Privacy policy
1. Data protection at a glance
General information
The following notes provide a simple overview of what happens to your personal data when you visit this website. “Personal data” means any data that can be used to personally identify you. For detailed information on data protection, please refer to the full Privacy Policy set out below.
Data collection on this website
Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. Their contact details can be found in the section “Note on the Controller” in this Privacy Policy.
How do we collect your data?
Some data is collected when you provide it to us, for example by entering information into a contact form.
Other data is collected automatically or with your consent when you visit the website by our IT systems. This mainly includes technical data (e.g., browser, operating system, time of page access). This data is collected automatically as soon as you enter this website.
What do we use your data for?
Part of the data is collected to ensure the website is provided without errors. Other data may be used to analyze user behavior.
What rights do you have regarding your data?
You have the right at any time to receive free information about the origin, recipients, and purpose of your stored personal data. You also have the right to request rectification or deletion of this data. If you have given consent to data processing, you may withdraw this consent at any time with effect for the future. You also have the right, under certain circumstances, to request restriction of processing of your personal data. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.
You can contact us at any time regarding this and any other questions on the subject of data protection.
Analytics and third-party tools
When visiting this website, your browsing behavior may be statistically evaluated, primarily using analytics programs. Detailed information can be found below in this Privacy Policy.
2. Hosting and Content Delivery Networks (CDN)
Shopify
We host our website with Shopify International Limited, Victoria Buildings, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland (“Shopify”).
Shopify is a tool for creating and hosting websites. When you visit our website, Shopify collects your IP address as well as information about the device and browser you use. Shopify also analyzes visitor numbers, traffic sources, and customer behavior, and compiles user statistics. If you make a purchase on our website, Shopify collects your name, email address, shipping and billing addresses, payment data, and other purchase-related information (e.g., phone number, order amounts, etc.). For analytics, Shopify stores cookies in your browser.
For details, see Shopify’s Privacy Policy: https://www.shopify.de/legal/datenschutz.
The use of Shopify is based on Art. 6(1)(f) GDPR. We have a legitimate interest in the most reliable presentation of our website. Where consent is requested, processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR; consent can be withdrawn at any time.
Data Processing Agreement
We have concluded a data processing agreement with Shopify. This contract is required under data protection law and ensures that Shopify processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.
3. General notes and mandatory information
Data protection
We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this Privacy Policy.
When you use this website, various personal data is collected. This Privacy Policy explains what data we collect and what we use it for, and how and for what purpose this happens.
Please note that data transmission on the internet (e.g., when communicating by email) may have security gaps. Complete protection of data against access by third parties is not possible.
Note on the Controller
The Controller for data processing on this website is:
Susie Meyer
Wild & Schön Flower Workshop
Bismarckstraße 35a
56740 Bad Marienberg
Phone: +49 151 54700149
Email: blumenwerkstatt@wildundschoen.de
The Controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data (e.g., names, email addresses, etc.).
Storage period
Unless a more specific storage period is stated in this Privacy Policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a justified request for deletion or revoke your consent to processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g., retention periods under tax or commercial law); in the latter case, deletion will take place after these reasons cease to apply.
Note on data transfers to the USA and other third countries
Our website integrates tools from companies based in the USA or other non-EU/EEA countries that are not considered to have an adequate level of data protection. If these tools are active, your personal data may be transferred to and processed in these countries. Please note that these countries may not guarantee a level of data protection comparable to that of the EU. For example, US companies may be obliged to hand over personal data to security authorities without you being able to take legal action. We cannot rule out that US authorities (e.g., intelligence services) process, evaluate, and permanently store your data located on US servers. We have no influence on these processing activities.
Withdrawal of your consent to data processing
Many processing operations are only possible with your express consent. You can withdraw consent at any time. The lawfulness of processing carried out before withdrawal remains unaffected.
Right to object to processing in specific cases and to direct marketing (Art. 21 GDPR)
IF PROCESSING IS BASED ON ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT AT ANY TIME, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE APPLICABLE LEGAL BASIS FOR EACH PROCESSING OPERATION IS SET OUT IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA CONCERNED UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE, OR DEFENSE OF LEGAL CLAIMS (OBJECTING PURSUANT TO ART. 21(1) GDPR).
IF YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR SUCH MARKETING; THIS ALSO APPLIES TO PROFILING INSOFAR AS IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL NO LONGER BE USED FOR DIRECT MARKETING PURPOSES (OBJECTING PURSUANT TO ART. 21(2) GDPR).
Right to lodge a complaint with a supervisory authority
In the event of breaches of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement. This right exists without prejudice to any other administrative or judicial remedies.
Right to data portability
You have the right to receive data that we process on the basis of your consent or in performance of a contract in a commonly used, machine-readable format, and to have it transmitted to you or a third party. If you request the direct transfer of the data to another controller, this will only be done where technically feasible.
SSL/TLS encryption
For security reasons and to protect the transmission of confidential content (e.g., orders or inquiries you send to us), this site uses SSL/TLS encryption. You can recognize an encrypted connection by the browser’s address line changing from “http://” to “https://” and the lock icon in your browser. When encryption is active, data you transmit to us cannot be read by third parties.
Encrypted payment transactions on this website
If, after entering into a fee-based contract, there is an obligation to transmit your payment data (e.g., account number for direct debit), this data is required for payment processing. Payment transactions via common means of payment (Visa/Mastercard, direct debit) are carried out exclusively via an encrypted SSL/TLS connection. With encrypted communication, your payment data cannot be read by third parties.
Access, deletion, and correction
Within the framework of applicable legal provisions, you have the right at any time to free access to your stored personal data, its origin and recipients, the purpose of data processing, and, if applicable, a right to rectification or deletion of this data. You can contact us at any time regarding this and other questions about personal data.
Right to restriction of processing
You have the right to request restriction of the processing of your personal data. You can contact us at any time to exercise this right. The right to restriction applies in the following cases:
- If you contest the accuracy of your personal data stored by us, we usually need time to verify this. For the duration of the verification, you have the right to request restriction of processing.
- If processing is/was unlawful, you may request restriction instead of deletion.
- If we no longer need your personal data, but you require it for the establishment, exercise, or defense of legal claims, you have the right to request restriction instead of deletion.
- If you have objected pursuant to Art. 21(1) GDPR, a balance of interests must be carried out. Until it is determined whose interests prevail, you have the right to request restriction of processing.
If processing is restricted, such data—apart from storage—will only be processed with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or a Member State.
4. Data collection on this website
Cookies
Our website uses cookies. Cookies are small text files that do not harm your device. They are either stored temporarily for the duration of a session (session cookies) or permanently (persistent cookies) on your device. Session cookies are automatically deleted after your visit. Persistent cookies remain stored until you delete them or your browser deletes them automatically.
Third-party cookies may also be stored on your device when you enter our site. These allow us or you to use certain services of the third party (e.g., cookies for payment services).
Cookies have various functions. Many cookies are technically necessary as certain website functions would not work without them (e.g., the cart function or video display). Other cookies serve to analyze user behavior or display advertising.
Cookies necessary for electronic communication (necessary cookies), for providing certain functions you request (functional cookies, e.g., cart), or for optimizing the website (e.g., audience measurement) are stored on the basis of Art. 6(1)(f) GDPR, unless another legal basis is specified. The website operator has a legitimate interest in storing cookies for the technically error-free and optimized provision of services. Where consent to store cookies has been requested, storage is based exclusively on Art. 6(1)(a) GDPR; consent can be withdrawn at any time.
You can set your browser to inform you about the setting of cookies and to allow cookies only in individual cases, to exclude the acceptance of cookies for certain cases or in general, and to activate the automatic deletion of cookies when closing the browser. Disabling cookies may limit the functionality of this website.
Where third-party cookies or analytics cookies are used, we will inform you separately within this Privacy Policy and, if necessary, request consent.
Requests by email, phone, or fax
If you contact us by email, phone, or fax, your inquiry, including all personal data arising therefrom (name, inquiry), will be stored and processed by us for the purpose of handling your request. We do not pass on this data without your consent.
Processing is based on Art. 6(1)(b) GDPR if your request is related to the performance of a contract or necessary for pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective handling of inquiries (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR), if requested.
Data transmitted via contact requests remain with us until you request deletion, revoke your consent to storage, or the purpose for storage no longer applies (e.g., after your request has been completed). Mandatory statutory provisions—especially retention periods—remain unaffected.
Communication via WhatsApp
We use WhatsApp to communicate with customers and other third parties. Provider: WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Communication uses end-to-end encryption (peer-to-peer) preventing WhatsApp or third parties from accessing content. However, WhatsApp receives metadata generated during communication (e.g., sender, recipient, time). WhatsApp states it shares personal data of its users with its US-based parent company Facebook. For details, see WhatsApp’s Privacy Policy: https://www.whatsapp.com/legal/#privacy-policy.
Use of WhatsApp is based on our legitimate interest in fast and effective communication with customers, prospects, and other business partners (Art. 6(1)(f) GDPR). Where consent is requested, processing is based solely on Art. 6(1)(a) GDPR; consent can be withdrawn at any time.
WhatsApp messages remain with us until you request deletion, revoke consent, or the purpose of storage no longer applies (e.g., after completion of your request). Statutory retention obligations remain unaffected.
We use the “WhatsApp Business” version.
Data transfers to the USA are based on the EU Commission’s Standard Contractual Clauses. Details: https://www.whatsapp.com/legal/business-data-transfer-addendum.
5. Analytics and advertising
Google Tag Manager
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Tag Manager enables us to integrate and manage tracking/statistics tools and other technologies on our website. The Tag Manager itself does not create user profiles, store cookies, or perform independent analyses. It only manages the tools integrated via it. However, Google Tag Manager collects your IP address, which may also be transferred to Google’s parent company in the United States.
Use of Google Tag Manager is based on Art. 6(1)(f) GDPR. We have a legitimate interest in quick and uncomplicated integration and management of various tools. Where consent is requested, processing is based solely on Art. 6(1)(a) GDPR; consent can be withdrawn at any time.
Google Analytics
This website uses functions of Google Analytics (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland).
Google Analytics allows analysis of website visitor behavior (e.g., page views, time on site, operating systems, origin). Google may combine this data into a profile assigned to the respective user/device. Google Analytics uses technologies (e.g., cookies, device fingerprinting) that enable recognition of users for the purpose of analyzing behavior. Information generated is usually transferred to a Google server in the USA and stored there.
Use of this tool is based on Art. 6(1)(f) GDPR. We have a legitimate interest in analyzing user behavior to optimize our web offering and advertising. Where consent is requested (e.g., cookie consent), processing is based exclusively on Art. 6(1)(a) GDPR; consent can be withdrawn at any time.
Data transfers to the USA are based on the EU Commission’s Standard Contractual Clauses. Details: https://privacy.google.com/businesses/controllerterms/mccs/.
IP anonymization
We have activated IP anonymization on this website. Your IP address is shortened by Google within EU/EEA member states before transmission to the USA; only in exceptional cases is the full IP address transmitted to a US server and shortened there. On our behalf, Google uses this information to evaluate website use, compile reports on website activity, and provide other services related to website and internet use. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.
Browser plugin
You can prevent Google’s collection and processing of your data by downloading and installing the browser plugin available at: https://tools.google.com/dlpage/gaoptout?hl=de.
More information on how Google Analytics handles user data: https://support.google.com/analytics/answer/6004245?hl=de.
Data Processing Agreement
We have concluded a data processing agreement with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics.
Google Analytics e-commerce tracking
This website uses Google Analytics “E-commerce Tracking” to analyze purchasing behavior (orders placed, average order values, shipping costs, time from view to purchase). Google may aggregate these data under a transaction ID assigned to the user/device.
Retention period
User- and event-level data linked to cookies, user IDs, or advertising IDs (e.g., DoubleClick cookies, Android Advertising ID) are anonymized or deleted after 14 months. Details: https://support.google.com/analytics/answer/7667196?hl=de
Facebook (Meta) Pixel
This website uses the Facebook (Meta) visitor action pixel (Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland). According to Facebook, data may also be transferred to the USA and other third countries.
This allows us to track the behavior of visitors after they click on a Facebook ad and are redirected to our website, to evaluate the effectiveness of ads for statistical/market research purposes and optimize future advertising.
The collected data are anonymous to us as website operator; we cannot draw conclusions about users’ identities. However, Facebook stores and processes the data, enabling a connection to the respective user profile and use for Facebook’s own advertising purposes in accordance with Facebook’s data policy, allowing Facebook to place ads on and outside Facebook. We cannot influence this use.
Use of the Meta Pixel is based on Art. 6(1)(f) GDPR (our legitimate interest in effective advertising including social media). Where consent is requested (e.g., for cookies), processing is based exclusively on Art. 6(1)(a) GDPR; consent can be withdrawn at any time.
Data transfers to the USA are based on the EU Commission’s Standard Contractual Clauses. Details: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.
Where personal data are collected on our website using this tool and transmitted to Facebook, we and Facebook Ireland Limited are joint controllers for this processing (Art. 26 GDPR) limited to collection and transmission. Subsequent processing by Facebook is not part of joint controllership. Our mutual obligations are set out in the Joint Controller Addendum: https://www.facebook.com/legal/controller_addendum. Under this agreement, we are responsible for providing data protection information and implementing the tool in a privacy-compliant manner; Facebook is responsible for the security of Facebook products. Data subject rights regarding data processed by Facebook can be asserted directly with Facebook. If asserted with us, we are obliged to forward them to Facebook.
Further information on protecting your privacy can be found in Facebook’s data policy: https://de-de.facebook.com/about/privacy/.
You can disable the “Custom Audiences” remarketing feature in ad settings: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen (requires Facebook account).
If you do not have a Facebook account, you can disable usage-based advertising from Facebook via the European Interactive Digital Advertising Alliance: http://www.youronlinechoices.com/de/praferenzmanagement/.
6. eCommerce and payment providers
Processing of data (customer and contract data)
We collect, process, and use personal data only insofar as necessary for establishing, structuring, or changing the legal relationship (inventory data) pursuant to Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures). Personal data regarding the use of this website (usage data) is collected, processed, and used only to the extent necessary to enable the user to use the service or to bill for it.
Customer data collected are deleted after completion of the order or termination of the business relationship. Statutory retention obligations remain unaffected.
Data transmission upon contract conclusion for online shops, merchants, and shipping
We transmit personal data to third parties only as necessary for contract performance, e.g., to companies entrusted with delivery or the credit institution entrusted with payment processing. Further transmission does not take place unless you have expressly consented. Your data will not be transferred to third parties for advertising purposes without consent.
Processing is based on Art. 6(1)(b) GDPR.
Payment services
We integrate payment services of third-party companies. When you make a purchase, your payment data (e.g., name, amount, account or card details) are processed by the payment service provider to handle the transaction. The respective providers’ contractual and privacy provisions apply. Use of payment service providers is based on Art. 6(1)(b) GDPR (contract performance) and our legitimate interest in smooth, convenient, and secure payment (Art. 6(1)(f) GDPR). Where consent is requested for specific actions, Art. 6(1)(a) GDPR is the legal basis; consent can be withdrawn at any time.
We use the following payment services/providers on this website:
PayPal
Provider: PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg (“PayPal”).
Data transfers to the USA are based on the EU Commission’s Standard Contractual Clauses: https://www.paypal.com/de/webapps/mpp/ua/pocpsa-full
Privacy Policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full
Apple Pay
Provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA.
Privacy: https://www.apple.com/legal/privacy/de-ww/
Google Pay
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Privacy: https://policies.google.com/privacy