BestSecret BestSecret BestSecret
Data Protection Statement
As of: 10/02/2020
Best Secret GmbH takes the protection of your personal data very seriously and collects and uses your personal data only in the scope of the applicable statutory provisions.
In order to let you feel safe when visiting our website, we provide you with an overview of how Best Secret GmbH ensures this protection and what kind of data we collect for what purpose below. The data protection statement is available on our website at any time.
1. Information about data processing within the Schustermann & Borenstein Group
1.1 General information
Best Secret GmbH is part of the Schustermann & Borenstein Group (hereinafter S&B Group).
As part of our business activities, it is therefore essential for data to be exchanged between branch locations and divisions on a regular basis in order to promote and facilitate cooperation within the Group. For this reason, central processes are not limited to a single Group company, but also include other Group member companies. Companies within the S&B Group therefore work together in many areas and act as so-called joint controllers within the meaning of data protection law.
1.2 Information about the primary contents of the contract in the case of joint controller authority within the S & B Group
In light of their joint role, the member companies of the S&B Group have concluded a contract as joint controllers within the meaning of Art. 26 in conjunction with Art. 4(7) GDPR to guarantee the security of processing and the effective exercise of your rights.
Without limitation, this contract addresses the following points:
- Subject, purpose, means and scope as well as competences and responsibilities with regard to data processing
- Providing information to data subjects
- Fulfilment of other rights of data subjects
- Security of processing
- Involvement of contract data processors
- Procedure in the event of personal data breaches
- Other common and reciprocal obligations
- Cooperation with supervisory authorities
- Liability
2. Controller and Data Privacy Officer
The controller responsible for processing your personal data is the Schustermann & Borenstein Group as joint controllers. In particular, you may contact Best Secret GmbH, Margaretha-Ley-Ring 10, 85609 Aschheim, Germany (hereinafter referred to as BestSecret) in order to assert your rights. Member companies belonging to the Schustermann & Borenstein Group have each appointed a data protection officer. You may contact the controllers and the data protection officer at:
| Data processing controller | Data protection officer of the controller |
|---|---|
| Best Secret GmbH represented by Marian Gradl-Schikora, Daniel Schustermann, Thomas Helmreich and Ralph Goedecke Margaretha-Ley-Ring 10, 85609 Aschheim, Germany. Phone: +49 (0) 89 / 357 68 04 40 Email: [email protected] | Best Secret GmbH Data protection officer Margaretha-Ley-Ring 10, 85609 Aschheim, Germany. Email: [email protected] |
3. General data collection when calling our website
If you use our website for information only, i.e. if you do not register or otherwise submit any information to us, we will only collect the personal data your browser submits to our server. These data are technically required for us in order to show our website to you and to ensure stability and safety (the legal basis for this is our legitimate interest pursuant to sect. 6 para. 1 s. 1 lit. f GDPR).
For technical reasons, these are saved by default as logfiles (protocol files).
| Data | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call | Optimised website representation Ensuring proper website operation | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 21 days at most |
| IP address | Ensuring proper website operation | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 21 days at most |
4. Data collection on login/registration on our website
If you log in or register at www.BestSecret.com, personal, behaviour-related and technical data will be saved.
Technical data will be saved anonymised and evaluated. Anonymised means that we cannot assign the data to a determined or determinable natural person, or that we would do so only with disproportional effort of time, costs and labour. We will evaluate these anonymised data in order to further improve the function of the shop and to make it more user-friendly.
In the scope of reconciliation of interests according to sect. 6 para. 1 lit. f GDPR, we have observed and considered our interest in provision of the data and your interest in data-protection-compatible processing of your personal data.
The following data are required for provision of our service in order to offer you our website and to ensure stability and safety, in particular to protect against abuse. Accordingly, we can - while ensuring data protection aligned with the state of the art – process these data, while appropriately considering your interest in processing them in a manner compatible with data protection.
| Data | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Personal information such as: Name, email address, ... | Registration purposes Customer communication | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after expiration of purpose or until expiration of the obligation to preserve business records relating to commercial and tax law. |
| Behaviour-related data such as: Last login, registration date, visited product pages, ... | Customer communication Measure of success Determination of target group for advertising purposes | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after expiration of purpose, no later than 90 days after membership ends |
Collection of the data for provision of the website and recording of the data in logfiles is mandatory for operation of the website. Accordingly, the user cannot object to this.
5. Data collection and use in the scope of provision
The information that we receive from you helps us process your orders as smoothly as possible, to improve our service to you and to prevent abuse and fraud.
We use your data for the processing of orders and payments, delivery of the goods and rendering of services. In the scope of order processing, e.g. the service providers used by us here (such as transporters, logisticans, banks) will receive the data needed to process orders and purchase orders.
Whether additional data, such as the email address, should be passed on to report the specific delivery date or not can be indicated and changed in the ordering process or at any time in your personal settings.
As part of the payment processing, we will share your payment data with the respective payment service provider. Please note that many of these recipients have an independent right or obligation to process your personal data, e.g. Wirecard Bank AG (https://www.wirecardbank.com/GDPR) or AfterPay (https://documents.myafterpay.com/privacy-statement/en_de/11309). If you would like more information about the recipients, please contact [email protected].
For more detailed information on data protection on this, see our data protection information for customers that we have provided to you here: Link to information requirements
6. Cookies
We use cookies in order to improve our advertising offer and to optimise it. Cookies are small text files that are stored on your computer's operating system when you call our website. Cookies contain, among others, a characteristic character sequence that permits unique identification of the browser when calling the website again.
Cookies save further information, such as your language settings, the duration of the visit to our website or specific input made there. This avoids having to enter all the required data again for every use. Cookies also enable to us to recognise your preferences and to align our website with your areas of interest.
6.1 Type of cookies used
a) Technically necessary cookies
We use cookies in order to make our website more user-friendly. Some elements of our website require identification of the calling browser even after a page change.Technically necessary cookies are not necessarily required to display the website. Some functions of the website, such as the shopping basket, contact form, etc. cannot be used properly without this cookie, however. Therefore, the user has no way to object to this; deactivation of these cookies can take place by setting the respective browser.
b) Cookies for range measurement and marketing purposes
Based on a cookie technology, data are collected for optimisation of our advertisements and the entire online offer. These data are not used to identify you personally, but serve only for pseudonymised evaluation of use of the website. Your data will never be combined with the personal data stored by us. With this technology, we can present relevant contents to you (advertisements and/or special offers and services). Our target here is to make our offers as attractive as possible to you and to present products and services that correspond to your areas of interest.
Our websites also use additional retargeting technologies. We use these technologies in order to make the online offer more interesting for you. This technology enables us to place personalised advertisements to you on the websites of our partners. We are certain that the display of personalised, interest-specific advertisements for the internet user is more interesting than advertisements that do not have any such personal references. These advertising media on the sites of our partners are displayed based on cookie technology and analysis of the previous usage behaviour. This form of advertising takes place entirely pseudonymised. No personal data are stored and no user profiles are combined with your personal data. Most browsers accept cookies automatically. If you want to prevent storage of cookies, you can select “Do not accept cookies” in your browser settings. How this works in detail can be taken from the instructions of your browser provider. You can delete cookies that are filed on your computer at any time. However, please note that our online offer can only be used with restrictions without cookies.
The legal basis for this is our legitimate interest pursuant to sect. 6 para. 1 s. 1 lit. f GDPR.
Below, we name the currently used services and technologies in detail:
7. Google Tag Manager
For reasons of transparency, please note that we use Google Tag Manager. Google Tag Manager itself does not record any personal data. Tag Manager makes it easier for us to integrate and manage our tags. Tags are small code elements that serve, among others, to measure traffic and visitor behaviour, to record the effects of online advertisements and social channels, remarketing or retargeting and setting up alignment with target and testing and optimising websites. For further information on the Google Tag Manager, see https://www.google.com/analytics/tag-manager/use-policy/.
| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
|---|---|---|---|---|
| Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; | Contract processor | YES | USA | EU-US Privacy Shield |
8. Google Analytics & Google Optimize
This website uses Google Analytics, a web analysis service of Google Inc. In addition, we use Google Optimize. Google Optimize analyses the use of different variants of our website and helps us to improve user-friendliness based on the behaviour of our users on the website. Google Optimize is a tool associated with Google Analytics.
Google Analytics and Google Optimize use “cookies”, i.e. text files that are stored on your computer and that permit analysis of your use of the website. The information produced by the cookie regarding your use of this website is usually transferred to a server of Google in the USA and saved there. Due to activation of IP anonymisation on these websites, your IP address will be abbreviated first by Google within member states of the European Union or in other contracting states of the convention on the European Economic area. Only in exceptions will your full IP address be transferred to a server of Google in the USA and abbreviated there. The IP address submitted by your browser in the scope of Google Analytics and Google Optimize will not be combined with any other Data of Google. On the order of the operator of this website, Google will use this information to evaluate your use of the website, in order to compile reports on the website activities and to render further services connected to website use and internet use towards the website operator. These purposes also constitute our justified interest in data processing. The legal basis for use of Google Analytics and Google Optimize is § 15 para. 3 TMG or sect. 6 para. 1 lit. f GDPR. The data sent by us and linked to cookies, user IDs (e.g. User-ID) or advertising IDs are automatically deleted after 26 months. Erasure of data the archiving period of which has expired shall take place automatically once per month. For more detailed information on usage conditions and data protection, see www.google.com/analytics/terms or under https://policies.google.com.
You may prevent saving of the cookies by making the corresponding settings in your browser software; however, note that you may be unable to fully use all functions of the website in such a case. You may furthermore prevent recording of the data generated by the cookie and referring to your use of the website (incl. your Internet Protocol address) by Google and processing of these personal data by Google by downloading and installing a browser add-on. Opt-out cookies prevent the future recording of your personal data when visiting this website.
| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
|---|---|---|---|---|
| Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Contract processor | YES | USA | EU-US Privacy Shield |
| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Evaluation of customer behaviour | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 26 months at most |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Evaluation of customer behaviour | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 26 months at most |
| User ID, device ID | Evaluation of user behaviour on different devices/browsers | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 26 months at most |
9. Google AdWords, Audiences, and Conversion Tracking
In order to draw attention to our services, we place Google AdWords advertisements and use Google Conversion-Tracking and the Google Tag Manager in the scope of this for the purpose of personalised interest- and site-based online advertisements. The option of anonymising the IP-addresses is controlled via an internal setting in the Google Tag Manager that is not visible in the source of this page. This internal setting is made so that the anonymisation of IP addresses required by the Federal Data Protection Act is achieved.
The ads are displayed after search requests on websites of the Google advertising network. Detailed information on the Google advertising network can be found at https://support.google.com/adwords/answer/1752334?hl=en. We are able to combine our ads with certain search terms. We can use cookies to place ads on our website based on the previous visits of a user.
When clicking an ad, Google sets a cookie on the user's computer. Further information on the cookie technology used can also be found among the notes of Google on the website statistics under https://services.google.com/sitestats/en.html and in the data protection provisions under https://policies.google.com/privacy?hl=en.
With the help of this technology, Google and we as the customer receive information that a user clicked an ad and has been forwarded to our websites. The information acquired here is used only for a statistical evaluation for ad optimisation. We will not receive any information with which the visitors can be identified in person. The statistics provided to us by Google contain the overall number of users who clicked one of our ads and, if applicable, whether they were forwarded to a page of our website with a conversion tag. We can use these statistics to determine for which search terms our ad was clicked particularly often and which ads lead to contact by the user via the contact form.
If you do not wish this, you can prevent storage of the cookie required for these technologies, e.g. in the settings of your browser. In this case, your visit will not be included in the user statistics.
You are also able to select the types of Google ads or deactivate interest-related ads on Google in the ad settings (see https://www.google.com/settings/ads/anonymous?hl=en).
However, we and Google continue to receive the statistical information on how many users visited the page when. If you do not want to be included in this statistic either, you may prevent this by using additional programs for your browser.
| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
|---|---|---|---|---|
| Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Contract processor | YES | USA | EU-US Privacy Shield |
| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 26 months at most |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 26 months at most |
10. Google DoubleClick
Furthermore, we use DoubleClick, a service of Google Inc. DoubleClick uses cookies to place user-based ads. The cookies recognise which ad has already been shown in your browser and whether you called a website using a displayed ad. The cookies do not record any personal information and also cannot be connected to these.
If you do not want to receive any user-based advertisements you can deactivate placement of ads using the ad settings of Google.
For more information on how Google uses cookies, see the data protection statement of Google.
| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
|---|---|---|---|---|
| Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Contract processor | YES | USA | EU-US Privacy Shield |
| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 26 months at most |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 26 months at most |
11. Hotjar
Our website has Hotjar integrated (https://www.hotjar.com). Hotjar enables us to record and evaluate user behaviour (e.g. mouse movements, clicks, scrolling height) on our websites. For this purpose, Hotjar uses cookies on end units of the users and is able to save the data of users anonymised, e.g. concerning browser information, operating system, time spent on the page. Learn more about Hotjar under the following link: https://www.hotjar.com/privacy. You may prevent data processing by Hotjar at any time by following the steps described in https://www.hotjar.com/opt-out.
| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
|---|---|---|---|---|
| Hotjar, 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta | Contract processor | NO | / | Not necessary |
| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Analysis of customer behaviour towards website optimisation | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 12 months at most |
| Behaviour-related data such as: Visited product pages, browsing behaviour on website, visited pages ... | Analysis of customer behaviour towards website optimisation | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 12 months at most |
12. Criteo
On our pages, we collect information on the surfing behaviour of the website visitors for marketing purposes in a pseudonymised form using the technology of Criteo; cookies and web pixels are placed for this. This way, Criteo can analyse surfing behaviour and then display targeted product recommendations as matching advertising banners when other websites are visited. For this purpose, cookies from our partner websites are also placed via pixels. In no case must the anonymised data be used to personally identify the visitor of the website. The data collected by Criteo are only used to improve the advertising offer.
Every displayed banner has a small “i” at the lower right (for information), which will open with mouse-over and lead to a page when clicked, on which the system is explained and an opt-out is offered. When clicking opt-out, an “Opt-Out” cookie is set, which will prevent the display of these banners in future. There will be no other use or forwarding to third parties. You can generally learn more about the data protection statement and data protection directives at Criteo and object to pseudonymised analysis of your surfing behaviour at https://www.criteo.com/privacy/ (opt-out).
| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
|---|---|---|---|---|
| Criteo GmbH, Lehel Carré, Gewürzmühlstraße 11, 80538 München, Deutschland | Controller | NO | / | Not necessary |
| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 13 months at most |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 13 months at most |
| User ID, device ID | Evaluation of user behaviour on different devices/browsers to deliver ads on different end devices | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 13 months at most |
13. Salesforce
For customer support, we use the Customer Relationship Management module “Salesforce Marketing Cloud” and “Salesforce Service Cloud” by Salesforce.com Inc. Salesforce Service Cloud is an administration service for user databases. Salesforce Marketing Cloud is an administration service for electronic customer communication. The data are processed in the USA. Salesforce.com had these services certified in the scope of the EU-US-Privacy Shield rules. Further information on the Salesforce Marketing Cloud and Salesforce Service Cloud and the processed data is available at https://www.salesforce.com/company/privacy/.
These technologies are also used to collect information on the surfing behaviour of the website visitors for marketing purposes in a pseudonymised form. This uses cookies and webpixels, as well as the Tracking Service iGoDigital, which is part of Salesforce. We use these technologies to improve our advertising offer to you.
| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
|---|---|---|---|---|
| Salesforce.com Inc., The Landmark @ One Market Street, Suite 300, San Francisco, California, CA 94105, USA | Contract processor | YES | USA | EU-Standard Contract Clauses / EU-US Privacy Shield |
| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Creation of profiles as part of the Salesforce CRM systems | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after expiration of purpose, no later than 90 days after membership ends |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Finding appropriate product recommendations for newsletter and special emails | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after expiration of purpose, no later than 90 days after membership ends |
| User ID, device ID | Finding appropriate product recommendations for newsletter and special emails | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after expiration of purpose, no later than 90 days after membership ends |
14. Facebook Custom Audiences
In the scope of usage-based online advertisements, the project Custom Audiences by Facebook is also used on the website. A Facebook cookie is set for this. We record information on your activities on the website and behaviour-related files via Facebook pixels in the scope of this.
The cookies do not record any personal information and also cannot be connected to these.
Further information on the purpose and scope of the data collection and further processing and use of the data as well as the privacy settings can be taken from the data protection directives of Facebook. If you want to object to the use of Facebook Custom Audiences, you can do that at https://www.facebook.com/ads/website_custom_audiences/.
| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
|---|---|---|---|---|
| Facebook Inc. 1601 WILLOW ROAD MENLO PARK, CA 94025, USA | Contract processor | YES | USA | EU-US Privacy Shield |
| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. f GDPR | 12 months at most, currently 6 months |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. f GDPR | 12 months at most, currently 6 months |
15. RTB House
We use the technology of RTB House SA on our pages to collect information on the surfing behaviour of the website visitors for marketing purposes in a pseudonymised form by setting cookies and web pixels. This way, RTB House can analyse surfing behaviour and then display targeted product recommendations as matching advertising banners when other websites are visited. In no case must the anonymised data be used to personally identify the visitor of the website. The data collected by RTB House are only used to improve the advertising offer.
Every displayed banner has a small “ = ” at the lower left (for information), which will open with mouse-over and lead to a page when clicked, on which the system is explained and an opt-out is offered. When clicking opt-out (https://www.rtbhouse.com/optout-page/), an &ldquoOpt-Out” cookie is set, which will prevent displaying of these banners in future. There will be no other use or forwarding to third parties. You can generally learn about the data protection statement and data protection directive at RTB House at https://www.rtbhouse.com/privacy/.
| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
|---|---|---|---|---|
| RTB House SA, Zlota 61/101, 00-819, Warsaw, Poland | Contract processor | NO | / | Not necessary |
| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 13 months at most |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 13 months at most |
| User ID, device ID | Evaluation of user behaviour on different devices/browsers to deliver ads on different end devices | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 13 months at most |
16. Fabric
In our mobile applications on Android and iOS we have integrated Fabric Crash Analytics (https://fabric.io/kits/android/crashlytics) for the purposes of detecting and reporting crashes and non-fatal crashes in the app. This information is used to improve the application performance and stability. For these purposes technical data such as the mobile device id, device type, model, operating system and approximate location of the mobile device is transmitted to provide more reliable analysis, for example to determine whether the issue is specific to one device type or to multiple devices. The legal basis for this is our legitimate interest pursuant to sect. 6 para. 1 s. 1 lit. f GDPR.
For more detailed information on usage conditions and data protection, see https://fabric.io/terms.
Regardless of the specific opt-out options provided by the above services, BestSecret also offers a blanket solution for preventing the analysis of user behaviour with a single click. For this, you just have to disable the “Diagnostics & behaviour tracking” option in the My BestSecret menu under the item Password and Contact information / Personal Settings.
| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
|---|---|---|---|---|
| Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Contract processor | YES | USA | EU-US Privacy Shield |
| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Evaluation of customer behaviour | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion no later than 180 days |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Evaluation of customer behaviour | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion no later than 180 days |
| User ID, device ID | Evaluation of user behaviour on different devices/browsers | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion no later than 180 days |
17. Firebase
We use technology from Google Firebase (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, “Google”) with various functionalities in our apps. Firebase uses so-called “Instance IDs” to memorise individual settings within the mobile app. Because each Instance ID is unique to a mobile app and the mobile device you are using, Firebase is able to evaluate and respond to specific events within the mobile app. Information generated by the Instance ID about your use of this mobile app on your mobile device is generally sent to a Google server in the United States and stored there. Google ensures that the IP address is anonymised immediately if the IP address is also sent. The legal basis for the use of Firebase is Art. 6(1)(f) GDPR. You can object to the use of Firebase at any time by deselecting the option “Use & Analysis” in the menu under Password and Contact Data/Personal Settings.
For more information, see Firebase’s Terms of Use (https://firebase.google.com/terms/) and Privacy Notice (https://firebase.google.com/support/privacy/).
| Provider name | Service provider type | Data transfers to third countries | Third country | Guarantees according to Art. 44 et seq. GDPR |
|---|---|---|---|---|
| Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland | Processor | YES | USA | EU-US Privacy Shield |
The following functionalities are used specifically:
Firebase Remote Config
Firebase Remote Config enables the configuration of app settings. We can change the behaviour and appearance of your app on the user device without having to completely reinstall it from the app store. Find out all you need to know about how Remote Config works here.
| Data category concerned | Processing purpose | Legal basis for processing | Retention period |
|---|---|---|---|
| Technical data such as: operating system in use, browser type and version, device (smartphones, tablets or other device), date and time of access, etc. | App optimisation | Art. 6(1)(f) GDPR | Erasure after achievement of purpose; no later than 180 days after request |
| Instance ID | App optimisation | Art. 6(1)(f) GDPR | Erasure after achievement of purpose; no later than 180 days after request |
Firebase Performance Monitoring
Firebase Performance Monitoring allows us to track the performance of the app and respond to specific incidents within the app. Find out more information here.
| Data category concerned | Processing purpose | Legal basis for processing | Retention period |
|---|---|---|---|
| Technical data such as: operating system in use, browser type and version, device (smartphones, tablets or other device), date and time of access, etc. | App optimisation | Art. 6 Abs. 1 S. 1 lit. f DS-GVO | Erasure after achievement of purpose; no later than 180 days after request |
| Instance ID | App optimisation | Art. 6 Abs. 1 S. 1 lit. f DS-GVO | Erasure after achievement of purpose; no later than 180 days after request |
18. Pinterest Ads
In addition, we use the Pinterest plugin provided by Pinterest Europe Limited, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland. This allows us to track the behaviour of users after they have viewed a Pinterest advertisement. We can also use the Pinterest tag to measure the conversion rate of a campaign. This means that the Pinterest tag allows us to evaluate the effectiveness of a Pinterest ad, optimise future advertising campaigns and to make them more user-friendly. We are not able to identify users from the data collected. However, this data is also stored by Pinterest and can be associated with a user profile and used for marketing purposes. You can find more information about data protection at https://policy.pinterest.com/en/privacy-policy.
You may object to having Pinterest process your data at any time by following the steps described in https://help.pinterest.com/en/article/personalization-and-data.
| Data category concerned | Processing purpose | Legal basis for processing | Retention period |
|---|---|---|---|
| Technical data such as: Device information, operating system in sue, device ID, date and time of access | Advertising display to customer segments | Art. 6(1)(f) GDPR | Up to 12 months |
| Behavioural data such as: Registration date, products visited, products ordered, name of pages accessed | Advertising display to customer segments | Art. 6(1)(f) GDPR | Up to 12 months |
19. Opt-out from the range measurement / tracking for marketing purposes
Independently of special opt-out possibilities for the above services, BestSecret also offers a general way to withdraw from all retargeting services controlled by tracking with one click. These services are specifically the personalised advertisements on Google, Facebook, Criteo and Salesforce.
For this, it is sufficient to unselect the option “personalised advertisements” in the My BestSecret menu, under Password and Contact information / Personal Settings.
Unselection (opt-out) usually only takes effect after 48-72 hours for technical reasons.
20. Opt-Out from User Behaviour Analysis
A user behaviour analysis is carried out for the purposes of website optimisation and user experience improvement and is implemented using the services of Google Analytics, Fabrics and Hotjar.
Regardless of the specific opt-out options provided by the above services, BestSecret also offers a blanket solution for preventing the analysis of user behaviour with a single click.
For this, you just have to disable the “Diagnostics & behaviour tracking” option in the My BestSecret menu under the item Password and Contact information / Personal Settings.
Unselection (opt-out) usually only takes effect after 48-72 hours for technical reasons.
21. Newsletter
By accepting to receive the newsletter you agree to receive information on products and promotions of Best Secret GmbH and Schustermann & Borenstein GmbH on a regular basis. This information may be mailed by Best Secret GmbH, Schustermann & Borenstein GmbH or Agnitas AG.
For dispatch of the newsletter, BestSecret also uses the service Salesforce Marketing Cloud, which is operated by the company Salesforce.com Inc., The [email protected] Market Street, Suite 300, San Francisco, California, CA 94105, USA.
In order to make our newsletter even more interesting for you in future, common technologies such as cookies or counting pixels are used in our newsletter. We evaluate your clicks in newsletters with tracking pixels, i.e. invisible picture files and personalised links. They are assigned to your email address and are linked to a dedicated ID in order to clearly link any clicks in the newsletter to your own ID. The user profile serves to coordinate the offer and our services with your interests. The legal basis for this is the legitimate interest purs. to sect. 6 para. 1 sentence 1 lit. f) GDPR.
You may change the frequency or the content of the newsletter in your newsletter settings.
The consent to the newsletter is voluntary and can be revoked at any time. The revocation can take place in the settings in your customer account and, of course, via the logout link in every newsletter.
The following data are processed for newsletter dispatch:
| Designation of the newsletter provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
|---|---|---|---|---|
| Agnitas GmbH, Werner-Eckert-Straße 6, 81829 München, Germany | Contract Processor | NO | / | Not necessary |
| Schustermann & Borenstein GmbH, Margaretha-Ley-Ring 27, 85609 Aschheim, Germany | Controller | NO | / | Not necessary |
| Salesforce.com Inc., The [email protected] Market Street, Suite 300, San Francisco, California, CA 94105, USA | Contract Processor | YES | USA | EU Standard Contract Clauses / EU-US Privacy Shield |
| Data | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Personal data such as: Email address, form of address, first name, last name, gender | Newsletter delivery | Sect. 6 para. 1 s. 1 lit. a GDPR | Until revocation/objection |
| Confirmation of newsletter delivery, time of confirmation, newsletter preferences | Newsletter delivery | Sect. 6 para. 1 s. 1 lit. a GDPR | 3 years after deletion of personal data |
| Revocation of confirmation | Proof of revocation | Sect. 6 para. 1 s. 1 lit. a GDPR | 3 years after deletion of personal data |
22. Direct mail without prior notification
If we have received your e-mail address or postal address in connection with the sale of goods or services, we reserve the right to send you regular offers for products from our assortment by e-mail or post. You can object to the use of your e-mail address for the purpose of direct marketing via a link provided for this purpose in the advertising e-mail, or to the use of your postal address by sending an e-mail to [email protected]
| Designation of the provider | Service provider type | Data transfer to a third country | Third country | Guarantees pursuant to sect. 44 et seqq. GDPR |
|---|---|---|---|---|
| Agnitas GmbH, Werner-Eckert-Straße 6, 81829 München, Germany | Contract Processor | NO | / | Not necessary |
| Salesforce.com Inc., The [email protected] Market Street, Suite 300, San Francisco, California, CA 94105, USA | Contract Processor | YES | USA | EU Standard Contract Clauses / EU-US Privacy Shield |
| optilyz GmbH, neue Schönhauser Str. 19, 10178 Berlin | Contract Processor | NO | / | Not necessary |
| Data | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Personal data such as: Email address, form of address, first name, last name, gender | Marketing | Sect. 6 para. 1 s. 1 lit. f GDPR | Until objection |
| Objection | Proof of objection | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after expiry of purpose, at the latest 90 days after termination of membership |
23. Data usage for customer feedback
We use Zenloop’s services to conduct customer satisfaction surveys. The legal basis for such use is Art. 6(1)(f) GDPR. Survey and contact data are processed for such purposes. For more information about Zenloop’s data processing practices, please see Zenloop’s Privacy Policy (https://www.zenloop.com/en/legal/privacy). If you previously decided to provide customer feedback but no longer wish to do so, you can object to further processing (by contacting us or via the link contained in the e-mail).
| Provider name | Service provider type | Data transfer to a third country | Third country | Guarantees according to Art. 44 et seq. GDPR |
|---|---|---|---|---|
| zenloop GmbH, Brunnenstr. 196, 10119 Berlin | Contract data processor | YES | USA | EU-US Privacy Shield |
| Data category concerned | Processing purpose | Legal basis of processing | Retention period |
|---|---|---|---|
| Survey data, contact information | Conducting and evaluating customer satisfaction surveys | Art. 6(1)(f) GDPR | Erasure after the purpose no longer applies; no later than 90 days after termination of membership |
24. Personalised services
We wish to offer you a personalised shopping experience. Accordingly, we process your data, so that we can provide offerings tailored to your individual needs. As a result of this personalisation process, you are primarily shown content that may be of interest to you. Of course, you still have access to all other data.
For example, we process your clothing size in order to primarily present you with products in your size.
| Recipient | Service provider type | Data transfers to third countries | Third country | Guarantees according to Art. 44 et seq. GDPR |
|---|---|---|---|---|
| Service provider | Processor | YES | USA | EU-US Privacy Shield |
| Data category concerned | Processing purpose | Legal basis for processing | Retention period |
|---|---|---|---|
| Personal data such as: customer number, products purchased, clothing size, vouchers | Personalised display | Art. 6(1)(f) GDPR | Erasure after the purpose no longer applies, no later than 90 days after termination of membership |
25. Shipping status notification
As part of your order, you have the option to consent to have your e-mail address and telephone number sent to the respective shipping provider in order to enable the shipping partner to send you shipment status notifications.
Your consent is voluntary and can be withdrawn at any time. To do so, all you need to do is open the My BestSecret menu under Password and Contact Details/Personal Settings and deselect the option “Delivery tracking”.
| Relevant data category | Processing purpose | Legal basis for processing | Retention period |
|---|---|---|---|
| Personal data such as: e-mail address, telephone number | Disclosure to shipping partner for purposes of delivery tracking | Art. 6(1)(a) GDPR | Until withdrawn |
| Time at which consent is provided | Delivery tracking | Art. 6(1)(a) GDPR | Three years after withdrawal |
| Time at which consent is withdrawn | Verification of withdrawal | Art. 6(1)(a) GDPR | Three years after withdrawal |
26. Inviting friends
We offer you the opportunity to recommend our website to other prospective customers. To do this, navigate to “Invite Friends” in the menu. By clicking on the button “Invite Friends”, you will receive an exclusive invitation link that you can send via social media or by e-mail.
In addition, we store personal data of the person who recommended you. As a closed shopping community, we only accept members who have been recommended by existing members. This data is used for verification and traceability and is necessary for the implementation of the membership contract.
| Data | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Personal data of invitee such as: Email address, invitation message, time of invitation | Implementation of the Membership Agreement | Art. 6 Para. 1 s. 1 lit. b GDPR | Deletion after expiration of purpose, no later than 90 days after membership ends |
| Personal data of the inviter: first name, surname, e-mail | Implementation of the Membership Agreement | Art. 6 Para. 1 1st sentence 1 lit. b DSGVO | Deletion after expiry of purpose, at the latest 90 days after termination of membership |
27. Waiting list
Since we are a closed shopping community and unfortunately can only accept a limited number of members, we offer people who are interested in joining the opportunity to be placed on a waiting list. This option is available when a member sends someone an invitation despite having run out of invitation permissions.
We store the following data in connection with the waiting list:
| Data | Processing purpose | Legal basis for processing | Retention period |
|---|---|---|---|
| Personal data of the invitee such as: First name, surname, email address, registration date and confirmation date | (pre-contractual) measures related to membership | Art. 6(1)(b) GDPR | Deletion once intended purpose no longer applies, no later than 30 days after rejection or unconfirmed invitation by BestSecret. |
28. Competitions
For competitions (prize draws or prize competition), we use your data to inform you if you are a winner and for advertising our offers. For detailed information, see the participation conditions for the respective competitions.
| Data | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Personal data of winner such as: First name, last name, email address, address, and social media contact information | Lottery execution, winning notification, delivery of prices in case of win | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after expiration of purpose |
29. Compliance with customs provisions
Based on various EU regulations (2580/2001/EC, 881/2002/EC and 753/2011/EC) and other statutory specifications, we as a company are required to reconcile our customers' data with publicly available foreign trade and embargo lists before concluding a purchasing contract. We perform this reconciliation because we have an overruling legitimate interest in compliance with legal provisions and must protect ourselves from sanctions and fines (Art. 6 (1) (f) GDPR). We only perform the reconciliation if you order goods from our website and incur a payment obligation. Only the following present data are compared: First name, name and address. The data will be deleted at once after review.
30. Passing on of data
30.1 Sharing data within the corporate group
Best Secret GmbH is part of the S&B Group. As part of our business activities, it is essential for data to be exchanged between branch locations on a regular basis. Exchanging data in this context is essential for Best Secret membership and contract fulfilment. Data is thus exchanged for contract performance in accordance with Art. 6(1)(b) GDPR. The following S&B Group companies may have access to your data within the scope of Group-wide cooperation:
| Controller | Processing purpose | Legal basis of processing |
|---|---|---|
| Best Secret GmbH, Margaretha-Ley-Ring 10, 85609 Aschheim | Membership management as well as the operation and provision of the Best Secret Online Shop | Art. 6(1)(b) GDPR |
| Schustermann & Borenstein GmbH, Margaretha-Ley-Ring 27, 85609 Aschheim | Establishment and defence of legal claims, security department, payment processing, linking the S&B customer card to Best Secret, participation in the S&B bonus programme | Art. 6(1)(b) GDPR |
| Schustermann & Borenstein Logistik GmbH, Parsdorfer Straße 13, 85586 Poing | Package dispatch and returns handling and processing | Art. 6(1)(b) GDPR |
| Schustermann & Borenstein Wien GmbH, Berggasse 16, 1090 Wien | S&B customer card linkage, participation in the S&B bonus programme | Art. 6(1)(b) GDPR |
30.2. Transfers to processors
We use other service providers as contract processors in addition to the service providers expressly referred to above. They process personal data to the extent required. We carefully select and monitor these service providers. They process the data exclusively on our instructions. They include service providers such as IT service providers, marketing service providers and service providers for customer support.
30.3 Sharing data with third parties
Your personal data will only be passed on to third parties if this is required for contract processing or settlement or if you have consented to it in advance. Our business does not include selling such customer information. Data are only passed on in the scope of the presented purposes.
Your personal data will not be transferred to any third parties for any other than the purposes listed.
We shall only pass on your personal data to third parties if:
- you have expressly consented to this,
- forwarding is required for assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding protection-worthy interest in your data not being passed on,
- we are legally required to pass them on, and
- if it is legitimate by law and required for processing contractual relationships with you. In case of data transfer outside of the European Union, the high European data protection level generally does not apply. On transmission, it is possible that there is no current resolution on appropriateness of the EU commission within the meaning of sect. 45 para. 1, 3 GDPR. This means that the EU commission has not positively determined so far that the country-specific data protection level corresponds to the data protection level of the European Union due to the GDPR; therefore, we have created the above suitable guarantees.
Potential recipients include consultants, auditors, lawyers, courts or authorities.
30.4 Data transmission outside the European Union
In case of data transfer outside of the European Union, the high European data protection level generally does not apply. On transmission, it is possible that there is no current resolution on appropriateness of the EU commission within the meaning of sect. 45 para. 1, 3 GDPR. This means that the EU commission has not positively determined so far that the country-specific data protection level corresponds to the data protection level of the European Union due to the GDPR; therefore, we have created the above suitable guarantees.
Possible risks that may not be completely excluded in connection with data transmission specifically include:
- Your personal data may be processed beyond their actual purpose.
- Additionally, it is possible that you cannot sustainably assert and enforce your rights under data protection law, such as your right to information, rectification, erasure or data portability.
- There may also be a higher likelihood that there may be incorrect data processing and the production of the personal data does not fully correspond to the requirements of the GDPR in quantity and quality.
If your data is transferred to a country outside the European Union, we will ensure that your data is adequately protected by means of appropriate and suitable safeguards, such as adequacy decisions and/or EU standard agreements.
31. Instruction on the rights of data subjects
Every data subject has the right to information according to sect. 15 GDPR, the right to rectification according to sect. 16 GDPR, the right of erasure according to section 17 GDPR, the right to restriction of processing according to sect. 18 GDPR, the right to objection from sect. 21 GDPR and the right to data portability from sect. 20 GDPR. The information right and erasure right are subject to the restrictions pursuant to §§ 34 and 35 BDSG or the respective national provisions.
32. Instructions on the complaint options
You also have the right to complain to the competent data protection supervisory authority about processing of your personal data by us.
33. Instruction on revocation of consent
You may revoke your consent granted to us for processing of personal data at any time. This shall also apply to revocation of declarations of consent that were granted to us before the application of the general data protection regulation, i.e. before 25 May 2018. Please note that the revocation will only be effective for the future. Processing that took place before the revocation is not affected by this.
34. Right in case of data processing for operation of direct marketing
You have the right according to sect. 21 para. 2 GDPR to object to processing of the personal data concerning you at any time. If you object to processing for the purpose of direct marketing, we shall no longer process your personal data for these purposes. Please note that the objection will only be effective for the future. Processing that took place before the objection is not affected by this.
35. Note on the objection rights on consideration of interests
As far as we base processing of your personal data on consideration of interests, you may object to processing. When exercising such an objection, please present the reasons why we should not process your personal data as described by us. In case of your justified objection, we will review the situation and shall either cease data processing or adjust it, or explain our mandatory grounds to be protected to you.
36. Links to other websites
Our websites may contain link to websites of other providers. Please note that this data protection statement only applies to the websites of www.BestSecret.com. We cannot influence or control whether other providers comply with the applicable data protection provisions.
37. Changes to the data protection statement
We reserve the right to change or adjust this data protection statement at any time under observation of the applicable data protection provisions.