Privacy policy for website visitors / webshop
The protection of your personal data is important to us.
This privacy policy informs you about how we process your data in connection with the use of our online shop.
Our offer is aimed exclusively at business customers (B2B) in the EU.
§ 1 Information on the collection of personal data
(1) In the following, we provide information about the processing of personal data when using our website. Personal data is all data that can be related to you personally, e.g. name, address, email addresses, user behaviour. We hereby wish to inform you about our processing procedures and at the same time fulfil our legal obligations, in particular those arising from the EU General Data Protection Regulation (GDPR).
(2) The controller pursuant to Art. 4 (7) GDPR is HIOKI EUROPE GmbH, Helfmann-Park 2, 65760 Eschborn, Germany, e-mail hioki[at]hioki[dot]eu (see our imprint). You can contact our data protection officer at datenschutz[at]aklsite[dot]de or at our postal address with the addition "the data protection officer".
(3) When you contact us by e-mail or via a contact form, the data you provide (your e-mail address, your name and telephone number if applicable) will be stored by us in order to answer your questions. If the enquiry is assigned to a contract, we delete the data arising in this context after the contract period, otherwise after the storage is no longer required, or restrict the processing if there are statutory retention obligations.
(4) If we use contracted service providers for individual functions of our offer or wish to use your data for advertising purposes, we will always carefully select and monitor these service providers and inform you in detail below about the respective processes. In doing so, we also specify the defined criteria for the storage period.
§ 2 Processing of personal data when visiting our website
When using the website for information purposes, i.e. simply viewing it without registering and without providing us with any other information, we process the personal data that your browser transmits to our server. The data described below is technically necessary for us to display our website to you and to ensure stability and security and must therefore be processed by us. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR:
- IP address
- Date and time of the enquiry
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request (page visited)
- Access status/HTTP status code
- Amount of data transferred in each case
- Previously visited page
- Browser
- Operating system
- Language and version of the browser software.
§ 3 Orders via our webshop (only for business customers in the EU)
Orders in our webshop are placed via self-registration with a VAT ID check.
We use an online shop from shopware AG to process your order. We have concluded an order processing contract with shopware AG.
Further information on data protection and your rights regarding the use of the ordering system can be found at:
1. Scope of the processing of personal data
Registration in the webshop
Your personal data is entered into an input mask and transmitted to us and stored. If you place an order via our webshop, we first collect the following data when you register in the shop:
- Company name
- Company address
- Name of the contact person
- E-mail address of the contact person
- Telephone number (optional)
- Value added tax identification number (VAT ID)
Value added tax validation
We check the VAT ID you have provided manually in a two-stage process: we check the validity of the VAT ID via VIES on-the-Web - European Commission (europa.eu), and we check via Google that the VAT ID matches the registered company data.
Free text field for items in the shopping basket (visurel.com)
Our online shop offers the option of using free text fields for individual information in the shopping basket. The data you enter will be stored for further processing and fulfilment of your order.
Blog
Our online shop also offers a blog via shop-studio.io. If you register for the blog area or leave comments, we collect data such as:
- Name
- E-mail address
- Comments
2. Purpose of data processing
- To ensure authorisation to use our B2B offering
- To process and fulfil your order
- For correspondence with you
- To manage the blog: grant access and moderate comments
- For invoicing
- For the settlement of any liability claims and the assertion of any claims against you
- To ensure the technical administration of our web shop
- To manage our customer data
3. Legal basis for data processing
The data processing takes place in response to your order and/or registration and is required in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR (fulfilment of contract) for the purposes mentioned under 2. for the appropriate processing of your order and for the mutual fulfilment of obligations arising from the purchase contract.
The legal basis for the administration of the blog is Art. 6 para. 1 lit. f GDPR (legitimate interest to enable the exchange in the blogs).
The legal basis for the presentation of your company to the public is Art. 6 para. 1 lit. a GDPR (consent).
4. Disclosure of data
Your personal data will only be disclosed to third parties who are involved in the processing of contracts, the operation or optimisation of our online shop. These service providers (listed below) are contractually obliged to treat your data confidentially and to process it exclusively within the scope of the agreed purposes (order processing agreement – OPA, where necessary). Depending on the service, processing is carried out on the basis of Art. 6 (1) lit. b GDPR (contract fulfilment), Art. 6 (1) lit. f GDPR (legitimate interest in secure and efficient operation) or Art. 6 (1) lit. a GDPR (consent).
Categories of data processed
Depending on the service, the following data in particular may be passed on: contact details (name, address, email, telephone number), contract and order data, payment information, technical usage data (e.g. IP address, browser information, operating system) and content that you provide to us via forms or input fields.
Technical basis / hosting
- STRATO AG, Pascalstraße 10, 10587 Berlin – domain and hosting provider (including server logs, DPA concluded).
- Shopware AG, Schöppingen – shop system (DPA concluded).
Communication / IT / Hosting
- Microsoft Ireland Operations Ltd., Dublin – Mail provider (Microsoft 365 / Exchange Online; data processing agreement concluded; data transfer to the USA based on the EU-US Data Privacy Framework and standard contractual clauses).
- datatronic Software AG, Augsburg – IT service provider with system access (data processing agreement concluded).
- Bauknecht Softfolio.sys GmbH, Stuttgart – web development / plugins and hosting (via subcontractor hostNET Medien GmbH, Hamburg; data processing agreement concluded).
Shop and web service providers
Our website uses various service providers and plugin providers who support the technical operation, design and functional enhancement of our web shop. Where necessary, data processing agreements (DPA) have been concluded. The providers listed below process personal data exclusively within the scope of the agreed purposes or locally within our Shopware system.
- digitvision creative websolutions, Cologne – Agency (technical support, DPA concluded where applicable).
- Internet & Advertising Agency Valkanis IWV, Bayreuth – Agency (technical support, DPA concluded where applicable).
- BlueWolf Produktion GmbH, Fellbach – B2B registration plugin (local processing, no data transfer to the provider).
- visurel GmbH, Ansbach – Free text fields (plugin development, local processing, no data transfer to the provider).
- Shop Studio GmbH, Cologne – blog system (plugin/integration, local processing, no data transfer to the provider).
- ACRIS E-Commerce GmbH, Linz (AT) – discounts/surcharges (plugin/integration, local processing, no data transfer to the provider).
Note:
The plugins mentioned are operated locally within our Shopware system. No personal data is transferred to the respective providers.
A data processing agreement (DPA) is therefore not usually required. If a provider is granted access to production data as part of support or maintenance services, a DPA is concluded or an anonymised test system is provided.
Payment & Shipping
- Stripe Payments Europe Ltd., Dublin – payment service provider (data transfer to the USA based on the EU-US Data Privacy Framework and standard contractual clauses). The following data in particular is transferred to Stripe as part of the payment process: company name, billing information and payment transaction data. Stripe processes this data on its own responsibility. Further information on data processing by Stripe can be found at https://stripe.com/de/privacy. Your payment data will be stored until the order has been processed, including refunds, debt management and fraud prevention. Statutory retention periods are up to 10 years (§ 147 AO / § 257 HGB). Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
- PayPal (Europe) S.à r.l. et Cie, Luxembourg – payment service provider (data transfer to the USA based on the EU-US Data Privacy Framework and standard contractual clauses).
- UPS Deutschland S.à r.l. & Co. OHG, Neuss – logistics company.
- DSV Air & Sea Germany GmbH, Wiesbaden – logistics company.
Analysis, marketing & tracking
The following services are used for web analysis, performance measurement or marketing control. They are only activated with your express consent in accordance with Art. 6 (1) (a) GDPR. Details on the respective data processing can be found in the section ‘Use of cookies and similar technologies’.
- Google Analytics, Google Tag Manager, Google Ads (conversion/remarketing) – Google Ireland Ltd., Dublin
- Hotjar Ltd., Malta – usage analysis (heat maps, session replay)
- Shopware Analytics – integrated tracking
- Trusted Shops GmbH, Cologne – customer reviews / seal of approval
- YouTube LLC, San Bruno (USA) / Google Ireland Ltd. – product videos
Storage period
The data we transmit will only be stored for as long as is necessary to achieve the respective processing purposes. In addition, there are statutory retention obligations, e.g. under commercial or tax law (regularly up to 10 years for contract and payment data). Technical usage data (e.g. server logs) is usually deleted after 30 days, provided there are no security concerns.
For shipments to a specific person, we pass on the name of the person to the respective logistics company. In all cases where personal data is transferred to third parties, the scope is always limited to the minimum necessary.
We have concluded order processing agreements with Shopware AG and other service providers. The order processors are obliged to ensure that their subcontractors comply with the same data protection and security standards as those specified in the main contract.
The contracted logistics companies (DSV, UPS) and payment service providers (Stripe, PayPal) process the data on their own responsibility.
Where data is transferred to the USA, this is done on the basis of the EU-US Data Privacy Framework and, in addition, the standard contractual clauses of the EU Commission.
Use of cookies and similar technologies
In addition to traditional cookies, we also use so-called ‘similar technologies’ on our website to provide certain functions and analyse the use of our services. These technologies serve the same purposes as cookies – e.g. to recognise users or store settings – but do not store any information in the form of cookies in the browser.
These technologies include, among others:
- Local storage/session storage: storage in the browser, e.g. for language settings
- Fingerprinting: recognition of devices by analysing browser or system characteristics
- Tracking pixels: Invisible graphics for counting page views or interactions
- Web beacons/tags: JavaScript-based trackers, similar to pixels
- Server-side tracking: Analysis via server logs instead of via the browser
- SDKs (in apps): Tracking in mobile apps via software development kits
Cookiebot (Consent Management)
We use the ‘Cookiebot’ service provided by Usercentrics A/S (Havnegade 39, 1058 Copenhagen, Denmark) to manage the consent of our website visitors to the storage of certain cookies. Cookiebot checks and classifies all cookies used on the website and stores the consents given in a consent ID. Technical data such as IP address (anonymised), browser information, date and time of consent are processed in the process.
Data processing is carried out on the basis of Art. 6 (1) lit. c GDPR (legal obligation) and Art. 6 (1) lit. f GDPR (legitimate interest in the legally compliant collection and documentation of consent). Where necessary, processing is carried out with your consent in accordance with Art. 6 (1) lit. a GDPR.
We have concluded a data processing agreement (DPA) with Usercentrics A/S in accordance with Art. 28 GDPR. Further information can be found at https://www.cookiebot.com/de/privacy-policy/ and in the DPA at https://www.cookiebot.com/de/dpa/.
Consent is stored for 12 months, after which it is requested again.
The following services use cookies or similar technologies and are only activated with your express consent in accordance with Art. 6 (1) (a) GDPR. You can revoke or adjust your consent at any time via the cookie settings on our website.
Google Analytics
We use Google Analytics, a web analytics service provided by Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland). Google Analytics uses cookies to evaluate the use of our website and to compile reports on website activity. Among other things, IP addresses (anonymised), browser information, operating system, length of stay and interactions are recorded. The information is usually transferred to Google servers in the USA. We have concluded a data processing agreement with Google. The legal basis is your consent (Art. 6(1)(a) GDPR). Opt-out: https://tools.google.com/dlpage/gaoptout
Google Tag Manager
Google Tag Manager (Google Ireland Ltd.) does not process any personal data itself, but enables the management and integration of tracking tags. Technical data such as IP addresses and browser information may be transmitted to Google. Transmission to the USA is possible. The legal basis is your consent (Art. 6 (1) (a) GDPR).
Google Ads (conversion/remarketing)
We use Google Ads to measure the effectiveness of advertising campaigns (conversion tracking) and to display interest-based advertising (remarketing). This involves setting cookies and processing data such as IP addresses, browser information and interactions with our website. The legal basis for this is your consent (Art. 6(1)(a) GDPR). Opt-out: https://www.google.com/settings/ads/
Hotjar
Our website uses Hotjar, an analysis service provided by Hotjar Ltd. (Dragonara Business Centre, 5th Floor, St. Julians STJ 3141, Malta). Hotjar creates heat maps and session replays to better understand user behaviour. This involves collecting IP addresses (anonymised), device type, operating system and browser information, among other things. We have concluded a data processing agreement with Hotjar. The legal basis is your consent (Art. 6(1)(a) GDPR). Opt-out: https://www.hotjar.com/legal/compliance/opt-out
Trusted Shops
Trusted Shops Easy Integration (Trusted Shops GmbH, Cologne) is integrated to display the Trusted Shops seal of approval and customer reviews. In particular, technical data such as IP address and browser information as well as order data in connection with orders are processed. Data is transferred exclusively within the EU. The legal basis is your consent (Art. 6 (1) (a) GDPR).
YouTube
Videos from the YouTube platform (Google Ireland Ltd. / YouTube LLC, USA) are integrated into our website. When a video is played, the IP address, browser information and, if applicable, account information are transmitted to YouTube. Data may be transferred to the USA. The legal basis is your consent (Art. 6 (1) (a) GDPR). Opt-out via: https://myaccount.google.com/privacycheckup
Shopware Analytics
We use Shopware Analytics (Shopware AG, Schöppingen), an integrated statistics tool of our shop system. It uses cookies to evaluate the use of the web shop. Among other things, technical usage data such as IP address, browser information and interactions with the shop are recorded. The legal basis for this is your consent (Art. 6 (1) (a) GDPR).
Storage period for cookies and tracking data
The data collected by cookies and similar technologies is only stored for as long as is necessary for the purposes mentioned or until you withdraw your consent. In addition, statutory retention periods apply where relevant. Technical usage data (e.g. server logs) is usually deleted after 30 days, unless there is a security-related need for longer storage.
5. Data transfer to third countries
Your data is only transferred to third countries when necessary for fulfilment or with your consent.
Stripe may process data outside the EU, but ensures that appropriate data protection standards are complied with (EU-U.S. Data Privacy Framework, Swiss-U.S. Data Privacy Framework, UK Extension to the EU-U.S. Data Privacy Framework).
§ 4 Your rights / right to lodge a complaint with the supervisory authority
(1) You have the following rights vis-à-vis the controller with regard to your personal data:
- Information about the personal data processed by us (Art. 15 GDPR)
- Correction of incorrect data (Art. 16 GDPR)
- Deletion of your data (Art. 17 GDPR), provided there are no statutory retention obligations to the contrary
- Objection to the processing (Art. 21 GDPR)
- Data portability (Art. 20 GDPR).
You may contact us at any time to exercise your rights.
(2) If you believe that the processing of your data violates the GDPR, you have the right to complain to a data protection supervisory authority about the processing of your personal data by us.
§ 5 Changes to the privacy policy
We reserve the right to amend this privacy policy if necessary in order to adapt it to changes in the legal framework or new services. The latest version is available on our website.
§ 6 Contact
If you have any questions or concerns about this privacy policy or the processing of your personal data, please contact us using the contact details provided under § 1 (2).