Privacy Policy

Preliminary remark

We, Blue Performance GmbH, take the protection of your personal data seriously, and with this Data Protection Policy, we would like to provide you with an overview of the processing of your personal data at our company.

This Data Protection Policy applies to the processing of personal data when our website www.cardeleine.com is visited both by non-registered visitors and by registered users who have set up a user account with us. In the case of registered users, we distinguish between consumers within the meaning of section 13 of the German Civil Code (BGB), to whom this Data Protection Policy also applies, and companies within the meaning of section 14 BGB, for whom we act as data processor and to whom the concluded data processing contract applies (Annex to our General Business Terms and Conditions www.cardeleine.com/en/legal/terms).


1. Controller

The website www.cardeleine.com and the platform for registered users integrated on it are operated by Blue Performance GmbH, Plankenhofstr. 9, 81929 Munich, hi@cardeleine.com (see our imprint www.cardeleine.com/en/legal/imprint ) – hereinafter "we" or "us".

We are thus the controller of the processing of your personal data within the meaning of the GDPR and the German Federal Data Protection Act (BDSG).


2. Collection of personal data, purposes of use, and legal basis

(1) Personal data within the meaning of the Data Protection Policy are all data about your person. They include, in particular, the following personal data (hereinafter, collectively, "data"):

  • Contact and master data (such as name, address, email address, phone number),
  • Data from the performance of our contractual obligations (such as order data and the purchased products and services),
  • Data that we receive in certain cases from our service providers (e.g. payment service providers),
  • Information with respect to interactions on our website (e.g. the date on which you set up your user account),
  • Data about your behaviour in connection with the visit to our website (such as the time at which our websites are accessed),
  • Log-in data (date and time when you logged in to your user account).

(2) We process your data only if you have consented to this (Article 6(1)(a) GDPR), we need them for the performance of the contract with you (Article 6(1)(b) GDPR), this is necessary for compliance with a legal obligation (Article 6(1)(c) GDPR), or we have a legitimate interest in the processing (Article 6(1)(f) GDPR). The exact legal basis for the respective processing is set forth in the following sections.

(3) We process personal data in the following cases:

  • if you visit our website (No. 3)
  • if you set up a user account (No. 4)
  • if you place an order with us (No. 5)
  • if you use our ticket system (No. 6)
  • if you allow camera access (No. 7)
  • for contact with us (No. 8)
  • if we use cookies (No. 10)

If in addition we should wish to collect and process data from you, we will separately notify you of this prior to collection and processing (including explanation of the legal basis) and obtain your consent if necessary.


3. Data processing when visiting our website

(1) If you use the website merely for informational purposes, i.e. if you do not register or transmit other information to us, we collect only the personal data that your browser transmits to our server. If you would like to view our website, we collect the following data, which we require for technical reasons in order to display our website to you and to ensure stability and security:

  • IP address
  • Date and time of access
  • Time zone difference from Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status/HTTP status code
  • Amount of data transferred
  • Website from which the request came
  • Browser
  • Operating system and its interface
  • Language and version of the browser software
  • Content of the response (specifically returned data)
  • Installation ID (identification randomly assigned by us to recognise devices)

The foregoing data are stored as log files on the servers of our internet service provider, with whom we have concluded a contract for data processing. This is necessary in order to be able to display the website on the end device used by you, as well as to ensure stability and security. The legal basis for this is Article 6(1)(f) GDPR (legitimate interest in making the website available). The foregoing data for making our website available are stored for seven days and then erased.


Use of Google Tag Manager 
 
1. Scope of processing of personal data 
 
We use the Google Tag Manager (https://www.google.com/intl/de/tagmanager/) of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA and its representative in the Union Google Ireland Ltd., Gordon House, Barrow Street, D04 E5W5, Dublin, Ireland (hereinafter referred to as Google). With Google Tag Manager, tags from Google and third-party services can be managed, bundled and embedded on an online presence. Tags are small code elements on an online presence that are used, among other things, to measure visitor numbers and behavior, capture the impact of online advertising and social channels, use remarketing and targeting, and test and optimize online presences. When a user visits the online presence, the current tag configuration is sent to the user's browser. It contains statements about which tags are to be triggered. Google Tag Manager triggers other tags that may themselves collect data. You will find information on this in the passages on the use of the corresponding services in this data protection declaration. Google Tag Manager does not access this data and data may be transferred to Google servers in the United States.

Part of the terms of use of Google Tag Manager are so-called standard data protection clauses (Art. 46 para. 2 p. 1 lit. c GDPR). These can be classified as appropriate guarantees for the protection of the transfer and processing of personal data outside the EU. 

For more information about the Google Tag Manager, please visit https://www.google.com/intl/de/tagmanager/faq.html and see Google's privacy policy: https://policies.google.com/privacy?hl=en 

2. Purpose of data processing 
 
The purpose of the processing of personal data is the consolidated and clear administration and efficient integration of third-party services.

3. Legal basis for the processing of personal data 
 
The legal basis for the processing of personal data is the user's given consent in accordance with Art. 6 para. 1 S.1 lit. a GDPR. 

4. Duration of storage 
 
Your personal information will be stored for as long as is necessary to fulfill the purposes described in this Privacy Policy or as required by law. According to Google's own statements, advertising data in server logs is anonymized by deleting parts of the IP address and cookie information after 9 and 18 months respectively.

5. Possibility of withdrawal of consent and erasure 
 
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of the consent does not affect the lawfulness of the processing carried out on the basis of the consent up to the withdrawal. 
You may prevent the collection and processing of your personal data by Google by preventing the storage of cookies by third parties on your computer, by using the "Do Not Track" function of a supporting browser, by deactivating the execution of script code in your browser or by installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser. your IP address) to Google and to prevent the processing of this data by Google by downloading and installing the browser plug-in available under the following link: 
https://tools.google.com/dlpage/gaoptout?hl=en 
With the following link you can deactivate the use of your personal data by Google: 
https://adssettings.google.de 

Further information on objection and erasure options against Google can be found at: 
https://policies.google.com/privacy?gl=EN&hl=en 


4. Data processing when setting up a user account

(1) For setting up the personal user account, we require, inter alia, your name, your email address, and a password chosen by you. For registration, we use the so-called "double opt-in" procedure, i.e. your registration is completed only once you have confirmed it by clicking on the link contained in a confirmation email sent to you for this purpose. If your confirmation is not provided within 48 hours, your registration will be automatically deleted from our database. Providing the aforementioned data is obligatory. You can provide all other information on a voluntary basis when using our platform.

(2) In the personal area of the user account ("My account"), the information can be updated at any time. We use these data, inter alia, for processing orders, processing payment, and making any refunds.

(3) You remain logged in to your user account until such time as you log yourself out or for 30 days since your last use of the platform. This feature enables you to use our services without having to log back in each time. However, we recommend that you expressly log out if your computer or your end device that you are utilising to use our platform is utilised by several persons.

In technical terms, a cookie is placed on your end device, whose purpose is to avoid your having to log back in to our website for subsequent visits. This feature is not available to you if you have deactivated this cookie by adjusting your cookie settings or if you have deleted the cookie in your browser settings after you log out from our website.

(4) The legal basis for the data processing associated with this is in each case Article 6(1)(b) GDPR (contract performance for performing and processing contracts).


5. Data processing for processing your order

The ability to place orders on our website is available exclusively to registered users. In connection with your orders, the processing of your data serves the conclusion and performance of the contract, as well as the processing of your order, including payment. In the case of credit card payment, we receive from our payment provider the so-called "payment type ID", the last four digits of the credit card, the expiration date of the credit card, the brand of the credit card (VISA or MasterCard), the first and last name of the cardholder, the type of the credit card (credit or debit card), and the country in which the card was issued.

We use this for the purpose of authentication and allocation of your order and thus for your security. The personal data necessary to process the payment are collected directly by the payment service provider. The legal bases for the foregoing types of data processing are Article 6(1)(b) GDPR (contract performance for performing and processing contracts) and Article 6(1)(f) GDPR (balancing of interests based on our interest in offering you a secure option for credit card payment).

We store the data provided by you concerning your billing address in your user account so that you do not need to re-enter them the next time you make a purchase. You can modify these data at any time for the future.


6. Use of our ticket systems

Access to our ticket system is available exclusively to registered users. You can send us enquiries as well as error and malfunctioning reports through our ticket systems. We use the data voluntarily transmitted by you in connection with enquiries and reports only for processing your enquiry.

Your contact data are then recorded in our ticket systems for a corresponding reply to you. The data are used exclusively for use of the ticket system and processing your enquiry. The contact and access data are deleted from the ticket system, at the latest, following termination of the contractual relationship with us.

The legal basis for the processing of personal data in connection with the ticket systems is to perform our contractual obligations under Article 6(1)(b) GDPR.


7. Camera access

We require from you as registered user the authorisation to access the camera on your mobile end device. Camera access is necessary so that you as registered user can use the features offered by our products and services. With your camera, you scan the QR code to capture a digital business card. The legal basis for this is Article 6(1)(b) GDPR (contract performance for use of the offered products and services).


8. Data processing when contacting us

You have various ways of contacting us. You can reach us by email, by using the contact form, or by using the feedback feature.

In order to be able to process your concern, we collect your name, email address, phone number, customer, order, and item numbers, and other information that you transmit to us. The legal basis for this is Article 6(1)(b) GDPR (contract performance - processing of data of the user is necessary for performing the agreement on the response to questions or concerns) and Article 6(1)(f) GDPR (balancing of interest - based on our interest in processing enquiries by visitors to our website).


9. Social media

(1) No plug-ins

We do not use any social media plug-ins on our website. To the extent that our website contains symbols of social media providers (e.g. Facebook, Instagram, Twitter, Xing, and LinkedIn), we use these solely for passively linking to the sites of the respective providers.

(2) Embedding of YouTube videos

a) We have embedded YouTube videos on our website that are stored on YouTube www.youtube.com and can be played directly on our website. These are all embedded in "enhanced data protection mode", i.e. no data about you as user is transferred to YouTube if you do not play the videos. The data mentioned in subsection b) are first transferred when you play the videos. We have no influence over this data transfer.

b) When the website is visited, YouTube is notified that you have accessed the corresponding subpage of our website. In addition, the data mentioned in No. 3 of this Data Protection Policy are transferred. This takes place irrespective of whether YouTube provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data are allocated directly to your account. If you do not desire the allocation with your profile at YouTube, you must log out prior to activating the button. YouTube stores your data as usage profiles and uses them for the purposes of advertising, market research, and/or design of its website to meet user requirements. Such analysis is performed, in particular (even for users who are not logged in) to provide structured advertising and to notify other users of the social network about your activities on our website. You have a right to object to the creation of these user profiles, and to exercise it, you must contact YouTube.

c) You can obtain further information about the purpose and scope of data collection and its processing by YouTube in the privacy policy. There you can also obtain further information about your rights and setting options for protecting your privacy. www.google.de/intl/de/policies/privacy . We point out that Google also processes your personal data in the USA.

(3) Embedding of Google Maps

a) On this website, we use the offerings of Google Maps. This enables us to display interactive maps to you directly on the website and provide you with a convenient use of the map feature.

b) When the website is visited, Google is notified that you have accessed the corresponding subpage of our website. In addition, the data mentioned in No. 3 of this Data Protection Policy are transferred. This takes place irrespective of whether Google provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data are allocated directly to your account. If you do not desire the allocation with your profile at Google, you must log out prior to activating the button. Google stores your data as usage profiles and uses them for the purposes of advertising, market research, and/or design of its website to meet user requirements. Such analysis is performed, in particular (even for users who are not logged in) to provide structured advertising and to notify other users of the social network about your activities on our website. You have a right to object to the creation of these user profiles, and to exercise it, you must contact Google.

c) You can obtain further information about the purpose and scope of data collection and its processing by the plug-in provider in the provider’s privacy policy. There you can also obtain further information about your rights in this respect and setting options for protecting your privacy. www.google.de/intl/de/policies/privacy . We point out that Google also processes your personal data in the USA.


10. Cookies

(1) We use cookies on our website. Cookies are small text files that are stored on your hard drive and send certain information to the entity that placed them (here, to us). Cookies cannot execute any programs or transfer viruses to your computer. They are used to make our website as a whole more user-friendly and more effective.

Under the button "Cookie settings", you can specify at any time which cookies you would like to allow and which you would not.

(2) With regard to the use of cookies, we distinguish as a rule between various categories of cookies: So-called "session cookies" are temporarily stored for the duration of your use of the website and automatically deleted thereafter. In addition, "persistent cookies" are used whose content is limited to an identification number in order to record information about users who repeatedly access a website in order to recognise them and in some cases to be able to offer them optimised user guidance. You can configure your browser settings in accordance with your wishes and, e.g. refuse to accept third-party cookies or all cookies. In addition, when our website is accessed, you will be notified about the use of cookies for analysis purposes, and your consent will be obtained to the processing of the personal data used in this connection. We point out that you may not be able to use all features of this website if you have prevented the use of cookies by our website on your computer.

(3) Details about the cookies that we use:

a) Matomo

On our website, we use Matomo (formerly, Piwik), an open-source software for the statistical analysis of user accesses. The provider of the Matomo software is InnoCraft Ltd., 7 Waterloo Quay PO625, 6140 Wellington, New Zealand. Matomo uses cookies that are stored on your computer and facilitate an analysis of your use of the website. The information generated by the cookie about your use of the website is stored on a server in Germany.

The IP address is anonymised immediately after processing and prior to its storage.

The legal basis for the use of Matomo is your consent pursuant to Article 6(1)(a) GDPR.

As is the case with all cookies, you can withdraw your consent at any time. See No. 9 (1). In addition, you have the ability to prevent the installation of cookies by changing the setting in your browser software. We point out that in the case of a corresponding setting, all features of this website may no longer be available.

You can decide whether to permit a unique web analysis cookie to be set in your browser in order to enable the operator of the website to record and analyse various statistical data.

You can find more information about the privacy settings of the Matomo software at the following link: matomo.org/docs/privacy/ .

b) Flash cookies and HTML5 storage objects

Flash cookies that are used are not captured by your browser but instead by your Flash plug-in. In addition, we use HTML5 storage objects, which are placed on your end device. These objects store the required data irrespective of the browser you use, and they do not have any automatic expiration date. You can manage the setting and deletion of Flash cookies using the Adobe Flash Player settings manager at www.macromedia.com/support/documentation/de/flashplayer/help/settings_manager07.html

In the alternative, if you do not desire processing by Flash cookies, you can install the corresponding add-on, e.g. "Better Privacy" for Mozilla Firefox or the Adobe Flash Killer Cookie for Google Chrome. You can prevent the use of HTML5 storage objects by using your browser in private mode. We also recommend that you manually delete your cookies and browser history on a regular basis.



11. Disclosure of data to third parties

Your data are disclosed to third parties only if this is necessary for providing our services and only on the basis of statutory permission:

  • pursuant to Article 6(1)(a) GDPR, if you have consented to the transmission of your data,
  • pursuant to Article 6(1)(b) GDPR, if this is necessary for contract performance,
  • pursuant to Article 6(1)(c) GDPR, if this is necessary for compliance with a legal obligation, or
  • pursuant to Article 6(1)(f) GDPR, based on our legitimate interest or the legitimate interest of a third party (which includes, e.g., data transmissions in connection with assignments of receivables).

In addition, we may be entitled or obligated to disclose data on the basis of statutory provisions and/or official or court orders. This may involve, in particular, the provision of information for the purposes of criminal prosecution, to ward off threats, or to enforce intellectual property rights.


12. Rights as data subject

You can at any time assert your rights as data subject against us with respect to your processed personal data using the contact data set forth in No. 1, above. You are entitled to the rights under the conditions of the respective provisions of data protection law. You are not granted any more extensive rights through the following description. As data subject, you have the right:

  • to obtain from us confirmation as to whether or not personal data concerning you are being processed. If this is the case, you have the right pursuant to Article 15 GDPR of access to these personal data and to the information listed in detail in Article 15 GDPR;
  • pursuant to Article 16 GDPR, to obtain without undue delay the rectification of inaccurate data stored by us or, where they are incomplete, to have them completed;
  • pursuant to Article 17 GDPR, to obtain the erasure of data stored by us, if and to the extent that one of the grounds listed in Article 17 GDPR specifically applies, e.g. if the data are no longer necessary in relation to the purposes for which they were collected;
  • pursuant to Article 18 GDPR, to obtain the restriction of processing of your data if one of the conditions listed in Article 18 GDPR is met, e.g. if you have objected to the processing;
  • pursuant to Article 20 GDPR, to receive your data you have provided to us in a structured, commonly used and machine-readable format and to transmit them and, where technically feasible, to have them transmitted, Article 20 GDPR (data transfer);
  • pursuant to Article 21 GDPR, to object to the processing, if the processing is based on Article 6(1)(e) or (f) GDPR. This is the case, in particular, if the processing is not necessary to perform a contract with you. To the extent that an objection to direct advertising is not involved, we ask that if you exercise such an objection, you explain the reasons why we should not process your data in the way we perform this. In the case of your justified objection, we will review the matter and either discontinue or adjust data processing or notify you of our mandatory, protected reasons on the basis of which we will continue the processing;
  • pursuant to Article 7(3) GDPR, to withdraw your consent at any time with prospective effect, provided that you have granted same. This also applies to data protection consents that you have given to us prior to the validity of the GDPR;
  • pursuant to Article 77 GDPR, to lodge a complaint with a data protection supervisory authority concerning the processing of your personal data at our company. You can assert this right with a supervisory authority in the Member State of your habitual residence, your place of work or the place of the alleged infringement.


13. Erasure of data

To the extent that no express storage period is specified in this Data Protection Policy, your personal data are erased or blocked once the purpose or legal basis for the storage no longer applies. However, storage may continue beyond the specified time in the case of an (imminent) legal dispute with you or some other legal proceedings or if storage is required by statutory provisions to which we as controller are subject. If the storage period required by statutory provisions expires, the personal data are blocked or erased unless further storage by us is necessary and there is a legal basis for this.


14. Amendment notice

As part of the continuing development of the law of data protection, as well as technical or organisational changes, our Data Protection Policy is regularly reviewed for the need for modification or supplementation. You will be notified of amendments, in particular, on our website at www.cardeleine.com .

This Data Protection Policy was last updated in October 2020.