Thank you for visiting our Website and your interest in our company. The protection of your personal data is an important concern for us. Below, in accordance with Articles 12 and 13 of the General Data Protection Regulation (GDPR), we would like to provide you with information about how we handle your personal data when you use our Website https://spilanthox.shop (hereinafter: the “Website”).
Personal data means individual details of the personal or material circumstances of an identified or identifiable natural person. This includes information such as their name, address, telephone number and date of birth.
NB Green Cosmetics GmbH
(Nikki Benett Green Group)
22765 Hamburg, Germany
- Purposes and legal bases of data processing when using the Website
2.1 Informational use of the Website
You can visit our Website without providing any personal information. If you use our Website for informational purposes only, i.e. you do not register for a customer account or newsletter, place an order or otherwise provide us with information about you, we do not process any personal data, with the exception of the data transmitted by your browser to enable you to visit the Website as well as information that is transmitted to us through the cookies used.
2.2 Technical provision of the Website
For the purpose of the technical provision of the Website, our system (i.e. the web server) automatically collects information from your browser every time you visit the Website.
It is necessary for our system to store your IP address temporarily to enable the Website to be transmitted to your computer. For this purpose, the user’s IP address must be stored for the duration of the session.
IP addresses are stored in log files to guarantee the functionality of our Website. We also use this data to improve the Website and to guarantee the security of our IT systems (e.g. detection of attacks).
The following information is thereby collected:
- IP address;
- Browser type/version (e.g. Firefox 59.0.2 (64 bit));
- Browser language (e.g. German);
- Operating system used (e.g. Windows 10);
- Internal resolution of the browser window;
- Screen resolution;
- Java on/off;
- Cookies enabled/disabled;
- Colour depth;
- Time of access;
- The previous website from which you accessed ours.
We process your personal data for the technical provision of our Website on the following legal bases:
- For the technical provision of our Website in accordance with Section 25(2)(2) of the German Telecommunications Data Protection Act (Teledienstedatenschutzgesetz, TTDSG) because it is absolutely necessary to process the aforementioned data so that we can enable you to use our Website as expressly desired (i.e. including with or without cookies);
- For the performance of a contract or for the implementation of pre-contractual measures in accordance with Article 6(1)(b) GDPR, if you visit our Website to find out about our products;
- In our legitimate interests in accordance with Article 6(1)(f) GDPR, in order to make the Website available to you securely from a technical point of view.
2.3.1 CookieFirst Consent Manager
The CookieFirst Consent Manager processes your personal data in order to record your decision on whether to allow cookies and to store this for any further visits to our Website. This includes the relevant cookie with your choice of consent and other usage data such as your IP, the browser used, the language and country, and the website visited.
Specifically, the CookieFirst Consent Manager includes the following cookies:
Shopify. Used in conjunction with the customer login.
This cookie contains information on the currency in which the website visitor would like to pay.
The cookie is used for the secure checkout and payment function on the Website. This function is provided by shopify.com.
The cookie is used for the secure checkout and payment function on the Website. This function is provided by shopify.com.
This cookie is usually provided by Shopify and used in conjunction with a purchased item.
This cookie stores your cookie settings for this Website. You can change these or withdraw your consent at any time.
This cookie contains your unique ID so that CookieFirst can identify specific visitors to this Website.
Shopify Analytics in relation to marketing and recommendations.
This cookie is linked to the Shopify analytics suite.
Shopify Analytics in relation to marketing and recommendations.
This cookie is used to track, report and analyse landing pages.
Registers a unique ID in order to store statistics on which YouTube videos the user has watched.
YouTube can use this cookie to monitor bandwidth usage.
Cookies from third-party providers. These provide certain Google functions and can store certain settings based on patterns of use and personalise the ads that appear in Google search queries.
Provider: Google Inc
This cookie is used to monitor user localisation.
We process your personal data for the technical provision of our Website on the basis of the following legal principles:
- with your consent in accordance with Section 25(1) TTDSG in respect of the initial storage and reading of data, where advertising and tracking cookies are concerned;
- for the technical provision of CookieFirst consent management in accordance with Section 25(2)(2) TTDSG because it is absolutely necessary to process the aforementioned data so that we can enable you to use our Website as expressly desired (with or without cookies);
- in our legitimate interests in accordance with Article 6(1)(f) GDPR, in order to make the Website available to you from a technical point of view;
- to comply with a legal obligation under the GDPR in accordance with Article 6(1)(c) GDPR in respect of the provision of an option to give consent and the documentation of your decision.
When you visit our Website, your browsing behaviour may be statistically analysed. This is mainly done using cookies and what are known as analytics programs. This enables us to improve the quality of our Website and its content. We learn how the Website is used and are thus able to constantly optimise our online presence. More detailed information on this is provided below.
We process your personal data on the following legal bases:
- with your consent in accordance with Section 25(1) TTDSG in respect of the initial storage and reading of data;
- with your consent in accordance with Article 6(1)(a) GDPR for further data processing (e.g. provision of functions, analytics, tracking, optimisation).
You can withdraw your consent via our CookieFirst Consent Manager at any time with effect for the future. You can access the CookieFirst Consent Manager from any page with just one click and withdraw your consent by adjusting your settings accordingly. To withdraw your consent and/or adjust your cookie settings, you can also open the CookieFirst Consent Manager via the following link:
Adjust cookie settings/withdraw consent
GOOGLE ANALYTICS
We have activated the IP anonymisation function on this Website. This means that your IP address will be shortened by Google within Member States of the European Union or in other contracting states of the Agreement on the European Economic Area prior to transfer to the USA. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. Google uses this information on behalf of the operator of this Website to analyse your use of the Website in order to compile reports on website activities and provide other services related to website and Internet use to the website operator. The IP address sent by your browser within the scope of Google Analytics will not be linked to any other data held by Google.
You can stop cookies being stored via the corresponding settings in your browser software; however, please note that if you do so, you may not be able to use all the functions of this Website to their full extent. You can also stop the data generated by the cookies about your use of the Website (including your IP address) being transferred to Google and being processed by Google by downloading and installing the browser plug-in available via the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
Objecting to data collection
You can stop Google Analytics collecting your data by clicking the following link. An opt-out cookie is installed that prevents the collection of your data when you visit this Website in future:
GOOGLE ADS REMARKETING
We use Google Ads Remarketing from Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google Ireland”) on our Website.
Google Ads Remarketing analyses your user behaviour on our Website (e.g. whether you click certain products/ads) to assign you to certain advertising target groups. The remarketing function enables us to display ads to users of our Website within the Google network based on their interests.
Google Ads Remarketing also enables the advertising target groups that are created to be linked up with the multi-device functions from Google Ireland. This means that personalised ads related to your interests that have been adapted based on your previous usage and browsing behaviour on one of your devices can also be displayed on another of your devices.
Google Ads Remarketing is used on the basis of the consent you give to us in accordance with Article 6(1)(a) GDPR.
Google Ireland receives this data as an independent controller, not a service provider.
The information collected via Google Ads is erased after 9 to 18 months (https://policies.google.com/technologies/ads).
The use of Google Ads Remarketing involves transferring your data to the USA. The European Commission has not made an adequacy decision in respect of data transfers to the USA. Data is transferred on the basis of standard contractual clauses that are considered appropriate safeguards for the protection of personal data which we have agreed with Google Ireland in a data processing agreement. These can be viewed at: https://business.safety.google/adscontrollerterms/
You can prevent the transfer of data to Google Ireland by downloading and installing the browser plug-in available via the following link: https://support.google.com/My-Ad-Center-Help/answer/12155656. If you have a Google account, you can object to personalised marketing via the following link: https://adssettings.google.com/.
GOOGLE ADS CONVERSION TRACKING
We use Google Ads Conversion Tracking from Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google Ireland”) on our Website.
Google Ads Conversion Tracking enables us and Google Ireland to detect whether you have performed certain actions. For example, it enables us to analyse which fields on our Website are clicked and how frequently, and which products are viewed or purchased particularly frequently. This information is used to compile conversion statistics. This tells us the total number of users that have clicked our ads and which actions they performed. If you are registered with a Google Ireland service, Google Ireland can assign the visit to your account. Even if you are not registered with Google Ireland or are not logged in, Google Ireland may discover and store your IP address.
Google Ads Conversion Tracking is used on the basis of the consent you give to us in accordance with Article 6(1)(a) GDPR.
Google Ireland receives this data as an independent controller, not a service provider.
The information collected via Google Ads Conversion Tracking is erased after 9 to 18 months (https://policies.google.com/technologies/ads).
The use of Google Ads Conversion Tracking involves transferring your data to the USA. The European Commission has not made an adequacy decision in respect of data transfers to the USA. Data is transferred on the basis of, among other things, standard contractual clauses that are considered appropriate safeguards for the protection of personal data which we have agreed upon with Google Ireland in a data processing agreement. These can be viewed at: https://business.safety.google/adscontrollerterms/
You can prevent the transfer of data to Google Ireland by downloading and installing the browser plug-in available via the following link: https://support.google.com/My-Ad-Center-Help/answer/12155656.
META PIXEL
We use the “Meta Pixel” from the social network Meta from Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (“Meta Ireland”) on our Website.
The Meta Pixel loads when you visit our Website. The Meta Pixel allows us to assign visitors to our Website to certain target groups to enable us to display appropriate ads to them on Meta. This pixel collects information on your browser session, particularly the banners and links you have clicked, a hashed version of your Meta ID and the URL viewed. If you have a Meta account and are logged in, your visit to this Website is assigned to your Meta user account. More detailed information on the Meta Pixel and how it works can be found in the Meta help section: https://www.facebook.com/business/help/651294705016616.
The Meta Pixel is used on the basis of the consent you give to us in accordance with Article 6(1)(a) GDPR.
We are responsible for the use of the Meta Pixel together with Meta Ireland. You can access the agreement on our shared responsibility in accordance with Article 26 GDPR via the following link: https://de-de.facebook.com/legal/terms/page_controller_addendum.
The use of the Meta Pixel involves transferring your data to the USA. The European Commission has not made an adequacy decision in respect of data transfers to the USA. Data is transferred on the basis of, among other things, standard contractual clauses considered appropriate safeguards for the protection of personal data, which can be viewed at: In addition to the standard contractual clauses, Meta has also implemented the following technical and organisational measures in order to protect your data: https://www.facebook.com/legal/terms/data_security_terms.
GOOGLE TAG MANAGER
We use Google Tag Manager from Google on our Website. Google Tag Manager is a solution that allows marketers to manage website tags through an interface. The Google Tag Manager service itself (which implements the tags) is a cookie-less domain and does not collect any personal data. The Google Tag Manager service triggers other tags which themselves may collect data. Google Tag Manager does not access this data. If disabled at the domain or cookie level, it will remain disabled for all tracking tags implemented with Google Tag Manager.
We integrate videos from the service YouTube provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (a subsidiary of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”). To enable videos to be displayed, the data that is required for technical reasons is processed by Google. Google is responsible for this processing. Further information on how Google handles your personal data can be found at: https://policies.google.com/privacy?hl=de.
The legal basis for the initial reading and/or storage of data is Section 25(2)(2) TTDSG because it is absolutely necessary to process the data so that we can enable you to use our Website as expressly desired (i.e. with YouTube videos). The legal basis for the initial reading and/or storage of other data that is not required for technical reasons is your consent in accordance with Section 25(1) TTDSG. Further data processing is necessary when integrating YouTube to ensure that our Website is designed as required. We also have a legitimate interest in data processing for this purpose in accordance with Article 6(1)(f) GDPR.
2.4 Active use of the Website
Aside from the purely informational use of our Website, you can also actively use our Website to order one of our products, to subscribe to a newsletter or to contact us. In addition to the aforementioned processing of your personal data during purely informational use, we also process further personal data concerning you that we need to process your order, for example.
2.4.1 User queries
To enable us to handle and respond to queries you send us, e.g. to our e-mail address or via the integrated customer chat function on the Website, we process the data you have shared with us in this regard. This includes your first name and surname, your e-mail address and order number, which we need to send you a reply, as well as other information that you send us in your message.
We process your data for the purpose of responding to your query on the following legal basis:
- If you contact us in relation to a contract to which you are a party or with regard to the implementation of pre-contractual measures, the legal basis is Article 6(1)(b) GDPR;
- To safeguard our legitimate interests in accordance with Article 6(1)(f) GDPR; we have a legitimate interest in responding to customer queries appropriately.
2.4.2 Registering for a customer account and using our online shop
On our Website, you have the option to create a customer account in order to access a restricted area for registered users where you can view and manage your orders and your delivery address. To do so, you have to register with your first name and surname, your e-mail address and a password, which you choose yourself. During the registration process, we process the data you enter into the registration form as well as your e-mail address and the password you have chosen yourself as login details. After submitting your registration details, you have to confirm your registration by means of what is known as the ‘double opt-in’ method by clicking on a link sent by e-mail. Users can change their passwords at any time under ‘Account’.
We process your data when you create a customer account on the basis of Article 6(1)(b) GDPR (formulation and performance of a contract or pre-contractual measures).
When you register, we initially store your personal data for the duration of our business relationship, specifically for the length of time for which you have a customer account. This also includes the initiation of a contract (pre-contractual legal relationship) and the execution of a contract.
On the Website, you can order products from our range. To do so, you can put items from our range in the shopping basket on the Website. The shopping basket stores all the items and the quantities of them. To make placing an order easier, we also store any incomplete orders for you so that you can complete these when you next visit.
In order to carry out the order process and implement the contract, we process the data that you provide to us when ordering. We process your data for the above purpose on the following legal basis:
- For the performance of a contract or for the implementation of pre-contractual measures in accordance with Article 6(1)(b) GDPR;
- In respect of data processing for and storage of shopping baskets also in accordance with Section 25(2)(2) TTDSG because it is absolutely necessary to process the relevant data so that we can enable you to use our Website as expressly desired (i.e. the shopping basket).
We give you various payment options on our Website when placing an order, such as payment by Visa, Mastercard, American Express, PayPal and Klarna Pay Now. For this purpose, payment data may be transferred to the payment service providers we work with. You can find further information on how payment service providers process your personal data in the relevant payment service providers’ privacy policies:
2.4.3 Shipping companies
We work with external shipping companies (e.g. DHL) to deliver orders. In order for these shipping companies to do so, we give them the following data:
- Your name
- Your delivery address
- Your Post Number (if you would like your order to be delivered to a DHL Packstation)
- Your e-mail address (in case the shipping company wants to send you an expected delivery date by e-mail).
2.4.4 Compliance with statutory regulations
We process your personal data in order to fulfil other legal obligations. This may concern order processing or business communication, for example. This includes in particular retention periods applicable under commercial, trade or tax law.
In these cases, we process your personal data on the following legal basis:
- To fulfil a legal obligation to which we are subject in accordance with Article 6(1)(c) GDPR in connection with commercial, trade or tax law, insofar as we are obliged to record and store your data.
2.4.5 Legal enforcement
We also process your personal data in order to assert our rights and enforce our legal claims. We likewise process your personal data to be able to defend ourselves against legal claims. Finally, we process your personal data to the extent that this is necessary to defend against or prosecute criminal offences.
We process your personal data for these purposes on the following legal basis:
- To safeguard our legitimate interests in accordance with Article 6(1)(f) GDPR, insofar as we assert legal claims or defend ourselves in legal disputes, or we prevent or investigate criminal offences; and/or
- Article 17(3)(e) GDPR for the establishment, exercise or defence of legal claims in the case of a potential obligation to erase personal data.
2.4.6 Promotional purposes (newsletter)
With your consent, we use your data for promotional purposes, including to send you our newsletter. To subscribe to the newsletter, we collect your e-mail address as mandatory data.
If you have given us your e-mail address when purchasing goods, we may then use this to send you a newsletter. In such a case, the newsletter will only contain direct marketing for similar goods or services to the one(s) you have purchased.
We process your data to send newsletters on the following legal bases:
- If you have given us your consent, in accordance with Article 6(1)(a) GDPR;
- If you have given us your e-mail address when purchasing goods or services or if we send you personalised marketing; to safeguard our legitimate interests in accordance with Article 6(1)(f) GDPR in conjunction with Article 7(3) of the Act against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb, UWG); our legitimate interest is based on our economic interest in carrying out marketing measures and targeted advertising.
Right to object in the case of use when entering into a contract
If we receive your e-mail address when you enter into a contract with us and we supply you with our products and you have not objected to this, we reserve the right to regularly send you offers for similar products from our range by e-mail. You can object to such use of your e-mail address at any time by sending a message using the contact details below or via a link provided for this purpose in the newsletter; this does not result in any costs other than the transmission costs in accordance with the basic tariffs.
Some sections of our Website contain links to third-party websites, e.g. to ads for YouTube videos. All third-party websites are subject to their own data privacy rules. We are not responsible for the operation of these, including how they handle data. If you send information to or through such third-party sites, you should review the privacy policies of those sites before providing them with any personally identifiable information.
- Categories of recipients
Initially, only our employees gain knowledge of your personal data.
In principle, your data is only shared with third parties if this is permitted or required by law or if you have given your consent to this. We also share your data with the service providers we use, insofar as it is necessary to do so to enable us to provide our services. In this case, we restrict the sharing of data to what is absolutely necessary to provide our services for you. In some cases, our service providers receive your data as processors and are then strictly bound by our instructions when handling your data. In some cases, the recipients act independently with your data that we transfer to them.
Below is a list of the categories of recipients of your data:
- E-commerce platform provider Shopify for using the online shop
- IT service providers and IT consultants for operating and hosting the Website
- Banks and payment service providers in respect of payment processing
- External service providers (e.g. logistics companies) for shipping the goods ordered
- Debt collection agencies and legal advisers for the assertion of our claims
- Public bodies and institutions insofar as we are legally obliged to do so
- Service providers for sending out the newsletter.
We do not share your data with any other third parties besides these.
- Transfers to third countries
If service providers in third countries are used and we are able to exert any influence over them, in addition to our written instructions we also place them under obligation to comply with the level of data protection in Europe by agreeing to EU standard contractual clauses. Alternatively, we may transfer data on the basis of binding corporate rules or an adequacy decision.
Apart from this, we do not transfer your personal data to countries outside the EU or EEA or to international organisations.
- Duration of storage
6.1 Informational use of the Website
When you use our Website for purely informational purposes, we store your personal data on our servers solely for the duration of your visit to our Website. After you have left our Website and closed your browser, your personal data is immediately erased.
Cookies installed by us based on your consent are erased after a storage period of up to 24 months. With regard to Google cookies, it may be the case that the storage period is reset to the aforementioned period if further actions are carried out. If a cookie is used for identification, you can erase this yourself at any time via your browser settings.
6.2 Active use of the Website
In the case of active use of our Website, we initially store your personal data for the duration of our business relationship. This also includes the potential future and actual initiation of a contract (pre-contractual legal relationship) and the execution of a contract.
For security reasons and for support queries, the log files created when you log in are stored for 90 days and then erased.
We process your data for the period for which you are subscribed to our newsletter or until you withdraw your consent to the newsletter being sent to you. This also includes the initiation of a contract (pre-contractual legal relationship) and the execution of a contract.
In addition, we store your personal data until any legal claims arising from the relationship with you become statute-barred, in order to use it as evidence if necessary. The limitation period is usually between 1 and 3 years, but can also be up to 30 years.
When the statute of limitations comes into effect, we delete your personal data, unless there is a legal obligation to keep records, for example, under the German Commercial Code (Sections 238, 257(4) HGB) or the German Fiscal Code (Section 147(3)(4) AO). These retention obligations can be between 2 and 10 years. During this period, the data is only used again in the event of an audit by the financial authorities.
- Your rights as a data subject
If personal data concerning you is processed, you are a ‘data subject’ within the meaning of the GDPR. You have the following rights in relation to us as the controller:
- Right of access
You can obtain information on whether we are processing personal data concerning you. Where that is the case, you have the right of access to this personal data as well as to further information related to the processing of this data (Article 15 GDPR). Please note that this right of access may be restricted or excluded in certain cases.
- Right to rectification
In the event that personal data concerning you is not accurate (any more) or is incomplete, you can demand the rectification and, if applicable, the completion of this data (Article 16 GDPR).
- Right to erasure or restriction of processing
If the statutory conditions are met, you can demand the erasure of your personal data (Article 17 GDPR) or the restriction of processing of this data (Article 18 GDPR). However, the right to erasure in accordance with Article 17(1) and (2) GDPR is not granted if, among other things, processing personal data is necessary for compliance with a legal obligation (Article 17(3)(b) GDPR).
- Right to object
As a data subject, you have the right to object to the processing of data concerning you at any time on grounds relating to your particular situation (Article 21 GDPR). If the statutory conditions are met, we will then cease processing your personal data.
- Right to data portability
In accordance with Article 20 GDPR, you are entitled to demand that we provide you with the personal data concerning you, which you have provided to us, namely in a structured, commonly used and machine-readable format.
- Right to withdraw your consent
You have the right to withdraw your consent at any time. The withdrawal applies only for the future; this means that the withdrawal does not affect the lawfulness of the processing carried out on the basis of consent prior to withdrawal.
- Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, the data subject (you) has the right to lodge a complaint with a supervisory authority — particularly in the Member State of your habitual residence — if you consider the processing of your personal data by us to infringe the GDPR.
The supervisory authority responsible for us is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard Straße 22
However, we recommend that you always send a complaint to us first (e.g. by e-mail).
- Scope of your obligations to provide data
In principle, you are not obliged to provide us with your personal data. If you do not, however, you may not be able to access our Website or we may not be able to send you any information or enter into a contract with you, for example.
- Profiling and automated decision-making
We do not perform profiling or employ any purely automated decision-making procedures in accordance with Article 22 GDPR. If we intend to employ any other procedures in a particular case in the future, we will inform you of this separately.
Version dated: May 2022