Customer Service: +49 40 41 435 86 88

Privacy & Security Statement

This privacy policy explains the process, the purpose and the extent of our collection and usage of your personal data ("data") within our online service and connected websites, functions and content as well as external online entities such as our social media profiles ("online service"). With regard to terms such as "processing" or "responsible persons" we refer to the definitions in art. 4 of the General Data Protection Regulation (GDPR).

Responsible Persons

Kreativhaus oHG
Venusberg 12
DE-20459  Hamburg Deutschland
Email address: info@kreativhaus.de
Directors: Alexander Braren, Christian Braren
Imprint:  https://www.kreativhaus.de/impressum/
Contacting the data protection officer: info@kreativhaus.de

Types of processed data

- Inventory data (e.g. names, addresses).
- Contact data (e.g. email addresses, phone numbers).
- Content data (e.g. entered text, photos, videos).
- Usage data (e.g. visited websites, content interests, access times).
- Meta/communication data (e.g. device information, IP addresses).

Types of affected persons

Visitors and users of our online service ("user", "users").

Purpose of data processing

- Providing the online service, its functions and contents.
- Responding to requests and communicating with users.
- Security measures.
- Calculating reach/marketing.

Used Terminology

"Personal data" is all information relating to an identified or identifiable natural person ("affected person"). A person is identifiable if they can be identified, directly or indirectly, via allocation to an identification such as a name, an identification number, location data, online identification (e.g. cookie) or to one or more unique characteristics which are expressive of this natural person's physical, psychological, genetic, mental, economic, cultural or social identity.

"Processing" is every operation or number of operations, including automated processes, which involves personal data. The term encompasses practically any and all handling of data. 

"Pseudonymization" is the processing of personal data in such a way that the personal data can no longer be attributed to a specific affected person without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

"Profiling" is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, personal preferences, economic situation, reliability, health, interests, behavior, location or movements.

A "controller" is a natural or legal person, agency, public authority or other body which decides the purpose and procedure of processing personal data.

A "processor" is a natural or legal person, agency, public authority or other body which processes personal data on behalf of the controller.

Significant legal bases

In accordance with art. 13 GDPR we disclose the legal bases concerning data processing. If the legal basis is not disclosed in the privacy policy, the following takes effect: the legal basis for obtaining permission is art. 6 §1 lit. a and art. 7 GDPR, the legal basis for processing in order to fulfill services and perform contractual measures as well as answering requests is art. 6 §1 lit. b GDPR, the legal basis for processing in order to fulfill legal obligations is art. 6 §1 lit. c GDPR, and the legal basis for processing in order to protect our legitimate interests is art. 6 §1 lit. f GDPR. In the case that vital interests of affected persons or any other natural person require processing of personal data, a legal basis is provided by art. 6 §1 lit. d GDPR.

Security measures

In accordance with art. 32 GDPR and under consideration of the level of technology, cost of implementation and the nature, extent, context and purpose of processing as well as the likelihoods and significance of risks for rights and freedoms of natural persons, we have implemented suitable technical and administrative measures in order to grant an appropriate level of protection.

These measures include securing the confidentiality, integrity and availability of data via controlling physical access to data as well as their accessibility, entry, transfer, security of availability and their separation. Furthermore we have implemented methods which allow for support of affected persons, deletion of data and reaction to circumstances endangering data. Furthermore we take the protection of personal data into account during selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default (art.25 GDPR).

Cooperation with processors and third parties

If we transfer or grant access to data to other persons or companies (processors or third parties) during the process of processing data, it may only happen on the basis of a legal permission (such as when transferring data to a third party such as a payment provider is contractually required in accordance with art. 6 §1 lit. b GDPR), if the affected person has agreed, if a legal obligation is present or on the basis of our legitimate interests (e.g. during the use of representatives, web hosts etc.).

Should we task third parties with the processing of data on the basis of a so-called "processing contract", we do so on the basis of art. 28 GDPR.

Transferring to third countries

If data is processed in a third country (a country outside of the European Union (EU) or the European Economic Area (EEA)) by us, by third parties or due to sharing of data with third parties, it may only happen on the basis of your consent, fulfillment of our (pre)contractual obligations, due to legal obligations or on the basis of our legitimate interests. Due to legal or contractual terms we only allow data to be processed in a third country if certain conditions listed in art. 44 ff. GDPR are met. This means that the processing of data is subject to special guarantees, such as the official assessment of a data protection level equivalent to that of the EU (e.g. "privacy shield" in the US) or certain officially recognized contractual obligations (so-called "standard contractual clauses").

Rights of affected persons

In accordance with art. 15 GDPR you have the right to demand a confirmation of whether or not personal data is being processed, as well as to get disclosure on personal data and to receive information and copies of the data.

In accordance with art. 16 GDPR you have the right to demand the completion of incomplete data concerning you or the correction of incorrect data concerning you.

In accordance with art. 17 GDPR you have the right to demand immediate deletion of data concerning you. Furthermore, in accordance with art. 18 GDPR you have the right to demand a limitation on the processing of data concerning you.

In accordance with art. 20 GDPR you have the right to demand to receive data concerning you or to have it forwarded to other controllers.

Furthermore, in accordance with art. 77 GDPR you have the right to submit a complaint to the responsible regulatory authority.

Right to revoke

In accordance with art. 7 §3 GDPR you have the right to revoke given consent, with future effect.

Right to object

In accordance with art. 21 GDPR you may object to the processing of your data at any point. The objection may be made specifically against processing for the purpose of direct advertising.

Cookies and the right to object against direct advertising

A "cookie" is a small text file that a website saves on your computer. Different parameters may be saved within a cookie. The primary purpose of a cookie is to save information about the user (or, more accurately, his device) during and after his visit on an online service.

A temporary cookie, or "session cookie" or "transient cookie", is a cookie that is deleted after the user leaves the website and closes their browser. Such a cookie may contain data like login data or the content of a shopping cart in an online shop. A "permanent" or "persistent" cookie continues to be stored on your computer even after exiting the browser. This allows a user's login status to persist for several days even if the site is not visited by them. These cookies may also record users' preferences, which may be used for analysis or marketing purposes. While a "first party cookie" is offered by the website controller, a "third party cookie" is offered by a different provider.

We may use temporary and permanent cookies and will inform our users accordingly.

If users do not want cookies to be saved on their devices, they may deactivate the appropriate function in their browser options. Saved cookies may also be deleted in the browser's system settings. Disabling cookies may negatively affect the experience of browsing certain websites.

A general objection against the use of cookies for the purposes of online marketing, especially tracking, is explained by several services such as the US-American site https://www.aboutads.info/choices/ or the EU site https://www.youronlinechoices.com/.

Deletion of data

In accordance with art. 17 and 18 GDPR, data processed by us is deleted or has its access restricted. Unless specifically mentioned in this privacy policy, data is deleted as soon as it is no longer required for its intended purpose and is not affected by legal retention requirements. If data is not deleted due to being required for other, legally permissible purposes, it is restricted and may no longer be processed. This may be the case if data has to be stored due to mercantile or fiscal law.

Due to legal requirements in Germany, data is stored for 10 years in accordance with §§ 147 Abs. 1 AO, 257 Abs. 1 Nr.1 and 4, Abs. 4 HGB (this affects books, records, reports, vouchers, account books, documents relevant for taxation etc.) and 6 years in accordance with § 257 Abs. 1 Nr. 2 and 3, Abs 4 HGB (for commercial letters).

Due to legal requirements in Austria, accounting records, bills, accounts, receipts, business papers and statements of revenue and expenditure are stored for 7 years as dictated by § 132 Abs. 1 BAO. Data related to real estate is stored for 22 years. Documents regarding electronic services as well as television and telecommunication services that are provided to non-entrepreneurs and make use of the Mini-One-Stop-Shop (MOSS) are stored for 10 years.

Business related processing

Additionally we process contract data (e.g. contract subject, contract term, customer category) and payment data (e.g. bank details, payment history) of our customers, interested parties and business partners in order to meet contractual obligations, provide support and customer care and for the purposes of marketing, advertisement and market research.

Order handling in our online shop and customer account

We process our customers' data during the ordering process in our online shop. This allows for the selection and ordering of our products and services as well as their payment and delivery and/or implementation.

The processed data includes inventory data, communication data, contract data and payment data. The affected persons are customers, interested persons and other business partners. The processing takes place for the purpose of fulfilling contractual obligations within our online shop, billing, delivering products and supporting our customers. We utilize session cookies to store the contents of the online shopping cart and permanent cookies to store the user's login status.

The processing takes place on the basis of art. 6 § 1 lit. b (performance of the ordering process) and c (legal obligation to store data) GDPR. Data is only revealed to third parties if necessary for delivery or payment or in the scope of statutory requirements or duties to legal advisers and authorities. Data is only processed in third countries when necessary to perform a contract (e.g. delivery or payment as desired by a customer).

Users have the option to create a user account which they may use to view their orders. During registration, the user is informed of mandatory details they may have to enter. User accounts are not public and cannot be indexed by search engines. Should a user terminate their account, data relating to that account is deleted, unless storage is dictated by mercantile or fiscal law on the basis of art. 6 § 1 lit. c GDPR. Information related to user accounts is stored until deletion and may be archived in case of a legal obligation. In the case of an account being deleted, it is up to the user to secure their data before the contract runs out.

During registration and further logins as well as during use of our online services we store the IP address and time associated with each user action. This happens on the basis of our legitimate interest as well as to protect users from misuse and unauthorized usage of their accounts. This data is generally not passed on to third parties unless necessary to pursue our interests or required by law on the basis of art. 6 § 1 lit. c GDPR.

Data is deleted after statutory warranties and similar obligations have expired. Archived data is checked for necessity of storage every 3 years. If legal archiving obligations are present, data is deleted after 6 (commercial law) or 10 (fiscal law) years.

Contractual services

We process data of our contracting parties and interested parties as well as other customers, clients and contractors ("contractors") on the basis of art. 6 § 1 lit. b GDPR in order to fulfill contractual or preliminary performances. The processed data and the process, purpose, extent and necessity of their processing is determined by the underlying contract relationship.

Among the processed data of our contractors is master data (e.g. names and addresses), contact data (e.g. email addresses and phone numbers) as well as contractual data (e.g. requested services, contract contents, contractual communication, names of liaisons) and payment data (e.g. bank details, payment history).

We generally do not process special categories of personal data unless they are part of a commissioned or contractual processing.

We process data which is required to fulfill contractual services, and indicate their necessity, should it not be evident to our contractors. Transference of this data to external persons or companies only takes place if contractually required. While processing data acquired due to a contract, we act in correspondence with our contractors as well as legal requirements.

During use of our online services we may store the IP address and time associated with every user action. This storage takes place due to our legitimate interests as well as to protect our users' accounts from illegitimate use. This data is generally not passed on to third parties unless necessary to pursue our interests on the basis of art. 6 § 1 lit. f GDPR or required by law on the basis of art. 6 § 1 lit. c GDPR.

Deletion of data occurs when the data is no longer necessary for the fulfillment of contractual or legal obligations or for statutory warranties and similar obligations. Archived data is checked for necessity of storage every 3 years. Further retention obligations apply.

External payment service providers

We utilize external payment service providers which allow our users and us to carry out payment transactions. We utilize (for example, with links to their privacy policies):
- Paypal (https://www.paypal.com/en/webapps/mpp/ua/privacy-full)
- Klarna (https://www.klarna.com/uk/privacy-policy/)
- Skrill (https://www.skrill.com/en/footer/privacypolicy/)
- Giropay (https://www.giropay.de/rechtliches/datenschutz-agb/)
- Visa (https://www.visaeurope.com/privacy/)
- Mastercard (https://www.mastercard.com/en-lb/about-mastercard/what-we-do/privacy.html)
- American Express (https://www.americanexpress.com/mn/en/network/content/privacy-policy.html)
- Concardis (https://www.concardis.com/de-en/protecting-your-data)

In order to fulfill contractual obligations, we use payment service providers on the basis of art. 6 § 1 lit. b GDPR. We furthermore use external payment service providers on the basis of our legitimate interests in accordance with art. 6 §1 lit. f GDPR to offer our users a convenient and secure payment method.

Among the data processed by payment service providers is master data such as name and address, bank data such as account numbers or credit card numbers, passwords, TANs and checksums as well as contract details, sums and recipient details. This data is required to complete the transaction. However, this data is only processed and stored by the payment service providers, which means that we do not receive data related to your bank account or credit card. We only receive information on whether or not the payment was successful. Under certain circumstances, the payment service providers may transmit data to credit agencies in order to confirm identity and credit rating. Please refer to the terms and conditions and the privacy policies of the payment service providers for more information.

The terms and conditions and privacy policies of each payment service provider apply to transactions on their respective website or application. Please also refer to them for more information and for potential cancellation, disclosure and other rights.

Administration, accounting, office management, contact management

We process data for administrative purposes as well as to organize our business, accounting and to adhere to legal obligations, such as archiving. During this, we process the same data as during our contractual services. The bases for processing are art. 6 §1 lit. c and lit. f GDPR. Affected by processing are customers, interested parties, business partners and website visitors. The purpose of and our interest in processing is based in administration, accounting, office management and the archiving of data, which are tasks that serve the maintenance of our business activities and allow us to perform our services. The deletion of data with regard to contractual obligations and communication complies with these same terms.

During this, we reveal or transfer data to financial management, advisors such as tax consultants or auditors as well as other payment service providers.

Furthermore, based on business interests, we collect details about suppliers, organizers and other business partners in order to contact them later. We usually store this data permanently, as it is mostly business related.

Business analyses and market research

In order to economically run our business and to detect market trends as well as our customers' and users' wishes, we analyze available data on business transactions, contracts, requests etc. We process inventory data, communication data, contract data, payment data, usage data, and meta data on the basis of art. 6 §1 lit. f GDPR. Affected persons include contractual partners, interested parties, customers, visitors and users of our online services.

These analyses are conducted for the purposes of business assessment, management and market research. During this, we may take into account profiles of registered users and their data concerning, among other things, requested services. These analyses allow us to improve user-friendliness, optimization of our offers and the efficiency of our business practices. The analyses are only performed and utilized by us and are not revealed to external parties, unless they are anonymous analyses with summarized results.

If these analyses or profiles contain personal data, they are deleted or anonymized upon account termination, otherwise two years after conclusion of the contract. Generally, business analyses and trend determinations are created anonymously if possible.

Amazon partner program

On the basis of our legitimate interests (interest in the economic operation of our online services in accordance with art.6 §1 lit. f GDPR), we participate in an affiliate program by Amazon EU. This program allows websites to place ads and links to amazon.com in order to receive advertising cost compensation. This means that Amazon partners earn money from qualified purchases.

Amazon uses cookies to determine the origin of an order. Among other things, Amazon can recognize that you clicked the partner link on this website and subsequently ordered a product from Amazon.

Further information on how Amazon uses data and ways to object to it can be found in their privacy statement: https://www.amazon.com/gp/help/customer/display.html?nodeId=468496 .

Attention: Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or affiliated companies.

Registration

Users have the ability to create a user account. During registration, the user is informed of certain mandatory details they may have to enter, which are processed on the basis of art. 6 §1 lit. b GDPR in order to provide the user account. Among the processed data is login information (name, password and an email address). Data entered during registration are used for purposes related to the usage of the user account.

Users may be contacted via email to receive information relevant to their user account, e.g. technical changes. When users terminate their account, data relating to their account is deleted, unless subject to legal retention obligations. In the case of an account being deleted, it is up to the user to secure their data before the contract runs out. We are authorized to irreversibly delete any user data during the contractual period.

During registration and further logins as well as during use of our online services we store the IP address and time associated with each user action. This happens on the basis of our legitimate interest as well as to protect users from misuse and unauthorized usage of their accounts. This data is generally not passed on to third parties unless necessary to pursue our interests or required by law on the basis of art. 6 § 1 lit. c GDPR. Stored IP addresses are deleted or anonymized after a maximum of 7 days.

Contacting

When contacting us (via contact form, email, phone or social media), user details are processed for the purposes of handling the contact request in accordance with art. 6 §1 lit. b GDPR. User details may be stored in a customer relationship management system ("CRM system") or a similar request organization system.

We delete requests as soon as they are no longer required. Archived data is checked for necessity of storage every 2 years. Further retention obligations apply.

Hosting and email dispatch

The hosting services we make use of provide the following: infrastructural and platform services, computing capacity, storage space and database services, email functions, security services and technical maintenance services we use to run our online service.

For this we process, among other things, our host providers inventory data, contact data, content data, contractual data, usage data, meta- and communication data of customers, interested parties and visitors of our online service on the basis of our reasonable interests in an efficient and safe provision of our online service in accordance with art. 6 §1 lit. f GDPR and art. 28 GDPR.

Collection of access data and log files

We, or rather our host provider, collect data about any access to the server hosting this service (so-called log files) on the basis of our reasonable interests according to art. 6 §1 lit. f GDPR. Access data include the name of the requested website, files, date and time of the request, transferred volume of data, report of a successful request, browser type and version, operating system, referrer URL (the previously visited website), IP address and the requesting provider.

For security purposes (e.g. to prevent or investigate acts of misuse or fraud), log files are stored for a maximum of 7 days and then deleted. Data required as proof or other purposes are excepted from deletion until the related incident is cleared.

Google Tag Manager

Google Tag Manager is a service which we use to manage so-called website tags via an interface, which allows us to integrate Google Analytics and other Google marketing services into our online services. The Tag Manager itself (which implements the tags) does not process personal user data. Concerning the processing of user data, we refer to the following information on Google services. Tag manager policy: https://www.google.com/intl/de/tagmanager/use-policy.html

Google Analytics

On the basis of our legitimate interests (interest in analysis, optimization and efficient operation of our online service in accordance with art. 6 §1 lit. f GDPR) we use Google Analytics, a web analysis service of Google LLC ("Google"). Google uses cookies. Collected data about usage of the online service by users are generally transferred to a server in the USA and stored there.

Google is certified under the Privacy Shield agreement, offering a guarantee to comply with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

Google uses this data on our behalf to process usage of our online services, to create reports concerning activity in our online service, and to provide us with other services related to online services and internet usage. During this, the processed data may be used to create pseudonymous usage profiles of users.

We only use Google Analytics with enabled IP anonymisation. This means that the users' IP addresses are truncated in an EU member state or an EEA member state. Only in exceptional cases are full IP addresses transmitted to a Google server in the United States and truncated there.

The IP address transmitted by the user's browser is not combined with other data collected by Google. Users can prevent the storage of cookies using the appropriate option in their browser software. Furthermore, users may prevent the collection and processing of data related to the use of the online service by Google by downloading and installing the browser plugin linked here: https://tools.google.com/dlpage/gaoptout?hl=en

Further information on how Google uses data, settings and options to object can be found in their privacy policy (https://policies.google.com/technologies/ads) and in their settings regarding advertisements placed by Google (https://adssettings.google.com/authenticated).

Personal data is deleted or anonymized after 14 months.

Target group formation with Google Analytics

We use Google Analytics to only show our advertisements hosted via Google and its partners to users who show interest in our online service or exhibit certain characteristics (e.g. interest in certain themes or products as demonstrated by visiting related websites), which we transmitted to Google (so-called "Remarketing-" or "Google Analytics Audiences"). Using remarketing audiences, we want to make sure that our adverts correspond to potential user interest.

Google AdWords and Conversion measurement

On the basis of our legitimate interests (interest in analysis, optimization and efficient operation of our online service in accordance with art. 6 §1 lit. f GDPR) we use the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, ("Google").

Google is certified under the Privacy Shield agreement, offering a guarantee to comply with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

We use the online marketing service Google "AdWords" to place ads in the Google advertisement network (e.g. search results, in videos, on websites, etc.) so they are shown to users who may be interested in the adverts. This allows us to display ads within and for our online service more precisely to only present them to users with appropriate interests. If a user is shown, for instance, advertisements for products which he showed interest in on other websites, it is called "remarketing". For this purpose, upon visiting our or other websites on which the Google advertisement network is active, Google immediately executes code which binds (re)marketing tags (invisible graphics or code, also known as "web beacons") into the website. They in turn store cookies on the user's device. These cookies contain data about which website the user visits and what content interests them, and further technical data on the browser and operating system, referral websites, the time of visit and further information on the use of the online service.

Furthermore we receive a unique "conversion cookie". Google uses the data collected by this cookie to create conversion statistics for us. We only receive the anonymous total amount of users who clicked on our ad and were forwarded to a site containing a conversion tracking tag. We receive no data that could be used to identify a user.

User data is pseudonymously processed within the Google ad network. This means that Google does not store data like the name or email of users, only relevant cookie-related data contained in pseudonymous user profiles. This in turn means that Google manages ads not for identifiable persons, but for cookie owners, regardless of who they may be. This is not the case if a user has explicitly allowed Google to process their data without pseudonymization. Collected user data is transmitted to Google and stored on Google servers in the USA.

Further information on how Google uses data, settings and options to object can be found in their privacy policy (https://policies.google.com/technologies/ads) and in their settings regarding advertisements placed by Google (https://adssettings.google.com/authenticated).

Online presence in social media

We maintain an online presence on social media websites and platforms in order to communicate with customers, interested parties and users and inform them of our offers and services. Visits to those websites and platforms are subject to their own privacy policies and terms and conditions.

Unless stated differently within our privacy policy, we process user data if they communicate with us on social media websites and platforms, e.g. if they leave comments on our pages or message us.

Integration of third party contents and services

On the basis of our legitimate interests (interest in analysis, optimization and efficient operation of our online service in accordance with art. 6 §1 lit. f GDPR) we use content and/or services of third party providers, such as videos or fonts ("content").

This requires the providers of these contents to see the user's IP address, as they cannot send the contents to the user's browser without the IP address. We endeavor to only use content of providers who use IP addresses only in order to deliver content. Furthermore, third party providers may use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical and marketing purposes. "Pixel tags" can be used to process information such as the number of visitors on the pages within this website. Pseudonymous information may further be stored in cookies on the user's end device, which may contain technical information about the browser and operating system, referring websites, time of visit and further data on the use of our online services, and may be connected to similar data from different sources.

Vimeo

We may embed videos of the platform "Vimeo" by provider Vimeo Inc., Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA, in our website. Privacy policy: https://vimeo.com/privacy. We point out that Vimeo may use Google Analytics and refer to its privacy policy (https://policies.google.com/privacy) as well as possibilities to opt out (https://tools.google.com/dlpage/gaoptout?hl=de) and the options by Google for data usage for marketing purposes (https://adssettings.google.com/).

YouTube

We may embed videos of the platform "YouTube" by provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, in our website. Privacy policy: https://policies.google.com/privacy. Opt out: https://adssettings.google.com/.

Google Fonts

We use the fonts ("Google Fonts") by provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, on our website. Privacy policy: https://policies.google.com/privacy. Opt out: https://adssettings.google.com/.

Google ReCaptcha

We use the function for the recognition of bots, e.g. when inputting online forms ("ReCaptcha") by provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, on our website. Privacy policy: https://policies.google.com/privacy. Opt out: https://adssettings.google.com/.

Google Maps

We use maps of the service "Google Maps" by provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, on our website. Among the processed data are the IP addresses and location information, which are not collected without the user's consent (usually regulated via the mobile device's options). The data may be processed in the USA. Privacy policy: https://policies.google.com/privacy. Opt out: https://adssettings.google.com/.