Privacy policy

Privacy Policy

1. Information on the Collection of Personal Data (1) In the following, we inform you about the collection of personal data when using our website and in the context of our services and offerings. Personal data refers to all data that can be personally related to you, e.g., name, address, email addresses, and user behavior.

(2) The controller according to Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is:

H.C.C. Hanseatic Coffee Company GmbH, Luruper Chaussee 125, 22761 Hamburg, Germany, +49 408908430, info@hanseatic-coffee.com

Further contact options can be found in our provider identification ("Impressum").

(3) When you contact us via email or through a contact form, the data you provide (your email address, your name, and telephone number if applicable) will be stored by us to respond to your inquiries. We delete the data that arises in this context once the storage is no longer necessary, or limit the processing if legal retention obligations exist.

(4) If we need to rely on commissioned service providers for individual functions of our offering or wish to use your data for advertising purposes, we will inform you in detail below about the respective processes. In doing so, we will also specify the criteria for the storage duration.

2. Your Rights (1) You have the following rights regarding your personal data towards us:

  • Right of access,
  • Right to rectification or erasure,
  • Right to restriction of processing,
  • Right to object to processing,
  • Right to data portability.

(2) You also have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data by us.

3. Collection of Personal Data When Visiting Our Website (1) If you use our website purely for informational purposes, i.e., if you do not register or otherwise transmit information to us, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and ensure stability and security (the legal basis is Art. 6 (1) sentence 1 lit. f GDPR):

  • IP address,
  • Date and time of the request,
  • Time zone difference to Greenwich Mean Time (GMT),
  • Content of the request (specific page),
  • Access status/HTTP status code,
  • Amount of data transmitted,
  • Website from which the request originates,
  • Browser,
  • Operating system and its interface,
  • Language and version of the browser software.

(2) In addition to the aforementioned data, cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard drive assigned to the browser you are using and through which certain information flows to the entity setting the cookie (in this case, us). Cookies cannot execute programs or transfer viruses to your computer. They serve to make the internet offering more user-friendly and effective overall.

(3) Use of Cookies:

Our websites use cookies and similar technologies. Cookies are small text files stored by the internet browser on the user’s device. A cookie usually contains a characteristic string that allows the browser to be uniquely identified when returning to the website.

Cookies are used to make the website more user-friendly, optimize the website’s functions and services, and provide you with tailored content.

The purpose of using technically necessary cookies is to enable and simplify the use of the website and the functions provided by it. Some functions of this website cannot be offered without the use of cookies. The user data collected by technically necessary cookies is not used to create user profiles.

Additionally, with your separate consent, cookies can be used to provide external media, such as videos and maps, and to analyze website usage and offer additional functions.

You can disable or restrict the use of cookies by changing your browser settings. Stored cookies can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may no longer be possible to fully use all functions of the website.

The legal basis for processing personal data using technically necessary cookies is Art. 6 (1) lit. f GDPR, where the legitimate interest of the controller lies in the secure, stable, and efficient provision of the website’s functions and the information available through it. If the controller fulfills a contractual obligation towards you with the respective function, the legal basis is Art. 6 (1) lit. b GDPR.

The legal basis for processing personal data using cookies for analysis and other non-technically necessary processing purposes is, in the event of user consent, Art. 6 (1) lit. a GDPR in conjunction with § 25 TTDSG.

Shopify

We use the Shopify system provided by Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland (“Shopify”) for hosting and displaying the online shop based on processing on our behalf. All data collected on our website is processed on Shopify’s servers. As part of these services provided by Shopify, data may also be transmitted for further processing to Shopify Inc., 150 Elgin St, Ottawa, ON K2P 1L4, Canada, Shopify Data Processing (USA) Inc., Shopify Payments (USA) Inc., or Shopify (USA) Inc. In the event of data transmission to Shopify Inc. in Canada, an adequate level of data protection is ensured by the European Commission’s adequacy decision. Further information about Shopify’s data protection can be found on the following website: https://www.shopify.com/legal/privacy.

4. Inquiries/Orders/Transactions

In addition to purely informational use of our services, you can send us inquiries and place orders. Typically, you must provide additional personal data, which we process to handle your request, respond to your inquiries, fulfill contracts concluded with you, and manage any resulting tasks, such as handling warranty cases, asserting claims, or responding to reviews. Additionally, we process personal data as needed to meet legal obligations, such as our tax and commercial documentation and retention obligations.

Data is only shared with third parties to the extent necessary to fulfill our contractual obligations to you (Art. 6 (1) sentence 1 lit. b GDPR), such as forwarding your address to a logistics partner or shipping company so that they can ship the goods you ordered. Additionally, we share personal data if required to process payments or fulfill legal obligations.

The legal basis for processing your data is your consent under Art. 6 (1) lit. a GDPR. If processing is necessary for fulfilling a contract to which the data subject is a party or for taking pre-contractual steps, the legal basis for processing the data is Art. 6 (1) lit. b GDPR. We process personal data to handle non-contractual requests or to respond appropriately to reviews to maintain effective communication, evaluate reviews, improve our customer service, optimize our offerings, and maintain customer relationships, as well as to resolve technical issues. These purposes constitute our legitimate interests under Art. 6 (1) lit. f GDPR. When processing personal data to fulfill a legal obligation, the legal basis is Art. 6 (1) lit. c GDPR.

We also reserve the right to process personal data in individual cases if it is necessary, for example, to pursue abusive or fraudulent actions, trace and resolve functional or security issues. These purposes then constitute our legitimate interest under Art. 6 (1) lit. f GDPR.

Registration

On our website, users can register by providing personal data. The data is entered into a form and transmitted to us and stored. Data is only shared with third parties to the extent necessary to fulfill our contractual obligations to you (Art. 6 (1) sentence 1 lit. b GDPR). The registration form’s information is stored during the registration process. The legal basis for processing the data is user consent under Art. 6 (1) lit. a GDPR. If registration is for fulfilling a contract to which the user is a party or for taking pre-contractual measures, the legal basis for processing the data is Art. 6 (1) lit. b GDPR.

When entering into a contractual relationship on our website, we ask for the following personal data:

  • Data that identifies you personally, such as your name and email address.
  • Additional personal data that we are legally required or permitted to collect and process for your authentication, identification, or verification of the data we collect.

The aforementioned data is processed to manage the contractual relationship. Processing is carried out based on Art. 6 (1) lit. b GDPR. The retention period is limited to the contractual purpose and, where applicable, legal and contractual retention obligations.

Paypal

We use the PayPal Checkout payment service provided by PayPal (Europe) S.à.r.l. et Cie, S.C.A., (22-24 Boulevard Royal L-2449, Luxembourg; “PayPal”) on our website. The data processing serves the purpose of providing you with the payment service. When you select and use payment via PayPal, credit card via PayPal, direct debit via PayPal, or “Pay Later” via PayPal, the data required for payment processing is transmitted to PayPal to fulfill the contract with you using the chosen payment method. This processing is based on Art. 6 (1) lit. b GDPR.

Credit Card via PayPal, Direct Debit via PayPal & "Pay Later" via PayPal

For certain payment methods like credit card via PayPal, direct debit via PayPal, or "Pay Later" via PayPal, PayPal reserves the right to obtain a credit report based on mathematical-statistical procedures using credit bureaus. For this purpose, PayPal transmits the personal data required for a credit check to a credit bureau and uses the received information about the statistical probability of a payment default to make a balanced decision on the establishment, execution, or termination of the contractual relationship. The credit report may include probability values (score values) based on scientifically recognized mathematical-statistical procedures, which include address data in their calculation. Your legitimate interests are taken into account in accordance with legal regulations. The data processing serves the purpose of credit checks for initiating a contract. The processing is based on Art. 6 (1) lit. f GDPR from our overriding legitimate interest in protecting against payment defaults when PayPal advances payment.

You have the right to object at any time, for reasons arising from your particular situation, to this processing of your personal data based on Art. 6 (1) lit. f GDPR by notifying PayPal. The provision of data is necessary for concluding the contract with your desired payment method. Failure to provide the data may result in the contract not being concluded using the desired payment method.

Third-Party Providers

When paying via a third-party provider’s payment method, the data required for payment processing is transmitted to PayPal. This processing is based on Art. 6 (1) lit. b GDPR. To process this payment method, PayPal may forward the data to the relevant provider. This processing is based on Art. 6 (1) lit. b GDPR. Local third-party providers may include:

  • Sofort (SOFORT GmbH, Theresienhöhe 12, 80339 Munich, Germany)
  • giropay (Paydirekt GmbH, Stephanstr. 14-16, 60313 Frankfurt am Main, Germany)

Purchase on Account via PayPal

When paying via the purchase on account payment method, the data required for payment processing is first transmitted to PayPal. PayPal then forwards the data to Ratepay GmbH (Franklinstraße 28-29, 10587 Berlin; “Ratepay”) to fulfill the contract with you using the chosen payment method. This processing is based on Art. 6 (1) lit. b GDPR. Ratepay may conduct a credit check using mathematical-statistical procedures (probability or score values) with credit bureaus as previously described. The data processing serves the purpose of credit checks for contract initiation. The processing is based on Art. 6 (1) lit. f GDPR from our overriding legitimate interest in protecting against payment defaults when Ratepay advances payment. More information on data protection and which credit bureaus Ratepay uses can be found at https://www.ratepay.com/legal-payment-dataprivacy/ and https://www.ratepay.com/legal-payment-creditagencies/.

Further information on data processing when using PayPal can be found in the associated privacy policy at https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

Klarna Payment Options

To offer you Klarna’s payment options, we will transmit personal data, such as contact details and order details, to Klarna. This allows Klarna to assess whether you can use the payment options offered through Klarna and tailor them to your needs. General information on Klarna is available at https://www.klarna.com/de/. Your personal information will be handled by Klarna in accordance with applicable data protection regulations and as detailed in Klarna’s privacy policy at https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_de/privacy.

Stripe

All Stripe transactions are subject to the Stripe privacy policy, which can be found at https://stripe.com/de/privacy.

5. Objection or Withdrawal of Consent to Data Processing (1) If you have given consent to process your data, you can withdraw it at any time. Such a withdrawal affects the permissibility of processing your personal data after you have expressed it to us.

(2) Where we base the processing of your personal data on a balancing of interests, you may object to the processing. This is the case if the processing is not necessary, in particular, to fulfill a contract with you, which is described in the following function descriptions. If you exercise such an objection, we ask that you explain why we should not process your personal data as we have done. In the event of a justified objection, we will review the situation and either stop or adjust the data processing or show you our compelling legitimate grounds on which we continue the processing.

(3) You can, of course, object to the processing of your personal data for advertising and data analysis purposes at any time. You can inform us of your objection to advertising using the contact details provided above.

6. Web Tracking and Advertising Google Tag Manager

We use Google Tag Manager, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a tool that allows us to embed tracking or analytics tools and other technologies on our website. Google Tag Manager itself does not create user profiles, store cookies, or carry out independent analyses. It is merely used to manage and display the tools integrated via it. However, Google Tag Manager collects your IP address, which may be transmitted to Google’s parent company in the United States.

The use of Google Tag Manager is based on Art. 6 (1) lit. f GDPR. The website operator has a legitimate interest in a quick and uncomplicated integration and management of various tools on their website. If appropriate consent has been requested, the processing is carried out exclusively based on Art. 6 (1) lit. a GDPR and § 25 (1) TTDSG, as far as the consent includes the storage of cookies or access to information on the user’s device (e.g., device fingerprinting) within the meaning of TTDSG. The consent can be withdrawn at any time.

Google Analytics

This website uses functions of the web analytics service Google Analytics. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics allows the website operator to analyze the behavior of website visitors. In doing so, the website operator receives various usage data, such as page views, duration of visits, operating systems used, and the origin of users. This data is assigned to the respective user’s device. No association with a user ID occurs.

We can also use Google Analytics to record your mouse and scroll movements and clicks. Google Analytics also uses various modeling approaches to supplement the collected data sets and employs machine learning technologies in the data analysis.

Google Analytics uses technologies that enable the recognition of the user for the purpose of analyzing user behavior (e.g., cookies or device fingerprinting). The information collected by Google about the use of this website is generally transmitted to and stored on a Google server in the USA.

The use of this service is based on your consent according to Art. 6 (1) lit. a GDPR and § 25 (1) TTDSG. The consent can be withdrawn at any time.

The data transfer to the USA is based on the EU Commission’s standard contractual clauses. Details can be found here: https://privacy.google.com/businesses/controllerterms/mccs/.

Browser Plugin

You can prevent the collection and processing of your data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.

More information on how Google Analytics handles user data can be found in Google’s privacy policy: https://support.google.com/analytics/answer/6004245?hl=en.

Google Analytics E-Commerce Tracking

This website uses the "e-commerce tracking" feature of Google Analytics. E-commerce tracking allows the website operator to analyze the purchasing behavior of website visitors to improve their online marketing campaigns. Information such as the orders placed, average order values, shipping costs, and the time from viewing to purchasing a product is collected. This data can be summarized by Google under a transaction ID associated with the respective user or their device.

Google Ads

The website operator uses Google Ads, an online advertising program from Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Ads allows us to display advertisements in the Google search engine or on third-party websites when the user enters specific search terms in Google (keyword targeting). Additionally, targeted advertisements can be displayed based on the user’s data available with Google (e.g., location data and interests) (audience targeting). We can evaluate this data quantitatively by analyzing which search terms led to displaying our advertisements and how many ads resulted in clicks.

The use of this service is based on your consent according to Art. 6 (1) lit. a GDPR and § 25 (1) TTDSG. The consent can be withdrawn at any time.

Data transfer to the USA is based on the EU Commission’s standard contractual clauses. Details can be found here: https://policies.google.com/privacy/frameworks and https://privacy.google.com/businesses/controllerterms/mccs/.

Google Ads Remarketing

This website uses the features of Google Ads Remarketing. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Ads Remarketing allows us to categorize people who interact with our online offering into certain target groups so that they can be subsequently shown interest-based advertising within the Google advertising network (remarketing or retargeting).

Furthermore, the advertising target groups created with Google Ads Remarketing can be linked with the cross-device features of Google. This allows interest-based, personalized advertising messages that have been adapted to you based on your previous usage and browsing behavior on one device (e.g., mobile phone) to be displayed on another of your devices (e.g., tablet or PC).

If you have a Google account, you can opt-out of personalized advertising at the following link: https://www.google.com/settings/ads/onweb/.

The use of this service is based on your consent according to Art. 6 (1) lit. a GDPR and § 25 (1) TTDSG. The consent can be withdrawn at any time.

Further information and the privacy policy can be found in Google’s privacy policy at: https://policies.google.com/technologies/ads?hl=en.

Google Conversion Tracking

This website uses Google Conversion Tracking. The provider of this service is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

With the help of Google Conversion Tracking, Google and we can recognize whether the user has performed certain actions. For example, we can evaluate which buttons on our website were clicked and which products were particularly frequently viewed or purchased. This information is used to create conversion statistics. We learn the total number of users who clicked on our ads and what actions they took. We do not receive any information that personally identifies the user. Google itself uses cookies or comparable recognition technologies for identification purposes.

The use of this service is based on your consent according to Art. 6 (1) lit. a GDPR and § 25 (1) TTDSG. The consent can be withdrawn at any time.

More information about Google Conversion Tracking can be found in Google’s privacy policy: https://policies.google.com/privacy?hl=en.

META-PIXEL (formerly: Facebook Pixel)

This website uses the Facebook/Meta visitor action pixel for conversion measurement. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. According to Facebook, the data collected is also transferred to the USA and other third countries.

This allows the behavior of site visitors to be tracked after they click on a Facebook advertisement and are redirected to the provider’s website. This allows the effectiveness of Facebook advertisements to be evaluated for statistical and market research purposes and future advertising measures to be optimized.

The collected data is anonymous to us as the operator of this website; we cannot draw any conclusions about the identity of users. However, the data is stored and processed by Facebook, enabling a connection to the respective user profile and allowing Facebook to use the data for its advertising purposes, as specified in the Facebook data use policy (https://www.facebook.com/about/privacy/). This allows Facebook to display advertisements on Facebook pages as well as outside of Facebook. This data usage cannot be influenced by us as the site operator.

The use of this service is based on your consent according to Art. 6 (1) lit. a GDPR and § 25 (1) TTDSG. The consent can be withdrawn at any time.

Where personal data is collected on our website using the tool described above and forwarded to Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art. 26 GDPR). Joint responsibility is limited solely to the collection of the data and its transmission to Facebook. The processing by Facebook after forwarding is not part of joint responsibility. The obligations we share were set out in an agreement on joint processing. The wording of the agreement can be found here: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing the privacy information when using the Facebook tool and for the legally compliant implementation of the tool on our website. Facebook is responsible for the data security of Facebook products. Data subject rights (e.g., access requests) regarding data processed by Facebook can be asserted directly with Facebook. If you assert the rights with us, we are obliged to forward them to Facebook.

Data transfer to the USA is based on the EU Commission’s standard contractual clauses. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://www.facebook.com/help/566994660333381.

Further information on data protection can be found in Facebook’s privacy policy: https://www.facebook.com/about/privacy/.

You can also disable the “Custom Audiences” remarketing feature in the ad settings section at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. You need to be logged into Facebook to do this.

If you do not have a Facebook account, you can opt out of usage-based advertising from Facebook on the European Interactive Digital Advertising Alliance website: http://www.youronlinechoices.com/de/praferenzmanagement/.

8. Newsletters and Email Messages (1) With your consent, you can subscribe to our newsletter (if offered) to be informed about our current interesting offers. The services and products advertised are specified in the consent declaration.

(2) For registration to our newsletter, we use the so-called double opt-in procedure. This means that after your registration, we will send you an email to the specified email address, asking you to confirm that you wish to receive the newsletter. If you do not confirm your registration within 24 hours, your information will be locked and automatically deleted after one month. Additionally, we store your IP addresses used and the times of registration and confirmation. The purpose of this procedure is to prove your registration and, if necessary, clarify any possible misuse of your personal data.

(3) The only mandatory information required to send the newsletter is your email address. Providing additional, separately marked data is voluntary and used to address you personally. After your confirmation, we store your email address to send you the newsletter. The legal basis is Art. 6 (1) sentence 1 lit. a GDPR.

(4) You can withdraw your consent to receive the newsletter at any time and unsubscribe from the newsletter. You can declare your withdrawal by clicking on the link provided in every newsletter email or by sending a message to the contact details provided in the legal notice.

(5) As an existing customer, you will also receive individual product recommendations from us via email, independent of a subscribed newsletter. We use the email address you provided during purchase. To inform you about suitable products and services, we use your order data or link it with your customer account, provided you have created one with us. The legal basis for these product recommendations is Art. 6 (1) lit. f GDPR in conjunction with § 7 (3) UWG. If you no longer wish to receive individual product recommendations from us, you can deactivate this service at any time in your customer account, use the unsubscribe function at the end of each recommendation email, or send us an email at info@hanseatic-coffee.com to unsubscribe.

(6) This website uses Brevo (formerly Sendinblue) for sending newsletters and promotional emails. The provider is Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany. Brevo is a service used to organize and analyze newsletter distribution. The data you provide for the purpose of subscribing to the newsletter (e.g., email address) is stored on Brevo’s servers in Germany.

Our newsletters sent via Brevo allow us to analyze the behavior of newsletter recipients. For example, it can be analyzed how many recipients opened the newsletter message and how often which link was clicked within the newsletter. Conversion tracking can also be used to analyze whether a predefined action (e.g., purchasing a product on our website) took place after clicking a link in the newsletter.

Data processing is based on your consent (Art. 6 (1) lit. a GDPR). You can withdraw this consent at any time by unsubscribing from the newsletter. The legality of the data processing carried out remains unaffected by the withdrawal.

If you do not want Brevo to analyze your usage, you must unsubscribe from the newsletter. We provide a corresponding link in every newsletter message. You can also unsubscribe directly on the website.

The data you provide to receive the newsletter will be stored by us until you unsubscribe from the newsletter and will be deleted from both our servers and Brevo’s servers after you unsubscribe. Data that is stored for other purposes with us remains unaffected.

For more details, please refer to Brevo’s privacy policy at: https://www.brevo.com/de/legal/privacypolicy/.

9. Linked Content / Sharing Features Our website contains links to third-party websites. The respective privacy policies and data protection notices of the respective operators of the linked websites apply. We point out that we are not responsible for data processing practices on third-party platforms outside our own control.

10. Data Protection for Applications and in the Application Process The controller collects and processes the personal data of applicants for the purpose of managing the application process.

Personal data processing as part of the application process generally occurs electronically.

For employment relationships and other activities for the controller: If the controller concludes an employment contract with an applicant, the transmitted data will be stored for the purpose of managing the employment relationship in compliance with legal provisions. If the controller does not conclude an employment contract with the applicant, the application documents will be automatically deleted four months after the rejection decision, unless deletion conflicts with other legitimate interests of the controller. Other legitimate interest in this sense could be, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act (AGG). The legal basis for processing personal data from applicants is § 26 of the Federal Data Protection Act (BDSG) in conjunction with Art. 6 (1) lit. b, 88 GDPR, and, where processing is necessary to meet legal requirements, Art 6. (1) lit. c GDPR, and where the data subject's consent forms the basis of the processing, Art. 6 (1) lit. a GDPR in conjunction with § 26 BDSG.

If the application is not successful, the personal data will be deleted after a period of four months. With separately obtained consent from the data subject, storage for a longer period for later consideration for vacancies may occur.

11. Service Providers We partially use external service providers (data processors) to process your data. These have been carefully selected and commissioned by us, are bound by our instructions, and are regularly monitored.

If our service providers or partners are based in a country outside the European Economic Area (EEA), we inform you of the consequences of this circumstance in the description of the offer.

12. Deletion Unless otherwise stated in the specific information above, the controller processes personal data according to legal regulations for the respective purposes described here and only as long as a personal identification of the data subject is required for the respective purpose. Subsequently, deletion or data protection-compliant neutralization/anonymization takes place.

Status: November 2023