Privacy Policy

of the Manufactum GmbH, Hiberniastraße 5, 45731 Waltrop, Germany, last updated: 28/11/2024

As of 25 May 2018, data processing in Europe is subject to the uniform provisions of the EU General Data Protection Regulation GDPR. The following Privacy Policy provides you with information about the processing of personal data by Manufactum GmbH, Hiberniastraße 5, 45731 Waltrop, Germany (“Manufactum”, “we” and/or “us”) within the context of using our website at www.manufactum.com (“website/page(s)”) and our applications in compliance with the GDPR and the German Data Protection Act (BDSG).

Please read our privacy policy carefully and thoroughly. If you have any questions or comments about our Privacy Policy, please contact us at datenschutzbeauftragter@manufactum.de

Contents:

1 Controller’s name and contact information
2 Data protection officer’s contact information
3 Purposes of data processing, legal bases and legitimate interests pursued by the controller or a third party as well as categories of recipients and origin of data
3.1 Using our website / applications
3.1.1 Log files
3.1.2 Cookies, tracking, social media plugins
3.2 Justification, implementation and / or termination of contract
3.2.1 Data processing for conclusion of contract
3.2.2 Use of data for fraud prevention purposes
3.2.3 Transmitting data to transport service providers
3.2.4 Processors
3.2.5 Securing the credit card payment / 3D-Secure
3.3 Data processing for advertising purposes
3.3.1 Postal advertising (incl. online advertising)
3.3.2 Newsletter and analysis of your user behaviour
3.3.3 Contests
3.4. Online presence and website optimisation (using cookies) including consents
3.4.1 Cookies – general information and requirement to obtain consent
3.4.2 Intervention options / browser settings
3.4.3. Consents for the use of individual online services / the collection of tracking data
3.4.3.1 Onsite targeting
3.4.3.2. Consent for Meta retargeting (website custom audience)
3.4.3.3 Consent for Pinterest retargeting (Pinterest tag)
3.4.3.4 Consent for Google Analytics
3.4.3.5 Consent for Google Remarketing
3.4.3.6 Withdrawal of all consents
3.4.4. Further processing of tracking data for legitimate interests
3.4.4.1 Manufactum internal tracking
3.4.5 Objection / opt-out option
3.5 Customer account / user account
3.5.1 General information on customer account
3.5.2. Protection of the customer account
3.5.3 Spoofing, spam and phishing warning
3.6 Establishing contact
3.7 Applications
3.8 Origin of data
4 Recipients within and outside of the European Union
5 Your rights
5.1 Overview
5.2 Your rights in detail
5.3 Right to object
5.4 Right to withdraw consent
6 Duration of storage
7 Automated decision-making including profiling (art. 22 GDPR)
8 No obligation to provide us with your data

1 Controller’s name and contact information

This Privacy Policy applies to data processing by the
Manufactum GmbH
Hiberniastraße 5
45731 Waltrop
Telephone: +49 2309 93900
Email address: info@manufactum.com

Represented by: Alexander Peters, Kai Steffan
Chairman of the Advisory Board: Sergio Bucher

2 Data protection officer’s contact information

You can reach our data protection officer using the following contact information:
Dr. Thorsten B. Behling
WTS Legal Rechtsanwaltsgesellschaft mbH
Sachsenring 83
50677 Cologne
Email: datenschutzbeauftragter@manufactum.de

3 Purposes of data processing, legal bases and legitimate interests pursued by the controller or a third party as well as categories of recipients and origin of data

3.1 Using our website/applications

3.1.1 Log files

When visiting websites/opening applications, the respective Internet browser on your end device sends information to the server hosting our website and temporarily saves this information in log files. The datasets saved in the process contain the following data, which is stored until automatically erased:

  • Date and time accessed
  • Name of the accessed page
  • IP address of the requesting device
  • Referrer URL (URL of the page which directed you to our website)
  • Data volume transferred
  • Loading time
  • Product and version information of the respective browser being used, your operating system, and the name of your access provider.

The legal basis for processing the IP address is art. 6 sec 1 f) GDPR. Our legitimate interest results from

  • ensuring a good connection,
  • ensuring convenient use of our website/application,
  • analyzing system security and stability.

This information does not enable us to, nor do we attempt to identify you directly. You can object to the processing of your personal data in our legitimate interests at any time as defined in sec. 5.3.

Data is stored and automatically erased after achieving the specified purposes. The defined periods for erasure are based on the criterion of necessity.

3.1.2 Cookies, tracking, social media plugins

Our website uses so-called cookies, tracking tools, targeting methods and social media plugins. The precise methods and how your data is used for this purpose is detailed in sec. 3.4 below.

3.2 Justification, implementation and/or termination of contract

3.2.1 Data processing for conclusion of contract

When registering on our website and / or concluding an additional contract with us, we process the data required for conclusion, performance and /or termination of the contract with you. This includes:

  • first name, last name
  • billing and delivery address
  • email address
  • billing and payment data
  • telephone number
  • bank details and
  • if applicable, date of birth.

The legal basis for this is art. 6 sec. 1 b) GDPR, i.e. the data is provided by you based on the respective contractual relationship (e.g. maintaining your customer / user account, fulfilling a sales contract) between you and us. Furthermore, we are obligated to compare your data with personal sanctions lists / embargoes (in particular financial sanctions against listed persons) in order to provide non-economic resources or funding to listed persons and to ensure compliance with foreign trade law (Article 6 (1) c) GDPR). Furthermore, when placing a purchase order through our website we are, according to statutory provisions of the German Civil Code (BGB), obligated to send you an electronic order confirmation and therefore, obligated to process your email address (art. 6 sec. 1 c) GDPR).

Provided this data will not be used by us for advertising purposes (refer to 2.3. below), the data collected for performance of contract is stored for the term of the contract and until statutory or possible contractual warranty and guarantee rights expire. Upon expiry of this period, the information arising from the contractual relationship required under commercial and tax law is stored for the periods specified by law. During this period the data will solely be processed again in the event of a tax audit.

Moreover, fulfilling a sales contract through our website / applications also requires the following processing of data:
We transmit your payment data to payment service providers assigned by us to process the payment(s). We transmit your delivery address to logistics companies and shipping partners assigned by us. To ensure that the delivery of goods meets your wishes, we transmit your email address insofar as it is required and, if necessary, the telephone number to the logistics company and/or shipping partner assigned by us to carry out delivery. These may contact you prior to delivery, to coordinate delivery with you. The respective data is solely transmitted for the specified purposes and erased after the goods have been delivered.

3.2.2 Use of data for fraud prevention purposes

The data you provide in connection with a purchase order can be used to verify if the order process is abnormal (e.g. simultaneous order for a variety of products to the same address using different customer accounts). This review fundamentally constitutes our legitimate interest. The legal basis for processing is art. 6 sec. 1 f) GDPR. Our legitimate interest results from the ability to prevent fraud attempts at our expense, thus preventing economic disadvantages for us.

To prevent fraud, we also use the services of Risk.Ident GmbH, Am Sandtorkai 50, 20457 Hamburg, Germany, to operate our website.

Risk.Ident uses cookies and other tracking technologies to collect and process data to determine the end device used by the user and other data about the use of the website. This data is not assigned to a specific user. If IP addresses are collected by Risk.Ident, they are immediately encrypted.

The data is stored by Risk.Ident in a database for fraud prevention. The database also stores data transmitted by us to Risk.Ident on end devices that have already been used for (attempted) fraud offences. In this respect, too, no allocation to specific users takes place.

As part of an order process on our website, we retrieve a risk assessment of the user's end device from the Risk.Ident database. This risk assessment on the probability of a fraud attempt takes into account, among other things, whether the end device has dialled in via different service providers, whether the end device has a frequently changing geo-reference, how many transactions have been made via the end device and whether a proxy connection is used.

The legal basis for processing the data for the purpose of fraud prevention is Article 6 (1) (f) GDPR.

3.2.3 Transmitting data to transport service providers

We work with logistics providers/transport companies and/or shipping partners for the purpose of delivering the goods ordered: The following data can be transmitted to these for the purpose of delivering the goods ordered or of notifying you: First name, last name, postal address, email address, telephone number (e.g. notification by the forwarding agent).
The legal basis for processing is art. 6 sec. 1 b) GDPR.

3.2.4 Processors

We use processors in line with processing your data. A processor is a natural person or legal entity, public authority, agency or other body, who/which processes personal data on behalf of the controller. Processors do not use the data for their own purposes but merely process the data for the controller. Example: If you purchase an item from us, you transmit your email address to us, among other things, for the purpose of our sending you an order confirmation. Therefore, we are the controller for this data processing. Your email address is then transmitted to a service provider, for the purpose of sending an order confirmation. This service provider then sends you the order confirmation for the item purchased. To do so, the service provider processes your email address on our behalf.

3.2.5 Securing the credit card payment / 3D-Secure

To secure the payment process regarding a credit card payment we use the 3D Secure procedure. As part of this process, certain data relating to your order are transmitted to the card-issuing bank via our contractor. This way, the authorized use of the credit card you are using can be verified. The technically required data for the verification (merchant ID/transaction ID) as well as the buyer´s data or recipient´s data will be transmitted. To this end, we process the first name, last name and, if applicable, the company name of each of these persons at the time of purchase. Additionally, we transmit the buyer's e-mail address. Based on this data, the card-issuing bank will check the authorization to use the credit card you are using. To the extent that the card-issuing bank cannot sufficiently verify the authorized use of the credit card, the card-issuing bank may request an additional security feature (e.g. password/TAN), depending on the type of card (e.g. Visa or MasterCard). This must then be entered. As a result of the check, we receive the information about the success of the payment. We won´t receive any further data.

The legal basis for this data processing is Sec. 6 para 1 letter f GDPR. We are legitimately interested in this type of data processing and want to make payment transactions by credit card secure, user- and customer-friendly. The card-issuing bank is also justifiably interested in securing the credit card payment.

3.3 Data processing for advertising purposes

3.3.1 Postal advertising (incl. online advertising)

We generally have a legitimate interest in using your data, which we have collected in line with entering into a contractual relationship with you, for marketing purposes (e.g. postal advertising, newsletter as well as other online advertising). We process the following data for our own marketing purposes and for third-party marketing purposes: First name, last name, title, postal address, if necessary year of birth and/or information regarding your registration, your first order and, if applicable, your last order with us as well as information on previously sent newsletters.

Furthermore, we are entitled to store additional personal data, collected in compliance with the law, along with said data for our own marketing purposes and for third-party marketing purposes. For instance, this additional data can include categories of goods (e.g. “clothing”) that you purchased from us. The goal is to provide you with advertising based solely on your actual or assumed needs and not to inconvenience you with useless advertising.

The additional data stored is not transmitted to third parties. Manufactum also pseudonymises/anonymises your personal data collected for the purpose of using the pseudonymised/anonymised data for their own marketing purposes and third-party marketing purposes (advertisers).

The pseudonymised/anonymised data can also be used to show you online advertisements tailored to your needs, in which case the advertising can be controlled by third-party service providers and/or agencies. The legal basis for using personal data for marketing purposes is art. 6 sec. 1 f) GDPR. Our legitimate interest is in enabling us to provide you with advertising tailored to your needs and therefore, presenting our company to you in accordance with your personal preferences.

Information regarding the right to object

You can object to your personal data being used for the aforementioned marketing purposes at any time free of charge with future effect by contacting info@manufactum.com.

Upon objecting, your data will be blocked from further data processing for the purpose of advertising. Please note, in some cases we may still temporarily send you advertisements after receiving your objection. This is due to technical reasons because a lead time is required during selection. This does not mean your objection has not been implemented.

3.3.2 Newsletter and analysis of your user behaviour

We offer you the option of subscribing to our newsletters on our website/applications as well as third-party websites (e.g. Facebook). A newsletter is not sent to you until you have consented to receiving it and indicated your email address. The wording of the consent that indicates the scope of the consent to be given, is as follows:

“I would like to receive the newsletter from Manufactum GmbH and be informed via email of new product lines, special offers, events, trends, advice as well as campaigns and personal advantages offered by Manufactum. This consent can be withdrawn at any time with future effect by writing to info@manufactum.com or clicking the unsubscribe link at the end of every newsletter. I have read and understood the Privacy Policy.”

We use the so-called double opt-in method (DOI method), to verify no mistakes occurred when entering the email address: After entering your email address in the registration field and consenting to receive our newsletters, we will send a confirmation link to the address provided. Your email will not be added to our newsletter distribution list until the confirmation link has been clicked. In each case, the legal basis for this data processing is art. 6 sec. 1 a) GDPR.

If you subscribe to our newsletter via third-party websites (e.g. Facebook), the respective website operator transmits the data you provided during the subscription process (e.g. email address) to us. In each case, the legal basis for this data processing is art. 6 sec. 1 a) GDPR. Insofar as the website operator of the third-party website uses the information you provided in line with the subscription process for its own purposes, the website operator is responsible for that. You can receive more detailed information on data processing by the website operator in its privacy policies. Furthermore, in addition to your email address we also store the time at which you gave us your consent as well as the wording of the consent, to verify your consent. The legal basis for this data processing is art. 6 sec. 1 f) GDPR.

Moreover, in connection with sending newsletters, we can also use the types of data defined in sec. 3.3.1.

Our newsletters include an image one pixel in size (web beacon), which the server retrieves when opening the newsletter. Retrieving this results in the collection of technical information such as information about your browser or system as well as your IP address and the time of access. This information is used to make technical improvements to our services. These statistical measures include determining whether the newsletters are opened, when they are opened and which links are clicked. This serves the purpose of determining the reading behaviours of our users and tailoring our contents to them or of delivering different contents based on the interests of our users.

The legal basis for this data processing is art. 6 sec. 1 f) GDPR.

If you do not want us to process usage data related to our newsletters you receive as described above, you can prevent us from receiving this respective information and therefore, exercise your right to object or withdraw – notwithstanding the information provided in sec. 5.3 and 5.4:

  • Information about newsletter delivery:
    Unsubscribing to the newsletter (refer to information below)

  • Information about opening the newsletter:
    Deactivating the downloading of images in your email client. The help function of your email client usually provides detailed information related to this topic.

  • Information on clicking within the newsletter:

Avoid clicking images and links in a newsletter.

  • Your surfing behaviour on our website after clicking an offer in a newsletter:
  1. Configure your browser so it will not store any cookies. You can obtain more detailed information in sec. 3.4.2. Please note that if your browser does not accept any cookies, you may not be able to make full use of the functions on our website.
  2. Alternatively, you can object to the tracking of your surfing behaviour here (external link)
    .
  • End device used including email client and operating system:
    Deactivating the downloading of images in your email client as well as preventing images and links from being clicked on in a newsletter. Please note that even after taking these measures, we still receive information about your operating system when visiting our website.

Information on right to withdraw

You may withdraw your consent at any time with future effect by writing to info@manufactum.com or clicking the unsubscribe link at the end of every newsletter.

3.3.3 Contests

If you enter a contest held by Manufactum, we will use the data provided when entering for the purpose of implementing the participation contract, particularly to notify winners and, where applicable, to advertise our offers and/or offers of our contest partners. For detailed information please refer to the eligibility requirements for the respective contest. The legal bases for this data processing are art. 6 sec. 1 a) GDPR, art. 6 sec. 1 b) GDPR and art. 6 sec. 1 f) GDPR.

3.4 Online presence and website optimization (using cookies) including consents

Brief summary

As the operator of the manufactum.com platform, Manufactum collects data on user behaviour on the named platform (tracking data). Among other things, this includes which subpages (detailed item page) were accessed. For this purpose, cookies, among other things, can be placed in the browser used by the respective user by Manufactum and/or by partners of Manufactum. Collecting tracking data is strictly only permissible if you consented to this in advance (§ 25 (1) S. 1 TDDDG). You can give such consent by clicking on the “OK” button in the “cookie banner” displayed at manufactum.com. However, giving consent for the processing of such tracking data required for the website Manufactum.com is not necessary (§ 25 (2) Nr. 2 TDDDG). This includes, for example, the setting of cookies for the purpose of displaying the shopping basket. Among other things, Manufactum can use the information on your user behaviour to show you offers on manufactum.com that are interesting to you or to solicit you on other websites using personalized content (e.g. retargeting). Insofar as personal data about your user behaviour at manufactum.com is also used by other suppliers, e.g. for the purpose of “accumulation of own information”, such a use does not take place in these cases until you have given consent to do so. In such cases, any further processing of the data collected on manufactum.com generally takes place under the sole responsibility of the providers. Providers may transfer data to the US as part of this further processing. The European Court of Justice has ruled that the USA is a country with an insufficient level of data protection. In particular, there is a risk that your data will be processed by American institutions/authorities for control and monitoring purposes without you having an adequate legal remedy. Tracking data that Manufactum collects and stores itself is solely processed by Manufactum in a pseudonymised manner. This prevents a direct allocation of the data to your identity. If you would like to delete individual cookies that were placed in your browser or want to find out which service providers/suppliers placed cookies in your browser, you can find this/carry this out via a “preference manager”. Such a manager is, for example, accessible at www.youronlinechoices.com Furthermore, you have the option of setting your browser in a manner that prevents cookies from being placed or only permits the placement of certain types of cookies. You can find details on the option of changing the settings of common browser types (among others Google-Chrome, Firefox) in sec. 3.4.2. (Intervention options / browser settings) of this Privacy Policy.

3.4.1. Cookies – general information and requirement to obtain consent

This website uses cookies and pixels. Cookies are small text files automatically generated by your browser and saved to your end device (laptop, tablet, smartphone or the like). In each case, information related to the specific end device used is saved to the cookie. However, this does not mean it provides us with direct knowledge concerning your identity. Some of the cookies we use are deleted at the end of the browser session (so-called session cookies). For instance, these allow us to show you your basket on different pages, which on the other hand shows you how many items are currently in your cart and what the current purchase value of the cart is. Other cookies remain on your computer and allow us to recognise your computer the next time you visit our website (so-called permanent or persistent cookies). Among other things, particularly these cookies help us make our website more appealing to you. Thanks to these files, it is for example possible for you to have information displayed to you on the manufactum.com website that is specifically tailored to your interests.
According to the legal regulations, saving information on end devices (desktops, mobile phones, tablets or the like) - e.g. by placing cookies - as well as accessing information from end devices (tracking) is fundamentally only permitted if you have given prior consent to do so. The legal basis for this is § 25 (1) S. 1 TDDDG. Consent is not required, however, if such storage/retrieval is necessary for the website's services. The legal basis for this is § 25 (2) Number 2 TDDDG. Necessity is given e.g. in regard to ensuring the following functionalities/fulfilling the following purposes:

  • Provision of individual "features" (display of the shopping basket, display of the wish list, enabling and maintaining log-in, integration of payment service providers, etc.).
  • Ensuring system security / recognising and preventing fraud
  • Checking the functionality of the service
  • Settlement of accounts (e.g. billing of partners)
  • Fulfilment of legal requirements (including documentation of the granting / revocation of tracking opt-ins)
  • General coverage analysis.

You have no right to object to data processing that is necessary for the operation of the website.

Note

You can use the manufactum.com website without data from your end device being accessed for such purposes or data being stored on the website, which is not required for the offer on the manufactum.com website. Therefore, merely “basic tracking” is activated when using the manufactum.com website - if you did not give any further consent.

The aforementioned pixels are a matter of pixel-size images, which are integrated into our HTML code of our website. These enable – similar to cookies – collecting access to our website and information in connection with the specifically used end device. These pixels are also only used – within the scope as described as follows – if you have given prior consent to do so.

3.4.2. Intervention options/browser settings

You can certainly configure your browser to block our cookies from being saved to your end device. The help function in the menu bar of most browsers explains how to prevent your browser from accepting new cookies, to have your browser notify you of new cookies, or how to delete existing cookies and block all future cookies.

Use the following steps to do so:

In Internet Explorer:

  1. In the "Extras" menu, select "Internet Options".
  2. Click on the "Privacy" tab.
  3. You can now change the security settings for the Internet zone. Here you can configure if and which cookies to accept or block.
  4. Click "OK" to confirm your settings.

In Firefox:

  1. In the "Extras" menu, select Options.
  2. Click "Privacy & Security".
  3. In the drop-down menu, select “Custom".
  4. You can now configure whether to accept cookies, how long the cookie will be stored and add exceptions for websites, for which you always or never want to allow cookies.
  5. Click "OK" to confirm your settings.

In Google Chrome:

  1. Click on the Chrome menu in the browser toolbar.
  2. Now click "Settings".
  3. Click "Advanced".
  4. Under "Privacy and Security" click "Content settings".
  5. Click "Cookies" for the following settings:
  • Deleting cookies
  • Blocking all cookies
  • Always delete website data when exiting the browser
  • Allowing cookies from specific websites or domains

If you would like to delete individual cookies that were placed in your browser or want to find out which service providers/suppliers placed cookies in your browser, you can find this/carry this out via a “preference manager”. Such a manager is accessible at https://www.youronlinechoices.com e.g.

3.4.3. Consents for the use of individual online services / the collection of tracking data

Note

As already stated in sec. 3.4.1 of this Privacy Policy, Manufactum collects and processes tracking data, in part based on consent. You give this consent by clicking on the “OK” button in a banner that is linked to the wording of this consent on the manufactum.com website. By clicking the “OK” button, you give your consent for Manufactum storing data on your end device (e.g. by placing cookies) or accesses data from your end device. Data (tracking data) collected in this manner is, on the one hand, further processed for purposes based on Manufactum’s legitimate interest and your interest in not having this data further processed does not outweigh the legitimate interests of Manufactum (balancing of interests). You can find detailed explanations regarding this further processing in the information in sec. 3.4.4 of this Privacy Policy. Furthermore, by clicking the “OK” button you also give consent for the use of certain third-party advertising functions, the use of which requires consent. Data processing in connection with these advertising functions is described below (sec. 3.4.3.1 to sec. 3.4.3.5 of this Privacy Policy).

All data processing conducted in line with your clicking on the “OK” button and in doing so, giving us consent, serve the same purpose and that is “advertising”.

3.4.3.1 Onsite targeting

Note

With the help of cookies, data to optimize product recommendations is collected and analyzed on this website. This data includes e.g. information about which products you viewed on our website. The data is only collected and analyzed in a pseudonymised manner and does not allow us to identify you. In particular, this data is not merged with your personal data. This data allows us to show you offers tailored to your specific interests based on your past user behaviour.
The legal basis for this processing is art. 6 sec. 1 a) GDPR (consent).

3.4.3.2. Consent for Meta retargeting (website custom audience)

Note

A Meta Platforms Ireland Limited is integrated into this website (website custom audience pixel). This pixel allows the collectively responsible Manufactum (GmbH) and Meta Platforms Ireland Limited to collect information about your use of this website (e.g. data on products viewed) and to transmit it to Meta Platforms Ireland Limited.
We also share information with Meta about your most recent orders (conversions). In addition, we transmit your e-mail address stored in your customer account to Meta as a hash value if we recognise you when you are logged in and you give your consent to this data transmission via the banner solution used on this website. The hash value of the e-mail address is used by Meta exclusively for the recognition of website visitors in the context of the display of personalised advertisements. The same applies to the transmission / use of your IP address and your user agent.
This data can be allocated to you personally with the help of additional data, which Meta Platforms Ireland Limited has e.g. stored based on your having an account on the social network “Facebook”. Based on the data collected by the pixel, you can be shown interest-related pop-up ads in your Facebook account that pertain to our offers (retargeting) in your Facebook account. Furthermore, the data collected by the pixel can be aggregated by Meta Platforms Ireland Limited and the aggregated data can be used by Meta Platforms Ireland Limited for its own advertising purposes as well as for third-party advertising purposes. For instance, Meta Platforms Ireland Limited can deduce certain interests from your surfing habits on this website and can also use this data to advertise offers from third parties. Meta Platforms Ireland Limited can also link the data collected by the pixel with additional data Meta Platforms Ireland Limited collected on you via other websites and/or in connection with the use of the social network “Facebook”, so that your personal profile can be stored at Meta Platforms Ireland Limited. This profile can be used for advertising purposes. At the same time, it is also possible that Meta Platforms Ireland Limited uses the data to display advertising to you or other persons, who have similar profiles. Meta Platforms Ireland Limited is solely responsible for the permanent storage and the described further processing of the tracking data collected by the website custom audience pixel used on this website. In connection with this, Meta Platforms Ireland Limited, as the sole data controller, may store data about you in the USA. The European Court of Justice has ruled that the USA is a country with an insufficient level of data protection. In particular, there is a risk that your data will be processed by American institutions/authorities for control and monitoring purposes without you having an adequate legal remedy. The legal basis for this processing is art. 6 sec. 1 a) GDPR (consent).

You can get more detailed information regarding data privacy at Meta Platforms Ireland Limited here: https://www.facebook.com/policy.php. You can also find the option of asserting your rights as a data subject (e.g. right to erasure) against Meta Platforms Ireland Limited here. You can withdraw your consent for the transmission of data to Meta Platforms Ireland Limited by using the pixel on this website here (external link) or refuse to give consent for the use of Facebook retargeting.

3.4.3.3. Consent for Pinterest retargeting (Pinterest tag)

Note

A Pinterest Europe Ltd. (Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland) pixel (Pinterest tag) is integrated on this website. This pixel allows the collectively responsible Manufactum (GmbH) and Pinterest Europe Limited to collect information about your use of this website (e.g. data on products viewed) and to transmit it to Pinterest Europe Limited. Solely Pinterest Europe Limited is responsible for data privacy regarding the further processing of the data transmitted to Pinterest Europe Limited. This data transmitted to Pinterest Europe Limited can be allocated to you personally with the help of additional data, which Pinterest Europe Limited has e.g. stored based on your having an account on the social network “Pinterest”. Based on the data collected by the pixel, you can be shown interest-related pop-up ads in your Pinterest account that pertain to our offers (retargeting). Furthermore, the data collected by the pixel can be aggregated by Pinterest Europe Limited and the aggregated data can be used by Pinterest Europe Limited for its own advertising purposes as well as for third-party advertising purposes. For instance, Pinterest Europe Limited can deduce certain interests from your surfing habits on this website and can also use this data to advertise offers from third parties. Pinterest Europe Limited can also link the data collected by the pixel with additional data Pinterest Europe Limited collected on you via other websites and/or in connection with the use of the social network “Pinterest”, so that your personal profile can be stored at Pinterest Europe Limited. At the same time, it is also possible that Pinterest Europe Limited uses the data to display advertising to you or other persons, who have similar profiles. This profile can be used for advertising purposes. At the same time, it is also possible that Pinterest Europe Limited uses the data to display advertising to you or other persons, who have similar profiles. This profile can be used for advertising purposes. Where Pinterest Europe Limited is the sole controller of your data, it is possible that your data will be transferred to the USA by Pinterest Europe Limited. The European Court of Justice has ruled that the USA is a country with an insufficient level of data protection. In particular, there is a risk that your data will be processed by American institutions/authorities for control and monitoring purposes without you having an adequate legal remedy. The legal basis for this processing is art. 6 sec. 1 a) GDPR (consent).

You can get more detailed information regarding data privacy at Pinterest Europe Limited here: https://policy.pinterest.com/de/privacy-policy. You can also assert your rights as a data subject (e.g. right to erasure) regarding the data Pinterest Europe Limited processes in regard to your person as the party responsible for data privacy. You can withdraw your consent for the use of Pinterest retargeting here (external link) or refuse to give consent for the use of Pinterest retargeting.

3.4.3.4 Consent for Google Analytics

Note

Manufactum also uses Google Analytics on the basis of consent for the purpose of demand-oriented design and continuous optimization of manufactum.com. Google Analytics is a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Analytics uses, among other things, so-called "cookies" (text files) and similar technologies that are stored on your end device and enable your use of the website to be analyzed. This information is used to evaluate your use of the website, to compile reports on website activity and to optimize the display of advertising. The processing of the data after its transmission by Manufactum to Google Ireland Limited is performed by Google as the sole controller under data protection law. In this context, Google Ireland Limited, as the sole controller under data protection law, may store data about you in the USA. The European Court of Justice has ruled that the USA is a country with an insufficient level of data protection. In particular, there is a risk that your data will be processed by American institutions/authorities for control and monitoring purposes without you having an adequate legal remedy. The legal basis for this processing is Art. 6 (1) lit. a) GDPR (consent). Further information about Google Analytics and Google's privacy policy is available here and here. You are entitled to revoke your consent to the use of Google Analytics here.

3.4.3.5 Consent for Google Remarketing

Note

Our platform uses the Google Remarketing service. Google Remarketing is an online advertising program of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). We use the remarketing function within the Google Ads service. The remarketing function allows us to present you with adverts based on your interests on other websites / apps within the Google advertising network. This involves analyzing your surfing behaviour on our website, e.g. which offers you have viewed (tracking data). This allows us to show you personalised advertising on the online search engine Google itself, known as "Google Ads", and on other websites / apps even after you have visited our website. This involves Google storing a cookie in your browser when you visit Google services or websites in the Google advertising network. This cookie is used to record your visits. The cookie is used to uniquely identify your web browser and not to identify you personally. In addition, we share information with Google in relation to your most recent orders (conversions).
In addition, we transmit your email address stored in your customer account to Google as a hash value if we recognise you when you are logged in and you give your consent to this data transmission via the banner solution used on this website. The hash value of the email address is used by Google exclusively to recognise website visitors in the context of displaying personalised advertisements.
It is possible that Google may also use the data collected about your usage behaviour via the manufactum.com website for its own purposes or for the purposes of other Google customers (e.g. to display individualised third-party advertisements). Such further processing of the data and the processing of the data after it has been transmitted by Manufactum to Google is undertaken by Google Ireland Limited as the sole controller under data protection law. In this context, Google Ireland Limited, as the sole controller under data protection law, may store data about you in the USA. The European Court of Justice has ruled that the USA is a country with an insufficient level of data protection. In particular, there is a risk that your data will be processed by American institutions/authorities for control and monitoring purposes without you having an adequate legal remedy. The legal basis for this processing is Art. 6 (1) lit. a) GDPR (consent).

More information about Google Remarketing and Google's privacy policy is available here and here. This is where you are also able to assert your rights as a data subject (e.g. right to erasure) with regard to the data that Google processes as the controller under data protection law. Here you can withdraw your consent to the use of Google Remarketing.

3.4.3.6 Withdrawal of all consents

Withdrawal of all consents

Your consent given for the aforementioned data processing (sec. 3.4.3.1. to sec. 3.4.3.5) can be fully withdrawn here.

3.4.4. Further processing of tracking data for legitimate interests

Manufactum has the right to further process tracking data that was collected based on legitimate interests after consent has been given to do so. This further processing is on the legal basis in art. 6 sec. 1 f) GDPR /(balancing of interests). Insofar as Manufactum further processes tracking data on the legal basis in art. 6 sec. 1 f) GDPR, this is solely conducted for purposes for which Manufactum has a legitimate interest. Among other things, these legitimate interests include processing tracking data for purposes of displaying individualized advertising on third-party sites as well as suggesting products on Manufactum.com. Manufactum does not process any data in connection with this further processing of tracking data, which are classified by law as particularly sensitive in art. 9 GDPR (e.g. health-related data). Furthermore, Manufactum does not use the tracking data to create analysis data, which can be allocated to particularly protected areas by art. 9 GDPR. Moreover, Manufactum does not make any automated decisions based on tracking data, which can have a legal effect on you as a user of the Manufactum.com website or which significantly affect you in a similar manner (e.g. individualized price adjustments based on your user behaviour). Manufactum also subjects the tracking data - depending on its volume and the risks resulting your rights to be protected from the processing of tracking data - to pseudonymization, which prevents the data from being allocated to your identity.

3.4.4.1 Manufactum internal tracking

Manufactum has developed its own web tracking technology or uses external tracking technology, which is offered as part of the data processing relationship. The data concerning your usage of the manufactum.com (tracking data) website is collected through the use of this technology on the basis of granted consent and is processed for various purposes by Manufactum. These purposes, pursued by Manufactum with legitimate interest, include the following: targeted product recommendations on manufactum.com/Newsletter; analysing the functionality of the website manufactum.com; improving search results on manufactum.com; recognising potential for improvement or campaign optimisation.
The data collected by Manufactum’s own web tracking technology is processed exclusively in pseudonymised form or using a pseudonym. This means that it is not possible to trace the data directly back to your person without using separately stored information.
The legal basis for further data processing is Article 6 Paragraph 1 Letter f) GDPR (legitimate interest). You can object to the collection and further processing of data by Manufactum here. Manufactum will then implement your objection and ensure it is communicated and passed on to service providers involved in creating targeted personalised adverts on third-party websites, which are based on data collected through Manufactum's web tracking system. The objection also means that the mentioned services will no longer collect any data from the end device you used when entering the objection at manufactum.com for the purposes mentioned.

3.4.5 Objection/opt-out option

In addition to the disabling options described above, you can also block the specified technologies in general by changing the cookie settings in your browser. You also have the option of disabling preference-based advertising with the help of the preference manager accessible here (external link).

3.5 Customer account/user account

3.5.1 General information on customer account

To make matters as convenient as possible for you, we offer you the possibility of permanently storing your personal data in a password-protected customer account/user account.

Creating a customer account is basically voluntary. When creating a customer account, the data collected in this respect is processed based on art. 6 sec. 1 b) GDPR. After creating a customer account you do not need to re-enter your data. You can view and change the personal data saved in your customer account at any time.

Creating a customer account is only required for performance of contract when placing an order through our website/application.

You can delete your customer account at any time. To do so, please contact us or our data security officer. Please refer to sec. 1 and sec. 2 for the respective contact information. However, please note if you have already purchased from us, this will not delete the data shown in the customer account. Your data is deleted after the expiration of the retention periods under commercial and tax law to which we are subject. The legal basis for this further processing of data is art. 6 sec. 1 c) GDPR and art. 6 sec. 1 f) GDPR, with our legitimate interest being retaining the data for any applicable legitimate reasons for storage.

3.5.2. Protection of the customer account

You must choose a password when creating a customer account. Together with your email address, this password will grant you access to your customer account. However, your data can only be protected effectively if keep your access data in a safe place and protect it against unauthorized third-party access. Users often use the same password for different services. This should be strictly avoided. Furthermore, there is the phenomena that third parties try obtaining log-in data and other information (e.g. credit card information) without authorization using so-called “phishing mails”. Please check requests for their authenticity that want you to specify personal data, particularly if these requests are sent via email. We can inform you if significant changes are made to your customer account (e.g. change in postal address or email address), so that you can check whether these changes are legitimate or have been made by an unauthorized third party. Please also observe that you will automatically remain logged in after leaving our website unless you log out of your account.
Please observe all information below in connection with protecting your data:

The following basically applies: Protect your customer account and your computer, laptop or mobile device using secure passwords and PIN codes that only you know! Furthermore, always remember to log off our website after every online purchase.

Make sure that you only use your passwords for one account! Never use just one password for different suppliers or portals. Check whether the password you selected for our website may also be in use for other websites. If this is the case, we strongly advise you change all passwords immediately.

Do not write down the passwords in a place freely accessible to others. Here, also make sure that only you have access to the passwords.

How to create a secure password!
You should choose passwords that cannot be easily guessed, i.e. no common everyday words, your own name or the name of relatives for instance. To make a password even more secure, it is recommended to use a combination of upper and lower case letters, numbers and special characters.

Is there anything else I need to observe?
If you ever use a publicly accessible computer, always make sure that you log off after visiting our website.

3.5.3. Spoofing, spam and phishing warning

Unfortunately, even Manufactum can be misused as the supposed sender in this scam. Specifically this means that consumers could receive fake emails on behalf of Manufactum. These emails often even comply with the sender’s brand layout and under circumstances, it can be extremely difficult to distinguish these from real emails from Manufactum.

These cybercriminals or hackers want to exploit the position of trust between us and our customers and in doing so, steal sensitive data (e.g. log-in, customer data, payment information) or install malware (such as viruses or Trojans) on your computer or smartphone.

The creation and sending of these emails is not carried out by Manufactum, even if our name should be used as the sender. Unfortunately, we do not have any influence on the sending of these illegal emails.

How to properly deal with spam, phishing and spoof emails properly:

  • We recommend you immediately delete suspicious emails.
  • Never open links or attachments included in suspicious emails and do not reveal any personal data.
  • However, if you accidentally clicked on links in the email, immediately change your Manufactum password in My Account. Furthermore, we recommend you scan your computer for viruses.
  • In the event that the email contains unusual or suspicious information regarding orders or your customer information, log-in under My Account. There, you can find a list of all orders your actually placed and you can check the order status and the respective invoice numbers. To do so, enter the address www.manufactum.com manually in your browser’s address bar. This prevents you from being led to fraudulent websites when using the link in the email.

Our tip and service for you: If you should ever be in doubt, please send us an email to: info@manufactum.com.

3.6 Establishing contact

You have different options of contacting us. Via email, telephone, using the contact form, or by post. If you contact us, we use the personal data you voluntarily provide us with in this respect for the sole purpose of contacting you and processing your inquiry.
The legal basis for this data processing is art. 6 sec. 1 a), art. 6 sec. 1 b), art. 6 sec. 1 c) GDPR and art. 6 sec. 1 f) GDPR. When processing data based on art. 6 sec. 1 f) our required legitimate interest for responding to your inquiry is to allow us to present our company in a positive light and ensure a high level of satisfaction among customer/prospective customers.

3.7 Applications

If you decide to apply for a vacancy posted under “Jobs” by post or email, we will process your basic personal data (e.g. title and name), your contact data (e.g. email address, telephone number), your address data and your application data (e.g. cover letter, CV, diplomas/certificates), to determine whether to employ you and, where applicable, to justify, implement and terminate said employment. We will only process data beyond the above types of data if and where suitable, to establish your qualification for the position. The legal basis for this is art. 88 GDPR in conjunction with § 26 sec. 1 sentence 1 German Data Protection Act (BDSG).

When submitting your application by email (preferably in PDF format), please ensure it is encrypted adequately, as data transmission by email is not secure and can therefore be intercepted by third parties. Please also note the maximum file size of 7MB.

When submitting application documents for another person, e.g. acting as a recruitment consultant, you are obligated to comply with all requirements related to data protection laws. For details please refer to sec. 3.9.

3.8 Origin of data

We basically only collect your personal data from you. In the case of exceptions where this is not the case, we will notify you separately. However, we may also receive data from another person, namely the person entering it in the respective areas on our website (e.g. creating an account, using the contact form).

If you transmit personal data concerning a third party to us through our website, you are obligated to comply with all the requirements under data protection laws, particularly under art. 5 to 9 as well as 12 GDPR. Otherwise we do not have your consent for collection with respect to the data provided and reserve the right to take legal action against you.

4 Recipients within and outside of the European Union

In some cases your personal data may also be shared with specific recipients. In the process, your data, without prejudice to other information related to recipients in this Privacy Policy, can be transmitted to the following bodies:

  • Public authorities to which data must be transmitted by virtue of statutory provisions (e.g. fiscal and supervisory authorities)
  • Internal departments involved in carrying out tasks (e.g. Sales, IT, IT Security)
  • Processors (e.g. IT service providers) (also refer to sec. 3.2.4)
  • Shipping partners (e.g. forwarding agents)
  • If applicable, partners we use to display advertisements (e.g. Facebook, Pinterest - also refer to sec. 3.4.3.2 and 3.4.3.3).
  • Our data protection officer

With the exception of processing, for which we explain the possibility of transmitting data to recipients domiciled outside the EU in this information regarding data privacy, we do not share your data with recipients domiciled outside the European Union or the European Economic Area. Data is transmitted based on the so-called Standard Contractual Clauses of the EU commission.

5 Your rights

5.1 Overview

Brief summary

You have data subject rights in connection with us processing your personal data. For example, you have the right to demand information regarding your personal data that we store. You also have the right to withdraw consents given us and to object to individual types of data processing. Furthermore, you have the right to the rectification of incorrect data and can request us to transmit specific data to you in a common electronic format. You also have the right to request we erase your personal data stored by us. In this regard, please observe that we may still be legally obligated to continue to store the data despite your assertion of your right to erasure. In individual constellations, we also have an interest in continuing to store your data, which outweighs your interest in having said data erased (e.g. if we still have outstanding payments from you).

5.2 Your rights in detail

You can assert your rights against us stated in sec. 5 directly against us or against our data protection officer. Please refer to sec. 1 and sec. 2 for the respective contact information.

In addition to the right to withdraw your consents you have granted us, you are entitled to the following additional rights if the respective legal requirements apply:

  • the right to obtain information about your personal data stored by us (art. 15 GDPR) particularly, information about the processing purposes, the personal data category, the categories of recipients to whom the personal data has been or will be disclosed, the planned storage duration, the origin of your data if the personal data was not collected directly from you;
  • the right to rectification of inaccurate personal data (art. 16 GDPR),
  • the right to erasure of your personal data stored by us (art. 17 GDPR), unless required by us to comply with statutory or contractual retention periods or other legal obligations or rights to further storage,
  • the right to restriction of processing of your data (art. 18 GDPR), provided the accuracy of the personal data is contested by you, the processing is unlawful but you oppose to the erasure thereof; we no longer need the data but you need it for the establishment, exercise or defence of legal claims or you have objected to processing pursuant to art. 21 GDPR,
  • the right to data portability pursuant to art. 20 GDPR, i.e. the right to have your personal data transmitted to you in a common, machine-readable format or to request transmission to another controller,
  • the right to lodge a complaint with a supervisory authority. You can typically contact the supervisory authority responsible for your usual residence, place of work or our place of business.

5.3 Right to object

Right to object

You have the right to object to data processing on grounds relating to your particular situation subject to the requirements of art. 21 sec. 1 GDPR.
The preceding general right to object applies to all processing purposes specified in this Privacy Policy on the basis of art. 6 sec. 1 f) GDPR. Unlike the special right to object related to data processing for advertising purposes, the GDPR stipulates that we are only obligated to implement such a general objection if you provide us with reasons of overriding importance (e.g. possible hazards to life or limb).

5.4 Right to withdraw consent

Provided we are processing data based on your consent, you have the right to withdraw the consent given at any time. Withdrawing your consent does not invalidate data processing based on consent prior to withdrawal.

6 Duration of storage

The period for which we store the data we collect about you depends on the purpose for which we process the data. The data is stored for as long as is necessary to achieve the intended purpose. If we are required to store certain categories of data for a certain period of time due to legal obligations (e.g. tax obligations), the data will continue to be stored exclusively for the purpose of fulfilling the legal obligation after it is no longer required for achieving its intended purpose. In this case, access to the data is blocked.

8 No obligation to provide us with your data

You are under no obligation to provide us with your data. However, we may require your data for performance of contract, e.g. if you wish to purchase one or multiple products from our website. Without the required personal data outlined in this Privacy Policy, which you will be prompted to provide, we may not be able to enter into the contract with you or execute a previously concluded contract.

Moreover, should you use e.g. technical measures to prevent us from receiving data required to use our website (in particular, refer to sec. 3.4), you may not be able to use our website or use it to its full extent.

In other cases in which you do not provide us with the data required (e.g. in line with establishing contact or participating in a contest), we will also not be able to provide you with the respective service.