1. Contact partner, controller and data protection officer
The contact partner and so-called “controller” for the processing of your personal data in the meaning of the
EU General Data Protection Regulation (GDPR) when visiting this website is Lillydoo (Lillydoo GmbH, Hanauer
Landstraße 147-149, 60314 Frankfurt am Main; telephone: +31 (0) 85 888 8043; email:
If you have any questions regarding the use of the website and the assertion of your rights against LILLYDOO,
please contact: email@example.com.
For any data protection-related concerns please use the above mail address with the addition of "attn. data
2. Provision of the website and generation of log files
We collect data each time our website is used. Your browser automatically transmits this data to enable your
visit to our website. In particular, this data is the
- IP address of the requesting device;
- date and time of the request;
- address of the last visited and referring website; and
- technical information about the browser and operating system used by the device.
Data processing is necessary to enable your visit to the website and to guarantee permanent functionality and
security of our systems. In addition to the purposes described above, the aforementioned data is also stored
for temporary periods in internal log files in order to prepare statistical information about the use of our
website and to enhance our website to reflect visitor habits (e.g., if there is a rise in the proportion of
page views using mobile devices) and to administrate our website in general. The legal grounds for this form
of data processing are set out in Art. 6 paragraph 1 sentence 1 points b+f GDPR.
The information stored in the log files does not permit us to make any direct deductions as to identifiable
persons. In particular, we only store IP addresses in a truncated form. The log files are stored for 30 days
and then erased.
3. IT SECURITY SERVICE PROVIDER
For IT security purposes (e.g. to increase the security of our website against fraud attacks, to ensure DDoS
protection and to protect your customer experience against the consequence of malicious bots) we use the
services of the German-based IT service provider Link11 GmbH, Lindleystraße 12, 60314 Frankfurt am Main.
When you as a user access our website, several requests are sent to us for the respective page to be visited
and we send back the content to be displayed. The request contains all the information we need to display
the relevant content to you: Browser information, which page is to be called up, any forms submitted (e.g.
in the checkout), passwords for login, etc. The requests are encrypted. Link11 can only access these
requests in order to analyse them for bots. The following data is also transmitted: IP address, access time,
access date, requested URL, user agent, referrer.
The legal basis is our legitimate interest (Art. 6 para. 1 lit. f DSGVO). We have concluded an order
processing agreement with the IT service provider Link11, which acts as an order processor for us.
The functionality of the website cannot be guaranteed without the processing by the IT security service
provider. Your personal data will be stored by the provider for as long as is necessary for the purposes
described. IP addresses are generally stored for 96 hours. You can find more information about objection and
removal options vis-à-vis the provider at:
On our website, we also use content delivery network services from Cloudflare Inc., 701 Townsend St., San Francisco, CA 94107 (USA).
With the help of a content delivery network, the content of our website is stored on the server of the service.
The server of the service provider distributes this content to you or your browser when you access our website.
Cloudflare processes for example your IP address and DNS log data.
We use Cloudflare for the purpose of defending against attacks such as, e. g. so-called "DDoS or bot attacks"
on our website. Furthermore, the aim of the data processing is to shorten the loading times of our website
in order to make the content of our pages as quickly as possible available to you.
If necessary, personal data will be transferred to third countries. In order to comprehensively guarantee the
protection of your data in such a case, there are sufficient guarantees or other instruments to ensure compliance
with the European data protection principles.
The legal basis for the use of Cloudflare is Art. 6 para. 1 lit. f GDPR based on our legitimate interest in
increasing the security and delivery speed of our website. We have concluded a data processing agreement with Cloudflare.
4. Online shop, registration
You have the option to register on our online shop in order to use the full functionality of our website and
to purchase our products. The mandatory data that you will be required to provide during registration or the
order process is evident in the input fields (first and last name, email address and password, payment
details, as well as billing and shipping address). Registration is not possible without this data, as the
data is necessary for the performance of a contract. The legal grounds for this form of processing are set
out in Art. 6 paragraph 1 sentence 1 point b GDPR.
5. Terms of payment and payment services provider
We offer you standard forms of payment, such as iDEAL, credit card, PayPal, or payment on account for
orders in our online shop. To do so, we collaborate with payment services providers from which we
receive or to which we transfer your payment data. Settlement of payment and contractual performance are
not possible without this payment data and the payment services provider. The legal grounds for this
form of processing are set out in Art. 6 paragraph 1 sentence 1 point b GDPR.
If you select payment on account as your payment method, our payment service providers will use
payolution (payolution GmbH, Am Euro Platz 2, 1120 Vienna, Austria) in order to check your
creditworthiness. You will find further information about payolution in its
6.1 Salesforce Service Cloud
We use the Service Cloud service of salesforce.com, inc. 415 Mission Street, 3rd Floor San Francisco,
CA 94105 (hereinafter "Salesforce") for users within the European Economic Area.
It is a customer relationship management ("CRM") solution that we use to provide optimal support to existing
customers, e.g., through live chat and community software, and to optimize sales processes. The joint CRM
platform enables us to optimally manage customer relationships and support a perfect customer experience. In
addition, Salesforce enables tracking measures with pixel tags and cookies (see Section 9.2) to collect
statistical information (e.g., about the type, intensity and frequency of your website usage, history of
your accessed pages, products and offers). We can thus optimize our operating processes based on the actual
or perceived interests of users. By using the service, personal data such as device type, browser ID,
contact ID, case ID, name of the customer and provided e-mail address of the customer are processed.
The legal basis for this data processing is Art. 6 para. 1 p. 1 lit. b, f DSGVO. The data is deleted as
soon as it is no longer required for the processing purposes.
According to Salesforce, the data accruing in this context is only stored on servers within the EU. We have
concluded an order processing agreement with Salesforce, which guarantees the rights of the data subjects
and in which Salesforce undertakes to process data only in accordance with the DSGVO. In the event that
personal data is transferred to the USA after all, we have concluded standard contractual clauses with
Salesforce and Salesforce has integrated "Binding Corporate Rules".
You can also find more information about data processing by Salesforce in the Salesforce
7. Newsletter and advertising mails
You have the option to order our newsletter in which we will inform you regularly about new developments in
our product range. We use the double opt-in procedure for ordering our newsletter; this means we will not
send you our newsletter by email until you have confirmed that you wish to receive our newsletter by
clicking on a link in our activation email. To do this, we store your email address, the time of
registration and the IP address used for registration (“newsletter registration”) until such time as you
unsubscribe to our newsletter. The exclusive purpose of this storage is to send you the newsletter and to
provide evidence of your registration. The legal grounds for this form of processing are set out in Art. 6
paragraph 1 point a GDPR
For certain newsletters (e.g., the #momlife newsletter), we store additional personal data (e.g., your
calculated childbirth date and your week of pregnancy for the #momlife newsletter); this information, which
we require to send you the newsletter, is evident in the input fields during registration. The legal grounds
for this form of processing are also set out in Art. 6 paragraph 1 point a GDPR.
In addition, we send you advertising mails in which we request your feedback on orders and other information.
The legal grounds for this form of processing are set out in Art. 6 paragraph 1 point f GDPR.
In order to send you our newsletter and advertising mails, we collaborate with service providers to which we
transfer your email address and your newsletter registration, among other things, in order to be able to
send you the newsletter and advertising mails. The legal grounds for this form of processing are set out in
Art. 6 paragraph 1 sentence 1 point b, f GDPR.
You are entitled to unsubscribe to our newsletter and advertising mails at any time and without charge, or to
object to their receipt. A corresponding unsubscribe link is contained in each newsletter and advertising
mail. Alternatively, you may contact us at any time.
In our newsletters and advertising mails, we use industry-standard technologies that enable us to measure
your interaction with the newsletter (e.g., opening the email, links that you click on). We use this data to
optimise and develop our content and customer communication and to be able to send you individualised
offers. Among the technologies used for this purpose are small graphic elements embedded in the messages
(so-called pixels). We are able to associate the data and IDs with your personal data. The legal grounds for
this are set out in the requirement for legitimate interest according to Art. 6 paragraph 1 sentence 1 point
f GDPR. Where you do not wish us to analyse your usage habits, you are entitled at any time to unsubscribe
to our newsletter and advertising mails without charge.
8. Loyalty and rewards programme (rewards shop) Antavo
You have the option of participating in our loyalty and rewards programme. We use the platform service
provider Antavo by Antavo Limited, 107 Cheapside, 9th Floor, EC2V 6DN London, United Kingdom in order to
implement the programme. Your data will be shared with Antavo for the purpose of receiving email
notifications concerning your current points balance and current reward promotions. This data includes your
customer number, order total, email address, name and date of birth (optional). Antavo processes this data
for the purpose of operating the programme; the service provider makes the platform available, manages the
points collected by you and operates the rewards shop. The rewards shop can only be used by customers with
an active subscription. The following data is collected in particular when using the rewards shop: log-in
data, browser data, location and the products purchased.
The legal basis for forwarding the data is the rewards programme contract pursuant to Art. 6 para. 1 sentence
1 point b) GDPR. We have concluded a data processing agreement with Antavo. Antavo stores your points
balance and when you redeem your points. In view of the impending BREXIT, we have already
concluded standard contractual clauses with Antavo in accordance with Article 46 para. 2 point c) GDPR for
the event that personal data is transferred to Antavo in the UK. For further information, refer to Section
15 (“Data transfer to third countries”).
You can also obtain further information in this regard in Antavo’s
9. Facebook Fan Page
We operate a Facebook fan page in joint responsibility on the social network by Facebook Inc., 1601 Willow
Road, Menlo Park, California, 94025, USA (“Facebook”), in order to communicate with interested persons and
followers there, as well as to provide information about our products and services.
In this context, we may receive statistics from Facebook about the use of our fan page by Facebook or the
fan page users, e.g. data about likes, comments or summarised information and statistics (e.g. about the age
or locations of our followers) that help us to learn more about interaction on our page. To learn more about
the type and scope of these statistics, visit the Facebook page statistics information, and the Facebook
page insight supplement for information about the respective controller. The legal grounds for this data
processing are set out in Art. 6 paragraph 1 sentence 1 point (b) GDPR, as well as in Art. 6 paragraph 1
sentence 1 point (f) GDPR, based on our legitimate interest as stated above.
We are unable to influence the data processed by Facebook on its own responsibility and based on the
Facebook terms and conditions of use. Please be aware that data about your usage habits on Facebook and on
the fan page is transferred to the Facebook servers when you visit the fan page. Facebook uses the
aforementioned information to compile detailed statistics and for its own market research and advertising
purposes, over which we have no influence. For further information, please refer to the Facebook privacy
policies. Facebook is subject to the terms of the EU-US Privacy Shield for the event that personal data is
transferred to the United States.
If we store the personal data of users during the operation of our fan page, the users will have the rights
simplest procedure, contact Facebook directly. Facebook is familiar with the technical operations of the
platform and the associated data processing, as well as the actual purposes of data processing, and will be
able on request to take the appropriate steps if users wish to exercise their rights. We will gladly support
you in the exercise of your rights when possible and will pass on user enquiries to Facebook.
10. Cookies and equivalent technologies
hard disk, either temporarily (“session cookies”) or for longer (“persistent cookies”). Cookies are not used
to execute programs or to install viruses on your computer. Instead, the purpose of cookies is to provide
you with a personalised offering and to make the use of our services as efficient as possible.
In their standard settings, most browsers will accept cookies. However, you can adjust the browser settings
to reject cookies, or only to accept cookies with your prior consent. You will not be able to use the full
functionality of our website if you reject cookies.
10.1. Proprietary cookies for a convenient user experience
are deleted when you close the browser. Here, session cookies are used to authenticate your login.
Among other things, we use persistent cookies to remember that information shown on our website was displayed
to you, in order that we may display it to you again when you return to our website, or to ensure that our
website recognises you and that you are not required to login again (“remember me”). Persistent cookies are
automatically deleted after a set period that may differ individually for each cookie.
These services enable you to enjoy a convenient and individual use of our offerings and are based on our
legitimate interests. The legal grounds for this form of processing are set out in Art. 6 paragraph 1
sentence 1 point f GDPR.
10.2. Cookies and equivalent technologies by third-party providers for analysis and marketing purposes
We use a variety of technologies to analyse usage behaviour and evaluate the associated data, in order to
improve our website. In particular, the collected data may include the IP address of the device, the date
and the time of access, the cookie identifier, the device identifier for mobile devices, as well as
technical data about the browser and operating system.
This data is processed for marketing purposes, for instance to display individualised advertising
messages. Before using these cookies and comparable technologies, you will be given the opportunity
to adjust the settings via our cookie banner in order to consent to the use of the respective cookies.
You can change your consent at any time in the settings of the cookie banner and withdraw your consent.
The legal grounds for this form of processing are set due to your consent after Art. 6 paragraph
1 sentence 1 point a GDPR. In the section below, we will describe these technologies and the
providers used in this context.
10.2.1. Google Analytics, Ads conversion tracking and remarketing
Our website uses Google Analytics, a web analysis service by Google Ireland Limited, Gordon House, Barrow
Street, Dublin 4, Irland („Google“). In addition, our website uses Google Ads conversion tracking and
Ads remarketing and Google Signals, which are also services by Google.
technologies in order to measure the performance of advertisements placed (so-called Ads campaigns) and
to show you individualised advertising messages on websites that collaborate with Google. Google Signals
compiles for us multi-platform data reports on Google users that have enabled personalised advertising in
their Google accounts.
The data collected in this context may be transferred by Google to a server in the United States and stored
there. For the event that personal data is transferred to the United States, Google has agreed to the
conditions of the EU-US Privacy Shield.
Google will truncate your IP address before analysis of the usage statistics, which means that conclusions
cannot be drawn as to your identity. For this purpose, the code “anonymizeIP” has been added to Google
Analytics on our website to guarantee collection of anonymised IP addresses.
On behalf of the operator of this website, Google will use this information for the purpose of evaluating
your use of the website, compiling reports on website activity and providing the website operator with other
services relating to website and Internet use.
The Google Ads conversion tracking cookies ordinarily remain enabled on your computer for around 30 days.
If you visit our website during this period, both Google and we will be informed that you saw the displayed
In case that you use a Google account, Google can, depending on the settings stored in your Google account,
associate your Internet and browser cache with your Google account and use information from your Google
account to personalise advertisements. You must sign out of your Google account before visiting our website
if you do not want this association with your Google account.
If you have enabled personalised advertising in your Google account, Google will be able to prepare data
models and reports on website habits, which show for instance on which device you first clicked on an
advertisement and on which device any eventual purchase took place. These data models and reports are based
on random samples and are pseudonymised to ensure anonymity, which means that we are unable to draw any
conclusions as to the identities of the individual Google users.
For more information in this regard, refer to the Google Privacy
10.2.2. Facebook Pixel
In addition, our website uses remarketing tabs for marketing purposes (also the “Facebook Pixel”) by Facebook
Inc., 1601 Willow Road, Menlo Park, California 94025, USA (“Facebook”). This tag establishes a connection
between your browser and a Facebook server when you visit our website. Facebook therefore receives
information that you have accessed our website with your IP address.
For the event that personal data is transferred to the United States, Facebook has agreed to the conditions
of the EU-US Privacy Shield Facebook uses this information to
send a statistical and anonymous data about the general use of our website, as well as on the efficiency of
our Facebook advertising (“Facebook Ads”).
If you are a member of Facebook and have made the appropriate privacy settings on your Facebook account,
Facebook will also be able to associate the information stored with us about your visit with your personal
account, which it can use for the targeted display of Facebook Ads.
You can access and change the Privacy
Settings for your Facebook profile at any time.
Our website also uses the remarketing technology by Criteo GmbH, Unterer Anger 3, 80331 Munich, Germany
habits among website visitors for marketing purposes.
Criteo is able to analyse Internet usage habits and on this basis to show relevant advertising banners as
targeted product recommendations. On no accounts can the anonymous the data be used to personally identify
The data collected by Criteo is used exclusively to improve the advertising service. Each banner pop-up
contains a small “i” (for information) at the bottom right corner. Hovering with the mouse and clicking on
this “i” will redirect users to a page that explains the system.
For more information on this regard, visit the Criteo Privacy
Policy, where you can also object to the
anonymous and analysis of your Internet usage habits.
We use the services of Adtriba GmbH (Veilchenweg 26b, 22529 Hamburg) on our website.
Adtriba is an analysis and tracking tool that helps us draw conclusions about the success of
our online marketing campaigns. Using this information, we can evaluate our marketing campaigns
and optimize them accordingly.
marketing campaigns. Your interactions with our advertising are also measured, e.g. your
clicks on our advertising banners.
In addition, your cookie ID, your IP address (shortened to the last octet), technical information
(browser type, operating system, device data), the marketing touchpoint (channel, source, campaign,
time of interaction) and your visits on our website (visited page, referrer URL, interaction with
the website and the time of your visit) are tracked.
You can find more information on data processing in the
data protection regulations
10.2.5 SPOTEFFECTS AND MATOMO
We use the "Spoteffects" service from XAD spoteffects GmbH (Saarstr. 7, 80797 Munich) on our website
to measure the effectiveness of our TV advertising campaigns. Spoteffects uses the analysis tool
Matomo (formerly called "Piwik") to analyze the interactions. The data about the traffic and the
number of orders are then combined with information about TV connections. This enables us to
evaluate and optimize our TV campaigns.
Matomo is an analysis tool from InnoCraft Ltd., 150 Willis St, 6011, Wellington, New Zealand (“Matomo”).
Matomo uses a cookie to analyze our website with regard to your user behavior.
The cookie that is placed on your computer when you visit our website also stores and
transmits your anonymized IP address. When data is transferred to our server, the IP
address is shortened so that we can no longer identify you. In addition, the time of
the website visit, page views, browser and browser settings used, operating system used,
screen resolution of the end device used, referrer for accessing the website, search terms
for website entry and cookie ID are recorded. The evaluation is only used to optimize
and further develop our TV campaigns.
You can find more information in the
data protection information
We use the service of trbo GmbH, Leopoldstr. On our website. 41, 80802 Munich ("Trbo").
Trbo is a tracking tool that helps us to design our website in the best possible way. By
using Trbo, we can control and improve our online offerings by measuring the use of our
online offers and the effectiveness of our online advertising. This helps us to understand which
pages and products our customers are most interested in and which individual offers we should
make to our website users.
Technically, the tracking tool uses so-called "cookies" and "web beacons" in particular to
collect the following information: which pages are searched for when, how often, and in what
order, for which products, which links or offers are clicked and which orders are placed.
The data collected and used by you in this context is only ever saved under a pseudonym
(e.g. a random identification number) and is not combined with personal data about you
(e.g. name, address etc.). If the external service providers have access to the data,
this is done exclusively on our behalf and under our control.
You can find more information on data protection at trbo here.
We use the service of sessionly, Renata Bognar, Prenzlauer Allee 186, 10405 Berlin ("sessionly")
on our website. Sessionly is an evaluation tool that helps us to conduct a survey with our
customers so that we can find out more about your satisfaction with our products. After your
order process, sessionly sets a cookie to record your purchased products and your email address.
We will then receive this information from sessionly, so that we can then send you an e-mail for
product evaluation (see also the newsletter and advertising mailings section). In this email you
have the opportunity to share your experience with us about our products via sessionly.
You can find more information about sessionly here.
On this page we use the tracking technology of Linkster GmbH, Geschwister-Scholl-Straße 52, 20251 Hamburg, to
measure and visualize insights into partnerships and advertising channels.
This is a function for measuring the efficiency of the corresponding advertising measures. Furthermore, the
information enables us to assign advertising successes for billing with corresponding
advertising partners.If you click on an advertising integration, cookies are set in your browser, which are
read out in the event of a transaction. At every touch point, your browser sends an
HTTP request to the Linkster server with which certain information is transmitted. This information includes
the URL of the website on which advertising material is placed (referrer URL),
the browser identifier (user agent) of your end device (including information about the device type and the
operating system), the IP address of the end device (This IP address is anonymized
and hashed by us before storage), HTTP header (data packet automatically transmitted by your browser with
various technical information), the time of the request and, if previously saved on the device,
the cookie with its Content.
The tracking technology stores cookies on your end device to document actions. A 24-digit, anonymous ID is
stored in the cookie. Linked tothis ID, the data is encrypted in our database on the server.
This contains information about the last touch points (i.e. when a particular advertising material was
displayed or clicked on by a device). The stored touch points can, if necessary, be combined to form
a sequence chain (user journey).
With an action request, the order number and the shopping cart value of your order are usually also
transmitted and saved by us.In addition, the following values can be transmitted and saved:
your customer number, new customer characteristic, your age and gender as well as the information you
provided in a customer survey.
The cookies saved by Linkster GmbH are deleted after 30 days at the latest. The information transmitted to
us and the cookies only serve the purpose of correctly assigning the success of an advertising
medium and the corresponding billing and is in line with our legitimate interests in accordance with Art. 6
Para. 1 S. 1 lit. f GDPR.
If you do not want cookies to be stored, you can turn this off in our cookie banner and visit the "Cookie
Settings" at any time.The collection and processing of tracking data can also be disabled by
clicking on this tracking opt-out link:
Viewing your data:
10.3. COOKIE BANNER
On our website we use the Consent Management Platform (CMP) consentmanager.de of Jaohawi AB, Håltegelvägen
72348 Västerås, Sweden ("Jaohawi"). Jaohawi's service supports us in playing out your
choice of data processing, especially in connection with third party providers
future visits to our website, Jaohawi collects your IP address, time and duration of the
visit, consent information, browser information, website visited and country.
This data processing is in our legitimate interest to tailor the use of our website to your choice of
The legal basis for this data processing is derived from Art. 6 para. 1 lit. f DSGVO.
You can find more information about Jaohawi here.
11. Salesforce Marketing Cloud
For marketing purposes (e.g., to send our newsletters and informational emails) and for analysis purposes
when you visit our website, we use the customer relationship management module "Salesforce Marketing Cloud"
from Salesforce.com Inc, The Landmark @ One Market Street, Suite 300, San Francisco, California, CA 94105,
Salesforce is used to tailor our offerings and services to your interests and to improve our advertising and
about your usage patterns on our websites. However, you can disable this at any time in the cookie settings.
Your contact data (e.g. name, address, email address, IP address) will be transferred to the Salesforce
Marketing Cloud for the purposes mentioned above. The Salesforce Marketing Cloud data is stored and
processed on Salesforce servers in the USA. Salesforce undertakes by means of binding internal data
protection rules pursuant to Art. 46 (2) b) and Art. 47 DSGVO (so-called Binding Corporate Rules) to
maintain an adequate level of data protection even when processing data outside the European Union.
Salesforce has also implemented standard contractual clauses (SCCs) in an order processing agreement.
The collection and evaluation of interactions is based on your consent pursuant to
Art. 6 para. 1 lit. a DSGVO.
For more information about the Salesforce Marketing Cloud and Service and the processed data, please visit
We use the service of Unbounce Marketing Solutions Inc., 400-401 West Georgia Street, Vancouver BC, Canada,
V6B 5A1, ("Unbounce"), which provides us with so-called "landing pages" that we create for certain
promotions . On this promotion page of our website we offer prospective customers and customers coupon
codes, discounts or other perks and enable them to be redirected to our website immediately.
The promotion page is hosted by Unbounce and records your IP address, the website you came from, the browser
used, the user agent, the date and time of your visit, the device and cookie data when you visit. Unbounce
processing is Art. 6 Para. 1 lit. a, f GDPR based on our legitimate interests. Our legitimate interest is
based on advertising our products and our interest in measuring the success rate of our advertising
You can find more information on data processing in Unbounce's
data protection provisions.
13. Address Validation
To ensure that no incorrect address data is stored in our system, we use the "Global Address" service of GB
Group PLC, The Foundation, Herons Way, Chester Business Park, Chester, CH4 9GB, United Kingdom ("Loqate")
for appropriate data validation. We have entered into an order processing agreement with Loqate.
Your address (no other personal data will be processed) will only be checked for validity by Loqate when you
enter it via the online interface and will not be stored beyond that. If an error is detected when entering
your address, an alternative address or the correct spelling of your address will be suggested. Via the
interface your data will be matched with Loqate's database, which is located in the United Kingdom. For the
United Kingdom, the Commission has issued a corresponding adequacy decision pursuant to Article 45 (1) of
the GDPR, which legitimizes the transfer to or the processing of your data in the United Kingdom.
The processing of your data itself is based on Art. 6 (1) sentence 1 lit. f GDPR. Our legitimate interest is
to ensure that valid data is maintained and that a smooth processing of customer inquiries and orders can be
For more information about data protection at Loqate, please visit: https://www.loqate.com/en-gb/products-services-privacy-notice/.
On our website, we are using the services of Typeform S.L., Carrer Bac de Roda, 163, 08018 Barcelona (“Typeform”).
Typeform is a tool for creating and realising user surveys and allows us to improve our services according to
By using Typeform, we are able to integrate user surveys (for example cancellation surveys, how do you
know LILLYDOO-questionnaire) into our website. Participating in those surveys is on entirely voluntary.
When a survey is being filled out, Typeform processes and stores the provided personal data
(for example the customer number) as well as the produced results. We entered a so-called
“data-processing-agreement” with Typeform which not only obligates Typeform to protect our customers’ data,
but which also prohibits the transmission of these data to third parties. Furthermore, the agreement commits
Typeform to comply with the rules and standard contractual clauses of Article 46 GDPR when transferring
personal data via subcontractors in the USA.
Our legitimate interest in a technically sound and optimised provision of our services in accordance with
Article 6 (1) (f) GDPR forms the legal basis for the processing of the mentioned data. Further information
regarding the data processing by Typeform can be found in
Typeform’s privacy statement.
We work with zenloop GmbH, Erich-Weinert-Straße 145, 10409 Berlin. zenloop is a business-to-business
software-as-a-service platform that allows us to collect and analyse feedback from our customers through
various channels. This allows us to align and improve our offering to the needs of our customers. In
addition, zenloop collects your survey responses.
The legal basis for the processing of data by zenloop is Art. 6 para. 1 lit. f GDPR.
We have entered into a data processing agreement with zenloop pursuant to Article 28 (3) of the GDPR and
ascertained that zenloop has implemented appropriate technical and organisational measures in such a way
that the processing complies with the requirements of the GDPR and ensures the protection of your rights.
For the purposes of customer and product evaluations by our customers and for our own quality management,
we use the personal data provided by you in the course of the purchase, such as e-mail address, to request
an evaluation of your order via the evaluation system used by us.
16. Application process
When you apply for a vacant position with us, we use your applicant data exclusively to manage the
application procedure. The legal grounds for your data processing are set forth in Art. 6 paragraph 1 point
We store your personal data when we receive your application. Where we accept your application, we store your
applicant data for three years at maximum after the end of the working relationship. Where we reject your
application, we store your applicant data for six months after rejection of your application at maximum,
except if you grant your consent for a longer period of storage by us.
We cooperate with recruitment service providers in the management of our application procedures. The legal
grounds for this form of processing are set out in Art. 6 paragraph 1 sentence 1 point b, f GDPR.
17. Inclusion of services and content from third parties
It is possible that content by third parties, for instance videos by YouTube, cartographic material by Google
Maps, RSS feeds or graphics from other websites, are embedded in our website. This is only possible if the
providers of these contents (“third-party providers”) are aware of your IP address, as without your IP
address they would not be able to send content to your browser. The IP address is therefore necessary for
the presentation of this content. The legal grounds for this form of processing are set out in Art. 6
paragraph 1 point b, f GDPR.
We make efforts to include only content from providers that use the IP address exclusively to deliver
content. Notwithstanding, we have no influence insofar as the third-party provider uses the IP addresses for
statistical or other purposes.
17.1. Integration of YouTube videos
We have integrated YouTube videos in our website that are stored on YouTube and are directly playable from
our website. YouTube is a multimedia service by by Google Ireland Limited, Gordon House, Barrow Street,
Dublin 4, Irland („Google“). For the event that personal data is transferred to the United Sates, Google and
its subsidiary YouTube have agreed to the terms of the
EU-US Privacy Shield. The legal grounds
are as set out in Art. 6 paragraph 1 sentence 1 point f GDPR, and are
defined by our legitimate interest in the integration of video and image content.
When you visit our website, YouTube receives the information that you have accessed the corresponding
sub-page of our website. This occurs regardless of whether or not you are logged onto a Google or YouTube
account. YouTube and Google use data for the purposes of advertising, market research and needs-based design
of their websites. If you access YouTube on our website while logged into your YouTube or Google profile,
YouTube and Google will be able to associate this event with your personal profile. If you do not want this
association to take place, it is necessary that you log out of your Google account before visiting our
As described above, you can adjust your browser settings in such a way that it rejects cookies, or you can
prevent the registration of data generated by the cookies about your use of this website, as well as the
processing of this data by Google, by disabling the button “Personalized ads on the web” in the
Google settings for advertising.
In this case, Google will only show you non-personalised advertising.
For further information, refer to the Google
privacy policies, which also
apply to YouTube.
17.2. Additional information about the Trusted Shop Trustbadge
We are members of Trusted Shops and use the Trusted Shop stamp of quality and ratings. The Trusted Shops
organisation has instructed us to provide the following information:
We have integrated the Trusted Shops Trustbadge on this website in order to display our Trusted Shops
Trustmark and offer the Trusted Shops products to customers after placing an order. This serves the
protection of our legitimate interests in the optimal marketing of our offer according to art. 6 (1) 1 lit f
GDPR that are overriding in the process of balancing of interests. The Trustbadge and the advertised trust
badge services are offered by Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany.
With every use of the Trustbadge, the web server automatically saves a so-called server log file which
contains e.g. your IP address, the date and time of the request, the volume of data transferred and the
requesting provider (access data), and documents the request. Those access data are not analysed and are
automatically overwritten no later than seven days after the end of your website visit. Other personal data
are transferred to Trusted Shops only if you decide to use or have already registered to use Trusted Shops
products after placing an order. In such a case, the contract concluded between you and Trusted Shops
18. Recipients of personal data
The data we collect will only be transferred where this is necessary for the performance of a contract, to
ensure the technical functionality of the website or online shop, or where other legal grounds apply to the
transfer of data (e.g., where we are required by law to disclose data (disclosure of information to criminal
investigation agencies and courts; disclosure of information to public sector agencies that receive data
based on statutory provisions, e.g. social insurance agencies, tax offices and suchlike), or when we are
required, for the exercise of our claims, to commission the services of third parties who are professionally
bound to duties of confidentiality).
Some of the data processing can be executed by service providers. In particular, they may include data
centers that host our website and databases, IT service providers that maintain our system, logistics and
transport service providers or marketing and customer service providers, as well as consulting companies.
Where we transfer data to service providers, they shall be entitled to use the data exclusively for the
performance of their tasks. We carefully selected and commissioned the third parties. They are contractually
bound to adhere to our instructions, obliged to maintain confidentiality, have the appropriate technical and
organizational measures in place to protect the rights of the individuals concerned, and are audited by us
a regular basis.
19. Duration of storage
As a rule, we only store your personal data for as long as is necessary for the satisfaction of our
contractual or lawful obligations for which we collected the data, after which time we will erase the data
without undue delay, except where we require the data until the end of the statutory period of limitations
for the purposes of evidence in civil law claims or based on statutory retention periods.
For example, we are required for evidential purposes to store contractual data for a period of three years
from the end of the year in which the contractual relationship with you is terminated, as any claims will
only lapse after this period at the earliest based on the regular limitation periods.
In some cases we will be required to continue storing your data, even beyond the end of the regular
limitation periods. We may be obliged to do so pursuant to statutory documentation obligations set forth in
the German Commercial Code (HGB), the German Fiscal Code (AO), the German Banking Act (KWG), the German
Anti-Money Laundering Act (GWG) and the German Securities Trading Act (WpHG). The retention periods
stipulated therein for the storage of documents are between two and ten years.
20. Your rights
You have the right at any time to information about your personal data that is processed by us. In this
context, we will explain to you the purpose of data processing and provide an overview of the personal data
stored about you.
Where the data we have stored is incorrect or no longer up-to-date, you have the right to obtain
rectification of this data.
You are also entitled to demand the erasure of your data. Where erasure is not possible in exceptional cases
due to another legal provision, the data will be blocked to ensure that it is only available for its lawful
In addition, you have the right to restrict the processing of your data, for instance if you doubt the
accuracy of the data.
You have the right to data portability, which means that we will, upon request by you to do so, send you a
copy of the personal data provided by you.
Where data processing is based on the legal grounds set out in Art.6 paragraph 1 point f GDPR, you may
object where reasons apply that relate to your particular circumstances or where you are objecting to
for reasons of direct marketing. In the latter case, your right to object shall always be valid and it
implemented by us, even if you do not provide reasons. Moreover, you have the right at any time to
consent previously granted to us. In this case, we will no longer process the data based on your
effective for the future. Withdrawal of consent does not affect the lawfulness of processing conducted
such time as consent is withdrawn.
You may use the contact data provided above to correspond with us and exercise your rights as described at
You are also entitled to lodge a complaint with the competent supervisory authority for data protection. The
competent supervisory authority in Frankfurt, our registered address, is: The
Data Protection Commissioner in the State of Hesse, Gustav-Stresemann-Ring 1, 65189 Wiesbaden,
Alternatively, you may lodge a complaint with the data protection authority at your place of residence,
which will forward your concern to the competent authority.
21. Data security
We maintain state-of-the-art technical measures to guarantee data security, in particular the protection of
your personal data against risks associated with data transfer or unauthorised access by third parties.
These technical measures are adapted to remain state-of-the-art. For the protection of the personal data
input by you on this website, we use the Secure Sockets Layer (SSL) standard, which encrypts the information
Our website uses Google reCAPTCHA, a service by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA
94043, USA. reCAPTCHA prevents automated software (so-called bots) from executing improper activities on the
website, i.e. it checks whether entries are actually made by a human.
The following data is processed to conduct this check: referrer (URL of the page on which the Captcha is
used), IP address, cookies placed by Google, the user’s input behaviour (e.g. answering the reCAPTCHA
question, speed of entries in the form fields, sequence of selecting the input fields by the user), browser
type, browser plugins, browser size and resolution, date, language settings, cascading style sheet
In addition, Google imports the cookies by other services like Gmail, Search and Analytics. You must sign out
from Google if you do not want these associations with your Google account.
This data is transferred to Google in an encrypted form. Google’s evaluation decides on how the Captcha is
shown on the page. For the event that personal data is transferred to the United States, Google has agreed
to the terms of the EU-US
For more information, refer to the Google privacy