––––––––––––––––––––
Privacy Policy
––––––––––––––––––––
1) Introduction and Contact Details of the Controller
1.1 We are pleased that you are visiting our website and thank you for your interest. In the following, we inform you about the handling of your personal data when using our website. Personal data refers to all data with which you can be personally identified.
1.2 The controller for data processing on this website in the sense of the General Data Protection Regulation (GDPR) is TIMM UG (haftungsbeschränkt), Drosselgasse 21, 04509 Krostitz, Germany, Tel.: +4934295839957, E-Mail: info@candledeko.com. The controller for the processing of personal data is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.
2) Data Collection when Visiting Our Website
2.1 When using our website for informational purposes only, i.e., if you do not register or otherwise provide us with information, we only collect the data that your browser transmits to the page server (so-called "server log files"). When you access our website, we collect the following data, which are technically necessary for us to display the website to you:
- Our visited website
- Date and time of access
- Amount of data sent in bytes
- Source/referrer from which you accessed the page
- Browser used
- Operating system used
- IP address used (if applicable: in anonymized form)
Processing is carried out in accordance with Art. 6 Para. 1 lit. f GDPR on the basis of our legitimate interest in improving the stability and functionality of our website. No disclosure or other use of the data takes place. However, we reserve the right to subsequently check the server log files if there are concrete indications of illegal use.
2.2 This website uses SSL or TLS encryption for security reasons and to protect the transmission of personal data and other confidential content (e.g., orders or inquiries to the controller). You can recognize an encrypted connection by the string "https://" and the lock symbol in your browser line.
3) Hosting & Content Delivery Network
For the hosting of our website and the display of page content, we use a provider who performs its services itself or through selected subcontractors exclusively on servers within the European Union.
All data collected on our website is processed on these servers.
We have concluded a data processing agreement with the provider, which ensures the protection of our site visitors' data and prohibits unauthorized disclosure to third parties.
4) Cookies
To make visiting our website attractive and to enable the use of certain functions, we use cookies, which are small text files stored on your device. Some of these cookies are automatically deleted after closing the browser (so-called "session cookies"), while others remain on your device for a longer period and enable the storage of page settings (so-called "persistent cookies"). In the latter case, you can find the storage duration in the overview of your web browser's cookie settings.
If personal data is also processed by individual cookies used by us, the processing takes place either pursuant to Art. 6 Para. 1 lit. b GDPR for the performance of the contract, pursuant to Art. 6 Para. 1 lit. a GDPR in the case of a granted consent, or pursuant to Art. 6 Para. 1 lit. f GDPR to safeguard our legitimate interests in the best possible functionality of the website and a customer-friendly and effective design of the website visit.
You can set your browser so that you are informed about the setting of cookies and can decide individually about their acceptance or exclude the acceptance of cookies for certain cases or generally.
Please note that if cookies are not accepted, the functionality of our website may be limited.
5) Contacting Us
5.1 WhatsApp Business
You have the option to contact us via the messaging service WhatsApp from WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. For this purpose, we use the so-called "Business version" of WhatsApp.
If you contact us via WhatsApp regarding a specific transaction (e.g., an order placed), we store and use your mobile phone number used on WhatsApp and – if provided – your first and last name in accordance with Art. 6 Para. 1 lit. b GDPR to process and respond to your inquiry. Based on the same legal basis, we may ask you via WhatsApp to provide further data (order number, customer number, address, or email address) to assign your inquiry to a specific process.
If you use our WhatsApp contact for general inquiries (e.g., about our range of services, availability, or our website), we store and use your mobile phone number used on WhatsApp and – if provided – your first and last name in accordance with Art. 6 Para. 1 lit. f GDPR based on our legitimate interest in providing the requested information efficiently and promptly.
Your data will always be used only to answer your inquiry via WhatsApp. No disclosure to third parties takes place.
Please note that WhatsApp Business gains access to the address book of the mobile device we use for this purpose and automatically transfers phone numbers stored in the address book to a server of the parent company Meta Platforms Inc. in the USA. For the operation of our WhatsApp Business account, we use a mobile device whose address book exclusively stores the WhatsApp contact data of users who have also contacted us via WhatsApp.
This ensures that every person whose WhatsApp contact data is stored in our address book has already consented to the transmission of their WhatsApp phone number from the address books of their chat contacts in accordance with Art. 6 Para. 1 lit. a GDPR when they first use the app on their device by accepting the WhatsApp terms of use. The transmission of data of users who do not use WhatsApp and/or have not contacted us via WhatsApp is thus excluded.
For the purpose and scope of data collection and the further processing and use of data by WhatsApp, as well as your related rights and setting options for protecting your privacy, please refer to WhatsApp's privacy policy: https://www.whatsapp.com/legal/?eea=1#privacy-policy
We have concluded a data processing agreement with the provider, which protects the data of our site visitors and prohibits disclosure to third parties.
In the context of the aforementioned processing operations, data transfers to Meta Platforms Inc. servers in the USA may occur.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with European data protection standards on the basis of an adequacy decision by the European Commission.
5.2 When you contact us (e.g., via contact form or email), personal data is collected. Which data is collected when using a contact form can be seen from the respective contact form. This data is stored and used exclusively for the purpose of answering your request or for contacting you and the associated technical administration.
The legal basis for the processing of this data is our legitimate interest in answering your request in accordance with Art. 6 Para. 1 lit. f GDPR. If your contact aims at concluding a contract, the additional legal basis for processing is Art. 6 Para. 1 lit. b GDPR. Your data will be deleted after your request has been finally processed. This is the case when it can be inferred from the circumstances that the matter concerned has been conclusively clarified and provided that no statutory retention obligations conflict with this.
6) Data Processing for Opening a Customer Account
In accordance with Art. 6 Para. 1 lit. b GDPR, personal data will continue to be collected and processed to the extent necessary if you provide us with this information when opening a customer account. Which data is required for opening an account can be seen from the input mask of the corresponding form on our website.
Your customer account can be deleted at any time by sending a message to the above-mentioned address of the controller. After deleting your customer account, your data will be deleted, provided that all contracts concluded through it have been fully processed, no statutory retention periods conflict with this, and we no longer have a legitimate interest in further storage.
7) Use of Customer Data for Direct Marketing
Subscription to our e-mail newsletter
If you subscribe to our e-mail newsletter, we will regularly send you information about our offers. The only mandatory information for sending the newsletter is your e-mail address. The provision of further data is voluntary and will be used to address you personally. For sending the newsletter, we use the so-called double opt-in procedure. This means that we will only send you an e-mail newsletter if you have explicitly confirmed to us that you consent to receiving newsletters. We will then send you a confirmation e-mail asking you to confirm that you wish to receive the newsletter in the future by clicking on a corresponding link.
By activating the confirmation link, you give us your consent for the use of your personal data in accordance with Art. 6 Para. 1 lit. a GDPR. When subscribing to the newsletter, we store your IP address entered by the Internet Service Provider (ISP) as well as the date and time of subscription, in order to be able to trace a possible misuse of your e-mail address at a later time. The data collected by us when subscribing to the newsletter will be used exclusively for advertising purposes by means of the newsletter. You can unsubscribe from the newsletter at any time via the link provided in the newsletter or by sending a corresponding message to the controller mentioned at the beginning. After unsubscribing, your e-mail address will be immediately deleted from our newsletter distribution list, unless you have expressly consented to further use of your data or we reserve the right to further data use that is legally permitted and about which we inform you in this declaration.
8) Data Processing for Order Fulfillment
8.1 To the extent necessary for contract fulfillment for delivery and payment purposes, the personal data collected by us will be transferred to the commissioned transport company and the commissioned credit institution in accordance with Art. 6 Para. 1 lit. b GDPR.
If we owe you updates for goods with digital elements or for digital products based on a corresponding contract, we process the contact data you provided during the order to inform you personally within the framework of our legal information obligations in accordance with Art. 6 Para. 1 lit. c GDPR. Your contact data will be used strictly for the purpose of communicating updates owed by us and will only be processed by us to the extent necessary for the respective information.
To process your order, we also cooperate with the following service provider(s), who support us in whole or in part in the execution of concluded contracts. Certain personal data will be transferred to these service providers in accordance with the following information.
8.2 Transfer of personal data to shipping service providers
- DHL
As a transport service provider, we use the following provider: DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany
We transfer your email address and/or phone number in accordance with Art. 6 Para. 1 lit. a GDPR to the provider before delivery of the goods for the purpose of coordinating a delivery date or for delivery notification, provided you have given your explicit consent for this during the ordering process. Otherwise, for the purpose of delivery, we only transfer the recipient's name and delivery address to the provider in accordance with Art. 6 Para. 1 lit. b GDPR. The transfer only takes place to the extent necessary for the delivery of the goods. In this case, prior coordination of the delivery date with the provider or delivery notification is not possible.
Consent can be revoked at any time with effect for the future towards the controller mentioned above or towards the provider. - Hermes
As a transport service provider, we use the following provider: Hermes Logistik Gruppe Deutschland GmbH, Essener Straße 89, 22419 Hamburg, Germany
We transfer your email address and/or phone number in accordance with Art. 6 Para. 1 lit. a GDPR to the provider before delivery of the goods for the purpose of coordinating a delivery date or for delivery notification, provided you have given your explicit consent for this during the ordering process. Otherwise, for the purpose of delivery, we only transfer the recipient's name and delivery address to the provider in accordance with Art. 6 Para. 1 lit. b GDPR. The transfer only takes place to the extent necessary for the delivery of the goods. In this case, prior coordination of the delivery date with the provider or delivery notification is not possible.
Consent can be revoked at any time with effect for the future towards the controller mentioned above or towards the provider.
8.3 Use of Payment Service Providers - Paypal
One or more online payment methods from the following provider are available on this website: PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg
If you select a payment method from the provider where you pay in advance, your payment data communicated during the order process (including name, address, bank and payment card information, currency, and transaction number) as well as information about the content of your order will be transmitted to this provider in accordance with Art. 6 Para. 1 lit. b GDPR. The transmission of your data in this case is solely for the purpose of payment processing with the provider and only to the extent necessary for this.
If you select a payment method where we pay in advance, you will also be asked during the ordering process to provide certain personal data (first and last name, street, house number, postal code, city, date of birth, email address, phone number, possibly data for an alternative payment method).
In such cases, to safeguard our legitimate interest in determining your solvency, we forward this data to the provider in accordance with Art. 6 Para. 1 lit. f GDPR for the purpose of a credit check. The provider checks, based on the personal data you provide and other data (such as shopping cart, invoice amount, order history, payment experiences), whether the payment option you selected can be granted with regard to payment and/or default risks.
The credit report may contain probability values (so-called score values). Insofar as score values are included in the result of the credit report, they are based on a scientifically recognized mathematical-statistical procedure. Among other things, but not exclusively, address data is included in the calculation of the score values.
You can object to this processing of your data at any time by sending a message to us or to the provider. However, the provider may still be entitled to process your personal data if this is necessary for contractual payment processing.
8.4 We reserve the right to transfer your data to the collection service provider Diagonal Inkasso GmbH, 21244 Buchholz, Bremer Strasse 11, if our payment claim has not been settled despite prior reminder. In this case, the claim will be collected directly by the collection service provider.
The transfer of your data serves the fulfillment of the contract in accordance with Art. 6 Para. 1 S. 1 lit. b GDPR as well as the safeguarding of our overriding legitimate interests in an effective assertion or enforcement of our payment claim in accordance with Art. 6 Para. 1 S. 1 lit. f GDPR as part of a balancing of interests.
9) Rights of the Data Subject
9.1 The applicable data protection law grants you, in relation to the controller, the following data subject rights (rights of access and intervention) regarding the processing of your personal data, with reference to the stated legal basis for the respective exercise requirements:
- Right of access in accordance with Art. 15 GDPR;
- Right to rectification in accordance with Art. 16 GDPR;
- Right to erasure in accordance with Art. 17 GDPR;
- Right to restriction of processing in accordance with Art. 18 GDPR;
- Right to notification in accordance with Art. 19 GDPR;
- Right to data portability in accordance with Art. 20 GDPR;
- Right to withdraw given consents in accordance with Art. 7 (3) GDPR;
- Right to lodge a complaint in accordance with Art. 77 GDPR.
9.2 RIGHT TO OBJECT
IF WE PROCESS YOUR PERSONAL DATA WITHIN THE FRAMEWORK OF A BALANCING OF INTERESTS BASED ON OUR OVERRIDING LEGITIMATE INTEREST, YOU HAVE THE RIGHT TO OBJECT TO THIS PROCESSING AT ANY TIME FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION, WITH EFFECT FOR THE FUTURE.
IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL CEASE PROCESSING THE AFFECTED DATA. FURTHER PROCESSING IS RESERVED IF WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE YOUR INTERESTS, FUNDAMENTAL RIGHTS AND FREEDOMS, OR IF THE PROCESSING SERVES THE ASSERTION, EXERCISE OR DEFENCE OF LEGAL CLAIMS.
IF YOUR PERSONAL DATA IS PROCESSED BY US FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH MARKETING. YOU CAN EXERCISE THE RIGHT TO OBJECT AS DESCRIBED ABOVE.
IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL CEASE PROCESSING THE AFFECTED DATA FOR DIRECT MARKETING PURPOSES.
10) Duration of storage of personal data
The duration of storage of personal data is determined by the respective legal basis, the purpose of processing and – if applicable – additionally by the respective statutory retention period (e.g. commercial and tax law retention periods).
When personal data is processed on the basis of explicit consent in accordance with Art. 6 (1) lit. a GDPR, the data concerned will be stored until you revoke your consent.
If there are statutory retention periods for data that is processed within the framework of legal or quasi-legal obligations on the basis of Art. 6 (1) lit. b GDPR, this data will be routinely deleted after the retention periods have expired, provided that it is no longer required for contract fulfilment or contract initiation and/or we no longer have a legitimate interest in continued storage.
When personal data is processed on the basis of Art. 6 (1) lit. f GDPR, this data will be stored until you exercise your right to object in accordance with Art. 21 (1) GDPR, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims.
When personal data is processed for the purpose of direct marketing on the basis of Art. 6 (1) lit. f GDPR, this data will be stored until you exercise your right to object in accordance with Art. 21 (2) GDPR.
Unless otherwise stated in the other information in this declaration about specific processing situations, stored personal data will otherwise be deleted when it is no longer necessary for the purposes for which it was collected or otherwise processed.
Copyright notice: This privacy policy was created by the specialist lawyers of IT-Recht Kanzlei and is protected by copyright (https://www.it-recht-kanzlei.de)