield |

| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
| --- | --- | --- | --- |
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. f GDPR | 12 months at most, currently 6 months |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. f GDPR | 12 months at most, currently 6 months |

15. Facebook Connect

We offer the function “Facebook Connect” offered by Facebook Inc. optionally to compile your customer account and for logging into our website and applications. You can also use Facebook Connect to recommend BestSecret or our offer to your Facebook friends.

If you want to use this function, you will first be forwarded to Facebook. There, you will be asked to log on with your user name and password. Of course, we will not take note of your login data. If you are already logged in to Facebook, this step will be skipped.

Subsequently, Facebook will inform you about which data are submitted to us (public profile, friend list, email address and current place of residence). Confirm this with the button “OK”. We use the submitted data to compile your customer account. Your friend list will, of course, not be saved by us. When logging in to BestSecret by Facebook Login a unique token generated by Facebook (a long character sequence of letters and numbers) is also saved that is exchanged during the login process for safe authentication with Facebook.

For the purpose and scope of data collection and further processing and use of the personal data by Facebook, as well as your rights and setting options to that extent to protect your privacy, see the data privacy notes of Facebook under https://www.facebook.com/policy.php and its usage terms under https://www.facebook.com/legal/terms.

| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
| --- | --- | --- | --- | --- |
| Facebook Inc. 1601 WILLOW ROAD MENLO PARK, CA 94025, USA | Contract processor | YES | USA | EU-US Privacy Shield |

| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
| --- | --- | --- | --- |
| Technical data such as: Device, date and time of website call, ... | Simplified registration and login; invitation of other customers | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after expiration of purpose, no later than 90 days after membership ends |

16. Adobe

Adobe Analytics, the web analytics service from Adobe Systems Inc., is used on our website. Adobe Analytics uses cookies. If website use information generated by cookies is sent to an Adobe Systems Inc. server, our settings guarantee that the IP address is rendered anonymous before geotargeting, and that it is replaced with a generic IP address before it is saved. Adobe will process this information on behalf of the operator of this website, in order to analyse website use, to produce reports on website activity, and to provide additional services relating to website use and internet use for the website operator. The IP address sent by your browser as part of the Adobe Analytics services is not merged with other Adobe data. You can prevent Adobe from collecting and processing information generated by cookies (including your IP address) by downloading and installing the browser plug-in that is available via the following link: https://www.adobe.com/uk/privacy/opt-out.html.    

| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
| --- | --- | --- | --- | --- |
| Adobe Systems Inc. 345 Park Avenue, San Jose, CA 95110-2704, USA | Contract processor | YES | USA | EU-US Privacy Shield |

| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
| --- | --- | --- | --- |
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Evaluation of customer behaviour | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 37 months at most |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Evaluation of customer behaviour | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 37 months at most |
| User ID, device ID | Evaluation of customer behaviour | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 37 months at most |

17. RTB House

We use the technology of RTB House SA on our pages to collect information on the surfing behaviour of the website visitors for marketing purposes in a pseudonymised form by setting cookies and web pixels. This way, RTB House can analyse surfing behaviour and then display targeted product recommendations as matching advertising banners when other websites are visited. In no case must the anonymised data be used to personally identify the visitor of the website. The data collected by RTB House are only used to improve the advertising offer.

Every displayed banner has a small “ = ” at the lower left (for information), which will open with mouse-over and lead to a page when clicked, on which the system is explained and an opt-out is offered. When clicking opt-out (https://www.rtbhouse.com/optout-page/), an “Opt-Out” cookie is set, which will prevent displaying of these banners in future. There will be no other use or forwarding to third parties. You can generally learn about the data protection statement and data protection directive at RTB House at https://www.rtbhouse.com/privacy/.

| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
| --- | --- | --- | --- | --- |
| RTB House SA, Zlota 61/101, 00-819, Warsaw, Poland | Contract processor | NO | / | Not necessary |

| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
| --- | --- | --- | --- |
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 13 months at most |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 13 months at most |
| User ID, device ID | Evaluation of user behaviour on different devices/browsers to deliver ads on different end devices | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 13 months at most |

18. Fabric

In our mobile applications on Android and iOS we have integrated Fabric Crash Analytics (https://fabric.io/kits/android/crashlytics) for the purposes of detecting and reporting crashes and non-fatal crashes in the app. This information is used to improve the application performance and stability. For these purposes technical data such as the mobile device id, device type, model, operating system and approximate location of the mobile device is transmitted to provide more reliable analysis, for example to determine whether the issue is specific to one device type or to multiple devices. The legal basis for this is our legitimate interest pursuant to sect. 6 para. 1 s. 1 lit. f GDPR.

For more detailed information on usage conditions and data protection, see https://fabric.io/terms.

Regardless of the specific opt-out options provided by the above services, BestSecret also offers a blanket solution for preventing the analysis of user behaviour with a single click. For this, you just have to disable the “Diagnostics & behaviour tracking” option in the My BestSecret menu under the item Password and Contact information / Personal Settings.

| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
| --- | --- | --- | --- | --- |
| Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Contract processor | YES | USA | EU-US Privacy Shield |


| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
| --- | --- | --- | --- |
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Evaluation of customer behaviour | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion no later than 180 days |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Evaluation of customer behaviour | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion no later than 180 days |
| User ID, device ID | Evaluation of user behaviour on different devices/browsers | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion no later than 180 days |

 

19. Opt-out from the range measurement / tracking for marketing purposes

Independently of special opt-out possibilities for the above services, BestSecret also offers a general way to withdraw from all retargeting services controlled by tracking with one click. These services are specifically the personalised advertisements on Google, Facebook, Criteo and Salesforce.

For this, it is sufficient to unselect the option “personalised advertisements” in the My BestSecret menu, under Password and Contact information / Personal Settings.

Unselection (opt-out) usually only takes effect after 48-72 hours for technical reasons.

20. Opt-Out from User Behaviour Analysis

A user behaviour analysis is carried out for the purposes of website optimisation and user experience improvement and is implemented using the services of Google Analytics, Fabric and Hotjar.

Regardless of the specific opt-out options provided by the above services, BestSecret also offers a blanket solution for preventing the analysis of user behaviour with a single click.

For this, you just have to disable the “Diagnostics & behaviour tracking” option in the My BestSecret menu under the item Password and Contact information / Personal Settings.

Unselection (opt-out) usually only takes effect after 48-72 hours for technical reasons.

21. Newsletter

By accepting to receive the newsletter you agree to receive information on products and promotions of Best Secret GmbH and Schustermann & Borenstein GmbH on a regular basis. This information may be mailed by Best Secret GmbH, Schustermann & Borenstein GmbH or Agnitas AG.

For dispatch of the newsletter, BestSecret also uses the service Salesforce Marketing Cloud, which is operated by the company Salesforce.com Inc., The Landmark@One Market Street, Suite 300, San Francisco, California, CA 94105, USA.

In order to make our newsletter even more interesting for you in future, common technologies such as cookies or counting pixels are used in our newsletter. We evaluate your clicks in newsletters with tracking pixels, i.e. invisible picture files and personalised links. They are assigned to your email address and are linked to a dedicated ID in order to clearly link any clicks in the newsletter to your own ID. The user profile serves to coordinate the offer and our services with your interests. The legal basis for this is the legitimate interest purs. to sect. 6 para. 1 sentence 1 lit. f) GDPR.

The consent to the newsletter is voluntary and can be revoked at any time. The revocation can take place in the settings in your customer account and, of course, via the logout link in every newsletter.

The following data are processed for newsletter dispatch:

 
| Designation of the newsletter provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
| --- | --- | --- | --- | --- |
| Agnitas GmbH, Werner-Eckert-Straße 6, 81829 München, Germany | Contract Processor | NO | / | Not necessary |
| Schustermann & Borenstein GmbH, Margaretha-Ley-Ring 27, 85609 Aschheim, Germany | Contract Processor | NO | / | Not necessary |
| Salesforce.com Inc., The Landmark@One Market Street, Suite 300, San Francisco, California, CA 94105, USA | Contract Processor | YES | USA | EU Standard Contract Clauses / EU-US Privacy Shield |


| Data | Purpose of processing | Legal basis of processing | Duration of storage |
| --- | --- | --- | --- |
| Personal data such as: Email address, form of address, first name, last name, gender | Newsletter delivery | Sect. 6 para. 1 s. 1 lit. a GDPR | Until revocation/objection |
| Confirmation of newsletter delivery, time of confirmation, newsletter preferences | Newsletter delivery | Sect. 6 para. 1 s. 1 lit. a GDPR | 3 years after deletion of personal data |
| Revocation of confirmation | Proof of revocation | Sect. 6 para. 1 s. 1 lit. a GDPR | 3 years after deletion of personal data |

22. Inviting friends

We offer the option of recommending our website to interested persons. For this, you need to enter the email address of the desired person into the corresponding form, along with an optional personal message. Please note that you are responsible for the messages sent out by email and that you must only indicate the email address if the data subject has consented to this.

When using this function, we will save the dispatch date of the recommendation email in addition to the email address of the recipient. The data are stored to protect from abuse of this function. The legal basis for this is the legitimate interest purs. to sect. 6 para. 1 s. 1 lit. f GDPR.

| Data | Purpose of processing | Legal basis of processing | Duration of storage |
| --- | --- | --- | --- |
| Personal data of invitee such as: Email address, language, invitation message, time of invitation | Delivery of personal invitation to invitee | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after expiration of purpose, no later than 90 days after membership ends |

23. Lotteries

For lotteries, we use your data to inform you if you are a winner and for advertising our offers. For detailed information, see the participation conditions for the respective lottery.

| Data | Purpose of processing | Legal basis of processing | Duration of storage |
| --- | --- | --- | --- |
| Personal data of winner such as: First name, last name, email address, address, and social media contact information | Lottery execution, winning notification, delivery of prizes in case of win | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after expiration of purpose |

24. Creditworthiness check

In order to offer you the best possible payment options, we need to protect you and ourselves from abuse. Therefore, we submit the personal data needed for a creditworthiness check, including your address data, to Wirecard Bank AG, Einsteinring 35, D-85609 Aschheim, Germany, depending on the payment method chosen.

It will evaluate the probability of payment default based on a mathematical-statistical procedure. We will use this information for a balanced decision on the payment options to be granted to you.

In the scope of the payment process, you will be informed that and which data will be transmitted before transfer of the personal data and you can cancel the process if necessary.

25. Compliance with customs provisions

Based on various EU regulations (2580/2001/EC, 881/2002/EC and 753/2011/EC) and other statutory specifications, we as a company are required to reconcile our customers' data with publicly available foreign trade and embargo lists before concluding a purchasing contract. We perform this reconciliation because we have an overruling legitimate interest in compliance with legal provisions and must protect ourselves from sanctions and fines. We only perform the reconciliation if you order goods from our website and incur a payment obligation. Only the following present data are compared: First name, name and address. The data will be deleted at once after review.

26. Passing on of data

Your personal data will only be passed on to third parties if this is required for contract processing or settlement or if you have consented to it in advance. Our business does not include selling such customer information. Data are only passed on in the scope of the presented purposes.

Your personal data will not be transferred to any third parties for any other than the purposes listed.

We shall only pass on your personal data to third parties if:

  • you have expressly consented to this,
  • forwarding is required for assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding protection-worthy interest in your data not being passed on,
  • we are legally required to pass them on, and
  • if it is legitimate by law and required for processing contractual relationships with you.

In case of data transfer outside of the European Union, the high European data protection level generally does not apply. On transmission, it is possible that there is no current resolution on appropriateness of the EU commission within the meaning of sect. 45 para. 1, 3 GDPR. This means that the EU commission has not positively determined so far that the country-specific data protection level corresponds to the data protection level of the European Union due to the GDPR; therefore, we have created the above suitable guarantees.

Possible risks that may not be completely excluded in connection with data transmission specifically include:

  • Your personal data may be processed beyond their actual purpose.
  • Additionally, it is possible that you cannot sustainably assert and enforce your rights under data protection law, such as your right to information, rectification, erasure or data portability.
  • There may also be a higher likelihood that there may be incorrect data processing and the production of the personal data does not fully correspond to the requirements of the GDPR in quantity and quality.

27. Instruction on the rights of data subjects

Every data subject has the right to information according to sect. 15 GDPR, the right to rectification according to sect. 16 GDPR, the right of erasure according to section 17 GDPR, the right to restriction of processing according to sect. 18 GDPR, the right to objection from sect. 21 GDPR and the right to data portability from sect. 20 GDPR. The information right and erasure right are subject to the restrictions pursuant to §§ 34 and 35 BDSG or the respective national provisions.

28. Instructions on the complaint options

You also have the right to complain to the competent data protection supervisory authority about processing of your personal data by us.

29. Instruction on revocation of consent

You may revoke your consent granted to us for processing of personal data at any time. This shall also apply to revocation of declarations of consent that were granted to us before the application of the general data protection regulation, i.e. before 25 May 2018. Please note that the revocation will only be effective for the future. Processing that took place before the revocation is not affected by this.

30. Right in case of data processing for operation of direct marketing

You have the right according to sect. 21 para. 2 GDPR to object to processing of the personal data concerning you at any time. If you object to processing for the purpose of direct marketing, we shall no longer process your personal data for these purposes. Please note that the objection will only be effective for the future. Processing that took place before the objection is not affected by this.

31. Note on the objection rights on consideration of interests

As far as we base processing of your personal data on consideration of interests, you may object to processing. When exercising such an objection, please present the reasons why we should not process your personal data as described by us. In case of your justified objection, we will review the situation and shall either cease data processing or adjust it, or explain our mandatory grounds to be protected to you.

32. Links to other websites

Our websites may contain links to websites of other providers. Please note that this data protection statement only applies to the websites of www.BestSecret.com. We cannot influence or control whether other providers comply with the applicable data protection provisions.

33. Changes to the data protection statement

We reserve the right to change or adjust this data protection statement at any time under observation of the applicable data protection provisions.