Privacy Policy

Privacy Policy of herbodyplan.com

herbodyplan.com takes the protection of your personal data seriously. Protecting your privacy and data security in processing personal data is our top priority, which we consider and continuously optimize in our business processes. We process your personal data based on data protection laws, particularly the General Data Protection Regulation (GDPR). In the following privacy policy, we inform you about how we process your personal data and what rights you have.

Who is responsible for processing your personal data, and how can you contact our data protection officer?

Responsible entity:
herbodyplan.com / Lukasz Zdunek
Bismarckstraße 82
10627 Berlin
Managing Director: Lukasz Zdunek

Data Protection Officer:
Name: Lukasz Zdunek
Email address: info@herbodyplan.com

1. What personal data do we process, why do we do this, and what legal permission do we have for it? (Legal basis)

1.1. This privacy policy informs you about the type, scope, and purpose of processing personal data within our online offering and the associated websites, functions, and content (hereinafter collectively referred to as "online offering" or "website"). The privacy policy applies regardless of the domains, systems, platforms, and devices (e.g., desktop or mobile) on which the website is executed.

1.2. The terminology used, such as "personal data" or their "processing," refers to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

1.3. We process inventory data (e.g., names, addresses, and contact details of customers) and contract data (e.g., services used, names of contact persons, payment information) to fulfill our contractual obligations and services according to Art. 6 Para. 1 lit. b. GDPR.

1.4. Users' personal data processed in the context of this online offering include inventory data (e.g., customer names and addresses), contract data (e.g., services used, names of contact persons, payment information), usage data (e.g., the web pages of our online offering visited, interest in our products), and content data (e.g., entries in the contact form).

1.5. The term "user" includes all categories of data processing subjects. They include our business partners, customers, prospects, and other visitors to our website. The terms used, such as "user," are to be understood gender-neutrally.

1.6. We process users' personal data only in compliance with the relevant data protection regulations. This means that users' data is processed only with legal permission, especially if the data processing is necessary for the provision of our contractual services (e.g., processing of orders and queries) and online services, is required by law, is based on the users' consent, or is based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation and security of our online offering within the meaning of Art. 6 Para. 1 lit. f. GDPR, in particular in measuring reach, creating profiles for advertising and marketing purposes, collecting access data, and using the services of third-party providers).

1.7. We note that the legal basis for the consents is Art. 6 Para. 1 lit. a. and Art. 7 GDPR, the legal basis for processing to fulfill our services and perform contractual measures is Art. 6 Para. 1 lit. b. GDPR, the legal basis for processing to fulfill our legal obligations is Art. 6 Para. 1 lit. c. GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6 Para. 1 lit. f. GDPR.

2. How do we protect personal data?

2.1. We take organizational, contractual, and technical security measures according to the state of the art to ensure that the regulations of the data protection laws are complied with and thus to protect the data processed by us against accidental or intentional manipulation, loss, destruction, or against access by unauthorized persons.

2.2. Among the security measures is, in particular, the encrypted transmission of data between your browser and our server, secured storage in protected areas, and the physical and software-side security against unwanted access by third parties or loss.

3. Disclosure to Cooperation Partners for Service Provision

3.1. We only disclose data to third parties within the scope of legal requirements. We only pass users' data to third parties if, for example, this is required for contractual purposes on the basis of Art. 6 Para. 1 lit. b) GDPR or on the basis of legitimate interests according to Art. 6 Para. 1 lit. f. GDPR in the economic and effective operation of our business.

3.2. If we use subcontractors to provide our services, we take appropriate legal precautions as well as corresponding technical and organizational measures to ensure the protection of personal data in accordance with the relevant statutory provisions.

3.3. If content, tools, or other means from other providers (hereinafter collectively referred to as "third-party providers") are used within the scope of this privacy policy and their named headquarters are located in a third country, it is to be assumed that data transfer to the states of domicile of the third-party providers takes place. Third countries are countries in which the GDPR is not a directly applicable law, i.e., basically countries outside the EU or the European Economic Area. Data transfer to third countries takes place if there is either an adequate level of data protection, user consent, or another legal authorization.

4. Contacting Us

4.1. When contacting us (via contact form, phone, chat, or email), user information is processed for handling the contact request and its settlement according to Art. 6 Para. 1 lit. b) GDPR.

4.2. User information may be stored in our Customer Relationship Management System ("CRM System") or a comparable inquiry organization.

5. Security Measures

5.1. Based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering within the meaning of Art. 6 Para. 1 lit. f. GDPR), we collect data on every access to the server on which this service is located (so-called server log files). Access data includes the name of the accessed website, file, date and time of access, transferred data volume, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address, and the requesting provider.

5.2. Logfile information is stored for security reasons (e.g., to investigate abuse or fraud) for a maximum period of seven days and then deleted. Data whose further retention is required for evidence purposes is exempt from deletion until the final clarification of the incident.

5.3. Database backups of the web host are made at intervals of 4 weeks, thus overwriting the old backup. This ensures that your data is not stored longer than necessary with our processor.

6. Use of Cookies & Reach Measurement

6.1. Cookies are information transferred from our web server or third-party web servers to the users' web browsers and stored for later retrieval. Cookies can be small files or other types of information storage.

6.2. We use "session cookies," which are only stored for the duration of the current visit to our online presence (e.g., to enable the storage of your login status or the shopping cart function and thus the use of our online offering at all). A session cookie stores a randomly generated unique identification number, a so-called session ID. A cookie also contains information about its origin and the retention period. These cookies cannot store any other data. Session cookies are deleted when you have finished using our online offering and, for example, log out or close the browser.

6.3. This privacy statement informs users about the use of cookies in the context of pseudonymous reach measurement.

6.4. If users do not want cookies stored on their computer, they are asked to disable the corresponding option in their browser's system settings. Stored cookies can be deleted in the browser's system settings. Excluding cookies can lead to functional restrictions of this online offering.

6.5. You can object to the use of cookies that serve to measure reach and advertising purposes via the deactivation page of the Network Advertising Initiative (http://optout.networkadvertising.org/) and additionally the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).

7. Use of Google Analytics for Optimal Reach

7.1. Based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering within the meaning of Art. 6 Para. 1 lit. f. GDPR), we utilize Google Analytics, a web analytics service provided by Google LLC ("Google"). Google uses cookies, which are text files placed on your computer, to help the website analyze how users interact with the site. The information generated by the cookie about your use of this website is usually transmitted to and stored by Google on servers in the United States.

7.2. Google is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

7.3. Google will use this information on our behalf to evaluate your use of our online offering, to compile reports on website activity, and to provide other services related to website activity and internet usage to us. In this process, pseudonymous usage profiles of the users can be created from the processed data.

7.4. We only use Google Analytics with IP anonymization enabled. This means that Google will truncate the IP address of users within Member States of the European Union or other parties to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the USA and shortened there.

7.5. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data held by Google. Users can prevent the storage of cookies by selecting the appropriate settings on their browser software; users can also prevent Google from collecting the data generated by the cookie and related to their use of the online offering, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

7.6. For more information on data usage by Google, settings and opt-out options, please visit Google's websites: https://www.google.com/intl/de/policies/privacy/partners ("Data usage by Google when you use our partners' sites or apps"), http://www.google.com/policies/technologies/ads ("Data usage for advertising purposes"), http://www.google.de/settings/ads ("Manage information Google uses to show you ads").

7.7. Further, we might use Google Analytics to display the ads placed within advertising services by Google and its partners, only to those users who have shown an interest in our online offering or who have certain characteristics (e.g., interests in specific topics or products determined by the websites visited) that we transmit to Google (so-called "remarketing" or "Google Analytics audiences"). With the help of remarketing audiences, we also wish to ensure that our ads match the potential interest of users and do not appear annoying.

8. Always Up-to-Date with Google Re/Marketing Services

8.1. Based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering within the meaning of Art. 6 Para. 1 lit. f. GDPR), we use the marketing and remarketing services ("Google Marketing Services") of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, ("Google").

8.2. Google is certified under the Privacy Shield Agreement, providing a guarantee to comply with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

8.3. Google Marketing Services allows us to display advertisements for and on our website in a more targeted manner, to only present ads that potentially match users' interests. If, for example, users are shown ads for products they have shown interest in on other websites, this is referred to as "remarketing". For these purposes, when our and other websites on which Google Marketing Services are active are accessed, Google directly executes a code by Google and (re)marketing tags (invisible graphics or code, also known as "web beacons") are integrated into the website. With their help, an individual cookie, i.e., a small file, is stored on the user's device (comparable technologies can also be used instead of cookies). The cookies can be set by various domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com, or googleadservices.com. This file notes which websites the user visits, what content they are interested in, and what offers they have clicked on, as well as technical information about the browser and operating system, referring websites, visiting time, and other information on the use of the online offering. The user's IP address is also recorded, whereby we inform within the framework of Google Analytics that the IP address is shortened within member states of the European Union or other contracting states of the Agreement on the European Economic Area and only in exceptional cases is it transmitted in full to a Google server in the USA and shortened there. The IP address is not merged with the user's data within other Google offers. The above information can also be combined by Google with information from other sources. If the user then visits other websites, ads tailored to the user's interests can be displayed.

8.4. The data of the users are processed pseudonymously within the framework of Google Marketing Services. That is, Google stores and processes, for example, not the name or email address of the users, but processes the relevant data cookie-related within pseudonymous user profiles. That is, from Google's perspective, the ads are not managed and displayed for a specifically identified person, but for the cookie owner, regardless of who this cookie owner is. This does not apply if a user has explicitly allowed Google to process the data without this pseudonymization. The information collected by Google Marketing Services about users is transmitted to Google and stored on Google's servers in the USA.

8.5. One of the Google marketing services we use is the online advertising program "Google AdWords". In the case of Google AdWords, each AdWords customer receives a different "conversion cookie". Cookies cannot therefore be tracked through the websites of AdWords customers. The information obtained with the help of the cookie is used to compile conversion statistics for AdWords customers who have opted for conversion tracking. AdWords customers find out the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, they do not receive any information that personally identifies users.

8.6. We may include third-party advertisements based on the Google marketing service "DoubleClick". DoubleClick uses cookies that allow Google and its partner websites to serve ads based on users' visits to this website or other websites on the Internet.

8.7. Furthermore, we can use the "Google Optimizer" service. Google Optimizer allows us to understand how various changes to a website (e.g., changes to input fields, design, etc.) affect it in so-called "A/B testing". For these testing purposes, cookies are stored on users' devices. Only pseudonymous data of the users are processed.

8.8. Additionally, we can use "Google Tag Manager" to integrate and manage Google analysis and marketing services into our website.

8.9. For more information about Google's use of data for marketing purposes, see the overview page: https://www.google.com/policies/technologies/ads. Google's privacy policy is available at https://www.google.com/policies/privacy.

8.10. If you wish to opt-out of interest-based advertising through Google Marketing Services, you can use Google's setting and opt-out options: http://www.google.com/ads/preferences.

9. Facebook Custom Audiences and Facebook Marketing Services

9.1 Within our online offering, based on our legitimate interests in the analysis, optimization, and economic operation of our online offering, we use the so-called "Facebook Pixel" of the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are based in the EU, by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook").

9.2 Facebook is certified under the Privacy Shield Agreement, providing a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).

9.3 With the help of the Facebook Pixel, it is possible for Facebook to determine the visitors to our online offer as a target group for the display of advertisements (so-called "Facebook Ads"). Accordingly, we use the Facebook Pixel to display the Facebook Ads we have placed only to those Facebook users who have shown an interest in our online offering or who have certain characteristics (e.g., interests in specific topics or products determined by the websites they have visited), which we transmit to Facebook (so-called "Custom Audiences"). With the help of the Facebook Pixel, we also want to ensure that our Facebook Ads correspond to the potential interest of the users and do not appear annoying. With the help of the Facebook Pixel, we can further track the effectiveness of the Facebook advertisements for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook advertisement (so-called "conversion").

9.4 The processing of the data by Facebook takes place within the framework of Facebook's Data Use Policy. Accordingly, general notes on the display of Facebook Ads can be found in Facebook's Data Use Policy: https://www.facebook.com/policy.php. Specific information and details about the Facebook Pixel and how it works can be found in the help section of Facebook: https://www.facebook.com/business/help/651294705016616.

9.5 You can object to the collection by the Facebook Pixel and use of your data to display Facebook Ads. To set which types of ads are shown to you within Facebook, you can go to the page set up by Facebook and follow the instructions on the usage-based advertising settings: https://www.facebook.com/settings?tab=ads. The settings are platform-independent, i.e., they are applied to all devices, such as desktop computers or mobile devices.

9.6 You can also object to the use of cookies for reach measurement and advertising purposes via the deactivation page of the Network Advertising Initiative (http://optout.networkadvertising.org/) and additionally the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).

10. You Will Love Our Newsletters

10.1. We aim to briefly outline the registration, shipping, and statistical evaluation procedures as well as your rights of objection. By subscribing to our newsletter, you agree to receive it and the described procedures.

10.2. Content of the Newsletter: We send newsletters, emails, and other electronic notifications containing promotional information (hereinafter "newsletter") only with the consent of the recipients or a legal permission. If the contents of the newsletter are concretely described within the framework of a registration, they are decisive for the consent of the users. Our newsletter provides information about our products, offers, promotions, and our company.

10.3. Double opt-in and logging: The registration for our newsletter takes place in a so-called double opt-in procedure. This means you will receive an email after registration asking you to confirm your registration. This confirmation is necessary so no one can register with email addresses that do not belong to them. Registrations for the newsletter are logged to be able to prove the registration process according to legal requirements. This includes storing the registration and confirmation time, as well as the IP address.

10.4. The newsletter is sent via "Brevo," a newsletter distribution platform of the provider Sendinblue GmbH. The data privacy policy of the shipping service provider can be viewed here: https://www.brevo.com/de/informationen-newsletter-empfaenger/.

10.5. Furthermore, according to its own information, the shipping service provider may use this data in a pseudonymous form, i.e., without assignment to a user, to optimize or improve their own services, e.g., for the technical optimization of sending and the presentation of newsletters or for statistical purposes to determine from which countries the recipients come. However, the shipping service provider does not use the data of our newsletter recipients to write to them or pass their data on to third parties.

10.6. Registration data: To subscribe to the newsletter, it is sufficient to provide your email address. Optionally, we ask you to provide a name for the purpose of personal address in the newsletter.

10.7. The newsletters contain a so-called "web beacon," i.e., a pixel-sized file that is retrieved from the server of Brevo when the newsletter is opened. Within the scope of this retrieval, initially technical information, such as information about the browser and your system, as well as your IP address and time of retrieval, are collected. This information is used for the technical improvement of services based on the technical data or the target audiences and their reading behaviors based on their retrieval locations (which can be determined using the IP address) or access times. The statistical surveys also include determining whether the newsletters are opened, when they are opened, and which links are clicked. For technical reasons, this information can be assigned to the individual newsletter recipients. However, it is neither our intention nor that of Brevo to monitor individual users. The evaluations serve us much more to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.

10.8. The use of the shipping service provider, performance of statistical surveys and analyses, and logging of the registration procedure are carried out based on our legitimate interests according to Art. 6 Para. 1 lit. f GDPR. Our interest is in using a user-friendly and secure newsletter system that serves both our business interests and meets the expectations of users.

10.9. Cancellation/revocation - You can cancel the receipt of our newsletter at any time, i.e., revoke your consents. A link to cancel the newsletter can be found at the end of each newsletter. If users have only subscribed to the newsletter and canceled this subscription, their personal data will be deleted.

11. Purchases and Payment Processing

11.1. PayPal: We accept payments through PayPal. When processing payments, some of your data will be passed to PayPal, including information required to process or support the payment, such as the purchase total and billing information. Please refer to the PayPal Privacy Policy for more details: https://www.paypal.com/us/webapps/mpp/ua/privacy-full

11.2. Stripe: Our store accepts payments through Stripe. By using this payment service, your personal data may be stored or shared with Stripe to process payments. This includes, but is not limited to, the purchase total and billing information. For more information on Stripe's data handling, please see Stripe's Privacy Policy: https://stripe.com/de/privacy

12. Integration of Third-Party Services and Content

12.1. Within our online offering, based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering within the meaning of Art. 6 Para. 1 lit. f. GDPR), we make use of content or service offers from third-party providers in order to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as “content”).

12.2. This always presupposes that the third-party providers of this content perceive the IP address of the users since they would not be able to send the content to their browser without the IP address. The IP address is thus required for the presentation of this content. We strive to use only content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may include, but is not limited to, technical information about the browser and operating system, referring web pages, visit time, and other information regarding the use of our online offering, as well as be linked to such information from other sources.

12.3. The following presentation provides an overview of third-party providers as well as their contents, along with links to their privacy policies, which contain further information on the processing of data and, partly already mentioned here, objection opportunities (so-called opt-out):

External fonts from Google, Inc., https://www.google.com/fonts (“Google Fonts”). The integration of Google Fonts is carried out by a server call to Google (usually in the USA). Privacy Policy: https://www.google.com/policies/privacy/, Opt-Out: https://www.google.com/settings/ads/.

External code of the JavaScript framework “jQuery”, provided by the third-party jQuery Foundation, https://jquery.org.

12.4. If we should use further third-party providers and their tools or content, we will follow the same privacy protection standards and provide you with respective information and opt-out opportunities as mentioned above.

13. Retention and Deletion of Your Personal Data

13.1. Data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention requirements. If user data is not deleted because it is necessary for other legally permissible purposes, its processing will be restricted. That is, the data is blocked and not processed for other purposes. This applies, for example, to data that must be kept for commercial or tax law reasons.

13.2. According to legal requirements, data is retained for 6 years pursuant to § 257 (1) HGB (German Commercial Code) (trading books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting vouchers, etc.) and for 10 years pursuant to § 147 (1) AO (German Fiscal Code) (books, records, management reports, accounting documents, commercial and business letters, documents relevant for taxation, etc.).

14. Your Data Protection Rights

14.1. Users have the right to request confirmation as to whether the relevant data is being processed and to information about this data, as well as further information and a copy of the data in accordance with Art. 15 GDPR.

14.2. According to Art. 16 GDPR, users have the right to complete the data concerning them or to correct the incorrect data concerning them.

14.3. In accordance with Art. 17 GDPR, users have the right to demand that relevant data be deleted immediately or, alternatively, to demand a restriction on the processing of the data in accordance with Art. 18 GDPR.

14.4. Users have the right to receive the data concerning them that they have provided in accordance with Art. 20 GDPR and to request its transmission to other responsible parties.

14.5. Furthermore, according to Art. 77 GDPR, users have the right to file a complaint with the competent supervisory authority.

15. The Supervisory Authority Responsible for Us

You can reach the supervisory authority responsible for us at:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
(Berlin Commissioner for Data Protection and Freedom of Information)
Friedrichstr. 219
Visitor entrance: Puttkamerstr. 16-18
10969 Berlin
Phone: 030 13889-0
Fax: 030 2155050
Email: mailbox@datenschutz-berlin.de

16. Right to Object

16.1 Users have the right to object to the processing of their personal data at any time, in accordance with legal requirements. This objection can be made especially against processing for direct marketing purposes. If the processing is based on consent, users have the right to withdraw their consent with effect for the future at any time. Moreover, users have the right to object to processing based on the balance of interests, particularly when the data processing is not essential for the performance of a contract with the user. When exercising such an objection, we ask the user to explain the reasons why we should not process their personal data as we have done. In the case of a justified objection, we will examine the situation and either stop or adjust the data processing or point out to you our compelling legitimate grounds on which we will continue processing.

Furthermore, users and data subjects have the right to object to the processing of their personal data for the purpose of direct advertising at any time. This also applies to profiling, as far as it is associated with such direct advertising. If users object to processing for direct marketing purposes, their personal data will no longer be processed for these purposes.

To exercise these rights, you can contact us directly via email at:
info@herbodyplan.com

or by mail at the following address:
herbodyplan.com / Lukasz Zdunek
Bismarckstraße 82
10627 Berlin

17. Changes to the Privacy Policy

17.1. We reserve the right to change the privacy policy to adapt it to changed legal situations, or in the event of changes to the service as well as data processing. However, this only applies to declarations of data processing. If users' consents are required or parts of the privacy policy contain provisions of the contractual relationship with the users, the changes will only be made with the consent of the users.

17.2. Users are requested to inform themselves regularly about the content of the privacy policy.
