Data protection
Table of contents for the privacy policy:
- Introduction and overview
- Scope of application
- Legal basis
- Contact details of the person responsible
- Storage period
- Rights under the General Data Protection Regulation
- Communication
- Registration
- Payment providers
1. Introduction and overview
We have written this privacy policy (version 05.12.2023-312191807) to explain to you, in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, which personal data (data for short) we as the responsible party - and the processors commissioned by us (e.g. providers) - process, will process in the future and what legal options you have. The terms used are to be understood as gender-neutral.
In short: We provide you with comprehensive information about the data we process about you.
2. Scope
This privacy policy applies to all personal data processed by us in the company and to all personal data processed by companies commissioned by us (contract processors). By personal data we mean information within the meaning of Art. 4 No. 1 GDPR, such as a person's name, email address and postal address. The processing of personal data ensures that we can offer and bill for our services and products, whether online or offline. The scope of this privacy policy includes:
- All online presences (websites, online shops) that we operate
- Social media presence and email communication
- Mobile apps for smartphones and other devices
In short: This privacy policy applies to all areas in which personal data is processed in a structured manner within the company via the channels mentioned. If we enter into legal relationships with you outside of these channels, we will inform you separately if necessary.
3. Legal basis
In the following privacy policy we provide you with transparent information on the legal principles and regulations, i.e. the legal basis of the General Data Protection Regulation, which enable us to process personal data.
As far as EU law is concerned, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016. You can of course read this EU General Data Protection Regulation online on EUR-Lex, the gateway to EU law, at https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32016R0679.
We only process your data if at least one of the following conditions applies:
- Consent (Article 6 paragraph 1 letter a GDPR): You have given us your consent to process data for a specific purpose. An example would be the storage of the data you entered in a contact form.
- Contract (Article 6 paragraph 1 letter b GDPR): We process your data in order to fulfil a contract or pre-contractual obligations with you. For example, if we conclude a purchase contract with you, we need personal information in advance.
- Legal obligation (Article 6 paragraph 1 letter c GDPR): We process your data if we are subject to a legal obligation. For example, we are legally obliged to keep invoices for accounting purposes. These usually contain personal data.
- Legitimate interests (Article 6 paragraph 1 letter f GDPR): In the case of legitimate interests that do not restrict your fundamental rights, we reserve the right to process personal data. For example, we need to process certain data in order to be able to operate our website securely and economically efficiently. This processing is therefore a legitimate interest.
Other conditions such as the taking of recordings in the public interest and the exercise of public authority as well as the protection of vital interests do not generally apply to us. If such a legal basis should be applicable, it will be indicated in the appropriate place.
In addition to the EU regulation, national laws also apply:
- In Austria, this is the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act), or DSG for short.
- In Germany, the Federal Data Protection Act, or BDSG for short, applies.
If other regional or national laws apply, we will inform you about them in the following sections.
4. Contact details of the person responsible
If you have any questions about data protection or the processing of personal data, you will find the contact details of the responsible person or body below:
Sino´s Trade World Berlin GmbH
Adam-von-Trott-Strasse 10
13627 Berlin, Germany
Email: info@vapehaus.de
Phone:
Imprint: https://www.vapehaus.de/pages/impressum/
5. Storage period
Our general rule is that we only store personal data for as long as it is absolutely necessary to provide our services and products. This means that we delete personal data as soon as the reason for data processing no longer exists. In some cases, we are legally obliged to store certain data even after the original purpose no longer applies, for example for accounting purposes.
If you wish to have your data deleted or withdraw your consent to data processing, the data will be deleted as quickly as possible, unless there is an obligation to store it.
We will inform you below about the specific duration of each data processing operation, provided we have further information on this.
6. Rights under the General Data Protection Regulation
In accordance with Articles 13 and 14 of the GDPR, we inform you of the following rights to which you are entitled in order to ensure fair and transparent data processing:
According to Article 15 GDPR, you have the right to know whether we process data about you. If this is the case, you have the right to receive a copy of the data and to be informed of the following information:
- for what purposes we carry out the processing;
- the categories, i.e. the types of data that are processed;
- who receives this data and, if the data is transferred to third countries, how security can be guaranteed;
- how long the data is stored;
- the existence of the right to rectification, erasure or restriction of processing and the right to object to processing;
- that you can complain to a supervisory authority (links to these authorities can be found below);
- the origin of the data if we did not collect it from you;
- whether profiling is carried out, i.e. whether data is automatically evaluated in order to create a personal profile of you.
You have the right to rectification of data according to Article 16 GDPR, which means that we must correct data if you find any errors.
According to Article 17 GDPR, you have the right to erasure (“right to be forgotten”), which specifically means that you can request that your data be deleted.
According to Article 18 GDPR, you have the right to restrict processing, which means that we may only store the data but not use it any further.
According to Article 20 GDPR, you have the right to data portability, which means that we will provide you with your data in a common format upon request.
According to Article 21 GDPR, you have the right to object, which, once enforced, will result in a change in the processing.
If the processing of your data is based on Article 6 Paragraph 1 Letter e (public interest, exercise of official authority) or Article 6 Paragraph 1 Letter f (legitimate interest), you can object to the processing. We will then check as quickly as possible whether we can legally comply with this objection.
If data is used to conduct direct advertising, you can object to this type of data processing at any time. We may no longer use your data for direct marketing after this.
If data is used to carry out profiling, you can object to this type of data processing at any time. We may no longer use your data for profiling after this.
According to Article 22 GDPR, you may have the right not to be subjected to a decision based solely on automated processing (e.g. profiling).
According to Article 77 of the GDPR, you have the right to complain. This means that you can complain to the data protection authority at any time if you believe that the processing of personal data violates the GDPR.
In short: you have rights – do not hesitate to contact the responsible body listed above!
If you believe that the processing of your data violates data protection law or that your data protection rights have been violated in any other way, you can complain to the supervisory authority. For Austria, this is the Data Protection Authority, whose website you can find at https://www.dsb.gv.at/. In Germany, there is a data protection officer for each federal state. For more information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The following local data protection authority is responsible for our company:
Berlin Data Protection Authority
State Commissioner for Data Protection: Maja Smoltczyk
Address: Friedrichstrasse 219, 10969 Berlin
Telephone number: 030/138 89-0
Email address: mailbox@datenschutz-berlin.de
Website: https://www.datenschutz-berlin.de/
7. Communication
Communication Summary
👥 Affected persons: All those who communicate with us by phone, email or online form
📓 Data processed: e.g. telephone number, name, email address, entered form data. You can find more details under the contact type used.
🤝 Purpose: Handling communication with customers, business partners, etc.
📅 Storage period: Duration of the business case and the legal regulations
⚖️ Legal basis: Art. 6 Para. 1 lit. a GDPR (consent), Art. 6 Para. 1 lit. b GDPR (contract), Art. 6 Para. 1 lit. f GDPR (legitimate interests)
If you contact us and communicate by telephone, email or online form, personal data may be processed.
The data will be processed in order to handle your question and the related business transaction. The data will be stored for as long as required by law.
Affected people
The above-mentioned processes affect everyone who contacts us via the communication channels we provide.
Phone
When you call us, the call data is stored pseudonymously on the respective device and by the telecommunications provider used. In addition, data such as name and telephone number can be sent by email afterwards and stored to answer your query. The data is deleted as soon as the business transaction has been completed and legal requirements permit it.
E-mail
If you communicate with us by email, data may be saved on the respective device (computer, laptop, smartphone, etc.) and data may be saved on the email server. The data will be deleted as soon as the business transaction has been completed and legal requirements permit it.
Online forms
If you communicate with us using an online form, data will be stored on our web server and, if necessary, forwarded to an email address of ours. The data will be deleted as soon as the business transaction has been completed and legal requirements permit it.
Legal basis
The processing of the data is based on the following legal bases:
- Art. 6 Para. 1 lit. a GDPR (consent): You give us your consent to store your data and to continue to use it for the purposes related to the business case;
- Art. 6 (1) (b) GDPR (contract): There is a need to fulfil a contract with you or a processor such as the telephone provider or we have to process the data for pre-contractual activities, such as preparing an offer;
- Art. 6 (1) (f) GDPR (legitimate interests): We want to handle customer inquiries and business communication in a professional setting. For this, certain technical facilities such as email programs, exchange servers and mobile phone operators are necessary in order to be able to conduct communication efficiently.
8. Registration
Registration Summary
👥 Affected persons: All persons who register, create an account, log in and use the account.
📓 Data processed: email address, name, password and other data collected during registration, login and account usage.
🤝 Purpose: Providing our services. Communicating with customers in connection with the services.
📅 Storage period: As long as the company account linked to the texts exists and thereafter usually for 3 years.
⚖️ Legal basis: Art. 6 Para. 1 lit. b GDPR (contract), Art. 6 Para. 1 lit. a GDPR (consent), Art. 6 Para. 1 lit. f GDPR (legitimate interests)
If you register with us, personal data may be processed if you enter personally identifiable data or if data such as your IP address is recorded during processing. You can read what we mean by the rather cumbersome term “personal data” below.
Please only enter data that we need for registration and for which you have the approval of a third party if you are registering on behalf of a third party. If possible, use a secure password that you do not use anywhere else and an email address that you check regularly.
Below we will inform you about the exact type of data processing, because we want you to feel comfortable with us!
What is registration?
When you register, we collect certain data from you and then enable you to easily log in online later and use your account with us. An account with us has the advantage that you do not have to enter everything again each time. This saves time, effort and ultimately prevents errors in the provision of our services.
Why do we process personal data?
In short, we process personal data to enable the creation and use of an account with us.
If we didn't do that, you would have to enter all the data every time, wait for approval from us and enter everything again. We and many, many customers wouldn't like that. How would you feel about that?
What data is processed?
All data that you provided during registration, when logging in or when managing your data in your account.
When you register, we process the following types of data:
- First name
- Last name
- Birthday
- E-mail address
- Company name
- Street + house number
- Place of residence
- Postal code
- Country
When you register, we process the data you enter when registering, such as your user name and password, and data collected in the background, such as device information and IP addresses.
When you use your account, we process data that you enter during your account use and which is created when you use our services.
Storage period
We store the data entered at least for as long as the account linked to the data exists and is used with us, as long as contractual obligations exist between us and, when the contract ends, until the respective claims arising from it have expired. In addition, we store your data for as long as and to the extent that we are subject to legal obligations to store it. After that, we keep accounting documents relating to the contract (invoices, contract documents, bank statements, etc.) for 10 years (§ 147 AO) as well as other relevant business documents for 6 years (§ 247 HGB) after they arise.
Right to object
You have registered, entered data and would like to revoke the processing? No problem. As you can read above, the rights according to the General Data Protection Regulation also apply during and after registration, login or account with us. Contact the person responsible for data protection listed above to exercise your rights. If you already have an account with us, you can easily view or manage your data and texts in your account.
Legal basis
By completing the registration process, you are approaching us in a pre-contractual manner in order to conclude a user agreement via our platform (although a payment obligation does not automatically arise). You invest time to enter data and register, and we offer you our services after logging into our system and viewing your customer account. We also fulfill our contractual obligations. Finally, we must keep registered users informed of important changes by email. This means that Art. 6 Para. 1 lit. b GDPR (implementation of pre-contractual measures, fulfillment of a contract) applies.
If necessary, we will also obtain your consent, e.g. if you voluntarily provide more data than is absolutely necessary or if we are allowed to send you advertising. Art. 6 paragraph 1 letter a of the GDPR (consent) therefore applies.
We also have a legitimate interest in knowing who we are dealing with in order to be able to contact you in certain cases. We also need to know who is using our services and whether they are being used in the way our terms of use stipulate, so Art. 6 (1) (f) GDPR (legitimate interests) applies.
Note: the following sections must be checked by users (as required):
Registration with real name
Since we need to know who we are dealing with in business operations, registration is only possible with your real name (full name) and not with pseudonyms.
Registration with pseudonyms
Pseudonyms can be used when registering, which means that you do not have to register with us using your real name. This ensures that we cannot process your name.
Storage of the IP address
During registration, login and account usage, we store the IP address in the background for security reasons in order to be able to determine lawful use.
Public Profile
The user profiles are publicly visible, which means that parts of the profile can be viewed on the Internet without providing a user name and password.
2-factor authentication (2FA)
Two-factor authentication (2FA) offers additional security when logging in, as it prevents people from logging in without a smartphone, for example. This technical measure to secure your account protects you from the loss of data or unauthorized access, even if your username and password are known. You can find out which 2FA is used when you register, log in, and in the account itself.
9. Payment providers
Payment Provider Privacy Policy Summary
👥 Affected: Visitors to the website
🤝 Purpose: Enabling and optimizing the payment process on our website
📓 Data processed: Data such as name, address, bank details (account number, credit card number, passwords, TANs, etc.), IP address and contract data. You can find more details in the payment provider tool you use.
📅 Storage period: depends on the payment provider used
⚖️ Legal basis: Art. 6 para. 1 lit. b GDPR (performance of a contract)
What is a payment provider?
We use online payment systems on our website that enable us and you to make payments safely and smoothly. Personal data may also be sent to the respective payment provider, stored there and processed there. Payment providers are online payment systems that allow you to place an order via online banking. The payment is processed by the payment provider you have chosen. We then receive information about the payment made. This method can be used by any user who has an active online banking account with PIN and TAN. There are hardly any banks that do not offer or accept such payment methods.
Why do we use payment providers on our website?
We naturally want to offer the best possible service with our website and our integrated online shop so that you feel comfortable on our site and use our offers. We know that your time is valuable and that payment processing in particular must work quickly and smoothly. For these reasons, we offer you various payment providers. You can choose your preferred payment provider and pay in the usual way.
What data is processed?
Which data is processed depends, of course, on the respective payment provider. However, data such as name, address, bank details (account number, credit card number, passwords, TANs, etc.) are generally stored. This is necessary data in order to be able to carry out a transaction at all. In addition, any contract data and user data, such as when you visit our website, which content you are interested in or which subpages you click on, can also be stored. Your IP address and information about the computer you are using are also stored by most payment providers.
The data is usually stored and processed on the payment providers' servers. We as website operators do not receive this data. We are only informed whether the payment was successful or not. Payment providers may forward data to the relevant department for identity and credit checks. The business and data protection principles of the respective provider always apply to all payment transactions. Therefore, please always read the general terms and conditions and the data protection declaration of the payment provider. You also have the right to have data deleted or corrected at any time, for example. Please contact the respective service provider regarding your rights (right of withdrawal, right to information and right to be affected).
Duration of data processing
We will inform you about the duration of data processing below if we have further information. In general, we only process personal data for as long as it is absolutely necessary to provide our services and products. If it is required by law, such as in the case of accounting, this storage period can also be exceeded. For example, we keep accounting documents relating to a contract (invoices, contract documents, bank statements, etc.) for 10 years (Section 147 AO) and other relevant business documents for 6 years (Section 247 HGB) after they arise.
Right to object
You always have the right to information, correction and deletion of your personal data. If you have any questions, you can contact the person responsible for the payment provider used at any time. You can find contact details either in our specific data protection declaration or on the website of the relevant payment provider.
You can delete, deactivate or manage cookies that payment providers use for their functions in your browser. This works in different ways depending on which browser you use. Please note, however, that the payment process may then no longer work.
Legal basis
In addition to traditional banking/credit institutions, we also offer other payment service providers for the processing of contractual or legal relationships (Art. 6 Para. 1 lit. b GDPR). The privacy policies of the individual payment providers (such as Amazon Payments, Apple Pay or Discover) provide you with a detailed overview of data processing and data storage. In addition, you can always address any questions you may have about data protection-related issues to the responsible persons.
Information about the specific payment providers – if available – can be found in the following sections.
giropay privacy policy
We use the online payment provider giropay on our website. The service provider is the German company paydirekt GmbH, Stephanstraße 14-16, 60313 Frankfurt am Main, Germany.
You can find out more about the data processed through the use of giropay in the privacy policy at https://www.giropay.de/agb/index.html.
PayPal Privacy Policy
We use the online payment service PayPal on our website. The service provider is the American company PayPal Inc. The company PayPal Europe (S.à rl et Cie, SCA, 22-24 Boulevard Royal, L-2449 Luxembourg) is responsible for the European region.
PayPal processes your data in the USA, among other places. We would like to point out that, in the opinion of the European Court of Justice, there is currently no adequate level of protection for data transfer to the USA. This can involve various risks for the legality and security of data processing.
PayPal uses so-called standard contractual clauses (= Art. 46 Para. 2 and 3 GDPR) as the basis for data processing for recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular in the USA) or for data transfer there. Standard contractual clauses (SCC) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to third countries (such as the USA) and stored there. Through these clauses, PayPal undertakes to comply with the European data protection level when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here, among other places: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de
For more information about the standard contractual clauses and the data processed through the use of PayPal, please see the privacy policy at https://www.paypal.com/webapps/mpp/ua/privacy-full.