BestSecret BestSecret BestSecret


Save as PDF

Data Protection Statement

As of: 15/10/2020

Best Secret GmbH takes the protection of your personal data very seriously and collects and uses your personal data only in the scope of the applicable statutory provisions.

In order to let you feel safe when visiting our website, we provide you with an overview of how Best Secret GmbH ensures this protection and what kind of data we collect for what purpose below. The data protection statement is available on our website at any time.

1. Information about data processing within the Schustermann & Borenstein Group

1.1 General information

Best Secret GmbH is part of the Schustermann & Borenstein Group (hereinafter S&B Group).

As part of our business activities, it is therefore essential for data to be exchanged between branch locations and divisions on a regular basis in order to promote and facilitate cooperation within the Group. For this reason, central processes are not limited to a single Group company, but also include other Group member companies. Companies within the S&B Group therefore work together in many areas and act as so-called joint controllers within the meaning of data protection law.

1.2 Information about the primary contents of the contract in the case of joint controller authority within the S&B Group

In light of their joint role, the member companies of the S&B Group have concluded a contract as joint controllers within the meaning of sect. 26 in conjunction with sect. 4(7) GDPR to guarantee the security of processing and the effective exercise of your rights.

Without limitation, this contract addresses the following points:

  • Subject, purpose, means and scope as well as competences and responsibilities with regard to data processing
  • Providing information to data subjects
  • Fulfilment of other rights of data subjects
  • Security of processing
  • Involvement of contract data processors
  • Procedure in the event of personal data breaches
  • Other common and reciprocal obligations
  • Cooperation with supervisory authorities
  • Liability

2. Controller and Data Privacy Officer

The controller responsible for processing your personal data is the S&B Group as joint controllers. In particular, you may contact Best Secret GmbH, Margaretha-Ley-Ring 10, 85609 Aschheim, Germany (hereinafter referred to as BestSecret) in order to assert your rights. Member companies belonging to the S&B Group have each appointed a data protection officer. You may contact the controllers and the data protection officer at:

Data processing controller Data protection officer of the controller

Best Secret GmbH

represented by Marian Gradl-Schikora, Daniel Schustermann, Ralph Goedecke and Claudius Peleskei

Margaretha-Ley-Ring 10, 85609 Aschheim, Germany.

Phone: +49 (0) 89 / 357 68 04 40

Email: [email protected]

Best Secret GmbH

Data protection officer

Margaretha-Ley-Ring 10, 85609 Aschheim, Germany.

Email: [email protected]

3. Appropriate safeguards for processing personal data in third countries.

If we use service providers outside the EU or the European Economic Area (EEA), we take appropriate and suitable measures to ensure a sufficient level of data protection when transmitting personal data in accordance with Art. 44 et seq. GDPR, e.g. conclusion of EU standard contracts, additional technical and organisational measures such as encryption or anonymisation. Please note that despite the careful selection and obligation of a service provider, the latter may process data outside the EU/EEA or be subject to another jurisdiction owing to the location of its registered office and may not provide an adequate level of data protection. If the data is transferred to the USA, there is a risk that your data may be processed by US authorities for control and monitoring purposes; in such cases, it may be possible that you are not entitled to any legal remedies.

4. General data collection when calling our website

If you use our website for information only, i.e. if you do not register or otherwise submit any information to us, we will only collect the personal data your browser submits to our server. These data are technically required for us in order to show our website to you and to ensure stability and safety (the legal basis for this is our legitimate interest pursuant to sect. 6 para. 1 s. 1 lit. f GDPR).

For technical reasons, these are saved by default as logfiles (protocol files).

Data Purpose of processing Legal basis of processing Duration of storage

Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call

Optimised website representation

Ensuring proper website operation

Sect. 6 para. 1 s. 1 lit. f GDPR

Deletion after 21 days at most

IP address

Ensuring proper website operation

Sect. 6 para. 1 s. 1 lit. f GDPR

Deletion after 21 days at most

5. Data collection on login/registration on our website

If you log in or register at www.BestSecret.com, personal, behaviour-related and technical data will be saved.

Technical data will be saved anonymised and evaluated. Anonymised means that we cannot assign the data to a determined or determinable natural person, or that we would do so only with disproportional effort of time, costs and labour. We will evaluate these anonymised data in order to further improve the function of the shop and to make it more user-friendly.

In the scope of reconciliation of interests according to sect. 6 para. 1 lit. b GDPR, we have observed and considered our interest in provision of the data and your interest in data-protection-compatible processing of your personal data.

The following data are required for provision of our service in order to offer you our website and to ensure stability and safety, in particular to protect against abuse. Accordingly, we can - while ensuring data protection aligned with the state of the art – process these data, while appropriately considering your interest in processing them in a manner compatible with data protection.

Data Purpose of processing Legal basis of processing Duration of storage

Personal information such as: Name, email address, ...

Registration purposes

Customer communication

Sect. 6 para. 1 s. 1 lit. f GDPR

Deletion after expiration of purpose or until expiration of the obligation to preserve business records relating to commercial and tax law.

Behaviour-related data such as: Last login, registration date, visited product pages, ...

Customer communication

Measure of success

Determination of target group for advertising purposes

Sect. 6 para. 1 s. 1 lit. f GDPR

Deletion after expiration of purpose, no later than 90 days after membership ends

Collection of the data for provision of the website and recording of the data in logfiles is mandatory for operation of the website. Accordingly, the user cannot object to this.

6. Data collection and use in the scope of provision

The information that we receive from you helps us process your orders as smoothly as possible, to improve our service to you and to prevent abuse and fraud.

We use your data for the processing of orders and payments, delivery of the goods and rendering of services. In the scope of order processing, e.g. the service providers used by us here (such as transporters, logisticans, banks) will receive the data needed to process orders and purchase orders.

Whether additional data, such as the email address, should be passed on to report the specific delivery date or not can be indicated and changed in the ordering process or at any time in your personal settings.

As part of the payment processing, we will share your payment data with the respective payment service provider. Please note that many of these recipients have an independent right or obligation to process your personal data, e.g. Wirecard Bank AG (https://www.wirecardbank.com/GDPR) or AfterPay (https://documents.myafterpay.com/privacy-statement/en_de/11309). If you would like more information about the recipients, please contact [email protected].

For more detailed information on data protection on this, see our data protection information for customers that we have provided to you here: Link to information requirements

7. Tracking Technologies

7.1 General information

We use tracking technologies such as cookies in order to improve our website and to make it as user-friendly as possible. Cookies are small text files that are stored on your computer’s operating system when you access our website. Amongst other things, cookies contain a distinctive character string that enables unique identification of your browser when you return to our website. Cookies store additional information, such as your language setting, the length of your visit to our website or certain entries you may have made whilst there. This avoids having to re-enter all required data each time you use our website. Cookies also enable us to recognise your preferences and to tailor our website to match your areas of interest.

Cookies store additional information, such as your language setting, the length of your visit to our website or certain entries you may have made whilst there. This avoids having to re-enter all required data each time you use our website. Cookies also enable us to recognise your preferences and to tailor our website to match your areas of interest.

7.2 Type of tracking technologies in use

We differentiate between tracking technologies that are technically necessary for the website, tracking to optimise our website/app and tracking related to personalised advertising.

7.2.1 Technically necessary tracking technologies

We use cookies within the scope of the technically necessary tracking technologies. These cookies are necessary for the operation of a website/app and its functions. These include session cookies and cookies that store certain user preferences (e.g. shopping cart, language preferences, gender preferences, or login information), opt-out cookies, cookies from payment service providers that are stored to complete the payment process, cookies from shipping service providers that are used to track shipments, or the Google Tag Manager to manage your tracking preferences. The legal basis for the use of technically necessary tracking technologies is our legitimate interest pursuant to sect. 6 para. 1 s. 1 lit f GDPR.

However, it is possible to disable these cookies by changing the settings in your browser.

7.2.2 Tracking for purposes of website/app optimisation (optimisation & performance)

Tracking for optimisation and performance purposes aids in analysing user behaviour on the BestSecret website and app as part of a performance analysis or for statistical purposes. BestSecret can optimise the user-friendliness of the shop and correct possible errors on the basis of these evaluations.

Tracking technologies for purposes of optimisation and performance include:

  • Google Analytics & Optimize
  • Fabric (Crashlytics)
  • Firebase
  • Hotjar

The exact mode of operation, and the relevant data categories, for each individual tracking technology will be described in more detail below, starting at no. 8.

Tracking for purposes of optimisation and performance is only used if you have given us your consent in accordance with sect. 6 para. 1 s. 1 lit. a GDPR. This consent covers both the website and its mobile applications. You can revoke your consent at any time by deselecting the tracking setting 'Optimisation & performance' in the cookie settings of the footer. For technical reasons, this opt-out usually only becomes effective after 48–72 hours. When using the app, you can speed this up by restarting the app.

We use the consent management tool ‘Usercentrics Consent Management Platform’ provided by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany, to manage your tracking settings. The following data is stored as part of this process:

Data category concerned Processing purpose Legal basis for processing Retention period

Tracking setting (including consent or rejection, time)

Verification purposes

Sect. 6 para. 1 s. 1 lit. f GDPR

Three years after withdrawal of consent or deletion of the account

Device data or data from any devices in use (including shortened IP address and time)

Verification purposes

Sect. 6 para. 1 s. 1 lit. f GDPR

Three years after withdrawal of consent or deletion of the account

User Identifier

Verification purposes

Sect. 6 para 1 s. 1 lit. f GDPR

Three years after withdrawal of consent or deletion of the account

7.2.3 Tracking for purposes of personalisation

Tracking for purposes of personalised advertising is used to create personalised advertising tailored to your interests on our websites/app or on websites operated by our advertising partners as well as for other marketing purposes.

Tracking technologies for purposes of personalisation include::

  • Google Ad, Audiences and Conversion Tracking
  • Google Marketing Platform
  • Criteo
  • Salesforce
  • Facebook Custom Audiences
  • RTB House
  • Pinterest
  • Other Affiliate Pixels

The exact mode of operation for each individual tracking technology will be described in more detail below, starting at no. 8.

Tracking for purposes of personalisation is only used if you have given us your consent in accordance with sect. 6 para. 1 s. 1 lit. a GDPR. This consent covers both the website and its mobile applications. You can revoke your consent at any time by deselecting the tracking setting 'Personalisation' in the cookie settings of the footer. For technical reasons, this opt-out usually only becomes effective after 48–72 hours. When using the app, you can speed this up by restarting the app.

We use the consent management tool ‘Usercentrics Consent Management Platform’ provided by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany, to manage your tracking settings. The following data is stored as part of this process:

Data category concerned Processing purpose Legal basis for processing Retention period

Tracking setting (including consent or rejection, time)

Verification purposes

Sect. 6 para. 1 s.1 lit. f GDPR

Three years after withdrawal of consent or deletion of the account

Device data or data from any devices in use (including shortened IP address and time)

Verification purposes

Sect. 6 para. 1 s.1 lit. f GDPR

Three years after withdrawal of consent or deletion of the account

User Identifier

Verification purposes

Sect. 6 para. 1 s.1 lit. f GDPR

Three years after withdrawal of consent or deletion of the account

8. Google Tag Manager

For reasons of transparency, please note that we use Google Tag Manager. Google Tag Manager itself does not record any personal data. Tag Manager makes it easier for us to integrate and manage our tags. Tags are small code elements that serve, among others, to measure traffic and visitor behaviour, to record the effects of online advertisements and social channels, remarketing or retargeting and setting up alignment with target and testing and optimising websites. For further information on the Google Tag Manager, see https://www.google.com/analytics/tag-manager/use-policy/.

Designation of the provider Service provider type Data transfer to a third country Third country

Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Contract processor

YES

USA

9. Google Analytics & Google Optimize

This website uses Google Analytics, a web analysis service of Google Inc. In addition, we use Google Optimize. Google Optimize analyses the use of different variants of our website and helps us to improve user-friendliness based on the behaviour of our users on the website. Google Optimize is a tool associated with Google Analytics.

Google Analytics and Google Optimize use “cookies”, i.e. text files that are stored on your computer and that permit analysis of your use of the website. The information produced by the cookie regarding your use of this website is usually transferred to a server of Google in the USA and saved there. Due to activation of IP anonymisation on these websites, your IP address will be abbreviated first by Google within member states of the European Union or in other contracting states of the convention on the European Economic area. Only in exceptions will your full IP address be transferred to a server of Google in the USA and abbreviated there. The IP address submitted by your browser in the scope of Google Analytics and Google Optimize will not be combined with any other data of Google. On the order of the operator of this website, Google will use this information to evaluate your use of the website, in order to compile reports on the website activities and to render further services connected to website use and internet use towards the website operator. The data sent by us and linked to cookies, user IDs (e.g. User-ID) or advertising IDs are automatically deleted after 26 months. Erasure of data the archiving period of which has expired shall take place automatically once per month. For more detailed information on usage conditions and data protection, see www.google.com/analytics/terms or under https://policies.google.com.

Designation of the provider Service provider type Data transfer to a third country Third country

Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Contract processor

YES

USA


Affected data category Purpose of processing Legal basis of processing Duration of storage

Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ...

Evaluation of customer behaviour

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion after 26 months at most

Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ...

Evaluation of customer behaviour

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion after 26 months at most

User ID, device ID

Evaluation of user behaviour on different devices/browsers

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion after 26 months at most

10. Google AdWords, Audiences, and Conversion Tracking

In order to draw attention to our services, we place Google AdWords advertisements and use Google Conversion-Tracking and the Google Tag Manager in the scope of this for the purpose of personalised interest- and site-based online advertisements. The option of anonymising the IP-addresses is controlled via an internal setting in the Google Tag Manager that is not visible in the source of this page. This internal setting is made so that the anonymisation of IP addresses required by the Federal Data Protection Act is achieved.

The ads are displayed after search requests on websites of the Google advertising network. Detailed information on the Google advertising network can be found at https://support.google.com/adwords/answer/1752334?hl=en. We are able to combine our ads with certain search terms. We can use cookies to place ads on our website based on the previous visits of a user.

When clicking an ad, Google sets a cookie on the user's computer. Further information on the cookie technology used can also be found among the notes of Google on the website statistics under https://services.google.com/sitestats/en.html and in the data protection provisions under https://policies.google.com/privacy?hl=en.

With the help of this technology, Google and we as the customer receive information that a user clicked an ad and has been forwarded to our websites. The information acquired here is used only for a statistical evaluation for ad optimisation. We will not receive any information with which the visitors can be identified in person. The statistics provided to us by Google contain the overall number of users who clicked one of our ads and, if applicable, whether they were forwarded to a page of our website with a conversion tag. We can use these statistics to determine for which search terms our ad was clicked particularly often and which ads lead to contact by the user via the contact form.

Designation of the provider Service provider type Data transfer to a third country Third country

Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Contract processor

YES

USA


Affected data category Purpose of processing Legal basis of processing Duration of storage

Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ...

Ad delivery for customer segments

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion after 26 months at most

Behaviour-related data such as: registration date, visited product pages, ordered products, name of called website, ...

Ad delivery for customer segments

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion after 26 months at most

11. Google Marketing Platform

Furthermore, we use Google Marketing Platform, a service of Google Inc. Google Marketing Platform uses cookies to place user-based ads. The cookies recognise which ad has already been shown in your browser and whether you called a website using a displayed ad. The cookies do not record any personal information and also cannot be connected to these.

For more information on how Google uses cookies, see the data protection statement of Google.

Designation of the provider Service provider type Data transfer to a third country Third country

Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Contract processor

YES

USA


Affected data category Purpose of processing Legal basis of processing Duration of storage

Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ...

Ad delivery for customer segments

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion after 26 months at most

Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ...

Ad delivery for customer segments

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion after 26 months at most

12. Hotjar

Our website has Hotjar integrated (https://www.hotjar.com). Hotjar enables us to record and evaluate user behaviour (e.g. mouse movements, clicks, scrolling height) on our websites. For this purpose, Hotjar uses cookies on end units of the users and is able to save the data of users anonymised, e.g. concerning browser information, operating system, time spent on the page. Learn more about Hotjar under the following link: https://www.hotjar.com/privacy.

Designation of the provider Service provider type Data transfer to a third country Third country

Hotjar, 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta

Contract processor

NO

/


Affected data category Purpose of processing Legal basis of processing Duration of storage

Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ...

Analysis of customer behaviour towards website optimisation

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion after 12 months at most

Behaviour-related data such as: Visited product pages, browsing behaviour on website, visited pages ...

Analysis of customer behaviour towards website optimisation

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion after 12 months at most

13. Criteo

On our pages, we collect information on the surfing behaviour of the website visitors for marketing purposes in a pseudonymised form using the technology of Criteo; cookies and web pixels are placed for this. This way, Criteo can analyse surfing behaviour and then display targeted product recommendations as matching advertising banners when other websites are visited. For this purpose, cookies from our partner websites are also placed via pixels. In no case must the anonymised data be used to personally identify the visitor of the website. The data collected by Criteo are only used to improve the advertising offer.

You can generally learn more about the data protection statement and data protection directives at Criteo at https://www.criteo.com/privacy/.

Designation of the provider Service provider type Data transfer to a third country Third country

Criteo GmbH, Lehel Carré, Gewuerzmuehlstraße 11, 80538 Munich, Germany

Controller

NO

/


Affected data category Purpose of processing Legal basis of processing Duration of storage

Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ...

Ad delivery for customer segments

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion after 13 months at most

Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ...

Ad delivery for customer segments

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion after 13 months at most

User ID, device ID

Evaluation of user behaviour on different devices/browsers to deliver ads on different end devices

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion after 13 months at most

14. Salesforce

For customer support, we use the Customer Relationship Management module “Salesforce Marketing Cloud” and “Salesforce Service Cloud” by Salesforce.com Inc. The data are processed in the USA. Further information on the Salesforce Marketing Cloud and Salesforce Service Cloud and the processed data is available at https://www.salesforce.com/company/privacy/.

If you give your express consent, these technologies will also evaluate information about user behaviour on websites, mobile apps, emails, push messages, in-app messages and other communications for marketing purposes. This is done using cookies and web pixels, as well as the iGoDigital tracking service, which is part of Salesforce. The information collected in this manner will be associated with your email address and is linked to a unique ID in order to clearly associate clicks in communications with you. The purpose of the user profile is to tailor our offerings and our services to your interests and to improve or marketing offerings and communications for you.

Designation of the provider Service provider type Data transfer to a third country Third country

Salesforce.com Inc., The Landmark @ One Market Street, Suite 300, San Francisco, California, CA 94105, USA

Contract processor

YES

USA


Affected data category Purpose of processing Legal basis of processing Duration of storage

Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ...

Creation of profiles as part of the Salesforce CRM systems

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion after expiration of purpose, no later than 90 days after membership ends

Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, Products on the wish list

  • Finding suitable product recommendations or other communication content for newsletters and special mailings and other messages such as push notifications or in-app messages
  • Improving the website and other communications

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion after expiration of purpose, no later than 90 days after membership ends

User ID, device ID

  • Finding suitable product recommendations or other communication content for newsletters and special mailings and other messages such as push notifications or in-app messages
  • Improving the website and other communications

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion after expiration of purpose, no later than 90 days after membership ends

15. Facebook Custom Audiences

In the scope of usage-based online advertisements, the project Custom Audiences by Facebook is also used on the website. A Facebook cookie is set for this. We record information on your activities on the website and behaviour-related files via Facebook pixels in the scope of this.

The cookies do not record any personal information and also cannot be connected to these.

Further information on the purpose and scope of the data collection and further processing and use of the data as well as the privacy settings can be taken from the data protection directives of Facebook.

Designation of the provider Service provider type Data transfer to a third country Third country

Facebook Inc. 1601 WILLOW ROAD MENLO PARK, CA 94025, USA

Contract processor

YES

USA


Affected data category Purpose of processing Legal basis of processing Duration of storage

Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ...

Ad delivery for customer segments

Sect. 6 para. 1 s. 1 lit. a GDPR

12 months at most, currently 6 months

Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ...

Ad delivery for customer segments

Sect. 6 para. 1 s. 1 lit. a GDPR

12 months at most, currently 6 months

16. RTB House

We use the technology of RTB House SA on our pages to collect information on the surfing behaviour of the website visitors for marketing purposes in a pseudonymised form by setting cookies and web pixels. This way, RTB House can analyse surfing behaviour and then display targeted product recommendations as matching advertising banners when other websites are visited. In no case must the anonymised data be used to personally identify the visitor of the website. The data collected by RTB House are only used to improve the advertising offer.

You can generally learn about the data protection statement and data protection directive at RTB House at https://www.rtbhouse.com/privacy/.

Designation of the provider Service provider type Data transfer to a third country Third country

RTB House SA, Zlota 61/101, 00-819, Warsaw, Poland

Contract processor

NO

/


Affected data category Purpose of processing Legal basis of processing Duration of storage

Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ...

Ad delivery for customer segments

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion after 13 months at most

Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ...

Ad delivery for customer segments

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion after 13 months at most

User ID, device ID

Evaluation of user behaviour on different devices/browsers to deliver ads on different end devices

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion after 13 months at most

17. Fabric

In our mobile applications on Android and iOS we have integrated Fabric Crash Analytics (https://fabric.io/kits/android/crashlytics) for the purposes of detecting and reporting crashes and non-fatal crashes in the app. This information is used to improve the application performance and stability. For these purposes technical data such as the mobile device id, device type, model, operating system and approximate location of the mobile device is transmitted to provide more reliable analysis, for example to determine whether the issue is specific to one device type or to multiple devices.

For more detailed information on usage conditions and data protection, see https://fabric.io/terms.

Designation of the provider Service provider type Data transfer to a third country Third country

Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Contract processor

YES

USA


Affected data category Purpose of processing Legal basis of processing Duration of storage

Technical data such as: Operating system used, browser type and version, device (e.g. phone, tablet, ...), date and time of website call, ...

Evaluation of customer behaviour

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion no later than 180 days

Behaviour-related data such as: Registration date, visited product pages, ordered products, name of called website, ...

Evaluation of customer behaviour

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion no later than 180 days

User ID, device ID

Evaluation of user behaviour on different devices/browsers

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion no later than 180 days

18. Firebase

We use technology from Google Firebase (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, “Google”) with various functionalities in our apps. Firebase uses so-called “Instance IDs” to memorise individual settings within the mobile app. Because each Instance ID is unique to a mobile app and the mobile device you are using, Firebase is able to evaluate and respond to specific events within the mobile app. Information generated by the Instance ID about your use of this mobile app on your mobile device is generally sent to a Google server in the United States and stored there. Google ensures that the IP address is anonymised immediately if the IP address is also sent.

For more information, see Firebase’s Terms of Use and and Privacy Notice.

Provider name Service provider type Data transfers to third countries Third country

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Processor

YES

USA


The following functionalities are used specifically:

Firebase Remote Config

Firebase Remote Config enables the configuration of app settings. We can change the behaviour and appearance of your app on the user device without having to completely reinstall it from the app store. Find out all you need to know about how Remote Config works here.

Data category concerned Processing purpose Legal basis for processing Retention period

Technical data such as: operating system in use, browser type and version, device (smartphones, tablets or other device), date and time of access, etc.

App optimisation

Sect. 6 para. 1 s. 1 lit. a GDPR

Erasure after achievement of purpose; no later than 180 days after request

Instance ID

App optimisation

Sect. 6 para. 1 s. 1 lit. a GDPR

Erasure after achievement of purpose; no later than 180 days after request

Firebase Performance Monitoring

Firebase Performance Monitoring allows us to track the performance of the app and respond to specific incidents within the app. Find out more information here.

Data category concerned Processing purpose Legal basis for processing Retention period

Technical data such as: operating system in use, browser type and version, device (smartphones, tablets or other device), date and time of access, etc.

App optimisation

Sect. 6 para. 1 s. 1 lit. a GDPR

Erasure after achievement of purpose; no later than 180 days after request

Instance ID

App optimisation

Sect. 6 para. 1 s. 1 lit. a GDPR

Erasure after achievement of purpose; no later than 180 days after request

19. Pinterest Ads

In addition, we use the Pinterest plugin provided by Pinterest Europe Limited, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland. This allows us to track the behaviour of users after they have viewed a Pinterest advertisement. We can also use the Pinterest tag to measure the conversion rate of a campaign. This means that the Pinterest tag allows us to evaluate the effectiveness of a Pinterest ad, optimise future advertising campaigns and to make them more user-friendly. We are not able to identify users from the data collected. However, this data is also stored by Pinterest and can be associated with a user profile and used for marketing purposes. You can find more information about data protection at https://policy.pinterest.com/en/privacy-policy.

Data category concerned Processing purpose Legal basis for processing Retention period

Technical data such as: Device information, operating system in sue, device ID, date and time of access

Advertising display to customer segments

Sect. 6 para. 1 s. 1 lit. a GDPR

Up to 12 months

Behavioural data such as: Registration date, products visited, products ordered, name of pages accessed

Advertising display to customer segments

Sect. 6 para. 1 s. 1 lit. a GDPR

Up to 12 months

20. Affiliate Pixels

We use affiliate marketing, i.e. we provide various distribution partners (so-called affiliates) with advertising material which these affiliates then use on their websites or other channels. Affiliates are remunerated for this based on click rates, memberships and/or purchases. A pixel is placed for purposes of calculating remuneration.

The following data ist transmitted as part of this process:

Data category concerned Processing purpose Legal basis for processing Retention period

Click rate, number of new memberships, purchases, user identifiers and other relevant data

Affiliate marketing

Sect. 6 para. 1 s. 1 lit. a GDPR

Deletion after purpose no longer applies

21. Newsletter

By agreeing to receive the newsletter, you agree to regularly receive information about sales promotions, product recommendations, vouchers and VIP status at Best Secret GmbH and Schustermann & Borenstein GmbH, Margaretha-Ley-Ring 27, 85609 Aschheim, Germany.

For dispatch of the newsletter, BestSecret also uses the service Salesforce Marketing Cloud, which is operated by the company Salesforce.com Inc., The [email protected] Market Street, Suite 300, San Francisco, California, CA 94105, USA.

In order to make our newsletter even more interesting for you in future, common technologies such as cookies or counting pixels are used in our newsletter. We evaluate your clicks within the newsletter using so-called tracking pixels, i.e. invisible image files, as well as personalised links and embedded links (link wrapping). They are assigned to your email address and are linked to a dedicated ID in order to clearly link any clicks in the newsletter to your own ID. The user profile serves to coordinate the offer and our services with your interests. The legal basis for this is the legitimate interest purs. to sect. 6 para. 1 s. 1 lit. a) GDPR. We do so based on your cookie settings.

We also use certain information (e.g. gender, postcode, VIP status) to appropriately segment and personalise our newsletter. The legal basis for this is our legitimate interest according to Art. 6(1)(f) GDPR.

You may change the frequency or the content of the newsletter in your newsletter settings.

The consent to the newsletter is voluntary and can be revoked at any time. The revocation can take place in the settings in your customer account and, of course, via the logout link in every newsletter.

The following data are processed for newsletter dispatch:

Designation of the newsletter provider Service provider type Data transfer to a third country Third country

Schustermann & Borenstein GmbH, Margaretha-Ley-Ring 27, 85609 Aschheim, Germany

Controller

NO

/

Salesforce.com Inc., The [email protected] Market Street, Suite 300, San Francisco, California, CA 94105, USA

Contract Processor

YES

USA


Data Purpose of processing Legal basis of processing Duration of storage

Personal data such as: Email address, form of address, first name, last name, gender

Newsletter delivery

Sect. 6 para. 1 s. 1 lit. a GDPR

Three years after withdrawal of consent or deletion of the account

Confirmation of newsletter delivery, time of confirmation, newsletter preferences

Newsletter delivery

Sect. 6 para. 1 s. 1 lit. a GDPR

Three years after withdrawal of consent or deletion of the account

Revocation of confirmation

Proof of revocation

Sect. 6 para. 1 s. 1 lit. a GDPR

Three years after withdrawal of consent or deletion of the account

Behavioural data such as: opening and click rate

Analysis of user behaviour and/or creation of personalised advertising

Art. 6(1)(a) GDPR

Erasure after the purpose no longer applies; no later than 90 days after termination of membership

Personal data such as: gender, postcode or purchases

Segmentation or personalisation

Art. 6(1)(f) GDPR

Erasure after the purpose no longer applies; no later than 90 days after termination of membership

22. Direct mail without prior notification

If we have received your e-mail address or postal address in connection with the sale of goods or services, we reserve the right to send you regular offers for products from our assortment by e-mail or post. For purposes of postal advertising using the Salesforce Marketing Cloud, we use the Salesforce service provider Optilyz, Neue Schönhauser Str. 19, 10178 Berlin, Germany. Direct mail can be segmented based on demographic data, such as postcode or VIP status. You can object to the use of your e-mail address for the purpose of direct marketing via a link provided for this purpose in the advertising e-mail, or to the use of your postal address by sending an e-mail to [email protected].

Designation of the provider Service provider type Data transfer to a third country Third country

Salesforce.com Inc., The [email protected] Market Street, Suite 300, San Francisco, California, CA 94105, USA

Contract Processor

YES

USA

optilyz GmbH, Neue Schoenhauser Str. 19, 10178 Berlin, Germany

Contract Processor

NO

/


Data Purpose of processing Legal basis of processing Duration of storage

Personal data such as: Email address, form of address, first name, last name, gender

Marketing

Sect. 6 para. 1 s. 1 lit. f GDPR

Until objection

Demographic data such as: postcode, most recent purchase or VIP status

Sending a marketing campaign/personalisation

Art. 6(1)(f) GDPR

Until objection

Objection

Proof of objection

Sect. 6 para. 1 s. 1 lit. f GDPR

Deletion after expiry of purpose, at the latest 90 days after termination of membership

23. Push notifications, in-app messages and inbox messages in the app

23.1 Push notifications

In our app, you have the option to provide your consent to receive push notifications. Push notifications are regular on-screen messages about your membership, sales promotions and the latest trends. You can switch these notifications on and off at any time using the app settings on your mobile device, thus giving or withdrawing your consent as applicable. If you subscribe to push notifications, the device ID of your mobile device will be sent to the service that provides the push function for your operating system (for Android: Google Cloud Messaging; for iOS: Apple Push Notification Service). A so-called identifier (‘Push Notification Identifier’) is created as part of this process, which is then used for further communication with the BestSecret PushServer. The Identifier does not permit identification of the user. BestSecret uses the Salesforce Marketing Cloud service to send these messages. This service is operated by Salesforce.com Inc, The [email protected] Market Street, Suite 300, San Francisco, California, CA 94105, USA.

We also use certain information (e.g. gender, postcode, purchases) to appropriately segment and personalise our push messages and in-app messages. The legal basis for this is our legitimate interest according to Art. 6(1)(f) GDPR.

Data category concerned Processing purpose Legal basis for processing Retention period

Push Notifications Identifier

Sending the push notification

Art. 6(1)(f) GDPR

Erasure after the purpose no longer applies; no later than 90 days after termination of membership

Personal data such as: first name, last name or gender, VIP status or vouchers

Creating the push notification

Art. 6(1)(f) GDPR

Erasure after the purpose no longer applies; no later than 90 days after termination of membership

23.2 In-app and inbox messages

We also use in-app and inbox messages in our app. These messages show you information about sales promotions, vouchers or your VIP status within the app. BestSecret uses the Salesforce Marketing Cloud service to send these message. This service is operated by Salesforce.com Inc, The [email protected] Market Street, Suite 300, San Francisco, California, CA 94105, USA.

We also use certain information (e.g. gender, postcode, purchases) in in-app and inbox messages to appropriately segment and personalise our push messages and in-app messages. The legal basis for this is our legitimate interest according to Art. 6(1)(f) GDPR.

Data category concerned Processing purpose Legal basis for processing Retention period

Device ID and app ID

Creating the in-app message

Art. 6(1)(f) GDPR

Erasure after the purpose no longer applies; no later than 90 days after termination of membership

Personal data such as: first name, last name or gender, VIP status or vouchers

Creating the in-app message

Art. 6(1)(f) GDPR

Erasure after the purpose no longer applies; no later than 90 days after termination of membership

23.3 Tracking in-push notifications, in-app messages and inbox messages

In order to make our push notifications, in-app messages and inbox messages even more interesting for you in future, we evaluate what you open and click, as well as dwell time, among other things, with the aid of personalised links and embedded links (link wrapping). All data collected in this manner is linked to your subscriber ID. The purpose of the user profile is to tailor our offerings and our services to your interests. This is only done if you have given us your consent as part of the cookie opt-in in accordance with Art. 6(1)(a) GDPR.

Data category concerned Processing purpose Legal basis for processing Retention period

Behavioural data such as: open and click rate, dwell time

Analysis of user behaviour

Art. 6(1)(a) GDPR

Erasure after the purpose no longer applies; no later than 90 days after termination of membership

24. Data usage for customer feedback

We use Zenloop’s services to conduct customer satisfaction surveys. The legal basis for such use is sect. 6 para. 1 s.1 lit. f GDPR. Survey and contact data are processed for such purposes. For more information about Zenloop’s data processing practices, please see Zenloop’s Privacy Policy (https://www.zenloop.com/en/legal/privacy). If you previously decided to provide customer feedback but no longer wish to do so, you can object to further processing (by contacting us or via the link contained in the e-mail).

Provider name Service provider type Data transfer to a third country Third country

Zenloop GmbH, Brunnenstr. 196, 10119 Berlin, Germany

Contract data processor

YES

USA


Data category concerned Processing purpose Legal basis of processing Retention period

Survey data, contact information

Conducting and evaluating customer satisfaction surveys

Sect. 6 para. 1 s. 1 lit. f GDPR

Erasure after the purpose no longer applies; no later than 90 days after termination of membership

25. Shipping status notification

As part of your order, you have the option to consent to have your e-mail address and telephone number sent to the respective shipping provider in order to enable the shipping partner to send you shipment status notifications.

Your consent is voluntary and can be withdrawn at any time. To do so, all you need to do is open the My BestSecret menu under Password and Contact Details/Personal Settings and deselect the option “Delivery tracking”.

Relevant data category Processing purpose Legal basis for processing Retention period

Personal data such as: e-mail address, telephone number

Disclosure to shipping partner for purposes of delivery tracking

Sect. 6 para. 1 s. 1 lit. f GDPR

Until withdrawn

Time at which consent is provided

Delivery tracking

Sect. 6 para. 1 s. 1 lit. f GDPR

Three years after withdrawal

Time at which consent is withdrawn

Verification of withdrawal

Sect. 6 para. 1 s. 1 lit. f GDPR

Three years after withdrawal

26. Inviting friends

We offer you the opportunity to recommend our website to other prospective customers. To do this, navigate to “Invite Friends” in the menu. By clicking on the button “Invite Friends”, you will receive an exclusive invitation link that you can send via social media or by e-mail.

In addition, we store personal data of the person who recommended you. As a closed shopping community, we only accept members who have been recommended by existing members. This data is used for verification and traceability and is necessary for the implementation of the membership contract.

Data Purpose of processing Legal basis of processing Duration of storage

Personal data of invitee such as: Email address, invitation message, time of invitation

Implementation of the Membership Agreement

Sect. 6 para. 1 s. 1 lit. b GDPR

Deletion after expiration of purpose, no later than 90 days after membership ends

Personal data of the inviter: first name, surname, e-mail

Implementation of the Membership Agreement

Sect. 6 para. 1 s. 1 lit. b GDPR/p>

Deletion after expiry of purpose, at the latest 90 days after termination of membership

27. Waiting list

Since we are a closed shopping community and unfortunately can only accept a limited number of members, we offer people who are interested in joining the opportunity to be placed on a waiting list. This option is available when a member sends someone an invitation despite having run out of invitation permissions.

We store the following data in connection with the waiting list:

Data Processing purpose Legal basis for processing Retention period

Personal data of the invitee such as: First name, surname, email address, registration date and confirmation date

(pre-contractual) measures related to membership

Sect. 6 para. 1 s. 1 lit. b GDPR

Deletion once intended purpose no longer applies, no later than 30 days after rejection or unconfirmed invitation by BestSecret.

28. Competitions

For competitions (prize draws or prize competition), we use your data to inform you if you are a winner and for advertising our offers. For detailed information, see the participation conditions for the respective competitions.

Data Purpose of processing Legal basis of processing Duration of storage

Personal data of winner such as: First name, last name, email address, address, and social media contact information

Lottery execution, winning notification, delivery of prices in case of win

Sect. 6 para. 1 s. 1 lit. f GDPR

Deletion after expiration of purpose

29. Compliance with customs provisions

Based on various EU regulations (2580/2001/EC, 881/2002/EC and 753/2011/EC) and other statutory specifications, we as a company are required to reconcile our customers' data with publicly available foreign trade and embargo lists before concluding a purchasing contract. We perform this reconciliation because we have an overruling legitimate interest in compliance with legal provisions and must protect ourselves from sanctions and fines (sect. 6 para. 1 s. 1 lit. c GDPR). We only perform the reconciliation if you order goods from our website and incur a payment obligation. Only the following present data are compared: First name, name and address. The data will be deleted at once after review.

30. Data processing on our careers site

Our careers site provides information about job openings at the BestSecret ¦ Schustermann & Borenstein Group. You can find more information about data processing on the careers site here.

31. Data processing in connection with the Ambassador programme

The BestSecret Ambassador Program is for everyone who is enthusiastic about our brand and wants to promote it together. Our brand ambassadors inspire our community and earn real money through the Ambassador Program. A successful application is required for participation in the Ambassador Programme. As part of the application process, we process contact details and review whether the blog or social medial channel conforms to our requirements. The legal basis processing data as part of the application process is sect. 6 para. 1 s. 1 lit. b GDPR. If the applicant is accepted into the Ambassador Programme, invoicing and payment data, as well as information required for calculating commissions, will be processed on the basis of sect. 6 para. 1 s. 1 lit. b GDPR.

Data category concerned Processing purpose Legal basis for processing Retention period

Information about the relevant social media channel

Application/Implementation of the Ambassador Programme

Sect. 6 para. 1 s. 1 lit. b GDPR

Deletion after the relevant purpose no longer applies and/or statutory retention periods lapse.

Contact and communication data

Application/Implementation of the Ambassador Programme

Sect. 6 para. 1 s. 1 lit. b GDPR

Deletion after the relevant purpose no longer applies and/or statutory retention periods lapse.

Invoicing and payment data

Application/Implementation of the Ambassador Programme

Sect. 6 para. 1 s. 1 lit. b GDPR

Deletion after the relevant purpose no longer applies and/or statutory retention periods lapse.

Commissions from purchases made by referred persons and the resulting commissions

Application/Implementation of the Ambassador Programme

Sect. 6 para. 1 s. 1 lit. b GDPR

Deletion after the relevant purpose no longer applies and/or statutory retention periods lapse.

Data for promotional campaigns such as image or name

Application/Implementation of the Ambassador Programme

Sect. 6 para. 1 s. 1 lit. b GDPR

Deletion after the relevant purpose no longer applies and/or statutory retention periods lapse.

32. Passing on of data

32.1 Sharing data within the corporate group

Best Secret GmbH is part of the S&B Group. As part of our business activities, it is essential for data to be exchanged between branch locations on a regular basis. Exchanging data in this context is essential for BestSecret membership and contract fulfilment. Data is thus exchanged for contract performance in accordance with sect. 6 para. 1 s. 1 lit. b GDPR. The following S&B Group companies may have access to your data within the scope of Group-wide cooperation:

Controller Processing purpose Legal basis of processing

Best Secret GmbH, Margaretha-Ley-Ring 10, 85609 Aschheim

Membership management as well as the operation and provision of the BestSecret Online Shop

Sect. 6 para. 1 s. 1 lit. b

Schustermann & Borenstein GmbH, Margaretha-Ley-Ring 27, 85609 Aschheim

Establishment and defence of legal claims, security department, payment processing, linking the S&B customer card to Best Secret, participation in the S&B bonus programme

Sect. 6 para. 1 s. 1 lit. b

Schustermann & Borenstein Logistik GmbH, Parsdorfer Straße 13, 85586 Poing

Package dispatch and returns handling and processing

Sect. 6 para. 1 s. 1 lit. b

Schustermann & Borenstein Wien GmbH, Berggasse 16, 1090 Wien

S&B customer card linkage, participation in the S&B bonus programme

Sect. 6 para. 1 s. 1 lit. b

32.2. Transfers to processors

We use other service providers as contract processors in addition to the service providers expressly referred to above. They process personal data to the extent required. We carefully select and monitor these service providers. They process the data exclusively on our instructions. They include service providers such as IT service providers, marketing service providers and service providers for customer support.

32.3 Sharing data with third parties

Your personal data will only be passed on to third parties if this is required for contract processing or settlement or if you have consented to it in advance. Our business does not include selling such customer information. Data are only passed on in the scope of the presented purposes.

Your personal data will not be transferred to any third parties for any other than the purposes listed.

We shall only pass on your personal data to third parties if:

  1. you have expressly consented to this,
  2. forwarding is required for assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding protection-worthy interest in your data not being passed on,
  3. we are legally required to pass them on, and
  4. if it is legitimate by law and required for processing contractual relationships with you. In case of data transfer outside of the European Union, the high European data protection level generally does not apply. On transmission, it is possible that there is no current resolution on appropriateness of the EU commission within the meaning of sect. 45 para. 1, 3 GDPR. This means that the EU commission has not positively determined so far that the country-specific data protection level corresponds to the data protection level of the European Union due to the GDPR; therefore, we have created the above suitable guarantees.

Potential recipients include consultants, auditors, lawyers, courts or authorities.

33. Instruction on the rights of data subjects

Every data subject has the right to information according to sect. 15 GDPR, the right to rectification according to sect. 16 GDPR, the right of erasure according to section 17 GDPR, the right to restriction of processing according to sect. 18 GDPR, the right to objection from sect. 21 GDPR and the right to data portability from sect. 20 GDPR. The information right and erasure right are subject to the restrictions pursuant to §§ 34 and 35 BDSG or the respective national provisions.

34. Instructions on the complaint options

You also have the right to complain to the competent data protection supervisory authority about processing of your personal data by us.

35. Instruction on revocation of consent

You may revoke your consent granted to us for processing of personal data at any time. This shall also apply to revocation of declarations of consent that were granted to us before the application of the general data protection regulation, i.e. before 25 May 2018. Please note that the revocation will only be effective for the future. Processing that took place before the revocation is not affected by this.

36. Right in case of data processing for operation of direct marketing

You have the right according to sect. 21 para. 2 GDPR to object to processing of the personal data concerning you at any time. If you object to processing for the purpose of direct marketing, we shall no longer process your personal data for these purposes. Please note that the objection will only be effective for the future. Processing that took place before the objection is not affected by this.

37. Note on the objection rights on consideration of interests

As far as we base processing of your personal data on consideration of interests, you may object to processing. When exercising such an objection, please present the reasons why we should not process your personal data as described by us. In case of your justified objection, we will review the situation and shall either cease data processing or adjust it, or explain our mandatory grounds to be protected to you.

38. Links to other websites

Our websites may contain link to websites of other providers. Please note that this data protection statement only applies to the websites of www.BestSecret.com. We cannot influence or control whether other providers comply with the applicable data protection provisions.

39. Changes to the data protection statement

We reserve the right to change or adjust this data protection statement at any time under observation of the applicable data protection provisions.