BestSecret BestSecret BestSecret
Data Protection Statement
As of: 15/10/2020
Best Secret GmbH takes the protection of your personal data very seriously and collects and uses your personal data only in the scope of the applicable statutory provisions.
In order to let you feel safe when visiting our website, we provide you with an overview of how Best Secret GmbH ensures this protection and what kind of data we collect for what purpose below. The data protection statement is available on our website at any time.
1. Information about data processing within the Schustermann & Borenstein Group
1.1 General information
Best Secret GmbH is part of the Schustermann & Borenstein Group (hereinafter S&B Group).
As part of our business activities, it is therefore essential for data to be exchanged between branch locations and divisions on a regular basis in order to promote and facilitate cooperation within the Group. For this reason, central processes are not limited to a single Group company, but also include other Group member companies. Companies within the S&B Group therefore work together in many areas and act as so-called joint controllers within the meaning of data protection law.
1.2 Information about the primary contents of the contract in the case of joint controller authority within the S&B Group
In light of their joint role, the member companies of the S&B Group have concluded a contract as joint controllers within the meaning of sect. 26 in conjunction with sect. 4(7) GDPR to guarantee the security of processing and the effective exercise of your rights.
Without limitation, this contract addresses the following points:
- Subject, purpose, means and scope as well as competences and responsibilities with regard to data processing
- Providing information to data subjects
- Fulfilment of other rights of data subjects
- Security of processing
- Involvement of contract data processors
- Procedure in the event of personal data breaches
- Other common and reciprocal obligations
- Cooperation with supervisory authorities
- Liability
2. Controller and Data Privacy Officer
The controller responsible for processing your personal data is the S&B Group as joint controllers. In particular, you may contact Best Secret GmbH, Margaretha-Ley-Ring 10, 85609 Aschheim, Germany (hereinafter referred to as BestSecret) in order to assert your rights. Member companies belonging to the S&B Group have each appointed a data protection officer. You may contact the controllers and the data protection officer at:
| Data processing controller | Data protection officer of the controller |
|---|---|
| Best Secret GmbH represented by Marian Gradl-Schikora, Daniel Schustermann, Ralph Goedecke and Claudius Peleskei Margaretha-Ley-Ring 10, 85609 Aschheim, Germany. Phone: +49 (0) 89 / 357 68 04 40 Email: [email protected] | Best Secret GmbH Data protection officer Margaretha-Ley-Ring 10, 85609 Aschheim, Germany. Email: [email protected] |
3. Appropriate safeguards for processing personal data in third countries.
If we use service providers outside the EU or the European Economic Area (EEA), we take appropriate and suitable measures to ensure a sufficient level of data protection when transmitting personal data in accordance with Art. 44 et seq. GDPR, e.g. conclusion of EU standard contracts, additional technical and organisational measures such as encryption or anonymisation. Please note that despite the careful selection and obligation of a service provider, the latter may process data outside the EU/EEA or be subject to another jurisdiction owing to the location of its registered office and may not provide an adequate level of data protection. If the data is transferred to the USA, there is a risk that your data may be processed by US authorities for control and monitoring purposes; in such cases, it may be possible that you are not entitled to any legal remedies.
4. General data collection when calling our website
If you use our website for information only, i.e. if you do not register or otherwise submit any information to us, we will only collect the personal data your browser submits to our server. These data are technically required for us in order to show our website to you and to ensure stability and safety (the legal basis for this is our legitimate interest pursuant to sect. 6 para. 1 s. 1 lit. f GDPR).
For technical reasons, these are saved by default as logfiles (protocol files).
| Data | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call | Optimised website representation Ensuring proper website operation | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 21 days at most |
| IP address | Ensuring proper website operation | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after 21 days at most |
5. Data collection on login/registration on our website
If you log in or register at www.BestSecret.com, personal, behaviour-related and technical data will be saved.
Technical data will be saved anonymised and evaluated. Anonymised means that we cannot assign the data to a determined or determinable natural person, or that we would do so only with disproportional effort of time, costs and labour. We will evaluate these anonymised data in order to further improve the function of the shop and to make it more user-friendly.
In the scope of reconciliation of interests according to sect. 6 para. 1 lit. b GDPR, we have observed and considered our interest in provision of the data and your interest in data-protection-compatible processing of your personal data.
The following data are required for provision of our service in order to offer you our website and to ensure stability and safety, in particular to protect against abuse. Accordingly, we can - while ensuring data protection aligned with the state of the art – process these data, while appropriately considering your interest in processing them in a manner compatible with data protection.
| Data | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Personal information such as: Name, email address, ... | Registration purposes Customer communication | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after expiration of purpose or until expiration of the obligation to preserve business records relating to commercial and tax law. |
| Behaviour-related data such as: Last login, registration date, visited product pages, ... | Customer communication Measure of success Determination of target group for advertising purposes | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after expiration of purpose, no later than 90 days after membership ends |
Collection of the data for provision of the website and recording of the data in logfiles is mandatory for operation of the website. Accordingly, the user cannot object to this.
6. Data collection and use in the scope of provision
The information that we receive from you helps us process your orders as smoothly as possible, to improve our service to you and to prevent abuse and fraud.
We use your data for the processing of orders and payments, delivery of the goods and rendering of services. In the scope of order processing, e.g. the service providers used by us here (such as transporters, logisticans, banks) will receive the data needed to process orders and purchase orders.
Whether additional data, such as the email address, should be passed on to report the specific delivery date or not can be indicated and changed in the ordering process or at any time in your personal settings.
As part of the payment processing, we will share your payment data with the respective payment service provider. Please note that many of these recipients have an independent right or obligation to process your personal data, e.g. Wirecard Bank AG (https://www.wirecardbank.com/GDPR) or AfterPay (https://documents.myafterpay.com/privacy-statement/en_de/11309). If you would like more information about the recipients, please contact [email protected].
For more detailed information on data protection on this, see our data protection information for customers that we have provided to you here: Link to information requirements
7. Tracking Technologies
7.1 General information
We use tracking technologies such as cookies in order to improve our website and to make it as user-friendly as possible. Cookies are small text files that are stored on your computer’s operating system when you access our website. Amongst other things, cookies contain a distinctive character string that enables unique identification of your browser when you return to our website. Cookies store additional information, such as your language setting, the length of your visit to our website or certain entries you may have made whilst there. This avoids having to re-enter all required data each time you use our website. Cookies also enable us to recognise your preferences and to tailor our website to match your areas of interest.
Cookies store additional information, such as your language setting, the length of your visit to our website or certain entries you may have made whilst there. This avoids having to re-enter all required data each time you use our website. Cookies also enable us to recognise your preferences and to tailor our website to match your areas of interest.
7.2 Type of tracking technologies in use
We differentiate between tracking technologies that are technically necessary for the website, tracking to optimise our website/app and tracking related to personalised advertising.
7.2.1 Technically necessary tracking technologies
We use cookies within the scope of the technically necessary tracking technologies. These cookies are necessary for the operation of a website/app and its functions. These include session cookies and cookies that store certain user preferences (e.g. shopping cart, language preferences, gender preferences, or login information), opt-out cookies, cookies from payment service providers that are stored to complete the payment process, cookies from shipping service providers that are used to track shipments, or the Google Tag Manager to manage your tracking preferences. The legal basis for the use of technically necessary tracking technologies is our legitimate interest pursuant to sect. 6 para. 1 s. 1 lit f GDPR.
However, it is possible to disable these cookies by changing the settings in your browser.
7.2.2 Tracking for purposes of website/app optimisation (optimisation & performance)
Tracking for optimisation and performance purposes aids in analysing user behaviour on the BestSecret website and app as part of a performance analysis or for statistical purposes. BestSecret can optimise the user-friendliness of the shop and correct possible errors on the basis of these evaluations.
Tracking technologies for purposes of optimisation and performance include:
- Google Analytics & Optimize
- Fabric (Crashlytics)
- Firebase
- Hotjar
The exact mode of operation, and the relevant data categories, for each individual tracking technology will be described in more detail below, starting at no. 8.
Tracking for purposes of optimisation and performance is only used if you have given us your consent in accordance with sect. 6 para. 1 s. 1 lit. a GDPR. This consent covers both the website and its mobile applications. You can revoke your consent at any time by deselecting the tracking setting 'Optimisation & performance' in the cookie settings of the footer. For technical reasons, this opt-out usually only becomes effective after 48–72 hours. When using the app, you can speed this up by restarting the app.
We use the consent management tool ‘Usercentrics Consent Management Platform’ provided by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany, to manage your tracking settings. The following data is stored as part of this process:
| Data category concerned | Processing purpose | Legal basis for processing | Retention period |
|---|---|---|---|
| Tracking setting (including consent or rejection, time) | Verification purposes | Sect. 6 para. 1 s. 1 lit. f GDPR
| Three years after withdrawal of consent or deletion of the account |
| Device data or data from any devices in use (including shortened IP address and time) | Verification purposes | Sect. 6 para. 1 s. 1 lit. f GDPR
| Three years after withdrawal of consent or deletion of the account |
| User Identifier | Verification purposes | Sect. 6 para 1 s. 1 lit. f GDPR
| Three years after withdrawal of consent or deletion of the account |
7.2.3 Tracking for purposes of personalisation
Tracking for purposes of personalised advertising is used to create personalised advertising tailored to your interests on our websites/app or on websites operated by our advertising partners as well as for other marketing purposes.
Tracking technologies for purposes of personalisation include::
- Google Ad, Audiences and Conversion Tracking
- Google Marketing Platform
- Criteo
- Salesforce
- Facebook Custom Audiences
- RTB House
- Other Affiliate Pixels
The exact mode of operation for each individual tracking technology will be described in more detail below, starting at no. 8.
Tracking for purposes of personalisation is only used if you have given us your consent in accordance with sect. 6 para. 1 s. 1 lit. a GDPR. This consent covers both the website and its mobile applications. You can revoke your consent at any time by deselecting the tracking setting 'Personalisation' in the cookie settings of the footer. For technical reasons, this opt-out usually only becomes effective after 48–72 hours. When using the app, you can speed this up by restarting the app.
We use the consent management tool ‘Usercentrics Consent Management Platform’ provided by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany, to manage your tracking settings. The following data is stored as part of this process:
| Data category concerned | Processing purpose | Legal basis for processing | Retention period |
|---|---|---|---|
| Tracking setting (including consent or rejection, time) | Verification purposes | Sect. 6 para. 1 s.1 lit. f GDPR
| Three years after withdrawal of consent or deletion of the account |
| Device data or data from any devices in use (including shortened IP address and time) | Verification purposes | Sect. 6 para. 1 s.1 lit. f GDPR
| Three years after withdrawal of consent or deletion of the account |
| User Identifier | Verification purposes | Sect. 6 para. 1 s.1 lit. f GDPR
| Three years after withdrawal of consent or deletion of the account |
8. Google Tag Manager
For reasons of transparency, please note that we use Google Tag Manager. Google Tag Manager itself does not record any personal data. Tag Manager makes it easier for us to integrate and manage our tags. Tags are small code elements that serve, among others, to measure traffic and visitor behaviour, to record the effects of online advertisements and social channels, remarketing or retargeting and setting up alignment with target and testing and optimising websites. For further information on the Google Tag Manager, see https://www.google.com/analytics/tag-manager/use-policy/.
| Designation of the provider | Service provider type | Data transfer to a third country | Third country |
|---|---|---|---|
| Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Contract processor | YES | USA |
9. Google Analytics & Google Optimize
This website uses Google Analytics, a web analysis service of Google Inc. In addition, we use Google Optimize. Google Optimize analyses the use of different variants of our website and helps us to improve user-friendliness based on the behaviour of our users on the website. Google Optimize is a tool associated with Google Analytics.
Google Analytics and Google Optimize use “cookies”, i.e. text files that are stored on your computer and that permit analysis of your use of the website. The information produced by the cookie regarding your use of this website is usually transferred to a server of Google in the USA and saved there. Due to activation of IP anonymisation on these websites, your IP address will be abbreviated first by Google within member states of the European Union or in other contracting states of the convention on the European Economic area. Only in exceptions will your full IP address be transferred to a server of Google in the USA and abbreviated there. The IP address submitted by your browser in the scope of Google Analytics and Google Optimize will not be combined with any other data of Google. On the order of the operator of this website, Google will use this information to evaluate your use of the website, in order to compile reports on the website activities and to render further services connected to website use and internet use towards the website operator. The data sent by us and linked to cookies, user IDs (e.g. User-ID) or advertising IDs are automatically deleted after 26 months. Erasure of data the archiving period of which has expired shall take place automatically once per month. For more detailed information on usage conditions and data protection, see www.google.com/analytics/terms or under https://policies.google.com.
| Designation of the provider | Service provider type | Data transfer to a third country | Third country |
|---|---|---|---|
| Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Contract processor | YES | USA |
| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Evaluation of customer behaviour | Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion after 26 months at most |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Evaluation of customer behaviour | Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion after 26 months at most |
| User ID, device ID | Evaluation of user behaviour on different devices/browsers | Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion after 26 months at most |
10. Google AdWords, Audiences, and Conversion Tracking
In order to draw attention to our services, we place Google AdWords advertisements and use Google Conversion-Tracking and the Google Tag Manager in the scope of this for the purpose of personalised interest- and site-based online advertisements. The option of anonymising the IP-addresses is controlled via an internal setting in the Google Tag Manager that is not visible in the source of this page. This internal setting is made so that the anonymisation of IP addresses required by the Federal Data Protection Act is achieved.
The ads are displayed after search requests on websites of the Google advertising network. Detailed information on the Google advertising network can be found at https://support.google.com/adwords/answer/1752334?hl=en. We are able to combine our ads with certain search terms. We can use cookies to place ads on our website based on the previous visits of a user.
When clicking an ad, Google sets a cookie on the user's computer. Further information on the cookie technology used can also be found among the notes of Google on the website statistics under https://services.google.com/sitestats/en.html and in the data protection provisions under https://policies.google.com/privacy?hl=en.
With the help of this technology, Google and we as the customer receive information that a user clicked an ad and has been forwarded to our websites. The information acquired here is used only for a statistical evaluation for ad optimisation. We will not receive any information with which the visitors can be identified in person. The statistics provided to us by Google contain the overall number of users who clicked one of our ads and, if applicable, whether they were forwarded to a page of our website with a conversion tag. We can use these statistics to determine for which search terms our ad was clicked particularly often and which ads lead to contact by the user via the contact form.
| Designation of the provider | Service provider type | Data transfer to a third country | Third country |
|---|---|---|---|
| Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Contract processor | YES | USA |
| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion after 26 months at most |
| Behaviour-related data such as: registration date, visited product pages, ordered products, name of called website, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion after 26 months at most |
11. Google Marketing Platform
Furthermore, we use Google Marketing Platform, a service of Google Inc. Google Marketing Platform uses cookies to place user-based ads. The cookies recognise which ad has already been shown in your browser and whether you called a website using a displayed ad. The cookies do not record any personal information and also cannot be connected to these.
For more information on how Google uses cookies, see the data protection statement of Google.
| Designation of the provider | Service provider type | Data transfer to a third country | Third country |
|---|---|---|---|
| Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Contract processor | YES | USA |
| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion after 26 months at most |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion after 26 months at most |
12. Hotjar
Our website has Hotjar integrated (https://www.hotjar.com). Hotjar enables us to record and evaluate user behaviour (e.g. mouse movements, clicks, scrolling height) on our websites. For this purpose, Hotjar uses cookies on end units of the users and is able to save the data of users anonymised, e.g. concerning browser information, operating system, time spent on the page. Learn more about Hotjar under the following link: https://www.hotjar.com/privacy.
| Designation of the provider | Service provider type | Data transfer to a third country | Third country |
|---|---|---|---|
| Hotjar, 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta | Contract processor | NO | / |
| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Analysis of customer behaviour towards website optimisation | Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion after 12 months at most |
| Behaviour-related data such as: Visited product pages, browsing behaviour on website, visited pages ... | Analysis of customer behaviour towards website optimisation | Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion after 12 months at most |
13. Criteo
On our pages, we collect information on the surfing behaviour of the website visitors for marketing purposes in a pseudonymised form using the technology of Criteo; cookies and web pixels are placed for this. This way, Criteo can analyse surfing behaviour and then display targeted product recommendations as matching advertising banners when other websites are visited. For this purpose, cookies from our partner websites are also placed via pixels. In no case must the anonymised data be used to personally identify the visitor of the website. The data collected by Criteo are only used to improve the advertising offer.
You can generally learn more about the data protection statement and data protection directives at Criteo at https://www.criteo.com/privacy/.
| Designation of the provider | Service provider type | Data transfer to a third country | Third country |
|---|---|---|---|
| Criteo GmbH, Lehel Carré, Gewuerzmuehlstraße 11, 80538 Munich, Germany | Controller | NO | / |
| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion after 13 months at most |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion after 13 months at most |
| User ID, device ID | Evaluation of user behaviour on different devices/browsers to deliver ads on different end devices | Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion after 13 months at most |
14. Salesforce
For customer support, we use the Customer Relationship Management module “Salesforce Marketing Cloud” and “Salesforce Service Cloud” by Salesforce.com Inc. The data are processed in the USA. Further information on the Salesforce Marketing Cloud and Salesforce Service Cloud and the processed data is available at https://www.salesforce.com/company/privacy/.
If you give your express consent, these technologies will also evaluate information about user behaviour on websites, mobile apps, emails, push messages, in-app messages and other communications for marketing purposes. This is done using cookies and web pixels, as well as the iGoDigital tracking service, which is part of Salesforce. The information collected in this manner will be associated with your email address and is linked to a unique ID in order to clearly associate clicks in communications with you. The purpose of the user profile is to tailor our offerings and our services to your interests and to improve or marketing offerings and communications for you.
| Designation of the provider | Service provider type | Data transfer to a third country | Third country |
|---|---|---|---|
| Salesforce.com Inc., The Landmark @ One Market Street, Suite 300, San Francisco, California, CA 94105, USA | Contract processor | YES | USA |
| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Creation of profiles as part of the Salesforce CRM systems | Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion after expiration of purpose, no later than 90 days after membership ends |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, Products on the wish list |
| Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion after expiration of purpose, no later than 90 days after membership ends |
| User ID, device ID |
| Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion after expiration of purpose, no later than 90 days after membership ends |
15. Facebook Custom Audiences
In the scope of usage-based online advertisements, the project Custom Audiences by Facebook is also used on the website. A Facebook cookie is set for this. We record information on your activities on the website and behaviour-related files via Facebook pixels in the scope of this.
The cookies do not record any personal information and also cannot be connected to these.
Further information on the purpose and scope of the data collection and further processing and use of the data as well as the privacy settings can be taken from the data protection directives of Facebook.
| Designation of the provider | Service provider type | Data transfer to a third country | Third country |
|---|---|---|---|
| Facebook Inc. 1601 WILLOW ROAD MENLO PARK, CA 94025, USA | Contract processor | YES | USA |
| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. a GDPR | 12 months at most, currently 6 months |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. a GDPR | 12 months at most, currently 6 months |
16. RTB House
We use the technology of RTB House SA on our pages to collect information on the surfing behaviour of the website visitors for marketing purposes in a pseudonymised form by setting cookies and web pixels. This way, RTB House can analyse surfing behaviour and then display targeted product recommendations as matching advertising banners when other websites are visited. In no case must the anonymised data be used to personally identify the visitor of the website. The data collected by RTB House are only used to improve the advertising offer.
You can generally learn about the data protection statement and data protection directive at RTB House at https://www.rtbhouse.com/privacy/.
| Designation of the provider | Service provider type | Data transfer to a third country | Third country |
|---|---|---|---|
| RTB House SA, Zlota 61/101, 00-819, Warsaw, Poland | Contract processor | NO | / |
| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion after 13 months at most |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Ad delivery for customer segments | Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion after 13 months at most |
| User ID, device ID | Evaluation of user behaviour on different devices/browsers to deliver ads on different end devices | Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion after 13 months at most |
17. Fabric
In our mobile applications on Android and iOS we have integrated Fabric Crash Analytics (https://fabric.io/kits/android/crashlytics) for the purposes of detecting and reporting crashes and non-fatal crashes in the app. This information is used to improve the application performance and stability. For these purposes technical data such as the mobile device id, device type, model, operating system and approximate location of the mobile device is transmitted to provide more reliable analysis, for example to determine whether the issue is specific to one device type or to multiple devices.
For more detailed information on usage conditions and data protection, see https://fabric.io/terms.
| Designation of the provider | Service provider type | Data transfer to a third country | Third country |
|---|---|---|---|
| Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Contract processor | YES | USA |
| Affected data category | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ... | Evaluation of customer behaviour | Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion no later than 180 days |
| Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ... | Evaluation of customer behaviour | Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion no later than 180 days |
| User ID, device ID | Evaluation of user behaviour on different devices/browsers | Sect. 6 para. 1 s. 1 lit. a GDPR | Deletion no later than 180 days |
18. Firebase
We use technology from Google Firebase (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, “Google”) with various functionalities in our apps. Firebase uses so-called “Instance IDs” to memorise individual settings within the mobile app. Because each Instance ID is unique to a mobile app and the mobile device you are using, Firebase is able to evaluate and respond to specific events within the mobile app. Information generated by the Instance ID about your use of this mobile app on your mobile device is generally sent to a Google server in the United States and stored there. Google ensures that the IP address is anonymised immediately if the IP address is also sent.
For more information, see Firebase’s Terms of Use and and Privacy Notice.
| Provider name | Service provider type | Data transfers to third countries | Third country |
|---|---|---|---|
| Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland | Processor | YES | USA |
The following functionalities are used specifically:
Firebase Remote Config
Firebase Remote Config enables the configuration of app settings. We can change the behaviour and appearance of your app on the user device without having to completely reinstall it from the app store. Find out all you need to know about how Remote Config works here.
| Data category concerned | Processing purpose | Legal basis for processing | Retention period |
|---|---|---|---|
| Technical data such as: operating system in use, browser type and version, device (smartphones, tablets or other device), date and time of access, etc. | App optimisation | Sect. 6 para. 1 s. 1 lit. a GDPR | Erasure after achievement of purpose; no later than 180 days after request |
| Instance ID | App optimisation | Sect. 6 para. 1 s. 1 lit. a GDPR | Erasure after achievement of purpose; no later than 180 days after request |
Firebase Performance Monitoring
Firebase Performance Monitoring allows us to track the performance of the app and respond to specific incidents within the app. Find out more information here.
| Data category concerned | Processing purpose | Legal basis for processing | Retention period |
|---|---|---|---|
| Technical data such as: operating system in use, browser type and version, device (smartphones, tablets or other device), date and time of access, etc. | App optimisation | Sect. 6 para. 1 s. 1 lit. a GDPR | Erasure after achievement of purpose; no later than 180 days after request |
| Instance ID | App optimisation | Sect. 6 para. 1 s. 1 lit. a GDPR | Erasure after achievement of purpose; no later than 180 days after request |
19. Pinterest Ads
In addition, we use the Pinterest plugin provided by Pinterest Europe Limited, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland. This allows us to track the behaviour of users after they have viewed a Pinterest advertisement. We can also use the Pinterest tag to measure the conversion rate of a campaign. This means that the Pinterest tag allows us to evaluate the effectiveness of a Pinterest ad, optimise future advertising campaigns and to make them more user-friendly. We are not able to identify users from the data collected. However, this data is also stored by Pinterest and can be associated with a user profile and used for marketing purposes. You can find more information about data protection at https://policy.pinterest.com/en/privacy-policy.
| Data category concerned | Processing purpose | Legal basis for processing | Retention period |
|---|---|---|---|
| Technical data such as: Device information, operating system in sue, device ID, date and time of access | Advertising display to customer segments | Sect. 6 para. 1 s. 1 lit. a GDPR | Up to 12 months |
| Behavioural data such as: Registration date, products visited, products ordered, name of pages accessed | Advertising display to customer segments | Sect. 6 para. 1 s. 1 lit. a GDPR | Up to 12 months |
20. Affiliate Pixels
We use affiliate marketing, i.e. we provide various distribution partners (so-called affiliates) with advertising material which these affiliates then use on their websites or other channels. Affiliates are remunerated for this based on click rates, memberships and/or purchases. A pixel is placed for purposes of calculating remuneration.
The following data ist transmitted as part of this process:
| Data category concerned | Processing purpose | Legal basis for processing | Retention period |
|---|---|---|---|
| Click rate, number of new memberships, purchases, user identifiers and other relevant data | Affiliate marketing | Sect. 6 para. 1 s. 1 lit. a GDPR
| Deletion after purpose no longer applies |
21. Newsletter
By agreeing to receive the newsletter, you agree to regularly receive information about sales promotions, product recommendations, vouchers and VIP status at Best Secret GmbH and Schustermann & Borenstein GmbH, Margaretha-Ley-Ring 27, 85609 Aschheim, Germany.
For dispatch of the newsletter, BestSecret also uses the service Salesforce Marketing Cloud, which is operated by the company Salesforce.com Inc., The [email protected] Market Street, Suite 300, San Francisco, California, CA 94105, USA.
In order to make our newsletter even more interesting for you in future, common technologies such as cookies or counting pixels are used in our newsletter. We evaluate your clicks within the newsletter using so-called tracking pixels, i.e. invisible image files, as well as personalised links and embedded links (link wrapping). They are assigned to your email address and are linked to a dedicated ID in order to clearly link any clicks in the newsletter to your own ID. The user profile serves to coordinate the offer and our services with your interests. The legal basis for this is the legitimate interest purs. to sect. 6 para. 1 s. 1 lit. a) GDPR. We do so based on your cookie settings.
We also use certain information (e.g. gender, postcode, VIP status) to appropriately segment and personalise our newsletter. The legal basis for this is our legitimate interest according to Art. 6(1)(f) GDPR.
You may change the frequency or the content of the newsletter in your newsletter settings.
The consent to the newsletter is voluntary and can be revoked at any time. The revocation can take place in the settings in your customer account and, of course, via the logout link in every newsletter.
The following data are processed for newsletter dispatch:
| Designation of the newsletter provider | Service provider type | Data transfer to a third country | Third country |
|---|---|---|---|
| Schustermann & Borenstein GmbH, Margaretha-Ley-Ring 27, 85609 Aschheim, Germany | Controller | NO | / |
| Salesforce.com Inc., The [email protected] Market Street, Suite 300, San Francisco, California, CA 94105, USA | Contract Processor | YES | USA |
| Data | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Personal data such as: Email address, form of address, first name, last name, gender | Newsletter delivery | Sect. 6 para. 1 s. 1 lit. a GDPR | Three years after withdrawal of consent or deletion of the account |
| Confirmation of newsletter delivery, time of confirmation, newsletter preferences | Newsletter delivery | Sect. 6 para. 1 s. 1 lit. a GDPR | Three years after withdrawal of consent or deletion of the account |
| Revocation of confirmation | Proof of revocation | Sect. 6 para. 1 s. 1 lit. a GDPR | Three years after withdrawal of consent or deletion of the account |
| Behavioural data such as: opening and click rate | Analysis of user behaviour and/or creation of personalised advertising | Art. 6(1)(a) GDPR | Erasure after the purpose no longer applies; no later than 90 days after termination of membership |
| Personal data such as: gender, postcode or purchases | Segmentation or personalisation | Art. 6(1)(f) GDPR | Erasure after the purpose no longer applies; no later than 90 days after termination of membership |
22. Direct mail without prior notification
If we have received your e-mail address or postal address in connection with the sale of goods or services, we reserve the right to send you regular offers for products from our assortment by e-mail or post. For purposes of postal advertising using the Salesforce Marketing Cloud, we use the Salesforce service provider Optilyz, Neue Schönhauser Str. 19, 10178 Berlin, Germany. Direct mail can be segmented based on demographic data, such as postcode or VIP status. You can object to the use of your e-mail address for the purpose of direct marketing via a link provided for this purpose in the advertising e-mail, or to the use of your postal address by sending an e-mail to [email protected].
| Designation of the provider | Service provider type | Data transfer to a third country | Third country |
|---|---|---|---|
| Salesforce.com Inc., The [email protected] Market Street, Suite 300, San Francisco, California, CA 94105, USA | Contract Processor | YES | USA |
| optilyz GmbH, Neue Schoenhauser Str. 19, 10178 Berlin, Germany | Contract Processor | NO | / |
| Data | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Personal data such as: Email address, form of address, first name, last name, gender | Marketing | Sect. 6 para. 1 s. 1 lit. f GDPR | Until objection |
| Demographic data such as: postcode, most recent purchase or VIP status | Sending a marketing campaign/personalisation | Art. 6(1)(f) GDPR | Until objection |
| Objection | Proof of objection | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after expiry of purpose, at the latest 90 days after termination of membership |
23. Push notifications, in-app messages and inbox messages in the app
23.1 Push notifications
In our app, you have the option to provide your consent to receive push notifications. Push notifications are regular on-screen messages about your membership, sales promotions and the latest trends. You can switch these notifications on and off at any time using the app settings on your mobile device, thus giving or withdrawing your consent as applicable. If you subscribe to push notifications, the device ID of your mobile device will be sent to the service that provides the push function for your operating system (for Android: Google Cloud Messaging; for iOS: Apple Push Notification Service). A so-called identifier (‘Push Notification Identifier’) is created as part of this process, which is then used for further communication with the BestSecret PushServer. The Identifier does not permit identification of the user. BestSecret uses the Salesforce Marketing Cloud service to send these messages. This service is operated by Salesforce.com Inc, The [email protected] Market Street, Suite 300, San Francisco, California, CA 94105, USA.
We also use certain information (e.g. gender, postcode, purchases) to appropriately segment and personalise our push messages and in-app messages. The legal basis for this is our legitimate interest according to Art. 6(1)(f) GDPR.
| Data category concerned | Processing purpose | Legal basis for processing | Retention period |
|---|---|---|---|
| Push Notifications Identifier | Sending the push notification | Art. 6(1)(f) GDPR | Erasure after the purpose no longer applies; no later than 90 days after termination of membership |
| Personal data such as: first name, last name or gender, VIP status or vouchers | Creating the push notification | Art. 6(1)(f) GDPR | Erasure after the purpose no longer applies; no later than 90 days after termination of membership |
23.2 In-app and inbox messages
We also use in-app and inbox messages in our app. These messages show you information about sales promotions, vouchers or your VIP status within the app. BestSecret uses the Salesforce Marketing Cloud service to send these message. This service is operated by Salesforce.com Inc, The [email protected] Market Street, Suite 300, San Francisco, California, CA 94105, USA.
We also use certain information (e.g. gender, postcode, purchases) in in-app and inbox messages to appropriately segment and personalise our push messages and in-app messages. The legal basis for this is our legitimate interest according to Art. 6(1)(f) GDPR.
| Data category concerned | Processing purpose | Legal basis for processing | Retention period |
|---|---|---|---|
| Device ID and app ID | Creating the in-app message | Art. 6(1)(f) GDPR | Erasure after the purpose no longer applies; no later than 90 days after termination of membership |
| Personal data such as: first name, last name or gender, VIP status or vouchers | Creating the in-app message | Art. 6(1)(f) GDPR | Erasure after the purpose no longer applies; no later than 90 days after termination of membership |
23.3 Tracking in-push notifications, in-app messages and inbox messages
In order to make our push notifications, in-app messages and inbox messages even more interesting for you in future, we evaluate what you open and click, as well as dwell time, among other things, with the aid of personalised links and embedded links (link wrapping). All data collected in this manner is linked to your subscriber ID. The purpose of the user profile is to tailor our offerings and our services to your interests. This is only done if you have given us your consent as part of the cookie opt-in in accordance with Art. 6(1)(a) GDPR.
| Data category concerned | Processing purpose | Legal basis for processing | Retention period |
|---|---|---|---|
| Behavioural data such as: open and click rate, dwell time | Analysis of user behaviour | Art. 6(1)(a) GDPR | Erasure after the purpose no longer applies; no later than 90 days after termination of membership |
24. Data usage for customer feedback
We use Zenloop’s services to conduct customer satisfaction surveys. The legal basis for such use is sect. 6 para. 1 s.1 lit. f GDPR. Survey and contact data are processed for such purposes. For more information about Zenloop’s data processing practices, please see Zenloop’s Privacy Policy (https://www.zenloop.com/en/legal/privacy). If you previously decided to provide customer feedback but no longer wish to do so, you can object to further processing (by contacting us or via the link contained in the e-mail).
| Provider name | Service provider type | Data transfer to a third country | Third country |
|---|---|---|---|
| Zenloop GmbH, Brunnenstr. 196, 10119 Berlin, Germany | Contract data processor | YES | USA |
| Data category concerned | Processing purpose | Legal basis of processing | Retention period |
|---|---|---|---|
| Survey data, contact information | Conducting and evaluating customer satisfaction surveys | Sect. 6 para. 1 s. 1 lit. f GDPR | Erasure after the purpose no longer applies; no later than 90 days after termination of membership |
25. Shipping status notification
As part of your order, you have the option to consent to have your e-mail address and telephone number sent to the respective shipping provider in order to enable the shipping partner to send you shipment status notifications.
Your consent is voluntary and can be withdrawn at any time. To do so, all you need to do is open the My BestSecret menu under Password and Contact Details/Personal Settings and deselect the option “Delivery tracking”.
| Relevant data category | Processing purpose | Legal basis for processing | Retention period |
|---|---|---|---|
| Personal data such as: e-mail address, telephone number | Disclosure to shipping partner for purposes of delivery tracking | Sect. 6 para. 1 s. 1 lit. f GDPR | Until withdrawn |
| Time at which consent is provided | Delivery tracking | Sect. 6 para. 1 s. 1 lit. f GDPR | Three years after withdrawal |
| Time at which consent is withdrawn | Verification of withdrawal | Sect. 6 para. 1 s. 1 lit. f GDPR | Three years after withdrawal |
26. Inviting friends
We offer you the opportunity to recommend our website to other prospective customers. To do this, navigate to “Invite Friends” in the menu. By clicking on the button “Invite Friends”, you will receive an exclusive invitation link that you can send via social media or by e-mail.
In addition, we store personal data of the person who recommended you. As a closed shopping community, we only accept members who have been recommended by existing members. This data is used for verification and traceability and is necessary for the implementation of the membership contract.
| Data | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Personal data of invitee such as: Email address, invitation message, time of invitation | Implementation of the Membership Agreement | Sect. 6 para. 1 s. 1 lit. b GDPR | Deletion after expiration of purpose, no later than 90 days after membership ends |
| Personal data of the inviter: first name, surname, e-mail | Implementation of the Membership Agreement | Sect. 6 para. 1 s. 1 lit. b GDPR/p> | Deletion after expiry of purpose, at the latest 90 days after termination of membership |
27. Waiting list
Since we are a closed shopping community and unfortunately can only accept a limited number of members, we offer people who are interested in joining the opportunity to be placed on a waiting list. This option is available when a member sends someone an invitation despite having run out of invitation permissions.
We store the following data in connection with the waiting list:
| Data | Processing purpose | Legal basis for processing | Retention period |
|---|---|---|---|
| Personal data of the invitee such as: First name, surname, email address, registration date and confirmation date | (pre-contractual) measures related to membership | Sect. 6 para. 1 s. 1 lit. b GDPR | Deletion once intended purpose no longer applies, no later than 30 days after rejection or unconfirmed invitation by BestSecret. |
28. Competitions
For competitions (prize draws or prize competition), we use your data to inform you if you are a winner and for advertising our offers. For detailed information, see the participation conditions for the respective competitions.
| Data | Purpose of processing | Legal basis of processing | Duration of storage |
|---|---|---|---|
| Personal data of winner such as: First name, last name, email address, address, and social media contact information | Lottery execution, winning notification, delivery of prices in case of win | Sect. 6 para. 1 s. 1 lit. f GDPR | Deletion after expiration of purpose |
29. Compliance with customs provisions
Based on various EU regulations (2580/2001/EC, 881/2002/EC and 753/2011/EC) and other statutory specifications, we as a company are required to reconcile our customers' data with publicly available foreign trade and embargo lists before concluding a purchasing contract. We perform this reconciliation because we have an overruling legitimate interest in compliance with legal provisions and must protect ourselves from sanctions and fines (sect. 6 para. 1 s. 1 lit. c GDPR). We only perform the reconciliation if you order goods from our website and incur a payment obligation. Only the following present data are compared: First name, name and address. The data will be deleted at once after review.
30. Data processing on our careers site
Our careers site provides information about job openings at the BestSecret ¦ Schustermann & Borenstein Group. You can find more information about data processing on the careers site here.
31. Data processing in connection with the Ambassador programme
The BestSecret Ambassador Program is for everyone who is enthusiastic about our brand and wants to promote it together. Our brand ambassadors inspire our community and earn real money through the Ambassador Program. A successful application is required for participation in the Ambassador Programme. As part of the application process, we process contact details and review whether the blog or social medial channel conforms to our requirements. The legal basis processing data as part of the application process is sect. 6 para. 1 s. 1 lit. b GDPR. If the applicant is accepted into the Ambassador Programme, invoicing and payment data, as well as information required for calculating commissions, will be processed on the basis of sect. 6 para. 1 s. 1 lit. b GDPR.
| Data category concerned | Processing purpose | Legal basis for processing | Retention period |
|---|---|---|---|
| Information about the relevant social media channel | Application/Implementation of the Ambassador Programme | Sect. 6 para. 1 s. 1 lit. b GDPR | Deletion after the relevant purpose no longer applies and/or statutory retention periods lapse. |
| Contact and communication data | Application/Implementation of the Ambassador Programme | Sect. 6 para. 1 s. 1 lit. b GDPR | Deletion after the relevant purpose no longer applies and/or statutory retention periods lapse. |
| Invoicing and payment data | Application/Implementation of the Ambassador Programme | Sect. 6 para. 1 s. 1 lit. b GDPR | Deletion after the relevant purpose no longer applies and/or statutory retention periods lapse. |
| Commissions from purchases made by referred persons and the resulting commissions | Application/Implementation of the Ambassador Programme | Sect. 6 para. 1 s. 1 lit. b GDPR | Deletion after the relevant purpose no longer applies and/or statutory retention periods lapse. |
| Data for promotional campaigns such as image or name | Application/Implementation of the Ambassador Programme | Sect. 6 para. 1 s. 1 lit. b GDPR | Deletion after the relevant purpose no longer applies and/or statutory retention periods lapse. |
32. Passing on of data
32.1 Sharing data within the corporate group
Best Secret GmbH is part of the S&B Group. As part of our business activities, it is essential for data to be exchanged between branch locations on a regular basis. Exchanging data in this context is essential for BestSecret membership and contract fulfilment. Data is thus exchanged for contract performance in accordance with sect. 6 para. 1 s. 1 lit. b GDPR. The following S&B Group companies may have access to your data within the scope of Group-wide cooperation:
| Controller | Processing purpose | Legal basis of processing |
|---|---|---|
| Best Secret GmbH, Margaretha-Ley-Ring 10, 85609 Aschheim | Membership management as well as the operation and provision of the BestSecret Online Shop | Sect. 6 para. 1 s. 1 lit. b |
| Schustermann & Borenstein GmbH, Margaretha-Ley-Ring 27, 85609 Aschheim | Establishment and defence of legal claims, security department, payment processing, linking the S&B customer card to Best Secret, participation in the S&B bonus programme | Sect. 6 para. 1 s. 1 lit. b |
| Schustermann & Borenstein Logistik GmbH, Parsdorfer Straße 13, 85586 Poing | Package dispatch and returns handling and processing | Sect. 6 para. 1 s. 1 lit. b |
| Schustermann & Borenstein Wien GmbH, Berggasse 16, 1090 Wien | S&B customer card linkage, participation in the S&B bonus programme | Sect. 6 para. 1 s. 1 lit. b |
32.2. Transfers to processors
We use other service providers as contract processors in addition to the service providers expressly referred to above. They process personal data to the extent required. We carefully select and monitor these service providers. They process the data exclusively on our instructions. They include service providers such as IT service providers, marketing service providers and service providers for customer support.
32.3 Sharing data with third parties
Your personal data will only be passed on to third parties if this is required for contract processing or settlement or if you have consented to it in advance. Our business does not include selling such customer information. Data are only passed on in the scope of the presented purposes.
Your personal data will not be transferred to any third parties for any other than the purposes listed.
We shall only pass on your personal data to third parties if:
- you have expressly consented to this,
- forwarding is required for assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding protection-worthy interest in your data not being passed on,
- we are legally required to pass them on, and
- if it is legitimate by law and required for processing contractual relationships with you. In case of data transfer outside of the European Union, the high European data protection level generally does not apply. On transmission, it is possible that there is no current resolution on appropriateness of the EU commission within the meaning of sect. 45 para. 1, 3 GDPR. This means that the EU commission has not positively determined so far that the country-specific data protection level corresponds to the data protection level of the European Union due to the GDPR; therefore, we have created the above suitable guarantees.
Potential recipients include consultants, auditors, lawyers, courts or authorities.
33. Instruction on the rights of data subjects
Every data subject has the right to information according to sect. 15 GDPR, the right to rectification according to sect. 16 GDPR, the right of erasure according to section 17 GDPR, the right to restriction of processing according to sect. 18 GDPR, the right to objection from sect. 21 GDPR and the right to data portability from sect. 20 GDPR. The information right and erasure right are subject to the restrictions pursuant to §§ 34 and 35 BDSG or the respective national provisions.
34. Instructions on the complaint options
You also have the right to complain to the competent data protection supervisory authority about processing of your personal data by us.
35. Instruction on revocation of consent
You may revoke your consent granted to us for processing of personal data at any time. This shall also apply to revocation of declarations of consent that were granted to us before the application of the general data protection regulation, i.e. before 25 May 2018. Please note that the revocation will only be effective for the future. Processing that took place before the revocation is not affected by this.
36. Right in case of data processing for operation of direct marketing
You have the right according to sect. 21 para. 2 GDPR to object to processing of the personal data concerning you at any time. If you object to processing for the purpose of direct marketing, we shall no longer process your personal data for these purposes. Please note that the objection will only be effective for the future. Processing that took place before the objection is not affected by this.
37. Note on the objection rights on consideration of interests
As far as we base processing of your personal data on consideration of interests, you may object to processing. When exercising such an objection, please present the reasons why we should not process your personal data as described by us. In case of your justified objection, we will review the situation and shall either cease data processing or adjust it, or explain our mandatory grounds to be protected to you.
38. Links to other websites
Our websites may contain link to websites of other providers. Please note that this data protection statement only applies to the websites of www.BestSecret.com. We cannot influence or control whether other providers comply with the applicable data protection provisions.
39. Changes to the data protection statement
We reserve the right to change or adjust this data protection statement at any time under observation of the applicable data protection provisions.