Privacy Policy

1. Introduction

Below, we provide information on the processing of personal data when using GameCycle.

Personal data refers to all information relating to an identifiable natural person, such as name, email address, or IP address.

1.1. Contact

The data controller pursuant to Article 4(7) of the EU General Data Protection Regulation (GDPR) is GameCycle recommerce GmbH, Erkelenzdamm 11-13, 10999 Berlin, Germany, email: support@gamecycle.de. We are legally represented by Dr. Philipp Gattner and Marcel Erian.

Our Data Protection Officer can be reached via an external service provider. You can contact us regarding data protection–related matters through the contact form on our website.

1.2. Scope of Data Processing, Purposes of Processing, and Legal Bases

The scope of personal data processing, the purposes of processing, and the underlying legal bases are explained in detail below. The following provisions generally serve as possible legal bases for data processing:

  • Article 6(1), sentence 1, letter (a) of the GDPR serves as the legal basis for processing operations for which we obtain consent.
  • Article 6(1), sentence 1, letter (b) of the GDPR is the legal basis insofar as the processing of personal data is necessary for the performance of a contract, for example when a website visitor purchases a product from us or when we provide a service for them. This legal basis also applies to processing operations that are necessary for pre-contractual measures, such as inquiries about our products or services.
  • Article 6(1), sentence 1, letter (c) of the GDPR applies when we process personal data in order to comply with a legal obligation, for example as may be required under tax law.
  • Article 6(1), sentence 1, letter (f) of the GDPR serves as the legal basis when we rely on legitimate interests to process personal data, for example for cookies that are necessary for the technical operation of our website.
1.3. Data Processing Outside the European Economic Area (EEA)

Insofar as we transfer personal data to service providers or other third parties outside the EEA, the security of the data is ensured by adequacy decisions of the European Commission pursuant to Article 45(3) of the GDPR, provided such decisions exist, for example for countries like the United Kingdom, Canada, or Israel.

When personal data is transferred to service providers in the USA, the data transfer is carried out on the basis of an adequacy decision by the European Commission, provided that the service provider is additionally certified under the EU-US Data Privacy Framework.

In cases where no adequacy decision by the European Commission exists, data transfer is generally carried out on the basis of standard contractual clauses. These clauses, adopted by the European Commission, are part of the contract with the respective service provider and ensure an appropriate level of protection for the transferred data in accordance with Article 46(2), letter (b) of the GDPR.

Many service providers also offer additional contractual safeguards that protect the data beyond the standard contractual clauses. These include, for example, measures for encrypting the data or obligations for the service provider to inform data subjects if law enforcement authorities gain access to the data.

1.4. Storage Duration

Unless otherwise stated in this privacy policy, personal data at GameCycle will be deleted as soon as it is no longer necessary for its intended purpose (e.g., to fulfill statutory or contractual warranty and guarantee rights) and no legal retention obligations prevent deletion.

If data is not deleted because it is required for other legally permissible or mandated purposes, the processing will be restricted. This means that the data will be blocked and may not be used for other purposes.

Werden Daten nicht gelöscht, weil sie für andere gesetzlich zulässige oder angeordnete Zwecke benötigt werden, wird die Verarbeitung eingeschränkt. Das bedeutet, dass die Daten gesperrt werden und nicht für andere Zwecke verwendet werden dürfen.

1.5. Rights of Data Subjects

Data subjects have the following rights in relation to their personal data:

  • Right to Access
  • Right to Rectification or Erasure
  • Right to Restriction of Processing
  • Right to Object to Processing
  • Right to Data Portability
  • Right to Withdraw Consent at Any Time
Data subjects have the right to lodge a complaint with a competent data protection supervisory authority regarding the processing of their personal data. Contact details for the supervisory authorities can be found at the following link: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html

1.6. Obligation to Provide Data

Customers, prospective customers, or other third parties are obliged to provide us only with the personal data that is necessary for establishing, performing, or terminating a business relationship or other relationship, or whose collection is required by law.

If this data is not provided, GameCycle may generally refuse to establish a contract or provide a service, or may be unable to continue an existing business relationship.

Mandatory information on our website or in forms is clearly marked as such.

1.7. No Automated Individual Decision-Making

GameCycle generally does not use fully automated decision-making within the meaning of Article 22 of the GDPR for establishing or performing a business relationship or any other relationship. If such a procedure is applied in individual cases, we will inform you separately, as required by law.

1.8. Contact

When contacting GameCycle, for example via email, contact form, or telephone, the data you provide—including your entries, contact details (e.g., email address, phone number), basic information (e.g., name), and metadata (e.g., date and time)—is stored in order to process and respond to your inquiry.

The legal basis for processing is our legitimate interest pursuant to Article 6(1), sentence 1, letter (f) of the GDPR, namely to respond to inquiries in a structured and efficient manner.

With your consent in accordance with Article 6(1)(a) of the GDPR, which you provide via our cookie banner, you can use not only the contact options but also our live chat and the call function on the website. For this purpose, cookies and similar technologies are used.

You can revoke your consent at any time by adjusting your settings in the cookie banner. The withdrawal of consent does not affect the lawfulness of the processing carried out before the withdrawal.

If you contact GameCycle by phone or via the call function on our website, individual calls may be recorded. This is done exclusively with your express consent in accordance with Article 6(1)(a) of the GDPR (opt-in procedure).

Consent to call recording is obtained before the start of the call via the website or during the call through the appropriate interaction (e.g., pressing a button).

Recorded calls are used exclusively for quality assurance and for the internal improvement of our customer service, and are automatically deleted after 30 days.

You can withdraw your consent at any time. The withdrawal does not affect the lawfulness of the processing carried out up to the point of withdrawal.

If a user chooses to provide feedback on their interaction with our customer service after their request has been handled, we process the information they provide, along with the associated case ID, based on our legitimate interest in accordance with Article 6(1)(f) of the GDPR, in order to optimize our customer service.
The employee whose performance was evaluated then automatically receives a system-generated email summarizing the results of the customer satisfaction survey.

GameCycle uses the CRM system “Zendesk” provided by Zendesk, Inc., USA, based on our legitimate interests, to process user inquiries efficiently and promptly.
In addition, we use our own internal services for managing customer relationships. The legal basis for processing personal data is Article 6(1)(f) of the GDPR. Our legitimate interest lies in maintaining an organized overview of customer data and handling user inquiries efficiently and quickly.
1.9. Contests / Sweepstakes

Occasionally, GameCycle offers contests via the website or through other means. The personal data collected for this purpose is used exclusively to determine and notify the winners. Afterwards, this data is deleted.

If contests are offered exclusively to existing customers, we process only the name to determine the winners and the contact information to notify them.

The legal basis for the processing is Article 6(1)(f) of the GDPR, as our legitimate interest lies in conducting contests to attract new customers or to engage with our existing customers.

1.10. Customer Surveys

From time to time, GameCycle conducts customer surveys to better understand our customers and their needs. Only the data requested in each survey is processed.

The legal basis for the processing is Article 6(1)(f) of the GDPR, as our legitimate interest lies in gaining a better understanding of our customers and their needs. After the survey results have been evaluated, the collected data is deleted.

1.11. Investigation and Prosecution of Criminal Offenses

For the purpose of investigating criminal offenses, we may, in individual cases and only where there is a legitimate interest, disclose the data required for the investigation to the competent law enforcement authorities or other parties involved in the investigation upon request.

The legal basis for this is our legitimate interest pursuant to Article 6(1)(f) of the GDPR and Recital 47 of the GDPR, according to which the processing of personal data is permissible to the extent that it is strictly necessary for the prevention or investigation of criminal offenses.

The internal processing of personal data for the purpose of fraud detection is also based on the same legitimate interest pursuant to Article 6(1)(f) of the GDPR and Recital 47 of the GDPR.

1.12. Data Analysis for Analytics and Marketing Purposes

GameCycle evaluates pseudonymized user profiles for analytics and marketing purposes and may rely on the support of processors for this.
The legal basis for this processing is Article 6(1)(f) of the GDPR, as our legitimate interest lies in gaining a better understanding of our customers and their needs and in optimizing our offerings.

2. Newsletter

GameCycle reserves the right to inform customers who have already used our services or purchased goods from time to time via email or other electronic means about offers similar to those they have purchased in the past. In addition, customer satisfaction may be surveyed after a purchase, provided no objection has been raised.

The legal basis for this data processing is Article 6(1)(f) of the GDPR in conjunction with Section 7(3) of the German Act Against Unfair Competition (UWG). Our legitimate interest lies in direct marketing (Recital 47 of the GDPR) as well as in gaining a better understanding of our customers and their needs.

Customers can object to the use of their email address for marketing purposes at any time without incurring any costs other than the transmission costs at the basic rates—for example, via an unsubscribe link in every email or through the contact form on our website.

Interested parties have the option to subscribe to a free newsletter from GameCycle. Newsletters, emails, and other electronic notifications containing promotional information are sent only with the consent of the recipients or on the basis of a legal authorization.

The data provided when signing up for the newsletter is processed solely for the purpose of sending the newsletter. Registration takes place by selecting the corresponding field on our website, by ticking a box on a paper form, or through another clear action by which consent to data processing is given.
Based on the consent of the recipients (Article 6(1)(a) of the GDPR), we measure the open and click rates of our newsletters to analyze which content is particularly relevant to our recipients.

We send the aforementioned messages using the Salesforce tool provided by salesforce.com Germany GmbH, Erika-Mann-Straße 31-37, 80636 Munich (Privacy Policy: https://www.salesforce.com/company/privacy/)

3. Data Processing on Our Website

3.1. Notice for Website Visitors from Germany

Our website stores information on the devices of visitors (e.g., cookies) or accesses information that is already stored on the devices (e.g., IP addresses). The specific information that is processed is described in the following sections.

The storage of and access to information on users' end devices is based on the following provisions:

  • To the extent that this storage or access is strictly necessary for us to provide a service on our website explicitly requested by the visitor (e.g., to operate a chatbot used by the visitor or to ensure the IT security of our website), it is carried out on the basis of Section 25(2) No. 2 of the German Telecommunications and Telemedia Data Protection Act (TDDDG).
  • Otherwise, this storage or access is based on the consent of the website visitors (Section 25(1) TDDDG).
The subsequent data processing is carried out in accordance with the following sections and based on the provisions of the GDPR.

3.2. Informational Use of the Website

When our website is used purely for informational purposes, meaning that visitors do not submit any additional information, GameCycle collects the personal data that the browser automatically transmits to our server. This serves to ensure the stability and security of our website.

This data includes:
  • IP address
  • Date and time of the request
  • Time zone difference from Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status / HTTP status code
  • Amount of data transferred
  • Website from which the request originates
  • Browser
  • Operating system and its interface
  • Language and version of the browser software
This data is also stored in log files. It is deleted when its storage is no longer necessary, and at the latest after 30 days.

3.3. Web Hosting and Provision of the Website

Our website is hosted via Amazon AWS. The provider is Amazon Web Services EMEA Sàrl, Luxembourg. In doing so, the provider processes the personal data transmitted via the website—such as content, usage, meta/communication data, or contact information—within the EU.

It is our legitimate interest to provide a website, so the legal basis for the described data processing is Article 6(1)(f) of the GDPR.
We use the CloudFront content delivery network (Amazon AWS) for our website. The provider is Amazon Web Services, Inc., P.O. Box 81226, Seattle, WA 98108-1226, USA. In doing so, the provider processes the personal data transmitted via the website—such as content, usage, meta/communication, or contact data—in the USA. Further information can be found in the provider’s privacy notice at https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice__German_Translation.pdf.

We have a legitimate interest in using sufficient storage and delivery capacities to ensure optimal data throughput even during high traffic peaks. The legal basis for the described data processing is therefore Article 6(1)(f) of the GDPR.

The legal basis for the transfer of personal data to countries outside the EEA is standard contractual clauses. The security of data transferred to third countries is ensured by the standard data protection clauses issued in accordance with Article 93(2) of the GDPR (Article 46(2)(c) of the GDPR), which GameCycle has agreed upon with the respective provider.
3.4. Reviews

Visitors to the GameCycle website can leave reviews of our products. Reviews are published under the first name and the initial of the last name. Users also have the option to upload their own photos of the purchased product.

In doing so, we process not only the submitted data but also meta and communication data. GameCycle has a legitimate interest in receiving feedback on our offerings. The legal basis for this processing is Article 6(1)(f) of the GDPR.

3.5. Customer Account

Visitors to the GameCycle website can create a customer account. The data requested in this process is processed to fulfill the respective user agreement. The legal basis for this is Article 6(1)(b) of the GDPR.

If no statutory retention rights or obligations exist, the data is deleted when users delete their customer account.

As part of a customer account, the following data is processed, among others:

  • The data you provide in the context of a purchase or sale, as well as related details, such as:
  • The data generated in connection with your use of our services, such as:
For the management and sending of transactional emails (e.g., order and shipping confirmations, reminders), GameCycle uses the Postmark service, provided by ActiveCampaign, LLC, USA.

To enable sending, the email address stored in the customer account is transmitted to the provider. The processing is carried out to fulfill contractual obligations in accordance with Article 6(1)(b) of the GDPR.

GameCycle has concluded a contract with the provider containing EU standard contractual clauses. These obligate the provider to process user data solely in accordance with our instructions and to maintain the EU level of data protection.

Using the email address provided during the purchase process, GameCycle automatically checks whether an order processing account already exists in the system. If this is the case, the stored data is merged into a single order processing account.

The legal basis for this processing is Article 6(1)(f) of the GDPR. This is carried out on the basis of our legitimate interest, as multiple accounts for a single person could burden storage capacities and significantly impair the efficiency of fraud detection and any necessary post-processing of purchases.

Furthermore, the unified data storage complies with the principle of data minimization pursuant to Article 5(1)(c) of the GDPR. If you do not wish for such a merging of data, please contact our customer service before making another purchase.

When paying via PayPal Express or making a purchase through a marketplace used by GameCycle (e.g., eBay, Amazon), an order processing account is created for the user in our backend system based on Article 6(1)(b) of the GDPR in order to process the order.

The account is automatically created after the purchase is completed on the marketplace or at the time the payment is released in the PayPal account. For the creation of the account, the data provided to us by the marketplace or PayPal is used. The transfer of this data is also based on Article 6(1)(b) of the GDPR.

When making a payment via PayPal Express, it is possible to access the order processing account afterwards. This is only possible if the user voluntarily sets a personal password.

After the order processing account is created, the user receives an email with the option to set a password. The processing of the password is based on the user’s voluntary consent in accordance with Article 6(1)(a) of the GDPR.

The setting of a password can be revoked at any time without providing a reason. In this case, access to the order processing account is no longer possible.

3.6. Single Sign-On (SSO)

Visitors to the GameCycle website can log in using a Single Sign-On (SSO) process. This allows them to use login credentials that have already been created with another provider. The prerequisite is that the visitor is registered with the respective provider.

When a visitor uses the SSO process, GameCycle receives information from the provider that the user is logged in, and the provider receives information that the SSO process is being used on our website. Depending on the user’s settings with the provider, additional information may be provided.

The legal basis for this processing is Article 6(1)(f) of the GDPR, as it is in the legitimate interest of the users to log in quickly and conveniently.

The providers of the procedure are:

  • Apple Inc., Infinite Loop, Cupertino, CA 95014, USA
  • Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Irland („Facebook“)
  • PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L‑2449 Luxembourg
  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland
3.7. Buyback-Feature

Users can receive a reminder by email when it’s time to resell purchased media. Open and click rates are tracked to determine the effectiveness of the message.

Users may receive an email reminder when it is time to resell purchased media. Open and click rates are monitored to evaluate the effectiveness of the message.

The legal basis for the processing is Art. 6(1) sentence 1(a) GDPR. The processing is carried out on the basis of the users’ voluntary consent.

Consent can be revoked at any time, for example by clicking the corresponding link in the email or by sending a notice to our email address provided above. The processing of data up to the time of revocation remains lawful even after the revocation.

3.8. Offer of goods

GameCycle offers the purchase and sale of goods through the website. In the context of buying and selling, the following data is processed:

  • Name
  • Email Adress
  • Password
  • Telephone(optional)
  • Shipping and billing address
  • Payment data (varies depending on the chosen payment method)
The processing of the data is carried out to fulfill the contract concluded with the respective user (Art. 6(1) sentence 1(b) GDPR).

The email address is additionally processed on the basis of Art. 6(1)(c) GDPR in conjunction with § 312i(1) No. 3 BGB, in order to send an electronic order confirmation after a purchase. This data processing is legally required.

To the extent that the serial number or IMEI of the respective device is collected in the context of a purchase, the processing is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR.

This legitimate interest serves to ensure a smooth purchase process, to prevent rejected devices from being offered for sale again, and to detect potential cases of fraud.

The buying and selling is handled by our subsidiaries. These are the following companies:

  • GameCycle Services GmbH & Co. KG, Kanalstr. 139, 12357 Berlin (Media division)
  • These are the following companies: GameCycle Services GmbH & Co. KG, Kanalstr. 139, 12357 Berlin (Media division).
For the transport of orders placed by customers, GameCycle uses various shipping providers, including:

For the execution of the transport and to ensure shipment tracking, including delivery notifications, GameCycle transmits the data belonging to an order to the respective chosen shipping provider.

o carry out the transport and ensure shipment tracking, including delivery notifications, GameCycle forwards the order-related data to the selected shipping provider.

In the event that a device you have offered for sale is lost during shipping, GameCycle also reserves the right to forward the serial number or IMEI of the device to the respective shipping provider. This serves to clarify potential cases of fraud. The legal basis for this transfer is our legitimate interest pursuant to Art. 6(1)(f) GDPR.

Device insurance

As part of our cooperation with Evy Brokerage S.A.S. and Protect Re S.A.S., both located at 38 rue des Mathurins, 75008 Paris, France (hereinafter 'Evy'), GameCycle offers the option to purchase optional insurance products for selected devices directly during the checkout process.

For this purpose, GameCycle transmits personal data to Evy so that the insurance policy can be issued and the contract concluded.

The transfer only takes place if you actively choose an insurance offer during the purchase. The legal basis is the performance of the insurance contract pursuant to Art. 6(1)(b) GDPR.

In particular, the following data is transmitted:

  • The following data is transmitted in particular:
  • Contract/device data: IMEI or serial number, product name and ID, purchase price, purchase date and currency of the device to be insured, as well as the selected insurance package.
Evy processes this data under its own data protection responsibility in accordance with Art. 4(7) GDPR. Evy alone is responsible for any further processing after the transfer.

For the processing of data by GameCycle, we are your point of contact. For the processing by Evy, Evy itself is responsible. Please contact the company that processes the data or to whose processing your inquiry relates.

Further information on the processing of personal data by Evy can be found in Evy's privacy policy, which is included in the insurance contract information sheet.
3.9. Purchase alert

We give our customers the option to set a purchase alert for all items we offer. When a purchase alert is set, the customer receives an email notification as soon as the desired item becomes available for purchase. For this purpose, we process the customer ID and the customer’s email address to perform a pre-contractual service within the meaning of Art. 6(1)(b) GDPR.

3.10. Referral program

A requirement for participating in the referral program is that you are a registered GameCycle customer with at least one completed order.

If you meet these requirements, you can participate in the referral program through our website and request an individual discount voucher. You can share this discount voucher with up to 5

Each customer may only open one customer account in the GameCycle online shop, both as a referring and as a referred customer. Each customer can participate in the referral program only once in their role as either referrer or referee. In case of violations, we reserve the right to close the respective customer accounts. Discount vouchers used in connection with improperly created customer accounts are invalid. GameCycle also reserves the right to reclaim benefits obtained through improperly used discount vouchers.

To register for GameCycle’s referral program, providing your email address is sufficient. Registration is carried out using a double opt-in procedure, meaning that after registering, you will receive an email asking you to confirm your registration. This confirmation is necessary to ensure that no one can register using someone else’s email address. The personal data collected in the context of the referral program is processed based on your consent in accordance with Art. 6(1)(a) GDPR. Registrations are logged to be able to legally verify participation. This includes your email address, the time the discount voucher was issued, the number of times the voucher has been used, and the status of vouchers issued to you after successfully referring a person.
The sending of emails within the framework of the referral program is carried out via the provider Salesforce Germany GmbH, Erika-Mann-Straße 31-37, 80636 Munich. The personal data is processed exclusively for the purpose of administering the referral program.

Based on the recipients’ consent (Art. 6(1) sentence 1(a) GDPR), emails sent as part of the referral program contain a pixel-sized file through which it can be determined when the email was opened, on which device it was opened, and which email program was used. Technically, this information can be linked to individual recipients. However, the goal is not to monitor individual users, but to analyze reading habits in order to better tailor content for the recipients.

3.11. Payment service providers

For the processing of payments, we use payment service providers who are themselves data controllers within the meaning of Art. 4(7) GDPR. To the extent that they receive personal and payment data transmitted by us during the ordering process, this is done to fulfill the contract concluded with our customers (Art. 6(1) sentence 1(b) GDPR).

These payment service providers are:

  • Klarna Bank AB (publ), Sweden ('Klarna on Invoice' and 'Klarna Pay Now')
  • Mastercard Europe SA, Belgium
  • These payment service providers include: Mastercard Europe SA, Belgium.
  • Visa Europe Services Inc., United Kingdom
Adyen N.V., Simon Carmiggeltstraat 6-50, 1011 DJ, Netherlands – used for payment processing and acting on the basis of a data processing agreement for GameCycle.

For payouts in the context of purchases, when PayPal is chosen as the payout method, Hyperwallet, a service of PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg, is used. The processing is carried out to fulfill contractual obligations pursuant to Art. 6(1)(b) GDPR.

The data is deleted as soon as the purpose for which it was collected no longer applies and there is no statutory retention obligation. Further information on the processing can be found in the privacy policy of the respective provider.
3.12. Technically necessary cookies

Our GameCycle website uses cookies. Cookies are small text files that are stored in the web browser on a visitor’s device. They help make the website more user-friendly, efficient, and secure.

To the extent that these cookies are required for the operation of our website or its functions (hereinafter 'technically necessary cookies'), the legal basis for processing is Art. 6(1) sentence 1(f) GDPR. We have a legitimate interest in providing customers and other site visitors with a fully functional website.

Specifically, we use technically necessary cookies for the following purposes:

  • Cookies that store the shopping cart and
  • Cookies that store login data
3.13. Third parties

3.13.1. Awin

We use Awin for affiliate marketing. The provider is AWIN AG, Landsberger Allee 104 BC, 10249 Berlin. Awin processes usage data (e.g., visited websites, interest in content, access times), contact data (e.g., email addresses, phone numbers), and meta/communication data (e.g., device information, IP addresses) within the EU.
The legal basis for the processing is Art. 6(1) sentence 1(a) GDPR. The processing is carried out on the basis of your consent. Data subjects can revoke their consent at any time by adjusting the settings in the cookie banner. The revocation does not affect the lawfulness of processing up to the time of revocation.

The data is deleted as soon as the purpose for which it was collected no longer applies and no statutory retention obligations prevent this. Further information can be found in the provider’s privacy policy at https://www.awin.com/de/datenschutzerklarung.

3.13.2. Datadog

The legal basis for the processing is Art. 6(1) sentence 1(f) GDPR. The processing is carried out on the basis of our legitimate interest in ensuring the stability, security, and functionality of our applications and website.

The data is deleted as soon as the purpose for which it was collected no longer applies and there are no statutory retention obligations. Further information can be found in the provider’s privacy policy at https://www.datadoghq.com/privacy/.

The data is archived once the purpose for which it was collected has expired. All customer data archived in backups is stored separately and excluded from any further processing, unless required by law. Further information can be found in the provider’s privacy policy at https://www.datadoghq.com/legal/privacy/#sharing-of-information.

3.13.3. TrustedShops

The Trusted Shops widgets on this website are only displayed if you have given your consent in accordance with Art. 6(1) sentence 1(a) GDPR. They are used to display Trusted Shops services (e.g., trust badges, collected reviews) and to present Trusted Shops products to buyers after a purchase.

Within the framework of joint responsibility between us and Trusted Shops, please direct any data protection questions and the exercise of your rights primarily to Trusted Shops using the contact options provided in their privacy information: https://www.trustedshops.de/impressum-datenschutz/. Regardless, you can contact either controller at any time. If necessary, your request will be forwarded to the other controller for response.
Data processing when integrating the Trustbadge / other widgets

The Trustbadge is provided by a U.S.-based CDN provider (Content Delivery Network).

An adequate level of data protection is ensured in each case by an adequacy decision of the European Commission. Service providers from the U.S. are generally certified under the EU-U.S. Data Privacy Framework (DPF).
Data processing when integrating the Trustbadge / other widgets

When the Trustbadge is accessed, the web server automatically stores a so-called server log file, which contains information such as the IP address, date and time of access, the amount of data transferred, and the requesting provider. The IP address is anonymized immediately after collection, so that no personal data is stored. The anonymized data is used primarily for statistical purposes and error analysis.

An adequate level of data protection is ensured in each case by an adequacy decision of the European Commission. Service providers from the U.S. are generally certified under the EU-U.S. Data Privacy Framework (DPF).
Data processing after order completion

If you have given your consent, the Trustbadge accesses order information stored on your device (such as order total, order number, and, if applicable, purchased product) as well as your email address after you complete your order. The email address is hashed using a cryptographic one-way function. The hash value is then transmitted together with the order information to Trusted Shops based on your consent (Art. 6(1) sentence 1(a) GDPR). This serves to verify whether you are already registered for Trusted Shops services. If you are, further processing is carried out in accordance with the contractual agreement between you and Trusted Shops. If you are not yet registered or do not consent to automatic recognition via the Trustbadge, you will subsequently have the option to manually register for the services or to secure coverage under your existing user agreement, if applicable.

For this purpose, the Trustbadge accesses the following information stored on your device after you complete your order: order total, order number, and email address. This is necessary to offer you buyer protection. Data is only transmitted to Trusted Shops once you actively choose to complete the buyer protection by clicking the appropriately labeled button in the so-called Trustcard. If you choose to use the services, further processing is carried out in accordance with the contractual agreement with Trusted Shops pursuant to Art. 6(1)(b) GDPR, in order to complete your registration for buyer protection, secure the order, and, if applicable, subsequently send you review invitations by email.
3.13.4. CookieScript

We use CookieScript to manage consent. The provider is Objectis Ltd., Žalgirio St. 88, LT-09303 Vilnius, Lithuania. The provider processes meta and communication data (e.g., device information, IP addresses) within the EU.

The legal basis for the processing is Art. 6(1) sentence 1(c) GDPR. The processing is necessary to comply with a legal obligation to which we are subject.

The data is deleted as soon as the purpose for which it was collected no longer applies and no statutory retention obligations remain. Further information can be found in the provider’s privacy policy at https://cookie-script.com/privacy-policy.html.

3.13.5. Criteo

The legal basis for the processing is Art. 6(1) sentence 1(a) GDPR. The processing is carried out on the basis of your consent. You can revoke your consent at any time, for example via the settings in the cookie banner. The revocation does not affect the lawfulness of processing up to the time of revocation.

The data is deleted as soon as the purpose for which it was collected no longer applies and no retention obligation prevents this. Further information is available in the provider’s privacy policy.

The data is stored for a maximum of 13 months from the date of collection. Further information can be found in the provider’s privacy policy at https://www.criteo.com/de/privacy/.

3.13.6. Adtriba

We use Adtriba for marketing automation and analysis. The provider is Adtriba GmbH, Veilchenweg 26b, 22529 Hamburg. Adtriba processes usage data (e.g., visited websites, interest in content, access times) and meta/communication data (e.g., device information, IP addresses) within the EU. Based on this data, Adtriba creates cross-channel online marketing reports and enables us to conduct detailed analysis of the customer journey.

The legal basis for processing is Art. 6 Para. 1 Sentence 1 lit. a GDPR. The processing is based on your consent. You can revoke your consent at any time by adjusting the settings in the cookie banner. The revocation does not affect the lawfulness of the processing carried out until that point.

The data will be deleted as soon as the purpose of its collection no longer applies and no legal retention obligations exist. Further information can be found in the provider's privacy policy at https://www.adtriba.com/de/datenschutzhinweise.

3.13.7. Amplitude

The legal basis for processing is Art. 6 Para. 1 Sentence 1 lit. a GDPR. The processing is based on your consent. You can revoke your consent at any time by adjusting the settings in the cookie banner. The revocation does not affect the lawfulness of the processing up to the time of revocation.

The processing is based on your consent (Art. 6 Para. 1 lit. a GDPR) or our legitimate interest (Art. 6 Para. 1 lit. f GDPR). Amplitude captures and analyzes your usage behavior, e.g., pages accessed, duration of stay, approximate location, and interactions (clicks, purchases). This serves to optimize our website and improve your user experience.

Amplitude enables us to recognize you as a visitor and create usage profiles. If you have not given consent, your visit can only be assigned based on a device ID assigned by Amplitude, but no usage profile will be created.

Based on the data collected by Amplitude, we additionally evaluate the performance of our advertising channels using aggregated usage data. For this analysis, we use the service provider Adtriba GmbH, Veilchenweg 26b, 22529 Hamburg, which acts on our behalf based on a data processing agreement.

We use Amplitude to record user sessions. This helps us better understand visitor behavior and optimize our website in a targeted manner.
We store this data until the purpose no longer applies. With Amplitude, user logs are automatically deleted after 36 months.

Further information can be found at: https://amplitude.com/privacy. In the cookie settings, you can object to data processing at any time or revoke your consent for the future.

3.13.8. Pinterest Conversion Tag

We use the Pinterest Conversion Tag for conversion tracking. The provider is Pinterest Inc., 505 Brannan Street, San Francisco, CA 94107, USA. The provider processes usage data (e.g., visited websites, interest in content, access times), contact data (e.g., email addresses, phone numbers), and meta/communication data (e.g., device information, IP addresses) in the USA.

The legal basis for processing is Art. 6 Para. 1 Sentence 1 lit. a GDPR. The processing is based on your consent. You can revoke your consent at any time by adjusting the settings in the cookie banner. The revocation does not affect the lawfulness of the processing up to the time of revocation.

The legal basis for the transfer to a country outside the EEA are the standard contractual clauses approved by the EU Commission. This ensures the security of the data transferred to the third country. The standard data protection clauses were issued in accordance with Art. 93 Para. 2 GDPR and constitute an appropriate safeguard measure pursuant to Art. 46 Para. 2 lit. c GDPR, which we have contractually agreed upon with the respective provider.

The collected data will be deleted as soon as the purpose of its collection no longer applies and no legal retention obligations exist. Further information on data processing by Pinterest can be found in the provider's privacy policy.

3.13.9. Google Conversion Tag

The legal basis for processing is Art. 6 Para. 1 Sentence 1 lit. a GDPR. The processing is based on consent. Data subjects can revoke their consent at any time by adjusting the settings in the cookie banner. The revocation does not affect the lawfulness of the processing up to the revocation.
The legal basis for processing is Art. 6 Para. 1 Sentence 1 lit. a GDPR. The processing is based on your consent. Data subjects can revoke this consent at any time by adjusting the settings in the cookie banner. The revocation does not affect the lawfulness of the processing carried out until that point.

The legal basis for the transfer to a third country (outside the EEA) are the standard contractual clauses adopted by the EU Commission. The security of the data transferred to the third country is ensured by these clauses in accordance with Art. 46 Para. 2 lit. c GDPR, which we have agreed upon with the respective provider.

The data will be deleted as soon as the purpose of its collection no longer applies and no legal retention obligation exists. Further information is available in the provider's privacy policy: Google Privacy Policy and Google Tag Manager Support.
3.13.10. Meta Pixel

The legal basis for processing is Art. 6 Para. 1 Sentence 1 lit. a GDPR. The processing is based on consent. Data subjects can revoke their consent at any time by adjusting the settings in the cookie banner. The revocation does not affect the lawfulness of the processing up to the revocation.

The processing of personal data via the Meta Pixel is based on your consent in accordance with Art. 6 Para. 1 Sentence 1 lit. a GDPR. Data subjects can revoke their consent at any time by adjusting the settings in the cookie banner. The revocation does not affect the lawfulness of the processing up to the revocation. Data collected via the Meta Pixel may be transferred to third countries, particularly to the USA. The security of the transfer is ensured by standard contractual clauses in accordance with Art. 46 Para. 2 lit. c GDPR. The data will be deleted as soon as the purpose of its collection no longer applies and no legal retention obligations exist. Further information can be found in Meta's privacy policy: https://www.facebook.com/about/privacy.
The transfer of personal data to a country outside the European Economic Area (EEA) is based on standard contractual clauses. These clauses were issued in accordance with the examination procedure pursuant to Art. 93 Para. 2 GDPR and ensure that the level of data protection when processing data in the third country corresponds to that of the EU (Art. 46 Para. 2 lit. c GDPR). We have contractually agreed upon these standard data protection clauses with the respective provider.

The personal data will be deleted as soon as the purpose of its collection no longer applies and no legal retention obligations exist. Further information on processing by the provider can be found in its privacy policy at: https://www.facebook.com/policy.php

3.13.11. TikTok

I notice you've sent me the English translation that I just provided. Did you need something else with this text, or do you have a new German text that you'd like me to translate?

The legal basis for the transfer to a country outside the EEA are standard contractual clauses. The security of the data transferred to the third country is ensured by standard data protection clauses agreed upon in accordance with Art. 46 Para. 2 lit. c GDPR.

The data will be deleted as soon as the purpose of its collection no longer applies and no retention obligation exists. Further information can be found in the provider's privacy policy.

Exactly. The stored data will be deleted as soon as the purpose of collection no longer applies and no legal retention obligations exist. Detailed information on data processing by TikTok can be found here: TikTok Privacy Policy.

3.13.12. Reddit Conversion Pixel

The legal basis for processing is Art. 6 Para. 1 Sentence 1 lit. a GDPR. The processing is based on your consent, which you can revoke at any time by adjusting the settings in the cookie banner. The revocation does not affect the lawfulness of the processing up to the revocation.

The legal basis for the transfer to a country outside the EEA are standard contractual clauses. The security of the data transferred to the third country (i.e., a country outside the EEA) is ensured by standard data protection clauses issued in accordance with the examination procedure pursuant to Art. 93 Para. 2 GDPR (Art. 46 Para. 2 lit. c GDPR), which we have agreed upon with the provider.

The data will be deleted as soon as the purpose of its collection no longer applies and no legal retention obligation exists. Further information can be found in the provider's privacy policy.

Exactly, the personal data processed via the Reddit Conversion Pixel will be deleted as soon as the purpose of collection no longer applies and no retention obligation exists. Detailed information can be found in Reddit's privacy policy at: https://www.reddit.com/policies/privacy-policy.

3.13.13. Facebook Conversion API

The legal basis for processing is Art. 6 Para. 1 Sentence 1 lit. a GDPR. The processing is based on your consent, which you can revoke at any time via the settings in the cookie banner. The revocation does not affect the lawfulness of the processing up to the revocation.

The data will be deleted as soon as the purpose of its collection no longer applies and no legal retention obligation exists. Further information is available in the provider's privacy policy at https://www.facebook.com/policy.php.