Privacy
General Information
The following information provides a simple overview of what happens to your personal data when you visit our website or use our services. It is also intended to give you an overview of which data protection measures we have in place and which rights regarding data processing are available to you.
In order to ensure the protection of your data in the future as well, in particular in light of new legal requirements and technical developments, it is necessary to adapt this privacy policy from time to time. We therefore recommend that you regularly read our information and notices on data processing.
Who processes my data?
Controller
The data processing on this website is carried out by the website operator (controller):
AEON GmbH
Raiffeisenstr. 2B
61250 Usingen
Owner: Pascal Rottmair
E-mail: info@aeon-shisha.com
Cooperation with Processors and Third Parties
We transfer your data to third parties only on the basis of a legal foundation, in cases where this is necessary for the performance of a contract (e.g. where transmission of data to third parties, such as payment service providers, is required pursuant to Art. 6 (1) (b) GDPR), where you have given consent (Art. 6 (1) (a) GDPR), where we are legally obliged to do so (Art. 6 (1) (c) GDPR), or on the basis of our legitimate interests (Art. 6 (1) (f) GDPR, e.g. the use of external services, web hosts, consultants, etc.). In all such cases, we will inform you in advance, among other things in this privacy policy. Where we instruct third parties to process data on the basis of a so-called “data processing agreement” (DPA), this is done on the basis of Art. 28 GDPR.
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), this is done only on the basis of a legal foundation and only if the special requirements of Art. 44 et seq. GDPR are met. This means that processing takes place only if special safeguards are in place to ensure a level of data protection equivalent to that in the EU (e.g. “Privacy Shield” for the USA, where applicable).
What data are we talking about?
Whenever we refer to data processing, this always concerns your personal data. Personal data means any information relating to an identified or identifiable natural person. This includes all data that have a direct or indirect connection to you (whether immediate or indirect), e.g. first name, surname, addresses, e-mail addresses, user behaviour, location data, etc.
How do we collect your data?
General
On the one hand, your data are collected when you provide them to us. This may, for example, be data that you enter into a contact form.
Other data are collected automatically by our IT systems when you visit the website. These are primarily technical data (e.g. internet browser, operating system or time of access). The collection of these data takes place automatically as soon as you access our website.
Cookies
To improve user navigation, we use cookies. Most of the cookies we use are so-called “session cookies”. Session cookies are small information units that a provider stores in the working memory of the visitor’s computer. These cookies are absolutely essential for the technical provision of certain services such as the shopping cart or registration. Session cookies are deleted as soon as you end the session. Whenever we use cookies for other purposes, e.g. for analysis, or cookies from other providers (“third-party cookies”), we will inform you separately in this privacy policy.
The use of cookies takes place on the basis of our legitimate interests in the optimisation and economic operation of our online offering in accordance with Art. 6 (1) (f) GDPR.
Most browsers are set to accept cookies automatically. In general, you can prevent cookies from being stored on your hard drive by selecting “do not accept cookies” in your browser settings. You can also set your browser to ask you each time before a cookie is set whether you agree. Finally, you can delete cookies that have already been set at any time. Please refer to your browser’s instructions to see how to implement these measures.
When do we collect/process your data?
Visit to the website
Log files
We and/or our hosting provider automatically collect and store information in so-called server log files, which your browser transmits to us automatically. These are:
- Browser type and browser version
- Operating system used
- Referrer URL
- Host name of the accessing computer
- Time of the server request
- IP address
Data processing is carried out on the basis of our legitimate interest in the secure operation of the website in accordance with Art. 6 (1) (f) GDPR.
The data are deleted as soon as they are no longer required to achieve the purpose for which they were collected. This is the case after seven days at the latest. Longer storage is possible. In this case, the IP addresses of the users are deleted or anonymised so that assignment to the requesting client is no longer possible.
Web Analytics
Google Analytics
To analyse the surfing behaviour of our users, we use Google Analytics on our website. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).
Google Analytics places cookies on the users’ computers. The information generated by the cookies about the use of our online offering by users is generally transmitted to a Google server in the USA and stored there. Google will use this information on our behalf to evaluate the use of our online offering by users. Pseudonymous user profiles may be created from the processed data.
We use Google Analytics on the basis of our interest in the analysis, optimisation and economic operation of our online offering within the meaning of Art. 6 (1) (f) GDPR. In doing so, we pay particular attention to the protection of your personal data. Google is certified under the Privacy Shield agreement and thus offers a guarantee of compliance with European data protection law:
https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI
Furthermore, we use Google Analytics only with IP anonymisation activated. This means that the IP address of users is shortened by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a server of Google in the USA and shortened there.
We have instructed Google to delete or anonymise the personal data of users after 14 months.
You can prevent the storage of cookies by adjusting your browser software accordingly. However, we point out that in this case you may not be able to use all functions of this website to their full extent.
You can also prevent the collection and processing of data by Google by downloading and installing the browser plug-in available at the following link:
http://tools.google.com/dlpage/gaoptout
Alternatively, you can prevent the collection of data by Google Analytics by clicking on the following link:
Tracking via Google Analytics on this website is currently activated. Click here to deactivate tracking.
An opt-out cookie will be set which prevents the collection of your data during future visits to this website.
Further information on the use of your data by Google Analytics can be found at:
https://www.google.com/analytics/terms/de.html and
https://support.google.com/analytics/answer/6004245?hl=de
Other Services and Plugins of Third-Party Providers
We use services from third-party providers on our site. These include, for example, services for embedding videos, fonts or content from social networks. These services are called directly from the providers’ servers. In doing so, the users’ IP addresses are transmitted to the providers for the purpose of displaying the content. Third-party providers may also store cookies on the user’s computer and collect, among other things, technical information about the browser and operating system, referring websites, visit time and additional information about the use of our online offering, and combine this with such information from other sources.
The use of these third-party providers takes place on the basis of our interest in a user-friendly design, optimisation, analysis and economic operation of our online offering within the meaning of Art. 6 (1) (f) GDPR. We pay attention to the protection of visitor data. We inform visitors accordingly and only use providers who offer sufficient guarantees regarding compliance with EU data protection standards. Providers from the USA are used only if they have a valid certification under the Privacy Shield agreement. Moreover, we take note of the providers’ privacy policies and inform our visitors to the best of our knowledge and belief about the handling of user data and existing revocation/opt-out options.
Google Fonts
To display fonts on our website, we integrate external fonts from Google Inc., https://www.google.com/fonts (“Google Fonts”). Provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google offers the possibility to object to the use of data for advertising purposes. You can find details on this page:
https://www.google.com/settings/ads/
Further information on the handling of user data can be found in Google’s privacy policy at:
https://policies.google.com/privacy?hl=de
Google Maps
To display maps on our website, we use the “Google Maps” service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google offers the possibility to object to the use of data for advertising purposes. You can find details on this page:
https://www.google.com/settings/ads/
Google Tag Manager
We also use “Google Tag Manager” in order to integrate and manage the Google analytics and marketing services on our website.
Privacy Policy: https://www.google.com/policies/privacy/
Opt-out: https://adssettings.google.com/authenticated
Use of Blog Functions
Comments
In our blog, we offer users the opportunity to post comments. For the comment function, in addition to your comment, information regarding the time of creation of the comment, your e-mail address and the user name chosen by you will be stored. In addition to these data, your IP address will also be stored. The storage of the IP address is solely for the security of the provider in the event that illegal content is posted (insults, prohibited political propaganda, etc.). The legal basis for the processing of the data entered when registering is Art. 6 (1) (f) GDPR.
Contact
Contact Forms, E-mail, Telephone, Social Media
When contacting us (e.g. via contact form, e-mail, telephone or social media), the information provided by the user is processed in order to handle the contact request. User information may be stored in a customer relationship management system (CRM system) or a comparable request organisation.
The legal basis for the processing of the data transmitted via the contact form or by e-mail is Art. 6 (1) (f) GDPR. If the e-mail contact aims at the conclusion of a contract, an additional legal basis for the processing is Art. 6 (1) (b) GDPR.
We delete the data from contact requests when they are no longer necessary to achieve the purpose. This is the case when the reason for the request has been fully clarified with the user and/or the user has not responded to further inquiries for more than 9 months.
Order Processing / Performance of Contractual Services
In the course of order processing on our website, we process master data (e.g. names and addresses as well as contact details of users), contract data (e.g. services/products used, terms, names of contact persons, payment information). We process these data in order to fulfil our contractual obligations and provide our services, and to enable execution, delivery and payment.
We disclose data to third parties only as part of the order and for the purpose of brokerage, delivery, payment, as well as within the framework of statutory permissions and obligations to legal advisors and authorities. Data are processed in third countries only if this is necessary for contract performance (e.g. at the customer’s request in connection with delivery or payment).
For the execution of payments, payment data are transmitted to the respective payment service providers. If delivery is carried out by a shipping company, we transmit the data to the shipping company for the purpose of dispatch. No further transmission of data (for example for advertising purposes) takes place.
The legal basis for the data processing is Art. 6 (1) (b) GDPR, which permits the processing of data for the performance of a contract or pre-contractual measures.
Data are deleted after expiry of legal warranty and comparable obligations; the necessity of retaining the data is reviewed every three years. In the case of statutory archiving obligations, deletion takes place after their expiry (end of commercial law (6 years) and tax law (10 years) retention periods).
Accounting and Office Organisation
If you have concluded a contract with us or given us a brokerage order, we process your contract and master data within the framework of our business organisation and accounting.
Processing is carried out on the basis of our legitimate interests pursuant to Art. 6 (1) (f) GDPR as well as our legal obligations pursuant to Art. 6 (1) (c) GDPR.
We disclose or transmit data to the tax authorities and consultants such as tax advisors, as well as other fee offices and payment service providers.
Data are deleted after expiry of legal warranty and comparable obligations; the necessity of retaining the data is reviewed every three years. In the case of statutory archiving obligations, deletion takes place after their expiry (end of commercial law (6 years) and tax law (10 years) retention periods).
Business Analyses and Market Research
We process communication, master and contract data of our customers and prospects for the purpose of business analyses, marketing and market research.
Processing is carried out on the basis of Art. 6 (1) (f) GDPR.
We attach particular importance to the protection of your personal data. Analyses are carried out, where possible, anonymously and only on the basis of data that we receive from you during contract processing or your inquiry. The same retention periods apply as for contract processing and contact requests.
Newsletter
If you would like to receive the newsletter offered on our website, we require an e-mail address from you and information which allows us to verify that you are the owner of the specified e-mail address and agree to receive the newsletter. We do not collect any further data. The data provided are used exclusively for sending the requested information and are not passed on to third parties.
We process the data entered into the newsletter form exclusively on the basis of your consent (Art. 6 (1) (a) GDPR). You can revoke the consent given to the storage of the data, the e-mail address and their use for sending the newsletter at any time, for example via the “unsubscribe” link in the newsletter. The lawfulness of the data processing operations already carried out remains unaffected by the revocation.
We store the data necessary for receiving the newsletter only as long as the subscription is active. Data that we store for other purposes (e.g. e-mail addresses for the members’ area) remain unaffected.
Because we are interested in using a user-friendly and secure newsletter system that serves our business interests and meets users’ expectations, and because we must also be able to prove consent, logging of the registration process is carried out on the basis of our legitimate interests pursuant to Art. 6 (1) (f) GDPR.
By sending a start message such as “Subscribe to newsletter”, you agree to the validity of AEON GmbH’s internal data protection provisions. In particular, you consent pursuant to Art. 6 (1) (a) GDPR to your personal data (first and last name, telephone number, messenger ID, IP address, profile picture and message history) being stored, processed and used in connection with the use of the respective messenger in order to send messages to you. An active account with the respective provider is required to use the messenger service.
You are also aware that AEON GmbH uses the following company as a technical service provider and processor in order to provide this service:
SuperX GmbH
Amtsgericht Charlottenburg HRB 218902 B
VAT ID: DE333726959
Schönhauser Allee 180
10119 Berlin
Your consent to the processing of personal data can be revoked at any time; a simple notification to AEON GmbH is sufficient. Further information can be found in the respective privacy policies of AEON GmbH, the messenger services and SuperX GmbH. You can unsubscribe from receiving WhatsApp messages at any time by sending the message “Abmelden” (“unsubscribe”) to the WhatsApp number used for the newsletter.
The privacy policy of SuperX GmbH can be found here:
https://www.superchat.de/datenschutz
Responsible providers of the messenger services are:
WhatsApp Ireland Limited
4 Grand Canal Square
Grand Canal Harbour
Dublin 2
Ireland
The privacy policy of WhatsApp can be found here:
https://www.whatsapp.com/legal#privacy-policy
How long do we store your data?
The criterion for the duration of storage of personal data is the respective statutory retention period. After the period has expired, the corresponding data are routinely deleted, provided they are no longer required for the performance of a contract or for initiating a contract.
If data are not deleted because they are required for other and legally permissible purposes, their processing is restricted. This means that the data are blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.
Your Rights as a User
Right to Confirmation
You have the right to obtain confirmation as to whether personal data concerning you are being processed.
Right of Access (Art. 15 GDPR)
You have the right to obtain free information about the personal data stored concerning you and to receive a copy of this information.
Right to Rectification (Art. 16 GDPR)
You have the right to request without undue delay the rectification of inaccurate personal data concerning you.
Right to Erasure and Restriction (Right to be Forgotten) (Art. 17, 18 GDPR)
You have the right to request that personal data concerning you be erased without undue delay, or alternatively to request restriction of processing in accordance with Art. 18 GDPR.
Right to Data Portability (Art. 20 GDPR)
You have the right, in accordance with Art. 20 GDPR, to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance.
Right to Withdraw Consent (Art. 13 GDPR)
You have the right to withdraw your consent to the processing of personal data at any time if the processing is based on Art. 6 (1) (a) or Art. 9 (2) (a) GDPR, without affecting the lawfulness of processing based on consent before its withdrawal.
Right to Object (Art. 21 GDPR)
You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on Art. 6 (1) (e) or (f) GDPR. This also applies to profiling based on those provisions. If personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.