Privacy policy of geobra Brandstätter Stiftung & Co.KG
We welcome you to our website and are pleased about your interest in our company. We take the protection of your
personal data very seriously. We process your data in accordance with the applicable legal provisions for the
protection of personal data, in particular the EU General Data Protection Regulation (EU-GDPR) and the
country-specific implementation laws applicable to us. With the help of this privacy policy, we would like to
inform you comprehensively about the processing of your personal data by geobra Brandstätter Stiftung & Co.KG
and of your rights.
Personal data means the information that makes it possible to identify a natural person. This includes, in
particular, your name, date of birth, address, telephone number and email address but also your IP address.
Data are anonymous if no personal reference to the user can be established.
Controller and Data Protection Officer
Mailing address in the UK
Instadecor Ltd
B2/B3 Portland Close
Houghton Regis
LU5 5AW
Contact us
www.lechuza.co.uk
Phone: 0203 929 3489
E-Mail: lechuzauk@instadecor.co.uk
Data protection officer contact: dsb@instadecor.co.uk
Your rights as the data subject
First of all, we would like to inform you about your rights as the data subject. These rights are set out in
Art. 15 - 22 EU GDPR. These include:
- The right to information (Art. 15 EU GDPR),
- The right to erasure (Art. 17 EU GDPR),
- The right to correction (Art. 16 EU GDPR),
- The right to data portability (Art. 20 EU GDPR),
- The right to restrict data processing (Art. 18 EU GDPR),
- The right to object to data processing (Art. 21 EU GDPR).
Rights of objection
Please note the following in connection with your rights of objection:
If we process your personal data for the purpose of direct advertising, you have the right to object to this
data processing at any time without giving reasons. This also applies to profiling, insofar as it is related to
direct advertising.
If you object to processing for direct advertising purposes, we will no longer process your personal data for
these purposes. The objection is free of charge and can be made informally, if possible to:
dsb@instadecor.co.uk.
In the event that we process your data to protect legitimate interests, you can object to this processing at any
time for reasons arising from your particular situation; this also applies to profiling based on these
provisions.
We will then no longer process your personal data unless we can prove compelling reasons for processing worthy
of protection that outweigh your interests, rights and freedoms or the processing serves to assert, exercise or
defend legal claims.
Purposes and legal bases of data processing
When processing your personal data, the provisions of the EU GDPR and all other applicable data protection
regulations are observed. The legal basis for data processing is derived in particular from Art. 6 EU GDPR.
We use your data for business initiation, to fulfil contractual and legal obligations, to implement the
contractual relationship, to offer products and services and to strengthen the customer relationship, which may
also include analyses for marketing purposes and direct advertising.
Your consent also constitutes a permission under data protection law. Here we inform you about the purposes of
data processing and your right of withdrawal. Should your consent also refer to the processing of special
categories of personal data, we will expressly point this out in the consent declaration.
Processing of special categories of personal data in the sense of Art. 9 para. 1 EU GDPR is only carried out if
this is necessary due to legal provisions and there is no reason to assume that your legitimate interest in
excluding processing outweighs your legitimate interest in protection.
Transfer to third parties
We will only pass on your data to third parties within the framework of the legal regulations or with the
appropriate consent. Otherwise the data will not be passed on to third parties, unless we are obliged to do so
by mandatory legal provisions (passing on to external bodies such as supervisory authorities or law enforcement
agencies).
Data recipients / categories of recipients
Within our company we make sure that your data is only disclosed to persons who
need this data to meet contractual or legal obligations.
In specific cases service-providers support our departments in the performance of
their duties. Our website is hosted by geobra Brandstätter Stiftung & Co. KG
(Brandstätterstrasse 2-10, 90513 Zirndorf, Germany, dsb@lechuza.com). During the
hosting process and for the purpose of hosting as well as during the course of order
processing and for order processing purposes, where relevant, your data may be
transferred to geobra Brandstätter Stiftung & Co. KG. The contracts required by data
protection legislation have been concluded with all service providers.
Third country transfer / Third country transfer intention
Data will only be transferred to third countries (outside the European Union or the European Economic Area) if
this is technically necessary, required for the performance of the contractual relationship, required by law or
if you have given us your consent.
Third country transfer to Salesforce
We transfer your personal data to a service provider or to group companies outside the European Economic Area:
Salesforce (United States and Asia-Pacific).
You can read Salesforce's privacy policy here https://www.salesforce.com/company/privacy/
Third country transfer to Cloudflare
To secure our website we use a service of the company Cloudflare Inc. For more information about data processing
please click here: Securing our website through Cloudflare (Art. 6 para. 1 f) EU GDPR). Cloudflare is a
certified participant of the EU-US Privacy Shield Framework. Cloudflare has committed itself to handling all
personal data contained in the Member States of the European Union (EU) in accordance with the Privacy Shield
Framework and in line with its applicable principles. For more information about the Privacy Shield Framework,
see the Privacy Shield List of the US Department of Commerce at https://www.privacyshield.gov.
Third country transfer to AWIN
Provided you give us your consent for the services of AWIN (see Marketing procedure Awin (Art. 6 para. 1 a) EU
GDPR), we will transfer your personal data to our service provider or to Group companies outside the European
Economic Area: AWIN (USA, Brazil, Australia).
When we transfer personal data to companies in our Group or to service providers in countries that have not
already been granted an adequate level of protection by an adequacy decision of the EU Commission, we have
entered into specific contracts with the standard contractual clauses of the EU Commission (the "EU Standard
Contractual Clauses") to ensure that personal data are handled by all parties in a manner that is compatible
with and respects data protection laws, in particular the Data Protection Regulation.
You can read AWIN's privacy policy here: https://www.awin.com/de/datenschutzerklarung.
Third country transfer to Google
Provided you give us your consent for the services of Google (see Conversion tracking and remarketing with
Google Ads and Google Tag Manager (Art. 6 para. 1 a) EU GDPR) we transfer data to Google. Google is a certified
member of the EU-US Privacy Shield Framework and has committed itself to handling all personal data contained in
the Member States of the European Union (EU) in accordance with the Privacy Shield Framework and in line with
its applicable principles. For more information about the Privacy Shield Framework, see the Privacy Shield List
of the US Department of Commerce at https://www.privacyshield.gov.
Third country transfer to Microsoft
Provided that you give us your consent for the services of Microsoft (see Microsoft Bing Ads (Art. 6 para. 1 a)
EU GDPR)), we transfer data to the Microsoft Corporation. Microsoft is a certified participant of the EU-US
Privacy Shield Framework. Microsoft has committed itself to handling all personal data contained in the Member
States of the European Union (EU) in accordance with the Privacy Shield Framework and in line with its
applicable principles. For more information about the Privacy Shield Framework, see the Privacy Shield List of
the US Department of Commerce at https://www.privacyshield.gov.
Data storage duration
We store your data for as long as they are needed for the respective processing purpose. Please note that
numerous retention periods require that data continue to be (must be) stored. This concerns in particular
commercial or tax retention obligations (e.g. German Commercial Code, Tax Code, etc.). Provided that there are
no further storage obligations, the data are routinely deleted after the purpose has been achieved.
In addition, we may retain data if you have given us permission to do so or if legal disputes arise and we use
evidence within the scope of legal limitation periods, which can be up to thirty years; the regular limitation
period is three years.
Secure transfer of your data
In order to protect the data stored with us against accidental or intentional manipulation, loss, destruction or
access by unauthorized persons in the best possible way, we use appropriate technical and organisational
security measures. The security levels are continuously reviewed in cooperation with security experts and
adapted to new security standards.
The data exchange from and to our website is always encrypted. We offer HTTPS as the transfer protocol for our
website, in each case using the latest encryption protocols.
In addition, we offer our users content encryption as part of the contact forms. Only we can decrypt these data.
It is also possible to use alternative means of communication (e.g. by post).
Obligation to provide the data
Various personal data are necessary for the establishment, execution and termination of the debt relationship
and the fulfilment of the contractual and legal obligations associated therewith. The same applies to the use of
our website and the various functions it provides.
We have summarised details of this for you in the above point. In certain cases data must also be collected or
made available due to legal regulations. Please note that it is not possible to process your enquiry or perform
the underlying contractual relationship without providing these data.
Categories, sources and origin of data
Which data we process is determined by the respective context: This depends on whether you place an order
online, for example, or enter an inquiry in our contact form.
Please note that we may also provide information for special processing situations separately in a suitable
place, e.g. in case of a contact request.
When you visit our website, we collect and process the following data:
We process the following data within the framework of the catalogue dispatch:
- Name of the internet service provider
- Information about the website from which you visit us
- Web browser and operating system used
- The IP address assigned by your internet service provider
- Requested files, transferred data volume, downloads/file export
- Information about the web pages that you access on our website including date and time
- We process further data via cookies and tools, see here: Visit to our website (Art. 6 para. 1 f) EU GDPR) and the following points
- Name, first name
- Address
- Email address
- Salutation
- Information about requests and interests
- Salutation
- Name, first name
- Company name
- Date of birth
- Delivery address
- Billing address
- Email address
- Phone number
- Data that may legitimately be processed from other sources
- Name, first name
- Email address
- Salutation
- Postcode
- Tracking data from newsletter evaluation
(we analyse, among other things, the click and open rate of the newsletter, as well as the purchasing behaviour of our newsletter subscribers via our service provider Econda GmbH)
- Name, first name
- Address
- Email address
- Date of birth
- Country
- Salutation
- Name, first name
- Street & house number
- Postcode
- City
- Country
- Email address
Visit to our website (Art. 6 para. 1 f) EU GDPR)
When our website is called up, the following data are automatically recorded by our web server: Name of your
internet service provider, information about the website from which you are visiting us, the web browser and
operating system used, the IP address assigned by your internet service provider, files requested, data volume
transferred, downloads/file exports and information about the websites you visit from our website, including
date and time.
This data processing is technically necessary so that the contents of our website can be delivered to your end
device. Your IP address must therefore also necessarily be collected and stored for the duration of the
respective session. The same applies to other data whose processing is necessary for the correct display of our
website. The storage of data in the so-called log files also serves to further optimise the site, to ensure its
functionality, to guarantee the security of our applications and for legal protection (e.g. recognition and
defence of attacks on our website).
The legal basis for this data processing and temporary data storage is our legitimate interest as a website
operator (Art. 6 para. 1 f) EU GDPR).
The storage period of the data is limited and deletion takes place as soon as the data no longer need to be kept
for processing purposes. In the case of the survey for the correct display of our website, this is the case
after the end of the session. When the data are stored in log files, the data are deleted or made anonymous
after 37 days.
Securing our website through Cloudflare (Art. 6 para. 1 f) EU GDPR)
On our website we use the content delivery network service of Cloudflare Inc. (101 Townsend St San Francisco, CA
94107). Technically speaking, the connection from your device to our website is routed through Cloudflare's
network. With it, Cloudflare is, for example, able to recognise attacks on our website. However, Cloudflare has
no access to the data you enter due to the TLS encryption, which is always activated on our website. When you
access our website, Cloudflare cookies are set in your web browser. Cloudflare collects statistical data about
the visit to this website. The access data include: name of the website accessed, file, date and time of the
call, amount of data transferred, notification of successful retrieval, browser type and version, the user's
operating system, referrer URL (the previously visited site), IP address and the requesting provider.
Cloudflare uses the log data for statistical evaluations for the purpose of operation, security and optimisation
of the offer (e.g. for the identification and defence of mass abusive access in the context of Denial of Service
attacks (DDoS) or for the identification of several legitimate accesses of different devices using one IP
address). Please also read Cloudflare's data protection regulations, which can be found here: https://www.cloudflare.com/de-de/privacypolicy/.
We use this service to ensure the availability of our website, to protect ourselves from
attacks and to optimise the loading times of our website.
The use of the tool is based on our legitimate interest according to Art. 6 para. 1 f) EU GDPR.
Your data will be transferred to Cloudflare for evaluation and thus to a third country. See here: Third country
transfer / Third country transfer intention. We have concluded a corresponding agreement with Cloudflare based
on the EU GDPR for order processing. Cloudflare is used by Salesforce to ensure the smooth operation of the
online shop.
Fraud detection via ARVATO's Profile Tracking Solution (Art. 6 para. 1 b) EU GDPR and Art. 6 para. 1 f) EU GDPR)
We use the Fraud Detection Tool of Arvato Financial Solutions (Arvato infoscore GmbH, Rheinstraße 99, 76532
Baden-Baden, Germany) for the ordering process of our online shop. The profile tracking solution tool uses a
JavaScript code and a tracking pixel to assign a unique device ID to your device based on the device information
it determines. The tracking tag is set when the checkout process starts, i.e. when the address data are
entered.
The following data are recorded: IP address, browser used, screen resolution, browser add-ins, operating system
used and language settings. These are converted into a hash ID. It is also possible that your end device will be
recognised with a certain probability on further visits (by comparing the generated Hash-ID). Separately, your
personal data (object of purchase, name, postal address, email address, delivery address, method of payment and
bank details, etc.) are recorded. These data form the basis for an automated analysis to identify suspicious
activities. We use this tool exclusively to protect ourselves and our customers from fraudulent activities and
fraudulent acts. We do not process these data for any other purpose. If there is a suspicion of misuse, one of
our employees checks the results of the automated evaluation and the underlying indications. If the conclusion
of a contract is refused, we will inform you of this and, on request, the main reasons for the decision. You
will then be given the opportunity to make your point of view known here dsb@instadecor.co.uk, whereupon we will
review the decision once again by a member of staff.
The use of the tool is based on our legitimate interest according to Art. 6 para. 1 f) EU GDPR and is also
required for the fulfilment of the contract in the case of payment on account.
Your device and purchase data are processed to infoscore Consumer Data GmbH, Rheinstraße 99 76532 Baden-Baden.
There is no transfer to third countries. We have concluded corresponding contract processing agreements (AVV)
with the companies involved. The data obtained via this procedure are deleted as soon as they are no longer
required for our purposes.
See also: Payment systems (Art. 6 para. 1 a), b) EU GDPR), credit assessment (Art. 6 para. 1 f) EU GDPR) and
Automated individual case decisions
Online shop functions of Salesforce (Art. 6 para. 1 b) EU GDPR)
Our website uses services from Salesforce Commerce Cloud (formerly Demandware) (salesforce.com Germany GmbH,
Erika-Mann-Str.31, 80636 Munich). This safeguards the functionality of our online shop (display of the correct
currency, shopping basket function, wish list function). For this purpose, it is necessary for cookies to be set
in your browser, which assign an individual ID to you and save corresponding actions (placing articles in the
shopping basket, placing articles on the wish list). The data are only stored in your browser. A link to your
customer data will only be made after you have logged in with your user account.
The use of this procedure is necessary to ensure the basic technical functions of the online shop and is
required for the implementation of pre-contractual measures Art. 6 para. 1 b) EU GDPR.
Data will not be transferred to third parties within the scope of providing the basic functionality of the
online shop. A third country transfer is also carried out in this respect (unlike for the performance of the
obligation, see: Third country transfer / Third country transfer intention). The data obtained via this
procedure are deleted as soon as they are no longer required for our purposes. The storage period of the cookie
for user information, shopping basket contents and e-commerce-related information is 6 months.
Marketing function Salesforce Einstein (Art. 6 para. 1 a) EU GDPR)
We use the marketing tool Salesforce-Einstein from Salesforce Commerce Cloud (formerly Demandware)
(salesforce.com Germany GmbH, Erika-Mann-Str.31, 80636 Munich, Germany) on our website. Salesforce-Einstein
collects, stores, and systematically evaluates data on the customer's purchasing behaviour. The following data,
among others, are recorded: Products viewed or added to the shopping basket and articles read; we also record
social media activities. We use this tool to offer you attractive and individual shopping experiences. This
enables us, for example, to give you personalised (product) recommendations on the basis of the information
collected and to provide you with even better advice when selecting products in our online shop.
The tool is used on the basis of your consent pursuant to Art. 6 para. 1 a) EU GDPR. You can revoke your consent
at any time by clicking here. The revocation
only applies to the device and the web browser on which it was set, please repeat the process on all devices if
necessary. If you delete the opt-out cookie, you will be asked again for your consent to the transfer of data.
Your data are transferred to Salesforce for analysis. A transfer to a third country takes place (see: Third
country transfer / Third country transfer intention). The data obtained via this procedure are deleted as soon
as they are no longer required for our purposes. In our case this is the case after 13 months.
Econda web tracking procedure (Art. 6 para. 1 a) and f) EU GDPR)
On our website we use a tracking tool by the company econda GmbH (Zimmerstr. 6, 76137 Karlsruhe). This is used
to record, store and systematically evaluate interactions of visitors to our website using cookies, tracking
pixels and JavaScript code on our website. The following data are recorded: Collection of IP address
(abbreviated), information on the end device used, pages viewed during the visit, customer master data and data
from the ordering process. These data are used to create user profiles across several websites. We use this tool
to collect information about the use of our website and to be able to use these data to analyse, optimise and
calculate recommendations on our website in line with requirements.
The tool is used on the basis of your consent pursuant to Art. 6 para. 1 a) EU GDPR. You can revoke your consent
at any time by clicking here https://www.econda.de/widerruf-zur-datenspeicherung/.
The revocation only applies to the device and the web browser on which it was set, please repeat the process on
all devices if necessary. If you delete the opt-out cookie, you will be asked again for your consent to the
transfer of data.
If you do not give your consent, we will process the session ID on the basis of our legitimate interest (Art. 6
para. 1 f) EU GDPR) in being able to operate our online shop for profit. The session ID is written to the
session storage for the duration of the session. Further personal data such as IP address or additional user
data are not collected, so no user profiles are created. Each visit to our website is recorded as a new visit.
From this information we receive marketing reports such as sales per marketing channel, assortment analyses,
purchasing process analyses.
If you object to the processing of the Session ID, please click https://www.econda.de/widerruf-zur-datenspeicherung/.
The revocation only applies to the device and the web browser on which it was set, please repeat the process on
all devices if necessary. If you delete the opt-out cookie, you will be asked again for your consent to the
transfer of data.
Your data will be transferred to Econda for evaluation. There is no transfer to third countries. The data
obtained via this procedure are deleted as soon as they are no longer required for our purposes. In our case
this is the case at the latest after 24 months.
Conversion tracking and remarketing with Google Ads and Google Tag Manager (Art. 6 para. 1 a) EU GDPR)
We use the Google Ads (formerly Google AdWords) advertising service provided by Google LLC (1600 Amphitheatre
Parkway, Mountain View, CA 94043, USA; "Google"). If you are a resident of the European Economic Area or
Switzerland, Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) is the data controller for
your data collected in these procedures. Our active types Display Network, Shopping and Search are used to
measure your interactions with ads placed on Google. For this purpose, a cookie is stored in your browser when
you click on one of our web ads placed by Google. This is used to track your further activity on the product
advertised in the ad (conversion tracking). These data allow us to measure the effectiveness of our advertising
campaigns. The following data are collected from you: a unique ID, the number/frequency of ads delivered to you
(ad impressions) and the actions/clicks you perform.
We also use the remarketing function within the Google Ads service. With the remarketing function, we can
present users of our website with ads based on their interests on other websites within the Google advertising
network (in Google search or on YouTube, so-called "Google ads" or on other websites). For this purpose, user
interaction on our website is analysed, e.g. which offers the user was interested in, in order to be able to
display targeted advertising to the users on other pages even after they have visited our website. Google does
this by storing a number in the browsers of users who visit certain Google services or web pages on the Google
Display Network. This number, known as a "cookie", is used to record the visits of these users. This number is
used to uniquely identify a web browser on a particular device and not to identify a person.
The Google Tag Manager is used to manage and control various tags. For this purpose a cookie is created in your
browser. The Tag Manager only manages other tags and does not collect any data itself.
The use of the Google tools is based on your consent in accordance with Art. 6 para. 1 a) EU GDPR. You can
revoke your consent at any time by clicking here https://adssettings.google.com. The revocation only applies to the
device and the web browser on which it was set, please repeat the process on all devices if necessary. If you
delete the opt-out cookie, you will be asked again for your consent to the transfer of data.
You can also configure your browser to prevent third-party ads, or use a corresponding plug-in for the common
web browsers, which you can download here: https://support.google.com/ads/answer/7395996. By
installing this, you can permanently disable Google's tracking.
Your data will be transferred to Google for evaluation. If you have an account with Google, Google can also
merge the data obtained from tracking. A transfer to a third country takes place, see: Third country transfer /
Third country transfer intention. We have concluded a corresponding agreement with Google on the basis of the EU
GDPR for order processing.
The data obtained via this procedure are deleted as soon as they are no longer required for our purposes. In our
case this is the case after 24 months.
You can find more information about Google and the Google privacy policy at:
https://policies.google.com/technologies/ads.
Microsoft Bing Ads (Art. 6 para. 1 a) EU GDPR)
We use Bing-Ads, an advertising service from Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399,
USA) on our website. For this purpose, three cookies are set in your browser, which are used for targeted
advertising to you and measure valid clicks on advertisements of the Microsoft network. The following data are
collected: a universal ID for event tracking, a Microsoft Bing Ads ID to measure your interactions with the ads.
We use this tool to promote our products and measure the effectiveness of our advertisements.
The tool is used on the basis of your consent pursuant to Art. 6 para. 1 a) EU GDPR. You can revoke your consent
at any time by clicking here http://choice.microsoft.com/de/opt-out. The revocation
only applies to the device and the web browser on which it was set, please repeat the process on all devices if
necessary. If you delete the opt-out cookie, you will be asked again for your consent to the transfer of data.
Your data will be transferred to Microsoft for evaluation (see Third country transfer / Third country transfer
intention). Together with Microsoft we are jointly responsible for data processing. A so-called joint control
agreement was concluded.
The data obtained via this procedure are deleted as soon as they are no longer required for our purposes. In our
case this is the case after 180 days.
Facebook custom audiences ("Visitor Action Pixels")
This website uses the so-called "Facebook pixel" of the social network Facebook, which is operated by Facebook
Inc, 1 Hacker Way, Menlo Park, CA 94025, USA, or if you are resident in the EU, Facebook Ireland Ltd, 4 Grand
Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
The data processing is based on the legal basis of your consent in accordance with Art. 6 para. 1 a) GDPR.
If necessary, Facebook Inc. will transfer personal data to the USA. However, Facebook is certified under the
Privacy Shield Agreement (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
Facebook thereby commits itself to comply with the EU's data protection standards.
On the one hand, the Facebook pixel enables Facebook to determine the visitors of our online offer as a target
group for the presentation of ads (so-called "Facebook ads"). Accordingly, we use the Facebook pixel to display
the Facebook ads placed by us only to those Facebook or Instagram users who have also shown an interest in our
online offering or who exhibit certain characteristics (e.g. interests in certain topics or products determined
on the basis of the websites visited) that we transfer to Facebook (so-called "Custom Audiences").
The Facebook pixel is integrated directly by Facebook when you call up our websites and can store a so-called
cookie on your device. If you subsequently log in to Facebook or when logged in, your visit to our online offer
will be noted in your profile. This information can be assigned to your person with the help of other
information that Facebook has stored about you, e.g. due to the ownership of an account on the social network
"Facebook".
The Facebook pixel also allows us to track the effectiveness of Facebook ads for statistical and market research
purposes by seeing whether users have been redirected to our website after clicking on a Facebook ad (so-called
"Conversion").
The information collected via the pixel or cookie can also be aggregated by Facebook and the aggregated
information can be used by Facebook for its own advertising purposes as well as for advertising purposes of
third parties. For example, Facebook can infer certain interests from your online behaviour on this website and
also use this information to advertise offers from third parties. Facebook may also combine the pixel or cookie
information with other information that Facebook has collected about you from other websites and/or in
connection with your use of the "Facebook" social network, so that a profile about you can be stored with
Facebook Ireland Limited. This profile can be used for advertising purposes.
The Facebook pixel can also be used to track your behaviour across multiple web pages after you see or click on
a Facebook ad. This process is used to evaluate the effectiveness of Facebook ads for statistical and market
research purposes and can help optimise future advertising efforts.
Furthermore, when using the Facebook pixel, we use the additional function "extended matching". Here, data for
the formation of target groups ("Custom Audiences" or "Look Alike Audiences") is transferred to Facebook in
encrypted form.
We also use the "Custom Audiences from File" procedure of the social network Facebook. In this case, the email
addresses of the newsletter recipients are uploaded to Facebook. The upload process is encrypted. The upload is
used solely to determine recipients of our Facebook ads. We do this to ensure that the ads are only displayed to
users who have an interest in our information and services.
The processing of the data by Facebook is carried out within the framework of the Facebook Data Use Policy https://www.facebook.com/policy. Specific information about the
Facebook pixel and how it works can be found here https://www.facebook.com/business/help/651294705016616.
You may opt out of the collection by the Facebook pixel and use of your information to display advertisements
here: https://www.facebook.com/settings?tab=ads
Contact form / contact by email (Art. 6 para. 1 a), b) EU GDPR)
There is a contact form on our website which can be used for electronic contact. If you write to us via the
contact form, we process the data you provide in the contact form to contact you and answer your questions and
requests.
Here the principle of data economy and data avoidance is observed, in that you only have to provide the data
that we absolutely need to contact you. These are your email address, salutation, first name, last name, subject
and the message field itself. In addition, your IP address is processed for technical reasons and for legal
protection. All other data are voluntary fields and can be entered optionally (e.g. to answer your questions
more individually).
If you contact us by email, we will process the personal data provided in the email solely for the purpose of
processing your request.
Newsletter (Art. 6 para. 1 a) EU GDPR)
You can subscribe to a free newsletter on our website. The email address you enter when registering for the
newsletter and your name will be used to send you the personalised newsletter. The postcode is used for
regionally interesting newsletters.
Here the principle of data economy and data avoidance is observed, as only the email address, name and postcode
are marked as mandatory fields. For technical reasons and for legal reasons, your IP address is also processed
when you order the newsletter.
You can of course cancel your subscription at any time using the unsubscribe option provided in the newsletter
and thus revoke your consent.
We use the so-called double opt-in procedure for sending newsletters by email. This means that you will only receive advertising by email if you have expressly confirmed that you want us to activate the newsletter service. We do this by sending you a notification email and asking you to confirm that you wish to receive our newsletter at that email address by clicking on a link contained in that email. Through integrated tracking pixels we measure the opening rate of our newsletters and your interaction with our newsletter mails (e.g. clicks). If you click on one of the links contained in the newsletters, this is also monitored by tracking mechanisms of Econda GmbH (Zimmerstr. 6, 76137 Karlsruhe). The use of this function is based on your consent according to Art. 6 para. 1 a) EU GDPR which you gave when ordering the newsletter. You can revoke your consent at any time. For this purpose you only have to unsubscribe from the newsletter reception.
Competition / advertising consent (Art. 6 para. 1 a), b) EU GDPR)
On our website you have the option to participate in our competition. If you fill out the competition form, we
process the data provided there exclusively for the purpose of carrying out the competition.
The principle of data economy and data avoidance is observed, in that you only have to provide the data that we
absolutely need to carry out the competition and notify you of winning. This is e.g. your name, email address,
title, address and country.
The mandatory fields are marked with an (*). For technical reasons and for legal reasons, your IP address is
also processed. The remaining fields are optional and can be filled in if you wish. Without the mandatory fields
we unfortunately cannot carry out the competition. Participation is then not possible.
Within the framework of the competition screen, you also have the option to give us your advertising consent. Of
course, it is also possible to participate in the lottery without giving the advertising consent.
If you give us your consent by ticking the respective checkbox, we will also process your data to provide you
with information and offers about our products / services (products and (exclusive) offers of the brand LECHUZA
of geobra Brandstätter Stiftung & Co. KG) by mail.
You can withdraw your consent at any time without giving reasons by calling 0203 929 3489, by email to
lechuzauk@instadecor.co.uk or by post to Instadecor Ltd, B2/B3 Portland Close, Houghton Regis, LU5 5AW.
Online shop (Art. 6 para. 1 b) EU GDPR)
We process the data you provide in the order form only for the purpose of implementing or processing the
contractual relationship, unless you agree to further use.
The principle of data economy and data avoidance is observed in that you only have to provide us with the data
that we absolutely need in order to execute the contract or to fulfil our contractual obligations (i.e. your
name, address, email address and the payment data required for the selected payment method) or that we are
legally obliged to collect.
In addition, your IP address is processed for technical reasons and for legal protection. Without these data, we
will unfortunately have to refuse to conclude the contract, as we will then not be able to carry it out or may
have to terminate an existing contract. Of course, you can also provide more data of your own accord if you
wish.
For further processing within the online shop see: Fraud detection via ARVATO's Profile Tracking Solution (Art.
6 para. 1 f) EU GDPR), Online shop functions of Salesforce (Art. 6 para. 1 b) EU GDPR)
Registration / Customer account (Art. 6 para. 1 a), b) EU GDPR)
On our website we offer users the option to register by providing personal data. The advantage is that you can
view your order history in particular and that the data you entered for the order form is saved. With your next
order, you do not have to enter these again.
Registration is therefore either necessary or possible for the fulfilment of a contract (via our online shop)
with you or for the implementation of pre-contractual measures, if guest access is also provided.
The principle of data economy and data avoidance is observed, as only the data required for registration are
marked with an asterisk (*) as a mandatory field. These are e.g. the email address and password including
password repetition.
For the order in our online shop, we also need information on the billing address (title, first name, last name,
address, telephone number) for delivery. If the delivery address differs from the invoice address, the
above-mentioned information for the delivery address must also be provided.
By registering on our website, the user's IP address, the date and the time of registration are also saved
(technical background data). By clicking the button "Register now", you give your consent to the processing of
your data.
Please note: The password you have assigned is stored by us in encrypted form. Employees of our company cannot
read this password. Therefore they cannot give you any information if you have forgotten your password.
In this case, use the "Forgot password" function, which will send you an automatically generated new password by
email. No employee is authorised to request your password from you by telephone or in writing. Therefore please
never give your password if you receive such requests.
With the completion of the registration process, your data is stored with us for the use of the protected
customer area. As soon as you log on to our website using your email address as your user name and password,
these data are made available on our website for actions you carry out (e.g. for orders in our online shop).
Completed orders can be tracked in the order history. You can change the billing or delivery address here.
Registered persons are free to make changes / corrections to the billing or delivery address in the order
history independently. Our customer service will also be happy to make changes / corrections if you contact
them. Of course you can also cancel or delete the registration or your customer account (under "My customer
account", "Delete customer account").
Payment systems (Art. 6 para. 1 a), b) EU GDPR), credit assessment (Art. 6 para. 1 f) EU GDPR)
In our online shop you can pay by invoice, credit card, PayPal, cash on delivery or direct debit (SEPA direct
debit). For this purpose, the respective payment-relevant data are collected in order to be able to process your
order and payment. In addition, your IP address is processed for technical reasons and for legal
protection.
The principle of data economy and data avoidance is observed by requiring you to provide us only with the data
that we absolutely need to carry out the payment processing and thus the execution of the contract or that we
are legally obliged to collect.
Without these data, we will unfortunately have to refuse to conclude the contract, as we will not be able to
carry it out.
The payment system used by us uses TLS encryption for the protected transfer of your data.
Note on payment on account: If you select the payment method "on account" by phone or in our online shop,
we will perform a credit check. For this purpose, Arvato obtains the relevant information that is necessary to
determine your creditworthiness and risk of default. The credit check is only carried out in those countries
where payment on account is possible, i.e. Germany, Austria and Switzerland.
The Arvato companies differ as follows:
- Germany: informa Solutions GmbH
- Austria: Credify Information Services GmbH
- Switzerland: Credify Information Services GmbH
Privacy policy for Arvato: We transfer your data (name, address and, if applicable, date of birth) for the purpose of credit assessment, obtaining information to assess the risk of non-payment based on mathematical-statistical methods using address data, and to verify your address (check for deliverability), to infoscore Consumer Data GmbH, Rheinstr. 99, 76532 Baden-Baden; if your order was placed from Austria or Switzerland to Credify Informationsdienstleistung GmbH. The legal basis for these transfers is Art. 6 para. 1 b) and Art. 6 para. 1 f) GDPR. Transfers on the basis of these provisions may only take place to the extent that this is necessary to safeguard the legitimate interests of our company or third parties and does not outweigh the interests of the fundamental rights and freedoms of the persons concerned, which require the protection of personal data. Detailed information on the ICD in the sense of Art. 14 European General Data Protection Regulation ("EU GDPR"), i.e. information on the business purpose, the purposes of data storage, the data recipients, the right of self-disclosure, the right to deletion or correction, etc., can be found in the Annex or under the following link (https://finance.arvato.com/icdinfoblatt).
If the conclusion of a contract is refused, we will inform you of this and, on request, the main reasons for the decision. You will then be given the opportunity to make your point of view known here dsb@instadecor.co.uk, whereupon we will review the decision once again by a member of staff.
Technical background information can be found here: Fraud detection via ARVATO's Profile Tracking Solution (Art. 6 para. 1 f) EU GDPR)
Note on credit card payment: As usual with credit card payments, the credit card details are checked and a credit assessment is carried out.
Note about PayPal: PayPal is a company which is part of PayPal (Europe) S.à r.l. et Cie, S.C.A. 22-24 Boulevard Royal, L-2449 Luxembourg. If the data subject selects "PayPal" as a payment option in our online shop during the ordering process, data of the data subject is automatically transferred to PayPal. By selecting this payment option, the data subject consents to the transfer of personal data required for the processing of payments. Personal information submitted to PayPal is typically the first name, last name, address, email address, IP address, phone number, mobile phone number, or other information necessary to process payment. For the processing of the sales contract, personal data which relate to the respective order are also necessary. Details about PayPal's privacy policy can be found at: https://www.paypal.com/de/webapps/mpp/ua/privacy-prev.
Note on direct debit procedure: As usual with direct debit, your account details (IBAN, account holder) are collected to debit the corresponding amount from your account.
Mailing of catalogues by post/email (Art. 6 para. 1 a), b) EU GDPR)
We process the data you provide in the order form only for the purpose of carrying out or processing the
dispatch of the catalogue, unless you agree to further use.
Here the principle of data economy and data avoidance is observed, in that you only have to provide us with the data that we absolutely need to carry out the order (i.e. salutation, first name, surname, shipping address, email address, telephone number).
In addition, your IP address is processed for technical reasons and for legal protection.
Advertising purposes - existing customers (Art. 6 para. 1 f) EU GDPR)
The geobra Brandstätter Stiftung & Co. KG is interested in maintaining the customer relationship with you and in
sending you information and offers about our products / services (catalogues and newsletter). Therefore we process
your data to send you corresponding information and offers by email and post.
If you do not wish this, you can at any time object to the use of your personal data for the purpose of direct
advertising; this also applies to profiling, insofar as it is related to direct advertising. If you object, we
will no longer process your data for this purpose.
The objection can be made free of charge, without any formal requirements and without giving reasons, by calling
0203 929 3489, by email to lechuzauk@instadecor.co.uk or by post to Instadecor Ltd, B2/B3 Portland Close, Houghton
Regis, LU5 5AW.
Automated case-by-case decisions
We use purely automated processing to make decisions in the following cases:
If you select the payment method "on account" by phone or in our online shop, we will perform a credit check. For this purpose, Arvato obtains the relevant information that is necessary to determine your creditworthiness and risk of default. You can find further information here: Fraud detection via ARVATO's Profile Tracking Solution (Art. 6 para. 1 f) EU GDPR) If the conclusion of a contract is refused, we will inform you of this and, on request, the main reasons for the decision. You will then be given the opportunity to make your point of view known here dsb@instadecor.co.uk, whereupon we will review the decision once again by a member of staff. You can read Arvato's privacy policy here: https://finance.arvato.com/de/datenschutz/
If you have any questions regarding this process or would like to speak to us about the results, please contact us at dsb@instadecor.co.uk.
Information about privacy in social media
The company geobra Brandstätter Stiftung & Co. KG maintains various appearances in "social media" in order to
communicate with the users registered there and to inform them about our services.
We wish to point out that you are responsible for your use of these platforms and their included features. This
applies in particular to your specific usage behaviour on these platforms. This is especially the case if you
use interactive features (e.g. commenting, sharing, rating).
With regard to the processing of your personal data, however, we have a shared responsibility with Facebook
towards all existing customers, prospective customers and users. We are aware of this responsibility and the
protection of your data is important to us. Unfortunately, we are unable to fully meet our responsibilities in
this context because Facebook does not provide us with the necessary transparency and the information required
to fulfil the above-mentioned information obligations. Nevertheless, we strive to take all necessary measures to
protect your data.
We further point out that when you use these platforms, your data may be processed outside the European Union.
As a result of being certified under the EU-US Privacy Shield, US providers guarantee that EU data protection
standards will be respected, including when data are processed in the United States.
In addition, your usage and user-related information may be processed for market-research and promotional
purposes. For example, user profiles may be generated on the basis of your usage behaviour and associated
interests. This makes it possible to activate ads both within and outside these platforms. As a general rule,
cookies are stored on your device for this purpose. Regardless of this, the usage profiles may also be used to
store data that is not collected directly from your device (especially if you are a member of the respective
platforms and are logged in to them).
In addition, as the provider of this information service, we do not collect and process data resulting from your
use of our service.
Our processing of users' personal data is based on our legitimate interest in effectively informing and
communicating with users in accordance with Art. 6 (1f) GDPR. If you are asked to consent to data processing by
the respective providers (e.g. by checking a box or clicking on a button), the legal basis for the processing is
Art. 6 (1a) and Art. 7 GDPR.
Right of objection
If you are a member of a social network and do not want the network to collect information about you via our website, or to link it to your stored membership data on the respective network, you must log out of the respective network before visiting our website, delete the existing cookies stored on your device and close and reopen your browser.
The next time you log in, however, you will be recognised by the network again as a specific user. For a detailed description of the respective processing and your right of objection (opt-out), please refer to the provider's information via the links below.
Should you wish to submit requests for information or to assert your rights as a data subject, we wish to point out that you should contact the providers directly. This is because only the providers have access to users' data and can respond directly to your requests and provide information. However, should you still need assistance, then please feel free to contact us.
- Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) – privacy policy: https://www.facebook.com/about/privacy/, opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
- Google / YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) - Privacy Policy: https://policies.google.com/privacy, opt-out: https://adssettings.google.com/authenticated, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
- Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA) – privacy policy/opt-out: http://instagram.com/about/legal/privacy/.
- Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) – privacy policy: https://twitter.com/de/privacy, opt-out: https://twitter.com/personalization, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active.
Notice regarding copyright law and artists' rights
Should you wish to publish images, texts, plans, videos, music, etc. on our website, please be aware that you
may be required to assign all associated usage rights to the network, which could ultimately have legal
consequences for you if you are not the author or rights holder.
Online offers for children
Persons under 16 years of age may not transfer any personal data to us or submit a declaration of consent
without the consent of a parent or guardian. We encourage parents and guardians to actively participate in their
children's online activities and interests.
Links to other providers
Our website also contains - clearly visible - links to the websites of other companies. As far as links to
websites of other providers are available, we have no influence on their contents. Therefore, no guarantee and
liability can be assumed for these contents. The respective provider or operator of these sites is always
responsible for the contents of these sites.
The linked pages were checked for possible legal violations and recognisable infringements at the time of
linking. Illegal contents were not recognisable at the time of linking. A permanent control of the contents of
the linked pages is not reasonable without concrete evidence of a violation of the law. If we become aware of
any infringements, such links will be removed immediately.