cadooz Privacy Policy.

I. Preamble

This Privacy Policy is intended to provide you with clear, transparent and comprehensive information about how we, cadooz GmbH (‘cadooz’ for short), process your personal data in connection with the use of our websites and/or online services and how we protect your privacy. Personal data is deleted as soon as possible and is never used or shared for advertising purposes without your consent. Should the following information be insufficient or unclear, please do not hesitate to contact our data protection officer using the contact details provided below.

 

II. Controller / data protection officer

The controller responsible for the processing of your personal data within the meaning of Art. 4(7) of the EU General Data Protection Regulation is:

Controller

cadooz GmbH
Osterbekstraße 90b
22083 Hamburg
Represented by the directors Stefan Grimm, Marc Ehler, Dr. Samareh Khosravi
Email: business@cadooz.de

Data protection officer

cadooz GmbH has appointed a data protection officer pursuant to Art. 37 GDPR. You can reach the data protection officer of cadooz GmbH using the following contact details:

cadooz GmbH
Persönlich/vertraulich an den Datenschutzbeauftragten
Osterbekstraße 90b
22083 Hamburg
Email: datenschutz@cadooz.de

 

III. General principles / information

1. Purposes and lawful bases

The term ‘personal data’ is defined in the General Data Protection Regulation (GDPR). According to the GDPR, personal data is any information relating to an identified or identifiable natural person, such as your name, address or telephone number, but also online identifiers (e.g. IP address). We collect and use the personal data of our users only to the extent necessary to provide and deliver our services and to make our web or online services available (including mobile apps).

If you use our services, we process your personal data based on different lawful bases:

We process your personal data to fulfil contractual obligations (Art. 6(1)(b) GDPR). In particular, this includes

  • processing and fulfilling orders,
  • managing your user account,
  • contacting you regarding relevant information about your order or when you make enquiries with us.

We also process your data based on our legitimate interests (Art. 6(1)(f) GDPR), i.e.

  • for the purpose of compiling statistics to improve our products and services,
  • for the purpose of preventing, investigating and reporting crimes (e.g. fraud, credit card abuse, identity theft),
  • for asserting legal claims, or
  • for advertising, provided you have consented to your data being used for this purpose.

We process your data based on your consent (Art. 6(1)(a) GDPR) for specific purposes, such as

  • enabling personalized use of the website, personalizing our offerings and optimizing our website and online platforms
  • compiling statistics to improve products and services
  • conducting analysis to improve our offerings for you
  • sending out newsletters and customer surveys

If you have given us your consent, you can withdraw it at any time without having to provide reasons. The withdrawal of consent is only effective going forward and does not affect the lawfulness of data processing performed before the time of withdrawal.

2. Potential recipients of personal data

To provide our web and/or online services, we sometimes use service providers who act on our behalf and according to our instructions (processors). These service providers may receive or come into contact with personal data in the course of providing their services and are considered third parties or recipients within the meaning of the GDPR. In such cases, we ensure that our service providers offer sufficient guarantees that appropriate technical and organizational measures are in place and that data processing is carried out in a way that is in compliance with the GDPR requirements and ensures the protection of the rights of data subjects (see Art. 28 GDPR).

If personal data is transferred to third parties and/or recipients outside of a data processing agreement, we ensure that this is done solely in accordance with the GDPR requirements and only if a corresponding lawful basis exists.

We use service providers from the following areas:

  • IT service providers (e.g. maintenance providers, hosting providers)
  • Document and data destruction services
  • Printing services
  • Consulting and advisory services, auditors
  • Sales and marketing services
  • Logistics providers

3. Processing of data in ‘third countries’

Your personal data is generally processed within the EU or the European Economic Area (EEA). Only in exceptional cases (e.g. in connection with the use of service providers for web analytics services) may information be sent to what are known as ‘third countries’. If data is transferred to a recipient outside the EEA, an adequate level of data protection for the transfer abroad is ensured through appropriate security measures. If the transmitted information also includes personal data, we ensure before the transfer that an adequate level of data protection is guaranteed in the respective third country and by the respective recipient, and that you have given your consent or there is another lawful basis for the transfer. An adequate level of data protection can be ensured through an ‘adequacy decision’ by the European Commission or by applying the ‘EU Standard Contractual Clauses’ (Art. 46(2)(c) GDPR).

4. Data deletion and retention periods

Personal data is deleted or blocked as soon as the purpose for processing it no longer applies. Data will only be retained after the original purpose no longer applies if this is required by European or national legislation in EU regulations, laws or other provisions that apply to our company (e.g. to meet legal retention obligations and/or if there is a legitimate interest in storing the data, such as during limitation periods for legally defending against claims). Data will also be blocked or deleted when the retention period prescribed by the aforementioned regulations expires, unless the data needs to be stored beyond that for the conclusion of a contract or for other purposes.

 

IV. Data processing in connection with our website

1. Automated data processing

When visiting a website, including ours, certain data is automatically processed. When you access our website, the browser used on your device will automatically send information to our website server. This information is temporarily stored in ‘server log files’. The following information is collected without any action on your part and stored until it is automatically deleted:

  • IP address of the requesting computer (in anonymized form)
  • Date and time of access
  • Name and URL of the retrieved file
  • Website from which the access occurs (referrer URL)
  • Browser used and, if applicable, the operating system of your computer, smartphone, etc., and the name of your access provider
  • Location (country)

We process this data for the following purposes:

  • Ensuring trouble-free connection to our website
  • Ensuring comfortable use of our website
  • Analysing security and stability
  • Setting correct prices (including taxes)
  • Other administrative purposes

2. Cookies

To make our website more attractive to visitors and enable the use of certain functions, we use ‘cookies’ from selected third-party providers. Cookies are small text files that are stored on your device (desktop PC, laptop, tablet, smartphone, console, etc.) when you visit our website. Cookies do not harm your device and do not contain viruses, trojans or other malware. Cookies store information that is related to the specific device being used. However, this does not mean we can use them to identify you directly. The data that is stored might include the login status on a website, for example, or the contents of a shopping cart. Some of these cookies are deleted again after you close your browser (‘session cookies’). Other cookies remain on your device and enable us or our partner companies to recognize your browser on your next visit (‘persistent cookies’). Most browsers accept cookies automatically. However, you can configure your browser to prevent cookies from being stored on your computer or to notify you each time before a new cookie is set. However, you may not be able to use all the functions of our website if you fully disable cookies. Cookies can be divided into different categories.

The following categories of cookies are used:

Essential cookies
These cookies are necessary to ensure the basic functionality of the website. For example, they are required when you add a product to your shopping cart, then continue browsing other pages and come back later to pay. These cookies prevent the shopping cart from being emptied even if you close your browser window.

Cookie | Purpose | Storage period | Provider / domain
cookieHint | Provides the tool for cookie management. | 2 months | cadooz.com
hmt_id | This cookie is used for essential anonymous service-related statistics and other technical purposes, such as accessibility support. | 30 days | www.hcaptcha.com
Reese84 | This functional cookie is used for the security of the site. | 30 days | Imperva
nlbi_ | This functional cookie is used for the security of the site. | Expires when the browser is closed | Imperva
JSESSIONID | This essential cookie is used to maintain an anonymous user session by the server in Java™ 2 Platform Enterprise Edition web applications. It is a strictly necessary cookie that expires at the end of a session. | Session | Shop domain
Session_id | This cookie is used to maintain an anonymous user session by the server in Java™ 2 Platform Enterprise Edition web applications. It is a strictly necessary cookie that expires at the end of a session. | Session | Shop domain
Incap_ses_# | Incapsula DDoS protection & web application firewall: This cookie relates to HTTP requests associated with a specific session (also called a visit). Restarting the browser and accessing the same website is identified as a separate visit to maintain the current session. | Session | Imperva
visid_incap_# | Incapsula DDoS protection & web application firewall: This cookie associates sessions with a specific visitor (where a visitor represents a particular computer) to identify clients who have already visited Incapsula. | 1 year | Imperva

How to delete cookies

You are generally free to choose whether cookies may be set and how. Irrespective of which service or website the cookies originate from, you always have the option to delete, disable or only partially allow cookies. For example, you can block cookies from third-party providers but allow all other cookies. In your browser settings, you can check which cookies have been stored in your browser, change your cookie settings and delete cookies.

 

V. Registration / creating a user account

For certain services and offers that we provide through our website and online services, it is necessary to register and create a personal user account. During this process, we collect and store certain personal information (mandatory details). This data is not shared with third parties. Mandatory details include:

  • Username
  • Password
  • User’s work email address
  • First name, surname, title
  • Company (if applicable)
  • Address
  • Country, state and town where the company is located

At the time of registration, we also store the user’s IP address, along with the date and time of registration. You can also provide optional details, such as phone number, fax number, mobile number or additional company information (e.g. employee number). Mandatory details required for registration are marked as such in the input form. The registration cannot be completed without accurately and truthfully filling out these mandatory fields. The registration will only be complete once you click the link in the confirmation email that we send you. Optional details may be used to improve our services.

 

VI. Web analytics for marketing and website security

To optimize our websites and adapt to the evolving habits and technical requirements of our users, we use web analytics tools. These tools help us measure which elements users visit, whether they can easily find the information they are looking for, etc. This information becomes meaningful and valuable only when analyzed in the context of a larger group of users. The collected data is aggregated, i.e. combined into larger units.

This allows us to adapt the design of pages or optimize content if we discover, for example, that a significant proportion of visitors are using new technologies or struggling to find specific information.

Within our web and online services, we conduct the following analyses and use the following web analytics tools:

1. Analysis of log data

Log data is only used for analysis purposes on an anonymous basis. In particular, it is not linked to personal data of the user and/or with an IP address or a cookie. Therefore, this analysis of log data is not subject to the data protection provisions of the GDPR.

2. E-tracker

The provider of this website uses services from etracker GmbH, based in Hamburg, Germany (www.etracker.com), to analyze usage data. We do not use cookies for web analytics as standard. If we do use analytics and optimization cookies, we will obtain your explicit consent separately in advance. If you agree, cookies will be used to perform a statistical reachability analysis of this website, to measure the success of our online marketing activities, and to conduct testing (e.g. of different versions of our online services or their components for the purpose of optimizing them). Cookies are small text files that the browser stores automatically on the user’s device. etracker cookies do not contain any information that could be used to identify a user.

The data generated by etracker is processed and stored exclusively in Germany on behalf of the provider of this website. This means it is subject to strict German and European data protection laws and standards. etracker has been independently audited, certified and awarded the data protection seal of approval ePrivacyseal.

The data processing is conducted in accordance with the legal provisions of Art. 6(1)(f) (legitimate interest) of the General Data Protection Regulation (GDPR). Our legitimate interest under the GDPR lies in the optimization of our website and online services. Since the privacy of our visitors is important to us, any data that could potentially be linked to an individual, such as IP addresses, login information or device identifiers, is anonymized or pseudonymized as early as possible. The data is not used for any other purposes, combined with other data, or shared with third parties.

You can object to the described data processing at any time by clicking on the slider. Objecting will not have any adverse consequences. If no slider is displayed, it means that data collection has already been blocked by other measures.

More information about data protection at etracker can be found here

 

VII. Newsletter

Within our web and online services, we also offer the option of subscribing to our newsletter.

1. Newsletter subscription

If you wish to subscribe to our newsletter, we require a valid email address from you. To verify that you are the owner of the provided email address, or that its owner consents to receiving the newsletter, we will send an automated email to the specified address after the initial subscription step (‘double opt-in’). Only after you confirm the newsletter subscription through a link in the confirmation email will we add the provided email address to our mailing list. We do not collect any data other than the email address and the details needed to confirm the subscription. Your data is processed exclusively for the purpose of sending the newsletter you have subscribed to.

2. Distribution of newsletter

To distribute our newsletters, we use the services and tools of Inxmail GmbH, Wetzinger Straße 17, 79106 Freiburg. The data you provide for the purpose of subscribing to the newsletter is processed on Inxmail’s servers.

We analyze our sent newsletters and newsletter campaigns using Inxmail’s tools. For example, we analyze whether a newsletter was opened and which links within it were clicked. Furthermore, we analyze whether specific predefined actions were taken after clicking or opening the newsletter. Among other things, this tracking allows us to determine whether you made a purchase in one of our shops or our partners’ shops after clicking on links within the newsletter. This tracking includes the following in particular:

  • Opening an email
  • Clicking on text and image links
  • Downloading pictures in an email program

We use Inxmail’s personalized tracking, which allows us to directly link a recipient’s behaviour to their unique identifier.

Storage duration

The data you provide to us for the purpose of subscribing to our newsletter will be stored by us until you unsubscribe from the newsletter with us or the newsletter service provider. After you unsubscribe from the newsletter or when the processing purpose no longer applies, your data will be deleted from the newsletter distribution list. We reserve the right to delete or block email addresses from our newsletter distribution list at our own discretion within the scope of our legitimate interest pursuant to Art. 6(1)(f) GDPR. This will not affect data stored by us for other purposes.

If you do not wish to have your data analyzed by Inxmail, you can unsubscribe from the newsletter using the link provided in each newsletter message. After you unsubscribe from the newsletter distribution list, your email address will be placed on a blacklist by us or the newsletter service provider to prevent the newsletter from being sent out to you in future. The data from the blacklist will only be used for this purpose and will not be merged with other data.

The privacy policy of Inxmail can be found at: https://www.inxmail.de/datenschutz.

3. Use of personal data for advertising and marketing / customer surveys

Your personal data will only be used for advertising and marketing purposes or for conducting customer satisfaction surveys if you have given the appropriate consent or if another lawful basis exists that also permits advertising and marketing communications without consent. For advertising and marketing activities by email for the purpose of direct advertising of own similar goods or services, the lawful basis is Art. 7(3) UWG (German Act against Unfair Competition); this requires that (i) we have obtained your email address in connection with the sale of a product or service, (ii) you have not objected to the use of your email address for direct advertising purposes, and (iii) we clearly and explicitly inform you at the time of collecting your email address and with each use that you can object at any time to your email being used in this way.

 

 

VIII. Contact form and email contact

You can contact us by post, phone, fax or email. To contact us by post, please use the following address. XXX. If you contact us by phone, your phone number and any additional data provided during the call (e.g. your name, email address, the time of the call, details of your enquiry) will be processed. If you contact us by fax, your fax number or sender identification and the data contained in the fax will be processed. Our website also contains a contact form that visitors can use to contact us electronically. If you choose to use this contact form, the data you enter in the input fields will be transmitted to us and stored. This data is as follows:

  • Company*
  • First name*
  • Surname*
  • Enquiry type
  • Order or serial number
  • Telephone number
  • Email address*
  • Comments field*
  • Postcode*
  • Country

*Mandatory details that are needed when contacting us are marked with an asterisk (*), including in the input field.

At the point that the message is sent, the following data is also processed and stored:

  • User’s IP address
  • Transmission date and time

Alternatively, you can contact us using the email address provided on our website. In this case, the personal data transmitted with the email will be stored. Under no circumstances will the data be shared with third parties, except when we need to involve third parties to process your request. Your personal data is processed in accordance with the provisions of the General Data Protection Regulation (GDPR). If you contact us using the contact form on our website, this is done based on Art. 6(1)(f) GDPR, which permits processing on the basis of legitimate interests. Our legitimate interest lies in responding to your enquiry and communicating with you. In cases where your enquiry is aimed at performing a contract or pre-contractual measures, Art. 6(1)(b) GDPR serves as the lawful basis for processing your data.

Storage and deletion of data

The data you provide as part of your enquiry or contacting us will be stored only for as long as is necessary to process your enquiry. Once your enquiry has been resolved and the data is no longer needed, it will be deleted. If we have a legal obligation to retain your data for longer, it will be stored for the duration of the legal retention period, but no longer than necessary.

Voluntariness of information

Using the contact form on our website is entirely voluntary. You are not obliged to provide your data via the contact form, and this will not affect your ability to use our website.

 

IX. Fraud prevention

To prevent fraud, we utilize the services of Risk Ident GmbH, Am Sandtorkai 50, 20457 Hamburg, when operating our website.

Risk Ident collects and processes data using cookies and other tracking technologies for the purpose of identifying the user’s device and gathering additional information about website usage. This data is not linked to any specific user. If Risk Ident collects IP addresses, they are immediately encrypted.

The data collected by Risk Ident is stored in a database for fraud prevention. The database also stores data that we have provided to Risk Ident about devices involved in attempted or actual fraudulent activities. This data is not linked to any specific users either.

During the order process on our website, we obtain a risk assessment of the user’s device from Risk Ident’s database. This risk assessment evaluates the likelihood of a fraud attempt by considering factors such as whether the device has connected through different service providers, if it frequently changes geographic locations, the number of transactions made using the device, and whether a proxy connection is being used.

To protect our website from distributed denial-of-service (DDoS) attacks, we use the web application firewall and other services of Imperva (Imperva Inc., One Curiosity Way, Suite 203, San Mateo, CA 94403).

A web application firewall (WAF) makes it possible to filter, monitor and block malicious HTTP traffic to and from a web service. Imperva WAF functions as a reverse proxy, routing all web traffic from cadooz through the Imperva network, so that Imperva can inspect each request to identify and block malicious activities. Imperva identifies malicious requests based on predefined patterns for web application attacks (e.g. XSS, SSRF, XXE, etc.). Imperva’s reverse proxy also includes patterns for detecting personal data and performs real-time data masking. In the event of a malicious request, Imperva generates an event containing the client’s IP address, allowing us to review and analyze the request. The stored IP address is deleted after 10 weeks or once the analysis, resolution and clarification of the security-related incident are complete.

A DDoS attack is an attempt to overwhelm an internet service with a large number of targeted requests in order to stop it from functioning. During a DDoS attack on a website, the site can no longer be accessed.

Imperva’s service helps us detect and defend against such attacks on our website. To achieve this, a reverse proxy server is placed in front of the website to be protected. This server intercepts requests from the internet on behalf of the website, filters out ‘malicious’ requests, and forwards only ‘safe’ requests to the website’s servers. In connection with this, Imperva processes the IP addresses of website visitors to determine whether a request is an attack. The data is usually stored on servers located in countries within the European Union. In exceptional cases, data may be stored on servers in the USA. As a user of our website, you have the option to block cookies at any time in your browser settings. You can also object to any future tracking of your user behaviour on our website; instructions on how to disable cookies on your computer can be found at the following link: https://www.imperva.com/legal/privacy-policy/.

 

X. Rights of data subjects

As a data subject, you have the following rights in connection with the processing of your personal data:

  • Right to be informed: You can ask us at any time for confirmation of whether we process any personal data concerning you and, if so, which data. This information will be provided to you free of charge. In the case of clearly unfounded or, in particular, frequent and excessive requests by a data subject, cadooz will either charge a reasonable fee to cover the administrative expenses associated with informing or notifying the data subject or implementing the requested measure, or it may refuse to act on the request. A right to be informed does not exist or may be restricted if disclosing the information would reveal confidential data, such as information protected by professional secrecy (Art. 15 GDPR).
  • Right to rectification: If your personal data held by us is inaccurate or incomplete, you have the right to request at any time that we correct it (Art. 16 GDPR).
  • Right to erasure: You have the right to request that we delete your personal data if it is no longer needed for the purposes for which it was collected, or if you have withdrawn your consent on which the processing is based. In such cases, we must cease processing your personal data and remove it from our IT systems and databases. A right to erasure does not exist if the data cannot be deleted due to a legal obligation or if processing is necessary for establishing, exercising or defending legal claims (Art. 17 GDPR).
  • Right to restrict processing: You have the right to request that the processing of your personal data be restricted if the accuracy of the data is contested, if the processing is unlawful, if the data is needed for legal claims, or if an objection to the processing is currently being reviewed (Art. 18 GDPR).
  • Right to data portability: You have the right to request that the data that you provided to us be made available to you in a structured, commonly used and machine-readable format, as well as the right to have this data transferred to another controller. This right only exists if you have provided us with the data on the basis of your consent or as part of a contract concluded with you and the processing is carried out by automated means (Art. 20 GDPR).
  • Right to object to processing: If your data is processed on the basis of Art. 6(1)(f) GDPR, you have the right to object to the processing at any time.
  • You may also withdraw your consent at any time, which will prevent us from continuing to process the data based on that consent (Art. 7(3) GDPR).

If you wish to exercise any of the aforementioned rights, you can contact us using the contact details provided above. In addition, you have the right to lodge a complaint with the relevant data protection supervisory authority if you believe that the processing of your personal data is unlawful (Art. 77 GDPR).

 

XI. Version / changes to this Privacy Policy

This Privacy Policy is valid as of July 2024.

Due to the ongoing development of our website and services, this Privacy Policy may need to be amended from time to time. The latest version of the Privacy Policy can be accessed at any time on the website at https://www.cadooz.com/datenschutz/.