Privacy policy

Preamble

In the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data" for short) that we process, for what purposes and to what scope. The privacy policy applies to all processing of personal data carried out by us, both as part of the provision of our services and, in particular, on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as the "online service").

As a German-based company, we are obliged to comply with the requirements of the EU GDPR. With regard to users of our online service in the United Kingdom, in particular our store at https://www.uk.plantura.garden/, we also comply with the requirements of the UK GDPR (both legal provisions in the following referred to as "GDPR").

1. General information on data processing

1.1 Controller

Responsible for the entire processing of personal data in connection with the use of our online service is

Plantura GmbH
Brienner Str. 41
80333 München
Germany
E-mail address: 

contact@plantura.garden

1.2 Data Protection Officer

We have appointed an external data protection officer through Simpliant. Simpliant also consults us in the implementation and maintenance of our data protection management system. For more information about Simpliant, please visit https://www.simpliant.eu

You can reach our appointed data protection officer at: privacy@plantura.garden

1.3 Data subject rights and supervisory authority

You may exercise the following rights:

  • Right to information about your data stored by us and its processing (Art. 15 GDPR),
  • Right to rectification of inaccurate personal data (Art. 16 GDPR),
  • Right to have your data stored by us deleted (Art. 17 GDPR),
  • Right to restriction of data processing if we are not yet allowed to delete your data due to legal obligations (Art. 18 GDPR),
  • Right to portability of data if you have consented to the data processing or have concluded a contract with us (Art. 20 GDPR),
  • Right to object to the processing of your data by us (Art. 21 GDPR),
  • If we process your data on the basis of your consent, you have the right to revoke your consent at any time with effect for the future (Art. 7 para. 3 GDPR).

To exercise your rights, you can contact us by email at privacy@plantura.garden.

For identification purposes, please provide the following information:

  • First and last name
  • E-mail address

In individual cases, further information may be required for unique identification. The processing of your request and the identification of your person is based on Art. 6 para. 1 c) GDPR.

You may at any time file a complaint with a supervisory authority, e.g. with the competent supervisory authority of the state in which you live or with the authority responsible for us.

The following link provides a list and contact information for all German data protection authorities:
https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html.

The contact information for the supervisory authority responsible for you in the United Kingdom can be found here: https://ico.org.uk/. To lodge a complaint, follow the link: https://ico.org.uk/make-a-complaint/data-protection-complaints/data-protection-complaints/.

1.4 Processing of data, legal basis

The legal basis of all our processing activities is based on Art. 6 para. 1 GDPR. You will receive further information in the context of the presentation of the individual processing activities.

1.5 Storage duration

We will take all reasonable steps to ensure that your personal data is processed only for the period required by the purpose of processing in each case. If the storage period is not specified below, your personal data will be deleted or blocked as soon as the purpose or legal basis for storage ceases to apply. Personal data will not be deleted if storage is required by law. Furthermore, we may retain your personal data until the expiry of the statutory limitation periods (usually three years; in individual cases, however, up to 10 years or longer), provided that this is necessary for the assertion, exercise or defense of legal claims.

1.6 Data security

To protect the security of your data during transmission, we use technical and organizational security measures, in particular encryption technology to prevent unauthorized access by third parties. An HTTPS or TLS encrypted connection is always used. Our security measures are continuously improved and adapted according to technological developments.

1.7 Transmission to service providers

We use service providers regarding our offers. These service providers act only according to our instructions and are contractually obligated to comply with the provisions of the GDPR. 

1.8 Data transfer to third countries

Unless otherwise stated below, your data will not be transferred outside the UK or the EU/EEA, for which there is an adequacy regulation in place. Your personal data will only be transferred to other third countries other than the EU/EEA, if the requirements of Art. 44 - 49 GDPR are met, in particular standard data protection clauses, binding corporate rules, adequacy decisions, as well as - if necessary - other required safeguards (in particular so-called transfer impact assessments).

1.9 No obligation to provide data / No profiling

There is no legal or contractual obligation to provide us with data. However, some services can only be provided if the required data is provided by you. Your personal data will not be used for automated individual decision-making including profiling.

2. Processing activities of our online services

2.1 Server logs / web hosting

Nature and purpose of data processing:

When you access our website, information of a general nature is automatically collected. This information, known as server log files, includes:

  • IP address
  • Name of the access provider
  • Browser type, browser software version and browser language
  • Operating system
  • Date and time of access
  • Access content
  • Amount of data transferred
  • Access status (successful transmission/error)
  • Web page(s) to which the access was redirected
  • Visited websites

The processing is carried out for the following purposes:

  • Ensuring a trouble-free connection
  • Ensuring smooth use
  • Assessment of system safety and stability

Legal basis:

The processing is carried out pursuant to Art. 6 para. 1 lit. f GDPR based on our legitimate interest to host the website and to improve and monitor the security, stability and functionality of the website.

Recipients:

Recipients of the data are the following IT service providers who have been engaged to operate and support our online service. As processors, these third-party providers are obliged to process the data only within the scope of our instructions.

  • Amazon Web Services (AWS): Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacity); service provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg.
  • HostEurope: services in the field of provision of information technology infrastructure and related services (e.g., storage space and/or computing capacity); service provider: Host Europe GmbH, Hansestraße 111, 51149 Cologne, Germany.
  • Cloudflare: Content delivery network (CDN) - service with the help of which content of an online offering, in particular large media files, such as graphics or program scripts can be delivered faster and more securely with the help of regionally distributed servers connected via the Internet; service provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA.

Transmission to third countries:

Under certain circumstances, data may be transferred to third countries such as the USA. The data processing agreements with the service providers contain standard data protection clauses pursuant to Art. 46 GDPR. In addition, a transfer impact assessment ensures that appropriate safeguards are in place that the data protection obligations will be met.

Retention period:

The server log files are deleted after 30 days at the latest.

2.2 Consent management

Nature and purpose of data processing:

Our website uses cookies and similar technologies for various processing activities for which your consent is required. In order to obtain and store such consent, we use a so-called "cookie banner". Users with an existing account have the option to give their consent cross-device. As part of this, a cookie - a small text file - is set on your terminal device to register your selection/consent. For this purpose, we process your IP address, among other things.

Legal basis:

The data processing is carried out according to Art. 6 para. 1 lit. f GDPR.

Recipient:

Recipient of the data is Didomi SAS, 137 Boulevard de Sébastopol, 75002 Paris, France (“Didomi”). Didomi provides a consent management tool. Change consent settings.

Further information can be found under "Cookies".

2.3 Customer account

Nature and purpose of data processing:

Customers can create an account within our online service (e.g. customer or user account, in short "customer account"). If registration of a customer account is required, customers will be informed as well as of the information required for registration. In the course of registration and subsequent logins and use of the customer account, we store the name, e-mail address and, if applicable, other contact data, as well as the IP addresses of the customers and the times of access, in order to provide evidence of registration and to prevent any misuse of the customer account.

Legal basis:

We process your data in accordance with Art. 6 para. 1 lit. b GDPR in order to be able to provide you with our customer services and in accordance with Art. 6 para. 1 lit. f GDPR due to our legitimate interest in protection against misuse and other unauthorized use.

Recipient:

Recipients of the data are the following IT service providers. As processors, these third-party providers are obliged to process the data only within the scope of our instructions.

  • Ory: Identity management platform; service provider: Ory Corp., 132-A Veterans Lane, Suite 128, Doylestown, PA 18901, USA
  • Shopify: E-commerce platform; service provider: Shopify International Limited, Victoria Buildings, 2. Etage,1-2 Haddington Road, Dublin 4, D04 XN32, Ireland

Transfer to third countries:

In the context of the use of the IT service provider, your personal data may be transferred to the USA. The respective third-party provider has committed himself to comply with appropriate safeguards pursuant to Art. 44-49 GDPR and has concluded standard data protection clauses. In addition, a transfer impact assessment ensures that appropriate safeguards are in place that the data protection obligations will be met.

Retention period:

If customers have deleted their customer accounts, the related data will also be deleted, unless their retention is required for legal reasons.

2.4 Payment

Nature and purpose of data processing:

As part of the checkout process, we offer an efficient and secure payment option. The processed data includes master data, such as the name and address, bank data, contract data and usage data.

To protect ourselves from fraudulent orders, we use a technical and manual process. For this purpose, purchasing data and ordering habits are automatically analyzed for each order and compared with previous usage and ordering habits. In addition, a comparison is also made with general data sets of orders placed with Plantura, which offer conclusions about fraudulent behavior. In some cases, the potential risk of fraud is considered to be very high, resulting in the customer's account being deactivated and the order being cancelled. This process is then carried out by manual processing.

Legal basis:

We process your data in accordance with Art. 6 para. 1 lit. b and f GDPR for the performance of the contract.

Recipients:

Recipients of the data are the following IT service providers. As processors, these third-party providers are obliged to process the data only within the scope of our instructions.

  • Amazon Payments: Payment services (technical connection of online payment methods); service provider: Amazon Payments Europe S.C.A. 38 avenue J.F. Kennedy, L-1855 Luxembourg.
  • Apple Pay: payment services (technical connection of online payment methods); service provider: Apple Inc, Infinite Loop, Cupertino, CA 95014, USA.
  • Google Pay: payment services (technical connection of online payment methods); service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
  • Klarna / Sofortüberweisung: payment services (technical connection of online payment methods); service provider: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden.
  • Mastercard: payment services (technical connection of online payment methods); service provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium.
  • PayPal: payment services (technical connection of online payment methods) (e.g. PayPal, PayPal Plus, Braintree); service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.
  • Shop Pay (Shopify): Payment services (technical connection of online payment methods); service provider: Shopify International Limited, Victoria Buildings, 2nd Floor,1-2 Haddington Road, Dublin 4, D04 XN32, Ireland.
  • Visa: payment services (technical connection of online payment methods); service provider: Visa Europe Services Inc, London Branch, 1 Sheldon Square, London W2 6TT, UK.

Transmission to third countries:

In the context of the use of the IT service provider, your personal data may be transferred to third countries such as the USA. The respective third-party provider has committed himself to comply with appropriate safeguards pursuant to Art. 44-49 GDPR and has concluded standard data protection clauses. In addition, a transfer impact assessment ensures that appropriate safeguards are in place that the data protection obligations will be met.

2.5 Contact and request management

Nature and purpose of data processing:

When you contact us for the first time (e.g. by mail, contact form, e-mail, telephone or via social media) as well as in the context of an existing user or business relationship, your data, such as name, e-mail address, telephone number as well as other data depending on your concern is processed.

Legal basis:

We process your data pursuant to Art. 6 para. 1 lit. f GDPR based on our legitimate interest in communicating effectively with you.

Recipients:

Recipients of the data are the following IT service providers. As processors, these third-party providers are obliged to process the data only within the scope of our instructions.

  • Kustomer: Kustomer is a software tool that manages customer requests; service provider: Kustomer, LLC, 1601 Willow Rd, Menlo Park, CA 94025, USA.
  • Aircall: Cloud-based telephone system; service provider: Aircall SAS, 11-15, rue Saint Georges, 75009 Paris, France.

Transmission to third countries:

Under certain circumstances, usage data, such as IP addresses, may occasionally be transferred to third countries such as the USA. The data processing agreement with the service provider contains standard data protection clauses pursuant to Art. 46 GDPR. In addition, a transfer impact assessment ensures that appropriate safeguards are in place that the data protection obligations will be met.

2.6 Contract fulfillment and management

Nature and purpose of data processing:

In the course of our business activities and for the contract management, we process your data both to fulfill our contractual obligations and to provide the best possible service. In doing so, we process master data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contact data (e.g. e-mail, telephone numbers), content data (e.g. entries in online forms), contract data (e.g. subject matter of the contract, term, customer category).

Legal basis:

We process your data in accordance with Art. 6 para. 1 lit. b GDPR for the performance of the contract or in accordance with Art. 6 para. 1 lit. c GDPR due to a legal obligation.

Recipients:

Recipients of the data are the following IT service providers. As processors, these third-party providers are obliged to process the data only within the scope of our instructions.

  • Amazon: Online marketplace for e-commerce; service provider: Amazon EU S.à r.l. (Société à responsabilité limitée), 38 avenue John F. Kennedy, L-1855 Luxembourg.
  • Odoo: Odoo is a suite of business management software tools that includes, for example, CRM, e-commerce, invoicing, accounting, manufacturing, warehousing, project management, and inventory management; service provider: Odoo S.A., Chaussée de Namur, 40, 1367 Grand Rosière, Belgium.
  • DATEV: Software for accounting, communication with tax advisors as well as authorities and with document storage; service provider: DATEV eG, Paumgartnerstr. 6 - 14, 90429 Nuremberg, Germany.
  • Shippy Pro: Using ShippyPro, deliveries are handled to ensure a better customer experience; service provider: ShippyProVia Ricasoli 950122 Firenze, Italy.
  • LogBase: Using LogBase's ShipEasy app, delivery costs are calculated based on the products included in the shopping cart and the delivery address; service provider: LogBase Technologies, LLP Old no. 30, Maniyam Velappar Street, 6th Street, Kuppakonan Pudur, Coimbatore - 641038, Tamil Nadu, India.

Another recipient of the data is a fulfillment service provider who delivers the ordered goods to our customers. 

Transmission to third countries:

In the context of the use of the IT service provider, your personal data may be transferred to third countries such as the USA. The respective third-party provider has committed himself to comply with appropriate safeguards pursuant to Art. 44-49 GDPR and has concluded standard data protection clauses. In addition, a transfer impact assessment ensures that appropriate safeguards are in place that the data protection obligations will be met.

2.7 Newsletter

Nature and purpose of data processing:

As part of our online service, we offer you the opportunity to sign up for a newsletter with regular product news and updates. For this purpose, we process your e-mail address in order to be able to contact you. If necessary, we may still ask you to provide a name or further details.

Legal basis:

We process your data in accordance with Art. 6 para. 1 lit. a GDPR based on your consent.

Recipients:

Recipients of the data are the following IT service providers. As processors, these third-party providers are obliged to process the data only within the scope of our instructions.

  • Mailchimp: email sending and email marketing platform; service provider: Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA.
  • Klaviyo: email and SMS marketing platform; service provider: Klaviyo, 225 Franklin St., Boston, Massachusetts 02110, USA

Transmission to third countries:

In the context of the use of the IT service provider, your personal data may be transferred to third countries such as the USA. The respective third-party provider has committed himself to comply with appropriate safeguards pursuant to Art. 44-49 GDPR and has concluded standard data protection clauses. In addition, a transfer impact assessment ensures that appropriate safeguards are in place that the data protection obligations will be met.

2.8 Promotional communication to existing customers

Nature and purpose of data processing:

We process personal data for the purposes of promotional communication, which may be via various channels, such as e-mail, telephone or mail. In this context, inventory data (e.g. names, addresses) as well as contact data (e.g. e-mail, telephone numbers) are processed.

Legal basis:

We process your data in accordance with Art. 6 para. 1 lit. a GDPR based on your consent. If you are an existing customer, we may also process your data pursuant to Art. 6 para. 1 lit. f GDPR based on our legitimate interest in direct marketing.

Recipients:

Recipients of the data are the following IT service providers. As processors, these third-party providers are obliged to process the data only within the scope of our instructions.

  • Mailchimp: E-mail sending and e-mail marketing platform; service provider: Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA.
  • Klaviyo: email and SMS marketing platform; service provider: Klaviyo, 225 Franklin St., Boston, Massachusetts 02110, USA.

Transfer to third countries:

In the course of using the above-mentioned IT applications, your personal data may be transferred to the USA. The respective third-party providers have committed themselves to comply with sufficient safeguards pursuant to Art. 44 et seq. GDPR, such as standard data protection clauses.

2.9 Prize draw and contests

Nature and purpose of data processing:

We process personal data such as master data (e.g. names, addresses) and content data (e.g. entries in online forms) of participants in prize draws and contests.

If participants' entries are published as part of the prize draws, names of the participants may also be published in this context. Participants may object to this at any time.

If the prize draw takes place within an online platform or a social network (e.g. Facebook or Instagram, hereinafter referred to as "online platform"), the general terms and conditions as well as privacy policies of the respective platforms shall also apply. In these cases, we are responsible for the information provided by the participants as part of the prize draws. Inquiries regarding the prize draws should be directed to us.

Legal basis:

We process your data based on your consent according to Art. 6 para. 1 lit. a GDPR.[f]

Recipient:

Recipient of the data is the following IT service provider. As a processor, the third-party provider is obliged to process the data only within the scope of our instructions.

  • Commentpicker: random generator for comments on a Facebook sweepstakes or contest; service provider: Front Web (Comment Picker, Haarlem, The Netherlands, Business registration number (KvK): 73576492).

Retention period:

Participants' data will be deleted as soon as the prize draws or contests have ended, and the data is no longer required to inform the winners or answer further questions about the prize draws. In principle, the participants' data will be deleted no later than 6 months after the end of the prize draws. Winners' data may be retained for longer in order, for example, to answer questions about the prizes or to be able to fulfill the prize services; in this case, the retention period depends on the type of prize and is up to three years for items or services, for example, in order to be able to process warranty claims.

2.10 Surveys and Interviews

Nature and purpose of data processing:

We conduct surveys and interviews in order to collect information for the respective communicated survey or interview purpose (e.g. collecting feedback via online form). The following data is processed: contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); user data (e.g. websites visited, interest in content, access times). The surveys and interviews are evaluated anonymously.

Legal basis:

We process your data in accordance with Art. 6 para. 1 lit. a GDPR based on your consent.[g]

Recipients:

Recipients of the data are the following IT service providers. As processors, these third-party providers are obliged to process the data only within the scope of our instructions.

  • Google Form: Creation and analysis of online forms, surveys, feedback forms, etc.; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
  • Hotjar Ask: software for analyzing and optimizing online offerings based on feedback functions, which may include feedback forms and surveys in particular; service provider: Hotjar Ltd., 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta.
  • Typeform: creation of forms as well as surveys and management of participant contributions; service provider: Typeform SL, Carrer Bac de Roda, 163, local, 08018 - Barcelona, Spain.

2.11 Affiliate programs and affiliate links

Nature and purpose of data processing:

In our online service, we include so-called affiliate links or other references (which may include, for example, search masks, widgets or discount codes) to the offers and services of third-party providers (collectively referred to as "affiliate links"). If users follow the affiliate links, or subsequently take advantage of the offers, we may receive a commission or other benefits from those third parties (collectively, "commission").

For the purposes of the aforementioned assignment of the affiliate links, the affiliate links may be supplemented by certain values that are a component of the link or may be stored elsewhere, e.g. in a cookie. The values may include the source website (referrer), the time, an online identifier of the operator of the website on which the affiliate link was located, an online identifier of the respective offer, the type of link used, the type of offer and an online identifier of the user.

The following data is processed in this context: contract data (e.g. subject matter of the contract, term, customer category); user data (e.g. websites visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, consent status).

Legal basis:

The processing, including the transmission of personal data to partners, is based on our legitimate interest to provide the user with an expressly requested offer pursuant to Art. 6 para. 1 lit. f GDPR.

Recipient:

The recipient of the data is the following IT service provider. As a processor, the third-party provider is obliged to process the data only within the scope of our instructions.

  • Amazon Affiliate Program: Affiliate Partner Program (Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or one of its affiliates); service provider: Amazon EU S.à r.l. (Société à responsabilité limitée), 38 avenue John F. Kennedy, L-1855 Luxembourg.

2.12 Customer reviews and rating procedures

Nature and purpose of data processing:

We participate in review and rating procedures in order to evaluate, optimize and promote our services. If users rate us via the participating rating platforms or procedures, the general terms and conditions and the privacy policies of the providers also apply. Usually the rating also requires the user to register with the respective providers.

In order to ensure that the persons who rate us actually used our services, we transmit the data required for this to the respective rating platform (including name, e-mail address and order number or item number). This data is used solely to verify the authenticity of the user.

Legal basis:

The data is processed pursuant to Art. 6 para. 1 lit. a GDPR based on your consent.

Recipients:

  • Okendo: Okendo is a software tool that sends customer reviews and rating requests and embeds them on the website by means of various integrations; service provider: Okendo Pty Ltd. (ACN 165 005 989, 333 George St, Sydney NSW 2000, Australia.

Transfer to third countries:

In the context of the use of the above-mentioned IT applications, your personal data may be transferred to a third country, such as the USA. The respective third-party provider has committed himself to comply with sufficient guarantees pursuant to Art. 44 et seq. GDPR, such as standard data protection clauses.

2.13 Website analysis

Nature and purpose of data processing:

Web analytics is used to evaluate the visitor flow related to our online service and may include behavior, interests or demographic information about visitors, such as age or gender, in the form of pseudonymous data. With the help of web analytics, we can recognize, for example, at what time our online service or its functions or content are most frequently used. Likewise, we can understand which areas need to be optimized.

In addition to web analytics, we may also use testing procedures, for example, to test and optimize different versions of our online service or its components. We also process personal data for online marketing purposes.

If not otherwise stated below, profiles (i.e. data collected for a specific user activity) can be created for these purposes and information can be stored in a browser or in a terminal and read from it. The information collected includes, in particular, websites visited and elements used there, as well as technical information such as the browser, the computer system, and the time of use. If users have agreed to the collection of their location data from us or from the providers of the services we use, location data may also be processed. We also use cross-device features for reporting, remarketing and conversion. This means that session data from our onlineservice can be linked to third-party accounts of users, provided that the users are logged into their third-party account while using our online service and have activated personalized advertising.

The IP addresses of the users are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, in the context of web analysis, A/B testing and optimization, no clear data of the users (such as e-mail addresses or names) are stored, but pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.

We analyze sources and user actions based on an extension of web addresses referring to us with an additional parameter, the UTM parameter. For example, a UTM parameter "utm_source=platformX &utm_medium=video" can tell us that a person clicked the link on platform X within a video. The UTM parameters provide information about the source of the link, the medium used (e.g. social media, website, newsletter), the type of campaign or the content of the campaign (e.g. posting, link, image and video). With the help of this information, we can, for example, check our visibility on the internet or the effectiveness of our campaigns.

Legal basis:

Data processing is carried out in accordance with Art. 6 para. 1 lit. a GDPR based on your consent.

Recipients:

Recipients of the data are the following IT service providers. As processors, these third-party providers are obliged to process the data only within the scope of our instructions.

  • Google Analytics with Google Signals feature: Google Analytics is a web analytics tool. The Google Signals feature enables cross-device tracking; service provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
  • Google Tag Manager: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
  • Fullstory: Fullstory, Inc, 818 Marietta Street, Atlanta, GA 30318, USA.
  • Supermetrics: Supermetrics Oy, Company ID: 2552282-5, Mikonkatu 700100 Helsinki, Finland.
  • RetentionX: RetentionX, Lessingstr. 11, 80336 Munich, Germany
  • Hotjar: Hotjar Ltd, 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta

2.14 Online marketing

Nature and purpose of data processing:

We use cookies and similar technologies that help us deliver more effective and personalized advertising. This allows us to target visitors to our online service for the display of advertisements (so-called "targeted advertising"). In addition, we can track the effectiveness of our online advertising by seeing whether users were redirected to our online service after clicking on such advertising (so-called "conversion tracking"). We may also use service providers to identify users who have visited our website as potential customers and recipients of online advertising (so-called "retargeting").

Legal basis:

Data processing is carried out in accordance with Art. 6 para. 1 lit. a GDPR based on your consent.

Recipients:

Recipients of the data are the following IT service providers. As processors, these third-party providers are obliged to process the data only within the scope of our instructions.

  • Google Ads and conversion measurement: Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
  • YouTube Video: Video content; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
  • Bing Ads: online marketing method for the purpose of placing content and ads within the service provider's advertising network (e.g., in search results, in videos, on web pages, etc.). service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland.
  • Amazon: Marketing of advertising media and advertising space; service provider: Amazon EU S.à r.l. (Société à responsabilité limitée), 38 avenue John F. Kennedy, L-1855 Luxembourg.
  • Facebook Ads: placement of ads within the Facebook platform and evaluation of ad results; service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
  • Instagram ads: placement of ads within the Instagram platform and evaluation of the ad results; service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
  • Outbrain: Display of personalized advertisements; service provider: Outbrain United Kingdom Limited, 175 High Holborn, London WC1V 7AA, United Kingdom.
  • Pinterest tag: Interest- and behavior-based measurement and analysis of user interaction with our online services; service provider: Pinterest Europe Limited, 2nd Floor, Palmerston House, Fenian Street, Dublin 2, Ireland.

Data transfer to third countries:

In the course of using the above-mentioned IT applications, your personal data may be transferred to third countries, such as the USA. In this regard, the respective third-party providers have committed themselves to comply with sufficient safeguards pursuant to Art. 44 et seq. GDPR, such as standard data protection clauses.

2.15 Single sign-on registration

Nature and purpose of data processing:

"Single sign-on" or "single sign-on registration or "authentication" are procedures that allow users to register with a provider of single sign-on procedures (e.g., a social network), including our online service. Single sign-on requires that users are registered with the respective single sign-on provider and enter the required data in the online form provided for this purpose.

In the course of an authentication, we receive a user ID that cannot be used by us for other purposes. Whether additional data is transmitted to us depends solely on the single sign-on procedure used, on the data that has been selected for authentication and also on the data that users have released in the privacy settings of their user account with the single sign-on provider. It can be different data depending on the single sign-on provider and the user's choice, usually it is the e-mail address and the username.

The following data can be processed: master data (e.g., names, addresses); contact data (e.g., e-mail, phone numbers); usage data (e.g., web pages visited, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, consent status); event data (Facebook; "event data" is data that is collected e.g. via Facebook Pixel (via apps or other ways) can be transmitted by us to Facebook and relate to persons or their actions; the data includes, for example, information about website visits, interactions with content, functions, installations of apps, purchases of products, etc.; the event data is processed for the purpose of forming target groups for content and advertising information.

Legal basis:

The processing is based on our legitimate interests (Art. 6 para. 1 lit. f GDPR to provide the user with an explicitly requested service and to enable easy identification of a user.

Recipients:

Recipients of the data are the following IT service providers. As processors, these third-party providers are obliged to process the data only within the scope of our instructions.

  • Apple Single-Sign-On: authentication service; service provider: Apple Inc, Infinite Loop, Cupertino, CA 95014, USA.
  • Facebook Single-Sign-On: Authentication service of the Facebook platform; service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
  • Google Single-Sign-On: Authentication service; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
  • Amazon Web Services (AWS): services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacity); service provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg.
  • Ory: Middleware for single sign-on process; service provider: Ory Corp., 132-A Veterans Lane, Suite 128, Doylestown, PA 18901, USA.

Data transfer to third countries:

In the course of using the above-mentioned IT services, your personal data may be transferred to a third country, such as the USA. In this regard, the respective third-party providers have committed themselves to comply with sufficient safeguards pursuant to Art. 44 et seq. GDPR, such as standard data protection clauses.

3. Specific information about the App

3.1 Registration, login and user account

Nature and purpose of data processing:

Users of the App can create a user account. The processed data includes in particular the login information (username, password as well as an e-mail address).

As part of the registration and login, we store the IP address, universal and unique identifier (UUID) and the time of the respective user activity.

The UUID is generated when the App is installed (but is not associated with the device, so it is not a device identifier) and is stored between the launch of the App as well as its updates and is deleted when users remove the App from their device.

Legal basis:

We process your data in accordance with Art. 6 para. 1 lit. b GDPR in order to provide you with our contractual services and also in accordance with Art. 6 para. 1 lit. f GDPR due to our legitimate interest in protection against misuse and other unauthorized use.

Recipient:

Recipient of the data is the following IT service provider. As a processor, this third-party provider is obliged to process the data only within the scope of our instructions.

  • Amazon Web Services (AWS): services in the field of providing information technology infrastructure and related services (e.g., storage and/or computing capacity); service provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg.

Retention period:

If users have deleted their user accounts, their data concerning their user accounts will be deleted, unless permitted by law.

3.2 Plant identifier

Nature and purpose of data processing:

Our App features a plant identifier function. For this purpose, pictures and/or video recordings (audio recordings are also included) of users (and of other persons captured by the recordings) are processed by accessing the camera functions or storage. Access to the camera functions or stored recordings requires an authorization by the users that can be withdrawn at any time.

Legal basis:

We process your data in accordance with Art. 6 para. 1 lit. b GDPR to provide our contractual service.

Recipient:

The recipient of the data is the following IT service provider. As a processor, the third-party provider is obliged to process the data only within the scope of our instructions.

  • Plant.id: Plant.id is a service offered by the company FlowerChecker s.r.o. This service makes it possible via the app to identify plants based on photos. Service provider: FlowerChecker, Hrnčířská 813/23, Brno 602 00, Czech Republic

3.3 Push notifications

Nature and purpose of data processing:

We may send users so-called "push notifications". These are messages that are displayed on the users’ screens, mobile devices or browsers, even if our online service is not being actively used at the time.

In order to sign up for the push notifications, users must confirm their browser or device's request to receive the push notifications. This consent is documented and stored. The storage is necessary to recognize whether users have agreed to receive the push notifications and to be able to prove the consent. For these purposes, a pseudonymous identifier of the browser (so-called "push token") or the device ID is stored.

Users can change the settings for push notifications at any time.

The following data is processed: user data (e.g. websites visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, consent status); location data (information on the geographical position of a device or a person); content data (e.g. entries in online forms).

Legal basis:

The processing of personal data is based on the consent of the user (Art. 6 para. 1 lit. a GDPR).

Recipients:

The recipient of the data is the following IT service provider. As a processor, the third-party provider is obligated to process the data only within the scope of our instructions.

  • Expo: 650 Industries, Inc. Expo, 624 University Ave, Fl 1, Palo Alto, California 94301, USA.
  • Firebase: Firebase is a development platform for mobile and web applications; service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland.

Data transfer to third countries:

In the course of using the above-mentioned IT services, your personal data may be transferred to a third country, such as the USA. In this regard, the respective third-party providers have committed themselves to comply with sufficient safeguards pursuant to Art. 44 et seq. GDPR, such as standard data protection clauses.

3.4 Product improvement, usage analysis of the App

Nature and purpose of data processing:

Our App uses technology to help us better understand how our App is used. We do this by compiling reports on activity in the App that do not identify specific individuals but use IP address and usage behavior data.

Legal basis:

We process your data pursuant to Art. 6 para. 1 lit. a GDPR based on your consent.

Recipients:

Recipient of the data is the following IT service provider. As a processor, the third-party provider is obliged to process the data only within the scope of our instructions.

    • Amplitude: Amplitude is an offering that enables data analysis of app users to be evaluated; service provider: Amplitude Inc, 501 2nd Street, Suite 100, San Francisco, CA 94107, USA.
    • Firebase: Firebase is a development platform for mobile and web applications; service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland.
    • Google Analytics: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland

      Data transfer to third countries:

      In the course of using the above-mentioned IT service, your personal data may be transferred to a third country, such as the USA. In this regard, the respective third-party provider hascommitted himself to comply with sufficient safeguards pursuant to Art. 44 et seq. GDPR, such as standard data protection clauses.

      3.5 App security and stability

      Nature and purpose of data processing:

      We process user data (IP addresses, server logs) to ensure the technical stability of our service. System stability is to be improved by monitoring and identifying code errors.

      Legal basis:

      We process your data pursuant to Art. 6 para. lit. f GDPR based on our legitimate interest to improve and monitor the security, stability and functionality of the App.

      Recipients:

      Recipient of the data is the following IT service provider. As a processor, the third-party provider is obliged to process the data only within the scope of our instructions.

        • Bugsnag: Stability and error monitoring for applications; service provider: Bugsnag, Inc, 110 Sutter St, Suite 1000, San Francisco, California 94104, USA.
        • Amplitude: Amplitude is an offering that enables data analysis of app users to be evaluated; service provider: Amplitude Inc, 501 2nd Street, Suite 100, San Francisco, CA 94107, USA.

          Data transfer to third countries:

          In the course of using the above-mentioned IT service, your personal data may be transferred to a third country, such as the USA. In this regard, the respective third-party provider has committed himself to comply with sufficient safeguards pursuant to Art. 44 et seq. GDPR, such as standard data protection clauses.

          4. Data processing on our social media accounts

          Via social media we can communicate with you and provide you with interesting information. Through your comments, shared images, messages and reactions, we may receive further data from you, which we process to communicate with you. If you use social media on multiple devices, data may be analyzed cross-devices.

          In addition, social media platform providers may also use cookies and tracking technologies to analyze and improve their services.

          Data processing is carried out with your consent or for the purpose of responding to your inquiry (Art. 6 para. 1 lit. a, b GDPR) or on the basis of legitimate interest in improving services and publicity (Art. 6 para.1 lit. f GDPR).

          We have accounts on the following social media platforms:

          • Facebook: facebook.com or mobile app of Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, see at: https://www.facebook.com/policy.php,

          When you visit our social media pages, data is processed both by us and by the respective social media provider as the responsible party.

          The respective social media provider is responsible for the data protection obligations towards you as a user, such as providing information about data processing, and is the contact for your rights. This results from the fact that such a provider has direct access to the relevant information on the social media platform and the processing of your data.

          When using Facebook, Instagram, Twitter, LinkedIn or Reddit, the data may also be processed outside the EU.

          5. Changes to our privacy policy

          We reserve the right to change this privacy policy at any time. The current version of the privacy policy applies.

          placeholderimage