PRIVACY POLICY
1. Access Data and Hosting
2. Data Processing for Contract Performance and Contacting Us
2.1 Data Processing for Contract Performance
2.2 Customer Account
2.3 Contacting Us
2.4 Data Processing for Appointment Booking / Reservation
3. Data Processing for Shipping Purposes
4. Data Processing for Payment Handling
4.1 Data Processing for Transaction Handling
4.2 Data Processing for Fraud Prevention and Optimization of Our Payment Processes
5. Advertising via Email and Telephone
5.1 Email Newsletter Subscription and Newsletter Tracking
5.2 Sending Review Requests via Email
5.3 Telephone Advertising
6. Cookies and Other Technologies
6.1 General Information
6.2 Use of the Wix Consent Manager Tool for Managing Consents
6.3 Information on Data Transfers to Third Countries (Non-EU Countries)
7. Use of Cookies and Other Technologies / Use of Google Services
8. Social Media
Our Online Presence on Facebook (by Meta), Instagram (by Meta), and LinkedIn
9. Contact Options and Your Rights
9.1 Your Rights
9.2 Contact Options
Controller:
Lauer & Lauer GbR
Häberlstraße 26
80337 Munich,
Germany
Email: anika@heimatoffice26.com
Phone: +49 173 4508639
We are delighted that you are interested in our online shop. Protecting your privacy is of utmost importance to us. Below we provide detailed information about how we handle your personal data in compliance with the General Data Protection Regulation (GDPR).
1. Access Data and Hosting
You may visit our website without providing any personal information. Each time a webpage is accessed, the web server automatically stores a so-called server log file, which contains, for example, the name of the requested file, your IP address, the date and time of access, the amount of data transferred, and the requesting provider (access data). This access data is used solely for the purpose of ensuring the trouble-free operation of the site and improving our services.
This processing is based on our legitimate interests in the correct presentation of our services in accordance with Article 6(1)(f) GDPR.
All access data is processed only as long as is necessary for the fulfilment of the above-mentioned purposes.
Hosting and presentation services for this website are partially provided by our service providers as part of processing on our behalf. Unless otherwise stated in this privacy policy, all access data and all data collected via the forms provided on this website are processed on their servers.
For questions about our service providers and the legal basis of our cooperation with them, please contact us using the contact details provided in this privacy policy.
Our service providers are located and/or use servers in the following countries for which the European Commission has determined an adequate level of data protection: Israel, the United Kingdom, and the United States.
The EU–US Data Privacy Framework adequacy decision serves as the basis for data transfers to the United States, provided that the respective service provider is certified under it. Certification has been obtained.
Our service providers are also located and/or use servers in Brazil, Mexico, India, and Ukraine. For these countries, no adequacy decision by the European Commission exists. Our cooperation with these providers is therefore based on the European Union’s Standard Contractual Clauses (SCCs) to ensure appropriate data protection safeguards.
2. Data Processing for Contract Performance and Contacting Us
2.1 Data Processing for Contract Performance
In order to perform a contract (including inquiries and handling of warranty and performance-related claims, as well as any statutory update obligations) under Article 6(1)(b) GDPR, we collect personal data when you voluntarily provide it to us in the context of placing an order. Mandatory fields are marked as such, as we require these data to process the contract and cannot send your order without them. The type of data collected can be seen from the respective input forms.
Further details on how we process your data, particularly regarding disclosure to our service providers for order, payment, and shipping processing, can be found in the subsequent sections of this privacy policy.
After full performance of the contract, your data will be restricted for further processing and deleted upon expiry of the statutory tax and commercial retention periods in accordance with Article 6(1)(c) GDPR, unless you have expressly consented to further use of your data under Article 6(1)(a) GDPR, or we are legally entitled to further use your data, as described in this policy.
2.2 Customer Account
Where you have given your consent under Article 6(1)(a) GDPR by choosing to open a customer account, we use your data for the purpose of creating and maintaining your customer account, as well as for storing your data for future orders on our website.
You may delete your customer account at any time by sending us a message using the contact details provided in this privacy policy, or by using the corresponding function in your account settings. After deletion of your account, your data will also be deleted unless you have expressly consented to further use under Article 6(1)(a) GDPR, or we are legally entitled to further processing as described in this policy.
2.3 Contacting Us
In the context of customer communication, we collect personal data to process your inquiries under Article 6(1)(b) GDPR when you voluntarily provide such data while contacting us (e.g., via contact form, live chat, or email). Mandatory fields are identified as such, as we require this information to respond to your inquiry. The type of data collected depends on the respective form fields.
After your inquiry has been fully processed, your data will be deleted unless you have expressly consented to further use under Article 6(1)(a) GDPR, or we are otherwise legally entitled to retain it as described in this policy.
2.4 Data Processing for Appointment Booking / Reservation
We collect personal data when you voluntarily provide it to us as part of an appointment booking or reservation. Mandatory fields are marked as such, as we require these data to process your booking or reservation and cannot proceed without them. The type of data collected can be seen from the respective form. Optional free-text fields may be completed voluntarily but are not necessary for submission. We kindly ask that you do not include sensitive personal information (e.g., health-related details) in these free-text fields.
We process your data for the purpose of appointment booking or reservation under Article 6(1)(b) GDPR. After completion of the booked appointment or reservation, your data will be restricted for further processing and deleted after the expiry of any applicable statutory retention periods under Article 6(1)(c) GDPR, unless you have expressly consented to further use under Article 6(1)(a) GDPR or we are otherwise entitled to retain it as described herein.
Appointment Booking Solution: Wix Bookings
For appointment scheduling, we use the booking solution provided by Wix.com Ltd., Yunitsman 5 St., Tel Aviv, Israel. The service provider acts as a processor on our behalf.
Our service providers are located and/or use servers in the United States, for which the European Commission has adopted an adequacy decision under the EU–US Data Privacy Framework. Certification is in place for the relevant provider.
3. Data Processing for Shipping Purposes
For the fulfilment of the contract under Article 6(1)(b) GDPR, we forward your data to the shipping service provider commissioned to deliver the goods, insofar as this is required for the delivery of the ordered goods.
Depending on which payment and shipping service provider you select during the ordering process, we may transfer the data collected for order processing to the service provider responsible for handling the delivery. In some cases, the selected shipping service providers also collect such data themselves, provided that you create an account with them. In such a case, you must log in to the respective shipping service provider with your access data during the ordering process. The privacy policy of the respective shipping provider shall apply in this regard.
4. Data Processing for Payment Handling
4.1 Data Processing for Transaction Handling
For payment processing in our online shop, we work with technical service providers, credit institutions, and payment service providers. Depending on the chosen payment method, payment data may be transmitted to these providers in order to process payments.
This data processing is carried out for the purpose of contract performance under Article 6(1)(b) GDPR.
Payment data collected by us are required to process the payment transaction, such as payment method, billing address, payment amount, and relevant transaction identifiers. The type of data depends on the payment method chosen and the payment service provider used.
4.2 Data Processing for Fraud Prevention and Optimization of Our Payment Processes
In some cases, we may forward additional data to our service providers, who process these data as processors on our behalf for the purpose of fraud prevention, payment process optimisation (e.g., invoicing or technical processing), and customer risk assessment.
Such processing is based on our legitimate interests in preventing fraud and ensuring secure, efficient payment transactions under Article 6(1)(f) GDPR.
5. Advertising via Email and Telephone
5.1 Email Newsletter Subscription and Newsletter Tracking
If you subscribe to our newsletter, we will use the data necessary for this purpose or separately provided by you to send you our email newsletter on a regular basis, based on your consent under Article 6(1)(a) GDPR.
You can unsubscribe from the newsletter at any time, either by sending a message to the contact details provided in this privacy policy or via the unsubscribe link included in each newsletter. After unsubscribing, we will delete your email address from the mailing list unless you have expressly consented to further use of your data or we are otherwise legally entitled to further use as described in this policy.
Newsletter Tracking:
Our newsletters contain so-called tracking pixels (web beacons) which allow us to recognise whether and when an email has been opened, and which links were clicked. This analysis helps us to measure the success of our email campaigns and improve our communication.
This processing is based on your consent under Article 6(1)(a) GDPR. You may revoke your consent at any time with effect for the future by unsubscribing from the newsletter.
5.2 Sending Review Requests via Email
If you have made a purchase on our website, we may send you an email asking you to rate your order and our service. This is done to improve our products and customer experience.
The sending of review requests is based on our legitimate interest in obtaining feedback and improving our services under Article 6(1)(f) GDPR, provided you have not objected. You can object to receiving such review requests at any time by sending us a message using the contact details provided.
5.3 Telephone Advertising
If you have provided your consent under Article 6(1)(a) GDPR, we may contact you by telephone to inform you about our products, services, or offers.
You can revoke your consent at any time with effect for the future. Please send your objection or withdrawal of consent to the contact details provided in this privacy policy.
6. Cookies and Other Technologies
6.1 General Information
To make visiting our website attractive and to enable the use of certain functions, we use technologies including cookies on various pages. Cookies are small text files that are automatically stored on your device.
Some of the cookies we use are deleted after your browser session ends (so-called session cookies). Other cookies remain on your device and enable us to recognise your browser upon your next visit (persistent cookies).
We use such technologies that are strictly necessary to operate the website in order to provide users with our online service. The use of these technologies and the related processing of your personal data are based on our legitimate interests in ensuring the technically flawless and optimised provision of our services under Article 6(1)(f) GDPR.
Additionally, we use technologies to analyse website usage, measure performance, and improve our content and marketing. We only use such non-essential technologies where you have granted consent under Article 6(1)(a) GDPR.
You may withdraw your consent at any time with future effect by adjusting your cookie settings through our Consent Management Tool.
6.2 Use of the Wix Consent Manager Tool for Managing Consents
On our website, we use the Wix Consent Manager Tool (provided by Wix.com Ltd., 40 Namal Tel Aviv St., Tel Aviv 6350671, Israel) to obtain and manage user consents for the use of cookies and similar technologies.
When visiting our website, the tool displays a consent banner that gives you the choice to allow or refuse certain categories of cookies and processing. The tool records your consent decisions and stores them to ensure compliance with legal obligations under Article 7(1) GDPR and to demonstrate accountability under Article 5(2) GDPR.
The processing of data in this context is based on our legal obligation to document your consent (Article 6(1)(c) GDPR). Server locations are in Israel, for which the European Commission has determined an adequate level of data protection.
6.3 Information on Data Transfers to Third Countries (Non-EU Countries)
Where we transfer personal data to recipients located in countries outside the European Union (EU) or European Economic Area (EEA), such as the United States, Israel, or other third countries, this occurs only under the conditions set out in Articles 44 et seq. GDPR.
For the United States, transfers are made based on the EU–US Data Privacy Framework where the respective service provider is certified. For other third countries without an adequacy decision, such as India or Brazil, transfers are based on Standard Contractual Clauses (SCCs) adopted by the European Commission to ensure appropriate safeguards.
7. Use of Cookies and Other Technologies
We use the following cookies and other third-party technologies on our website.
Unless otherwise stated for specific technologies, processing is carried out on the basis of your consent pursuant to Article 6(1)(a) GDPR.
Once the purpose for using each technology has ceased and we no longer employ it, the data collected in this context will be deleted.
You may withdraw your consent at any time with future effect. Further details on how to revoke consent can be found in the section “Cookies and Other Technologies.”
Additional information, including the legal basis of our cooperation with individual providers, is provided under each respective technology below.
If you have questions regarding the providers or the basis of our cooperation with them, please contact us via the details provided in this Privacy Policy.
Use of Google Services
We use the following technologies provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
Information automatically collected by Google technologies about your use of our website is generally transmitted to and stored on a server operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Unless otherwise stated for specific technologies, data processing is carried out on the basis of an agreement on joint controllership pursuant to Article 26 GDPR.
Further information on how Google processes data can be found in Google’s Privacy Policy.
Our service providers are located and/or use servers in countries outside the EU and EEA for which the European Commission has adopted an adequacy decision confirming an appropriate level of data protection.
For service providers located in or using servers in countries without such a decision, our cooperation is based on Standard Contractual Clauses (SCCs) issued by the European Commission.
Google Analytics
For the purpose of website analytics, Google Analytics automatically collects and stores data (including IP address, visit time, device and browser information, and information about your website usage) to create pseudonymised user profiles.
Cookies may be used for this purpose.
If you visit our website from within the EU, your IP address is first stored on a server located in the EU for geolocation purposes and is then immediately deleted before traffic is transferred to other Google servers for further processing.
Data processing takes place on the basis of a data processing agreement with Google.
To optimise our website marketing, we have activated the data sharing settings for “Google Products and Services.” This allows Google to access and use data collected via Google Analytics to improve its own services.
This additional data sharing is based on a separate agreement between joint controllers, and we have no influence over Google’s subsequent data processing.
We also use the User ID feature, which allows us to assign a unique, persistent ID to your interaction data across multiple sessions and devices, providing cross-device analytics.
Additionally, the Google Signals extension of Google Analytics enables cross-device tracking (“Cross-Device Tracking”).
If your internet-enabled devices are linked to your Google account and you have enabled “personalised advertising,” Google can generate reports on cross-device user behaviour (especially aggregated user counts).
We do not process personal data for this purpose; we only receive aggregated statistics created by Google Signals.
If you do not grant consent under Article 6(1)(a) GDPR for the use of Google Analytics, no cookies will be stored or accessed on your device, and the processing described above will not take place.
To fill potential gaps in analytics, behavioural and conversion modelling is used, during which “pings” containing data (User Agent, consent behaviour, screen resolution, IP address) are sent to Google.
Google Ads
For advertising purposes within Google search results and on third-party websites, a Google Remarketing Cookie is placed when you visit our website.
This cookie automatically collects and processes data (IP address, time of visit, device and browser information, and data about your website usage) using a pseudonymous cookie ID to display interest-based advertisements based on the pages you have visited.
Further data processing takes place only if you have enabled “personalised advertising” in your Google Account.
If you are logged into Google while visiting our website, Google combines this data with Google Analytics data to create and define cross-device remarketing target groups.
For website analytics and event tracking, we also use Google Ads Conversion Tracking to measure user behaviour following an interaction with a Google Ads advertisement.
Cookies may be used, and pseudonymised usage profiles may be created based on data such as IP address, time of visit, device and browser information, and event-related actions (e.g., page visits, newsletter subscriptions).
If you do not grant consent under Article 6(1)(a) GDPR for the use of Google Ads, no cookies will be stored or accessed, and the processing described above will not take place.
To close gaps in analytics, behavioural and conversion modelling may send “pings” with data (User Agent, consent behaviour, screen resolution, IP address, page URL, ad click information) to Google.
The IP address is used solely to determine the country of access.
Google Maps
For visual display of geographic information, Google Maps collects data about your use of the map features — including your IP address and location data — which are transmitted to and processed by Google.
We have no influence over this subsequent data processing.
Google reCAPTCHA
To protect our web forms from misuse and spam by automated software (“bots”), Google reCAPTCHA collects data (IP address, time of visit, browser information, and details about your website usage).
A JavaScript element and cookies are used to analyse user interactions.
In addition, other cookies stored by Google services in your browser may also be evaluated.
No personal data entered into the form fields is read or stored.
Google Fonts
To ensure consistent presentation of content, Google Fonts uses a script code that collects data (IP address, time of visit, device and browser information) and transmits it to Google for processing.
We have no influence over this subsequent data processing.
Google Tag Manager
We use Google Tag Manager to manage and deploy analytics and marketing services on our website.
When implementing individual tags, Google may process personal data (e.g., IP address, online identifiers including cookies).
Processing is based on a data processing agreement with Google.
The Google Tag Manager allows the integration of various technologies.
If you have deactivated individual tracking services, this deactivation will remain effective for all tracking tags managed via Google Tag Manager.
Use of Wix Analytics for Website Analysis
For website analytics purposes, we use technologies provided by Wix Ltd., 40 Namal Tel Aviv St., Tel Aviv 6350671, Israel (“Wix”).
Data such as IP address, time of visit, device and browser information, location data, and information about your use of our website are automatically collected and stored, creating pseudonymised usage profiles.
Cookies may be used for this purpose.
The pseudonymised profiles are not combined with personal data about the bearer of the pseudonym without separate, explicit consent.
Wix acts as a data processor on our behalf.
Our service providers are located and/or use servers in the following countries with an adequacy decision by the European Commission: Israel, the United Kingdom, and the United States.
The adequacy decision for the United States serves as the legal basis for third-country data transfers, provided the respective service provider is certified — which is the case here.
Our service providers are also located and/or use servers in Brazil, Mexico, India, and Ukraine, for which no adequacy decision exists.
Our cooperation with these providers is based on EU Standard Contractual Clauses.
Use of Visitor Analytics for Website Analysis
For the above-mentioned analytical purposes, we use Visitor Analytics, which applies “fingerprinting” technology by evaluating technical characteristics of your device or browser to enable reliable analytics.
The pseudonymised usage profiles are not combined with personal data of the data subject without separate consent.
Visitor Analytics acts as a data processor on our behalf.
Using the Visitor Recording Tool by Visitor Analytics, we can generate anonymised statistics showing where users have scrolled and clicked on our website.
This function helps us improve usability and identify and correct technical issues.
8. Social Media
Our Online Presence on Facebook (by Meta), Instagram (by Meta), and LinkedIn
Where you have granted consent to the respective social media provider in accordance with Article 6(1)(a) GDPR, your data will be automatically collected and stored for market research and advertising purposes when you visit our online profiles on the platforms listed above.
Using pseudonymous usage profiles, these data may be used to display advertisements both within and outside the platforms that are presumed to match your interests.
Cookies are generally used for this purpose.
For detailed information regarding data processing and use by each social media operator, including contact details and your rights and options to protect your privacy, please refer to the privacy policies linked below.
If you require assistance with this, you may also contact us directly.
Facebook (by Meta)
Facebook (by Meta) is provided by Meta Platforms Ireland Ltd., Block J, Serpentine Avenue, Dublin 4, Ireland (“Meta Platforms Ireland”).
Information automatically collected by Meta Platforms Ireland about your use of our Facebook presence is typically transmitted to and stored on a server operated by Meta Platforms, Inc., 1601 Willow Road, Menlo Park, California 94025, USA.
Data processing related to the visit of a Facebook (by Meta) fan page is carried out on the basis of an agreement on joint controllership pursuant to Article 26 GDPR.
Further information (including details about “Insights Data”) is available here.
Our service providers are located and/or use servers in the following countries for which the European Commission has adopted an adequacy decision:
United States, Canada, Japan, South Korea, New Zealand, United Kingdom, Argentina.
The adequacy decision for the United States serves as the legal basis for data transfers to third countries, provided that the service provider is certified — which is the case here.
Our service providers are also located and/or use servers in:
Australia, Hong Kong, India, Indonesia, Malaysia, Singapore, Thailand, Taiwan, Brazil, and Mexico.
For these countries, no adequacy decision by the European Commission exists.
Our cooperation with these providers is based on the Standard Contractual Clauses (SCCs) issued by the European Commission.
Instagram (by Meta)
Instagram (by Meta) is also provided by Meta Platforms Ireland Ltd., Block J, Serpentine Avenue, Dublin 4, Ireland (“Meta Platforms Ireland”).
Information automatically collected by Meta Platforms Ireland about your use of our Instagram presence is generally transmitted to and stored on a server operated by Meta Platforms, Inc., 1601 Willow Road, Menlo Park, California 94025, USA.
Data processing related to the visit of an Instagram (by Meta) page is carried out on the basis of an agreement on joint controllership pursuant to Article 26 GDPR.
Further information (including details about “Insights Data”) can be found here.
Our service providers are located and/or use servers in the following countries with an adequacy decision:
United States, Canada, Japan, South Korea, New Zealand, United Kingdom, Argentina.
The adequacy decision for the United States serves as the legal basis for data transfers to third countries, provided the respective service provider is certified — which is the case here.
Our service providers are also located and/or use servers in:
Australia, Hong Kong, India, Indonesia, Malaysia, Singapore, Thailand, Taiwan, Brazil, and Mexico.
For these countries, no adequacy decision exists.
Our cooperation with such providers is based on Standard Contractual Clauses (SCCs) issued by the European Commission.
LinkedIn
LinkedIn is provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”).
Information automatically collected by LinkedIn about your use of our LinkedIn presence is typically transmitted to and stored on a server operated by LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA.
Our service providers are located and/or use servers in the United States, for which the European Commission has adopted an adequacy decision.
This adequacy decision serves as the legal basis for third-country transfers, provided the service provider is certified — which is the case here.
9. Contact Options and Your Rights
9.1 Your Rights
As a data subject, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of access (Article 15 GDPR): You have the right to obtain information about the personal data we process about you, the purposes of processing, the categories of data concerned, and other related details.
- Right to rectification (Article 16 GDPR): You have the right to have inaccurate or incomplete personal data corrected without undue delay.
- Right to erasure (Article 17 GDPR): You have the right to request deletion of your personal data unless processing is necessary:
  - to exercise the right of freedom of expression and information;
  - to comply with a legal obligation;
  - for reasons of public interest; or
  - to establish, exercise, or defend legal claims.
- Right to restriction of processing (Article 18 GDPR): You have the right to request restriction of processing where:
  - you contest the accuracy of the data;
  - the processing is unlawful but you oppose its erasure;
  - we no longer need the data, but you require it for legal claims; or
  - you have objected to processing under Article 21 GDPR.
- Right to data portability (Article 20 GDPR): You have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, or to request transmission to another controller.
- Right to lodge a complaint (Article 77 GDPR): You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or where the alleged infringement occurred.
Right to Object
Where we process personal data on the basis of our legitimate interests within the framework of a balancing of interests (as explained above), you have the right to object to such processing with future effect.
If the processing is carried out for direct marketing purposes, you may object at any time as described above.
If processing is carried out for other purposes, you may object only on grounds relating to your particular situation.
Upon receiving your objection, we will no longer process your personal data for the respective purposes unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or where the processing serves to establish, exercise, or defend legal claims.
This restriction does not apply to processing for direct marketing purposes — in that case, we will cease such processing immediately.
9.2 Contact Options
For any questions regarding the collection, processing, or use of your personal data, or for requests concerning access, rectification, restriction, or deletion of data, as well as for withdrawal of consent or objections to specific processing activities, please contact us directly:
Heimatoffice26
Häberlstraße 26
80337 Munich, Germany
Email: anika@heimatoffice26.com
Phone: +49 173 4508639
