LILLYDOO

Privacy Policy

Our Privacy Policy will inform you about the processing of personal data when using our website and online shop.

The term “personal data” means information that refers to an identified or identifiable person. This includes all details that permit the deduction of your identity, for instance is your name, telephone number, address or email address.

The term “personal data” does not include statistical data, for instance that we collect when you visit our website and that cannot be associated with you personally.

You can print out or save this Privacy Policy (e.g., as a PDF file) by using the standard functions of your browser.

1. Contact partner, controller and data protection officer

The contact partner and so-called “controller” for the processing of your personal data in the meaning of the EU General Data Protection Regulation (GDPR) when visiting this website is Lillydoo (Lillydoo GmbH, Hanauer Landstraße 147-149, 60314 Frankfurt am Main; telephone: +31 (0) 85 888 8043; email: service@lillydoo.com).

Kindly contact our Data Protection Officer (DPO) at any time if you have questions about data protection in connection with the use of our website. The DPO can be reached at the postal address above or by email to privacy@lillydoo.com.

2. Provision of the website and generation of log files

We collect data each time our website is used. Your browser automatically transmits this data to enable your visit to our website. In particular, this data is the

IP address of the requesting device;
date and time of the request;
address of the last visited and referring website; and
technical information about the browser and operating system used by the device.

Data processing is necessary to enable your visit to the website and to guarantee permanent functionality and security of our systems. In addition to the purposes described above, the aforementioned data is also stored for temporary periods in internal log files in order to prepare statistical information about the use of our website and to enhance our website to reflect visitor habits (e.g., if there is a rise in the proportion of page views using mobile devices) and to administrate our website in general. The legal grounds for this form of data processing are set out in Art. 6 paragraph 1 sentence 1 points b+f GDPR.

The information stored in the log files does not permit us to make any direct deductions as to identifiable persons. In particular, we only store IP addresses in a truncated form. The log files are stored for 30 days and then erased.

3. Online shop, registration

You have the option to register on our online shop in order to use the full functionality of our website and to purchase our products. The mandatory data that you will be required to provide during registration or the order process is evident in the input fields (first and last name, email address and password, payment details, as well as billing and shipping address). Registration is not possible without this data, as the data is necessary for the performance of a contract. The legal grounds for this form of processing are set out in Art. 6 paragraph 1 sentence 1 point b GDPR.

4. Terms of payment and payment services provider

We offer you standard forms of payment, such as credit card, PayPal, or payment on account for orders in our online shop. To do so, we collaborate with payment services providers from which we receive or to which we transfer your payment data. Settlement of payment and contractual performance are not possible without this payment data and the payment services provider. The legal grounds for this form of processing are set out in Art. 6 paragraph 1 sentence 1 point b GDPR.

If you select payment on account as your payment method, our payment service providers will use payolution (payolution GmbH, Am Euro Platz 2, 1120 Vienna, Austria) in order to check your creditworthiness. You will find further information about payolution in its Privacy Policy.

5. Contact

You have a variety of options to make contact with us (e.g., by email or telephone). In this context, we process your contact data exclusively for the purpose of communicating with you. Communication with you is not possible without this data. The legal grounds for this form of processing are set out in Art. 6 paragraph 1 sentence 1 point b GDPR.

In order to process customer enquiries, we use Zendesk, a customer services platform by Zendesk, Inc., 1019 Market Street, San Francisco, CA 94103, USA (“Zendesk”). In this process, the data contained in the customer enquiry, as well as your contact data, are collected to enable us to process your contact enquiry. The legal grounds for this form of processing are set out in Art. 6 paragraph 1 point b, f GDPR.

Zendesk uses cookies and similar technologies. The data collected in this context may be sent to a Zendesk server in the USA and stored there. Zendesk has agreed to the conditions of the EU-US Privacy Shield for the event that personal data is transmitted to Zendesk in the USA.

You can adjust your browser settings to prevent the installation of cookies. For more information in this regard, refer to “Cookies”.

You will find further information about Zendesk in its Privacy Policy.

You have the option to order our newsletter in which we will inform you regularly about new developments in our product range. We use the double opt-in procedure for ordering our newsletter; this means we will not send you our newsletter by email until you have confirmed that you wish to receive our newsletter by clicking on a link in our activation email. To do this, we store your email address, the time of registration and the IP address used for registration (“newsletter registration”) until such time as you unsubscribe to our newsletter. The exclusive purpose of this storage is to send you the newsletter and to provide evidence of your registration. The legal grounds for this form of processing are set out in Art. 6 paragraph 1 point a GDPR

For certain newsletters (e.g., the #momlife newsletter), we store additional personal data (e.g., your calculated childbirth date and your week of pregnancy for the #momlife newsletter); this information, which we require to send you the newsletter, is evident in the input fields during registration. The legal grounds for this form of processing are also set out in Art. 6 paragraph 1 point a GDPR.

In addition, we send you advertising mails in which we request your feedback on orders and other information. The legal grounds for this form of processing are set out in Art. 6 paragraph 1 point f GDPR.

In order to send you our newsletter and advertising mails, we collaborate with service providers to which we transfer your email address and your newsletter registration, among other things, in order to be able to send you the newsletter and advertising mails. The legal grounds for this form of processing are set out in Art. 6 paragraph 1 sentence 1 point b, f GDPR.

You are entitled to unsubscribe to our newsletter and advertising mails at any time and without charge, or to object to their receipt. A corresponding unsubscribe link is contained in each newsletter and advertising mail. Alternatively, you may contact us at any time.

In our newsletters and advertising mails, we use industry-standard technologies that enable us to measure your interaction with the newsletter (e.g., opening the email, links that you click on). We use this data to optimise and develop our content and customer communication and to be able to send you individualised offers. Among the technologies used for this purpose are small graphic elements embedded in the messages (so-called pixels). We are able to associate the data and IDs with your personal data. The legal grounds for this are set out in the requirement for legitimate interest according to Art. 6 paragraph 1 sentence 1 point f GDPR. Where you do not wish us to analyse your usage habits, you are entitled at any time to unsubscribe to our newsletter and advertising mails without charge.

7. Facebook Fan Page

We operate a Facebook fan page in joint responsibility on the social network by Facebook Inc., 1601 Willow Road, Menlo Park, California, 94025, USA (“Facebook”), in order to communicate with interested persons and followers there, as well as to provide information about our products and services.

In this context, we may receive statistics from Facebook about the use of our fan page by Facebook or the fan page users, e.g. data about likes, comments or summarised information and statistics (e.g. about the age or locations of our followers) that help us to learn more about interaction on our page. To learn more about the type and scope of these statistics, visit the Facebook page statistics information, and the Facebook page insight supplement for information about the respective controller. The legal grounds for this data processing are set out in Art. 6 paragraph 1 sentence 1 point (b) GDPR, as well as in Art. 6 paragraph 1 sentence 1 point (f) GDPR, based on our legitimate interest as stated above.

We are unable to influence the data processed by Facebook on its own responsibility and based on the Facebook terms and conditions of use. Please be aware that data about your usage habits on Facebook and on the fan page is transferred to the Facebook servers when you visit the fan page. Facebook uses the aforementioned information to compile detailed statistics and for its own market research and advertising purposes, over which we have no influence. For further information, please refer to the Facebook privacy policies. Facebook is subject to the terms of the EU-US Privacy Shield for the event that personal data is transferred to the United States.

If we store the personal data of users during the operation of our fan page, the users will have the rights set out in this Privacy Policy. Users wishing to exercise additional rights towards Facebook should, as the simplest procedure, contact Facebook directly. Facebook is familiar with the technical operations of the platform and the associated data processing, as well as the actual purposes of data processing, and will be able on request to take the appropriate steps if users wish to exercise their rights. We will gladly support you in the exercise of your rights when possible and will pass on user enquiries to Facebook.

8. Cookies and equivalent technologies

It is necessary that we use cookies for some of our services. A cookie is a text file that is placed on your hard disk, either temporarily (“session cookies”) or for longer (“persistent cookies”). Cookies are not used to execute programs or to install viruses on your computer. Instead, the purpose of cookies is to provide you with a personalised offering and to make the use of our services as efficient as possible.

In their standard settings, most browsers will accept cookies. However, you can adjust the browser settings to reject cookies, or only to accept cookies with your prior consent. You will not be able to use the full functionality of our website if you reject cookies.

8.1. Proprietary cookies for a convenient user experience

We use cookies to individualise and optimise your user experience. Predominantly we use session cookies that are deleted when you close the browser. Here, session cookies are used to authenticate your login.

Among other things, we use persistent cookies to remember that information shown on our website was displayed to you, in order that we may display it to you again when you return to our website, or to ensure that our website recognises you and that you are not required to login again (“remember me”). Persistent cookies are automatically deleted after a set period that may differ individually for each cookie.

These services enable you to enjoy a convenient and individual use of our offerings and are based on our legitimate interests. The legal grounds for this form of processing are set out in Art. 6 paragraph 1 sentence 1 point f GDPR.

8.2. Cookies and equivalent technologies by third-party providers for analysis and marketing purposes

We use a variety of technologies to analyse usage behaviour and evaluate the associated data, in order to improve our website. In particular, the collected data may include the IP address of the device, the date and the time of access, the cookie identifier, the device identifier for mobile devices, as well as technical data about the browser and operating system.

This data is processed for marketing purposes, for instance to display individualised advertising messages. The legal grounds for this form of processing are set out in Art. 6 paragraph 1 sentence 1 point f GDPR. In the section below, we will describe these technologies and the providers used in this context.

Where you do not wish to receive interest-based advertising banners, you can object to their use by making appropriate settings on http://preferences-mgr.truste.com/ a website that provides grouped objection options in regard to advertisers. The website by TRUSTe, Inc, 835 Market Street, San Francisco, CA 94103-1905, USA (“TRUSTe”) uses opt-out cookies to allow you to disable all banners at once, or alternatively to adjust the settings for each provider individually. Please take note that you must again place an opt-out cookie after deleting all cookies in your browser, or if you use a different browser or profile.

8.2.1. Google Analytics, Ads conversion tracking and remarketing

Our website uses Google Analytics, a web analysis service by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland („Google“). In addition, our website uses Google Ads conversion tracking and Ads remarketing and Google Signals, which are also services by Google.

Google Analytics uses cookies and similar technologies to analyse and improve our website based on your usage behaviour. Google Ads conversion tracking and Ads remarketing also use cookies and similar technologies in order to measure the performance of advertisements placed (so-called Ads campaigns) and to show you individualised advertising messages on websites that collaborate with Google. Google Signals compiles for us multi-platform data reports on Google users that have enabled personalised advertising in their Google accounts.

The data collected in this context may be transferred by Google to a server in the United States and stored there. For the event that personal data is transferred to the United States, Google has agreed to the conditions of the EU-US Privacy Shield.

Google will truncate your IP address before analysis of the usage statistics, which means that conclusions cannot be drawn as to your identity. For this purpose, the code “anonymizeIP” has been added to Google Analytics on our website to guarantee collection of anonymised IP addresses.

On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing the website operator with other services relating to website and Internet use.

The Google Ads conversion tracking cookies ordinarily remain enabled on your computer for around 30 days. If you visit our website during this period, both Google and we will be informed that you saw the displayed advertisement.

In case that you use a Google account, Google can, depending on the settings stored in your Google account, associate your Internet and browser cache with your Google account and use information from your Google account to personalise advertisements. You must sign out of your Google account before visiting our website if you do not want this association with your Google account.

If you have enabled personalised advertising in your Google account, Google will be able to prepare data models and reports on website habits, which show for instance on which device you first clicked on an advertisement and on which device any eventual purchase took place. These data models and reports are based on random samples and are pseudonymised to ensure anonymity, which means that we are unable to draw any conclusions as to the identities of the individual Google users.

As described earlier, you can adjust your browser settings to reject cookies, or you can prevent the collection of the data generated by the cookies in regard to your use of the website (including your IP address) and its processing by Google, by downloading and installing the browser add-on provided by Google. As an alternative to the browser add-on, or if you are using a mobile device to access our website, you can use this opt-out link. Doing so will prevent the collect ion of data by Google Analytics on this website, effective for the future (the opt-out will only work for the current browser, and only for this domain). You must click on the link once more if you delete cookies in your browser.

For more information in this regard, refer to the Google Privacy Policy.

8.2.2. Facebook Pixel

In addition, our website uses remarketing tabs for marketing purposes (also the “Facebook Pixel”) by Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA (“Facebook”). This tag establishes a connection between your browser and a Facebook server when you visit our website. Facebook therefore receives information that you have accessed our website with your IP address.

For the event that personal data is transferred to the United States, Facebook has agreed to the conditions of the EU-US Privacy Shield Facebook uses this information to send a statistical and anonymous data about the general use of our website, as well as on the efficiency of our Facebook advertising (“Facebook Ads”).

If you are a member of Facebook and have made the appropriate privacy settings on your Facebook account, Facebook will also be able to associate the information stored with us about your visit with your personal account, which it can use for the targeted display of Facebook Ads.

You can access and change the Privacy Settings for your Facebook profile at any time. If you are not a member of Facebook, you may prevent Facebook from processing your data by clicking on the disable button for “Facebook” on the aforementioned TRUSTe website. Moreover, you can prevent data processing by clicking on the following button. Doing so will prevent the collection of data by Google Analytics on this website, effective for the future (the opt-out will only work for the current browser, and only for this domain)

For more information, visit the Facebook Privacy Policy .

8.2.3. Criteo

Our website also uses the remarketing technology by Criteo GmbH, Unterer Anger 3, 80331 Munich, Germany (“Criteo”). Criteo uses cookies and similar technologies to collect exclusively anonymised information on Internet usage habits among website visitors for marketing purposes.

Criteo is able to analyse Internet usage habits and on this basis to show relevant advertising banners as targeted product recommendations. On no accounts can the anonymous the data be used to personally identify website visitors.

The data collected by Criteo is used exclusively to improve the advertising service. Each banner pop-up contains a small “i” (for information) at the bottom right corner. Hovering with the mouse and clicking on this “i” will redirect users to a page that explains the system and that offers an opt-out. An opt-out cookie is placed to suppress display of the banner in future if you click on the opt-out.

For more information on this regard, visit the Criteo Privacy Policy, where you can also object to the anonymous and analysis of your Internet usage habits.

9. Application process

When you apply for a vacant position with us, we use your applicant data exclusively to manage the application procedure. The legal grounds for your data processing are set forth in Art. 6 paragraph 1 point b GDPR.

We store your personal data when we receive your application. Where we accept your application, we store your applicant data for three years at maximum after the end of the working relationship. Where we reject your application, we store your applicant data for six months after rejection of your application at maximum, except if you grant your consent for a longer period of storage by us.

We cooperate with recruitment service providers in the management of our application procedures. The legal grounds for this form of processing are set out in Art. 6 paragraph 1 sentence 1 point b, f GDPR.

10. Inclusion of services and content from third parties

It is possible that content by third parties, for instance videos by YouTube, cartographic material by Google Maps, RSS feeds or graphics from other websites, are embedded in our website. This is only possible if the providers of these contents (“third-party providers”) are aware of your IP address, as without your IP address they would not be able to send content to your browser. The IP address is therefore necessary for the presentation of this content. The legal grounds for this form of processing are set out in Art. 6 paragraph 1 point b, f GDPR.

We make efforts to include only content from providers that use the IP address exclusively to deliver content. Notwithstanding, we have no influence insofar as the third-party provider uses the IP addresses for statistical or other purposes.

Integration of YouTube videos

We have integrated YouTube videos in our website that are stored on YouTube and are directly playable from our website. YouTube is a multimedia service by by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland („Google“). For the event that personal data is transferred to the United Sates, Google and its subsidiary YouTube have agreed to the terms of the EU-US Privacy Shield. The legal grounds are as set out in Art. 6 paragraph 1 sentence 1 point f GDPR, and are defined by our legitimate interest in the integration of video and image content.

When you visit our website, YouTube receives the information that you have accessed the corresponding sub-page of our website. This occurs regardless of whether or not you are logged onto a Google or YouTube account. YouTube and Google use data for the purposes of advertising, market research and needs-based design of their websites. If you access YouTube on our website while logged into your YouTube or Google profile, YouTube and Google will be able to associate this event with your personal profile. If you do not want this association to take place, it is necessary that you log out of your Google account before visiting our website.

As described above, you can adjust your browser settings in such a way that it rejects cookies, or you can prevent the registration of data generated by the cookies about your use of this website, as well as the processing of this data by Google, by disabling the button “Personalized ads on the web” in the Google settings for advertising. In this case, Google will only show you non-personalised advertising.

For further information, refer to the Google privacy policies, which also apply to YouTube.

Additional information about the Trusted Shop Trustbadge

We are members of Trusted Shops and use the Trusted Shop stamp of quality and ratings. The Trusted Shops organisation has instructed us to provide the following information:

We have integrated the Trusted Shops Trustbadge on this website in order to display our Trusted Shops Trustmark and offer the Trusted Shops products to customers after placing an order. This serves the protection of our legitimate interests in the optimal marketing of our offer according to art. 6 (1) 1 lit f GDPR that are overriding in the process of balancing of interests. The Trustbadge and the advertised trust badge services are offered by Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany.

With every use of the Trustbadge, the web server automatically saves a so-called server log file which contains e.g. your IP address, the date and time of the request, the volume of data transferred and the requesting provider (access data), and documents the request. Those access data are not analysed and are automatically overwritten no later than seven days after the end of your website visit. Other personal data are transferred to Trusted Shops only if you decide to use or have already registered to use Trusted Shops products after placing an order. In such a case, the contract concluded between you and Trusted Shops applies.

11. Recipients of personal data

The data we collect will only be transferred where this is necessary for the performance of a contract, to ensure the technical functionality of the website or online shop, or where other legal grounds apply to the transfer of data (e.g., where we are required by law to disclose data (disclosure of information to criminal investigation agencies and courts; disclosure of information to public sector agencies that receive data based on statutory provisions, e.g. social insurance agencies, tax offices and suchlike), or when we are required, for the exercise of our claims, to commission the services of third parties who are professionally bound to duties of confidentiality).

Some of the data processing can be executed by service providers. In particular, they may include data centers that host our website and databases, IT service providers that maintain our system, logistics and transport service providers or marketing and customer service providers, as well as consulting companies. Where we transfer data to service providers, they shall be entitled to use the data exclusively for the performance of their tasks. We carefully selected and commissioned the third parties. They are contractually bound to adhere to our instructions, obliged to maintain confidentiality, have the appropriate technical and organizational measures in place to protect the rights of the individuals concerned, and are audited by us on a regular basis.

12. Duration of storage

As a rule, we only store your personal data for as long as is necessary for the satisfaction of our contractual or lawful obligations for which we collected the data, after which time we will erase the data without undue delay, except where we require the data until the end of the statutory period of limitations for the purposes of evidence in civil law claims or based on statutory retention periods.

For example, we are required for evidential purposes to store contractual data for a period of three years from the end of the year in which the contractual relationship with you is terminated, as any claims will only lapse after this period at the earliest based on the regular limitation periods.

In some cases we will be required to continue storing your data, even beyond the end of the regular limitation periods. We may be obliged to do so pursuant to statutory documentation obligations set forth in the German Commercial Code (HGB), the German Fiscal Code (AO), the German Banking Act (KWG), the German Anti-Money Laundering Act (GWG) and the German Securities Trading Act (WpHG). The retention periods stipulated therein for the storage of documents are between two and ten years.

13. Your rights

You have the right at any time to information about your personal data that is processed by us. In this context, we will explain to you the purpose of data processing and provide an overview of the personal data stored about you.

Where the data we have stored is incorrect or no longer up-to-date, you have the right to obtain rectification of this data.

You are also entitled to demand the erasure of your data. Where erasure is not possible in exceptional cases due to another legal provision, the data will be blocked to ensure that it is only available for its lawful purpose.

In addition, you have the right to restrict the processing of your data, for instance if you doubt the accuracy of the data.

You have the right to data portability, which means that we will, upon request by you to do so, send you a copy of the personal data provided by you.

Where data processing is based on the legal grounds set out in Art.6 paragraph 1 point f GDPR, you may also object where reasons apply that relate to your particular circumstances or where you are objecting to processing for reasons of direct marketing. In the latter case, your right to object shall always be valid and it will be implemented by us, even if you do not provide reasons. Moreover, you have the right at any time to withdraw consent previously granted to us. In this case, we will no longer process the data based on your consent, effective for the future. Withdrawal of consent does not affect the lawfulness of processing conducted until such time as consent is withdrawn.

You may use the contact data provided above to correspond with us and exercise your rights as described at any time.

You are also entitled to lodge a complaint with the competent supervisory authority for data protection. The competent supervisory authority in Frankfurt, our registered address, is: The Data Protection Commissioner in the State of Hesse, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany. Alternatively, you may lodge a complaint with the data protection authority at your place of residence, which will forward your concern to the competent authority.

14. Data security

We maintain state-of-the-art technical measures to guarantee data security, in particular the protection of your personal data against risks associated with data transfer or unauthorised access by third parties. These technical measures are adapted to remain state-of-the-art. For the protection of the personal data input by you on this website, we use the Secure Sockets Layer (SSL) standard, which encrypts the information you enter.

14.1 reCaptcha

Our website uses Google reCAPTCHA, a service by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. reCAPTCHA prevents automated software (so-called bots) from executing improper activities on the website, i.e. it checks whether entries are actually made by a human.

The following data is processed to conduct this check: referrer (URL of the page on which the Captcha is used), IP address, cookies placed by Google, the user’s input behaviour (e.g. answering the reCAPTCHA question, speed of entries in the form fields, sequence of selecting the input fields by the user), browser type, browser plugins, browser size and resolution, date, language settings, cascading style sheet specifications (CSS) and scripts (JavaScript).

In addition, Google imports the cookies by other services like Gmail, Search and Analytics. You must sign out from Google if you do not want these associations with your Google account.

This data is transferred to Google in an encrypted form. Google’s evaluation decides on how the Captcha is shown on the page. For the event that personal data is transferred to the United States, Google has agreed to the terms of the EU-US Privacy Shield.

For more information, refer to the Google privacy policies.

15. Amendment of the Privacy Policy

We amend this Privacy Policy from time to time, for instance if we revise our website or if the statutory requirements change.