Privacy Policy

Our Privacy Policy will inform you about the processing of personal data when using our website and online shop.

The term “personal data” means information that refers to an identified or identifiable person. This includes all details that permit the deduction of your identity, for instance is your name, telephone number, address or email address.

The term “personal data” does not include statistical data, for instance that we collect when you visit our website and that cannot be associated with you personally.

You can print out or save this Privacy Policy (e.g., as a PDF file) by using the standard functions of your browser.

1. Contact partner, controller and data protection officer

The contact partner and so-called “controller” for the processing of your personal data in the meaning of the EU General Data Protection Regulation (GDPR) when visiting this website is Lillydoo (Lillydoo GmbH, Hanauer Landstraße 147-149, 60314 Frankfurt am Main; telephone: +31 (0) 85 888 8043; email: service@lillydoo.nl).

If you have any questions regarding the use of the website and the assertion of your rights against LILLYDOO, please contact: privacy@lillydoo.com.

For any data protection-related concerns please use the above mail address with the addition of "attn. data protection representative”.

2. Provision of the website and generation of log files

We collect data each time our website is used. Your browser automatically transmits this data to enable your visit to our website. In particular, this data is the

  • IP address of the requesting device;
  • date and time of the request;
  • address of the last visited and referring website; and
  • technical information about the browser and operating system used by the device.

Data processing is necessary to enable your visit to the website and to guarantee permanent functionality and security of our systems. In addition to the purposes described above, the aforementioned data is also stored for temporary periods in internal log files in order to prepare statistical information about the use of our website and to enhance our website to reflect visitor habits (e.g., if there is a rise in the proportion of page views using mobile devices) and to administrate our website in general. The legal grounds for this form of data processing are set out in Art. 6 paragraph 1 sentence 1 points b+f GDPR.

The information stored in the log files does not permit us to make any direct deductions as to identifiable persons. In particular, we only store IP addresses in a truncated form. The log files are stored for 30 days and then erased.

3. Online shop, registration

You have the option to register on our online shop in order to use the full functionality of our website and to purchase our products. The mandatory data that you will be required to provide during registration or the order process is evident in the input fields (first and last name, email address and password, payment details, as well as billing and shipping address). Registration is not possible without this data, as the data is necessary for the performance of a contract. The legal grounds for this form of processing are set out in Art. 6 paragraph 1 sentence 1 point b GDPR.

4. Terms of payment and payment services provider

We offer you standard forms of payment, such as credit card, PayPal, or payment on account for orders in our online shop. To do so, we collaborate with payment services providers from which we receive or to which we transfer your payment data. Settlement of payment and contractual performance are not possible without this payment data and the payment services provider. The legal grounds for this form of processing are set out in Art. 6 paragraph 1 sentence 1 point b GDPR.

If you select payment on account as your payment method, our payment service providers will use payolution (payolution GmbH, Am Euro Platz 2, 1120 Vienna, Austria) in order to check your creditworthiness. You will find further information about payolution in its Privacy Policy.

5. Contact

5.1 ZENDESK AND ZENDESK-CHAT 

There are various ways to get in touch with us (e.g. by email or phone). In this context, we process your contact details exclusively for communication with you. Without this data, communication with you is not possible. The legal basis for this data processing is Art. 6 para. 1 sentence 1 lit. b GDPR. 

We use Zendesk, a customer service platform from Zendesk, Inc., 1019 Market Street, San Francisco, CA 94103, USA ("Zendesk") to process customer inquiries. The data of the customer request and your contact details are recorded so that we can process your contact request. In addition, we use the Zendesk Chat service on our website to improve communication with you. If you have general or specific questions or problems with our products, the website or our company, you can send us a message via Zendesk. There will be shown whether someone is currently online to answer you immediately. If this is not the case, we will answer your request immediately during our business hours. In this context, we process the data exclusively for the purpose of communication with you.  The legal grounds for this form of processing are set out in Art. 6 paragraph 1 point b, f GDPR.

When using Zendesk, the IP address of the device and the address of the subpage from which you access Zendesk are recorded. The IP address is anonymized.Zendesk uses cookies and similar technologies. The data collected in this context may be sent to a Zendesk server in the USA and stored there. Chats are logged and saved. In the event that personal data is transmitted to Zendesk in the USA, Zendesk has submitted to the  EU-US Privacy Shield. 

You can prevent the installation of cookies by setting your browser software accordingly; however, we would like to point out that in this case you may not be able to use all functions of this website to their full extent. You can find more information on this under the "Cookies" section. 

You can find more information about Zendesk in Zendesk's privacy policy.

5.2. KLAUSAPP 

When processing our customer questions, we make sure that your inquiries are answered in accordance with our quality standard and that you receive a satisfactory answer. We use the Quality Audit program of Qualista OÜ, Telliskivi Street 60, 3rd floor, Tallinn 10412, Estonia ("Klausapp") to check our standards. Your request will be forwarded to Klausapp via Zendesk, in order to be able to determine whether our quality standard has been met when answering your request and where we can still find need for adjustment. This enables us to guarantee you a constant quality of our customer service. Klausapp receives your name, email address and telephone number. The legal basis for this data processing is Art. 6 Para. 1 lit. b, f GDPR. 

You can find more information about Klausapp  here.

6. Newsletter and advertising mails

You have the option to order our newsletter in which we will inform you regularly about new developments in our product range. We use the double opt-in procedure for ordering our newsletter; this means we will not send you our newsletter by email until you have confirmed that you wish to receive our newsletter by clicking on a link in our activation email. To do this, we store your email address, the time of registration and the IP address used for registration (“newsletter registration”) until such time as you unsubscribe to our newsletter. The exclusive purpose of this storage is to send you the newsletter and to provide evidence of your registration. The legal grounds for this form of processing are set out in Art. 6 paragraph 1 point a GDPR

For certain newsletters (e.g., the #momlife newsletter), we store additional personal data (e.g., your calculated childbirth date and your week of pregnancy for the #momlife newsletter); this information, which we require to send you the newsletter, is evident in the input fields during registration. The legal grounds for this form of processing are also set out in Art. 6 paragraph 1 point a GDPR.

In addition, we send you advertising mails in which we request your feedback on orders and other information. The legal grounds for this form of processing are set out in Art. 6 paragraph 1 point f GDPR.

In order to send you our newsletter and advertising mails, we collaborate with service providers to which we transfer your email address and your newsletter registration, among other things, in order to be able to send you the newsletter and advertising mails. The legal grounds for this form of processing are set out in Art. 6 paragraph 1 sentence 1 point b, f GDPR.

You are entitled to unsubscribe to our newsletter and advertising mails at any time and without charge, or to object to their receipt. A corresponding unsubscribe link is contained in each newsletter and advertising mail. Alternatively, you may contact us at any time.

In our newsletters and advertising mails, we use industry-standard technologies that enable us to measure your interaction with the newsletter (e.g., opening the email, links that you click on). We use this data to optimise and develop our content and customer communication and to be able to send you individualised offers. Among the technologies used for this purpose are small graphic elements embedded in the messages (so-called pixels). We are able to associate the data and IDs with your personal data. The legal grounds for this are set out in the requirement for legitimate interest according to Art. 6 paragraph 1 sentence 1 point f GDPR. Where you do not wish us to analyse your usage habits, you are entitled at any time to unsubscribe to our newsletter and advertising mails without charge.

7. Loyalty and rewards programme (rewards shop) Antavo

You have the option of participating in our loyalty and rewards programme. We use the platform service provider Antavo by Antavo Limited, 107 Cheapside, 9th Floor, EC2V 6DN London, United Kingdom in order to implement the programme. Your data will be shared with Antavo for the purpose of receiving email notifications concerning your current points balance and current reward promotions. This data includes your customer number, order total, email address, name and date of birth (optional). Antavo processes this data for the purpose of operating the programme; the service provider makes the platform available, manages the points collected by you and operates the rewards shop. The rewards shop can only be used by customers with an active subscription. The following data is collected in particular when using the rewards shop: log-in data, browser data, location and the products purchased.

The legal basis for forwarding the data is the rewards programme contract pursuant to Art. 6 para. 1 sentence 1 point b) GDPR. We have concluded a data processing agreement with Antavo. Antavo stores your points balance and when you redeem your points. In view of the impending BREXIT, we have already concluded standard contractual clauses with Antavo in accordance with Article 46 para. 2 point c) GDPR for the event that personal data is transferred to Antavo in the UK. For further information, refer to Section 15 (“Data transfer to third countries”).

You can also obtain further information in this regard in Antavo’s Privacy Policy

8. Facebook Fan Page

We operate a Facebook fan page in joint responsibility on the social network by Facebook Inc., 1601 Willow Road, Menlo Park, California, 94025, USA (“Facebook”), in order to communicate with interested persons and followers there, as well as to provide information about our products and services.

In this context, we may receive statistics from Facebook about the use of our fan page by Facebook or the fan page users, e.g. data about likes, comments or summarised information and statistics (e.g. about the age or locations of our followers) that help us to learn more about interaction on our page. To learn more about the type and scope of these statistics, visit the Facebook page statistics information, and the Facebook page insight supplement for information about the respective controller. The legal grounds for this data processing are set out in Art. 6 paragraph 1 sentence 1 point (b) GDPR, as well as in Art. 6 paragraph 1 sentence 1 point (f) GDPR, based on our legitimate interest as stated above.

We are unable to influence the data processed by Facebook on its own responsibility and based on the Facebook terms and conditions of use. Please be aware that data about your usage habits on Facebook and on the fan page is transferred to the Facebook servers when you visit the fan page. Facebook uses the aforementioned information to compile detailed statistics and for its own market research and advertising purposes, over which we have no influence. For further information, please refer to the Facebook privacy policies. Facebook is subject to the terms of the EU-US Privacy Shield for the event that personal data is transferred to the United States.

If we store the personal data of users during the operation of our fan page, the users will have the rights set out in this Privacy Policy. Users wishing to exercise additional rights towards Facebook should, as the simplest procedure, contact Facebook directly. Facebook is familiar with the technical operations of the platform and the associated data processing, as well as the actual purposes of data processing, and will be able on request to take the appropriate steps if users wish to exercise their rights. We will gladly support you in the exercise of your rights when possible and will pass on user enquiries to Facebook.

9. Cookies and equivalent technologies

It is necessary that we use cookies for some of our services. A cookie is a text file that is placed on your hard disk, either temporarily (“session cookies”) or for longer (“persistent cookies”). Cookies are not used to execute programs or to install viruses on your computer. Instead, the purpose of cookies is to provide you with a personalised offering and to make the use of our services as efficient as possible.

In their standard settings, most browsers will accept cookies. However, you can adjust the browser settings to reject cookies, or only to accept cookies with your prior consent. You will not be able to use the full functionality of our website if you reject cookies.

9.1. Proprietary cookies for a convenient user experience

We use cookies to individualise and optimise your user experience. Predominantly we use session cookies that are deleted when you close the browser. Here, session cookies are used to authenticate your login.

Among other things, we use persistent cookies to remember that information shown on our website was displayed to you, in order that we may display it to you again when you return to our website, or to ensure that our website recognises you and that you are not required to login again (“remember me”). Persistent cookies are automatically deleted after a set period that may differ individually for each cookie.

These services enable you to enjoy a convenient and individual use of our offerings and are based on our legitimate interests. The legal grounds for this form of processing are set out in Art. 6 paragraph 1 sentence 1 point f GDPR.

9.2. Cookies and equivalent technologies by third-party providers for analysis and marketing purposes

We use a variety of technologies to analyse usage behaviour and evaluate the associated data, in order to improve our website. In particular, the collected data may include the IP address of the device, the date and the time of access, the cookie identifier, the device identifier for mobile devices, as well as technical data about the browser and operating system.

This data is processed for marketing purposes, for instance to display individualised advertising messages. Before using these cookies and comparable technologies, you will be given the opportunity to adjust the settings via our cookie banner in order to consent to the use of the respective cookies. You can change your consent at any time in the settings of the cookie banner and withdraw your consent. The legal grounds for this form of processing are set due to your consent after Art. 6 paragraph 1 sentence 1 point a GDPR. In the section below, we will describe these technologies and the providers used in this context.

9.2.1. Google Analytics, Ads conversion tracking and remarketing

Our website uses Google Analytics, a web analysis service by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland („Google“). In addition, our website uses Google Ads conversion tracking and Ads remarketing and Google Signals, which are also services by Google.

Google Analytics uses cookies and similar technologies to analyse and improve our website based on your usage behaviour. Google Ads conversion tracking and Ads remarketing also use cookies and similar technologies in order to measure the performance of advertisements placed (so-called Ads campaigns) and to show you individualised advertising messages on websites that collaborate with Google. Google Signals compiles for us multi-platform data reports on Google users that have enabled personalised advertising in their Google accounts.

The data collected in this context may be transferred by Google to a server in the United States and stored there. For the event that personal data is transferred to the United States, Google has agreed to the conditions of the EU-US Privacy Shield.

Google will truncate your IP address before analysis of the usage statistics, which means that conclusions cannot be drawn as to your identity. For this purpose, the code “anonymizeIP” has been added to Google Analytics on our website to guarantee collection of anonymised IP addresses.

On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing the website operator with other services relating to website and Internet use.

The Google Ads conversion tracking cookies ordinarily remain enabled on your computer for around 30 days. If you visit our website during this period, both Google and we will be informed that you saw the displayed advertisement.

In case that you use a Google account, Google can, depending on the settings stored in your Google account, associate your Internet and browser cache with your Google account and use information from your Google account to personalise advertisements. You must sign out of your Google account before visiting our website if you do not want this association with your Google account.

If you have enabled personalised advertising in your Google account, Google will be able to prepare data models and reports on website habits, which show for instance on which device you first clicked on an advertisement and on which device any eventual purchase took place. These data models and reports are based on random samples and are pseudonymised to ensure anonymity, which means that we are unable to draw any conclusions as to the identities of the individual Google users.

For more information in this regard, refer to the Google Privacy Policy.

9.2.2. Facebook Pixel

In addition, our website uses remarketing tabs for marketing purposes (also the “Facebook Pixel”) by Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA (“Facebook”). This tag establishes a connection between your browser and a Facebook server when you visit our website. Facebook therefore receives information that you have accessed our website with your IP address.

For the event that personal data is transferred to the United States, Facebook has agreed to the conditions of the EU-US Privacy Shield Facebook uses this information to send a statistical and anonymous data about the general use of our website, as well as on the efficiency of our Facebook advertising (“Facebook Ads”).

If you are a member of Facebook and have made the appropriate privacy settings on your Facebook account, Facebook will also be able to associate the information stored with us about your visit with your personal account, which it can use for the targeted display of Facebook Ads.

You can access and change the Privacy Settings for your Facebook profile at any time.

For more information, visit the Facebook Privacy Policy.

9.2.3. Criteo

Our website also uses the remarketing technology by Criteo GmbH, Unterer Anger 3, 80331 Munich, Germany (“Criteo”). Criteo uses cookies and similar technologies to collect exclusively anonymised information on Internet usage habits among website visitors for marketing purposes.

Criteo is able to analyse Internet usage habits and on this basis to show relevant advertising banners as targeted product recommendations. On no accounts can the anonymous the data be used to personally identify website visitors.

The data collected by Criteo is used exclusively to improve the advertising service. Each banner pop-up contains a small “i” (for information) at the bottom right corner. Hovering with the mouse and clicking on this “i” will redirect users to a page that explains the system.

For more information on this regard, visit the Criteo Privacy Policy, where you can also object to the anonymous and analysis of your Internet usage habits.

9.2.4 ADTRIBA 

We use the services of Adtriba GmbH (Veilchenweg 26b, 22529 Hamburg) on ​​our website.  Adtriba is an analysis and tracking tool that helps us draw conclusions about the success of our online marketing campaigns. Using this information, we can evaluate our marketing campaigns and optimize them accordingly.  For this purpose, Adtriba uses cookies to identify your points of contact with our digital marketing campaigns. Your interactions with our advertising are also measured, e.g. your clicks on our advertising banners.  In addition, your cookie ID, your IP address (shortened to the last octet), technical information (browser type, operating system, device data), the marketing touchpoint (channel, source, campaign, time of interaction) and your visits on our website (visited page, referrer URL, interaction with the website and the time of your visit) are tracked. 
You can find more information on data processing in the  data protection regulations  of Adtriba. 

9.2.5 SPOTEFFECTS AND MATOMO

We use the "Spoteffects" service from XAD spoteffects GmbH (Saarstr. 7, 80797 Munich) on our website to measure the effectiveness of our TV advertising campaigns. Spoteffects uses the analysis tool  Matomo (formerly called "Piwik") to analyze the interactions. The data about the traffic and the number of orders are then combined with information about TV connections. This enables us to evaluate and optimize our TV campaigns. 

Matomo is an analysis tool from InnoCraft Ltd., 150 Willis St, 6011, Wellington, New Zealand (“Matomo”).  Matomo uses a cookie to analyze our website with regard to your user behavior. The cookie that is placed on your computer when you visit our website also stores and transmits your anonymized IP address. When data is transferred to our server, the IP address is shortened so that we can no longer identify you. In addition, the time of the website visit, page views, browser and browser settings used, operating system used, screen resolution of the end device used, referrer for accessing the website, search terms for website entry and cookie ID are recorded. The evaluation is only used to optimize and further develop our TV campaigns.

You can find more information in the data protection information   from Matomo. 

9.2.6 TRBO 

We use the service of trbo GmbH, Leopoldstr. On our website. 41, 80802 Munich ("Trbo").  Trbo is a tracking tool that helps us to design our website in the best possible way. By using Trbo, we can control and improve our online offerings by measuring the use of our online offers and the effectiveness of our online advertising. This helps us to understand which pages and products our customers are most interested in and which individual offers we should make to our website users. 

Technically, the tracking tool uses so-called "cookies" and "web beacons" in particular to collect the following information: which pages are searched for when, how often, and in what order, for which products, which links or offers are clicked and which orders are placed. The data collected and used by you in this context is only ever saved under a pseudonym (e.g. a random identification number) and is not combined with personal data about you (e.g. name, address etc.). If the external service providers have access to the data, this is done exclusively on our behalf and under our control. 

You can find more information on data protection at trbo here.

9.2.7 SESSIONLY 

We use the service of sessionly, Renata Bognar, Prenzlauer Allee 186, 10405 Berlin ("sessionly") on our website. Sessionly is an evaluation tool that helps us to conduct a survey with our customers so that we can find out more about your satisfaction with our products. After your order process, sessionly sets a cookie to record your purchased products and your email address. We will then receive this information from sessionly, so that we can then send you an e-mail for product evaluation (see also the newsletter and advertising mailings section). In this email you  have the opportunity to share your experience with us about our products via sessionly.  

You can find more information about sessionly here.  

9.3. COOKIE BANNER 

On our website we use the Consent Management Platform (CMP) consentmanager.de of Jaohawi AB, Håltegelvägen 1b, 72348 Västerås, Sweden ("Jaohawi"). Jaohawi's service supports us in playing out your choice of data processing, especially in connection with third party providers (see section 8.2 of this Privacy Policy). To ensure that your choices remain valid during future visits to our website, Jaohawi collects your IP address, time and duration of the visit, consent information, browser information, website visited and country. Jaohawi uses cookies for this purpose.

This data processing is in our legitimate interest to tailor the use of our website to your choice of cookies. The legal basis for this data processing is derived from Art. 6 para. 1 lit. f DSGVO.

You can find more information about Jaohawi here.  

10. CROSSENGAGE 

When you visit our website, we occasionally play out interesting and suitable offers to make the use of our website even more appealing for you. We use the CRM tool CrossEngage, a service of CrossEngage GmbH, Bertha-Benz-Str. 5, 10557 Berlin ("CrossEngage") that is a cross-channel campaign management tool.  Based on your previous orders and the current use of our website, we can show you individualized offers for our products. Playing out the individualized offers is made possible by our trbo service. More information about trbo can be found in the section above. 

The legal basis for data processing is our legitimate interest according to Art. 6 para. 1 lit. f GDPR.
You can find more information on CrossEngage's data processing here. 

11. Unbounce

We use the service of Unbounce Marketing Solutions Inc., 400-401 West Georgia Street, Vancouver BC, Canada, V6B 5A1, ("Unbounce"), which provides us with so-called "landing pages" that we create for certain promotions . On this promotion page of our website we offer prospective customers and customers coupon codes, discounts or other perks and enable them to be redirected to our website immediately.

The promotion page is hosted by Unbounce and records your IP address, the website you came from, the browser used, the user agent, the date and time of your visit, the device and cookie data when you visit. Unbounce uses cookies to measure the success of our campaign page.The legal basis for the aforementioned data processing is Art. 6 Para. 1 lit. a, f GDPR based on our legitimate interests. Our legitimate interest is based on advertising our products and our interest in measuring the success rate of our advertising measures.
You can find more information on data processing in Unbounce's data protection provisions.

12. Application process

When you apply for a vacant position with us, we use your applicant data exclusively to manage the application procedure. The legal grounds for your data processing are set forth in Art. 6 paragraph 1 point b GDPR.

We store your personal data when we receive your application. Where we accept your application, we store your applicant data for three years at maximum after the end of the working relationship. Where we reject your application, we store your applicant data for six months after rejection of your application at maximum, except if you grant your consent for a longer period of storage by us.

We cooperate with recruitment service providers in the management of our application procedures. The legal grounds for this form of processing are set out in Art. 6 paragraph 1 sentence 1 point b, f GDPR.

13. Inclusion of services and content from third parties

It is possible that content by third parties, for instance videos by YouTube, cartographic material by Google Maps, RSS feeds or graphics from other websites, are embedded in our website. This is only possible if the providers of these contents (“third-party providers”) are aware of your IP address, as without your IP address they would not be able to send content to your browser. The IP address is therefore necessary for the presentation of this content. The legal grounds for this form of processing are set out in Art. 6 paragraph 1 point b, f GDPR.

We make efforts to include only content from providers that use the IP address exclusively to deliver content. Notwithstanding, we have no influence insofar as the third-party provider uses the IP addresses for statistical or other purposes.

13.1. Integration of YouTube videos

We have integrated YouTube videos in our website that are stored on YouTube and are directly playable from our website. YouTube is a multimedia service by by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland („Google“). For the event that personal data is transferred to the United Sates, Google and its subsidiary YouTube have agreed to the terms of the EU-US Privacy Shield. The legal grounds are as set out in Art. 6 paragraph 1 sentence 1 point f GDPR, and are defined by our legitimate interest in the integration of video and image content.

When you visit our website, YouTube receives the information that you have accessed the corresponding sub-page of our website. This occurs regardless of whether or not you are logged onto a Google or YouTube account. YouTube and Google use data for the purposes of advertising, market research and needs-based design of their websites. If you access YouTube on our website while logged into your YouTube or Google profile, YouTube and Google will be able to associate this event with your personal profile. If you do not want this association to take place, it is necessary that you log out of your Google account before visiting our website.

As described above, you can adjust your browser settings in such a way that it rejects cookies, or you can prevent the registration of data generated by the cookies about your use of this website, as well as the processing of this data by Google, by disabling the button “Personalized ads on the web” in the Google settings for advertising. In this case, Google will only show you non-personalised advertising.

For further information, refer to the Google privacy policies, which also apply to YouTube.

13.2. Additional information about the Trusted Shop Trustbadge

We are members of Trusted Shops and use the Trusted Shop stamp of quality and ratings. The Trusted Shops organisation has instructed us to provide the following information:

We have integrated the Trusted Shops Trustbadge on this website in order to display our Trusted Shops Trustmark and offer the Trusted Shops products to customers after placing an order. This serves the protection of our legitimate interests in the optimal marketing of our offer according to art. 6 (1) 1 lit f GDPR that are overriding in the process of balancing of interests. The Trustbadge and the advertised trust badge services are offered by Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany.

With every use of the Trustbadge, the web server automatically saves a so-called server log file which contains e.g. your IP address, the date and time of the request, the volume of data transferred and the requesting provider (access data), and documents the request. Those access data are not analysed and are automatically overwritten no later than seven days after the end of your website visit. Other personal data are transferred to Trusted Shops only if you decide to use or have already registered to use Trusted Shops products after placing an order. In such a case, the contract concluded between you and Trusted Shops applies.

14. Recipients of personal data

The data we collect will only be transferred where this is necessary for the performance of a contract, to ensure the technical functionality of the website or online shop, or where other legal grounds apply to the transfer of data (e.g., where we are required by law to disclose data (disclosure of information to criminal investigation agencies and courts; disclosure of information to public sector agencies that receive data based on statutory provisions, e.g. social insurance agencies, tax offices and suchlike), or when we are required, for the exercise of our claims, to commission the services of third parties who are professionally bound to duties of confidentiality).

Some of the data processing can be executed by service providers. In particular, they may include data centers that host our website and databases, IT service providers that maintain our system, logistics and transport service providers or marketing and customer service providers, as well as consulting companies. Where we transfer data to service providers, they shall be entitled to use the data exclusively for the performance of their tasks. We carefully selected and commissioned the third parties. They are contractually bound to adhere to our instructions, obliged to maintain confidentiality, have the appropriate technical and organizational measures in place to protect the rights of the individuals concerned, and are audited by us on a regular basis.

15. Duration of storage

As a rule, we only store your personal data for as long as is necessary for the satisfaction of our contractual or lawful obligations for which we collected the data, after which time we will erase the data without undue delay, except where we require the data until the end of the statutory period of limitations for the purposes of evidence in civil law claims or based on statutory retention periods.

For example, we are required for evidential purposes to store contractual data for a period of three years from the end of the year in which the contractual relationship with you is terminated, as any claims will only lapse after this period at the earliest based on the regular limitation periods.

In some cases we will be required to continue storing your data, even beyond the end of the regular limitation periods. We may be obliged to do so pursuant to statutory documentation obligations set forth in the German Commercial Code (HGB), the German Fiscal Code (AO), the German Banking Act (KWG), the German Anti-Money Laundering Act (GWG) and the German Securities Trading Act (WpHG). The retention periods stipulated therein for the storage of documents are between two and ten years.

16. Your rights

You have the right at any time to information about your personal data that is processed by us. In this context, we will explain to you the purpose of data processing and provide an overview of the personal data stored about you.

Where the data we have stored is incorrect or no longer up-to-date, you have the right to obtain rectification of this data.

You are also entitled to demand the erasure of your data. Where erasure is not possible in exceptional cases due to another legal provision, the data will be blocked to ensure that it is only available for its lawful purpose.

In addition, you have the right to restrict the processing of your data, for instance if you doubt the accuracy of the data.

You have the right to data portability, which means that we will, upon request by you to do so, send you a copy of the personal data provided by you.

Where data processing is based on the legal grounds set out in Art.6 paragraph 1 point f GDPR, you may also object where reasons apply that relate to your particular circumstances or where you are objecting to processing for reasons of direct marketing. In the latter case, your right to object shall always be valid and it will be implemented by us, even if you do not provide reasons. Moreover, you have the right at any time to withdraw consent previously granted to us. In this case, we will no longer process the data based on your consent, effective for the future. Withdrawal of consent does not affect the lawfulness of processing conducted until such time as consent is withdrawn.

You may use the contact data provided above to correspond with us and exercise your rights as described at any time.

You are also entitled to lodge a complaint with the competent supervisory authority for data protection. The competent supervisory authority in Frankfurt, our registered address, is: The Data Protection Commissioner in the State of Hesse, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany. Alternatively, you may lodge a complaint with the data protection authority at your place of residence, which will forward your concern to the competent authority.

17. Data security

We maintain state-of-the-art technical measures to guarantee data security, in particular the protection of your personal data against risks associated with data transfer or unauthorised access by third parties. These technical measures are adapted to remain state-of-the-art. For the protection of the personal data input by you on this website, we use the Secure Sockets Layer (SSL) standard, which encrypts the information you enter.

17.1 reCaptcha

Our website uses Google reCAPTCHA, a service by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. reCAPTCHA prevents automated software (so-called bots) from executing improper activities on the website, i.e. it checks whether entries are actually made by a human.

The following data is processed to conduct this check: referrer (URL of the page on which the Captcha is used), IP address, cookies placed by Google, the user’s input behaviour (e.g. answering the reCAPTCHA question, speed of entries in the form fields, sequence of selecting the input fields by the user), browser type, browser plugins, browser size and resolution, date, language settings, cascading style sheet specifications (CSS) and scripts (JavaScript).

In addition, Google imports the cookies by other services like Gmail, Search and Analytics. You must sign out from Google if you do not want these associations with your Google account.

This data is transferred to Google in an encrypted form. Google’s evaluation decides on how the Captcha is shown on the page. For the event that personal data is transferred to the United States, Google has agreed to the terms of the EU-US Privacy Shield.

For more information, refer to the Google privacy policies.

18. Amendment of the Privacy Policy

We amend this Privacy Policy from time to time, for instance if we revise our website or if the statutory requirements change.

© LILLYDOO GmbH – June 2020