This privacy statement applies to the processing of data by mittemitte GmbH ("Mitte", "Controller", "we" or "us") when you visit our website https://mitte.co.
Visiting our website, creating an account and ordering Mitte products involve certain processing of your personal data. Personal data is any information relating to an identified or identifiable natural person, e.g. name, address, email address.
When processing your personal data, we observe the applicable data protection laws, in particular the European General Data Protection Regulation ("GDPR") and the German Federal Data Protection Act ("BDSG").
This privacy statement describes which personal data we process, for which purposes and on which legal basis.
We take the protection of your personal data very seriously. We process your data only for the purposes clearly defined in this privacy statement. If we process data for other purposes and/or pass on your data to third parties for other purposes, we will only ever do so with your explicit consent.
1 Name and Contact Details of the Controller
The party responsible for the processing of your data is mittemitte GmbH, Schinkestrasse 20, 12047 Berlin, Germany, E-Mail: email@example.com.
2 Name and Contact Details of our Data Protection Officer
You can reach our data protection officer at the following contact details: IITR Datenschutz GmbH, Dr Sebastian Kraska, Marienplatz 2, 80331 München, E-Mail: firstname.lastname@example.org, Telephone: 089-18917360.
3 Collection and Storage of Personal Data as well as Method and Purpose of their Processing, relevant Legal Basis and Storage Period
3.1 Visit of our Website
When you use our website purely for information, i.e. if you do not register or otherwise transmit information to us, we only collect data that your browser transmits to our server (so-called server log files), whereby logging only takes place to the technically necessary extent. The following information is collected:
• IP address of the requesting internet-enabled device
• Date and time of access
• Name and URL of the accessed file
• Website from which the access is made (referrer URL)
• The browser you use and, if applicable, the operating system of your internet-enabled device as well as the name of the access provider.
The legal basis for the collection of this data is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest in collecting this data results from the following purposes:
• Ensuring optimal use of our website,
• Ensuring smooth connection establishment,
• Evaluation of system security and stability.
3.2 Creation of a Mitte Account and Ordering of Products
If you wish to order a product from us on our website, you may do so (i) as a guest or (ii) as a registered customer with a Mitte account. Creating a Mitte account allows you to order products from us without having to re-enter your personal information each time. In addition, you can view the status of an order at any time.
In both cases we collect the following data from you:
- Your title
- Your name
- Your address
- Your e-mail address
- Your telephone number
- Your means of payment and payment details
We will also ask you for a user name and password, which you can use to log in to your account at any time in the future.
The processing of the aforementioned data is necessary for us to fulfil the user contract on your Mitte account as well as the purchase agreement for our products that you order. The legal basis for the data processing is Art. 6 para. 1 lit. b) GDPR.
3.3 Data Processing and Personal Addressing by e-mail
If you give us your explicit consent, we will send you information about our services and offers by e-mail. For this purpose, we process your name and e-mail address. When you register for our newsletter, we use the double opt-in procedure. This means that after you have registered with your e-mail address, we will send you an e-mail to the specified e-mail address in which we ask you to confirm that you actually wish to receive the newsletter.
The legal basis for sending our information is Art. 6 para. 1 lit. a) GDPR.
3.4 Storage Period
We delete the data collected and stored in connection with the creation of your Mitte account at the latest when you delete your Mitte account. However, a premature deletion of your personal data is not possible if and to the extent that your data is still required to process an order you placed.
Irrespective of this, we store your data processed during the purchase of our products until the expiry of the statutory or possible contractual warranty rights. After the expiry of this period, we retain the information of the contractual relationship required under commercial and tax law for the periods determined by law. For this period, the data is processed again solely in the event of an audit by the tax authorities.
3.5 Website Optimization
Most browsers accept cookies automatically. However, you can set your browser so that no cookies are stored on your computer or so that a message always appears before a new cookie is set. However, we would like to point out that in this case you may not be able to use all functions of this website to their full extent.
The activation of cookies is necessary for the smooth functioning of the website. We therefore have a legitimate interest in their use. The legal basis for the associated data processing is therefore Art. 6 para. 1 lit. f) GDPR.
(b) Google Analytics and Google Tag Manager
For the analysis of your use of our website, we use "Google Analytics" together with "Google Tag Manager" and "Google Ads", services of companies of the Google LLC group, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"), on the basis of a data processing agreement pursuant to Art. 28 GDPR.
The storage of Google Analytics cookies and the use of this analysis tool are based on your express consent pursuant to Art. 6 para. 1 lit. a) GDPR. Your consent can be revoked at any time.
You have the option to prevent the storage of cookies by changing the settings of your browser accordingly. You can also prevent the data generated by the cookie and related to your use of the website (including your IP address) from being collected and sent to Google, and prevent the processing of this data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
(c) Microsoft Clarity
Furthermore, we use the service "Clarity" to optimize our service and the user experience. The service is provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Clarity is a service that helps us better understand our users' experiences (e.g., how much time you spend on which pages, which links you click, what you like and do not like).
The data processing by Clarity is based on your explicit consent according to Art. 6 para. 1 lit. a) GDPR.
If you would like to read more about Microsoft Clarity and how Microsoft processes your data, please visit: https://privacy.microsoft.com/en-us/privacystatement.
4 Recipient of Personal Data
To process your personal data, we sometimes use the services of external service providers (IT providers, carriers, payment service providers, analytics tools). In part, these third parties act as Data Controllers, in part they act in the function of a Processor on our behalf and according to our instructions pursuant to Art. 28 GDPR.
4.1 Payment Service Provider
If you choose a payment method offered via the payment service provider "Stripe", the payment processing will be carried out via Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, to whom we will pass on your information provided during the ordering process together with the information about your order (name, address, account number, bank code, possibly credit card number, invoice amount, currency and transaction number) in accordance with Art. 6 (1) lit. b GDPR. Your data will only be passed on for the purpose of processing payments with Stripe Payments Europe Ltd. and only to the extent necessary for this purpose. You can find more information on the data protection of "Stripe" at the following Internet address: https://stripe.com/de/privacy#translation.
(b) Apple Pay
If you choose the payment method "Apple Pay" of Apple Distribution International ("Apple"), Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, the payment processing is carried out via the "Apple Pay" function of your device running iOS, watchOS or macOS by charging a payment card deposited with "Apple Pay". Apple Pay uses security functions integrated into the hardware and software of your device to protect your transactions. For the release of a payment, the entry of a code previously defined by you as well as the verification by means of the "Face ID" or "Touch ID" function of your terminal device is therefore required.
For the purpose of payment processing, the information you provide during the ordering process, together with information about your order, is passed on to Apple in encrypted form. Apple then encrypts this data again with a developer-specific key before the data is transmitted to the payment service provider of the payment card stored in Apple Pay to carry out the payment. The encryption ensures that only the website through which the purchase was made can access the payment data. After the payment has been made, Apple sends your device account number and a transaction-specific, dynamic security code to the source website to confirm the success of the payment.
If personal data is processed during the described transfers, the processing is carried out exclusively for the purpose of payment processing in accordance with Art. 6 para. 1 lit. b) GDPR.
Further information on data protection with Apple Pay can be found at the following Internet address: support.apple.com/en/HT203027
We also offer you the option of payment by "purchase on account" via the service "Klarna" of Klarna AB, Sveavägen 46, 111 34 Stockholm, Sweden. If you decide to purchase on account, as part of your agreement with Klarna, you will transmit to Klarna the personal data (first and last name, address, date of birth, gender, e-mail address, IP address, telephone number) necessary for the processing of the purchase on account and an identity and credit check, as well as the data necessary for the processing of the purchase on account (number of items, item number, invoice amount and taxes). This data is collected so that Klarna can perform an identity and credit check and issue an invoice for the processing of your purchase. With regard to the identity and credit check, Klarna may obtain information from credit agencies.
In the context of deciding on the payment option purchase on account, Klarna also uses, apart from an address check, information about your past payment behavior as well as probability values about this behavior in the future. The calculation of these score values by Klarna is based on a scientifically recognized mathematical statistical method. For this purpose, Klarna will also use your address data, among other things.
The transfer of your data to Klarna takes place on the basis of Art. 6 para. 1 lit. b) GDPR for the purpose of processing your purchase with us.
4.2 Customer Support
We use the ticket system "Zendesk", a customer service platform of Zendesk Inc., 989 Market Street 300, San Francisco, CA 94102, to process customer inquiries. For this purpose, necessary data such as name, first name, address, telephone number, e-mail address are collected via our website in order to be able to answer your inquiry. We have concluded a data processing agreement with Zendesk in accordance with Art. 28 GDPR.
5 Transfer of Data to Third Party Countries
In the course of our activities, your personal data may be transferred or disclosed to other companies. These may also be located outside the European Economic Area (EEA), i.e. in third countries. This concerns the use of the following services:
(a) Google: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
(b) Microsoft: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.
(c) Zendesk: Zendesk Inc., 989 Market Street 300, San Francisco, CA 94102.
In the context of the transfer of personal data to a third country, we will regularly ensure through appropriate safeguards that a transfer of data to a third country only takes place on the basis of a level of protection that complies with the GDPR.
To the extent that data is transferred to a third country, in particular the USA, when using the services mentioned under this section, for which there is no adequacy decision by the Commission, this will be done on the basis of standard contractual clauses pursuant to Art. 46 para. 2 lit. c) GDPR in conjunction with appropriate technical and organizational measures to protect your data.
A copy of the standard contractual clauses or further information on the standard contractual clauses used can be found on the respective websites of the service providers we use:
(a) Google: https://privacy.google.com/businesses/processorterms/mccs/
(b) Microsoft: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
(c) Zendesk: http://www.zendesk.com/company/privacy
6 Data Security
All personal data transmitted by you is transferred using the secure and proven SSL (Secure Sockets Layer) standard, which is also used for online banking, for example. We also use appropriate technical and organizational security measures to protect stored personal data against manipulation, partial or complete loss and unauthorized access by third parties. Our security measures are continuously improved in line with technological developments. In particular, we ensure that sensitive personal data is only stored on servers hosted in the EU that are certified in accordance with DIN ISO/IEC 27001 (as amended from time to time).
7 Your Rights
In relation to our processing of your personal data, you have the following rights free of charge:
7.1 Right to Information pursuant to Art. 15 GDPR
You have the right to receive information from us about whether and which data we process about you. This includes information on how long and for what purpose we process the data, the source of the data and the recipients or categories of recipients to whom we pass on the data. We can also provide you with a copy of this data.
7.2 Right to Rectification pursuant to Art. 16 GDPR
You have the right to request that we rectify information about you that is not or no longer accurate without delay. In addition, you can request that we complete your incomplete personal data. If required by law, we will also inform third parties of this rectification if we have disclosed your personal data to them.
7.3 Right to Deletion pursuant to Art. 17 GDPR
You have the right to request that we delete your personal data without delay if one of the following cases applies:
• Your data is no longer necessary for the purposes for which it was collected or otherwise processed or the purpose has been achieved;
• You withdraw your consent and there is no other legal basis for the processing;
• You object to the processing and there are no prevailing legitimate grounds for the processing; in the case of the use of personal data for direct marketing, a mere objection by you to the processing is sufficient;
• Your personal data has been processed unlawfully;
• The deletion of your personal data is necessary to comply with a legal obligation under European Union law or the law of a member state to which we are subject.
Your right to deletion may be restricted on the basis of statutory provisions. This includes in particular the restrictions listed in Article 17 GDPR and Section 35 Federal Data Protection Act (BDSG).
7.4 Right to the Restriction of Processing pursuant to Art. 18 GDPR
You have the right to request us to restrict the processing of your personal data if one of the following reasons applies:
• you dispute the correctness of your personal data for a period of time that allows us to verify the correctness of the personal data;
• the processing is unlawful and you object to the deletion of the personal data and request instead the restriction of the use of your personal data;
• we no longer need your personal data for the purposes of processing; however, you need them for the assertion, exercise or defence of legal claims, or
• you have objected to the processing as long as it has not yet been determined whether our legitimate reasons outweigh yours.
If you have obtained a restriction on processing under the above list, we will inform you before the restriction is withdrawn.
7.5 Right to Data Portability pursuant to Art. 20 GDPR
You have the right to obtain personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and to transmit this data to others. The exercise of this right does not affect your right to deletion.
7.6 Right to Object pursuant to Art. 21 GDPR
According to Art. 21 GDPR, you have in particular the right to object to the processing of your data at any time on the grounds of your particular situation, if we base this processing on legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR. If you object, we will no longer process your personal data, except in two cases:
• We can prove that there are compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms; or
• the processing serves the assertion, exercise or defence of legal claims.
In particular, if we process your personal data for direct marketing, you have the right to object at any time to the processing of your data for the purpose of such marketing. If you object to the processing of your data for direct marketing purposes, we will no longer use your personal data for this purpose.
7.7 Right of Withdrawal of Consent pursuant to Art. 7 GDPR
You can withdraw your consent given to us at any time with effect for the future. This withdrawal can be made in the form of an informal notification to the above-mentioned contact addresses. If you withdraw your consent, the legitimacy of the data processing carried out up to that point will not be affected.
7.8 Right to file a Complaint with the Supervisory Authority
If you believe that the processing of your data by us violates applicable data protection law, you have the right to file a complaint with one of the competent supervisory authorities. The supervisory authority responsible for us is:
Berlin Commissioner for Data Security and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit)
Telephone: 030 13889-0
Fax: 030 2155050