Data protection provisions of Chocoversum GmbH

CHOCOVERSUM GmbH would like to explain to you below which data is collected, processed and used, when and for what purpose. The aim is to explain how our services work and how the protection of your personal data is guaranteed. We only collect, process and use personal data if you have consented to this or if this is permitted by law.

These data protection provisions apply to our general website (https://www.chocoversum.de), our web store (https://shop.chocoversum.de) and our ticket store (https://chocoversum.ticketfritz.de/Home/Index) .

The processing operations described here can be saved and printed out at any time at the URL https://www.chocoversum.de/en/privacy-policy/

1. General information

1. Information on the collection of personal data

In the following, we provide information about the collection of personal data when using our website.

What is "personal data"?

Personal data is information about your person that allows conclusions to be drawn about your identity or relates directly or indirectly to your person, e.g. your name, your address or your telephone number. It does not include information that does not allow conclusions to be drawn about a specific or identifiable person.

2. The controller pursuant to Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is

The controller in accordance with the applicable data protection regulations is the:

CHOCOVERSUM GmbH
Meßberg 1, 20095 Hamburg
Phone: (040) 41 91 23 00
E-mail: service@CHOCOVERSUM.de

You can reach our data protection officer at

Lawyer Bertold Frick
Data Protection-Metropol GmbH
Cotton Exchange, Wachtstraße 17/24, 28195 Bremen
Tel.: (0421) 339 53 50
Fax: (0421) 339 53 55
E-Mail: frick@datenschutz-metropol.de

1. Legal basis of the processing

We collect and use the personal data of our users only to the extent necessary to provide a functional website and our content and services.

Insofar as we obtain the consent of the data subject for the processing of personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.

Article 6(1)(b) GDPR serves as the legal basis for the processing of personal data necessary for the performance of a contract to which the data subject is party. This also applies to processing operations that are necessary for the performance of pre-contractual measures.

Insofar as the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Article 6(1)(c) GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis.

If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Article 6(1)(f) GDPR serves as the legal basis for the processing. The legitimate interest of our company lies in the performance of our business activities.

1. Routine deletion and blocking of personal data

We process and store personal data of the data subject only for as long as is necessary to achieve the purpose of storage. Storage may also take place if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. As soon as the storage purpose no longer applies or a storage period prescribed by the aforementioned regulations expires, the personal data is routinely blocked or deleted.

5. Data security

We use technical and organizational measures to protect our website and other systems against loss, destruction, access, modification or dissemination of your data by unauthorized persons. Despite regular checks, however, complete protection against all risks is not possible. The website uses the industry standard SSL (Secure Sockets Layer) for encryption in some places. This guarantees the confidentiality of your personal data over the Internet.

1. Processing on our websites
2. Log files

Each time the website is accessed, we or the website provider collect data and information using an automated system. This data is stored in the server log files.

The following data can be collected:

• Information about the browser type and version used
• The user's operating system
• The user's Internet service provider
• The IP address of the user
• Date and time of access
• Websites from which the user's system accesses our website (referrer)
• Websites that are accessed by the user's system via our website

The processing of the data serves to deliver the contents of our website, to ensure the functionality of our information technology systems and to optimize our website. This is our legitimate interest in processing the data in accordance with Art. 6 para. 1 lit. f GDPR. The log file data is always stored separately from other personal user data. The data is deleted after 14 days.

2. Contact us

We offer a contact form on our website to answer your questions personally. You must enter your personal data and a message, which will be processed by us. The required information is marked with an asterisk. The data is processed in order to process your request and to identify serious requests. Processing is based on your consent. The legal basis is Art. 6 para. 1 lit. a GDPR.

You can revoke your consent at any time and without giving reasons. To do so, please send an email to:service@chocoversum.de . You will find further contact details in the legal notice to which you can send your revocation.

We use Friendly Captcha for our contact forms. We provide detailed information on its use in Section II. 10.

If you contact us outside of the form, we will process your e-mail address and the content of the message you send us. The processing is carried out on the basis of Art. 6 para. 1 lit. b GDPR if it is in connection with pre-contractual measures (e.g. the initiation of a service) or the fulfillment of a contract. Otherwise, the processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR and our legitimate interest in providing our interested parties with a fast communication channel and processing inquiries effectively.

1. Orders in the store incl. registration

• Your registration

If you use the option to register on our website, the data in the respective input mask will be transmitted to us. The data is stored by us exclusively for internal use. In addition to the data listed below, the user's IP address and the date and time of registration are stored during registration. This serves to prevent misuse of the services. The data will not be passed on to third parties. An exception is made if there is a legal obligation to pass on the data. Registered persons have the option of having the stored data deleted or amended at any time. The data subject can obtain information about the personal data stored about them at any time. Registration is based on our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR and for the processing of orders and fulfilment of contracts in accordance with Art. 6 para. 1 lit. b GDPR. With the option to register, we can offer our visitors the convenience of logging in again regularly and storing the data permanently

• What data do we collect and for what purpose?

As part of the registration process, we require an e-mail address and a password from you. The data you provide will be stored by us and used exclusively to provide the services you have requested and thus to fulfill our contracts with you, in particular the sale via our online store. The legal basis for the processing is Art. 6 para. 1 lit. b GDPR for the purpose of fulfilling and processing contracts.

For the operation of our ticket store, we use an external service provider who provides and hosts the ticket page (Beckerbillett GmbH, Fangdieckstr. 61, 22547 Hamburg, Germany). To process and manage orders and payments from our customers, we use an ERP and warehouse management system, which we use for our general store and the ticket store (Xentral ERP Software GmbH, Fuggerstr. 11, 86150 Augsburg, Germany). We have concluded an order processing agreement with each of the service providers, under which the service providers have undertaken to process our customers' personal data securely and in compliance with data protection regulations.

• Bank and credit card details

For certain fee-based offers, we also require bank or credit card details to process the contract.

If you select the "credit card" payment method, we also require your credit card details. However, this credit card data is not collected by us, but directly and exclusively via the payment service providers commissioned by us and specialized in the online area. In this way you can shop securely

Payment methods

In addition to credit card payment, we enable you to use various payment services to process your orders. In this case, the selected payment method provider is used as an intermediary and your personal data is transmitted to them for payment processing and identity verification. The data processing is carried out for contractual purposes (for the provision of services and for processing the payment) on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR. The data will be deleted after expiry of the retention obligations under commercial and tax law, which are generally ten (10) years.

We provide the following payment services in our stores:

• Google Pay: Google Payment Ireland Limited, 70 Sir John Rogerson'S Quay Dublin 2, D02R296 Ireland, Ireland (data protection: )google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=de
• Apple Pay: Apple Distribution International Ltd, Hollyhill Ln, Hollyhill Industrial Estate, Cork, T23 YK84, Ireland, Ireland (data protection: https://www.apple.com/legal/privacy/data/de/apple-pay/)
• PayPal: PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg (data protection: https://www.paypal.com/de/webapps/mpp/ua/privacy-full)
• Klarna: Klarna Bank AB (publ), Chausseestrasse 117, 10115 Berlin, Germany (data protection: https://www.klarna.com/de/datenschutz/)

• Can I shop in the online store without registering?

Shopping in our online store is also possible without registration. The data collected by us to process the purchase is recorded and stored in the store system in order to fulfill our contract with you.

1. Newsletter

On our website you have the option of subscribing to our newsletter. We need your name and e-mail address in order to send you the newsletter.

The legal basis for this is your consent (Art. 6 para. 1 lit. a GDPR). When registering for the newsletter, you consent to us sending a newsletter to your email address. When registering, you agree to the following consent text:

"I hereby consent to [name] sending e-mails to the e-mail address I have provided for the purpose of [...]. I have the right to revoke this consent at any time with effect for the future. I have taken note of the privacy policy with further information on data processing."

You can revoke this consent at any time for the future by unsubscribing from the newsletter. To do this, you will find a link at the end of every newsletter you receive, which you can use to unsubscribe from the newsletter. Your entry will then be deleted automatically.

Registration for our newsletter takes place in a so-called double opt-in procedure. This means that after registering, you will receive an e-mail asking you to confirm your registration. The time of registration and confirmation as well as the IP address are stored as proof of registration for the newsletter.

The statistical collection, analysis and logging of the registration process is carried out on the basis of legitimate interest (Art. 6 para. 1 lit. f GDPR). The legitimate interest here is the proper and technically flawless execution of the e-mail dispatch.

We only store your e-mail address, which you provided when you subscribed to the newsletter, for as long as you are subscribed to the newsletter. As soon as you unsubscribe from the newsletter, we will delete your e-mail address.

We use the Brevo CRM system for newsletter management and the systematic processing of newsletters. Your data is transmitted to the provider of the tool, Sendinblue SAS (106 Boulevard Haussmann, 75008 Paris, France). We use the tool to design the newsletter and manage subscribers. We have also concluded a corresponding data processing agreement with Sendinblue to ensure that your personal data is processed in accordance with the requirements of the GDPR.  Sendinblue is prohibited from selling your data and using it for purposes other than sending newsletters

We will not pass on the e-mail address you provide to us to third parties.

1. After sales e-mail marketing

In addition to sending newsletters, we also process your personal data to send you product-related emails if you have made a purchase in our store.

As a rule, we process your first name and date of birth in addition to your e-mail address for after-sales e-mail marketing. We process this data for sending emails following your order in our store. We have a legitimate interest in promoting our products and services to our customers, informing them about them and maintaining the customer relationship. The legal basis for processing is Art. 6 para. 1 lit. f GDPR. We send such emails until you object to the sending of advertising. You have the right to object to processing for marketing purposes at any time (Art. 21 para. 2 GDPR). At the end of each email, you will receive a corresponding option to object to the sending of further emails by clicking on a link.

6. Waiting list

If you register for a waiting list in the "Events" section, the data you provide will be collected, stored, processed and used. The legal basis for this is your consent (Art. 6 para. 1 lit. a GDPR). By registering for a waiting list, you consent to us sending an email to your email address with information about your waiting list topic.

As soon as the next information on your waiting list topic is available, you will receive an e-mail to the address you have provided. Your data will then be deleted.

You can revoke your consent to the storage of the data, the e-mail address and its use for sending the waiting list notification at any time by sending an e-mail toservice@chocoversum.de .

7. Offer forms - school classes and companies

On our website, we offer you the option of registering school classes or companies using the online form and requesting a corresponding offer. When using these forms, you enter your name, e-mail address and telephone number or, in the case of school classes, the telephone number of an accompanying adult. This data is processed on the basis of Art. 6 para. 1 lit. b GDPR for pre-contractual measures or to fulfill a contract and Art. 6 para. 1 lit. f GDPR and serves our legitimate interests in providing you with a further opportunity to make specific contact and to obtain a contact person before submitting an offer. This data is only stored to the extent that it is necessary for the preparation of the offer and the execution of the booked event.

8. Welcoming guests in our foyer

We process personal data to welcome individual guests if there are special occasions or if this is requested by guests. The name and information relating to the occasion (such as the guest's birthday and age) are displayed on a screen in the foyer.

The processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR to protect our legitimate interests and the interests of the data subject. The controller would like to offer its guests a special experience and enable a pleasant stay. This also includes a personal approach to emphasize the special nature of the visit and to welcome the respective guest in a highlighted manner. This ensures our interest in providing service-oriented, customer-oriented services.

As a rule, only the employees of those responsible and the guests of the respective group have the opportunity to view the display in the foyer. Access by unauthorized third parties is generally excluded. The personal data for welcoming the guest will be deleted after the event has taken place.

9. Chatbot (moin.ai)

For service inquiries, we offer you the option of obtaining information on our website using a chat bot, having self-care solutions communicated to you and establishing contact with our messenger service.

When communicating with our chat bot, your data is transmitted to the service provider. Our technical service provider for the chat bot service is knowhere GmbH, Steinhöft 9, 20459 Hamburg. We have concluded an order processing agreement with the provider. You can find information on data protection at https://www.moin.ai/chatbots-dsgvo

No further information is required from you to use the chat bot. Log files and chat histories are stored for 30 days to optimize the chat bot's artificial intelligence.

In particular, we would like to point out that you do not have to provide any personal data. Further information can be found in our terms of use for Messenger and the chat bot.

Contract-related service requests are an exception. If you would like to make use of this service, you can provide our customer service with an e-mail address

Data processing is carried out on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in the optimization of our chat bot and the efficient, technically supported answering of your inquiries.

If you provide us with personal data in the chat process contrary to the above, the processing is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time and without giving reasons by sending an email to .service@chocoversum.de

When you use the chat bot for the first time, a so-called local storage key is stored on your end device, which recognizes the user and the user dialogue, e.g. in order not to lose the context of conversations. The local storage key is stored and read on the basis of Section 25 (2) No. 2 TDDDG. It is technically necessary in order to enable the use of the chat bot you have requested. The storage takes place during the interaction with the chat bot.

10. Friendly Captcha

Our contact forms use the Friendly Captcha service, which is developed and offered by Friendly Captcha GmbH (Am Anger 3-5, 82237 Woerthsee, Germany).

When using Friendly Captcha, we process technical connection data and thus your IP address, information about your browser and operating system, the referrer URL and a count of attempts to solve cryptographic verification mechanisms. This data is sent to servers of Friendly Captcha GmbH, which are used to solve the cryptographic tasks and are hosted in the EU. We have concluded an order processing contract with the provider.

The processing is carried out to safeguard our legitimate interest in identifying non-human input and protecting our website from abusive usage scenarios or attacks. The legal basis for processing is. Art. 6 para. 1 lit. f GDPR.

11. Mintano One photo box

In our foyer, you can use a photo box from Mintano (MINTANO UG (haftungsbeschränkt), Erkrather Str. 401, 40231 Düsseldorf) to take photos of yourself and have them sent to you.

To use the photo box, you must enter your name and e-mail address in order to receive the photo by e-mail. The processing and sending of the photo is carried out by Mintano. We have concluded an order processing contract with Mintano, , to ensure that your personal data is processed securely and in compliance with the law.

We store your personal data in our CRM system. We process the data in order to send you advertising by e-mail in addition to sending you the photo. Your data will be transmitted to our Brevo CRM system (see above) for the implementation of the double check-in procedure as part of the e-mail delivery. If you agree to receive the newsletter via the double check-in procedure, we will process your data for advertising purposes based on this consent (see above).

By using the photo box, you consent to your personal data being processed for the purpose of sending you the photo and inviting you to the newsletter. The processing is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR.  You can revoke your consent at any time and without giving reasons. To do so, please send an email to: .service@chocoversum.de

1. Jobs

We post job vacancies on our website for which you can apply. To apply, please send us your documents by e-mail.

In addition to the application documents (cover letter, CV, references) and the information contained therein, we process your e-mail address and the data you disclose in the e-mail.

If you send us an application, we process the data for pre-contractual purposes or to establish an employment relationship in accordance with Art. 6 para. 1 lit. b GDPR. The provision of special categories of personal data is not required and we ask you to refrain from providing this data. If you nevertheless provide us with special categories of personal data, the processing will be based on your consent in accordance with Art. 9 para. 2 lit. a GDPR.

Personal data is processed and stored for the application process and the potential establishment of an employment relationship. The data will only be forwarded to the internal departments and persons involved in the recruitment process. If your application is unsuccessful, it will be deleted after 6 months following the end of the selection process. If you are hired, your data will be processed further for the purpose of implementing the employment relationship.

• Cookies and services

Cookies are used on our website. Cookies are small text files that are stored in the cache of your Internet browser for the duration of your browser session (so-called session cookies) or for a certain period of time (so-called permanent cookies) on your hard disk. Cookies make it possible to recognize your Internet browser so that you can be provided with content tailored to your needs and wishes more quickly and in a more targeted manner on future visits to our website. We therefore use technically necessary cookies in order to be able to offer our legitimate interest in providing a website tailored to the wishes of visitors. The use of technically necessary cookies is based on Section 25 (2) No. 2 TDDDG.

If we wish to use marketing, tracking or analysis cookies in addition to the technically necessary cookies, your prior express consent is required. We ask for this via the cookie banner that appears on our website at the start of use, which informs you about our cookie policy and where you have the option of refusing or granting your consent for all or certain types of cookies.

If you give us your consent, the legal basis for the storage and reading of cookies is § 25 para. 1 TDDDG, Art. 6 para. 1 lit. a GDPR. You can change your cookie settings or revoke your consent via the data protection or cookie settings at the bottom of each website.

Below we provide you with general information about the cookies used on our websites. You can find out which specific cookies are used on a website in the consent management tool that is displayed when you access one of our websites for the first time.

1. Google Analytics 4

This website uses Google Universal Analytics, a web analytics service provided by Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter "Google"). Google Analytics also uses cookies.

Google Analytics places a cookie on the user's device. Google Analytics enables the website operator to analyze the behavior of website visitors. In doing so, the website operator receives various usage data, such as page views, length of visit, operating systems used and origin of the user. This data may be summarized by Google in a profile that is assigned to the respective user or their end device.

Your express consent is required for the use of Google Analytics. At the beginning of the usage process, you have the option of refusing or granting your consent via the cookie banner and informing yourself about our company's data protection rules.

If you give us your consent, the legal basis for the processing of personal data in connection with Google Analytics is Art. 6 para. 1 lit. a GDPR. The cookies are also stored and read on the basis of your consent in accordance with Section 25 (1) TDDDG.

You can withdraw your consent at any time and without giving reasons. You can withdraw your consent at any time by opening the cookie box and moving the corresponding slider to "Off".

The information generated by the cookie about your use of the website will generally be transmitted to and stored by Google on servers in the United States. We use IP anonymization on our website, which means that your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. There is currently an adequacy decision by the European Commission for the transfer of data to companies in the USA, provided that US companies are certified under the Data Privacy Framework Program. Google Inc. is certified under the EU-US Data Privacy Framework. Through this certification, the company has undertaken to comply with higher data protection standards than are customary in the United States and which should come close to those of the European Union. However, there is still a risk that your right to the protection of personal data in the USA will not be effectively protected. The transfer of your personal data to the USA is based on the adequacy decision pursuant to Art. 45 para. 1 GDPR.

2. Google Tag Manager

Our website uses Google Tag Manager. Google Tag Manager is a solution that allows marketers to manage website tags via an interface. The operator is Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001.

The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager. The Tag Manager is used to load other services on our website in a centralized manner. The Tag Manager establishes a connection to the Google servers in the USA and sends your IP address to Google. The data transfer of the IP is technically necessary.

The legal basis for the processing of your personal data in connection with the Google Tag Manager is Art. 6 para. 1 lit. a GDPR. The cookie is also stored and read on the basis of your consent in accordance with Section 25 (1) TDDDG.

You can withdraw your consent at any time and without giving reasons. You can withdraw your consent at any time by opening the cookie box and moving the corresponding slider to "Off".

The information generated by the cookie about your use of the website will generally be transmitted to and stored by Google on servers in the United States. We use IP anonymization on our website, which means that your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. There is currently an adequacy decision by the European Commission for the transfer of data to companies in the USA, provided that US companies are certified under the Data Privacy Framework Program. Google Inc. is certified under the EU-US Data Privacy Framework. Through this certification, the company has undertaken to comply with higher data protection standards than are customary in the United States and which are intended to come close to those of the European Union. However, there is still a risk that your right to the protection of personal data in the USA will not be effectively protected. The transfer of your personal data to the USA is based on the adequacy decision pursuant to Art. 45 para. 1 GDPR.

3. Gravatar

The Gravatar service is used on our website. The provider is. Aut O'Mattic A8C Ireland Ltd, Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland B ("Automattic"). Cookies are also set here.

The service enables our Internet users to leave comments on our website and use avatars. To do this, users must register with Gravatar and enter profile pictures and their e-mail address. If you are registered with Gravatar and have stored your e-mail address and a profile picture there and log in with this e-mail address, your profile picture will be displayed on our website. The email address you entered when you registered will be sent to Automattic for comparison. Due to the integration of the images stored with Gravatar on our website, Gravatar also takes note of the IP address of registered users of our website.

Your express consent is required for the use of cookies. At the beginning of the usage process, you have the option of refusing or granting your consent via the cookie banner and informing yourself about our company's data protection rules. Cookies are stored on the basis of Section 25 (1) TDDDG and therefore on the basis of your consent. The further processing of your personal data is also based on your consent. If you give us your consent, the legal basis is therefore Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time by opening the cookie settings and moving the corresponding slider to "Off".

4. Azure Application Insights

We use the Microsoft Azure Application Insights service to analyze and improve our ticket store. The provider is Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Carmanhall And Leopardstown, Dublin, D18 P521, Ireland.

Azure Application Insights processes so-called telemetry data resulting from the use of the website. This service enables us to design and optimize our ticket store in line with requirements in order to make ordering as simple and efficient as possible. As a rule, the data collected for analysis purposes is the IP address, the number of page views, operating system, browser and version, screen resolution, approximate location of the user. The IP address collected is usually anonymized after the telemetry data has been evaluated. A cookie with a unique identifier is also used for analysis in order to recognize users on repeated visits over time.

The legal basis for the processing of your personal data in connection with the Google Tag Manager is Art. 6 para. 1 lit. a GDPR. The cookie is also stored and read on the basis of your consent in accordance with Section 25 (1) TDDDG.

You can withdraw your consent at any time and without giving reasons. You can withdraw your consent at any time by opening the cookie box and moving the corresponding slider to "Off".

The information generated by the cookie can be transferred to a Microsoft server in the USA and stored there. There is currently an adequacy decision by the European Commission for the transfer of data to companies in the USA, provided that US companies are certified under the Data Privacy Framework Program. Microsoft Inc. is certified under the EU-US Data Privacy Framework. Through this certification, the company has undertaken to comply with higher data protection standards than are customary in the United States and which are intended to come close to those of the European Union. However, there is still a risk that your right to the protection of personal data in the USA will not be effectively protected. The transfer of your personal data to the USA is based on the adequacy decision pursuant to Art. 45 para. 1 GDPR.

5. Pinterest Tag

We use the Pinterest Tag service in our general store, which analyzes the user behavior of website visitors for the purpose of market research and helps us to optimize our store and promote it on Pinterest. The provider is Pinterest Europe Ltd, 60 Dawson St, Dublin, D02 K330, Ireland.

Pinterest Tag analyzes your usage behavior on our website. In addition, Pinterest Tag collects technical data of the end device used, such as device information, the operating system used and the IP address. Cookies are used to analyze the data. When you visit the Pinterest network, you may also be shown advertisements placed by us if you have shown an interest in our offers. We also collect information if you have been directed to our site by a Pinterest ad.

Your express consent is required for the use of tracking and marketing cookies. At the beginning of the usage process, you have the option of refusing or granting your consent via the cookie banner and informing yourself about our company's data protection rules. Cookies are stored on the basis of Section 25 (1) TDDDG and therefore on the basis of your consent. The further processing of your personal data is also based on your consent. If you give us your consent, the legal basis is therefore Art. 6 para. 1 lit. a GDPR.

The information generated by the cookie can be transferred to a Pinterest server in the USA and stored there. There is currently an adequacy decision by the European Commission for the transfer of data to companies in the USA, provided that US companies are certified under the Data Privacy Framework Program. Pinterest is not certified under the EU-US Data Privacy Framework. Your consent is required for the transfer of data to non-certified companies in the USA. There remains a risk that your right to the protection of personal data in the USA will not be effectively protected. If you give us your consent, the transfer will take place on the basis of Art. 49 para. 1 lit. a GDPR.

You can withdraw your consent at any time and without giving reasons. You can withdraw your consent at any time by opening the cookie box and moving the corresponding slider to "Off".

6. Squarelovin

We use the "Squarelovin" tool to integrate images and videos from social networks on our website or on our Instagram channel. The tool is developed and offered by Anchor Media GmbH, Budapester Str. 47, 20359 Hamburg, Germany. We have concluded an order processing agreement with the provider.

With Squarelovin, we can have the content of Instagram posts (so-called user-generated content [UGC]) published directly on our Instagram channel @chocoversum. The integration takes place via the provider of Squarelovin and its server. We integrate images and videos that link to Chocoversum (e.g. via #chocoversum). In addition to this content, we also process your profile name.

Your consent is required for the integration of your UGC and the publication of the post on our website or our Instagram profile. In the case of UGC that is of interest to us, we ask for your consent to publish your post on our sites in a comment under your post. Without your prior consent, Squarelovin will not be used and there will be no publication. You can give your consent with #yeschocoversum in response to our comment. You can revoke your consent at any time and without giving reasons.  To do so, send an email to: .service@chocoversum.de

7. Hotjar

The CHOCOVERSUM Shop uses Hotjar, a web analysis software from Hotjar Ltd, Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta (hereinafter: Hotjar), to analyze data about visitor traffic on the website.

By learning how much time visitors spend on which pages, which links they click on, etc., we can better understand the needs and experiences of our visitors. This allows us to build and maintain our services with visitor feedback.

Hotjar uses cookies and other technologies to collect data about the behavior of our visitors and their devices. This includes a device's IP address (which is processed during your session and stored in anonymized form), device screen size, device type (unique device identifiers), browser information, geographic location (country only) and the preferred language in which our website is displayed. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually prohibited from selling the data collected on our behalf.

Cookies are stored on the basis of Section 25 (1) TDDDG and therefore on the basis of your consent. The further processing of your personal data is also based on your consent. If you give us your consent, the legal basis is therefore Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time by opening the cookie settings and moving the corresponding slider to "Off".

Hotjar's privacy policy can be found at https://www.hotjar.com/legal/policies/privacy.

8. Facebook Remarketing

The remarketing function "Custom Audiences" of Meta Platforms Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook") is used on our website. This enables us to present interest-based advertisements ("Facebook ads") to visitors to our website when they visit the Facebook social network.

The Facebook remarketing tag (cookie) implemented on our website establishes a direct connection to the Facebook servers when you visit the website and transmits to the Facebook server that you have visited this website. Facebook assigns this information to your personal Facebook user account. For more information on the collection and use of data by Facebook and your rights and options for protecting your privacy in this regard, please refer to Facebook's privacy policy at https://www.facebook.com/about/privacy/.

Your express consent is required for the use of tracking and marketing cookies. At the beginning of the usage process, you have the option of refusing or granting your consent via the cookie banner and informing yourself about our company's data protection rules.

If you give us your consent, the legal basis for the processing of personal data in connection with Facebook Remarketing is Art. 6 para. 1 lit. a GDPR. The cookie is also stored and read on the basis of your consent in accordance with Section 25 (1) TDDDG.

You can withdraw your consent at any time and without giving reasons. You can withdraw your consent at any time by opening the cookie box and moving the corresponding slider to "Off".

You can also object to the use of cookies at any time and deactivate the remarketing function "Custom Audiences". You can also make your own settings on Facebook at the following link: https://www.facebook.com/settings/?tab=ads#_=_. You must be logged in to Facebook to do this.

9. Facebook "visitor action pixel"

Within our online offer, the so-called "visitor action pixel" of Meta Platforms Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, is used for the purposes of analysis, optimization and economic operation of our online offer (hereinafter "Meta"). This allows the behavior of users to be tracked after they have been redirected to the provider's website by clicking on a Facebook ad. This process is used to evaluate the effectiveness of Facebook ads for statistical and market research purposes and can help to optimize future advertising measures.

The data collected is anonymous to us, so it does not allow us to draw any conclusions about the identity of the user. However, the data is stored and processed by Meta so that a connection to the respective user profile is possible and Meta can use the data for its own advertising purposes, in accordance with the Facebook Data Usage Policy (https://www.facebook.com/about/privacy/). This only applies to users who have a Facebook account and are logged into the Facebook member area. Users who are not members of Facebook are not affected by this data processing.

Your express consent is required for the use of tracking and marketing cookies. At the beginning of the usage process, you have the option of refusing or granting your consent via the cookie banner and informing yourself about our company's data protection rules.

If you give us your consent, the legal basis for the processing of personal data in connection with Facebook Pixel is Art. 6 para. 1 lit. a GDPR. The cookie is also stored and read on the basis of your consent in accordance with Section 25 (1) TDDDG.

You can revoke your consent at any time and without giving reasons. You can withdraw your consent at any time by opening the cookie box and moving the corresponding slider to "Off".

You can also object to the use of cookies at any time and deactivate the function. You can also make your own settings on Facebook under the following link: https://www.facebook.com/settings/?tab=ads#. You must be logged in to Facebook to do this.

10. Google Maps

Google Maps is used on our websites to make it easier for you to find us by means of visual map integration.

Google Maps is offered and operated by Google LLC, based in the United States (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter "Google"). When the map service is activated and used, cookies are set, data on the use of the Maps functions, location data and other personal data (metadata) are transmitted in part to Google servers in the USA and processed there, primarily for advertising and market research purposes. As a result, Google also creates user profiles, regardless of whether you are logged in to Google or not. Further information on processing by Google Inc. and in particular the purposes of processing and your rights as a data subject can be found at https://policies.google.com/technologies/partner-sites?hl=de).

The activation and use of Google Maps and the subsequent storage of cookies or processing of personal data takes place solely on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR.  As long as you do not give your consent, the map area will remain grayed out; no processing will then take place.

You can withdraw your consent at any time and without giving reasons. You can withdraw your consent at any time by opening the cookie box and moving the corresponding slider to "Off".

There is currently an adequacy decision by the European Commission for the transfer of data to companies in the USA, provided that US companies are certified under the Data Privacy Framework Program. Google Inc. is certified under the EU-US Data Privacy Framework. Through this certification, the company has undertaken to comply with higher data protection standards than are customary in the United States and which are intended to come close to those of the European Union. However, there is still a risk that your right to the protection of personal data in the USA will not be effectively protected. The transfer of your personal data to the USA is based on the adequacy decision pursuant to Art. 45 para. 1 GDPR.

Google Maps and Chocoversum GmbH are jointly responsible for the collection and transmission of personal data to Google. The agreement on joint responsibility can be viewed here https://privacy.google.com/intl/de/businesses/mapscontrollerterms/.

It is also possible to deactivate the "Google Maps" service across the board and thus prevent the transfer of data to Google. To do this, you must deactivate the Java Script function in your browser. However, we would like to point out that in this case you will not be able to use "Google Maps" or only to a limited extent.

Further detailed information on Google Maps can be found on the provider's website: https:

11. Integration and linking of videos via YouTube

We use the social network YouTube, provider Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Ireland, to embed and link videos.

We embed our videos in the so-called "extended data protection mode" in order to provide you with a privacy-friendly view. However, like most online presences, YouTube also uses cookies to collect information about visitors to its online presence. YouTube uses these to collect video statistics, prevent fraud and improve user-friendliness, among other things. This also leads to a connection being established with the Google DoubleClick network. Therefore, if you play videos on our website, this could trigger further data processing operations. Unfortunately, we have no influence over this.

If you do not want YouTube to be able to associate your visit to our online presence with your YouTube user account when you play a video, please log out of your YouTube user account before clicking on the "Play" button.

Links to the social network YouTube are also integrated into our online presence. You can recognize the YouTube links by the YouTube logo on our online presence. If you click on one of the YouTube "buttons" while you are logged into your YouTube account with the same browser, YouTube can assign the visit to our online presence to your user account. We would like to point out that, as the provider of the online presence, we have no knowledge of the content of the transmitted data or its use by YouTube.

If you give us your consent, the legal basis for the processing of personal data in connection with YouTube is Art. 6 para. 1 lit. a GDPR. The cookie is also stored and read on the basis of your consent in accordance with Section 25 (1) TDDDG. As long as you do not give your consent, the video will remain grayed out; processing will then not take place.

You can withdraw your consent at any time and without giving reasons. You can withdraw your consent at any time by opening the cookie box and moving the corresponding slider to "Off".

When you play the video, personal data may be transmitted by Google Ireland to Google Inc. in the USA and processed there by Google. This includes in particular your IP address, technical data of the end device and the information that you have accessed the corresponding subpage of our website. There is currently an adequacy decision by the European Commission for the transfer of data to companies in the USA, provided that US companies are certified under the Data Privacy Framework Program. Google Inc. is certified under the EU-US Data Privacy Framework. Through this certification, the company has undertaken to comply with higher data protection standards than are customary in the United States and which are intended to come close to those of the European Union. However, there is still a risk that your right to the protection of personal data in the USA will not be effectively protected. The transfer of your personal data to the USA is based on the adequacy decision pursuant to Art. 45 para. 1 GDPR.

If you do not want YouTube to be able to associate your visit to our online presence with your YouTube user account after clicking on one of the YouTube buttons, please log out of your YouTube user account before clicking on the YouTube "button".

Further information on the handling of your personal data when visiting the YouTube website and playing YouTube videos can be found in YouTube's privacy policy.

12. Linking to social media websites

On our website, we link to our social media presences primarily in the form of "social media buttons". We attach great importance to the protection of your data.

We have integrated the buttons for the respective platforms into our site using an HTML link (so-called "Shariff solution" from c't). Only when you click on the corresponding graphic will you be forwarded to the selected provider via an extra browser window. Only then will your data be sent to the respective provider. If you do not click on these buttons, your data will not be passed on to the respective provider via our website.

You can then interact with the network on the social media page (after entering your login data, if applicable), e.g. by liking, sharing posts or commenting. The purpose and scope of the data collection and the further processing and use of the data by the providers on their pages as well as your rights in this regard and setting options to protect your privacy can be found in the providers' data protection notices.

Facebook: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland; Website: www.facebook.com; Privacy Policy: http://www.facebook.com/policy.php.

Instagram: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland; Website: https://www.instagram.com; Privacy Policy: https://help.instagram.com/155833707900388.

Tripadvisor: TripAdvisor LLC, 400 1st Avenue, Needham, MA 02494 USA; Website: https://www.tripadvisor.de; Privacy Policy: https://tripadvisor.mediaroom.com/DE-privacy-policy.

TikTok: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, Website: www.tiktok.com; Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de-DE.

Pinterest: Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA; Website: www.pinterest.com; Privacy Policy: https://about.pinterest.com/de/privacy-policy.

13. Facebook and Instagram fan pages and Facebook Insights

We offer so-called fan pages on the social networks Facebook and Instagram. The operating company of Facebook and Instagram is Meta Platforms Inc, 1 Hacker Way, Menlo Park, CA 94025, USA. If the data subjects live or reside in the European Union, the controller for the processing of personal data is Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta Ireland"). Personal data is processed when you visit our fan pages. We and Meta Ireland are jointly responsible for the collection and transfer of personal data to Meta Ireland when you visit our Facebook fan page.

Meta also uses its "Facebook Insights" service on our Facebook pages. If you give your consent to tracking on our website by opting in, your data will be collected for our Facebook fan page. We receive anonymized data in order to gain insights into how people interact with our fan page and the associated content. This enables us to design our website in a user-friendly way and further optimize it. This is also our legitimate interest in the processing (Art. 6 para. 1 lit. f GDPR). A joint controllership agreement has been concluded with Meta Ireland regarding the transfer of personal data (Page Insights Addendum), which regulates the performance of obligations under the GDPR (https://de-de.facebook.com/legal/terms/page_controller_addendum).

You can assert your data subject rights with Meta Ireland and with us. The primary responsibility under the GDPR for the processing of Insights data lies with Meta Ireland. Meta Ireland fulfills all obligations under the GDPR with regard to the processing of Insights data and provides the essentials of the Page Insights Supplement to the data subjects (see above).

1. Disclosure of personal data

We will not disclose personal data beyond this without your express consent, unless there is a legal basis for doing so, e.g. if we are legally obliged to disclose data (information to law enforcement authorities and courts; information to public bodies that receive data on the basis of legal regulations, e.g. social insurance agencies, tax authorities, etc.) or if we involve third parties who are obliged to maintain professional secrecy in order to enforce our claims.

1. Transportation, logistics and order management

For the technical and logistical processing of the contract and for shipping, we transmit the personal data you provide to us for this purpose, such as name and address, to our processors within the scope of store operation and to shipping service providers commissioned by us to send the goods.

This data is transmitted to our processors as well as transport and logistics service providers for the purpose of technical and logistical processing of the contract and for shipping the goods. The use of external service providers and transport and logistics service providers enables us to process and handle your order efficiently.

We use Xentral ERP Software GmbH, Fuggerstr. 11, 86150 Augsburg, Germany, for the operation of the stores and the technical processing of orders and payments. For hosting the ticket store and processing ticket orders, we also use the system of Beckerbillett GmbH, Fangdieckstr. 61, 22547 Hamburg, Germany. Your personal data that you provide to us for orders will be transmitted to these service providers.

If you give us your consent for the transmission, you can revoke this at any time. You can object to the processing of your personal data at any time. However, we would like to point out that without the transmission of this data we will not be able to process your order logistically and it will therefore not be possible to execute the contract.

2. Third-party provider

As part of the use of our websites, we integrate various services about which we inform you in this data protection information. Recipients of your personal data when using third-party services may be the following companies:

• Sendinblue SAS, 106 Boulevard Haussmann, 75008 Paris, France
• knowhere GmbH, Steinhöft 9, 20459 Hamburg, Germany
• Friendly Captcha GmbH, Am Anger 3-5, 82237 Woerthsee, Germany
• Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland
• Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
• Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Carmanhall and Leopardstown, Dublin, D18 P521, Ireland
• Microsoft Inc, One Microsoft Way Redmond Washington 98052, USA.
• Aut O'Mattic A8C Ireland Ltd, Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland
• Mouseflow Inc, Flaesketorvet 68, 1711 Copenhagen V, Denmark
• Hotjar Ltd, Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta
• Meta Platforms Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
• Meta Platforms Inc, 1 Hacker Way, Menlo Park, CA 94025, USA
• Pinterest Europe Ltd, 60 Dawson St, Dublin, D02 K330, Ireland
• Pinterest Inc, 651 Brannan St, San Francisco, CA 94107, USA
• MINTANO UG (limited liability), Erkrather Str. 401, 40231 Düsseldorf
• Anchor Media GmbH, Budapester Str. 47, 20359 Hamburg
  

3. Third country transfer

Your personal data will generally be processed in the European Union or the European Economic Area.

If third-party services are activated or we have to use third-party services based in third countries, we will take all necessary steps to ensure an adequate level of data protection. This can be ensured, for example, by concluding standard contractual clauses, on the basis of which the data recipients are obliged to adequately protect your personal data. If adequacy decisions exist for third countries, these serve as a lawful basis for the transfer of data.

Through the use of third-party services and the activation of cookies, your personal data may be transferred to the USA.

1. Your rights as a data subject

1. General rights

You have the following rights vis-à-vis us with regard to your personal data:

1.  in accordance with Art. 15 GDPR, to request information about your personal data processed by us. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, and the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
2. in accordance with Art. 16 GDPR, to immediately request the correction of incorrect or incomplete personal data stored by us;
3. in accordance with Art. 17 GDPR, to demand the deletion of your personal data stored by us, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
4. in accordance with Art. 18 GDPR, to demand the restriction of the processing of your personal data if the accuracy of the data is disputed by you, the processing is unlawful but you refuse to delete it and we no longer need the data, but you need it to assert, exercise or defend legal claims or you have lodged an objection to the processing in accordance with Art. 21 GDPR;
5. in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller, and

• to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual

place of residence or workplace or the registered office of our company.

Please contact us to assert your rights: frick@datenschutz-metropol.de

2. Right of appeal

If you wish to complain to the data protection supervisory authority responsible for the registered office of our company about the processing of your personal data by us, please contact:

The Hamburg Commissioner for Data Protection and Freedom of Information
Klosterwall 6 (Block C), 20095 Hamburg
Tel.: (040) 4 28 54 - 40 40
E-Fax: (040) 4 279 - 11811
E-Mail: mailbox@datenschutz.hamburg.de

3. Right of objection

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1). In the case of direct advertising (marketing), you also have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising.