Data protection
Privacy policy regarding data use on KAYA
Data protection is a matter of trust, and your trust is important to us. We respect your privacy and personal rights. The protection and lawful collection, processing, and use of your personal data is therefore an important concern for us. To ensure that you feel secure when visiting our website, we strictly adhere to the legal provisions when processing your personal data and would like to inform you here about our data collection and use.
1. Responsible body
The responsible body for the collection, processing, and use of your personal data within the meaning of the General Data Protection Regulation (GDPR) is kaya-international Ltd., Rüzgarlibahce Mah. Sehit Metin Kaya Sokak No. 62, 34805 Beykoz/Istanbul (hereinafter: “KAYA” or “we”). If you wish to object to the collection, processing or use of your data by KAYA in accordance with this privacy policy, either in whole or in part, you can send your objection by email, fax or letter to the following contact details:
Kaya International Ltd.
Data Protection Department
Rüzgarlibahce Mah. Sehit Metin Kaya Sokak No. 62
34805 Beykoz/Istanbul
Türkiye
E-mail: kaya@kaya-international.com
In addition, you can obtain information about the data stored by us at any time free of charge (see also section 11).
2. Data protection officer
If you have any questions and/or suggestions regarding data protection, you can contact our data protection officer directly at any time. You can reach our data protection officer at the following contact details:
nyr Law Rechtsanwaltsgesellschaft mbH
Riehler Str. 33
50668 Cologne
Fax: +49 (0) 221 980 44 997
Email: datenschutzbeauftragter@jumingo.com
3. Collection and use of general data
This website collects a range of general data and information each time a user accesses it. This general data and information is stored in the log files of our servers. This primarily includes the following data:
- the browser types and versions used,
- the operating system used by the accessing system,
- the website from which an accessing system reaches this website (known as the referrer),
- the sub-websites that are accessed via an accessing system on this website,
- the date and time of access to the website,
- the IP address and geolocation,
- the Internet service provider of the accessing system, and
- other similar data and information that serve to protect against attacks on our information technology systems.
When using this general data and information, KAYA does not draw any conclusions about the data subject. KAYA requires this general data in order to
- deliver the content of this website correctly,
- optimize the content of this website and the advertising for it,
- ensure the long-term functionality of our information technology systems and the technology of this website, and
- provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack.
This anonymously collected data and information is therefore evaluated by KAYA both statistically and with the aim of increasing data protection and data security. The anonymous data in the server log files is stored separately from all personal data provided by a data subject. The web servers used by KAYA GmbH are located in a data center of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The servers are located in Germany (zone europe-west3-a, data center in Frankfurt, Germany).
4. Collection, processing, and use of personal data
4.1 Personal data
Personal data is information about the factual or personal circumstances of an identified or identifiable natural person. This includes, for example, your name, telephone number, address, and all inventory data that you provide to KAYA during the registration process or when placing an order. Statistical data that we collect when you visit our website and that cannot be directly linked to your person is not included here. This includes, for example, statistics on which pages of our website are particularly popular or how many users visit certain pages of the KAYA website.
4.2 Customer account
After receiving the initial password, we recommend that every customer create a personal password for security reasons. You can change your password at any time in your customer account under the menu item “Settings.”
You undertake to treat your personal access data confidentially and not to make it accessible to unauthorized third parties. We cannot accept any liability for misused passwords, unless we are responsible for the misuse. Unless you log out, you will remain logged in automatically for a maximum of one year. This is the lifespan of the cookie required for this purpose. Each time you visit the website, the cookie lifespan is extended and you remain logged in until you log out or have not visited our website for at least one year (end of the cookie lifespan). This feature allows you to use our services without having to log in each time.
In addition, you can view data about your completed, open, and recently shipped orders in your customer account, as well as manage your data and communication settings.
When you use our portal, we store the data required for contract fulfillment and payment details until you permanently delete your account. We also store the voluntary data you provide for the duration of your use of the portal, unless you delete it beforehand. You can manage and change all information in the protected customer area. The legal basis for this is Art. 6 (1) (b) GDPR.
4.3 Contact form
If you send us an enquiry via the contact form in our help section, via chat or by email, your details, including the contact details you provide, will be stored by us for the purpose of processing the enquiry and in the event of follow-up questions. We will not pass on this data without your consent.
The data entered in the contact form is therefore processed exclusively on the basis of your consent (Art. 6 para. 1 lit. a GDPR). You can revoke this consent at any time. To do so, simply send us an informal email. The legality of the data processing operations carried out until the revocation remains unaffected by the revocation.
The data you enter in the contact form will remain with us until you request its deletion, revoke your consent to its storage, or the purpose for which it was collected no longer applies. Mandatory legal provisions—in particular retention periods—remain unaffected by this.
To process your inquiries, we use the CRM system “Zendesk” from the provider Zendesk, Inc., 989 Market Street 300, San Francisco, CA 94102, USA, in order to be able to process inquiries more quickly and efficiently (legitimate interest pursuant to Art. 6 para. 1 lit. f. GDPR).
Due to the transfer of data to recipients in third countries (USA), additional protective measures must be taken to ensure an adequate level of data protection. We have agreed standard data protection clauses with the provider in accordance with Art. 46 (2) lit. c) GDPR and also endeavor to ensure appropriate technical and organizational protection measures and contractual commitments from the recipient in the third country with regard to data security.
Further information can be found in Zendesk's privacy policy.
4.4 Collection, processing, and use of your personal data
Data protection is very important to us. We therefore strictly adhere to the legal provisions of the Data Protection Act when collecting, processing, and using your personal data. We collect, store, and process your data for the entire processing of your order, including any subsequent warranties, for our services, technical administration, and for our own marketing purposes. Your personal data will only be passed on or transferred to third parties if this is necessary for the purpose of contract processing or billing or if you have given your prior consent. In the context of order processing, for example, the service providers we use (such as transport companies, logistics companies, banks) receive the data necessary for order and contract processing. The data passed on in this way may only be used by our service providers to fulfill their tasks. Any other use of the information is not permitted and will not be carried out by any of the service providers we commission.
We require your full shipping and delivery address for your order. We require your name, address, and payment details for invoicing purposes. We require your email address so that we can confirm receipt of your order and communicate with you. If the service you have requested requires a waybill, this will also be sent to you by email. We also use your email address for identification purposes (customer login). Your personal data will be deleted unless we are required to retain it by law or if you have asserted a right to deletion, if the data is no longer necessary for the purpose for which it was stored, or if its storage is inadmissible for other legal reasons.
4.5 Use of your data for advertising purposes
If you are already a customer of Kaya International Ltd., we will also process the contact details you provided during the ordering process to inform you about our own similar goods and services (existing customer advertising).
The legal basis for the processing of your contact data for existing customer advertising is our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR in conjunction with § 7 para. 3 UWG. In addition, information on the collection and delivery of the shipments you have ordered will be sent to you by email. This can be deactivated at any time in the customer area.
You can withdraw your consent at any time with future effect by clicking on the corresponding opt-out link at the end of the email or by sending us an email to kaya@kaya-international.com informing us of your withdrawal. In this case, only your email address will be stored in a so-called “block list.” The legal basis for this is our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR.
5. Cookies
Accepting cookies is not a prerequisite for visiting our website. However, we would like to point out that our website and our service offer only limited functionality if you do not allow us to set cookies.
5.1 What are cookies?
Cookies are small files that are stored on your data carrier and save certain settings and data for exchange with our system via your browser. There are two different types of cookies: session cookies, which are deleted as soon as you close your browser, and temporary/permanent cookies, which are stored on your data carrier for a longer period of time or indefinitely.
This storage helps us to design our website and our offers for you accordingly and makes it easier for you to use, for example by storing certain entries you have made so that you do not have to repeat them constantly.
5.2 Which cookies does KAYA use?
Most of the cookies we use are automatically deleted from your hard drive at the end of the browser session (end of session) (hence the term “session cookies”). Session cookies are required, for example, to offer you the shopping cart function across multiple pages. In addition, we also use cookies that remain on your hard drive. When you visit our website again, it will automatically recognize that you have already visited our website and which entries and settings you prefer. These temporary or permanent cookies (lifespan 1 month to 10 years) are stored on your hard drive and delete themselves after the specified time. These cookies in particular serve to make our offer more user-friendly, effective, and secure. Thanks to these files, it is possible, for example, to display information on the page that is specifically tailored to your interests. The sole purpose of these cookies is to tailor our offer to your wishes as best as possible and to make your visit to our website as comfortable as possible.
5.3 What data is stored in the cookies?
Only pseudonymous data is stored in the cookies used by KAYA. When the cookie is activated, it is assigned an identification number. However, your personal data is not assigned to this identification number. Your name, IP address, or similar data that would enable the cookie to be assigned to you are not stored in the cookie. Based on cookie technology, we only receive pseudonymized information, such as which pages of our website were visited, which products were viewed, etc.
5.4 What is onsite targeting?
The KAYA website uses cookie technology to collect data for the purpose of optimizing our advertising and our entire online offering. This data is not used for personal identification, but serves solely for pseudonymous evaluation of the use of our website. Your data will not be merged with the personal data stored by us at any time. This technology enables us to present you with advertising and/or special offers and services whose content is based on information we have obtained through clickstream analysis (for example, advertising that is tailored to the fact that you have only viewed sports shoes in the last few days). Our aim is to make our online offering as attractive as possible for you and to present you with offers that correspond to your areas of interest.
5.5 Are there also cookies from third-party providers (so-called third-party cookies)?
KAYA uses a number of partners to help make our online offering and our website more interesting for you. For this reason, cookies from partner companies are also stored on your hard drive when you visit the website. These are temporary/permanent cookies that are automatically deleted after the specified time. These temporary or permanent cookies (lifespan 14 days to 10 years) are stored on your hard drive and delete themselves after the specified time. The cookies of our partner companies also contain only pseudonymous, mostly even anonymous data. This includes, for example, data about which products you have viewed, whether something was purchased, which products were searched for, etc. Some of our advertising partners also collect information beyond the website about which pages you have previously visited or which products you have been interested in, for example, in order to be able to display advertising that best suits your interests. This pseudonymous data is never merged with your personal data. Its sole purpose is to enable our advertising partners to target you with advertising that may actually be of interest to you.
5.6 Retargeting
Our website uses so-called retargeting technologies. We use these technologies to make the Internet offering more interesting for you. This technology makes it possible to target Internet users who have already shown interest in our site and our services with advertising on our partners' websites. We believe that displaying personalized, interest-based advertising is generally more interesting for Internet users than advertising that has no such personal connection. These advertisements are displayed on our partners' websites based on cookie technology and an analysis of previous usage behavior. This form of advertising is completely pseudonymous. No usage profiles are merged with your personal data.
5.7 How can you prevent cookies from being stored?
You can set your browser to only accept cookies if you agree to them. If you only want to accept KAYA cookies, but not cookies from our service providers and partners, you can select the “Block third-party cookies” setting in your browser. As a rule, the help function in the menu bar of your web browser will show you how to reject new cookies and disable those that have already been received. We recommend that you always log out completely when using shared computers that are set to accept cookies.
6. Log files
Each time you access the KAYA website, usage data is transmitted by your internet browser and stored in log files, known as server log files (see section 3). The IP addresses of users are deleted or anonymized after the end of use. In the case of anonymization, the IP addresses are changed in such a way that the individual details about personal or factual circumstances can no longer be assigned to a specific or identifiable natural person, or only with a disproportionate amount of time, cost, and effort. We evaluate these log file data records in anonymized form in order to further improve our offer and our website, to make it more user-friendly, to find and correct errors more quickly, and to control server capacity.
7. Web analysis, third-party tools
7.1 Google Analytics 4
Google Analytics 4 is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland Google LLC, (“Google”). Google Analytics uses cookies, which are text files stored on your computer that enable Google to analyze your use of our website. The information collected by the cookie about your use of our website (including your IP address) is usually transferred to a Google server in the US and stored there. We also use the User ID feature, which assigns a permanent and unique ID to one or more sessions and activities within those sessions. This allows user behavior to be analyzed across devices.
For your protection, we naturally use the anonymization function (“IP masking”), which means that Google truncates the IP addresses within the EU/EEA by the last octet. This means that your IP address will be truncated by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the US and shortened there. Google will use this information to evaluate your use of our website, to compile reports on website activity for us, and to provide us with other services related to website and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. This data will only be transferred by Google to third parties on the basis of legal regulations or within the scope of order data processing. Under no circumstances will Google merge your data with other data collected by Google. We use Google Tag Manager to simplify the administration of the tool.
For these cases, Google has, according to its own statements, imposed a standard that corresponds to the former EU-US Privacy Shield and has thus committed itself to complying with applicable data protection laws when transferring data internationally. We have also agreed so-called standard contractual clauses with Google, the purpose of which is to ensure an adequate level of data protection in third countries.
The legal basis for the processing of your personal data is your express, active consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR. You have the option to revoke your consent at any time with future effect. To this end, you can prevent the collection of data generated by the cookie and related to your use of this website (including your IP address) by Google and the processing of this data by Google by downloading and installing the browser plugin available here. For more information on data protection and Google Analytics 4, please visit the following link.
7.2 Google Analytics Universal
We also use Google Analytics Universal, a web tracking service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). The purpose of our use of this tool is to enable the analysis of user interactions on websites and in apps and to improve our offering and make it more interesting for you as a user based on the statistics and reports obtained.
We primarily collect information about your interactions with our website using cookies, device/browser data, IP addresses, and website or app activity. Google Analytics also collects your IP addresses to ensure the security of the service and to provide us, as the website operator, with information about the country, region, or location from which the respective user originates (so-called “IP location determination”). For your protection, we naturally use the anonymization function (“IP masking”), which means that Google truncates the IP addresses within the EU/EEA by removing the last octet. We use Google Tag Manager to simplify the administration of the tool.
Google acts as a processor and we have entered into a corresponding contract with Google. The information generated by the cookie and the (usually shortened) IP addresses about your use of this website are usually transferred to a Google server in the USA and processed there. In these cases, Google has, according to its own statements, imposed a standard that corresponds to the former EU-US Privacy Shield and has thus undertaken to comply with applicable data protection laws for international data transfers. We have also agreed on so-called standard contractual clauses with Google, the purpose of which is to ensure an adequate level of data protection in third countries.
The legal basis for the collection and further processing of the information (which takes place for a maximum of 14 months) is your consent (Art. 6 para. 1 sentence 1 lit. a GDPR). You may revoke your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. In apps, you can reset the advertising ID in the Android or iOS settings. The easiest way to revoke your consent is via our Consent Manager or by installing the Google browser add-on, which is available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de/ For more information about the scope of Google Analytics, please visit the following link: https://marketingplatform.google.com/about/analytics/terms/de/
Google provides information about data processing when using Google Analytics at the following link: https://support.google.com/analytics/answer/6004245?hl=de/
General information on data processing, which according to Google also applies to Google Analytics, can be found in Google's privacy policy at the following link: https://www.google.de/intl/de/policies/privacy/
7.3 Google Signals
This website uses the Google Signals feature provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, a European subsidiary of Google Inc., USA (“Google”). The advanced advertising feature Google Signals provides additional information about visitors to this website who use different devices. Google uses the data of users who are logged into their Google account. This feature collects visitor data from this website in Google Analytics and links it to the Google accounts of logged-in users. This data is used to provide cross-device aggregated and anonymized statistics on the behavior of users of this website. However, there is no basic cross-device (computer, smartphone, tablet) analysis of your use of this website. Cross-device reports do not provide any conclusions about the identity of individual visitors. However, if visitors to this website are logged into their Google account, Google can identify these visitors. Google may also use the user data to display personalized advertising. To receive personalized advertising, users must first agree to such a link in their Google account. If you do not wish to do so, you can disable this feature by adjusting your Google advertising settings accordingly.
Otherwise, your data will be processed as described in section 7.1 (Google Analytics 4).
7.4 Google Optimize
We use the Google Optimize analysis service to test several versions of some of our pages and optimize them using comparative statistics. Cookies are used to distinguish between anonymous test groups. The data is processed as described in Google Analytics 4 (see section 7.1); if you disable Google Analytics, your data will not be included in the comparative tests.
7.5 Google Tag Manager
We use the service provider Google Tag Manager from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
Google Tag Manager is a solution that allows us to manage so-called website tags via an interface (and thus, for example, integrate Google Analytics and other Google marketing services into our online offering). The Tag Manager itself (which implements the tags) does not process any personal data of users. With regard to the processing of users' personal data, please refer to the following information on Google services. You can find the terms of use here.
7.6 Google Adwords
The website uses Google Conversion Tracking, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”), a European subsidiary of Google Inc., USA. Google Adwords places a cookie on your computer if you have reached our website via a Google ad.
As part of its sales activities, KAYA uses Google Adwords, i.e. ads that appear in Google search results, to draw the attention of potential customers to the offers on the website. In this context, there are a few special features to note about the cookie that Google places on your computer if you access the website via a Google ad: This cookie loses its validity once its purpose has been fulfilled and is not used for personal identification. If the user visits certain pages of the AdWords customer's website and the cookie has not yet expired, Google and the customer can recognize that the user clicked on the ad and was redirected to this page. Each AdWords customer receives a different cookie.
Cookies cannot therefore be tracked across the websites of AdWords customers. The information collected using the conversion cookie is used to compile conversion statistics for AdWords customers who have opted for conversion tracking. AdWords customers learn the total number of users who clicked on their ad and were redirected to a page tagged with a conversion tracking tag. However, they do not receive any information that can be used to personally identify users.
The legal basis for the processing of your personal data is your express, active consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR. You have the option to revoke your consent at any time with future effect. If you do not wish to participate in the tracking process, you can also refuse the necessary cookie by, for example, using your browser settings to disable the automatic setting of cookies. You can also disable cookies for conversion tracking by setting your browser to block cookies relevant to tracking. To do this, you must configure your browser accordingly. You can find out how to deactivate cookies for the Chrome browser here.
Due to the transfer of data to recipients in third countries (USA), additional protective measures must be taken to ensure an adequate level of data protection. We have agreed standard data protection clauses with the provider in accordance with Art. 46 (2) lit. c) GDPR and also endeavor to implement appropriate technical and organizational protective measures and contractual commitments from the recipient in the third country with regard to ensuring data security.
Google's privacy policy on conversion tracking can be found here.
7.7 Bing Ads
KAYA also uses the Microsoft service Bing Ads, a service provided by Microsoft Advertising, 1 Microsoft Way, Redmond WA 98052, USA, and uses conversion tracking to measure the effectiveness of individual ads, offers, and features and thus create personalized ad profiles. For this purpose, a cookie is set as soon as you click on an ad. This cookie is not used for personal identification, but to determine whether you return to the page with the specific offer during the validity period of the cookie.
The legal basis for the processing of your personal data is your express, active consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR. You can withdraw your consent at any time with future effect. You can prevent the storage of Microsoft conversion cookies by adjusting your Internet browser settings accordingly.
Due to the transfer of data to recipients in third countries (USA), additional protective measures must be taken to ensure an adequate level of data protection. We have agreed standard data protection clauses with the provider in accordance with Art. 46 (2) lit. c) GDPR and also endeavor to ensure appropriate technical and organizational protective measures and contractual commitments from the recipient in the third country with regard to data security.
Further information on Microsoft Bing Ads and data protection can be found here.
7.8 Hotjar
KAYA uses the Hotjar analysis service, a service provided by Hotjar Ltd., Dragonara Business Center, 5th Floor, Dragonara Road, Paceville St. Julian's STJ 3141, Malta, to better understand the needs of users and to optimize the offer and experience on this website. Hotjar's technology helps us to better understand our users' experiences (e.g., which links they click on, what they like and dislike, etc.) and this helps us to tailor our offering based on user feedback. Hotjar uses cookies and other technologies to collect data about our users' behavior and their devices, in particular the IP address of the device (collected and stored in anonymized form only during your use of the website), screen size, device type (unique device identifiers), information about the browser used, location (country only), preferred language for displaying our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually prohibited from selling the data collected on our behalf.
The legal basis for the processing of your personal data is your express, active consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR. You have the right to revoke your consent at any time with future effect.
Due to the transfer of data to recipients in third countries (USA), additional protective measures must be taken to ensure an adequate level of data protection. We have agreed standard data protection clauses with the provider in accordance with Art. 46 (2) lit. c) GDPR and also endeavor to ensure data security through appropriate technical and organizational measures and contractual commitments from the recipient in the third country.
Further information can be found in the “About Hotjar” section on Hotjar's help page and in Hotjar's privacy policy.
7.9 Google Remarketing
This website uses the remarketing function of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, a European subsidiary of Google Inc., USA (“Google”). This function is used to present interest-based advertisements to visitors to the website within the Google advertising network. The website visitor's browser stores so-called “cookies,” text files, on your computer. These enable the visitor to be recognized when they access websites that belong to the Google advertising network. On these pages, visitors may then be presented with advertisements relating to content that the visitor has previously accessed on websites that use Google's remarketing function. According to its own information, Google does not collect any personal data during this process.
The legal basis for the processing of your personal data is your express, active consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR. You have the option to revoke your consent at any time with future effect. If you do not wish to use Google's remarketing function, you can deactivate it by adjusting the settings here. Alternatively, you can disable the use of cookies for interest-based advertising via the Advertising Network Initiative by following the instructions here.
Due to the transfer of data to recipients in third countries (USA), additional protective measures must be taken to ensure an adequate level of data protection. We have agreed standard data protection clauses with the provider in accordance with Art. 46 (2) lit. c) GDPR and also endeavor to ensure appropriate technical and organizational security measures and contractual commitments from the recipient in the third country with regard to data security.
Further information on Google Remarketing and Google's privacy policy can be found here.
7.10 Google Maps
This website uses Google Maps to auto-complete addresses. Google Maps is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, a European subsidiary of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The legal basis for the processing of your personal data is your express, active consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR. You have the right to revoke your consent at any time with future effect.
Due to the transfer of data to recipients in third countries (USA), additional protective measures must be taken to ensure an adequate level of data protection. We have agreed standard data protection clauses with the provider in accordance with Art. 46 para. 2 lit. c) GDPR and also endeavor to ensure appropriate technical and organizational protective measures and contractual commitments from the recipient in the third country with regard to data security.
The terms of use for Google Maps can be found at Terms of Use for Google Maps. Detailed information can be found in Google's Privacy Center.
7.11 SendGrid
We use the services of SendGrid for sending emails. The provider is SendGrid, Inc., 1801 California Street, Suite 500, Denver, Colorado 80202, USA. SendGrid is a service that can be used, among other things, to organize and analyze the sending of emails. SendGrid is a company of the Twilio Group, which has implemented EU-approved Binding Corporate Rules regarding data protection in accordance with Art. 47 GDPR.
With the help of SendGrid, we can analyze the sending of emails. This allows us to determine whether a message has been opened and which links, if any, have been clicked on. Technical information is also collected (e.g., time of retrieval, IP address, browser type, and operating system). This information is used exclusively for statistical analysis of messages. The results of these analyses can be used to identify problems with the delivery of emails.
The service provider SendGrid is used on the basis of our legitimate interests pursuant to Art. 6 (1) lit. f GDPR and a processing agreement pursuant to Art. 28 (3) sentence 1 GDPR.
You can view SendGrid's privacy policy as part of the Twilio Group here.
7.12 New Relic
On this website, we use the New Relic service, a service provided by New Relic Inc., San Francisco, CA, 188 Spear St., USA. Data processing is carried out for the purpose of website optimization by means of statistical evaluations of the speed of the website and evaluations of page views by our users.
For this purpose, New Relic processes information about the page views of website visitors, the IP address of the website visitor, and information about the existence of a user account with New Relic.
The legal basis for the processing of your personal data is our legitimate interest in the proper operation of our website in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR.
Due to the transfer of data to recipients in third countries (USA), additional protective measures must be taken to ensure an adequate level of data protection. We have agreed standard data protection clauses with the provider in accordance with Art. 46 (2) lit. c) GDPR and also endeavor to implement appropriate technical and organizational protective measures.
Further information about the provider can be found at the following link.
7.13 Trustpilot
We participate in the review process of the provider Trustpilot A/S, Pilestræde 58, 5, 1112 Copenhagen, Denmark.
Trustpilot offers users the opportunity to rate our services. Users who have used our services are informed during the checkout process about the possibility of receiving review requests by email. To ensure that users have actually used our services, we transmit the necessary data regarding the user and the service used (including name, email address, and a reference number) to Trustpilot. This data is used solely to verify the authenticity and identity of the user.
The legal basis for processing user data as part of the review process is our legitimate interest in obtaining customer reviews for the purpose of existing customer advertising in accordance with Art. 6 (1) (f) GDPR in conjunction with § 7 (3) UWG.
To submit a review, you must create a customer account with Trustpilot. In this case, Trustpilot's terms and conditions and privacy policy apply. To ensure the neutrality and objectivity of the reviews, we have no direct influence on the reviews and cannot delete them ourselves. We ask users to contact Trustpilot for this purpose.
Furthermore, we may integrate the Trustpilot widget on our website. A widget is a functional and content element integrated into our online offering that displays variable information. Although the corresponding content is displayed within our online offering, it is retrieved from Trustpilot's servers at that moment. This is the only way to ensure that the current content is always displayed, especially the current rating. To do this, a data connection must be established from the website accessed within our online offering to Trustpilot, and Trustpilot receives certain technical data (access data, including the IP address) that is necessary for the content to be delivered. Trustpilot also receives information that users have visited our online offering. This information may be stored in a cookie and used by Trustpilot to identify which online offerings participating in the Trustpilot review process have been visited by the user. The information may be stored in a user profile and used for advertising or market research purposes.
The legal basis for processing user data in connection with the integration of the widget is our legitimate interest in informing our users about the quality of our services in accordance with Art. 6 (1) lit. f. GDPR.
Users can find further information on the processing of their data by Trustpilot, as well as their rights to object and other rights of data subjects, in Trustpilot's privacy policy at the following link:
https://de.legal.trustpilot.com/end-user-privacy-terms
7.14 LinkedIn Insight Tag
We use the LinkedIn Insight Tag, a service provided by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Palace, Dublin 2, Ireland, on our website.
The LinkedIn Insight Tag is a JavaScript code snippet that we add to this website to analyze the use of our website and evaluate the effectiveness of LinkedIn ads. In doing so, we receive aggregated campaign reports from the provider and can track conversions in order to retarget website visitors.
The following (personal) data is processed for the aforementioned purpose: URL, referrer URL, IP address (truncated or hashed), device and browser characteristics (user agent), and the time of your visit. Members' direct identifiers are removed within seven days to pseudonymize the data. This remaining pseudonymized data is then deleted within 180 days.
As the website operator, we only receive statistical evaluations (reports and notifications in which members are not identified) about the website's target group and the performance of the ads. By means of retargeting for visitors to our site, we can also display targeted advertising outside our website. The data collected by means of the Insight tag is not visible to us and we cannot draw any conclusions about your identity. However, LinkedIn may store and process the data for its own purposes, which may include linking it to the respective LinkedIn user profile. The provider may then use this data for its own advertising purposes. As the website operator, we have no influence on this processing. Further information on data protection at LinkedIn can be found at the following link: https://de.linkedin.com/legal/privacy-policy?
The legal basis for the processing of your personal data is your prior express consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR. This consent is voluntary and can be revoked at any time with effect for the future.
As a member of LinkedIn, you also have the option of blocking data processing by LinkedIn by deactivating the setting of the corresponding cookies at www.linkedin.com. You can also refuse the use of data for advertising purposes in your LinkedIn member profile.
The transfer of personal data to a third country cannot be ruled out with this provider, as the company is based in the USA. In order to ensure an adequate level of data protection, we have concluded standard data protection clauses with the provider as an appropriate guarantee in accordance with Art. 46 (2) lit. c) GDPR. These are model contracts provided by the EU Commission that ensure that data processing complies with European data protection standards even if personal data is transferred to third countries (e.g., the US) and stored there.
Further information on LinkedIn Insight Tag can be found at: https://www.linkedin.com/help/linkedin/answer/a427660
7.15 HubSpot
We use the service provided by HubSpot, a service of HubSpot Ireland Limited, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland, on our website. We use the software for lead generation, marketing, and customer service purposes. This includes email marketing, social media publishing and reporting, contact management such as user segmentation and CRM, landing pages, and contact forms. HubSpot uses cookies that are stored locally in your web browser's cache on your device and enable an analysis of your user behavior on our website. The information collected in this process (including IP address, geographical location, type of browser, and duration of visit) is evaluated by HubSpot. We thus receive reports about website visitors and the pages they visit. The data is processed by HubSpot on our behalf and stored on HubSpot's servers. Data processing for marketing purposes is based on our legitimate interest in advertising to existing customers in accordance with Art. 6 (1) (f) GDPR in conjunction with § 7 (3) UWG (German Unfair Competition Act) and for the performance of the contract in accordance with Art. 6 (1) (b) GDPR.
The data will be deleted after the purpose has been fulfilled, subject to the statutory retention periods.
Due to the transfer of data to recipients in third countries (USA), additional protective measures must be taken to ensure an adequate level of data protection.
We have agreed standard data protection clauses with the provider in accordance with Art. 46 (2) lit. c) GDPR and also endeavor to ensure appropriate technical and organizational protective measures and contractual commitments from the recipient in the third country with regard to data security.
Further information on the handling of personal data at HubSpot can be found at the following link.
7.16 Fraud prevention using Risk.Ident
We use the services of Risk.Ident GmbH, Am Sandtorkai 50, 20457 Hamburg, Germany, for fraud prevention. The data you provide when placing an order is checked for atypical ordering behavior (e.g., simultaneous ordering of a large number of goods to the same address using different customer accounts). The following data is processed for this purpose:
- Email domain
- Internet browser
- Browser language
- Operating system
- Provider location (city, country)
- Provider name
- IP address (pseudonymized)
- Billing country
- Customer type (business or private customer)
- Value of goods
- Order value
- Contents of shipment
- Transaction date
Cookies and other tracking technologies are used to collect and process data for the purpose of identifying the end device used by the user to place an order during the order completion process (known as a transaction).
This data is stored by Risk.Ident in a global database for fraud prevention purposes. This database stores the above-mentioned data about end devices that have already been used to commit (attempted) fraud. This enables potential fraud attempts to be detected. However, this data is not assigned to specific users, but only to the end device used. Any IP addresses collected by Risk.Ident are encrypted.
When an order is placed on our website, we retrieve a risk assessment for the user's device from the Risk.Ident database. This risk assessment of the likelihood of an attempted fraud takes into account, among other things, whether the end device has dialed in via different service providers, whether the end device has a frequently changing geo-reference, how many transactions have been processed via the end device, and whether a proxy connection is being used.
The legal basis for processing is our legitimate interest in checking orders for fraud prevention in accordance with Article 6(1)(f) GDPR.
Further information on data protection at Risk.Ident can be found here: https://riskident.com/impressum/
8. Payment providers
8.1 PayPal
On our website, we offer payment via PayPal and services provided by PayPal. The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter referred to as “PayPal”).
If you choose to pay via PayPal, the payment details you enter will be transmitted to PayPal.
The transmission of your data to PayPal is based on Art. 6 (1) lit. a GDPR (consent) and Art. 6 (1) lit. b GDPR (processing for the performance of a contract). You have the option to revoke your consent to data processing at any time. A revocation does not affect the validity of data processing operations that have taken place in the past.
Further information on data protection at PayPal can be found at: https://www.paypal.com/myaccount/privacy/privacyhub
8.2 Sofortüberweisung (Sofort.)
On our website, we offer, among other things, payment via “Sofort.” The provider of this payment service is Sofort GmbH, Theresienhöhe 12, 80339 Munich (hereinafter “Sofort GmbH”).
Using the “Sofortüberweisung” procedure, we receive a payment confirmation from Sofort GmbH in real time and can immediately begin fulfilling our obligations.
If you have chosen the “Sofortüberweisung” payment method, you will transmit the PIN and a valid TAN to Sofort GmbH, which the provider can use to log into your online banking account. After logging in, Sofort GmbH automatically checks your account balance and transfers the money to us using the TAN you provided. Sofort GmbH then immediately sends us a transaction confirmation. After logging in, your transactions, the credit limit of your overdraft facility, and the existence of other accounts and their balances are also automatically checked.
In addition to the PIN and TAN, the payment details you enter and your personal data will also be transmitted to Sofort GmbH. Your personal data includes your first and last name, address, telephone number(s), email address, IP address, and any other data required for payment processing. The transmission of this data is necessary to verify your identity beyond doubt and to prevent fraud.
The transmission of your data to Sofort GmbH is based on Art. 6 para. 1 lit. a GDPR (consent) and Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract). You have the option to revoke your consent to data processing at any time. Revocation does not affect the validity of data processing operations that took place in the past.
The link to the privacy policy of Sofort GmbH can be found here: Privacy Policy Sofort GmbH
8.3 Credit card
On our website, we offer payment by credit card, among other methods. With this payment method, you have the option of paying with your MasterCard, VISA, or Amex credit card. The provider of this payment service is Stripe Payments Europe, Ltd., company number 513174, The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland (hereinafter “Stripe”).
If you have chosen to pay by credit card, you will transmit your credit card information, such as your first name, last name, card number, CVV, and the expiration date of your credit card, to Stripe.
The transmission of your data to Stripe is based on Art. 6 (1) lit. a GDPR (consent) and Art. 6 (1) lit. b GDPR (processing for the performance of a contract). You have the option to withdraw your consent to data processing at any time. Withdrawal does not affect the validity of data processing operations that took place in the past.
If you choose Apple Pay or Google Pay as your payment method, data may also be exchanged with these payment service providers during the payment process, which is also handled by Stripe.
Further information on the handling of your personal data can be found here: Privacy Policy Stripe Payments Europe, Ltd.
8.4 Payment on account, direct debit
For existing customers with a regular order volume, we also offer payment by invoice and/or SEPA direct debit upon request and after a prior credit check.
For the prior credit check, we use the services of the credit agency Creditsafe Deutschland GmbH, Schreiberhauer Straße 30, 10317 Berlin, Germany (hereinafter “Creditsafe”).
The legal basis for our use of Creditsafe's services is our legitimate interest pursuant to Article 6(1)(f) of the GDPR. This interest lies in minimizing default risks and thus preventing financial loss.
You have the option of revoking your consent to data processing at any time. A revocation does not affect the validity of data processing operations that have taken place in the past.
Further information can be found in the data protection information for credit agency data at www.creditsafe.com or at this link.
9. Recording of conversations with customers
In order to ensure and improve the quality of our service, we reserve the right to record individual customer conversations and convert them into service requests. Recordings will only be made with your consent.
We use the “CallOne” tool provided by CallOne GmbH, Hugo-Vogel-Str. 23, 14109 Berlin, to record conversations. CallOne GmbH is used as a processor within the meaning of Art. 28 GDPR. The CallOne tool is a VoIP telephone system and call center software.
The legal basis for the processing of the data is your consent in accordance with Art. 6 para. 1 lit. a) GDPR. A call recording will only be started if and to the extent that you have given your consent.
Personal data may be collected for identification, assignment, the content of the conversation, and in connection with metadata (phone numbers, time stamps, etc.). The data will only be made available to those employees who need it to fulfill the aforementioned purposes.
The recordings will be stored until your consent is revoked or you request deletion. If no revocation of consent has been declared or deletion requested, the data will be deleted no later than 3 years after the end of the year in which the order was placed.
The link to CallOne GmbH's privacy policy can be found here: CallOne GmbH privacy policy.
10. Secure data transmission
Your personal data is transmitted securely using encryption. This applies to your order and also to the customer login. We use the SSL (Secure Sockets Layer) encryption system. Furthermore, we secure our website and other systems against loss, destruction, access, modification, or distribution of your personal data by unauthorized third parties through technical and organizational measures.
11. Deletion and blocking of personal data
KAYA processes and stores personal data only for the period necessary to achieve the purpose of storage. If the purpose of storage no longer applies, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.
12. Right of access of the data subject
If you wish to exercise any of the rights mentioned in this section, you can send a message to the contact details of the controller specified in paragraph 1 at any time (e.g. by email or letter).
12.1 Right to confirmation
You have the right to request confirmation as to whether personal data concerning you is being processed by JUMiNGO.
12.2 Right to information
You have the right to obtain the following information:
- the personal data stored about you;
- the purposes of the processing;
- the categories of personal data that are processed;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed;
- the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
- the existence of a right to lodge a complaint with a supervisory authority;
- the existence of automated decision-making;
- personal data that has been transferred to a third country or to an international organization.
12.3 Right to rectification
You have the right to request the rectification of inaccurate personal data concerning you and the completion of incomplete personal data.
12.4 Right to erasure
You have the right to have personal data concerning you erased without undue delay if
- the purpose for which the personal data was collected or otherwise processed is no longer applicable;
- you withdraw your consent on which the processing is based and there is no other legal basis for the processing;
- you object to the processing and there are no overriding legitimate grounds for the processing;
- the personal data has been processed unlawfully.
12.5 Right to restriction of processing
You have the right to request the restriction of processing if
- you dispute the accuracy of the personal data, for a period enabling KAYA to verify the accuracy of the personal data;
- the processing is unlawful and you request the restriction of the use of the personal data instead of its erasure;
- the personal data is no longer required for the purposes of processing, but you require the personal data for the assertion, exercise, or defense of legal claims;
- you have objected to the processing and it is not yet clear whether your objection will result in the cessation of data processing.
12.6 Right to data portability
You have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format.
You also have the right to have the personal data transmitted directly to another controller, where technically feasible and provided that this does not adversely affect the rights and freedoms of others.
12.7 Right to object
You have the right to object to the processing of personal data concerning you on grounds relating to your particular situation.
KAYA will no longer process the personal data in the event of an objection, unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
In addition, you have the right to object to the processing of personal data concerning you for statistical purposes at KAYA for reasons arising from your particular situation, unless such processing is necessary for the performance of a task carried out in the public interest.
If you wish to exercise your right to object, you can send a message to the contact details specified in paragraph 1 or paragraph 2 at any time (e.g. by email, fax, letter).
12.8 Automated decisions in individual cases
You have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you, unless the decision is
- necessary for the conclusion or performance of a contract between you and KAYA, or
- authorized by Union law or national law and that law provides for appropriate measures to safeguard your rights and freedoms and your legitimate interests, or
- based on your express consent.
12.9 Right to withdraw consent to data processing
You have the right to withdraw your consent to the processing of your personal data at any time. If you wish to withdraw your consent to data processing, you can send a message to the contact details specified in paragraph 1 or paragraph 2 at any time (e.g. by email, fax, letter).
12.10 Legal basis for processing
The legal basis for data processing is the General Data Protection Regulation (GDPR) and the country-specific data protection regulations applicable to KAYA (BDSG-(new)).
If the processing of personal data is based on the consent of the data subject, Art. 6 para. 1 lit. a) EU General Data Protection Regulation (GDPR) serves as the legal basis. If the processing of personal data is necessary for the performance of a contract or for the implementation of pre-contractual measures, Art. 6 para. 1 lit. b) GDPR serves as the legal basis. If the processing of personal data is necessary for the fulfillment of a legal obligation to which KAYA is subject, Art. 6 para. 1 lit. c) GDPR serves as the legal basis. If the processing of personal data is necessary to safeguard a legitimate interest of KAYA or a third party and the interests, fundamental rights, and freedoms of the data subject do not override the interests of KAYA or a third party, Art. 6 para. 1 lit. f) GDPR serves as the legal basis for the processing.