cadooz Privacy Policy.
I. Preamble
The following data protection information is intended to explain to you in a clear, transparent and concise manner how we at Cadooz GmbH, cadooz for short, process your personal data in connection with the use of our websites and/or online offers and protect your privacy. Personal data will be deleted as soon as possible and will never be used or passed on for advertising purposes without your consent. If the following information is insufficient or not comprehensible, please do not hesitate to contact our data protection officer using the contact details provided below.
II. Responsible body/data protection officer
The controller within the meaning of Article 4(7) of the EU General Data Protection Regulation for the processing of your personal data is:
Responsible body
cadooz GmbH
Osterbekstraße 90b
22083 Hamburg
Represented by the managing directors Marc Ehler & Dr. Samareh Khosravi
Email: business@cadooz.de
Data Protection Officer
Cadooz GmbH has appointed a data protection officer in accordance with Art. 37 GDPR. You can contact the Cadooz GmbH data protection officer using the following contact details:
cadooz GmbH
Personal/Confidential for the attention of the Data Protection Officer
Osterbekstraße 90b
22083 Hamburg
Email: datenschutz@cadooz.de or dpo@euronetworldwide.com
III. General principles/information
1. Purposes and legal bases
The term personal data is defined in the General Data Protection Regulation (GDPR). According to this, personal data is any information relating to an identified or identifiable natural person – i.e. for example your name, address or telephone number, but also online identifiers such as IP addresses. We collect and use our users’ personal data only to the extent necessary to provide and deliver our services and to provide our web or online offers (including mobile apps).
If you take advantage of our offers, we process your personal data on the basis of different legal principles:
We process your personal data to fulfill contractual obligations (Art. 6 para. 1, p. 1 lit. b) GDPR). This includes in particular:
– processing orders,
– managing your user account,
– contacting you with relevant information about your order with us or in response to inquiries you send us.
We also process your data to protect our legitimate interests (Art. 6 (1) (1) (f) GDPR), i.e.
– for the purposes of creating statistics to improve our products and services,
– for the purposes of preventing, investigating and reporting criminal offences, e.g. fraud, credit card misuse or identity fraud,
– for the assertion of legal claims or
– advertising, provided you have consented to the use of your data.
We process your data on the basis of your consent (Art. 6 (1) (a) GDPR) for certain purposes, such as
– personalized use of the website and personalized offers, as well as optimization of the website,
– for the purpose of creating statistics to improve products and services,
– for analytical purposes, to optimize our offer for you,
– for sending newsletters and customer surveys.
You can revoke the consent you have given us at any time without having to give us the reasons for doing so. The revocation of your consent is only effective for the future and does not affect the legality of the data processed up to the point of revocation.
2. Possible recipients of personal data
In order to provide our web and/or online offers, we sometimes use service providers who, in the course of providing services, work on our behalf and according to our instructions (contract processors). These service providers may receive personal data or come into contact with personal data in the course of providing services and represent third parties or recipients within the meaning of the GDPR. In such a case, we ensure that our service providers offer sufficient guarantees that appropriate technical and organizational measures are in place and that processing is carried out in accordance with the requirements of the GDPR and ensure the protection of the rights of the data subject (see Art. 28 GDPR).
If personal data is transferred to third parties and/or recipients outside of order processing, we ensure that this is done exclusively in accordance with the requirements of the GDPR and only if there is a corresponding legal basis.
We use service providers from the following areas:
– IT service providers (e.g. maintenance service providers, hosting service providers)
– Service providers for file and data destruction
– Printing services
– Consultancy and consulting, auditors
– Service providers for marketing or sales
– Logistics service providers
3. Processing of data in so-called third countries
As part of our online services, we use tools from Meta Platforms Ireland Limited (Meta) and Google LLC (Google Analytics), among others. Both companies have their headquarters in the United States of America (USA), a so-called third country outside the European Union (EU) or the European Economic Area (EEA).
When using these services, personal data may be transferred to the USA. Since July 10, 2023, there has been an adequacy decision by the European Commission within the framework of the EU-U.S. Data Privacy Framework (DPF), which guarantees an adequate level of data protection for certified companies such as Meta and Google.
If no such adequacy decision or certification exists, data transfers are based on the Standard Contractual Clauses (SCCs) approved by the European Commission, which ensure appropriate data protection guarantees within the meaning of the GDPR.
Despite the measures taken, it cannot be completely ruled out that US authorities may gain access to the transferred data without the data subjects being able to assert comprehensive legal remedies. The transfer therefore only takes place on the basis of your express consent within the framework of our cookie consent declaration in accordance with Art. 6 para. 1 lit. a GDPR.
Further information on Meta’s data protection practices can be found at:
https://www.facebook.com/privacy/policy
Information about Google and Google Analytics can be found at:
https://policies.google.com/privacy
4. Data deletion and storage period
Personal data will be deleted or blocked as soon as the purpose of the processing no longer applies. Storage after the purpose of the processing no longer applies shall only take place if this is provided for by the European or national legislator in EU regulations, laws or other provisions to which our company is subject (e.g. to fulfill statutory retention obligations and/or if there are legitimate interests in storage, e.g. during the course of limitation periods for the purpose of legal defense against any claims). The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion of a contract or for other purposes.
IV. Data processing in connection with our website
1. Automatic data processing
When you visit a website, certain data is automatically processed, and this also applies to our website. When you access our website, the browser used on your device automatically sends information to our website’s server (so-called server log files). This information is temporarily stored in a so-called log file. The following information is collected without any action on your part and stored until it is automatically deleted:
– IP address of the requesting computer (in anonymized form),
– Date and time of access
– Name and URL of the retrieved file
– Website from which access is made (referrer URL)
– Browser used and, if applicable, the operating system of your computer, smartphone, etc., as well as the name of your access provider
– Location (country).
This data is processed by us for the following purposes:
– Ensuring a smooth connection to the website
– Ensuring a comfortable use of our website
– Evaluation of system security and stability,
– Determining the correct price (including taxes) and
– for other administrative purposes.
Under no circumstances do we use the collected data for the purpose of drawing conclusions about you as a person.
2. Cookies
We only use the etracker analysis tool on our main domain (cadooz.com). We deliberately refrain from using cookies. Data processing is carried out on the basis of Art. 6 (1) lit. f GDPR (legitimate interest) in pseudonymized form.
We use additional cookies on our subdomains, for example for session management, login functions, or web analysis. You can find more detailed information on the type, purpose, and legal basis of these cookies directly on the respective subdomains in the cookie banner integrated there and also in this privacy policy in the description of the analysis and marketing cookies.
These are small text files that are stored on your end device (desktop PC, laptop, tablet, smartphone, console, etc.) when you visit our website. Cookies do not cause any damage to your device and do not contain any viruses, Trojans or other malware. Information is stored in cookies that arises in connection with the specific device used. However, this does not mean that we obtain direct knowledge of your identity as a result. The information stored may include, for example, the login status on a website or the shopping cart. Some of these cookies are deleted after you close your browser (so-called session cookies). Other cookies remain stored on your device and enable us or our partner companies to recognize your browser on your next visit (so-called persistent cookies). Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or so that a message always appears before a new cookie is created. However, disabling cookies completely may mean that you cannot use all the features of our website. Cookies can be divided into different categories.
The following cookie categories are used:
Necessary cookies
These cookies are necessary to ensure basic website functionality. For example, these cookies are necessary if you add a product to your shopping cart, then continue surfing on other pages and only click through to the payment page later. These cookies ensure that the shopping cart is not deleted even if you close your browser window.
Marketing and analysis cookies
These cookies collect information about user behavior and whether the website visitor receives any error messages. In addition, these cookies are also used to measure the loading time and the behavior of the website in different browsers. They also ensure a better user experience. For example, the locations entered, font sizes or form data are stored.
We also use these cookies for marketing purposes. The data is used to create the option to display personalized advertisements tailored to user behavior and user interest.
| Cookie | Purpose | Storage period | Provider / domain |
| --- | --- | --- | --- |
| cookieHint | Provides the tool for cookie management | 2 months | cadooz.com |
| Scookie | This cookie remembers the status of two factor authentication for a logged-in user. | 2 years | |
| li_gc | This cookie is used to store guests’ consent to the use of cookies that are not strictly necessary. | 2 years | |
| lidc | This cookie facilitates the selection of the data center. | 24 hours | |
| Bcookie | This cookie is a browser identifier. It is used to uniquely identify devices accessing LinkedIn in order to detect misuse of the platform | Session | |
| Lang | This cookie stores the language preference of a user. This ensures that the LinkedIn.com website appears in the language selected by the user. | Session | |
| AnalyticsSyncHistory | This cookie is used to store the time of synchronization with the “lms_analytics” cookie for users in the designated countries. | 30 days | |
| UserMatchHistory | This cookie is used to synchronize the IDs of LinkedIn Ads. | 30 days | |
| _ga | Used to uniquely identify individual users and analyze their behavior across multiple sessions. | 2 years | Google Analytics |
| _ga_8FTZ5QJ9C | Used to store session information and analyze user behavior on websites. | Session | Google Analytics |
| _gcl | Used to count page views and analyze user behavior on the website. | 24 hours | Google Analytics |
| _gic | Used to maintain an existing session during a visit to the website. | Session | Imperva |
| Incap_ses_536_3118738 | Used to maintain an existing session during a visit to the website. | Session | Imperva |
| Nlbli_3118738 | Assigns a specific server instance to a user to ensure session consistency. | Session | Imperva |
| NID | Storage of user preferences and personalization of advertising | 6 months | |
| Cdz-accepted-Cookies | Storage of cookie consent | 6-12 months | Cadooz |
| JSESSIONID | This cookie is used by the server in Java™ 2 Platform Enterprise Edition web applications to maintain an anonymous user session. It is a necessary cookie that expires at the end of a session. | Session | Shop Domain |
| fbp | Recognizes website visitors and displays targeted advertising | 90 days | |
| wp-wpml_current_language | Enables the website to be displayed in the correct language. | 1 day | Shop Domain |
| et_oi_v2 | Used to store the user’s decision in the consent banner | 480 days | Etracker |
How can I delete cookies?
You are free to decide how and whether you want to allow cookies to be set. Regardless of the service or website the cookies come from, you always have the option to delete, disable or only partially allow cookies. For example, you can block third-party cookies but allow all other cookies. If you want to check which cookies have been stored in your browser, change your cookie settings or delete cookies, you can find this in your browser settings:
Chrome: Delete, activate and manage cookies
Safari: Manage cookies and website data with Safari
Firefox: Delete cookies to remove data that websites have stored on your computer
Internet Explorer: Delete and manage cookies
Microsoft Edge: Delete and manage cookies
3. Cookie management
Cookie consent tool
To enable you to control the use of cookies, an extension has been installed on the website that provides a cookie consent tool. The extension “Cookie Hint” from Medienwerft – Agentur für digitale Medien und Kommunikation GmbH, Wendenstraße 130, 20537 Hamburg, Germany, displays information that is structured according to function groups and explains the purpose of the cookie function groups.
For the use of the extension “Cookie Hint” of Medienwerft – Agentur für digitale Medien und Kommunikation GmbH, Wendenstraße 130, 20537 Hamburg, the storage of a cookie is technically necessary.
Settings via the Cookie Consent Tool
When you visit our website for the first time, the cookie consent tool of Medienwerft – Agentur für digitale Medien und Kommunikation GmbH, Wendenstraße 130, 20537 Hamburg, will be displayed as a pop-up window on our website. Here you can activate or deactivate the cookies, which are divided into function groups, by clicking the corresponding box. Please note that the necessary cookies (see our description above) are already stored when you access the website and the relevant box is preset.
V. Registration / creating a user account
For certain services and offers that we provide through our website and online services, it is necessary to register and create a personal user account. During this process, we collect and store certain personal information (mandatory details). This data is not shared with third parties. Mandatory details include:
- Username
- Password
- User’s work email address
- First name, surname, title
- Company (if applicable)
- Address
- Country, state and town where the company is located
At the time of registration, we also store the user’s IP address, along with the date and time of registration. You can also provide optional details, such as phone number, fax number, mobile number or additional company information (e.g. employee number). Mandatory details required for registration are marked as such in the input form. The registration cannot be completed without accurately and truthfully filling out these mandatory fields. The registration will only be complete once you click the link in the confirmation email that we send you. Optional details may be used to improve our services.
VI. Web analytics for marketing and website security
To optimize our websites and adapt to the evolving habits and technical requirements of our users, we use web analytics tools. These tools help us measure which elements users visit, whether they can easily find the information they are looking for, etc. This information becomes meaningful and valuable only when analyzed in the context of a larger group of users. The collected data is aggregated, i.e. combined into larger units.
This allows us to adapt the design of pages or optimize content if we discover, for example, that a significant proportion of visitors are using new technologies or struggling to find specific information.
Within our web and online services, we conduct the following analyses and use the following web analytics tools:
1. Analysis of log data
Log data is only used for analysis purposes on an anonymous basis. In particular, it is not linked to personal data of the user and/or with an IP address or a cookie. Therefore, this analysis of log data is not subject to the data protection provisions of the GDPR.
2. E-tracker
The provider of this website uses services from etracker GmbH, based in Hamburg, Germany (www.etracker.com), to analyze usage data. We do not use cookies for web analytics as standard. If we do use analytics and optimization cookies, we will obtain your explicit consent separately in advance. If you agree, cookies will be used to perform a statistical reachability analysis of this website, to measure the success of our online marketing activities, and to conduct testing (e.g. of different versions of our online services or their components for the purpose of optimizing them). Cookies are small text files that the browser stores automatically on the user’s device. etracker cookies do not contain any information that could be used to identify a user.
The data generated by etracker is processed and stored exclusively in Germany on behalf of the provider of this website. This means it is subject to strict German and European data protection laws and standards. etracker has been independently audited, certified and awarded the data protection seal of approval ePrivacyseal.
The data processing is conducted in accordance with the legal provisions of Art. 6(1)(f) (legitimate interest) of the General Data Protection Regulation (GDPR). Our legitimate interest under the GDPR lies in the optimization of our website and online services. Since the privacy of our visitors is important to us, any data that could potentially be linked to an individual, such as IP addresses, login information or device identifiers, is anonymized or pseudonymized as early as possible. The data is not used for any other purposes, combined with other data, or shared with third parties.
You can object to the described data processing at any time by clicking on the slider. Objecting will not have any adverse consequences. If no slider is displayed, it means that data collection has already been blocked by other measures.
More information about data protection at etracker can be found here
VII. Newsletter
Within our web and online services, we also offer the option of subscribing to our newsletter.
1. Newsletter subscription
If you wish to subscribe to our newsletter, we require a valid email address from you. To verify that you are the owner of the provided email address, or that its owner consents to receiving the newsletter, we will send an automated email to the specified address after the initial subscription step (‘double opt-in’). Only after you confirm the newsletter subscription through a link in the confirmation email will we add the provided email address to our mailing list. We do not collect any data other than the email address and the details needed to confirm the subscription. Your data is processed exclusively for the purpose of sending the newsletter you have subscribed to.
2. Distribution of newsletter
To distribute our newsletters, we use the services and tools of Inxmail GmbH, Wetzinger Straße 17, 79106 Freiburg. The data you provide for the purpose of subscribing to the newsletter is processed on Inxmail’s servers.
We analyze our sent newsletters and newsletter campaigns using Inxmail’s tools. For example, we analyze whether a newsletter was opened and which links within it were clicked. Furthermore, we analyze whether specific predefined actions were taken after clicking or opening the newsletter. Among other things, this tracking allows us to determine whether you made a purchase in one of our shops or our partners’ shops after clicking on links within the newsletter. This tracking includes the following in particular:
- Opening an email
- Clicking on text and image links
- Downloading pictures in an email program
We use Inxmail’s personalized tracking, which allows us to directly link a recipient’s behaviour to their unique identifier.
Storage duration
The data you provide to us for the purpose of subscribing to our newsletter will be stored by us until you unsubscribe from the newsletter with us or the newsletter service provider. After you unsubscribe from the newsletter or when the processing purpose no longer applies, your data will be deleted from the newsletter distribution list. We reserve the right to delete or block email addresses from our newsletter distribution list at our own discretion within the scope of our legitimate interest pursuant to Art. 6(1)(f) GDPR. This will not affect data stored by us for other purposes.
If you do not wish to have your data analyzed by Inxmail, you can unsubscribe from the newsletter using the link provided in each newsletter message. After you unsubscribe from the newsletter distribution list, your email address will be placed on a blacklist by us or the newsletter service provider to prevent the newsletter from being sent out to you in future. The data from the blacklist will only be used for this purpose and will not be merged with other data.
The privacy policy of Inxmail can be found at: https://www.inxmail.de/datenschutz.
3. Use of personal data for advertising and marketing / customer surveys
Your personal data will only be used for advertising and marketing purposes or for conducting customer satisfaction surveys if you have given the appropriate consent or if another lawful basis exists that also permits advertising and marketing communications without consent. For advertising and marketing activities by email for the purpose of direct advertising of own similar goods or services, the lawful basis is Art. 7(3) UWG (German Act against Unfair Competition); this requires that (i) we have obtained your email address in connection with the sale of a product or service, (ii) you have not objected to the use of your email address for direct advertising purposes, and (iii) we clearly and explicitly inform you at the time of collecting your email address and with each use that you can object at any time to your email being used in this way.
VIII. Contact form and email contact
You can contact us by post, phone, fax or email. To contact us by post, please use the following address. XXX. If you contact us by phone, your phone number and any additional data provided during the call (e.g. your name, email address, the time of the call, details of your enquiry) will be processed. If you contact us by fax, your fax number or sender identification and the data contained in the fax will be processed. Our website also contains a contact form that visitors can use to contact us electronically. If you choose to use this contact form, the data you enter in the input fields will be transmitted to us and stored. This data is as follows:
- Company*
- First name*
- Surname*
- Enquiry type
- Order or serial number
- Telephone number
- Email address*
- Comments field*
- Postcode*
- Country
*Mandatory details that are needed when contacting us are marked with an asterisk (*), including in the input field.
At the point that the message is sent, the following data is also processed and stored:
- User’s IP address
- Transmission date and time
Alternatively, you can contact us using the email address provided on our website. In this case, the personal data transmitted with the email will be stored. Under no circumstances will the data be shared with third parties, except when we need to involve third parties to process your request. Your personal data is processed in accordance with the provisions of the General Data Protection Regulation (GDPR). If you contact us using the contact form on our website, this is done based on Art. 6(1)(f) GDPR, which permits processing on the basis of legitimate interests. Our legitimate interest lies in responding to your enquiry and communicating with you. In cases where your enquiry is aimed at performing a contract or pre-contractual measures, Art. 6(1)(b) GDPR serves as the lawful basis for processing your data.
Storage and deletion of data
The data you provide as part of your enquiry or contacting us will be stored only for as long as is necessary to process your enquiry. Once your enquiry has been resolved and the data is no longer needed, it will be deleted. If we have a legal obligation to retain your data for longer, it will be stored for the duration of the legal retention period, but no longer than necessary.
Voluntariness of information
Using the contact form on our website is entirely voluntary. You are not obliged to provide your data via the contact form, and this will not affect your ability to use our website.
IX. Fraud prevention
To prevent fraud, we utilize the services of Risk Ident GmbH, Am Sandtorkai 50, 20457 Hamburg, when operating our website.
Risk Ident collects and processes data using cookies and other tracking technologies for the purpose of identifying the user’s device and gathering additional information about website usage. This data is not linked to any specific user. If Risk Ident collects IP addresses, they are immediately encrypted.
The data collected by Risk Ident is stored in a database for fraud prevention. The database also stores data that we have provided to Risk Ident about devices involved in attempted or actual fraudulent activities. This data is not linked to any specific users either.
During the order process on our website, we obtain a risk assessment of the user’s device from Risk Ident’s database. This risk assessment evaluates the likelihood of a fraud attempt by considering factors such as whether the device has connected through different service providers, if it frequently changes geographic locations, the number of transactions made using the device, and whether a proxy connection is being used.
To protect our website from distributed denial-of-service (DDoS) attacks, we use the web application firewall and other services of Imperva (Imperva Inc., One Curiosity Way, Suite 203, San Mateo, CA 94403).
A web application firewall (WAF) makes it possible to filter, monitor and block malicious HTTP traffic to and from a web service. Imperva WAF functions as a reverse proxy, routing all web traffic from cadooz through the Imperva network, so that Imperva can inspect each request to identify and block malicious activities. Imperva identifies malicious requests based on predefined patterns for web application attacks (e.g. XSS, SSRF, XXE, etc.). Imperva’s reverse proxy also includes patterns for detecting personal data and performs real-time data masking. In the event of a malicious request, Imperva generates an event containing the client’s IP address, allowing us to review and analyze the request. The stored IP address is deleted after 10 weeks or once the analysis, resolution and clarification of the security-related incident are complete.
A DDoS attack is an attempt to overwhelm an internet service with a large number of targeted requests in order to stop it from functioning. During a DDoS attack on a website, the site can no longer be accessed.
Imperva’s service helps us detect and defend against such attacks on our website. To achieve this, a reverse proxy server is placed in front of the website to be protected. This server intercepts requests from the internet on behalf of the website, filters out ‘malicious’ requests, and forwards only ‘safe’ requests to the website’s servers. In connection with this, Imperva processes the IP addresses of website visitors to determine whether a request is an attack. The data is usually stored on servers located in countries within the European Union. In exceptional cases, data may be stored on servers in the USA. As a user of our website, you have the option to block cookies at any time in your browser settings. You can also object to any future tracking of your user behaviour on our website; instructions on how to disable cookies on your computer can be found at the following link: https://www.imperva.com/legal/privacy-policy/.
X. Rights of data subjects
As a data subject, you have the following rights in connection with the processing of your personal data:
- Right to be informed: You can ask us at any time for confirmation of whether we process any personal data concerning you and, if so, which data. This information will be provided to you free of charge. In the case of clearly unfounded or, in particular, frequent and excessive requests by a data subject, cadooz will either charge a reasonable fee to cover the administrative expenses associated with informing or notifying the data subject or implementing the requested measure, or it may refuse to act on the request. A right to be informed does not exist or may be restricted if disclosing the information would reveal confidential data, such as information protected by professional secrecy (Art. 15 GDPR).
- Right to rectification: If your personal data held by us is inaccurate or incomplete, you have the right to request at any time that we correct it (Art. 16 GDPR).
- Right to erasure: You have the right to request that we delete your personal data if it is no longer needed for the purposes for which it was collected, or if you have withdrawn your consent on which the processing is based. In such cases, we must cease processing your personal data and remove it from our IT systems and databases. A right to erasure does not exist if the data cannot be deleted due to a legal obligation or if processing is necessary for establishing, exercising or defending legal claims (Art. 17 GDPR).
- Right to restrict processing: You have the right to request that the processing of your personal data be restricted if the accuracy of the data is contested, if the processing is unlawful, if the data is needed for legal claims, or if an objection to the processing is currently being reviewed (Art. 18 GDPR).
- Right to data portability: You have the right to request that the data that you provided to us be made available to you in a structured, commonly used and machine-readable format, as well as the right to have this data transferred to another controller. This right only exists if you have provided us with the data on the basis of your consent or as part of a contract concluded with you and the processing is carried out by automated means (Art. 20 GDPR).
- Right to object to processing: If your data is processed on the basis of Art. 6(1)(f) GDPR, you have the right to object to the processing at any time.
- You may also withdraw your consent at any time, which will prevent us from continuing to process the data based on that consent (Art. 7(3) GDPR).
If you wish to exercise any of the aforementioned rights, you can contact us using the contact details provided above. In addition, you have the right to lodge a complaint with the relevant data protection supervisory authority if you believe that the processing of your personal data is unlawful (Art. 77 GDPR).
XI. Version / changes to this Privacy Policy
This Privacy Policy is valid as of July 2024.
Due to the ongoing development of our website and services, this Privacy Policy may need to be amended from time to time. The latest version of the Privacy Policy can be accessed at any time on the website at https://www.cadooz.com/datenschutz/.