Privacy Policy
We, the Hemro International AG, Thurgauerstrasse 80, 8050 Zürich, Switzerland (Hemro/we), thank you for visiting one of our websites and for your interest in Hemro. In the following, we provide information about the type, scope, and purpose of the collection and use of your personal data on our websites. Personal data is any information relating to an identified or identifiable natural person. This includes in particular your name, address, and email address. If provisions of the General Data Protection Regulation (GDPR) are named in this Privacy Policy, these shall apply in accordance with Art. 3 GDPR. In all other respects, the applicable statutory provisions on data protection shall apply. Please also note, in addition to the provisions below, the information provided in our cookie banner, in particular with regard to storage periods.
This Privacy Policy applies to the following websites belonging to the Hemro Group:
ditting: https://www.ditting.com/
HeyCafé: https://www.heycafe.com/
Unless explicitly stated otherwise, the following provisions apply equally to all Hemro Group websites listed above. Where reference is made below to “our website”/“the website,” this refers to the website you are currently visiting.
The provider of the websites listed above and the controller in terms of data protection law is
Hemro International AG
Thurgauerstrasse 80
8050 Zürich
Switzerland
Authorized representatives of the Executive Board: Dr. Marcel Lehmann, Adrian Schürmann, Ziya Boro
Tel.: +41 44 864 18 00
Email: info@hemrogroup.com
1. Data processing to enable website usage
Every time you access content on our website, connection data is transferred to our web server. This connection data includes:
- the IP address (Internet Protocol address) of the respective users
- the date and time of the query
- the referer URL
- device numbers such as your unique device identifier (UDID) and comparable device numbers, device information (e.g., device type)
- the browser type/version
This connection data is neither used to determine a user’s identity nor is it combined with data from other sources. Rather, it serves to make the website available. The legal basis for processing your data is Art. 6 para. 1 sentence 1 lit. f GDPR. After no more than seven days, the connection data is anonymized by truncating the IP address at the domain level.
2. Data processing on request
The use of our website is generally possible without providing personal data. You are neither obliged to visit this website nor to provide any personal data. If you do not provide us with the personal data listed below, you may not be able to use certain functions or services of this website. Other than that there will be no consequences for you.
We process your personal data when you use our following services:
2.1 Dealer area
Some of our websites provide you with the opportunity to register with us as a dealer and use the dealer area on our website. We will process your data for this purpose.
When using a password, please take appropriate security measures. For example, a password should contain a minimum of 8 characters and should always consist of a combination of upper- and lowercase letters, numbers, and special characters. Trivial words such as “ABC” or keyboard sequences (e.g., “qwert” or “asdfgh”), all kinds of names (e.g., of friends, acquaintances, colleagues, family members, pets), city and building names, cartoon characters, car brands, license plates, terms, dates of birth, telephone numbers, common abbreviations, etc. are thus problematic.
Your personal data is processed based on Art. 6 para. 1 sentence 1 lit. b GDPR.
2.2 Employee login
If you are an employee of Hemro, the Hemro Group’s website provides you with the ability to access the dealer area and website administration and editing functions via the website’s login function. When you make changes on the website (e.g., edit content), we record the time when the changes are saved and the login used.
Login data must be kept strictly confidential. If a password has nevertheless been shared, for example, to enable third parties to access certain databases in an emergency, the password must be changed immediately. For your own protection, passwords that have already been used before may not be used again.
We also store your IP address and the time of access during the login process. This is necessary to ensure the security of our information technology systems.
We also set a session cookie each time you log in. This session cookie prevents automatic logout during active use of the account or related services. After the respective logout, the session cookie is automatically deleted within a few minutes.
Your personal data is processed for the purpose of the employment relationship and thus on the basis of Art. 88 GDPR in conjunction with the relevant national regulations (in German law, § 26 para 1, sentence 1 BDSG). If special categories of personal data are involved, processing is based on Article 88 GDPR in conjunction with the relevant national regulations (in German law, § 26 para 3 BDSG).
2.3 Contact form
If you use the contact form we provide to contact us, your details will be stored so that they can be used to process your query. Provision of your email address is sufficient for us to contact you. The additional voluntary information about your person serves only to personalize the address for you.
The legal basis for processing your data is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest then lies in responding to your query.
If (pre)contractual measures are implemented, the legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR.
2.4 Newsletter
If you expressly consented to receiving our newsletter, information about company news, current events, and the latest coffee grinding product highlights will be sent regularly to the email address you provided. Provision of your email address is sufficient for us to send you the newsletter. The additional voluntary information about you is only used to personalize the newsletter for you.
In order to subscribe to our newsletter, we use the so-called double-opt-in procedure. This means that once you have subscribed, we will send you an email to the email address you provided, asking you to confirm that you want us to send you the newsletter. If you do not confirm your subscription within three months, your information will be automatically deleted.
In connection with our newsletter, we use the online marketing platform Mailchimp (“Mailchimp”), which is operated by Intuit Inc, 2700 Coast Ave, Mountain View, CA 94043, 650-944-6000, USA. Mailchimp is a service that can be used to organize the sending of newsletters, among other things. Our newsletters sent via Mailchimp allow us to analyze the behavior of newsletter recipients using a tracking pixel (so-called web beacons). It may be analyzed, for example, how many recipients have opened the newsletter message and how often links in the newsletter have been clicked. Further information about Mailchimp’s Privacy Policy is available at: https://mailchimp.com/legal/cookies/#Cookies_served_through_the_Service and https://www.intuit.com/privacy/statement/.
The legal basis for the processing of data is based on your consent, based on § 25 para. 1 sentence 1 Telecommunications Digital Services Data Protection Act (TDDDG) for the storage and access to information in terminal equipment and Art. 6 para. 1 sentence 1 lit. a GDPR for our further processing of your data. You may withdraw your consent at any time with effect for the future. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. A link is provided at the end of each newsletter for you to exercise your right to withdraw from the newsletter and tracking. Alternatively, you can also withdraw your consent at any time, for example, by sending an email to marketing@hemrogroup.com.
Please note that Intuit Inc. is a company from the USA. However, Intuit Inc. is an active participant in the EU-U.S. Data Privacy Framework, which ensures the secure transfer of personal data to the U.S. Further information can be found here: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TXVKAA4&status=Active.
2.5 Applications
On the Hemro Group website, you can apply centrally for a position at one of the companies listed there (in each case: “job provider”). You have the option of using our online application form. Alternatively, you can also apply by e-mail or post.
As part of the online application, you will be asked to provide personal details (e.g. name and contact details). The provision of certain data is required for the establishment and implementation of a possible employment relationship with the respective job provider. If you do not provide these data, which are marked separately as mandatory fields, your application is incomplete and cannot be considered further in the application process. The provision of other information and the upload of files or documents (e.g. CV or application photo) is not mandatory at this application stage, but optional. If you only provide mandatory information, there will be no disadvantages for your application.
Once we have received your online application, you will receive an automatic confirmation of receipt from us. Further communication regarding the application process will then take place via the respective job provider.
Your data will be processed by the respective job provider for the purpose of deciding whether to establish an employment relationship. The legal basis for data processing by the respective job provider is Art. 88 para. 1 GDPR in conjunction with the respective national regulation, in Germany § 26 para. 1 sentence 1 BDSG. If special categories of personal data are affected, the processing is governed by Art. 88 GDPR in conjunction with the national regulation, in Germany § 26 para. 3 BDSG. In the event of a rejection or the completion of the application process, your data will be deleted within 90 days.
Please note our additional data protection information in connection with an application at: https://hemro.jobs.personio.de/privacy-policy?language=en
3. Data processing for a needs-oriented website design
In order to make your user experience of our website as pleasant as possible, we use so-called “web tracking systems.” Cookies are generally used for this purpose. These are small text files, which are sent from a web server to your browser and stored on your computer’s hard drive. This enables us to recognize the end device you are using when you access our website. We are thus able to determine, for example, whether you are logged in, have an active shopping cart, and what the contents of your shopping cart are. The session cookies deployed for using the shop are deleted at the end of the browser session. Other cookies remain on your end device and allow us to recognize your device on your next visit.
A list of the tracking tools and other services that we use and that use cookies is provided in Section 3.1 et seq.
Most browsers are set to accept cookies by default. You can deactivate the storage of cookies in your browser and delete them from your hard drive at any time. However, you can also use your browser to prevent certain cookies (e.g., from third parties) from being set – to prevent web tracking, for example. Further information about your browser’s help function is available here.
We would like to point out that you can also install a plug-in in your browser to protect your privacy. Plug-ins such as AdBlock, Ghostery, or NoScript can prevent tracking (please refer to the privacy policy of the respective plug-in provider).
Finally, we would like to point out that if cookies are deactivated, it may not be possible to use all functions of this website to their full extent. Please also note that deactivation may have to be carried out for each browser and each end device.
Details of the cookies used on the website can be found in the cookie banner and in the following terms and conditions. Unless otherwise stated in the following provisions in Section 3.1 ff., the legal basis for processing your data is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in the needs-oriented design of the website.
3.1 Cookie consent with the cookie consent tool
The HeyCafe and Ditting websites use Usercentrics' cookie consent technology to obtain your consent to the storage of certain cookies on your end device and to document this in compliance with data protection regulations. The provider of this technology is Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany, website: https://usercentrics.com/ (“Usercentrics”).
When you visit our website, the following personal data is transferred to Usercentrics:
- Your consent(s) or the withdrawal of your consent(s)
- your IP address
- Information about your browser
- Information about your end device
- Time of your visit to the website
Furthermore, Usercentrics stores a cookie in your browser in order to be able to assign the consents given or their revocation to you. The data collected in this way is stored until you ask us to delete it, delete the Usercentrics cookie yourself or the purpose for storing the data no longer applies. Mandatory statutory retention obligations remain unaffected.
Usercentrics is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 sentence 1 lit. c GDPR.
In addition to the information in the cookie banner, please also note the following information in Sections 3.2 ff.
3.2 Google Analytics
Our website uses the “Google Analytics 4 (GA4)” tracking tool. This is a service provided by Google Ireland Limited, a company registered and operated in accordance with Irish law, headquartered at Gordon House, 4 Barrow Street, Dublin, Ireland (“Google”). This tracking tool helps us to make our online offers more interesting for you and to improve the user experience. Data on the use of our website is stored in pseudonymized user profiles. In addition to JavaScript and pixels, cookies can also be used for this purpose. Further information on the use of cookies can be found at: https://support.google.com/analytics/answer/11397207. The types of personal data processed include online identifiers (including cookie identifiers), internet protocol addresses and device identifiers, identifiers assigned by the customer.
Data from different devices, sessions, and interactions can additionally be linked to a user ID. This information is generally transferred to a Google server in the USA and stored there.
As part of the evaluation, Google also uses artificial intelligence (AI) to automatically analyze, classify, and enrich data. This is done in particular for predictive metrics on future user behavior based on structured event data, such as purchase probability, churn probability and predicted revenue. The forecast measurement values can also be used for forecast target groups. You can find out more about this at: https://support.google.com/analytics/answer/9846734.
Google uses modeling techniques to estimate online conversions that cannot be captured directly. This enables more realistic statements to be made in reports, advertising campaigns to be optimized and automatic bidding to be improved. You can find more information on this at: https://support.google.com/analytics/answer/10710245.
Finally, the data is analyzed using Analytics statistics. Google provides automatic and user-defined statistics. You can find out more about this at: https://support.google.com/analytics/answer/9443595.
By default, Google already automatically anonymizes user IP addresses when collecting user data. Google also does not log or store the IP addresses. The truncating of IP addresses does not mean that data is processed entirely in anonymized form. Thus, when Google Analytics is used, usage data is collected that is to be evaluated as personal data, such as identification features of the individual users, which also allow a link to an existing Google account, for example.
On our behalf, Google will use this information to evaluate your usage of our website, to compile reports on website activity, and to provide other services related to website and Internet usage to us. The pseudonymized user profiles are not combined with personal data about the bearer of the pseudonym unless separate consent has been obtained for this.
For more information on Google Analytics, see: https://support.google.com/analytics/answer/12017362
Please note that Google also has independent access to your data collected via Google Analytics and may also use this data for its own purposes. Google may, for example, link this data to other information about you, such as search history, personal account, usage data from other devices, and all other data that Google has about you.
The legal basis for the use of Google Analytics is based on your consent, based on § 25 para. 1 sentence 1 TDDDG for the storage and access to information in terminal equipment and Art. 6 para. 1 sentence 1 lit. a GDPR for our further processing of your data. You give your consent to this via our cookie banner. Please note that Google is a company from the USA. Information about Google's data center locations can be found at www.google.com/about/datacenters/locations/. The new EU standard data protection clauses were agreed as appropriate safeguards to ensure an adequate level of protection for the transfer of data. In addition, Google LLC is an active participant in the EU-U.S. Data Privacy Framework, which ensures the secure transfer of personal data to the USA. You can find further information here: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active
3.3 Google Ads Conversion
We use the "Google Ads Conversion" service to advertise our products on external websites with the help of advertising material and to determine the success of our advertising measures. These advertising materials are delivered by Google via so-called "ad servers". If you access our website via a Google ad, Google Ads will store a cookie on your end device. These cookies generally lose their validity after 30 days and are not used to identify you personally. The unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that the user no longer wishes to be addressed) are usually stored as analysis values for this cookie.
The aforementioned cookies enable Google to recognize your internet browser. Therefore, if you have visited certain websites of an Ads customer and the cookie stored on your computer has not yet expired, Google and the Ads customer can recognize that you clicked on the ad and were redirected to this page. Cookies cannot be tracked via the websites of Ads customers. We ourselves do not collect and process any personal data in the aforementioned advertising measures. We only receive statistical evaluations from Google. Based on these evaluations, we can recognize which of the advertising measures used are particularly effective. We do not receive any further data from the use of the advertising material; in particular, we cannot identify you based on this information.
The legal basis for the use of Google Ads Conversion is your consent, based on § 25 para. 1 sentence 1 TDDDG for the storage and access to information in terminal equipment and Art. 6 para. 1 sentence 1 lit. a GDPR for our further processing of your data. You give your consent to this via our cookie banner. Please note that the provider is a company from the USA. Information about Google's data center locations can be found at www.google.com/about/datacenters/locations/. The new EU standard data protection clauses have been agreed as suitable guarantees to ensure an appropriate level of protection when transferring data. In addition, Google LLC is an active participant in the EU-U.S. Data Privacy Framework, which guarantees the secure transfer of personal data to the USA. You can find more information here: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active.
Due to the marketing tools used, your browser automatically establishes a direct connection with the Google server. We have no influence on the scope and further use of the data collected by Google through the use of this tool and therefore inform you according to our level of knowledge as follows: By integrating Ads Conversion, Google receives information that you have accessed the relevant part of our website or clicked on one of our ads. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, it is possible that the provider will find out your IP address and store it.
You can find more information on data protection at Google here:
https://support.google.com/google-ads/answer/93148
https://policies.google.com/privacy
3.4 Google Marketing Platform/DoubleClick
This website uses Google Marketing Platform products, such as Google DoubleClick. DoubleClick uses cookies to present website visitors with relevant advertisements. A cookie ID is assigned to your browser to record which ads have already been sent to this browser. The DoubleClick cookie enables Google and its partner websites to display ads based on previous visits to this or other websites. In the same way, the cookie ID allows the DoubleClick cookie to record conversions related to ad impressions, for example when a user views a DoubleClick ad and later uses the same browser to visit the advertiser’s website.
The legal basis for using DoubleClick is your consent, based on Section 25 (1) Sentence 1 TDDDG for the storage of and access to information on end devices, as well as Article 6 (1) Sentence 1 (a) GDPR for our further processing of your data. You grant this consent via our cookie banner.
Please note that Google is a company based in the United States. Information on the locations of Google’s data centers can be found at www.google.com/about/datacenters/locations/. As appropriate safeguards to ensure an adequate level of data protection during data transfers, the new EU Standard Contractual Clauses have been agreed upon. In addition, Google LLC is an active participant in the EU-U.S. Data Privacy Framework, which ensures the secure transfer of personal data to the USA. Further information can be found here: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active
3.5 Google Tag Manager
We use Google Tag Manager "GTM". This Google service allows website tags to be managed via an interface. However, GTM only implements tags. In this respect, no cookies are used. GTM only triggers other tags, which in turn may collect data, but GTM does not access this data. Data is only analyzed in the respective tool (see the tools listed in section 3 for details). However, the GTM records your IP address and online identifiers (including cookie identifiers), which may also be transmitted to Google in the USA. You can find additional information on GTM at https://support.google.com/tagmanager/answer/6102821
The legal basis for the use of GTM is your consent, based on § 25 para. 1 sentence 1 TDDDG for the storage and access to information in terminal equipment and Art. 6 para. 1 sentence 1 lit. a GDPR for our further processing of your data. You give your consent to this via our cookie banner.
Please note that the provider is a company from the USA. Information about Google's data center locations can be found at www.google.com/about/datacenters/locations/. The new EU standard data protection clauses have been agreed as suitable guarantees to ensure an appropriate level of protection when transferring data. In addition, Google LLC is an active participant in the EU-U.S. Data Privacy Framework, which guarantees the secure transfer of personal data to the USA. Further information can be found here: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active.
3.6 Google Maps
We use Google Maps via an API on our website. This is a service provided by Google. Your IP address must be stored to use the Google Maps functions. This information is generally transferred to a Google server in the USA and stored there. We have no control over this data transfer. As part of the integration of Google Maps, additional content may be loaded from Google servers, which may include Google Fonts. These are technically required to ensure the correct display of the map content. In this process, personal data (such as your IP address and browser information) may also be transmitted to Google. We have also concluded an agreement with Google on mutual responsibility for the processing of personal data. You can view our agreement with Google by clicking the following Link. The legal basis for the use of Google Maps is based on your consent pursuant to § 25 para. 1 sentence 1 TDDDG for the storage and access to information in end devices, as well as pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR for the further processing of your data. You give your corresponding consent via our cookie banner. Please note that Google is a company from the USA. The new EU standard data protection clauses have been agreed as suitable guarantees to ensure an appropriate level of protection when transferring data. In addition, Google LLC is an active participant in the EU-U.S. Data Privacy Framework, which guarantees the secure transfer of personal data to the USA. Further information can be found here: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active.
Further information on how user data is handled is available in Google’s Privacy Policy at: https://policies.google.com/privacy.
3.7 YouTube
Some of our websites use plug-ins from YouTube, which is operated by Google. If you visit one of our websites featuring a YouTube plug-in and actively click on the corresponding field, a connection to YouTube servers is established. Here the YouTube server is informed about which of our pages you have visited. If you’re logged in to your YouTube account, you allow YouTube to associate your browsing behavior directly with your personal profile. You can prevent this by logging out of your YouTube account.
The legal basis for the use of YouTube is based on your consent pursuant to § 25 para. 1 sentence 1 TDDDG for the storage and access to information in end devices, as well as pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR for the further processing of your data. You give your corresponding consent via our cookie banner.
Please note that the provider is a company from the USA. Information about Google's data center locations can be found at www.google.com/about/datacenters/locations/. The new EU standard data protection clauses have been agreed as suitable guarantees to ensure an appropriate level of protection when transferring data. In addition, Google LLC is an active participant in the EU-U.S. Data Privacy Framework, which guarantees the secure transfer of personal data to the USA. Further information can be found here: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active.
For more information about the handling of user data by YouTube, please visit YouTube's privacy policy at: https://policies.google.com/privacy.
3.8 Shopify Storefront API
We use the Shopify Storefront API provided by Shopify International Ltd., 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland (“Shopify”). This interface enables us to integrate customized shopping experiences into our website, apps, or other digital platforms without using the standard Shopify frontend. Through the API, the following personal data about you may be processed: IP address and technical access data, viewed products, shopping cart contents, order and payment information (encrypted), as well as shipping and billing details upon completion of a purchase.
This data processing is carried out for the purpose of providing e-commerce functions within our platforms, processing orders, and improving user experiences. The legal basis for processing your data is Article 6 (1) (b) GDPR (performance of a contract and pre-contractual measures) as well as Article 6 (1) (f) GDPR (legitimate interest in the secure and efficient operation of our online shop).
Your data may also be transferred to Shopify servers in Canada and the United States. Shopify relies on the EU-U.S. Data Privacy Framework, the adequacy decision for Canada, as well as the EU Commission’s Standard Contractual Clauses for such transfers.
3.9 Shopify Network Intelligence (Enhanced Services)
Our webshop uses Shopify Network Intelligence with the so-called “Enhanced Services.” In this context, Shopify processes personal data about your behavior in our webshop in combination with (i) data from other Shopify merchants and (ii) Shopify’s own data in order to provide you with a more personalized shopping experience, deliver more relevant advertising, and better understand interaction behavior in connection with our shop and advertisements.
Shopify processes your personal data both as a data processor and as an independent data controller.
Where Shopify acts as a data processor on our behalf, we have concluded a data processing agreement with Shopify (see: https://www.shopify.com/legal/dpa).
Where Shopify acts as an independent data controller, the agreements under https://www.shopify.com/legal/dpa#appendix-e (Appendix E) apply. Shopify states: “As part of providing the Enhanced Services, you agree that Shopify may process your customers’ personal data as a data controller or business in accordance with applicable data protection laws, to provide, develop, and improve analytics, product personalization, advertising, and other services that involve interactions and transactions of your customers with your store, other merchants, and Shopify. When Shopify processes your customers’ personal data in this way, Shopify’s Consumer Privacy Policy applies […]”. Further information on how Shopify processes your data as a controller can be found in Shopify’s Consumer Privacy Policy: https://www.shopify.com/legal/privacy/consumers
The legal basis for the use of Shopify Network Intelligence is based on your consent pursuant to § 25 para. 1 sentence 1 TDDDG for the storage and access to information in end devices, as well as pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR for the further processing of your data. You give your corresponding consent via our cookie banner.
Shopify may transfer your personal data to countries outside the European Economic Area, such as Canada or the United States. These transfers are based on appropriate safeguards, in particular the Standard Contractual Clauses approved by the European Commission. Details can be found under https://www.shopify.com/legal/dpa#appendix-c (Appendix C, Clause 8).
Where Shopify acts as a controller, you can influence how Shopify processes your personal data and withdraw your consent at any time with future effect via https://privacy.shopify.com/en. Further information on data protection at Shopify can be found at https://www.shopify.com/legal/privacy.
3.10 Shopify Analytics
We use the analytics service “Shopify Analytics” provided by Shopify. Shopify Analytics enables us to evaluate user behavior in our online shop in order to optimize our offering, promote sales, and detect technical issues. Shopify Analytics may collect and process the following personal data from you: IP address, device and browser information, operating system, referrer URL (origin page), pages and products visited, session duration and timestamps, orders placed and revenue generated, as well as location data (based on IP address).
The data processing serves the purpose of statistical analysis of user behavior, improving our offering, analyzing marketing campaigns, and ensuring the functionality of our online shop. The legal basis for the use of Shopify Analytics is your consent, based on Section 25 (1) sentence 1 TDDDG for the storage of and access to information in terminal equipment, as well as Art. 6 (1) sentence 1 lit. a GDPR for our further processing of your data. You give your consent via our cookie banner.
3.11 Shopify CDN / Fastly
Our website uses the Content Delivery Network (CDN) provided by Shopify to deliver static content such as images, scripts, and stylesheets. For the technical implementation, Shopify uses the CDN provider Fastly, Inc., 475 Brannan St., Suite 300, San Francisco, CA 94107, USA. When retrieving content via the CDN, the following data is automatically processed: IP address, browser type and version, operating system, requested file and URL, date and time of access, data volume transferred, and referrer URL.
Processing is technically necessary to provide our website securely and efficiently. The legal basis for data processing is Art. 6 (1) lit. f GDPR (legitimate interest) and Section 25 (2) no. 2 TDDDG. However, certain CDN functions may also set additional cookies or IDs, for example for analysis, optimization, or personalization purposes. In such cases, the legal basis is your consent, based on Section 25 (1) sentence 1 TDDDG for the storage of and access to information in terminal equipment, as well as Art. 6 (1) sentence 1 lit. a GDPR for our further processing of your data.
3.12 Shopify Marketing
To efficiently implement marketing measures such as personalized product recommendations, email marketing campaigns, remarketing via social networks, or campaign performance analysis, we use Shopify Marketing services provided by Shopify on our website.
The following personal data may be processed: IP address, browser type and version, device type and operating system, email address (if provided by the user), user interactions on the website (e.g., clicks, purchases, cart contents), as well as location information if applicable.
The legal basis for the use of Shopify Marketing services is your consent, based on Section 25 (1) sentence 1 TDDDG for the storage of and access to information in terminal equipment, as well as Art. 6 (1) sentence 1 lit. a GDPR for our further processing of your data. You give your consent via our cookie banner.
3.13 Shopify Preferences
Our website uses Shopify Preferences from Shopify to store personal settings and preferences of our users and to improve the user experience. In this context, the following personal data may be processed: IP address, browser type and version, device type and operating system, user preferences on the website (e.g., language, layout, favorites), as well as cookies and local storage information.
The legal basis for the use of Shopify Preferences is your consent, based on Section 25 (1) sentence 1 TDDDG for the storage of and access to information in terminal equipment, as well as Art. 6 (1) sentence 1 lit. a GDPR for our further processing of your data. You give your consent via our cookie banner.
3.14 hCaptcha
We also use the “hCaptcha” tool on our website, provided by Intuition Machines Inc., 2211 Selig Dr, Los Angeles, CA 90026, United States (“IMI”).
The purpose of hCaptcha is to determine whether data input on this website (e.g., in a contact form) is made by a human or an automated program. To do this, hCaptcha analyzes the website visitor’s behavior based on various characteristics. This analysis starts automatically as soon as the user enters a website with hCaptcha enabled. For the analysis, hCaptcha evaluates various information (e.g., IP address, time spent on the website, mouse movements made by the user). The data collected during the analysis is forwarded to IMI. The hCaptcha analysis in “invisible mode” can take place entirely in the background. Website users are not informed that such an analysis is taking place if no challenge or task is displayed to them.
If your consent is requested via our cookie banner, the legal basis for the use of hCaptcha on our website is this consent, based on Section 25 (1) sentence 1 TDDDG for the storage of and access to information in terminal equipment, as well as Art. 6 (1) sentence 1 lit. a GDPR for our further processing of your data. Otherwise, the legal basis is Art. 6 (1) sentence 1 lit. f GDPR. Please note that IMI is a U.S.-based company. Appropriate safeguards to ensure an adequate level of protection during data transfers have been established by agreeing to the new EU Standard Contractual Clauses. In addition, IMI is an active participant in the EU-U.S. Data Privacy Framework, ensuring the secure transfer of personal data to the USA. Further information can be found here: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active
For more information on hCaptcha, please refer to the privacy policy and terms of use at the following links: https://www.hcaptcha.com/privacy, https://www.hcaptcha.com/gdpr, and https://hcaptcha.com/terms.
3.15 Cloudflare
We use the service “Cloudflare” provided by Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA, on our website. This service acts as a firewall, proxy, and load balancing service, routing traffic between your browser and our website through the Cloudflare network. The following data may be collected and processed: IP address, browser type, operating system, referrer URL, internet service provider, access and performance data, so-called protocol metrics, and security fingerprints. These serve to improve the security, loading speed, and functionality of our website. Our legitimate interest in using Cloudflare is to ensure a secure and high-performance website.
Please note that Cloudflare is a U.S.-based company. Cloudflare is an active participant in the EU-U.S. Data Privacy Framework, ensuring the secure transfer of personal data to the USA. Further information can be found here: https://www.dataprivacyframework.gov/list.
3.16 Microsoft Clarity
We use the web analytics software “Microsoft Clarity” on our website. The service provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Dublin 18, D18 P521, Ireland.
Microsoft Clarity records user interactions on our website, such as how the page is rendered, interactions like mouse movements, clicks, scrolling, and so on. The code for collecting this information is open source and available on GitHub. An overview of the data processed in connection with Microsoft Clarity can be found at: https://learn.microsoft.com/en-us/clarity/setup-and-installation/clarity-data
To ensure that your data is pseudonymized on our website, we have additionally masked HTML elements that collect user data via attribute settings.
Please note that Microsoft is an independent controller for data processing in connection with Clarity, and we have not entered into a DPA or similar agreement with Microsoft for Microsoft Clarity.
The legal basis for the use of Microsoft Clarity is your consent, based on Section 25 (1) sentence 1 TDDDG for the storage of and access to information in terminal equipment, as well as Art. 6 (1) sentence 1 lit. a GDPR for our further processing of your data. You give your consent via our cookie banner. Please note that Microsoft is a U.S.-based company. Microsoft is an active participant in the EU-U.S. Data Privacy Framework, ensuring the secure transfer of personal data to the USA. Further information can be found here: https://www.dataprivacyframework.gov/list.
Session recordings are retained by Microsoft Clarity for 30 days. All labeled or favorited sessions are retained for 13 months. Heatmap data is retained for 13 months. Data stored on Clarity servers, including backups, is deleted after the retention period expires and cannot be recovered. Details on data storage and deletion can be found at: https://learn.microsoft.com/en-us/clarity/setup-and-installation/data-retention
Further information on data protection regarding Microsoft Clarity can be found at: https://clarity.microsoft.com/terms and https://www.microsoft.com/en-US/privacy/privacystatement.
A summary of data protection and security in connection with Microsoft Clarity can be found at: https://claritystatic.blob.core.windows.net/images/Microsoft%20Clarity%20Security%20and%20Privacy%20FAQs.pdf
4. Social media presences
4.1 Links to social networks
Our website may contain links to social networks (Facebook, X (Twitter), Instagram, and YouTube). These websites are operated exclusively by third parties. If you click the links, the respective provider may process your personal data. Please refer to the providers’ privacy policies for further information in this regard.
4.2 Data processing by Hemro and legal basis
Our social media presences (Facebook, X (Twitter), LinkedIn, Instagram, and YouTube) are intended to provide you with information about Hemro as well as about our new developments, services, and products. Depending on the respective provider’s offer, you have the option to interact in different ways (comments, recommendations, etc.), for example, in connection with our social media presence. The interaction of users is an important criterion for us in order to carry out targeted marketing. For example, we can determine which posts users prefer to read. We therefore also use the statistics determined by the providers in this regard for our own purposes. If we process the users’ personal data, the legal basis for this is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest thus lies in particular in targeted information/advertising. The providers will inform you separately about the legal basis on which they process your data for their own purposes.
4.3 Joint responsibility
In individual cases, we may share responsibility for the processing of your personal data with social media providers. In this case, you may assert your rights both against us and against the social media provider (see Section 9). However, the first point of contact is always the social media provider.
We have concluded an agreement with Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Facebook or Meta) on joint responsibility for the processing of personal data. This applies to the processing of so-called “insights data” – page statistics, in particular on the interactions of Facebook users. Further information on page insights is available here: https://www.facebook.com/business/pages/manage#page_insights. You can view our agreement with Google by clicking the following link: https://www.facebook.com/legal/controller_addendum
In relation to “page insights,” we have also concluded an agreement with LinkedIn Ireland on joint responsibility. With Page Insights, LinkedIn does not provide us with any personal data about you. We only have access to your aggregated data. It is not possible for us to draw conclusions about individual users by means of page insights information. Detailed information about page insights and our agreement with LinkedIn Ireland can be viewed by clicking the following link:
https://legal.linkedin.com/pages-joint-controller-addendum.
Please note that the social media providers also process your data outside the EU/EEA. Meta Platforms Inc. and LinkedIn Corporation are active participants in the EU-U.S. Data Privacy Framework, which ensures the secure transfer of personal data to the USA when data is transferred to them. Further information can be found here: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnywAAC&status=Active
With regard to the storage period for your data processed by us for our own purposes, please refer to our explanations provided under Section 7. Otherwise, please observe the respective social media provider’s privacy policy.
5. Data transfer
We will only transfer personal data to third parties or other recipients if this is necessary for the provision of services, if you have given your consent, if there is a legal obligation to do so, or if the transfer of data is permitted on another legal basis. Where necessary, we have concluded data processing agreements with the recipients of your data in accordance with Art. 28 GDPR.
6. Data transfer to countries outside the EU
Insofar as necessary for our purposes, we will only transfer personal data to recipients outside the EU if you have given your consent, if there is a legal obligation to do so, or if the transfer of data is permitted on another legal basis. Your data will also be transferred to recipients based in the USA within the scope of processing data. An appropriate level of data protection is ensured by the conclusion of the new so-called EU standard contractual clauses and/or the participation of the service provider in the USA in the EU-U.S. Data Privacy Framework. An overview of the participants in the EU-U.S. Data Privacy Framework can be found here: https://www.dataprivacyframework.gov/s/participant-search
7. Storage period for personal data/criteria for determining the storage period
We will store your personal data for as long as this is necessary for the aforementioned processing purposes or in case of an objection that no compelling reasons worthy of protection exist for Hemro or in case of a withdrawal of consent if no other legal basis for data processing exists. In certain cases (e.g., if there is a legal obligation to store data), your personal data will not be deleted immediately, but rather blocked initially. For example, the storage period for messages sent via the contact form with business-related content can be ten years.
8. Security measures to protect your personal data
We use technical and organizational measures to protect your data from unauthorized access, loss, or destruction. Our security measures are continuously adapted in line with technical developments. Our employees and all persons involved in data processing are obliged to comply with data protection laws and to treat personal data confidentially. Our employees are trained accordingly.
To protect your personal data on this website, we use a secure online transmission procedure known as “Secure Sockets Layer” (SSL) transmission. This can be recognized by the closed lock symbol displayed on the https:// address. Click on this symbol for details of the SSL certificate used. Display of this symbol depends on the browser version used. SSL encryption guarantees the encrypted and complete transmission of your data.
9. Your rights
Within the framework of the legal requirements, you are in principle entitled to request from Hemro:
- confirmation of whether Hemro is processing your personal data
- information about this data and the circumstances of processing
- correction if this data is incorrect
- deletion if there is no justification for processing and no obligation to store your personal data (any longer)
- restriction of processing in certain cases specified by law
- objection in case of data processing based on Art. 6 para. 1 sentence 1 lit. f GDPR
- transfer of your personal data – insofar as you have provided it – to you or a third party in a structured, common and machine-readable format
If you have given your consent to the processing of your personal data, you have the right to withdraw your consent again at any time. Processing of your personal data will then not be allowed in the future. However, this will not affect the lawfulness of the processing carried out with your consent before you withdrew your consent.
Please address your specific request to our data protection officer in writing or via email, clearly identifying yourself:
krupna LEGAL
Data Protection Officer
Email: office@krupna.legal
Insofar as we use your data in joint responsibility with third parties in the sense of Art. 26 GDPR, the third party is primarily responsible for the exercise of all data subject rights. However, you are also free to assert your rights against us.
Finally, we would like to draw your attention to your right to lodge a complaint with a supervisory authority.
10. No automated individual decisions
We do not use your personal data to make automated individual decisions.
11. Changes to the Privacy Policy
New legal requirements, business decisions, or technical developments may make changes to our Privacy Policy necessary. The Privacy Policy will then be amended accordingly. The latest version can always be found on our website.