DATA PROTECTION

Privacy Policy

We welcome you to our website and appreciate your interest. Protecting your personal data is an important concern for us. Therefore, we conduct our activities in compliance with applicable legal regulations regarding the protection of personal data and data security. Below, we would like to inform you about which data from your visit is used for which purposes.

Controller for Processing under the GDPR

The controller within the meaning of the General Data Protection Regulation and other data protection laws applicable in the member states of the European Union, as well as other regulations related to data protection, is:

G-IN GmbH
Marienstr. 37
70178 Stuttgart
https://www.olakala.de/
support@olakala.de

Data Protection Officer

Nils Möllers
Keyed GmbH
Siemensstraße 12
48341 Altenberge, Westfalen
info@keyed.de
+49 (0) 2505 - 639797
https://keyed.de

What Are Personal Data?

The term "personal data" is defined in the Federal Data Protection Act (BDSG) and the EU General Data Protection Regulation (GDPR). According to these regulations, personal data refer to individual details about the personal or factual circumstances of a specific or identifiable natural person. This includes, for example, your legal name, address, phone number, or date of birth. You can learn more about what data protection means [here].

Scope of Anonymous Data Collection and Processing

Unless otherwise stated in the following sections, no personal data is generally collected, processed, or used when visiting our website. However, through the use of analytics and tracking tools, we obtain certain technical information based on data transmitted by your browser (such as browser type/version, operating system used, pages visited on our website including duration of visit, and the previously visited website). These data are analyzed solely for statistical purposes.

Relevant Legal Bases for Processing Personal Data

If we obtain the consent of the data subject for processing personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for processing.

For the processing of personal data necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations required for pre-contractual measures.

If the processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Article 6(1)(c) GDPR serves as the legal basis.

In cases where processing personal data is necessary to protect the vital interests of the data subject or another natural person, Article 6(1)(d) GDPR serves as the legal basis.

If processing is necessary for the purposes of the legitimate interests of our company or a third party, and these interests are not overridden by the interests, fundamental rights, or freedoms of the data subject, Article 6(1)(f) GDPR serves as the legal basis for processing.

Use of Cookies

The websites of G-IN GmbH use cookies. Cookies are data stored by the web browser on the user's computer system. These cookies can be transmitted to our website when a page is accessed, allowing for user identification. Cookies help to simplify the use of websites for users.

It is possible to object to the use of cookies at any time by adjusting the settings in the web browser. Stored cookies can also be deleted. Please note that disabling cookies may result in some features of our website not functioning fully. The user data collected in this manner is pseudonymized through technical measures, making it impossible to link the data to the accessing user. The data is not stored together with other personal data of users.

When visiting our website, users are informed via an info banner about the use of cookies for analytical purposes and are referred to this privacy policy. Users are also informed on how to prevent the storage of cookies through their browser settings.

The legal basis for processing personal data using technically necessary cookies is Article 6(1)(f) GDPR. The legal basis for processing personal data using cookies for analytical purposes, if the user has given consent, is Article 6(1)(a) GDPR. Details on the use and scope of cookies on our website can be found in our cookie banner and the relevant sections of this privacy policy.

Creation of Log Files

Each time the website is accessed, G-IN GmbH collects data and information through an automated system. This data is stored in server log files and is also saved within our system logs. These data are not stored together with other personal data of the user.

The following data may be collected:

  1. Information about the browser type and version
  2. The user's operating system
  3. The user's internet service provider
  4. The user's IP address
  5. Date and time of access
  6. Websites from which the user's system accessed our website (referrer)
  7. Websites accessed by the user's system through our website

Duration of Personal Data Storage

Personal data is stored for the duration of the respective statutory retention period. After this period expires, the data is routinely deleted unless it is required for contract initiation or contract fulfillment.

Newsletter

If you subscribe to our company's newsletter, the data entered in the respective input field will be transmitted to the data controller. The subscription to our newsletter follows a double opt-in process. This means that after subscribing, you will receive an email asking you to confirm your subscription. This confirmation is necessary to prevent unauthorized subscriptions using third-party email addresses.

When subscribing to the newsletter, the user's IP address and the date and time of registration are stored. This helps prevent the misuse of services or the user's email address. The data is not shared with unauthorized third parties. However, necessary data may be transmitted to appropriate service providers for the purpose of sending the newsletter. An exception to this occurs when there is a legal obligation to disclose the data.

The data is used exclusively for sending the newsletter. The subscription can be canceled by the user at any time. Similarly, consent for storing personal data can be revoked at any time. A corresponding unsubscribe link is included in every newsletter.

The legal basis for processing data after newsletter registration is Article 6(1)(a) GDPR, provided that the user has given consent. The legal basis for sending newsletters in connection with the sale of goods or services is § 7(3) UWG (German Act Against Unfair Competition).

Online Store

We use your personal data to process your online purchases (including handling orders and returns via our online services) and to send you notifications regarding the delivery status or any issues with the shipment of your items.

Additionally, we use your personal data to process payments, handle complaints, and manage product warranty claims. Your data is also used to verify your identity, ensure that you have reached the legal minimum age for online purchases, and match your address with external partners.

To offer multiple payment methods, we conduct analyses to determine which payment options are available to you, including reviewing your payment history and credit checks.

Data Sharing with Online Payment Service Providers

If you choose to pay using one of the online payment service providers offered during the checkout process, your contact details will be transmitted to the selected payment provider.

The legality of this data transfer is based on Article 6(1)(b) GDPR, as it is necessary for processing the selected payment method, and Article 6(1)(f) GDPR, as it serves our legitimate interest in enabling a user-friendly and efficient payment process.

The personal data transmitted to the payment service provider typically includes:

  • First and last name
  • Address
  • IP address
  • Email address
  • Other information required for order processing
  • Data related to the service, such as service type, recipient identity, invoice amount, applicable taxes, and billing details

This transfer is necessary to process payments using your selected method, particularly for identity verification, payment administration, and customer relationship management.

Please note that personal data may also be shared with service providers, subcontractors, or affiliated companies by the payment provider if necessary to fulfill contractual obligations or to process the data on their behalf.

Depending on the selected payment method (e.g., invoice or direct debit), personal data may be transmitted by the provider to credit rating agencies to assess identity and creditworthiness.

For details on which credit agencies are involved and which data is collected, processed, stored, and shared, please refer to the privacy policies of the respective providers:

Data Transfer to Third Countries

We inform you that your personal data may be transferred to servers located in third countries and processed outside the EU.

Data Retention

Your data is deleted as soon as it is no longer necessary for its intended purpose. Additionally, data is deleted when you withdraw your consent or request deletion of your personal data.

Registration on Our Website

If a user registers on our website by providing personal data, the information entered into the registration form is transmitted to and stored by the data controller for internal use only. The data is deleted once it is no longer required for its intended purpose.

During registration, the IP address, date, and time of registration are recorded to prevent misuse of the services. The data is not shared with third parties unless a legal obligation requires it.

Registered users may modify or delete their stored data at any time. Users also have the right to request informationabout their stored personal data.


Routine Deletion and Blocking of Personal Data

The data controller processes and stores personal data only as long as necessary for the purpose of storage. Storage may also occur if required by European or national laws or other regulations to which the controller is subject.

Once the storage purpose no longer applies or a legally prescribed retention period expires, personal data is routinely blocked or deleted.


Rights of the Data Subject

If your personal data is processed, you are considered a data subject under the GDPR, and you have the following rights:

Right of Access (Article 15 GDPR)

You have the right to obtain confirmation from the controller as to whether your personal data is being processed. If such processing exists, you have the right to access the following information:

  • The purposes of the processing
  • The categories of personal data being processed
  • The recipients or categories of recipients to whom your data has been or will be disclosed
  • The planned storage period or the criteria used to determine this period
  • The existence of rights to rectification, erasure, restriction, or objection
  • The existence of a complaint right to a supervisory authority
  • Information about data sources if the data was not collected from you
  • The existence of automated decision-making including profiling (Article 22 GDPR)

If your data is transferred to a third country or an international organization, you have the right to be informed about the appropriate safeguards (Article 46 GDPR) in place.

Right to Rectification (Article 16 GDPR)

You have the right to demand correction or completion of your personal data if it is incorrect or incomplete. The controller must make the correction without undue delay.

Right to Erasure (Article 17 GDPR)

(1) Right to Request Deletion

You have the right to request that the controller erase your personal data without undue delay, and the controller is obliged to delete such data immediately if one of the following conditions applies:

  • The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
  • You withdraw your consent on which the processing is based in accordance with Article 6(1)(a) or Article 9(2)(a) GDPR, and there is no other legal basis for the processing.
  • You object to the processing in accordance with Article 21(1) GDPR, and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR.
  • Your personal data has been unlawfully processed.
  • The deletion of your personal data is required to comply with a legal obligation under Union law or the law of the Member States to which the controller is subject.
  • Your personal data was collected in relation to offered services of the information society in accordance with Article 8(1) GDPR.

(2) Obligation to Inform Third Parties

If the controller has made your personal data public and is obligated to delete it pursuant to Article 17(1) GDPR, the controller shall take reasonable steps, including technical measures, taking into account available technology and implementation costs, to inform other data controllers processing your personal data that you have requested the deletion of all links to, or copies or replications of, this personal data.

3) Exceptions to the Right to Erasure

The right to erasure does not apply if the processing is necessary:

  • To exercise the right to freedom of expression and information.
  • To comply with a legal obligation that requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • For reasons of public interest in the field of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) GDPR.
  • For archival purposes in the public interest, scientific or historical research purposes, or statistical purposespursuant to Article 89(1) GDPR, insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing.
  • For the establishment, exercise, or defense of legal claims.

Right to Restriction of Processing (Article 18 GDPR)

You have the right to request the restriction of the processing of your personal data under the following conditions:

  • If you contest the accuracy of your personal data for a period that enables the controller to verify the accuracy of the data.
  • If the processing is unlawful, but you oppose the erasure of the personal data and instead request the restriction of its use.
  • If the controller no longer needs the personal data for processing purposes, but you require it for the establishment, exercise, or defense of legal claims.
  • If you have objected to processing pursuant to Article 21(1) GDPR and it has not yet been determined whether the controller’s legitimate grounds override your reasons.

If the processing of your personal data has been restricted, such data—apart from storage—may only be processed with your consent or for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or a Member State.

If the restriction of processing has been imposed under the above conditions, you will be informed by the controller before the restriction is lifted.

Right to Notification (Article 19 GDPR)

If you have exercised your right to rectification, erasure, or restriction of processing against the controller, the controller is obligated to inform all recipients to whom your personal data has been disclosed about the correction, deletion, or restriction of processing, unless this proves impossible or involves disproportionate effort.

You also have the right to be informed about these recipients by the controller.

Right to Data Portability (Article 20 GDPR)

You have the right to receive the personal data that you have provided to the controller in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided that:

  • The processing is based on consent in accordance with Article 6(1)(a) GDPR or Article 9(2)(a) GDPR, or on a contract in accordance with Article 6(1)(b) GDPR; and
  • The processing is carried out using automated means.

In exercising this right, you also have the right to have your personal data transferred directly from one controller to another, where technically feasible. This must not adversely affect the freedoms and rights of others.

The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right to Object (Article 21 GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data that is based on Article 6(1)(e) or (f) GDPR. This also applies to profiling based on these provisions.

The controller will no longer process your personal data unless they can demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, or if the processing is necessary for the establishment, exercise, or defense of legal claims.

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing, including profiling related to direct marketing.

If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

You also have the option to exercise your right to object through automated procedures that use technical specifications, particularly in connection with the use of information society services, regardless of Directive 2002/58/EC.

Right to Withdraw Consent (Article 7(3) GDPR)

You have the right to withdraw your consent for data processing at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Right to Lodge a Complaint with a Supervisory Authority (Article 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your residence, workplace, or place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.

The supervisory authority handling the complaint will inform the complainant about the status and outcome of the complaint, including the possibility of seeking a judicial remedy under Article 78 GDPR.

Automated Individual Decision-Making, Including Profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you in a similar manner.

This does not apply if the decision:

  • Is necessary for entering into or performing a contract between you and the controller;
  • Is authorized by Union or Member State law, to which the controller is subject, and that law contains suitable measures to safeguard your rights, freedoms, and legitimate interests; or
  • Is based on your explicit consent.

However, such decisions must not be based on special categories of personal data under Article 9(1) GDPR, unless Article 9(2)(a) or (g) GDPR applies and suitable measures to safeguard your rights and freedoms have been implemented.

Regarding cases (a) and (c), the controller must implement appropriate measures to protect your rights, including at least the right to obtain human intervention, to express your point of view, and to contest the decision.

Description and Purpose

This website may include third-party content, such as videos, fonts, or graphics from external websites. This always requires that the providers of this content ("third-party providers") recognize the user’s IP address, as they would not be able to send the content to the user’s browser without it. The IP address is therefore necessary for displaying this content.

We strive to use only content from providers who use the IP address solely for delivering the content. However, we have no influence over whether third-party providers store the IP address for statistical purposes. If we become aware of this, we will inform users accordingly. These integrations aim to enhance and improve our online offerings.

Legal Basis

The legal basis for embedding third-party services and content is Article 6(1)(f) GDPR. Our overriding legitimate interest lies in ensuring the proper display of our online presence and providing user-friendly and economically efficient services. Further details can be found in the respective privacy policies of the third-party providers.

Contractual or Legal Obligation for Providing Personal Data

The provision of personal data is neither legally nor contractually required, nor is it necessary for entering into a contract. Users are not obliged to provide personal data. However, failure to provide this data may result in limited functionality of the respective features.

Data Transfer to Third Countries

The controller may transfer personal data to a third country. In general, the controller ensures an adequate level of protection for such processing through various appropriate safeguards, such as:

  • Adequacy decisions
  • Binding corporate rules
  • Approved codes of conduct
  • Standard contractual clauses
  • Approved certification mechanisms

pursuant to Article 46(2)(a)–(f) GDPR.

If the controller transfers data to a third country based on Article 49(1)(a) GDPR, users will be informed of the potential risks associated with such data transfers.

There is a risk that the recipient country may not provide the same level of data protection as in the European Union. For example, this could be the case if:

  • The EU Commission has not issued an adequacy decision for the respective third country.
  • Certain agreements between the EU and the respective third country have been declared invalid.
  • The country has surveillance laws that do not sufficiently protect EU fundamental rights (e.g., USA).

In such cases, it is the responsibility of the controller and recipient to evaluate whether the rights of affected individuals are sufficiently protected and effectively enforceable in the third country.

The General Data Protection Regulation (GDPR) ensures that the level of protection for natural persons remains consistent across the EU, even when personal data is transferred to controllers, processors, or other recipients in third countries or international organizations.

Additional Website Features

Shopify International Ltd.

Description and Purpose

We use Shopify, a service provided by Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland, to create and host our website.

When you visit our website, Shopify collects your IP address, information about your device and browser, as well as visitor numbers, sources, and customer behavior to generate user statistics.

If you make a purchase on our website, Shopify also collects:

  • Your name
  • Your email address
  • Your shipping and billing addresses
  • Your payment details
  • Other purchase-related data (e.g., phone number, transaction amount, etc.)

Shopify uses cookies to analyze visitor behavior.

Legal Basis

The legal basis for processing your personal data is your consent (Article 6(1)(a) GDPR).

Additionally, processing may also occur based on our legitimate interest (Article 6(1)(f) GDPR), which is to ensure the efficient and visually appealing presentation of content on our website.

Recipient

The recipient of your personal data is:

Shopify International Limited
Victoria Buildings, 2nd Floor,
1-2 Haddington Road,
Dublin 4, D04 XN32, Ireland.

Data Transfer to Third Countries

No personal data is transferred to a third country. However, we are aware of our responsibility and regularly monitor regulatory and legal changes.

If a data transfer to a third country takes place, we will update this information as soon as possible.

Duration of Data Storage

Your data will be deleted as soon as it is no longer required for the purpose for which it was collected. Additionally, data will be deleted if you exercise your right to erasure in accordance with Article 17(1) GDPR.

Right to Withdraw Consent

You have the right to withdraw your consent at any time, as per Article 7(3) sentence 1 GDPR. This can be done informally and without providing any reasons, and it takes effect for the future. The withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

For more information, please refer to the section "Rights of the Data Subjects" in this privacy policy.

Right to Object

According to Article 21(1) GDPR, you have the right to object at any time to the processing of your personal data. If you exercise this right, processing for this purpose will no longer take place.

For more information, please refer to the section "Rights of the Data Subjects" in this privacy policy.

Contractual and Legal Obligation

There is no contractual or legal obligation to provide your data.

Additional Privacy Information

For further details on the processing of your personal data, please visit:
🔗 Shopify Privacy Policy

Google Analytics and Conversion Tracking

Description and Purpose

This website uses the Google Analytics service provided by Google LLC to analyze website usage. This service uses cookies—text files stored on your device. The information collected by these cookies is generally sent to and stored on a Google server in the USA.

If necessary, Google Analytics is used with the "gat._anonymizeIp();" function on this website to enable IP anonymization (IP masking).

IP Anonymization

The IP address of users is truncated within EU member states and the European Economic Area (EEA). This removes the direct personal reference of your IP address.

As part of data processing agreements with website operators, Google LLC compiles reports on website usage and online activity and provides related internet usage services.

Legal Basis

The legal basis for processing your personal data is Article 6(1)(a) GDPR, unless IP anonymization ("gat._anonymizeIp();") is applied.

If IP anonymization is used, the processing is based on Article 6(1)(f) GDPR, as our legitimate interest lies in the hosting of this website.

Recipient

The recipient of your personal data is:

Google LLC
📍 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Data Transfer to Third Countries

Your personal data is transferred to the USA. The transfer is subject to appropriate safeguards in accordance with Article 46 GDPR.

Additionally, we recognize our responsibility and implement further necessary measures to ensure the protection of personal data and safeguard the rights and freedoms of natural persons.

Duration of Data Storage

Your data will be deleted as soon as it is no longer needed for the purpose of its collection. Additionally, data will be deleted if you exercise your right to erasure in accordance with Article 17(1) GDPR.

Right to Withdraw and Object

🔹 You have the right to withdraw your consent to non-anonymized data collection at any time, in accordance with Article 7(3) sentence 1 GDPR. This can be done informally and without providing any reasons, and it takes effect for the future.

🔹 The withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

For further details, please refer to the section "Rights of the Data Subjects" in this privacy policy.

If data is anonymized, you have the right to object to the processing of your personal data at any time, in accordance with Article 21(1) GDPR. If you exercise this right, processing for this purpose will no longer take place.

For further details, please refer to the section "Rights of the Data Subjects" in this privacy policy.

Contractual and Legal Obligation

There is no contractual or legal obligation to provide your data.

Additional Privacy Information

For further details on the processing of your personal data, please visit:
🔗 Google Privacy Policy