We, Blue Performance GmbH, take the protection of your personal data seriously, and with this Data Protection Policy, we would like to provide you with an overview of the processing of your personal data at our company.
This Data Protection Policy applies to the processing of personal data when our website www.cardeleine.com is visited both by non-registered visitors and by registered users who have set up a user account with us. In the case of registered users, we distinguish between registered users who are consumers within the meaning of section 13 of the German Civil Code (BGB), to whom the following Data Protection Policy also applies. For registered users that are companies within the meaning of section 14 BGB, we act as their data processor, and applicable is the concluded data processing contract (Annex to our General Business Terms and Conditions www.cardeleine.com/en/legal/terms).
The website www.cardeleine.com and the platform for registered users integrated on it are operated by Blue Performance GmbH, Plankenhofstr. 9, 81929 Munich, email@example.com (see our imprint www.cardeleine.com/en/legal/imprint ) – hereinafter "we" or "us".
We are thus the controller of the processing of your personal data within the meaning of the GDPR and the German Federal Data Protection Act (BDSG).
2. Collection of personal data, purposes of use, and legal basis
(1) Personal data within the meaning of the Data Protection Policy are all data about your person. They include, in particular, the following personal data (hereinafter, collectively, "data"):
- Contact and master data (such as name, address, email address, phone number),
- Data from the performance of our contractual obligations (such as order data and the purchased products and services),
- Data that we receive in certain cases from our service providers (e.g. payment service providers),
- Information with respect to interactions on our website (e.g. the date on which you set up your user account),
- Data about your behaviour in connection with the visit to our website (such as the time at which our websites are accessed),
- Log-in data (date and time when you logged in to your user account).
(2) We process your data only if you have consented to this (Article 6(1)(a) GDPR), we need them for the performance of the contract with you (Article 6(1)(b) GDPR), this is necessary for compliance with a legal obligation (Article 6(1)(c) GDPR), or we have a legitimate interest in the processing (Article 6(1)(f) GDPR). The exact legal basis for the respective processing is set forth in the following sections.
(3) We process personal data in the following cases:
- if you visit our website (No. 3)
- if you set up a user account (No. 4)
- if you place an order with us (No. 5)
- if you use our ticket system (No. 6)
- if you allow camera access (No. 7)
- for contact with us (No. 8)
If in addition we should wish to collect and process data from you, we will separately notify you of this prior to collection and processing (including explanation of the legal basis) and obtain your consent if necessary.
3. Data processing when visiting our website
(1) If you use the website merely for informational purposes, i.e. if you do not register or transmit other information to us, we collect only the personal data that your browser transmits to our server. If you would like to view our website, we collect the following data, which we require for technical reasons in order to display our website to you and to ensure stability and security:
- IP address
- Date and time of access
- Time zone difference from Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status/HTTP status code
- Amount of data transferred
- Website from which the request came
- Operating system and its interface
- Language and version of the browser software
- Content of the response (specifically returned data)
- Installation ID (identification randomly assigned by us to recognise devices)
The foregoing data are stored as log files on the servers of our internet service provider, with whom we have concluded a contract for data processing. This is necessary in order to be able to display the website on the end device used by you, as well as to ensure stability and security. The legal basis for this is Article 6(1)(f) GDPR (legitimate interest in making the website available). The foregoing data for making our website available are stored for seven days and then erased.
Use of Google Tag Manager
1. Scope of processing of personal data
We use the Google Tag Manager (https://www.google.com/intl/de/tagmanager/) of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA and its representative in the Union Google Ireland Ltd., Gordon House, Barrow Street, D04 E5W5, Dublin, Ireland (Hereinafter referred to as Google). With Google Tag Manager, tags from Google and third-party services can be managed, bundled and embedded on an online presence. Tags are small code elements on an online presence that are used, among other things, to measure visitor numbers and behavior, capture the impact of online advertising and social channels, use remarketing and targeting, and test and optimize online presences. When a user visits the online presence, the current tag configuration is sent to the user's browser. It contains statements about which tags are to be triggered. Google Tag Manager triggers other tags that may themselves collect data. You will find information on this in the passages on the use of the corresponding services in this data protection declaration. Google Tag Manager does not access this data and data may be transferred to Google servers in the United States.
2. Purpose of data processing
The purpose of the processing of personal data lies in the collected and clear administration as well as an efficient integration of the services of third parties.
3. Legal basis for the processing of personal data
The legal basis for the processing of personal data is the user's given consent in accordance with Art. 6 para. 1 S.1 lit. a GDPR.
4. Duration of storage
5. Possibility of withdrawal of consent and erasure
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of the consent does not affect the lawfulness of the processing carried out on the basis of the consent up to the withdrawal.
You may prevent the collection and processing of your personal data by Google by preventing the storage of cookies by third parties on your computer, by using the "Do Not Track" function of a supporting browser, by deactivating the execution of script code in your browser or by installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser. your IP address) to Google and to prevent the processing of this data by Google by downloading and installing the browser plug-in available under the following link:
With the following link you can deactivate the use of your personal data by Google:
Further information on objection and erasure options against Google can be found at:
4. Data processing when setting up a user account
(1) For setting up the personal user account, we require, inter alia, your name, your email address, and a password chosen by you. For registration, we use the so-called "double opt-in" procedure, i.e. your registration is first completed if you previously confirmed your registration by clicking on the link contained in a confirmation email sent to you for this purpose. If your confirmation in this respect is not provided within 48 hours, your registration will be automatically deleted from our data base. Providing the aforementioned data is obligatory. You can provide all other information on a voluntary basis when using our platform.
(2) In the personal area of the user account ("My account"), the information can be updated at any time. We use these data, inter alia, for processing orders, processing payment, and making any refunds.
(3) You remain logged in to your user account until such time as you log yourself out or for 30 days since your last use of the platform. This feature enables you to use our services without having to log back in each time. However, we recommend that you expressly log out if your computer or your end device that you are utilising to use our platform is utilised by several persons.
In technical terms, a cookie is placed on your end device, whose purpose is to avoid your having to log back in to our website for subsequent visits. This features is not available to you if you have deactivated this cookie by adjusting your cookie settings or if you have deleted the cookie in your browser settings after you log out from our website.
(4) The legal basis for the data processing associated with this is in each case Article 6(1)(b) GDPR (contract performance for performing and processing contracts).
5. Data processing for processing your order
The ability to place orders on our website is available exclusively to registered users. In connection with your orders, the processing of your data serves the conclusion and performance of the contract, as well as the processing of your order, including payment. In the case of credit card payment, we receive from our payment provider the so-called "payment type ID", the last four digits of the credit card, the expiration date of the credit card, the brand of the credit card (VISA or MasterCard), the first and last name of the cardholder, the type of the credit card (credit or debit card), and the country in which the card was issued.
We use this for the purpose of authentication and allocation of your order and thus for your security. The personal data necessary to process the payment are collected directly by the payment service provider. The legal bases for the foregoing types of data processing are Article 6(1)(b) GDPR (contract performance for performing and processing contracts) and Article 6(1)(f) GDPR (balancing of interests based on our interest in offering you a secure option for credit card payment).
We store the data provided by you concerning your billing address in your user account so that you do not need to re-enter them the next time you make a purchase. You can modify these data at any time for the future.
6. Use of our ticket systems
Access to our ticket system is available exclusively to registered users. You can send us enquiries as well as error and malfunctioning reports through our ticket systems. We use the data voluntarily transmitted by you in connection with enquiries and reports only for processing your enquiry.
Your contact data are then recorded in our ticket systems for a corresponding reply to you. The data are used exclusively for use of the ticket system and processing your enquiry. The contact and access data are deleted from the ticket system, at the latest, following termination of the contractual relationship with us.
The legal basis for the processing of personal data in connection with the ticket systems is to perform our contractual obligations under Article 6(1)(b) GDPR.
7. Camera access
We require from you as registered user the authorisation to access to camera on your mobile end device. Camera access is necessary so that you as registered user can use our offered features of our products and service. With your camera, you scan the QR code to capture a digital business card. The legal basis for this is Article 6(1)(b) GDPR (contract performance for use of the offered products and services).
8. Data processing when contacting us
You have various ways of contacting us. You can reach us by email, by using the contact form, or by using the feedback feature.
In order to be able to process your concern, we collect your name, email address, phone number, customer, order, and item numbers, and other information that you transmit to us. The legal basis for this is Article 6(1)(b) GDPR (contract performance - processing of data of the user is necessary for performing the agreement on the response to questions or concerns) and Article 6(1)(f) GDPR (balancing of interest - based on our interest in processing enquiries by visitors to our website).
9. Social media
(1) No plug-ins
We do not use any social media plug-ins on our website. To the extent that our website contains symbols of social media providers (e.g. Facebook, Instagram, Twitter, Xing, and LinkedIn), we use these solely for passively linking to the sites of the respective providers.
(2) Embedding of YouTube videos
a) We have embedded YouTube videos on our website that are stored on YouTube www.youtube.com and can be played directly on our website. These are all embedded in "enhanced data protection mode", i.e. no data about you as user is transferred to YouTube if you do not play the videos. The data mentioned in subsection b) are first transferred when you play the videos. We have no influence over this data transfer.
b) When the website is visited, YouTube is notified that you have accessed the corresponding subpage of our website. In addition, the data mentioned in No. 3 of this Data Protection Policy are transferred. This takes place irrespective of whether YouTube provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data are allocated directly to your account. If you do not desire the allocation with your profile at YouTube, you must log out prior to activating the button. YouTube stores your data as usage profiles and uses them for the purposes of advertising, market research, and/or design of its website to meet user requirements. Such analysis is performed, in particular (even for users who are not logged in) to provide structured advertising and to notify other users of the social network about your activities on our website. You have a right to object to the creation of these user profiles, and to exercise it, you must contact YouTube.
(3) Embedding of Google Maps
a) On this website, we use the offerings of Google Maps. This enables us to display interactive maps to you directly on the website and provide you with a convenient use of the map feature.
b) When the website is visited, Google is notified that you have accessed the corresponding subpage of our website. In addition, the data mentioned in No. 3 of this Data Protection Policy are transferred. This takes place irrespective of whether Google provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data are allocated directly to your account. If you do not desire the allocation with your profile at Google, you must log out prior to activating the button. Google stores your data as usage profiles and use them for the purposes of advertising, market research, and/or design of its website to meet user requirements. Such analysis is performed, in particular (even for users who are not logged in) to provide structured advertising and to notify other users of the social network about your activities on our website. You have a right to object to the creation of these user profiles, and to exercise it, you must contact Google.
Under the button "Cookie settings", you can specify at any time which cookies you would like to allow and which you would not.
(3) Details about the cookies that we use:
The IP address is anonymised immediately after processing and prior to its storage.
The legal basis for the use of Matomo is your consent pursuant to Article 6(1)(a) GDPR.
As is the case with all cookies, you can withdraw your consent at any time. See No. 9 (1). In addition, you have the ability to prevent the installation of cookies by changing the setting in your browser software. We point out that in the case of a corresponding setting, all features of this website may no longer be available.
You can decide whether to permit a unique web analysis cookie to be set in your browser in order to enable the operator of the website to record and analyse various statistical data.
You can find more information about the privacy settings of the Matomo software at the following link: matomo.org/docs/privacy/ .
b) Flash cookies and HTML5 storage objects
Flash cookies that are used are not captured by your browser but instead by your Flash plug-in. In addition, we use HTML5 storage objects, which are placed on your end device. These objects store the required data irrespective of the browser you use, and they do not have any automatic expiration date. You can manage the setting and deletion of Flash cookies using the Adobe Flash Player settings manager at www.macromedia.com/support/documentation/de/flashplayer/help/settings_manager07.html
In the alternative, if you do not desire processing by Flash cookies, you can install the corresponding add-on, e.g. "Better Privacy" for Mozilla Firefox or the Adobe Flash Killer Cookie for Google Chrome. You can prevent the use of HTML5 storage objects by using your browser in private mode. We also recommend that you manually delete your cookies and browser history on a regularly basis.
11. Disclosure of data to third parties
Your data are disclosed to third parties only if this is necessary for providing our services and only on the basis of statutory permission:
- pursuant to Article 6(1)(a) GDPR, if you have consented to the transmission of your data,
- pursuant to Article 6(1)(b) GDPR, if this is necessary for contract performance,
- pursuant to Article 6(1)(c) GDPR, if this is necessary for compliance with a legal obligation, or
- pursuant to Article 6(1)(f) GDPR, based on our legitimate interest or the legitimate interest of a third party (which includes, e.g., data transmissions in connection with assignments of receivables).
In addition, we may be entitled or obligated to disclose data on the basis of statutory provisions and/or official or court orders. This may involve, in particular, the provision of information for the purposes of criminal prosecution, to ward off threats, or to enforce intellectual property rights.
12. Rights as data subject
You can at any time assert your rights as data subject against us with respect to your processed personal data using the contact data set forth in No. 1, above. You are entitled to the rights under the conditions of the respective provisions of data protection law. You are not granted any more extensive rights through the following description. As data subject, you have the right:
- to obtain from us confirmation as to whether or not personal data concerning you are being processed. If this is the case, you have the right pursuant to Article 15 GDPR of access to these personal data and to the information listed in detail in Article 15 GDPR;
- pursuant to Article 16 GDPR, to obtain without undue delay the rectification of inaccurate data stored by us or, where they are incomplete, to have them completed;
- pursuant to Article 17 GDPR, to obtain the erasure of data stored by us, if and to the extent that one of the grounds listed in Article 17 GDPR specifically applies, e.g. if the data are no longer necessary in relation to the purposes for which they were collected;
- pursuant to Article 18 GDPR, to obtain the restriction of processing of your data if one of the conditions listed in Article 18 GDPR is met, e.g. if you have objected to the processing;
- pursuant to Article 20 GDPR, to receive your data you have provided to us in a structured, commonly used and machine-readable format and to transmit them and, where technically feasible, to have them transmitted, Article 20 GDPR (data transfer);
- pursuant to Article 21 GDPR, to object to the processing, if the processing is based on Article 6(1)(e) or (f) GDPR. This is the case, in particular, if the processing is not necessary to perform a contract with you. To the extent that an objection to direct advertising is not involved, we ask that if you exercise such an objection, you explain the reasons why we should not process your data in the way we perform this. In the case of your justified objection, we will review the matter and either discontinue or adjust data processing or notify you of our mandatory, protected reasons on the basis of which we will continue the processing;
- pursuant to Article 7(3) GDPR, to withdraw your consent at any time with prospective effect, provided that you have granted same. This also applies to data protection consents that you have given to us prior to the validity of the GDPR;
- pursuant to Article 77 GDPR, to lodge a complaint with a data protection supervisory authority concerning the processing of your personal data at our company. You can assert this right with a supervisory authority in the Member State of your habitual residence, your place of work or the place of the alleged infringement.
13. Erasure of data
To the extent that no express storage period is specified in this Data Protection Policy, your personal data are erased or blocked once the purpose or legal basis for the storage no longer applies. However, storage may continue beyond the specified time in the case of an (imminent) legal dispute with you or some other legal proceedings or if storage is required by statutory provisions to which we as controller are subject. If the storage period required by statutory provisions expires, the personal data are blocked or erased unless further storage by us is necessary and there is a legal basis for this.
14. Amendment notice
As part of the continuing development of the law of data protection, as well as technical or organisational changes, our Data Protection Policy is regularly reviewed for the need for modification or supplementation. You will be notified of amendments, in particular, on our website at www.cardeleine.com .
This Data Protection Policy was last updated in October 2020.