Collection, Processing, and Use of your Data
Personal data, such as your first/last name, address, birthdate, telephone number, and email address, is only collected when you provide such data voluntarily while placing an order, opening a customer account or registering for our newsletter. Without your express permission, your data will only be used for the processing of your order and for distributing our catalogues/mailings. When registering for the newsletter, your email address will be used with your consent for our advertising purposes until you unsubscribe from the newsletter.
We store your data insofar as necessary for business and permissible within the framework of the Federal Data Protection Act (BDSG 2018) and the EU General Data Protection Regulation (DSGVO).
The data processing procedures in detail:
On our website, we offer you the opportunity to register by providing personal data. The data is entered in an online form and transmitted to us and stored. The following data is collected as part of the registration process:
The other personal data that are processed during the submission process serve to prevent misuse of the registration form and to ensure the security of our information technology systems.
The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected.
This is the case for the data collected during the registration process if the registration on our website is cancelled or modified.
The additional personal data collected during the sending process will be deleted at the latest after a period of 30 days.
As a user, you have the option of cancelling your registration at any time. You can have the data stored about you changed at any time.
On our website, we offer you the opportunity to order products by providing personal data. During the ordering process, data is entered into an online form and transmitted to us and stored. The following data is collected as part of the registration process:
The other personal data that are processed during the submission process serve to prevent misuse of the ordering form and to ensure the security of our information technology systems.
The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected.
After the purchase contract has been fulfilled, your data will be deleted, unless we are obliged to store the data beyond this due to commercial and/or tax law regulations.
The additional personal data collected during the sending process will be deleted at the latest after a period of 30 days.
1. Description and scope of data processing
We offer our customers various payment options for processing their order. Depending on the payment option, we redirect customers to the platform of the corresponding payment service provider. After completion of the payment process, we receive the customers' payment data from the payment service providers or our bank and process them in our systems for the purposes of invoicing and accounting.
Credit card payment
It is possible to complete the payment process by credit card. If you have chosen payment by credit card, payment data will be passed on to payment service providers for payment processing. All payment service providers comply with the specifications of the "Payment Card Industry (PCI) Data Security Standards" and have been certified by an independent PCI Qualified Security Assessor.
The following data is regularly transferred for credit card payments:
Payment data is passed on to the following payment service providers:
Other payment options
It is possible to process the payment via PayPal. For this purpose, we use the payment service provider Unzer (formerly Heidelpay). In addition to the PayPal payment method, Unzer also offers credit card payments. Unzer is Unzer GmbH, Vangerowstraße 18, 69115 Heidelberg. If you choose to pay via PayPal, the payment service provider Unzer will first automatically transfer your data that is required for the payment process to PayPal. This involves the following data:
The data transferred to Unzer and thus also to PayPal may be transferred to credit reference agencies by PayPal. This transfer is required for the identity and creditworthiness check.
2. Purpose of data processing
The transfer of payment data to payment service providers serves to process the payment, e.g. when you purchase a product.
3. Legal basis for data processing
The legal basis for data processing is Art. 6 section 1 sentence 1 lit. b of the EU GDPR, because data processing is indispensable for implementing the closed purchase contract.
4. Duration of storage
All payment data as well as data on possible chargebacks will only be stored for as long as they are needed for payment processing, possible processing of chargebacks, debt collection as well as for combating misuse. Furthermore, payment data may be stored beyond this if and as long as this is necessary to comply with statutory retention periods or to prosecute a specific case of misuse. Your personal data will be deleted after the expiry of statutory retention obligations, i.e. after 10 years at the latest.
5. Possibility of objection and removal
You can revoke your consent to the processing of your payment data at any time by notifying the responsible person or the payment service provider used. However, the payment service provider used may still be entitled to process your payment data if and as long as this is necessary for the contractual processing of payments.
Transfer of Personal Data
In order for the shipment of your order to be tracked, we use the services of PAQATO GmbH, Johann-Krane-Weg 6, 48149 Münster (“Paqato”). Paqato sends shipping notifications and status updates for the shipment in our name. In accordance with Art. 6 section 1 f) of the EU GDPR, after we ship a package we pass on customer data (mailing address, first and last name and address) and the tracking number to Paqato in accordance with our justified interest in effective and informative customer communication as well as the customer’s interest in transparent and reliable shipping processes. This data will not be passed on to third parties by Paqato and will be used exclusively for the purposes named above. Paqato’s data protection policies can be read here: https://www.paqato.com/en/datenschutzerklaerung/.
Guarantee claim / warranty claim / repair order
The legal basis for this required data transfer is based on Article 6 para. 1 lit. b DSGVO.
For the processing of returns we use "Trusted Returns", a service of Trusted Returns GmbH, Peter-Joseph-Lenné-Str. 5, D-51377 Leverkusen. By integrating the service, you have the option of initiating a returns process directly on our website (www.rosebikes.com). For this purpose, customer data (first name, surname, address, e-mail address), data about the order and return as well as about dispatch and delivery are processed via the form provided and personal data are transferred to Trusted Returns on the basis of our legitimate interest in the efficient processing of the return. Based on the entries made and using the software provided by Trusted Returns, we check the returns authorisation and work out the optimum returns solution for you.
2. Legal basis for data processing
The legal basis for this required data transfer is based on Art. 6 para. 1 lit. b GDPR and Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in effective and appropriate returns management.
3. Duration of storage
4. Possibility of objection and removal
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 para. 1 pg. 1 lit. e or f of the GDPR.
If payment is delayed, we will transfer the necessary data to a company commissioned to collect the debt, provided that all other legal requirements are met. The legal basis of this processing activity is Art. 6 para. 1 lit. b) and lit. f) GDPR. Any claim based on a contractual obligation is a legitimate interest as defined by the latter regulation. If the legal requirements are met, we will transmit information about the delay in payment or any bad debt to Axactor Germany GmbH, Am Parkplatz 20 in 69126 Heidelberg, Germany. The legal basis of this processing activity is in particular Art. 6 para. 1 lit. f) GDPR. The legitimate interest required by this results from our interest as well as the interest of third parties in reducing contractual risks for future contracts.
Your legitimate interests with regard to data protection are taken into account at all times in accordance with legal provisions. If your data is processed by our service partners who help us provide a high level of customer service and delivery, the scope of the data transmitted for this purpose shall be restricted to the necessary minimum. In case we provide your data to contractual partners or cooperation partners (direct delivery) in order to fulfil the contractual obligations with regards to order processing, prize draws or partner offers, we will inform you accordingly. Our contractual partners and cooperation partners have been carefully chosen and have committed themselves to confidentiality in accordance with the legal provisions of Art. 28 of the EU GDPR, as well as to compliance with our own data protection standards. In particular, our contractual partners and cooperation partners are not permitted to pass the data of our customers on to third parties for advertising purposes. Our contractual partners and cooperation partners may only use the data provided to fulfil their function to process your order.
Appointments: Use of eTermin
The use of eTermin serves to arrange appointments.
The following information is generally required to book an appointment via eTermin: appointment details (date and time, type of appointment), title, first name, last name, address, telephone number and e-mail address. The specific data required for your appointment may require further information not included in this list. After completing the appointment booking, you will receive a confirmation email to your email address, which you can use to change or cancel the booked appointment. The confirmation email is sent unencrypted and contains recorded appointment data to the extent set by the service provider. The appointment data can be sent in plain text or partially anonymised.
An order processing contract has been concluded with this service provider. The service provider processes the data on our behalf and is bound by instructions. The processing of the data takes place exclusively in the territory of Switzerland and/or in a member state of the European Union or in another state party to the Agreement on the European Economic Area.
The processing of the data entered by you via eTermin takes place on the basis of Art. 6 para. 1 lit. b of the EU GDPR, insofar as your request is related to the fulfilment of a contract or is necessary for the implementation of pre-contractual measures, e.g. a consultation appointment to prepare an offer or for a workshop appointment/repair order. In all other cases, the processing is based on our legitimate interest in a proper, uncomplicated and quick processing of appointments (Art. 6 para. 1 lit. f of the EU GDPR).
Further information on data processing by the service provider can be found here: https://www.etermin.net/en/online-appointment-scheduling-privacy-policy.
Fraud prevention and Abuse Detection Measures
In order to secure the ordering process against fraudulent and/or abusive behaviour, we automatically check during the ordering process whether there are any anomalies in the specific order for the contract. For this reason, the 1) data for the execution of the contract (e.g. object of purchase, name, postal address, email address, delivery address, payment method and bank information) and 2) usage data of the website visits of this online shop (e.g. details on the beginning, end and scope of the visited websites as well as click paths) together with a cookie and/or a visitor ID, each of which may contain anonymous data about the end devices used when visiting the websites (e.g. the screen resolution or the operating system version) and which has some probability of being recognised via the end devices on future visits, are processed by this ROSE BIKES online shop with the purpose of enabling your user account to be used in the future. The ROSE BIKES online shop processes this data for the purpose of managing your user account, the websites that you visit and the services that you use on the website at https://www.rosebikes.com against fraud (e.g. through the takeover of user accounts, the automated creation of fake user accounts by bots, the use of stolen identities or payment data or incorrect ratings for services), for product optimisation and further development, or against misuse (e.g. through attacks on the IT infrastructure, "man-in-the-middle" attacks, brute force attacks or the use of malware) on the basis of legitimate interest pursuant to Art. 6 Section 1 f) of the EU GDPR in conjunction with Recital 47. The ROSE BIKES online shop also transmits the previously named data to the Device Transaction Pool (DTP) and stores it there.
The purpose of the DTP is to protect the member companies participating in the DTP from abuse and from bad debts due to fraud, which can occur while providing commercial, remunerated telecommunications services or telemedia services to contract partners who are unwilling or unable to pay, especially due to fraud. In the case of a request from a member company to the DTP, only the results of the suspicion check on the request are transmitted to this member company. Positive data can also be used, meaning, for example, that an end device used to make frequent and punctual payments can be rated positively. Results data for individual member companies, beyond the specific case of a particular use, are not stored. The DTP is operated by infoscore Profile Tracking GmbH (IPT), Kaistraße 7, 40221 Düsseldorf, Germany as the data processing company of the member company. The data is automatically deleted after five months. The ROSE BIKES online shop has contracted infoscore Tracking Solutions GmbH, Kaistraße 7, 40221 Düsseldorf, Germany with conducting the fraud prevention and abuse detection measures in accordance with Art. 28 of the EU GDPR. Recipients of the data are exclusively contractual partners of the ROSE BIKES online shop. In this case, the recipients are infoscore Tracking Solutions GmbH, Kaistraße 7, 40221 Düsseldorf, Germany; infoscore Profile Tracking GmbH, Kaistraße 7, 40221 Düsseldorf, Germany; infoscore Tracking Technology GmbH, Kaistraße 7, 40221 Düsseldorf, Germany; as well as data centre service providers that are tasked with storing the data. If fraud or misuse is suspected, a ROSE BIKES employee examines the results and the evidence on which they are based. If a contract is declined, this will be communicated to you and also, if requested, the principal reasons for this decision. You then have the opportunity to make your case by contacting firstname.lastname@example.org, whereupon a ROSE BIKES employee will reexamine the decision.
You have the right at any time, within the framework of the applicable legal provisions and at no extra cost, to receive information about your stored personal data, its origin and recipient and the purpose of the data processing and, if applicable, a right to correction, blocking or deletion of this data.
You have the right to have data that is automatically processed on the basis of your consent or in performance of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done insofar as it is technically feasible.
You have the right to request the restriction of the processing of your personal data. You can contact us at any time for this purpose. The right to the restriction of processing exists in the following cases:
- If you dispute the accuracy of your personal data held by us, we will usually need time to verify this. For the duration of the review, you have the right to request the restriction of the processing of your personal data.
- If the processing of your personal data happened/is happening unlawfully, you can request the restriction of data processing instead of erasure.
- If we no longer need your personal data, but you need it to exercise, defend or enforce legal claims, you have the right to request restriction of the processing of your personal data instead of deletion.
- If you have lodged an objection pursuant to Art. 21 (1) DSGVO, then an assessment must be conducted weighing your interests versus our own. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.
- If you have restricted the processing of your personal data, those data may - apart from being stored - only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or a Member State.
If the data processing is based on Art. 6 (1) e) or f) DSGVO, you have the right to object in accordance with Art. 21 DSGVO. If you object to your data being processed, this will not take place in the future unless the controller can demonstrate compelling legitimate grounds for further processing that outweigh the data subject's interest in objecting.
If the data processing is based on consent pursuant to Art. 6 (1) a) DSGVO, you may revoke your consent at any time for future processing without affecting the lawfulness of the previous processing.
With our free newsletter you can stay up to date on our latest offers, customer events, prize draws and trade shows.
We use the ‘double opt-in’ process for newsletter subscription, which means that we will only send you a newsletter if you click the confirmation link in the confirmation email to confirm your subscription. Please note that we need your email address for subscription. You will only receive a personalised newsletter if you share your personal data when registering as a new customer. We only ask for your title and name to personally address you in the newsletter. You can unsubscribe at any time. You can find an unsubscribe link in every newsletter email. Alternatively, you can get in touch with us using the provided contact data.
By confirming your newsletter subscription, you also agree to the analysis of your newsletter usage behaviour. For the analysis of such usage data, our emails have an embedded tracking pixel to track open rates. A tracking pixel is an image file measuring one pixel by one pixel and creating a link to our website to allow us to analyse data on the usage of the newsletter. Therefore, we use the data entered for newsletter subscription as well as the tracking pixels that are assigned to your email address and linked to a unique ID. This data is combined with data about your use of our website. To make sure the newsletter is displayed correctly, we collect information about the type of device you use to open the newsletter. Based on the links you click and the open rates of the newsletter emails, we can determine which topics you are interested in. The data collected serves to create personal user profiles. In this way, we try to continuously improve our newsletter and to provide you with more individual topics about ROSE Bikes.
The information collected is stored by the newsletter provider Inxmail GmbH, Wentzingerstr. 17, 79106 Freiburg, Germany (“Inxmail”) on their server in Germany. The tracking mechanism is not supported when images are disabled in your emails by default. However, in this case, the newsletter is not displayed correctly and you may not be able to use all functions. If you manually click on ‘display images’, tracking is supported, unless you have objected to the analysis of usage data. The legal ground for processing personal data is your consent in accordance with Art. 6 Section 1 a) of the EU GDPR. You may object to the analysis of your newsletter usage data in writing at any time. Simply use the contact information provided.
For our newsletter, we use software from epoq internet services GmbH, Am Rüppurer Schloß 1, 76199 Karlsruhe, Germany (“epoq”). With the software from epoq, we are able to offer you targeted and individual product recommendations within the scope of our newsletter. The product recommendations are displayed on the basis of an analysis of previous and current click and purchase behaviour. Provided the information collected is personally identifiable, it can be processed in accordance with Art. 6 Section 1 f) of the EU GDPR based on our justified interest in displaying personalized advertising and conducting market analysis. You can object to this advertisement at any time in the newsletter by clicking on the opt-out link or by sending us a message. As a result of the opt-out, individual product recommendations will no longer be displayed.
To unsubscribe (from receiving newsletters, magazines or offer mailings) you can also contact: ROSE Bikes GmbH, 46393 Bocholt or email@example.com or call 00 800 22 77 55 55.
Thank you for your interest in our survey. As part of the survey, you have the opportunity to answer questions about our products and services. Your answers will be evaluated by us in order to optimise the quality of the services provided by Rose Bikes GmbH. We cannot guarantee complete anonymity of the survey due to the possibility of linking the individual answers with each other or, for example, with your IP address, which is processed when you call up the website with the survey. This means that a connection to your person cannot be completely ruled out. However, we would like to assure you that we do not actively make that kind of connection or plan on doing so. Your details will always be processed confidentially and in accordance with the provisions of the German Data Protection Regulation (DS-GVO/GDPR) and the German Federal Data Protection Act (BDSG). If you have any further questions about the protection of your personal data, you can contact us at any time using the contact details provided.
I. Processing of your personal data within the framework of our survey
We use Microsoft Forms to conduct the survey. Microsoft Forms is a service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA and its agent in the European Union: Microsoft Ireland Operations, Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P52 (hereinafter called Microsoft).
The survey results are evaluated on the basis of the anonymous responses. Nevertheless, we cannot rule out the possibility that the linking of the personal data listed below will enable a connection to your person:
• IP address
• Day and time you tried to reach us (optional)
• Your age
• Your personal data, which you voluntarily provide in the context of the question (optional information)
• Microsoft account details (only if you are logged in with a Microsoft account while completing the survey form. To minimise the risk of establishing a personal connection, we recommend that you log out of your Microsoft account before completing the survey questionnaire.)
We would like to ask you not to enter any personal data in the free text field of our survey. Personal data of the participants entered in the free text field will not be taken into account by us within the framework of the evaluation.
For more information on how Microsoft processes your personal data, click here:
II. Purpose and legal basis for data processing
1. Your personal data will be processed for the following purposes:
• Our entrepreneurial interest to optimise the quality of our services and products
• Our entrepreneurial interest in determining the individual needs as well as the general satisfaction of our customers with our services and products
• For market research
2. Legal basis for the data processing:
Processing on the basis of consent. Your participation in our survey is voluntary. Your data will only be evaluated if you give your express consent in advance. The legal basis in this case is Art. 6 para. 1 sentence 1 lit. a in conjunction with Art. 7 GDPR. For the possible transfer of your personal data to other Microsoft locations in third countries (including the USA), we use Art. 49 (1) lit. a GDPR.
III. Recipients of your personal data
Within our company, only those departments and employees will have access to your personal data who need it to fulfil the stated purposes.
An active transfer of your personal data to a third country or to an international organisation does not take place and is not planned. Please note, however, that Microsoft may process your personal data through the Forms application in countries outside the EU/EEA, such as the USA. In particular, this means that it cannot be ruled out that third parties (such as the responsible regulatory authorities in the USA) could have unrestricted access to your personal data. We have concluded an order processing agreement with Microsoft in accordance with Art. 28 EU GDPR and Microsoft is certified under the EU-US Data Privacy Framework. For the data processing in the USA, there is thus a cooperation agreement with the European Commission pursuant to Art. 45 EU GDPR.
IV. Duration of the storage of your personal data
We will delete your personal data as soon as the stated purposes for storing it no longer apply. This will be done at the latest with the final evaluation of the results from our survey. Furthermore, we will delete your personal data if you revoke your previously given consent.