Privacy Policy

Last updated: February 2024

This Privacy Policy describes our policies and procedures for collecting, using and disclosing your personal information when you use our website, or one of our shopping Apps are interested in our products, contact us through various channels (by phone, email, social media or other channels) or are already our customer. It informs you about your data protection rights and how the law protects you.

Controller

I. Name and contact details

The controller within the meaning of the GDPR (General Data Protection Regulation), the national data protection laws of the member states and other data protection legislation is the:

Waterdrop Microdrink GmbH
Erika-Krenn Promenade 15
1100 Vienna
Austria
E-mail: info@waterdrop.com

These data protection provisions apply to the Internet offering of Waterdrop Microdrink GmbH, which can be accessed under this domain and the various subdomains ("our websites" or "web presence") as well as our shopping Apps.

II. Data Protection Officer

For enquiries relating to data protection and the exercise of your rights (see point XXV), please contact our data protection officer at privacy@waterdrop.com or by post at the above address with the addition of "attn. data protection officer".

General information on data processing

III. What is personal data?

Personal data is any information relating to an identified or identifiable natural person ("data subject"). This includes individual details about personal or factual circumstances such as your name, address, telephone number, date of birth, e-mail address or health data (e.g. information about current or chronic illnesses, intolerances, allergies, blood sugar levels). On the other hand, information for which we cannot establish a link to your person (or can only do so with a disproportionate effort) is not personal data.

Scope of the processing of personal data

As a matter of principle, we collect and use personal data of our users only insofar as this is necessary for the provision of functional websites, our shopping Apps, and our content as well as for the provision of our services. We use your personal data to deliver our products and services, to inform you about news and offers, to answer your questions and to operate and improve our websites, apps and offers.

The collection and use of personal data of our users is only carried out according to the corresponding legal basis within the meaning of the GDPR, e.g. after consent. Further details on the various processing operations can be found below in this privacy policy under the respective processing.

Your personal data will not be used for any other purpose. Without your consent, your personal data will not be transferred to third parties or used for advertising purposes, except in the cases described below, unless we are legally obliged to disclose data.

Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for processing operations of personal data, Art 6 (1) lit a GDPR serves as the legal basis. For the processing of health data, explicit consent is obtained in accordance with Art 9 (2) lit a GDPR (e.g. by ticking a box or selecting technical settings).

For the processing of personal data that is necessary for the performance of a contract to which the data subject is a party (e.g. ordering our products), Art 6 para 1 lit b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.

Insofar as the processing of personal data is necessary for the fulfilment of a legal obligation to which our company is subject (e.g. accounting obligation), Art 6 (1) lit c GDPR serves as the legal basis.

If the processing is necessary to protect a legitimate interest of our company or a third party (e.g. fraud prevention, direct advertising, IT security) and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art 6 (1) lit f GDPR serves as the legal basis for the processing.

Data deletion and storage period

The personal data of the data subject shall be deleted or blocked as soon as the purpose of the storage no longer applies. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need to continue storing the data for the conclusion or performance of a contract, or for the assertion, exercise or defence of legal claims.

Collection and use of your personal data when using our website and shopping Apps

If you wish to make use of the contents and services offered by us on our website, or shopping Apps such as ordering our products, it is necessary for you to provide further data. Details can be found below in the description of the specific data processing procedures.

VII. Provision of the websites and creation of log files

When you access our website, the browser used on your terminal device automatically sends information to our website server. This information is temporarily stored in a so-called log file.
The following information is collected and stored until automated deletion:

IP address of the requesting computer,
Date and time of access,
Name and URL of the retrieved file,
Volume of data transferred,
Message whether the retrieval was successful,
Website from which the access is made (referrer URL),
browser used and, if applicable,
the operating system of your computer as well as the
Name of your access provider.

The log files contain IP addresses or other data that allow an assignment to a user. This data is not stored together with other personal data of the user.
The above data will be processed by us for the following purposes:

Ensuring a smooth connection of the websites,
Ensuring a comfortable use of our websites,
Reviewing and ensuring system security and stability, and
for other administrative purposes.

In no case do we use the collected data to draw conclusions about your person.
The legal basis for the temporary storage of the data and the log files is Art 6 (1) lit f GDPR. Our legitimate interest follows from the aforementioned purposes of data collection. We delete this data after 30 days at the latest. The collection of this data is absolutely necessary for the operation of the website. Consequently, the user does not have the option to object.

VIII. Webshop and shopping Apps

We offer you the possibility to order our products on our websites and our shopping Apps. To process an order, we process your personal data. The data is entered in an input mask, transmitted to us and stored. The following data is collected during the ordering process:

Last name, first name
E-mail address
Country/Region
Company (optional)
Delivery address
Invoice address
Telephone number (optional)
Membership in the waterdrop® Club ("user ID" and password) (optional)
Order data (data on transactions or orders)
Payment method

We use the data you provide for ordering products exclusively for the fulfilment and processing of your order. Within the scope of your order, you will receive a corresponding confirmation as well as further documents and information by email in order to comply with our legal information obligations for an effective conclusion of a contract with you.

Your data will be passed on to the shipping company commissioned with the delivery, insofar as this is necessary for the delivery of the goods (see point XVIII below).

Payments are processed by credit institutions and payment service providers. The credit institution or payment service provider commissioned with the payment uses your payment information. These companies may only use your data for order processing and not for any other purposes (see point XVIII below). We only see which payment method you have selected.

If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, Article 6 (1) lit. b GDPR serves as the legal basis. If the processing of personal data is necessary for the fulfilment of a legal obligation (e.g. fulfilment of information obligations in the case of consumer contracts or tax law retention obligations), Art 6 (1) lit c GDPR is also the legal basis for the data processing.

Your data will be kept for 3 years after your (last) order and beyond that until the statutory retention periods expire. If you use a subscription (see item 5. ABOS in our General Terms and Conditions, https://www.waterdrop.de/pages/agb), your data will be kept for 3 years after the cancellation of the subscription. The retention period begins on 01.01. of the year following the order or cancellation. After that, your data will be deleted unless you have expressly consented to its further use.

Customer reviews, comments and other contributions

In order to make our website more interactive, we offer you the opportunity to share experiences and ratings (https://www.waterdrop.de/pages/bewertungen) as well as to leave comments and other contributions and invite you to do so.
If you make a contribution, we will collect the following personal data:

First name
E-mail address
Your message

We therefore also process those personal data that you voluntarily provide to us in the context of the contribution. The processing of personal data is based on your consent in accordance with Art 6 (1) lit a GDPR. You can revoke your consent at any time free of charge without giving reasons by sending an e-mail to privacy@waterdrop.com or delete your contribution. This does not affect the lawfulness of the processing that took place until you revoked your consent.
After revocation of consent, the personal data will be stored for another 6 months for the purpose of legal defence. The legal basis for this is Art 6 (1) lit f GDPR.

In addition, the IP address of the requesting computer and other technical data are stored on the basis of our legitimate interests pursuant to Art 6 (1) lit f GDPR and deleted after 30 days at the latest (see point VII).

The stored data may be used to identify you if your posts contain illegal content (insults, harassment, hate speech, prohibited political propaganda, etc.). Your obligations with regard to the content you publish are described in more detail in our terms of use, which you can access here: https://www.waterdrop.de/pages/nutzungsbedingungen.

Collection and use of your personal data in customer relationship management

We process your personal data when you place an order or are interested in our products and contact us. Customer relationship management ("CRM") includes practices, policies and IT systems used to manage and analyse customer interactions and data throughout the customer lifecycle. Please find below the description of the specific data processing operations and further details.

Customer management, order management and processing

Within the framework of customer management and order management and processing, your personal data is processed for the following purposes:

Support and management of customers who order products via the webshop (D2C - direct to consumer) and business customers (B2B - business to business)
Managing potential customers and business opportunities
Preparation of offers
Implementation and administration of contractually agreed deliveries or services with the help of a customer database, incl. the use of merchandise management systems
Deliveries and dispatch of goods with the help of logistics service providers
Contract management
Fraud prevention
Assertion, exercise or defence of legal claims
Customer contact
Exhibition stand support
Customer contact reporting and related task management and business development reporting

The data processed can be grouped into the following categories:

Last name, first name
E-mail address
Country/Region
Company (optional)
Delivery address
Invoice address
Telephone number (optional)
Membership of the waterdrop® Club ("user ID" and password) (optional)
Purchase and order history, including data on exchange of goods and other order data (e.g. data on transactions)
Payment method
Supplementary data that you provide directly to us via questionnaires such as age, gender, household size, data on water drinking behaviour and other drinking habits (e.g. caffeine consumption, drink preferences, preferred flavours) and any relevant medical conditions (e.g. diabetes, etc.).

When processing personal data that is required for the fulfilment of a contract or for the implementation of pre-contractual measures, Art 6 (1) lit b GDPR serves as the legal basis. The legal basis for the processing of personal data when using (extended) functionalities of the customer database and other CRM software is the overriding legitimate interest of our company pursuant to Art 6 (1) lit f GDPR in the most efficient customer management possible. Technical and manual procedures for fraud prevention are carried out in order to protect us and our users from the misuse of your data, in particular through fraudulent orders. There is an overriding legitimate interest of our company in the implementation in accordance with Art 6 (1) lit f GDPR. If you voluntarily provide us with health data in surveys (questionnaires), the data processing is based on your consent in accordance with Art 6 (1) lit a in conjunction with Art 9 (2) lit a GDPR. Art 9 (2) lit a GDPR. Finally, we process your personal data for the exercise of our rights and for legal defence on the basis of our overriding legitimate interest pursuant to Art 6 (1) lit f GDPR or Art 9 (2) lit f GDPR. If you wish to exercise your right of objection, simply send an e-mail to privacy@waterdrop.com (see point XXIV).

Your data will be stored for 3 years after collection or until your justified objection, and beyond that until expiry of the statutory retention periods. In the case of an ongoing business relationship, your data will be stored until the end of the business relationship and beyond for 3 years. The retention period begins on 01.01. of the year following your collection or termination of the business relationship.

Insofar as the processing of personal data is based on your consent pursuant to Art 6 (1) lit a GDPR, you may revoke your consent at any time free of charge without stating any reasons by sending an email to privacy@waterdrop.com. The lawfulness of the processing carried out until the revocation of consent is not affected by this. After revocation of consent, the personal data will be stored for another 6 months for the purpose of legal defence. The legal basis for this is Art 6(1) lit f GDPR.

Sales, including customer loyalty and advertising measures

We process personal data for the preparation and implementation of marketing and advertising activities, in particular to advertise services offered, maintain existing business contacts and prepare the initiation of future contracts. In our sales activities, we process the following data:

Last name, first name
E-mail address
Country/Region
Company (optional)
Delivery address
Invoice address
Telephone number (optional)
Membership of the waterdrop® Club ("userID" and password) (optional)
Purchase and order history, including data on exchange of goods and other order data (e.g. data on transactions)
Payment method

The legal basis for the processing of your data is our overriding legitimate interest pursuant to Art 6 (1) lit GDPR. This consists of the acquisition of new customers and the maintenance of existing customer relationships in order to be able to market and distribute the products and services offered.

Your data will be stored for 3 years after your last contact with us or until your justified objection, and beyond that until the statutory retention periods expire. If you wish to exercise your right to object, simply send an e-mail to privacy@waterdrop.com (see point XXIV). The retention period begins on 01.01. of the year following your last contact with us.

For our customer loyalty and advertising measures that are to be regarded as direct advertising, see points XIV to XVI below.

We also process your data to compile statistics to improve our products and services. In this processing, your data is pseudonymised and not evaluated on an individual customer basis or used to predict your personal preferences. This processing is therefore based on our overriding legitimate interest (Art 6 (1) lit f GDPR). If you wish to exercise your right to object, simply send an e-mail to privacy@waterdrop.com (see point XXIV).

XII. Customer care and contact

In the context of customer support services, the processing of personal data is necessary for the following purposes:

Maintaining customer relationships
Customer advisory service
Customer communication and assistance
Customer loyalty measures and acquisition
Complaint management
Complaints and revocation management
Provision of information to data subjects and fulfilment of other rights of data subjects
Recording of customer calls for training and quality assurance purposes

You have the option of contacting us in several ways. If you contact us by e-mail, telephone or post, we use the personal data that you voluntarily provide to us in this context, as well as data about the contact (e.g. contact channel, categorisation of transactions), in order to contact you and process your enquiry.

You are welcome to contact us via the help centre on our websites (https://www.waterdrop.de/pages/hilfe-center#/). This also requires the processing of personal data. When using the contact form, we process the following data:

Name
E-mail address
Telephone number (optional)
Address (street, house number, postcode, city, country)
Details of your order (order number and additional information)
Your message to us
Additional information (optional)

The aforementioned data is processed for the purpose of responding to your enquiries. The processing is based on our legitimate interest to clarify your questions and concerns and to document the result of the processing in case of queries (Art 6 (1) lit f GDPR). If you wish to exercise your right to object, simply send an e-mail to privacy@waterdrop.com (see point XXIV).

If the enquiry serves the purpose of fulfilling, processing or initiating a contract, Art 6 (1) lit b GDPR is also the legal basis for the processing. If we are legally obliged to answer and/or document your enquiries, e.g. in the case of enquiries under data protection law, Art 6 (1) lit c GDPR is the relevant legal basis. Furthermore, we obtain your consent when recording customer calls (Art 6 (1) lit a GDPR).

Your data will be deleted after 3 years in the case of product-related enquiries, 1 year after the reply in the case of information procedures and the assertion of other data subject rights, and after the matter has been dealt with in the case of other contact enquiries via the web form.

XIII. waterdrop® group of companies

The waterdrop® group of companies ("Group") distributes its products through Waterdrop Microdrink GmbH, Waterdrop's parent company based in Austria (see item I), and through a network of distribution and joint venture companies in several other countries. The relevant companies of the group are:

Waterdrop Netherlands B.V. (Netherlands)
Waterdrop Belgium Ltd (Belgium)
Waterdrop Italia S.R.L. (Italy)
Waterdrop Microdrink Deutschland GmbH (Germany)
Waterdrop France SAS (France)
Waterdrop Microdrink Ltd (UK)
Waterdrop Microdrink LLC (USA)
Waterdrop Microdrink SEA PTE LTD (Singapore)
Waterdrop CEE s.r.o (Czech Republic)
Waterdrop ANZ Pty Limited (Australia)

Each company is responsible for collecting and storing the data of its customers and potential customers. However, these sales and joint venture companies may transfer the personal data they collect to Waterdrop Microdrink GmbH for the purpose of customer relationship management.

In these cases, the transmitted data will be processed by Waterdrop Microdrink GmbH and the respective transmitting sales or joint venture company in joint responsibility for purposes of customer relationship management.

The legal basis for the transmission of the data and its processing by Waterdrop Microdrink GmbH is the overriding legitimate interest of our group of companies in the efficient design of customer relationship management and optimisation of internal administrative processes (Art 6 (1) lit f GDPR).

To guarantee your rights and to fulfil our information obligations, we have concluded an agreement taking into account the requirements of the GDPR.
In order to receive a summary of the essential contents of the agreement on the processing of personal data in joint responsibility as well as for further enquiries or to assert your rights for the processing of these personal data within the joint responsibility, e.g. the right to object, please contact our data protection officer at privacy@waterdrop.com or by post to the address given above with the addition of "Attn. data protection officer" (see point II).

Collection and use of your personal data in our marketing activities

We offer our customers and other users of our website personalised information on various topics. In addition, you can find further content and offers on our website that serve to market our products. In order to be able to offer these, we need your personal data. Details can be found below in the description of the specific data processing procedures.

XIV. Personalised news

There is the possibility to subscribe to news free of charge. When you subscribe, the data from the input mask is transmitted to us. In order to keep you regularly updated with exciting news tailored to your personal interests, we require the following personal data in addition to your consent:

Last name, first name
Birthday (optional)
E-mail address
Delivery addressInvoice address
Telephone number
Purchase and order history, including data on exchange of goods and other order data (e.g. data on transactions)
Payment method
IP address of the requesting computerDate and time of registration
Usage behaviour (e.g. opening and click rates of newsletters, reactions to campaigns, use of our website)

As long as required by law we use the so-called double opt-in procedure for registration, i.e. we will only send you news if you first confirm your registration via a confirmation e-mail sent to you for this purpose using the link contained therein. In this way, we want to ensure that only you can register as the owner of the e-mail address you have provided. Your confirmation in this regard must be made promptly after receipt of the confirmation e-mail, otherwise your registration will be automatically deleted from our database.

If you have given us your consent, we will send you information about interesting offers, current promotions, products, services, quizzes, challenges and competitions at regular intervals by e-mail, SMS, MMS, push messages, messages via apps and messengers as well as post tailored to your interests. In addition, we may contact you for customer surveys (e.g. Post-Purchase Surveys and Customer Satisfaction Enquiries) and as part of customer care (e.g. reminders, product re-availability messages), invite you to submit reviews and wish you a happy birthday.

We optimise and personalise our information about offers, products and services as well as customer surveys and other messages as part of customer care. For the purpose of personalisation, we analyse your usage behaviour with automated data processing procedures in order to gain new insights. This procedure is data profiling according to Art 4 No. 4 GDPR. By creating a personal user profile, we want to tailor our advertising approach to your interests and make our offers more relevant to you. This means that you will only receive information compiled specifically for you. Thus, we will not send you content that is unlikely to be of interest to you.

In order to improve our website and advertising campaigns and to inform you about interesting offers, current promotions, products, services, quizzes, challenges and competitions, we work together with selected marketing partners (see point XVIII).

The processing of personal data takes place voluntarily on the basis of your consent in accordance with Art 6 (1) lit a GDPR. The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. Accordingly, they will be stored for as long as you subscribe to our news.

You can revoke your consent at any time free of charge and without giving reasons by sending an e-mail to privacy@waterdrop.com or via the unsubscribe link in the respective message. The lawfulness of the processing carried out until the revocation of consent is not affected by this. After revocation of consent, the personal data will be stored for another 6 months for the purpose of legal defence. The legal basis for this is Art 6 (1) lit f GDPR.

Furthermore, we would like to point out that we can also keep you up to date with exciting news without your consent if you are one of our existing customers. If we have received your e-mail address in connection with the sale of a product or service and you have not objected to this, we reserve the right to regularly send you offers for similar products from our range by e-mail. This serves to protect our overriding legitimate interests in addressing our customers in an advertising manner. You can object to this use of your e-mail address at any time, free of charge and without giving reasons, by sending an e-mail to privacy@waterdrop.com or by clicking on the unsubscribe link in the respective message (see point XXIV).

Membership of the waterdrop® Club

We offer users the opportunity to register with waterdrop® Club and create a free account. Members receive exclusive offers and benefits such as club-only vouchers, collect points that can be redeemed for rewards such as unique and high-quality accessories when ordering, and take part in exclusive competitions and challenges. The account also allows you to manage your addresses and view your purchase and order history. For more information, please refer to our General Terms and Conditions, item 15. waterdrop® CLUB, available at https://www.waterdrop.de/pages/agb.

When registering, the required data is entered into an input mask and transmitted to us and stored. As long as required by law we use the so-called double opt-in procedure, i.e. your account is only created when you confirm a confirmation e-mail sent to you for this purpose via the link contained therein. This is to ensure that only you can register as the owner of the e-mail address provided. Your confirmation in this regard must be made promptly after receipt of the confirmation e-mail, otherwise your registration will be automatically deleted from our database. After your initial registration, we also offer you the so-called "Remember Me" function to recognise your account.

We collect further data in the course of your membership when you use your account and our offers. We process the following personal data:

First name, last name
Birthday (optional)
E-mail address
Delivery address
Invoice address
Telephone number
Purchase and order history, including data on exchange of goods and other order data (e.g. data on transactions)
Loyalty points
Payment method
IP address of the requesting computer
Date and time of registration (login and respective access) and password
Usage behaviour (e.g. opening and click rates of newsletters, reactions to campaigns, use of our website)

We use this data to enable you to participate in waterdrop® Club and to provide you with the associated benefits and content. We process your date of birth in order to check the minimum age required for participation in waterdrop® Club in individual cases, as well as to be able to offer you further benefits from waterdrop® Club if necessary. In addition, you will receive information that is necessary for participation in waterdrop® Club, for example a registration confirmation, updated terms and conditions of participation as well as information on the benefits granted via waterdrop® Club.

If you have given us your consent, we will send you information about interesting offers, current promotions, products, services, quizzes, challenges and competitions at regular intervals by e-mail, SMS, MMS, push messages, messages via apps and messengers and post tailored to your interests. In addition, we may contact you for customer surveys (e.g. post-purchase surveys and customer satisfaction enquiries) and as part of customer care (e.g. reminders, messages about product re-availability), invite you to submit reviews and wish you a happy birthday. Furthermore, this data is processed for the purpose of handling the customer loyalty programme as well as competitions and challenges (participation, contacting and, if applicable, notification and transmission of the prize).

We optimise and personalise our information about offers, products and services as well as customer surveys and other messages as part of customer care, customer loyalty measures, competitions and challenges. For the purpose of personalisation, we analyse your usage behaviour with automated data processing procedures in order to gain new insights. This procedure is data profiling according to Art 4 No. 4 GDPR. By creating a personal user profile, we want to tailor our advertising approach to your interests and make our offers more relevant to you. This means that you will only receive information compiled specifically for you. Thus, we will not send you content that is unlikely to be of interest to you. For the creation of personalised information, the aforementioned personal data will be merged with the data already provided and stored in your customer profile.

The processing of personal data takes place voluntarily on the basis of your consent in accordance with Art 6 (1) lit a GDPR. The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. They will therefore be stored for as long as your membership of the waterdrop® Club remains valid.

Membership in the waterdrop® Club and consent to the processing of personal data can be revoked at any time free of charge without giving reasons by sending an e-mail to privacy@waterdrop.com. In this case, your account will be deleted and you will no longer be able to enjoy the benefits. A (further) membership in the waterdrop® Club is not (any longer) possible if you do not give or revoke your consent. In addition, your consent to be contacted for the purposes outlined above can be revoked separately via the unsubscribe link in the respective message. In this case, your membership in the waterdrop® Club will remain valid and your account will continue to exist. You can continue to collect points when shopping and for selected other activities and redeem them when placing orders, as well as manage your addresses and view your purchase and order history. However, you will no longer receive promotional messages from us. In both cases, the revocation does not affect the lawfulness of the processing until the revocation. After revocation of consent, the personal data will still be stored for 6 months for the purpose of legal defence. The legal basis for this is Art 6 (1) lit f GDPR.

Furthermore, we can detect errors in the log-in process by means of specific error codes (e.g. an account already exists where the e-mail address entered is stored, the password is incorrect or there is a technical error). Based on this, we will show you the corresponding error messages. The legal basis for the associated data processing is our overriding legitimate interest (Art 6 (1) lit f GDPR), in the security of our IT systems and customer support.

XVI. Further advertising measures

Challenges and competitions

If you participate in a challenge or competition organised by us, your personal data will be processed for the purpose of carrying out the challenge or competition. As a rule, the following data is processed for the implementation and handling of the challenge or competition (participation, contacting and, if applicable, notification and transmission of the prize):
The categories of data processed are:

First name, last name
Birthday (optional)
E-mail address
Address
Telephone number (optional)
Supplementary data (optional) that you provide directly to us such as age, gender, household size, data on water drinking behaviour and other drinking habits (e.g. caffeine consumption, drink preferences, preferred flavours) and any relevant medical conditions (e.g. diabetes, etc.).

If we cooperate with selected marketing partners for a challenge or a competition, we may pass on your data to them (see item XVIII).
The cooperation partners, the categories of personal data used in individual cases and other relevant information will be specified in the conditions of participation of the respective challenge or competition.

The processing of personal data takes place voluntarily on the basis of your consent in accordance with Art 6 (1) lit a GDPR. Your data will be deleted no later than 12 months after the end of the competition, unless a longer period is specified in the competition or a longer retention period is required by law.
You can revoke your consent at any time free of charge and without giving reasons by sending an email to privacy@waterdrop.com. The lawfulness of the processing carried out up to the revocation of consent is not affected by this. (Further) participation in the challenge or the competition is not (no longer) possible if you do not give or withdraw your consent. After revocation of consent, the personal data will be stored for another 6 months for the purpose of legal defence. The legal basis for this is Art 6 (1) lit f GDPR.

Provided you have given us your consent, your first name, surname and, if applicable, place of residence may be published on our websites or social media in the event of a win. Otherwise, publication will take place in anonymised form (for example, Martin M. from Vienna).

XVII. Web tracking, analysis and plugins

Cookies, embedded content and scripts

Our websites use a variety of technologies to provide you with an optimal user experience, in particular cookies, scripts and embedded content (hereinafter: technologies) Cookies are files that do not cause any damage to your terminal device. They are stored either temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your end device. Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your end device until you delete them yourself or until they are automatically deleted by your web browser.

In addition, we also use scripts on our websites to provide other functionalities, e.g. for statistical evaluation of our websites or to protect against bots.
In some cases, cookies and scripts from third-party companies may also be stored on your terminal device when you enter our site (e.g. third-party cookies). These enable us or you to use certain services of the third-party company (e.g. cookies for range measurement or integration of third-party content). In addition, we integrate third-party content in order to offer you a diverse range of services on our websites (e.g. videos, streams, etc.).

The aforementioned technologies have various functions. Many technologies are technically necessary, as certain website functions would not work without them (e.g. the shopping cart function or the display of videos). Other technologies are used to evaluate user behaviour or display advertising. Technically necessary technologies are stored on the basis of Art 6 (1) lit f GDPR, unless another legal basis is specified. The website operator has a legitimate interest in the use of these technologies for the technically error-free and optimised provision of its services.

For technically unnecessary technologies, consent is obtained (Art 6 (1) lit a GDPR). If consent to the storage of cookies has been requested, the cookies in question are stored exclusively on the basis of this consent. The consent can be revoked at any time with effect for the future. Further information on cookie consent can be found immediately below.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If you deactivate cookies, the functionality of our websites may be limited. You can find out about this option for the most commonly used browsers via the following links:

Microsoft Internet Explorer and Microsoft Edge: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies
Mozilla Firefox: https://support.mozilla.org/de/kb/Cookies-blockieren
Google Chrome: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3D Desktop&hl=en
Safari: https://support.apple.com/de-de/guide/safari/sfri11471/mac

Consent with OneTrust

This website uses OneTrust's Consent Management Platform (CMP) to enable privacy-compliant use of certain cookies, scripts or embedded content. In particular, various technologies can be integrated via OneTrust and managed on the basis of legitimate interest or consent. Information on the technologies used on our websites can also be integrated via OneTrust.
The provider of this technology is OneTrust Technology Limited, 82 St John St, Farringdon, London EC1M 4JN, United Kingdom (UK), with offices in Germany at Mühldorfstraße 8, 81671 Munich, website: https://www.onetrust.de/ ("OneTrust").

When you enter our website, the following personal data is transferred to OneTrust:

Your consent(s) or the revocation of your consent(s)
Your IP address
Information about your browser
Information about your terminal
Time of your visit to the website

Furthermore, OneTrust stores a cookie in your browser in order to be able to allocate the consents granted to you or their revocation. The data collected in this way is stored until you request us to delete it, delete the OneTrust cookie yourself or the purpose for storing the data no longer applies. Mandatory legal retention obligations remain unaffected.

OneTrust is used to obtain the legally required consent for the use of certain technologies. The legal basis for this is Art 6 (1) lit c GDPR. This is subdivided into absolutely necessary cookies, performance cookies, performance cookies and targeting cookies. You can change the cookie settings at any time by clicking on "Change cookie consent" at the bottom of our web pages.

We have concluded an order processing contract with OneTrust. This is a contract required by data protection law, which ensures that OneTrust only processes the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.

Further information about the service can be found at https://www.onetrust.de/. OneTrust's privacy policy is available at https://www.onetrust.de/datenschutzerklaerung/.

Technologies used on our websites:

Information about the technologies we use, in particular about the processing purposes, legal bases, transfers and possible data transfers to third countries can be found on our OneTrust consent management platform. To do so, click on "Manage Consent Preferences" when you first access the page. You can access the information again at any time by clicking on "Change cookie consent" in the footer of our websites.

Revocation of consent and right to object:

You can revoke the consent given via OneTrust at any time with effect for the future. Please note, however, that certain functionalities may then no longer be offered. To revoke your consent, click on "Change cookie consent" in the footer of our websites and then make the desired settings.

If the processing is based on a legitimate interest, you can object via OneTrust by adjusting the settings accordingly (see above). If the corresponding settings options are not available, your right to object is limited because there are compelling reasons worthy of protection for the necessity of the processing, see Art 21 (1) sentence 2 GDPR. This is particularly the case with security-relevant services.

Analysis of website use, shopping App use and statistics

In order to understand how our websites are used, to optimise our offer and to be able to display user-specific content, we use technologies for usage analysis.
We use Google Analytics, a web tracking service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). The purpose of our use of the tool is to enable the analysis of your user interactions on websites and in apps and to improve our offer through the statistics and reports obtained and to make it more interesting for you as a user.
We primarily record the interactions between you as a user of the website and our website using cookies, device/browser data, IP addresses and website or app activities. Google Analytics also collects your IP addresses to ensure the security of the service and to provide us, as the website operator, with information about which country, region or location the respective user comes from (so-called "IP location determination"). For your protection, however, we naturally use the anonymisation function ("IP masking"), i.e. Google truncates the IP addresses by the last octet within the EU/EEA.

Google acts as an order processor and we have concluded a corresponding contract with Google. The information generated by the cookie and the (usually shortened) IP addresses about your use of this website are usually transferred to a Google server in the USA and processed there. For these cases, Google has voluntarily joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission (Art 45 GDPR). We have also agreed so-called standard contractual clauses with Google, the purpose of which is to ensure compliance with an appropriate level of data protection in the third country (see item XIX).

The legal basis for the collection and further processing of the information (which takes place for a maximum of 14 months) is your consent (Art 6 (1) lit a GDPR). The revocation of your consent is possible at any time without affecting the permissibility of the processing until the revocation. In apps, you can reset the advertising ID under the Android or iOS settings. The easiest way to revoke your consent is via our consent management platform (see above) or by installing the Google browser add-on, which can be accessed via the following link: https://tools.google.com/dlpage/gaoptout?hl=de/.

Further information on the scope of services provided by Google Analytics is available at https://marketingplatform.google.com/about/analytics/terms/de/. Google provides information on data processing when using Google Analytics at the following link: https://support.google.com/analytics/answer/6004245?hl=de/.
General information on data processing, which according to Google also applies to Google Analytics, can be found in Google's privacy policy at https://policies.google.com/privacy?hl=de&gl=de.

In order to detect, analyze and fix bugs in the App, we use Firebase Crashlytics, a service provided by Google Ireland Limited, Gordon House, 4 Barrow Street, D04 E5W5 Dublin, Ireland ("Google").

Firebase Crashlytics receives real-time crash reports detailing the state of the app, code locations, device information and recent log file messages. This information helps us to facilitate app maintenance and improve stability. If the app crashes, certain information about the crash such as time of crash, device type, operating system, and other technical data from your mobile device is sent to Firebase Crashlytics. These crash reports do not contain IP addresses or other personal data.

These services and technologies are necessary to ensure central functions of the waterdrop® Hydration App, as well as the fulfillment of contracts with users. Furthermore, we have a legitimate interest in the use of these technologies for the technically error-free and optimised provision of our service. The use is based on the legal grounds of Art 6 (1) (b) (fulfillment of contract) and Art 6 (1) (f) GDPR (overriding legitimate interests).

Google acts as an order processor and we have concluded a corresponding contract with Google. The user ID generated by Firebase Crashlytics is usually transferred to a Google server in the USA and processed there. For these cases, Google has, according to its own statements, imposed a standard on itself that corresponds to the former EU-US Privacy Shield and has promised to comply with applicable data protection laws in the international transfer of data. Google has also voluntarily joined the EU-U.S. Data Privacy Framework, a data protection agreement between the EU and the U.S. for which the European Commission has issued an adequacy decision. We have also agreed on so-called standard contractual clauses with Google, the purpose of which is to ensure compliance with an adequate level of data protection in the third country (see point XV).

Further information on data processing when using Firebase Crashlytics can be found in the Google Firebase privacy policy: https://firebase.google.com/support/privacy?hl=de.

Targeted advertising

We and our marketing partners use your data for personalised advertising presented to you on our website and on the websites and apps of other providers (onsite and in-app optimisation of ads).
We and our marketing partners use standard market internet technologies, in particular to place advertisements on social networks (e.g. Google Ads, Facebook Ads, Instagram Ads) and on advertising spaces that are referred to us via online advertising networks such as DoubleClick by Google. In this way, we can advertise in a more targeted manner in order to only present you with advertising and offers that are actually relevant to you. These technologies are only used if you have given your consent via our consent management platform in accordance with Art 6 (1) lit a GDPR (see above).
In the case of online advertising, your data may be transmitted to social network providers and other marketing partners (see item XVIII). The main technologies and services we currently use are:

Google AdSense: This website uses the online advertising service Google AdSense, through which you can be shown banner advertisements tailored to your interests in order to inform you about our products. The advertisements are recognisable by the reference "Google ads" in the respective advertisement. The legal basis for the processing of your data is Art 6 (1) lit a GDPR, i.e. the integration only takes place with your consent.

By visiting our website, Google receives the information that you have accessed our website. For this purpose, Google uses a short text in the source code of the website ("code snippet") to set a cookie on your computer. The above-mentioned basic data such as IP address and timestamp are transmitted. We allow Google to collect the information about you that is necessary for the appropriate advertisement, but otherwise have no knowledge about the scope of the data collection and storage period. If you are logged in with your Google account, your data can be directly assigned to it. If you do not wish your data to be associated with your Google profile, you must log out. It is possible that this data will be passed on to contractual partners of Google, third parties and authorities. This website does not serve third-party ads via Google AdSense.

The revocation of your consent is possible at any time without affecting the permissibility of the processing until the revocation. The easiest way to revoke is via our consent management platform or via the following functions: a) by setting your browser software accordingly, in particular the suppression of third-party cookies will result in you not receiving third-party ads; b) by deactivating Google's interest-based ads via the link www.google.com/settings/ads, which setting will be deleted when you delete your cookies; c) by disabling interest-based ads from providers that are part of the About Ads self-regulatory campaign via the link www.aboutads.info/choices, which setting will be deleted when you delete your cookies; d) by permanently disabling them in your Firefox, Internet Explorer or Google Chrome browsers at the link www.google.com/settings/ads/plugin. We would like to point out that in this case you may not be able to use all the functions of this offer to their full extent.

Google also processes your personal data in the USA. Therefore Google has voluntarily joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission (Art 45 GDPR). We have also agreed so-called standard data protection clauses with Google, the purpose of which is to ensure compliance with an adequate level of data protection in the third country (see item XIX).

Further information on the purpose and scope of data processing as well as further information on your rights and setting options for protecting your privacy can be obtained from Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland. Available at https://policies.google.com/privacy?hl=de&gl=de, https://policies.google.com/ technologies/ads?hl=en and https://business.safety.google/adsservices/.

Google Ads: We use the Google Ads service to draw attention to our offers with the help of advertisements. If you access our website via a Google ad, Google Ads will store a cookie in your terminal device. The legal basis for the processing of your data is Art 6 (1) lit a GDPR, i.e. the integration only takes place with your consent.

The advertising material is delivered by Google via so-called "ad servers". For this purpose, we and other websites use so-called ad server cookies, which can be used to measure certain parameters for measuring success, such as the display of ads or clicks by users. The Google Ads cookies stored on our website enable us to obtain information about the success of our advertising campaigns. These cookies are not intended to identify you personally. For this cookie, the unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that a user no longer wishes to be addressed) are usually stored as analysis values.

The cookies set by Google enable Google to recognise your internet browser. If a user visits certain pages of an Ads customer's website and the cookie stored on their computer has not yet expired, Google and the customer can recognise that the user has clicked on the ad and been redirected to that page. A different cookie is assigned to each Ads customer so that the cookies cannot be tracked across the websites of other Ads customers. Through the integration of Google Ads, Google receives the information that you have called up the corresponding part of our website or clicked on an advertisement from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, it is possible that the provider may obtain and store your IP address.

Due to the marketing tools used, your browser automatically establishes a direct connection with the Google server. We ourselves do not independently collect personal data in the aforementioned advertising measures, but only provide Google with the opportunity to collect the data. We only receive statistical evaluations from Google that provide information about which ads were clicked on how often and at what prices. We do not receive any further data from the use of the advertising media; in particular, we cannot identify users on the basis of this information.

The revocation of your consent is possible at any time without affecting the permissibility of the processing until the revocation. The easiest way to revoke is via our consent management platform or via the following functions: a) by setting your browser software accordingly, in particular the suppression of third-party cookies will result in you not receiving third-party ads; b) by setting your browser to block cookies from the domain "www.googleadservices.com", www.google.de/settings/ads, deleting this setting when you delete your cookies; c) by disabling the interest-based ads of the providers that are part of the self-regulatory campaign "About Ads" via the link www.aboutads.info/choices, deleting this setting when you delete your cookies; d) by permanently disabling them in your Firefox, Internetexplorer or Google Chrome browsers at the link www.google.com/settings/ads/plugin. Please note that in this case you may not be able to use all the functions of this website to their full extent.

Further information on data protection at Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland, can be found here: https://policies.google.com/privacy?hl=de&gl=de, https://policies.google.com/technologies/ads?hl=de, and https://business.safety.google/ adsservices/.

Google Conversion Tracking: We use Google Ads with the additional application "Google Conversion Tracking". This is a procedure with which we can check the success of our advertising campaigns. For this purpose, the advertisements are provided with a technical provision, e.g. an ID, with which we can determine how a user interacts after clicking on the advertisements and whether one of our services is actually used. This provides us with information in statistical form about the total number of readers of our ads, which ads are particularly popular and, if applicable, further information about consequences from the ad.

The legal basis for the processing of your data is also Art 6 (1) lit a GDPR, i.e. the integration only takes place after your consent. You can prevent or no longer use the conversion tracking function in the same way as described above in relation to Google Ads.

Google Remarketing: We use Google Ads with the additional application "Google Remarketing". With this procedure, we can create advertisements based on existing information about you and address you again when you continue to use the internet. This is usually done by means of cookies that are set when you visit our offers, via which your usage behaviour when calling up various websites is recorded by Google and evaluated in pseudonymised form. According to its own statements, Google does not combine the data collected in the course of remarketing with your personal data, which may be stored by Google.

The legal basis for the processing of your data is also Art 6 (1) lit a GDPR, i.e. the integration only takes place with your consent. You can prevent or no longer use the remarketing function in the same way as described above in relation to Google Ads.

Google Customer Match: We use Google Ads with the additional application "Google Customer Match", among other things for "Similar Audiences" and remarketing. For the use of Customer Match, lists with encrypted user data (e.g. email addresses) are uploaded. After the upload, the system checks which data is already known and classifies these users in a list. After the customer match lists have been created, the encrypted customer data is automatically deleted again. The providers do not obtain new addresses as a result.

The legal basis for the processing of your data is also Art 6 (1) lit a GDPR, i.e. the integration only takes place with your consent. You can prevent or no longer use this function in the same way as described above in relation to Google Ads. Further information on "Customer Match" can be found at https://support.google.com/google-ads/answer/6334160.
Google Optimize: We use Google Ads with the additional application "Google Optimize" and use Google Analytics data for purposes of improving areas of our online offering and better aligning our marketing efforts with potential user interests.

Google Tag Manager: We use Google Tag Manager ("GTM"), a tag management system to manage JavaScript and HTML tags used to track and analyse websites. Tags are small elements of code used to measure traffic and visitor behaviour, among other things: to understand the impact of online advertising and social channels; to set up remarketing and targeting; and to test and optimise websites. GTM makes it easy for us to integrate and manage our tags.

The legal basis for the processing of your data is also Art 6 (1) lit a GDPR, i.e. the integration only takes place after your consent. If you have deactivated your consent, GTM will take this deactivation into account. Further information on data protection at Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland, can be found here: https://policies.google.com/privacy?hl=de&gl=de and https://marketingplatform.google.com/ about/analytics/tag-manager/use-policy/.

Meta: Facebook and Instagram (Pixel, Conversion Tracking and Remarketing): We use advertising measures of Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta"). By integrating the so-called "Meta Pixel" on our website, we can display our advertising measures ("Facebook Ads" and "Instagram Ads") to users of our website and the social network Facebook and Instagram and measure and evaluate the success ("Conversion Tracking"). This connection between Facebook or Instagram and our website is technically carried out via the "Meta Pixel". The legal basis for the processing of your data is Art 6 (1) lit a GDPR, i.e. the integration only takes place with your consent.

Due to the marketing tools used, your browser automatically establishes a direct connection with Meta's server when you visit our website. We have no influence on the scope and further use of the data collected by Meta through the use of this tool and therefore present you with the processes known to us: Through the integration of the Meta pixel, Meta receives the information that you have called up the corresponding web page of our website or clicked on an advertisement from us. If you are registered with a Meta service, Meta can assign the visit to your account. Even if you are not registered with Facebook or Instagram or have not logged in, it is possible that the provider will learn your IP address and other identifying features and use them to create your profile.

The information collected is stored on Meta's servers, including in the USA. For these cases, Meta has voluntarily joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission (Art 45 GDPR). We have also agreed so-called standard data protection clauses with Meta, the purpose of which is to ensure compliance with an appropriate level of data protection in the third country.

You can revoke your consent at any time without affecting the permissibility of the processing until revocation. The easiest way to revoke your consent is via our consent management platform. In addition, (logged-in users only) can object via the provider's platform at the following link: www.facebook.com/settings/?tab=ads#_möglich or https://help.instagram.com/ 478880589321969/?helpref=hc_fnav.

We also use the remarketing function "Custom Audiences", which also uses the Facebook Pixel and displays interest-based advertisements when you visit our website or other websites that have also integrated the Facebook Pixel. This allows us to show you advertisements that are of interest to you in order to make our website more interesting for you and to market our offer.
For more information on the Meta Pixel and how it works, see Meta's help section at https://www.facebook.com/business/help/742478679120153? id=1205376682832142 and Meta's data policy at https://www.facebook.com/ privacy/policy/?entry_point=data_policy_redirect&entry=0.

Twitter Ads: In connection with our website, we use the services of Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland, to analyse, measure the success and optimise our online offer. This connection between Twitter and our website is technically carried out via the "Twitter pixel".

We use the services to analyse and optimise the effectiveness of our advertising measures and to further develop our offer. The legal basis for the processing of your data is Art 6 (1) lit a GDPR, i.e. the integration only takes place after your consent.

Twitter also processes your personal data in the USA and has imposed a standard on itself that corresponds to the former EU-US Privacy Shield. We have also agreed so-called standard data protection clauses with Twitter, the purpose of which is to ensure compliance with an adequate level of data protection in the third country (see item XIX).

You can revoke your consent at any time, but this revocation does not affect the lawfulness of the data processing carried out up to that point. The easiest way to revoke your consent is via our consent management platform. In addition, (logged-in users only) can object via the provider's platform at the following link: https://help.twitter.com/en/safety-and-security/privacy-controls-for-tailored-ads. You may also refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

You can find more detailed information on the processing of data by Twitter in the data protection declaration at https://twitter.com/en/privacy and in the supplementary data protection notices at https://help.twitter.com/en/rules-and-policies/data-processing-legal-bases, https://privacy.twitter.com/en/for-our-partners/global-dpa and https://gdpr.twitter.com/en/controller-to-controller-transfers.html.

TikTok Ads: We use the TikTok Advertising service. TikTok Advertising is an online advertising programme provided by TikTok Information Technologies UK Limited, One London Wall, London EC2Y 5EB ("TikTok"). Through the use of cookies and similar technologies such as device identifiers, information about the use of our app (e.g. information about items viewed) is collected and transmitted to TikTok by us and TikTok under joint responsibility in this context.

When using our app, we determine the device ID of your terminal device and transmit the tracking data to TikTok on this basis. The further processing of the data transmitted to TikTok is the sole responsibility of TikTok under data protection law. This information transmitted to TikTok can be assigned to your person with the help of further information that TikTok has stored about you, e.g. due to your ownership of an account on the social network "TikTok". On the basis of the information collected, you can be shown interest-related advertisements on our offers in your TikTok account (retargeting). The information collected may also be aggregated by TikTok and the aggregated information may be used by TikTok for its own advertising purposes and for the advertising purposes of third parties. For example, TikTok may infer certain interests from your browsing behaviour on this website and may also use this information to promote third party offers. TikTok may also combine the information collected with other information that TikTok has collected about you via other websites and / or in connection with the use of the social network "TikTok", so that a profile about you can be stored at TikTok. This profile may be used for advertising purposes. The legal basis for the processing of your data is Art 6 para 1 lit a GDPR, i.e. the integration only takes place after your consent.
To the extent that TikTok processes your data as the sole data controller, there is a possibility that your data will be transferred by TikTok to the USA. We have agreed with TikTok on so-called standard data protection clauses, the purpose of which is to ensure compliance with an adequate level of data protection in the third country (see point XIX).

You can find more information on data protection at TikTok in the data protection declaration: https://www.tiktok.com/legal/page/eea/privacy-policy/de-DE. Here you can also assert your data subject rights (e.g. right to erasure) with regard to the data that TikTok processes on you as a data controller. You can revoke your consent given with regard to the use of TikTok Advertising here: https://support.tiktok.com/en/account-and-privacy/personalized-ads-and-data/ personalization-and-data.

Pinterest Ads: We use the advertising services of Pinterest Europe Limited, Palmerston House, 2nd Floor, Fenian Street, Dublin, Ireland ("Pinterest"). Through the use of cookies, device identifiers or similar technologies, information about the use of our website (e.g. information about viewed articles) is collected by us and Pinterest in joint responsibility and transmitted to Pinterest.

A Pinterest pixel is integrated into our websites, which enables Pinterest to save a cookie in your browser and thus transmit tracking data from the browser. The further processing of the data transmitted to Pinterest is the sole responsibility of Pinterest under data protection law. This information transmitted to Pinterest can be assigned to your person with the help of further information that Pinterest has stored about you, e.g. due to your ownership of an account on the social network "Pinterest". The information collected on the website can be used to show you interest-related advertising on our offers in your Pinterest account (retargeting). The information collected may also be aggregated by Pinterest and the aggregated information may be used by Pinterest for its own advertising purposes as well as for advertising purposes of third parties. For example, Pinterest may infer certain interests from your browsing behaviour on our websites and may also use this information to advertise third-party offers. Pinterest may also combine the information collected via our website with other information that Pinterest has collected about you via other websites and / or in connection with the use of the social network "Pinterest", so that a profile about you can be stored on Pinterest. This profile can be used for advertising purposes. The legal basis for the processing of your data is Art 6 (1) lit a GDPR, i.e. the integration only takes place with your consent.

Insofar as Pinterest processes your data as the sole data controller, there is a possibility that your data will be transferred by Pinterest to the USA. We have agreed so-called standard data protection clauses with Pinterest, the purpose of which is to ensure compliance with an appropriate level of data protection in the third country (see item XIX).

You can find more information on data protection at Pinterest here: https://policy.pinterest.com/de/privacy-policy. Here you can also assert your data subject rights (e.g. right to deletion) with regard to the data that Pinterest processes about you as a data controller. You can revoke the consent you have given with regard to the use of Pinterest Ads here: https://help.pinterest.com/en/article/personalization-and-data.

Snapchat Ads: We use the so-called "Snap Pixel" from Snapchat, which is operated by Snap Inc., 2772 Donald Douglas, Loop North Santa Monica, CA 90405, USA ("Snapchat"), on our websites for analysis and optimisation purposes.

With the help of the Snap Pixel, it is possible for Snapchat, on the one hand, to determine the visitors to the website as the target group for the display of ads (so-called "Snapchat Ads"). Accordingly, Snapchat Pixel is used to display the switched Snapchat Ads only to those Snapchat users who have also shown an interest in our website or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited) that we transmit to Snapchat (so-called "Custom Audiences").

With the help of the Snap Pixel, we want to ensure that our Snapchat ads correspond to the potential interest of the users and do not have a harassing effect. In addition, the Snap Pixel allows us to track the effectiveness of the Snapchat ads for statistical and market research purposes by seeing whether users were redirected to the website after clicking on a Snapchat ad (so-called "conversion").

The legal basis for the processing of your data is Art 6 (1) lit a GDPR, i.e. the integration only takes place with your consent. There is a possibility that your data will be transferred by Snapchat to the USA. Snapchat has voluntarily joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission (Art 45 GDPR). We have agreed so-called standard data protection clauses with Snapchat, the purpose of which is to ensure compliance with an appropriate level of data protection in the third country (see point XIX).

Snapchat's processing of data is governed by Snapchat's Data Use Policy. General guidance on the display of Snapchat ads can be found in Snapchat's data usage policy: https://values.snap.com/de-DE/privacy/privacy-center. You can revoke your consent to the use of Snap Pixel here: https://help.snapchat.com/hc/en-us/articles/7012345515796.

LinkedIn Ads: We use the so-called LinkedIn Insight tag (or LinkedIn Pixel) of LinkedIn Ireland Unlimited Company ("LinkedIn") on our websites. By integrating this JavaScript tag, you as a user of our website can be shown interest-based advertisements ("Ads") that are relevant to you when you visit the LinkedIn social network or other websites that also use the method, and we receive statistics about website visitors and demographics. Furthermore, we can evaluate your use of our LinkedIn advertising and the interest in our offers, by means of a conversion tracking function and also display LinkedIn Ads to you on other websites via retargeting. In this way, we pursue the interest of improving the effectiveness of the LinkedIn ads and making our website more interesting for you.

By integrating the LinkedIn Insight tag, your browser automatically establishes a direct connection with LinkedIn's server, both when visiting the LinkedIn website and websites that have the LinkedIn Insight tag built in. LinkedIn and we are jointly responsible for the collection of your usage data when you visit our website and the transmission to the provider, but LinkedIn is solely responsible for the relevant processing to carry out the objectives described once the data has been transmitted. We have no influence on the scope and nature of the use of the data by LinkedIn, we therefore inform you according to our state of knowledge: Through the integration of the LinkedIn Insight tag, LinkedIn receives the information that you have called up the corresponding web page of our website or clicked on an advertisement from us. If you are registered with a LinkedIn service, LinkedIn can assign the visit to your account. Even if you are not registered with LinkedIn or have not logged in, it is possible that the provider will learn your IP address, time slot and other identifying characteristics and link them to the actions assigned to you.

The deactivation of the LinkedIn Insight tag and further advertising objections are possible in the settings for advertisements at www.linkedin.com/help/linkedin/answer/ 62931?trk=microsites-frontend_legal_privacy-policy&lang=en and supplementary at www.linkedin.com/psettings/guest-controls/retargeting-opt-out. Further setting options and information can be found in the LinkedIn Privacy Center: https://privacy.linkedin.com/de-de?lr=1/.

The legal basis for the processing of your data is Art 6 (1) lit a GDPR, i.e. the integration only takes place after your consent. You can revoke your consent at any time, most easily via our consent management platform. LinkedIn also processes your personal data in the USA and has voluntarily joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission (Art 45 GDPR). We have also agreed so-called standard data protection clauses with LinkedIn, the purpose of which is to ensure compliance with an adequate level of data protection in the third country (see item XIX).

Further information on data processing by LinkedIn can be obtained from the provider, LinkedIn Ireland Unlimited Company, Attn: Legal Dept. (Privacy Policy and User Agreement), Wilton Plaza, Wilton Place, Dublin 2, Ireland; information on the LinkedIn Insight tag: https://business.linkedin.com/de-de/marketing-solutions/insight-tag?lr=1/ and privacy information: https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy/.

Microsoft Ads: Our websites use the Microsoft Advertising service. Microsoft Advertising is an online advertising programme provided by Microsoft Ireland Operations Limited (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521). ("Microsoft").

We use so-called Universal Event Tracking (UET) within the Microsoft Advertising service, which collects and stores data on this website for marketing and optimisation purposes. For this purpose, your surfing behaviour on our website is analysed, e.g. which offers you have viewed. For this purpose, Microsoft stores a cookie in your browser. Your visits are recorded via this cookie. The cookie is used to uniquely identify your web browser and not to identify you personally. Microsoft processes the data collected about you on this website as the sole data controller.

Microsoft also processes your personal data in the USA and has voluntarily joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission (Art 45 GDPR). We have also agreed so-called standard data protection clauses with Microsoft, the purpose of which is to ensure compliance with an adequate level of data protection in the third country (see item XIX).

You can find more information about Microsoft's privacy policy at: https://privacy.microsoft.com/de-DE/privacystatement. Here you can also assert the data subject rights to which you are entitled vis-à-vis Microsoft (e.g. right to deletion).

Reddit Ads: We place advertisements on the Reddit platform (Reddit, Inc. 548 Market St. #16093 San Francisco, California 94104) and use the platform's analytics and conversion tracking technology to test the effectiveness of these advertisements. The purpose of the data processing is to inform you about our offer and to make it clear and user-friendly for you.

Reddit's representative in the EU is Reddit Ireland Limited, Attn: Reddit EU Data Inquiries, Georges Quay Plaza, Floor 2 - 101, Dublin D02 F856 Ireland.
When you visit our website, a direct connection is established between your browser and the Reddit server via a "Reddit Conversion Pixel". Reddit thereby receives, among other things, the information from your browser that our website was called up from your end device. We would like to point out that we have no influence on the scope of the transmitted data and its further use by Reddit and therefore inform you according to our state of knowledge: Through the integration of Reddit conversion pixels, Reddit receives the information that you have called up the corresponding website of our website or clicked on an advertisement from us. If you are registered with a Reddit service, Reddit can assign the visit to your account. Even if you are not registered with Reddit or have not logged in, it is possible that the provider will learn and store your IP address and other identifying features.

The information collected by the pixel is used to generate conversion statistics for Reddit Ads clients who have opted in to conversion tracking. The Reddit Ads clients learn the total number of users who clicked on their ad and were redirected to a web page tagged with a conversion tracking tag.
The legal basis for the processing of your data is Art 6 (1) lit a GDPR, i.e. the integration only takes place after your consent. You can revoke your consent at any time, most easily via our consent management platform. As a logged-in user of Reddit, you can object to the storage and use of data in a Reddit cookie by accessing the link https://www.reddit.com/personalization and selecting your preferred settings. If you choose this option, a new cookie (opt-out cookie) will be set in your browser, informing Reddit that no data about your browsing behaviour may be stored. Please note that the setting must be made for all browsers you use. If all your cookies in a browser are deleted, this will also affect Reddit's opt-out cookie.

Reddit also processes your personal data in the USA. We have agreed so-called standard data protection clauses with Reddit, the purpose of which is to ensure compliance with an adequate level of data protection in the third country (see item XIX).

For more information about privacy and your choices in this regard, please see Reddit's privacy policy at https://www.reddit.com/policies/ privacy-policy.

Apple Search Ads: We use the Apple Search Ads advertising platform to optimise the effectiveness of our advertising efforts. This service is provided by Apple Distribution International Ltd, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland (see https://searchads.apple.com/de/terms-of-service).

Account data, App Store data, app transaction data and contextual information (e.g. device type, iOS version, time of day, device location, search query) are used to deliver relevant ads. Apple creates segments to deliver personalised advertising in the App Store, Apple News and the Stocks app. Segments are groups of people with similar interests. Your personal information is used to determine which segments you are assigned to and which ads are served to you.

The legal basis for the processing of your data is Art 6 (1) lit a GDPR, i.e. the integration only takes place after your consent. You can revoke your consent at any time, but this revocation does not affect the lawfulness of the data processing carried out up to that point. The easiest way to revoke your consent is via our consent management platform. In addition, you can deactivate the interest-based ads as described at https://support.apple.com/en-us/HT202074.
Apple also processes your personal data in the USA. We have agreed so-called standard data protection clauses with Apple, the purpose of which is to ensure compliance with an adequate level of data protection in the third country (see item XIX).

For more information about how Apple processes data, please see Apple Search Ads and Privacy at https://searchads.apple.com/de/privacy, Apple Advertising & Privacy at https://www.apple.com/de/legal/privacy/data/de/apple-advertising/, and the Privacy Policy at https://www.apple.com/de/legal/privacy/de-ww/.

Outbrain Amplify: We use various tools on our website from Outbrain UK Ltd (5 New Bridge Street, London, EC4V6JA, UK, hereafter referred to as: "Outbrain"). Outbrain uses cookies that allow us to analyse how you use our website. We also use "Outbrain Amplify" in addition to the "Outbrain Pixel" to optimise our website. These tools allow us to analyse your usage behaviour and improve our offer.

Outbrain enables us to point you to further content on our website that may also be of interest to you, as well as to third-party websites. The reading recommendations, for example, are determined on the basis of the content you have read so far. The content displayed by Outbrain is automatically controlled and delivered by Outbrain in terms of content and technology. The display of reading recommendations by Outbrain on the basis of the information transmitted by the cookies is only pseudonymised, i.e. by a generated character string that is assigned to you. Personal data is not stored beyond this. Outbrain records the device source, browser type and anonymised IP address of the user. To anonymise the IP address, the last octet of the IP address is removed. Outbrain and we are jointly responsible for collecting your usage data when you visit our website and transmitting it to the provider, but Outbrain is solely responsible for the relevant processing to carry out the objectives described once the data has been transmitted.

The European Commission has decided that the United Kingdom offers an adequate level of protection compared to the GDPR. The transfer of data takes place on the basis of this adequacy decision (see point XIX). To the extent that data is provided to Outbrain and/or transferred to Outbrain Inc. or to another recipient outside the EU / EEA, Outbrain will ensure that the transfer complies with EU data protection laws by providing an adequate level of protection and that appropriate safeguards are in place to protect the data. See https://www.outbrain.com/legal#amplify-dpa-us.
Further information on data processing by Outbrain can be found here: https://www.outbrain.com/privacy/.

Lucky Orange: We use on our website the service of the company Lucky Orange (represented in the EU by: Lucky Orange, EU Business Partners, 10 Ashe Street, Clonakilty, County Cork, P85 E4303, Ireland, hereinafter: "Lucky Orange"). We use the web analytics tool to improve the functionality and usability of our website. Lucky Orange analyses user behaviour when visiting our website and helps us to derive and make improvements to our website on the basis of the data collected and the evaluations in the form of so-called "heat maps".

In this context, Lucky Orange stores cookies on your computer, which are used to collect information on, among other things, the start time and end of the visit, the duration of the visit, the number of visits, click, scroll and mouse movements, keystrokes as well as information transmitted by your browser such as browser and version, geo-location (country, state, city), operating system and version, language, screen resolution, referring URL (via UTM tags in the URL), behavioural characteristics triggered by Javascript or from behavioural characteristic rules, Internet service provider of the IP address, etc.
The legal basis for the processing of your data is Art 6 (1) lit a GDPR, i.e. the integration only takes place after your consent. You can revoke your consent at any time, most easily via our consent management platform. You can also prevent the use of Lucky Orange cookies by setting an opt-out cookie at the following link: https://privacy.luckyorange.com/ (click on "Do not track me").

Lucky Orange also processes your personal data in the USA and has voluntarily joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission (Art 45 GDPR). We have also agreed so-called standard data protection clauses with Lucky Orange, the purpose of which is to ensure compliance with an adequate level of data protection in the third country (see item XIX).

For further information on the handling of transmitted data, please refer to the Lucky Orange privacy policy: https://www.luckyorange.com/legal/privacy.

Social networks

We maintain profile pages (also known as "fan pages") in various social networks and integrate functions of social networks into our website. These can be messenger services and so-called social plug-ins. As a rule, social networks can comprehensively analyse your user behaviour. This applies in particular if you use the corresponding networks to visit our social media sites.

We process your data based on our overriding legitimate interest pursuant to Art 6 (1) lit f GDPR in order to provide you with this functionality, to raise awareness of our company and to communicate with social networks active customers and other users (e.g. answering users' queries).

Insofar as personal data is processed by a social network and us in connection with our profile pages or content submitted by you, and we have a say in the purposes and means of this processing, we and the respective social network are joint controllers within the meaning of Art 26 GDPR (e.g. data from Facebook Page Insights).

We have no influence on the processing of personal data by social networks. It is also not possible for us to trace all of these data processing operations within the social networks and, as a rule, we also do not have access to this data. We therefore always provide you with this information with the help of the data protection declarations of the respective networks. Please refer to these for information on the purpose and scope of data collection and the further processing and use of the data by the respective provider, as well as your rights in this regard and setting options for protecting your privacy. Below you will find information on data protection and opt-out options on the respective networks.

We currently use fan pages and social plug-ins of the following social networks as well as the messenger service of WhatsApp:

Facebook (Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) - privacy policy: https://www.facebook.com/about/privacy/, shared responsibility agreement with Meta for Page Insights: https://www.facebook.com/legal/terms/information_about_page_insights_data; opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com.
Twitter (Twitter International Unlimited Company, One Cumberland Place, Fenian Street Dublin 2, D02 AX07, Ireland) - Privacy Policy: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization.
Instagram (Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) - Privacy Policy / Opt-Out: http://instagram.com/about/legal/privacy/.
Pinterest (Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland) - privacy policy: https://policy.pinterest.com/de/privacy-policy, opt-out: https://help.pinterest.com/en/article/personalization-and-data.
TikTok (TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland) - Privacy Policy / Opt-out: https://www.tiktok.com/legal/page/eea/privacy-policy/de-DE.
YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) - Privacy Policy https://policies.google.com/privacy?hl=de&gl=de; Opt-Out: https://adssettings.google.com/authenticated.
LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) - Privacy Policy https://www.linkedin.com/legal/privacy-policy, Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
WhatsApp (WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) - Privacy Policy https://www.whatsapp.com/legal/privacy-policy-eea, Opt-Out: https://faq.whatsapp.com/1285115568956956/ .

Profile pages:
We use the technical platform and services of the providers for these information services. We would like to point out that you use our appearances on social networks and their functions on your own responsibility. This applies in particular to the use of interactive functions (e.g. commenting, sharing, rating). When you visit our websites, the providers of the social networks collect, among other things, your IP address and other information that is stored in the form of cookies on your terminal device. This information is used to provide us, as the operator of the accounts, with statistical information about the interaction with us.

The data collected about you in this context is processed by the social networks and may be transferred to countries outside the European Union, in particular the USA. According to their own statements, all of the aforementioned providers maintain an adequate level of data protection that corresponds to that of the former EU-US Privacy Shield, some providers have voluntarily joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission (Art 45 GDPR), and we have concluded the standard data protection clauses with the companies (see item XIX).

We are not aware of how the social media platforms use the data from your visit to our account and interaction with our posts for their own purposes, how long this data is stored and whether data is passed on to third parties. Data processing may differ depending on whether you are registered and logged in to the social network or visit the site as a non-registered and/or non-logged-in user. When you access a post or the account, the IP address assigned to your terminal device is transmitted to the provider of the social network. If you are currently logged in as a user, a cookie on your end device can be used to track how you have moved around the network. Buttons embedded in websites enable the platforms to record your visits to these websites and assign them to your respective profile. This data can be used to offer content or advertising tailored to you. If you want to avoid this, you should log out or deactivate the "stay logged in" function, delete the cookies on your device and restart your browser.

We, as the provider of the information service, also only process the data from your use of our service that you provide to us and that requires interaction. For example, if you ask a question that we can only answer by email, we will store your information in accordance with the general principles of our data processing, which we describe in this privacy policy. The legal basis for the processing of your data on the respective social network is Art 6 (1) lit f GDPR.

To exercise your data protection rights, you can contact both us or the social network provider. To the extent that one party is not responsible for responding or needs to obtain the information from the other party, we or the provider will forward your request to the respective partner. Please contact the social network provider directly for questions about profiling, processing of your data when using the website. For questions about the processing of your interaction with us on our site, write to the contact details we have provided (see item XX).
What information the respective social network receives and how it is used is described by the providers in their data protection declarations (see the listing above). There you will also find information on contact options as well as on the settings options for advertisements. Further information on social networks and how you can protect your data can also be found at https://www.youngdata.de/.

Social Plug-ins:

Social plug-ins are only loaded if you have previously activated the function by giving your consent. Via the plug-ins, we enable you to interact with the social networks and other users. The legal basis for the use of the plug-ins is Art 6 (1) lit a GDPR, i.e. the integration only takes place after your consent.

The respective plug-in provider stores the data collected about you as usage profiles and uses them for the purposes of advertising, market research and/or demand-oriented design of its website. Such an evaluation is carried out in particular (also for users who are not logged in) for the display of needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact the respective plug-in provider to exercise this right. The data transfer takes place regardless of whether you have an account with the plug-in provider and are logged in there. If you are logged in to the plug-in provider, your data collected from us will be directly assigned to your account with the plug-in provider. If you click the activated button and, for example, link to the page, the plug-in provider also saves this information in your user account and shares it publicly with your contacts. We recommend that you log out regularly after using a social network, but especially before activating the button, as this will help you avoid being assigned to your profile with the plug-in provider.

The information collected is stored on servers of the providers, in the case of international providers also outside Europe. For these cases, the providers have, according to their own statements, imposed a standard on themselves that corresponds to the former EU-US Privacy Shield and have promised to comply with applicable data protection laws in the international transfer of data. Some of the providers have voluntarily joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission (Art 45 GDPR). We have also agreed so-called standard data protection clauses with the providers, the purpose of which is to ensure compliance with an appropriate level of data protection in the third country (see item XIX).

The revocation of your consent is possible at any time without affecting the permissibility of the processing until the revocation. The easiest way to revoke your consent is via our consent management platform (see above) or via the functions of the social network providers.

For more information on the purpose and scope of the data collection and its processing by the plug-in provider, please refer to the data protection declarations of these providers (see the listing above). There you will also receive further information on your rights in this regard and setting options for protecting your privacy.

Video integration

YouTube:
To optimise our website, components from YouTube are integrated on our website ("YouTube plugin"). YouTube is an internet video portal where video clips can be viewed, rated, commented on and uploaded free of charge. The processing of personal data when using YouTube is carried out by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, as the responsible party. Further information on YouTube is available at https://www.youtube.com/yt/about/de/.

When you visit a website that contains a YouTube video, the corresponding video is loaded from YouTube. By visiting the website, YouTube receives the information that you have accessed the corresponding subpage of our website. In addition, the above-mentioned basic data such as IP address and time stamp are transmitted. We have no influence on this data transmission. The legal basis for the display of the videos is Art 6 (1) lit a GDPR, i.e. the integration only takes place with your consent.

This takes place regardless of whether YouTube provides a user account via which you are logged in or whether no user account exists. If you are logged in to Google, your data will be directly assigned to your account. If you do not want your data to be associated with your YouTube profile, you must log out before activating the button. YouTube stores your data as usage profiles and uses them for the purposes of advertising, market research and/or designing its website in line with requirements. Such an evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, and you must contact YouTube to exercise this right.

The information collected is stored on Google servers, including in the USA. For these cases, the provider has has voluntarily joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission (Art 45 GDPR). ,. We have also agreed so-called standard data protection clauses with Google, the purpose of which is to ensure compliance with an appropriate level of data protection in the third country (see item XIX).

Further information on the handling of user data can be found in YouTube's privacy settings at https://www.youtube.com/intl/ALL_at/howyoutubeworks/user-settings/privacy/, at YouTube Help under the "Privacy basics in YouTube apps", available at https://support.google.com/youtube/answer/10364219?hl=de, and in Google's privacy policy at or https://policies.google.com/privacy?hl=de&gl=de. Information on a possible opt-out can be found at https://adssettings.google.com/authenticated.

Vimeo:
Our websites use plugins from the video portal Vimeo. The provider is Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA.

Some of our internet pages contain videos from Vimeo. When you visit such a website, a connection to the Vimeo servers is established. This transmits to the Vimeo server which of our websites you have visited. In addition, Vimeo obtains your IP address. This also applies if you are not logged in to Vimeo or do not have a Vimeo account. We have no influence on this data transmission. The legal basis for the display of the videos is Art 6 (1) lit a GDPR, i.e. the integration only takes place with your consent.

If you are logged in to Vimeo as a member, Vimeo assigns this information to your personal user account. When you click on the start button of a video, this information can also be assigned to an existing user account. You can prevent this assignment by logging out of your Vimeo user account before using our website and deleting the corresponding cookies from Vimeo.

The information collected by Vimeo is transmitted to the Vimeo server in the USA. Vimeo has voluntarily joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission (Art 45 GDPR). We have also agreed so-called standard data protection clauses with Vimeo, the purpose of which is to ensure compliance with an appropriate level of data protection in the third country (see item XIX).

Further information on the handling of user data can be found in Vimeo's privacy policy at: https://vimeo.com/privacy.

Your personal data may be transferred to third parties in the following situations

When passing on your personal data, we always ensure the highest possible level of security and therefore only work with carefully selected and contractually obligated service providers and contractual and cooperation partners.

XVIII. Recipient categories

Group of companies (waterdrop® group of companies)

The waterdrop® group of companies ("group") also operates (physical) stores. When you shop in our stores, the store employees can view your personal data (name, addresses and order history). Depending on their location at Waterdrop Microdrink GmbH, Waterdrop's parent company based in Austria (see point I), or at sales or joint venture companies (see point XIII).

Shipping company

We commission Waterdrop Fulfillment s.r.o (Czech Republic) with the delivery of goods. We also work with external shipping service providers (e.g. Austrian Post, DHL, Hermes, etc.) to deliver orders.

These service providers receive personal data from us that is necessary for the execution of the respective order. Specifically, this is your

Last name, first name
Delivery address
Postal number, if applicable (if you would like to have the order delivered to a DHL packing station).
E-mail address, if applicable (if the shipping service provider would like to inform you by e-mail about the expected delivery date).
Telephone number, if applicable (e.g. for forwarding notices).

The transmission takes place on the basis of our legitimate interest pursuant to Art 6 (1) lit f GDPR in order to also be able to offer our customers a notification service and thus to make the dispatch as customer-friendly as possible.

IT service provider

We work with technical service providers and IT tool providers to deliver our services to you. These service providers include, for example, external IT service providers that enable the technical provision of our website and shopping Apps (e.g. Shopify) and user communication (e.g. Iterable), as well as providers of various IT tools and software as a service (e.g. Klaviyo). The main service providers or suppliers are:

Web presence:

Shopify: Our web presence, including provision of the website and webshop and shopping apps, is powered by Shopify. Shopify offers a complete e-commerce platform that allows merchants to create an online shop and unify their commercial activities. Shopify (platform and apps) is also used for marketing activities (e.g. personalised messages, waterdrop® Club) and customer management and support (e.g. back in stock email, reactivation emails, web push notifications). More information on the provider and apps can be found at https://www.shopify.com/de and https://apps.shopify.com/.

Service Provider for Europe is Shopify International Limited, 2nd Floor Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland, with VAT identification number IE 3347697KH (see item 13 of Shopify's Terms and Conditions, https://www.shopify.de/legal/agb).

Your personal data (e.g. name, billing address, shipping address, email address, phone number and payment information, and information about how you access our websites, account and platform) is processed by Shopify International Limited, the Shopify company in Ireland. In the course of providing the Services, this personal data may be transferred to other regions, including Canada and the United States. Your personal data is protected by Canadian law when sent to Canada. The EU Commission has determined that this provides adequate protection for your data. If we then send that personal data to a country outside Canada (e.g. to sub-processors), that data is protected by contractual obligations similar to those in EU Commission standard contractual clauses (https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de ).

More information on the collection and use of personal data can be found in the entry "Privacy Policy for Customers (For Customers Purchasing from Shops Using Shopify)" at https://www.shopify.com/de/legal/privacy/customers, in Shopify's Privacy Policy at https://www.shopify.com/de/legal/datenschutz, and in the Data Processing Addendum at https://www.shopify.com/de/legal/dpa.

REVIEWS.io: To receive your experiences and reviews, we use REVIEWS.io. When you create a review on https://www.reviews.io/company-reviews/store/waterdrop-de, your details are collected by REVIEWS.io Limited 29 St Nicholas Place, Leicester, LE1 4LD UK and transmitted to us. Your review will then be published on our website. We may contact you by email for information or documentation to prove your experience. For further privacy information, including how to delete reviews, please see REVIEWS.io's privacy policy: https://www.reviews.io/front/user-privacy-policy.

reCaptcha: In addition, we use the Google service reCaptcha on our websites to determine whether a human or a computer is submitting a certain entry in our comment form. Google uses the following data to check whether you are a human or a computer: IP address of the terminal device used, the website you visit with us on which the captcha is embedded, the date and duration of the visit, the recognition data of the browser and operating system type used, Google account if you are logged in to Google, mouse movements on the reCaptcha areas and tasks that require you to identify images. The legal basis for the described data processing is Art 6 (1) lit f GDPR. There is a legitimate interest on our part in this data processing to ensure the security of our website and to protect us from automated entries (attacks). An overview of the basic use of data by Google can be found in the privacy policy at www.google.com/intl/de/policies/privacy/. Information on a possible opt-out can be found at https://adssettings.google.com/authenticated.

ReCharge: we use the software of ReCharge Inc, 3030 Nebraska Avenue, Los Angeles California US 90404, USA ("ReCharge") to process orders for subscriptions. The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. b GDPR. We pass on information that you provide to us during the ordering process to ReCharge, in addition to information relating to your order. Your data will only be passed on for the purpose of creating and managing customer subscriptions and processing payments. ReCharge processes the information you provide during the ordering process on our behalf.

In addition, ReCharge is certified for the Privacy Shield agreement between the European Union and the USA. This means that ReCharge undertakes to comply with the standards and regulations of European data protection law. Further information can be found in ReCharge's privacy policy via the following link: https://rechargepayments.com/privacy-policy.

Customer management and support:

Klaviyo: for customer management, sending messages by e-mail and user analysis (web presence and personalised news) we use the services of Klaviyo, Inc, 125 Summer Street, Boston MA, 02111, USA ("Klaviyo"). More information about the provider can be found at https://www.klaviyo.com/legal.

Klaviyo helps us to analyse the use of our website and uses cookies for this purpose. Certain usage data such as information about end devices (IP address, operating system and web browser), information about the use of our website (access, user behaviour), purchase and order history as well as details about how individuals interact with our emails (e.g. whether the email is opened and which links in the email are clicked) are linked to your person (e.g. after entry in a registration form) and stored in our customer database ("CRM"). This enables us to send you information and offers tailored to your interests.

In the process, your personal data may also be forwarded to Klaviyo servers in the United States (USA). Klaviyo has voluntarily joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission (Art 45 GDPR). In addition we have concluded a data processing agreement with Klaviyo, in which Klaviyo undertakes to protect the data of our users and in particular not to pass it on to third parties. The standard contractual clauses of the EU Commission are part of the data processing agreement (see item XIX). In addition, Klaviyo undertakes to implement supplementary measures.
More information on the collection and use of personal data can be found in Klaviyo's Privacy Policy at https://www.klaviyo.com/legal/privacy/privacy-notice, as well as in the Data Processing Agreement at https://www.klaviyo.com/legal/data-processing-agreement. You can find an overview in Klaviyo's Privacy Center: https://www.klaviyo.com/legal/privacy.

NetSuite: for customer relationship management, order management and order processing we use NetSuite CRM from Oracle Corporation, 2300 Oracle Way Austin, TX 78741 USA (https://www.oracle.com/de/corporate/contact/global.html).

Oracle reserves the right to process, transfer and retain personal data for services worldwide to the extent necessary to provide the services. To the extent that such global access involves a transfer of personal data for Services from the European Economic Area and the United Kingdom ("EEA") and/or Switzerland to Oracle affiliates or third-party sub-processors in countries outside the EEA or Switzerland that have not been subject to a binding decision by the European Commission or a competent national EEA data protection authority on an adequate level of data protection, such transfers will be subject to binding and appropriate transfer mechanisms that provide adequate protection in accordance with applicable data protection laws, such as EU standard contractual clauses (Oracle Services Privacy Policy I.7.; see also point XIX).

More information on the collection and use of personal data can be found in Oracle's privacy policy at https://www.oracle.com/de/legal/privacy/ in particular https://www.oracle.com/de/legal/privacy/services-privacy-policy.html#1-7).

Typeform: we use the service Typeform to display online surveys on our website. Typeform is operated by TYPEFORM SL, C/Bac de Roda, 163, 08018 Barcelona, Spain (https://www.typeform.com/).

In this context, the following data are collected and processed: IP address, e-mail address, duration of visit, date and time of visit and, if applicable, further data collected in the context of the survey (see points XIV and XV).

Within the scope of processing via Typeform, data may be transferred to the USA. The security of the transfer is regularly secured via so-called standard contractual clauses, which ensure that the processing of personal data is subject to a level of security that complies with the GDPR (see item XIX).

For more information on the collection and use of personal data and on the options for objecting to and removing such data from Typeform, please see Typeform's privacy policy at https://admin.typeform.com/to/dwk6gt.

Chatarmin: for customer management, sending messages via Whatsapp, SMS or other messenger services and for user analysis (personalized news) we use the services of the WhatsApp marketing tool of the company chatarmin.com GmbH, Josef Brenner-Straße 11/11, A-3400 Klosterneuburg ("Chatarmin").

Messages are sent via SMS, WhatsApp or other messenger services using the Whatsapp marketing tool Chatarmin. Your personal data (surname and first name, telephone number, Messenger ID, IP address and message history) will be processed by Chatarmin in the course of using the Messenger service. An active account with the respective provider is required to use the messenger service.

We have concluded an order processing contract with Chatarmin. This is a contract required by data protection law, which ensures that Chatarmin processes personal data only in accordance with our instructions and in compliance with the GDPR.

You can find more information on the collection and use of personal data in Chartarmin's privacy policy at https://chatarmin.com/en/privacy-policy

Payment service provider

We offer various payment options, such as payment in advance, payment by credit card and payment by PayPal. To process payments, we pass on your payment information to the credit institution or payment service provider commissioned with the payment. These companies may only use your data for order processing and not for any other purposes. For more information on the processing of personal data by these service providers, please refer to their privacy policies:

Shop Pay: We use Shop Pay, an online payment solutions service from Shopify, on our website and shopping Apps. Shopify's contracting party for Europe is Shopify International Limited, 2nd Floor Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland, with VAT identification number IE 3347697KH (see item 13 of Shopify's Terms and Conditions, https://www.shopify.de/legal/agb). Shopify processes the payment information you provide in the check-out (e.g. the number of your card used for payment or your bank account number) and other data you provide (e.g. your name, address, email address and telephone number). This may also be used to determine whether you are eligible for certain offers or payment methods. For more information about the collection and use of personal data, please see the entry "Privacy Policy for Users of Shopify Apps (For Users of the Apps, Customer-Facing Services or Shopify's Free Business Tools)" at https://www.shopify.com/de/legal/privacy/app-users, Shopify's Privacy Policy at https://www.shopify.com/de/legal/datenschutz, and Shopify's Data Processing Addendum at https://www.shopify.com/de/legal/dpa.
Amazon Pay: We enable the payment process to be handled via the payment service provider Amazon Pay (Amazon Payments Europe s.c.a., 38 avenue J.F. Kennedy, L-1855 Luxembourg). In this context, we pass on the following data to Amazon Payments: first name, last name, address, e-mail address and telephone number. Amazon Payments Europe reserves the right to run a credit check to ensure your willingness and ability to pay. For more information, please see Amazon Pay's privacy policy: https://pay.amazon.de/help/201212490?ld=NSGoogle and https://www.amazon.de/gp/help/customer/display.html?nodeId=201909010& ref_=footer_privacy&ld=NSGoogle&language=en_DE&currency=EUR.
Google Pay: We enable the payment process to be handled via the payment service provider Google Pay (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). For the purpose of payment processing, the information you provide during the ordering process, together with information about your order, will be passed on to Google. Google reserves the right to collect, store and analyse certain transaction-specific information for each transaction made via Google Pay. In addition, Google reserves the right in its privacy policy to pass on collected data to third-party providers and subsidiaries. For more information, please refer to the Google Pay privacy notice and relevant terms of use and policies, available at https://support.google.com/googlepay/answer/9039712?hl=de.
Shopify Payments: We use the payment service provider "Shopify Payments", 3rd Floor, Europa House, Harcourt Building, Harcourt Street, Dublin 2. If you choose a payment method offered via the payment service provider Shopify Payments, in particular payment by credit and debit card, the payment processing is carried out via the technical service provider Stripe Payments Europe Ltd, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, to whom we pass on the information you provided during the ordering process, together with information about your order (name, address, account number, bank sort code, credit card number if applicable, invoice amount, currency and transaction number) in accordance with Art 6 Para 1 lit b GDPR. Your data will only be passed on for the purpose of payment processing with Stripe Payments Europe Ltd. and only insofar as it is necessary for this purpose. You can find more information on the data protection of Shopify Payments at the following Internet address: https://www.shopify.com/legal/privacy. You can find data protection information on Stripe Payments Europe Ltd. here: https://stripe.com/de/privacy.
Klarna - Pay now or pay later: In cooperation with Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden, we offer several payment options. (see point 14 in our General Terms and Conditions, https://www.waterdrop.de/pages/agb).

If you choose the payment method Sofortüberweisung, you pay without additional registration via online banking with PIN and TAN. The entry of this data takes place after completion of the order on the pages of Sofort GmbH as part of the Klarna Group. We send the following personal information about your order to Klarna for the transfer: Order number, payment amount, country.
If, on the other hand, you have opted for "Klarna Invoice" or "Instalment Purchase", we require the following data for the payment processing of your purchase and an identity and credit check by Klarna: First name and surname, address, date of birth, e-mail address and data related to the order, such as invoice amount, item, delivery method. Klarna also collects and uses information on previous payment behaviour and probability values for this behaviour in the future.

In this respect, please note the General Terms and Conditions as well as the data protection notice of Klarna, available at https://www.klarna.com/de/agb/ and https://www.klarna.com/de/datenschutz/.

PayPal: When paying via PayPal, your payment data will be forwarded to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal") as part of the payment processing. If you have opted for PayPal, you will be redirected directly to the PayPal website. Regardless of this, we send the following data to PayPal to process the order: name and first name, delivery address (in the case of a different delivery address, possibly also the name of a third party such as a neighbour), order number, payment amount.

PayPal reserves the right to conduct a credit check for the payment methods credit card via PayPal, direct debit via PayPal or - if offered - "purchase on account" via PayPal. PayPal uses the result of the credit check with regard to the statistical probability of non-payment for the purpose of deciding on the provision of the respective payment method.
For further information on data protection law, including information on the credit agencies used, please refer to PayPal's data protection declaration: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

Social networks and other marketing partners

In the context of advertising campaigns, we share your data with social network providers. You can find further information under point XVII.

We also work with other selected marketing partners to improve our website and advertising campaigns and to inform you about interesting offers, current promotions, products, services, quizzes, challenges and competitions. The main marketing partners are:

Voucher offers from Sovendus GmbH: In order to select a voucher offer that is currently of interest to you, we transmit the hash value of your e-mail address and your IP address to Sovendus GmbH, Hermann-Veit-Str. 6, 76135 Karlsruhe (Sovendus) in a pseudonymised and encrypted form (Art 6 (1) lit f GDPR). The pseudonymised hash value of the e-mail address is used by Sovendus to take into account a possible objection to advertising (Art 21 (3), Art 6 (1) lit c GDPR). The IP address is used by Sovendus exclusively for data security purposes and is usually anonymised after seven days (Art 6 (1) lit f GDPR). In addition, we transmit the order number, order value with currency, session ID, coupon code and timestamp to Sovendus in pseudonymised form for billing purposes (Art 6 (1) lit f GDPR). If you are interested in a voucher offer from Sovendus, if there is no advertising objection to your e-mail address and if you click on the voucher banner displayed only in this case, your title, name, postcode, country and e-mail address will be transmitted by us in encrypted form to Sovendus for the preparation of the voucher (Art 6 (1) lit b, f GDPR). For further information on the processing of your data by Sovendus, please refer to the online data protection information at www.sovendus.de/datenschutz.

LoyaltyLion: to enable you to join the loyalty programme, we use a service provided by LoyaltyLion Ltd, based at 165 Fleet Street London, United Kingdom ("LoyaltyLion"). LoyaltyLion is a tool through which we provide loyalty points and give our customers the opportunity to receive rewards. For more information, please visit https://loyaltylion.com/terms-of-service.

For this purpose, the data provided by you and other data required to manage your loyalty points will be passed on to LoyaltyLion so that LoyaltyLion can operate the service. The legal basis for the processing of your data is your consent to membership of the waterdrop® Club (Art 6 (1) lit a GDPR). You can revoke your consent at any time (see point XV).

The European Commission has decided that the UK offers an adequate level of protection compared to the GDPR. The transfer of data takes place on the basis of this adequacy decision (see point XIX).

Further information on data processing by LoyaltyLion and an "opt-out" option are available here: https://loyaltylion.com/privacy.

Authorities and other third parties

If we are obliged to do so by an official or court decision or if we are entitled to do so, e.g. because this is necessary for the prosecution of criminal offences or for the exercise and enforcement of our rights and claims, we will pass on your data to law enforcement agencies or other third parties if necessary.

XIX. Legal basis for the transmission

We do not transfer your personal data to third parties for purposes other than those set out in this privacy policy. We will only disclose your personal data to third parties if:

you have given your express consent in accordance with Art 6 (1) lit a GDPR (e.g. social media networks),
this is legally permissible and necessary for the processing of contractual relationships with you (e.g. shipping companies, payment service providers) in accordance with Art 6 (1) lit b GDPR,
in the event that there is a legal obligation for the disclosure pursuant to Art 6 (1) c GDPR (e.g. authorities),
the disclosure is necessary in accordance with Art 6 (1) lit f GDPR to protect legitimate interests and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data (e.g. notification service from shipping companies; exercising and enforcing our rights and claims) or
this is carried out by a service provider (e.g. technical service provider) acting on our behalf and on our exclusive instructions, which we have carefully selected (Art 28 (1) of the GDPR) and with whom we have concluded a corresponding contract on commissioned processing (Art 28 (3) of the GDPR), which obliges our contractor, among other things, to implement appropriate security measures and grants us comprehensive control powers.

Service providers and other contractual and cooperation partners may transfer your personal data to other countries. If your data is processed outside the European Economic Area (EEA), this may result in your data being transferred to a country with a lower data protection standard than in the European Union. This may result, for example, in your data being processed by public authorities, for control and monitoring purposes, possibly also without the possibility of legal redress.

We implement appropriate safeguards, including the conclusion of EU standard data protection clauses (see the text of the contract at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de), in the event that personal data is processed outside the EU and no adequacy decision has been taken by the European Commission.

Adequacy decisions of the European Commission are available e.g. for Canada, UK and Switzerland (see a list at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).

Your rights

XX. Who can you contact?

If you have any questions, please feel free to contact us at any time (see point I). You are welcome to contact us by e-mail: privacy@waterdrop.com

XXI. Security of your personal data

The security of your personal data is important to us, but please bear in mind that no method of transmission over the internet or method of electronic storage is secure. We therefore cannot guarantee the absolute security of your personal data.

We use the widespread SSL/TLS procedure (Secure Socket Layer / Transport Layer Security) in connection with the highest encryption level supported by your browser when you visit our website. As a rule, this is 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is transmitted in encrypted form by the closed display of the key or lock symbol in the status bar of your browser.

We also use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties. We continuously adapt our security measures in line with technical developments.

XXII. Links to external websites

Our service may contain links - so-called hyperlinks - to websites that are not operated by us. If you click on a link from a third party, you will be redirected from one of our websites directly to the website(s) of the other provider(s). You will recognise this by the change of URL, among other things.
We cannot accept any responsibility for the content, the confidential handling of your data or other practices on these third-party websites and services, as we have no influence over them. Please inform yourself about the handling of your personal data by these companies directly on the respective websites.

XXIII. Right of withdrawal in the case of processing on the basis of consent

If your personal data is collected on the basis of consent pursuant to Art 6 (1) lit a GDPR (see point V) (e.g. personalised news), you have the right to revoke your consent at any time without giving reasons. This has the consequence that we may no longer continue the data processing based on this consent for the future. However, the revocation of your consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. If you wish to exercise your right of revocation, simply send an e-mail to privacy@waterdrop.com.

XXIV. Right of objection

Insofar as your personal data is collected on the basis of legitimate interests pursuant to Art 6 (1) lit f GDPR (see point V), you have the right to object to the processing of your personal data in accordance with Art 21 GDPR, provided that there are grounds for doing so which arise from your particular situation. If your objection is directed against direct advertising, you have a general right of objection; a statement of reasons is not required for these cases. If you wish to exercise your right of objection, simply send an e-mail to privacy@waterdrop.com.

XXV. Your data subject rights

As a data subject of a processing of personal data, you have the right,

to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
demand the correction of incorrect or incomplete personal data stored by us without delay in accordance with Art. 16 GDPR;
pursuant to Art. 17 GDPR to request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims;
to request the restriction of the processing of your personal data in accordance with Art. 18 of the GDPR, insofar as you dispute the accuracy of the data, the processing is unlawful, we no longer require the data and you object to their deletion because you require them for the assertion, exercise or defence of legal claims. You also have the right under Article 18 of the GDPR if you have objected to the processing in accordance with Article 21 of the GDPR;
in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller; and
complain to a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our registered office.

To exercise your data protection rights, with the exception of the right to lodge a complaint with the supervisory authority, simply send an e-mail to privacy@waterdrop.com.

XXVI. Data protection for children

Our services are not directed to persons under the age of 14. We do not knowingly collect personal information from anyone under the age of 14. If you are a parent or guardian and you know that your child has provided us with personal information, please contact us. If we become aware that we have collected personal information from anyone under the age of 14 without verifying parental consent, we will take steps to remove that information from our servers.
If we have to rely on consent as the legal basis for processing your data and your country requires the consent of a parent, we may obtain your parent's consent before collecting and using that data.

Up-to-dateness and amendment of this privacy policy

This privacy policy is current as of February 2024. We may update our privacy policy from time to time. Changes may be necessary due to the further development of our websites, apps and offers or due to changes in legal or regulatory requirements.

We will notify you of any changes by posting the new version of the privacy policy on this page. You can access and print the current version of the privacy policy at any time on this page.

We recommend that you check this privacy policy regularly for changes. Changes will take effect when they are posted on this page.