Data protection information within the meaning of Art. 13 and 14 GDPR

In this data protection information, we provide comprehensive information about how we handle personal data and inform you about your rights.

 

1. Name and contact details of the responsible entity for data processing and of the data protection officer


 

This data privacy information applies to data processing by:


Responsible entity within the meaning of Art. 4 No. 7 GDPR:
LaVita GmbH (hereinafter referred to as LaVita)
Ziegelfeldstraße 10, 84036 Kumhausen, Germany
 

Email: info@lavita.com
Telephone: +49 871/972 170
Fax: +49 871/972 1717
 

The data protection officer of LaVita can be reached at the above address, attn: Data Protection Department, or at datenschutz@lavita.de.

 


 

2. Collection and storage of personal data, as well as the nature and purpose of processing



 

a) When visiting the website

When you visit our website www.lavita.com, the browser on your device automatically sends information to the server of our website. This information is temporarily stored in a so-called log file. The following information will be collected without any action on your part and stored until it is automatically deleted:
 

  • IP address of the end device making the request,
  • Date and time of access,
  • Name and URL of the accessed file,
  • Website from which access is made (referrer URL),
  • The browser used and, where applicable, the operating system of your end device and your screen resolution.


The above-mentioned data will be processed by us for the following purposes:
 

  • To ensure a smooth connection to the website,
  • To ensure a comfortable use of our website,
  • To analyse system security and stability and
  • for other administrative purposes.


The legal basis for the processing of data is Article 6(1)(1)(f) of the GDPR. Our legitimate interest is based on the purposes for data collection listed above. We do not use the collected data to identify you personally.

In addition, we use cookies and analytics services when you visit our website. For more details see Sections 4 and 5 of this data protection information.

 

b) When you place an order in our online shop as a guest

When you order products from our website as a guest, we collect the following information:
 

  • Title, first name, last name,
  • A valid email address,
  • Address,
  • Payment details depending on the payment method you have selected (such as bank details or PayPal account data).


This data is collected for the following purposes:
 

  • To identify you as our contractual partner;
  • To verify the plausibility of the entered data;
  • For the payment processing of your order;
  • To handle any existing warranty claims and to assert any claims against you;
    • an alternative delivery address.


The data processing is carried out following your query and is necessary according to Article 6(1)(1)(b) of the GDPR for the purposes mentioned for the fulfilment of the contract and pre-contractual measures.

In order to ensure smooth and easy processing of your order and for faster clarification of any queries, you can also voluntarily provide your telephone number. Your telephone number is processed in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR on the basis of our aforementioned legitimate interests.

The personal data collected by us for the order will be stored until the expiry of the statutory warranty obligation and will then be automatically deleted unless, according to Article 6(1)(1)(c) of the GDPR, we are obliged to store it for a longer period due to tax and commercial law storage and documentation obligations (as per HGB (German Commercial Code), StGB (German Criminal Code) or AO (German Tax Code)) or you have consented to storage beyond this period in accordance with Article 6(1)(1)(a) of the GDPR.

 

c) When you set up a user account

You have the option to set up a password-protected user account with us, in which we store your personal data. This serves the purpose of providing you with the greatest possible convenience in processing your orders by enabling a simpler, faster and more personalised purchasing experience.

If you wish to set up a password-protected user account with us, we require the following information from you:
 

  • Title, first name, last name,
  • address and
  • a valid email address.


To create a user account, you must provide a password of your own choice. Along with your email address, the password gives you access to your user account. In your user account, you can view and change the data stored about you at any time.

We only store your personal data in a user account if you have voluntarily given us your consent according to Article 6(1)(1)(a) of the GDPR.

You do not need a user account to use our website or to place orders with us. We offer you the option to place an order as a guest (see Section 2. b). However, in this case you will have to re-enter your data every time you place an order.

Once your user account is deleted, the data collected by us will be automatically deleted unless, according to Article 6(1)(1)(c) of the GDPR, we are obliged to store it for a longer period due to tax and commercial law storage and documentation obligations (as per HGB (German Commercial Code), StGB (German Criminal Code) or AO (German Tax Code)) or you have consented to storage beyond this period in accordance with Article 6(1)(1)(a) of the GDPR.


 

d) When you sign up for our newsletter

Provided you gave your express consent in accordance with Article 6(1)(1)(a) of the GDPR and Section 7 (2) No. 1 UWG, we use your email address to regularly send you our newsletter. To receive the newsletter, all you need to do is provide your email address in the newsletter form.

In certain circumstances we may use your email address pursuant to § 7 para. 3 UWG, in order to send you information about similar products from our company, provided you are an existing customer and have not objected to the use of your email address for this purpose.

In both cases you can unsubscribe at any time, for example, by clicking the link at the end of the newsletter. Alternatively, you are welcome to email your request to unsubscribe at any time via info@lavita.com.

If we send you email newsletters, these newsletters contain elements that respond to the reading or confirmation of links within the newsletter and are associated with an individual technical identifier. We use this information on the basis of our legitimate interest in a statistical evaluation of all feedback information obtained from the use of the newsletter in order to improve the newsletter service for you. The legal basis in this respect is Art. 6 para. 1 sentence 1 lit. f GDPR. For newsletter campaign automation, we use the services of Bloomreach/Exponea (see 5. a) V.).

 

e) When using our contact form

If you have any questions, you can contact us by using the contact form provided on the website. You will need to provide us with a valid email address so that we know who is asking the question and to allow us to reply. Additional information can be provided voluntarily.

Data processing for the purpose of establishing contact with us is based on Article 6(1)(1)(a) of the GDPR on the basis of your voluntarily granted consent. You can revoke this consent at any time with effect for the future by sending an e-mail to info@lavita.de.

The personal data we collect when you use the contact form is automatically deleted once we have dealt with your inquiry.

 

f) When submitting an application via the online form

You have the opportunity to apply for the positions advertised on our website using the online application form. The following personal data will be processed as part of the application process:
 

  • Identification and contact details (e.g. name, address, telephone number, e-mail address)
  • Application documents (e.g. job title, start date, CV, certificates, proof of qualifications, cover letter)


The provision of the aforementioned data is necessary for our application process. If you do not provide this data, we will not be able to consider your application.

We process your personal data in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR in conjunction with Section 26 (1) of the Federal Data Protection Act (BDSG) in order to be able to make a decision on the establishment of an employment relationship. In addition, you may provide further information that we process on the basis of our legitimate interest in the proper processing of your application on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR. If an employment relationship is established with you, you will be informed in a separate document about the data processing in the context of the employment relationship.

Insofar as processing is necessary for the defense against legal claims, it is carried out on the basis of our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR in the defense or enforcement of claims, e.g. under the AGG.

Information provided voluntarily is processed on the basis of your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR and, in the case of special categories of personal data, in accordance with Art. 9 para. 2 lit. a GDPR. You can revoke your consent at any time with effect for the future, but we will then not be able to consider the information provided on this basis in the application process.

Personal data is regularly deleted 6 months after the end of the application process, unless you have consented to longer storage in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR or longer storage is necessary due to our legitimate interest in the assertion or defense of legal claims (Art. 6 para. 1 sentence 1 lit. f GDPR; max. further 6 months).

To process your application, we use the service provider Personio SE & Co. KG (Seidlstraße 3, 80335 Munich), with whom we have concluded an order processing contract in accordance with Art. 28 para. 2 GDPR.

3. Data transfer

Your data is not passed on to third parties for any purposes other than those listed below.
 

a) For contract execution

Insofar as this is legally permissible and required in accordance with Article 6(1)(1)(b) of the GDPR for the processing of contractual relationships, your personal data is passed on to third parties. This includes, in particular, the transfer to shipping companies for the purpose of delivering the goods you ordered and the transfer of payment data to payment service providers or banks to facilitate the payment transaction. The data shared with third parties may only be used by these for the specified purposes.
 

b) For billing purposes

Based on our legitimate interests pursuant to Article 6(1)(1)(f) of the GDPR we may also transfer your data to our partners. The transfer of your data to our partners is necessary for general billing purposes. This economic interest is to be regarded as a legitimate interest within the meaning of Article 6(1)(1)(f) of the GDPR.
 

c) For other purposes

In addition to the above, we only transfer your personal data to third parties in the following cases:
 

  • You have given express consent in accordance with Article 6(1)(1)(a) of the GDPR;
  • the transfer of data in accordance with Article 6(1)(1)(f) of the GDPR is required for the assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding legitimate interest in your data not being passed on, and
  • in the event of there being a legal obligation to transfer the data in accordance with Article 6(1)(1)(c) of the GDPR.


 

4. Cookies

We use cookies or similar technologies such as pixels, tags or web beacons (hereinafter uniformly referred to as “cookies”) on our website. These are small files that your browser automatically creates and that are stored on your end device (laptop, tablet, smartphone, etc.) when you visit our website. Cookies do not cause any damage to your end device and do not contain any viruses, Trojans or other malware.

Information is stored in the cookie that results in each case in connection with the specific end device used. However, this does not mean that we obtain direct knowledge of your identity. Cookies send your IP address, the referrer URL of the website visited, the time at which the website was viewed, the browser used and previously set cookie information to a web server. This enables us to perform and offer the services described in this data protection information.

On the one hand, the use of cookies serves to make the use of our website more pleasant for you. For example, we use so-called session cookies to recognize that you have already visited individual pages of our website, that you have already logged into your user account or to display your shopping cart. These are automatically deleted after you leave our site. The data processed by these cookies is required for the aforementioned purposes to safeguard our legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR and technically in accordance with Section 25 para. 2 no. 2 TDDDG in order to provide a service requested by you.

In addition, we also use temporary cookies to optimize user-friendliness, which are stored on your end device for a specified period of time. If you visit our site again to use our services, it is automatically recognized that you have already visited us and which entries and settings you have made so that you do not have to enter them again. The data processed by these cookies is required for the aforementioned purposes to safeguard our legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR and technically in accordance with Section 25 para. 2 no. 2 TDDDG in order to offer a service requested by you.

On the other hand, we use cookies to statistically record the use of our website and to evaluate it for the purpose of optimizing our offer for you (see section 5). These cookies are set if you have given your explicit consent when accessing our website, Art. 6 para. 1 sentence 1 lit. a GDPR and § 25 para. 1 TDDDG. You can revoke your consent at any time with effect for the future. If you are accessing our website for the first time or would like to change your past decision, you can make your settings via our cookie banner. You can find the cookie banner in the footer of our website at any time. We save your settings on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in functioning consent management. We base the technical use on § 25 para. 2 no. 2 TDDDG, as this is necessary for the functionality of the website.

Most browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer or a message always appears before a new cookie is created. However, completely deactivating cookies may mean that you cannot use all the functions of our website. You can prevent the use of cookies on our website by using appropriate tools or browser add-ons (e.g. the “AdBlock” add-on for the Firefox browser).

The cookies are automatically deleted after a defined period of time. You will find more detailed information in the relevant data processing section.


 

5. Analysis tools



 

a) Tracking tools

The tracking measures listed below and used by us are carried out based on your consent pursuant to Article 6(1)(1)(a) of the GDPR. With these tracking measures we want to ensure that our website is designed to meet requirements and is continually improved. Furthermore, we use the tracking measures to statistically analyse the use of our website and to evaluate it for the purpose of optimising our services for you.

The respective data processing purposes and data categories can be found in the relevant tracking tools.

 

I.) Google Analytics 4

We use Google Analytics, a web analysis service of Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland; hereinafter referred to as 'Google') to design our web pages in line with needs and to continuously improve them. In this context, pseudonymised user profiles are created and cookies (see Section 4) are used. The information generated by the cookie about your use of this website, such as
 

  • browser type/version,
  • operating system used,
  • referrer URL (the page previously visited),
  • host name of the accessing end device (IP address),
  • time of server request,


is transmitted to a Google server in the USA and stored there. For the USA, the EU Commission has issued an adequacy decision (EU-US Data Privacy Framework, “DPF” for short), which applies to certified companies. Google is DPF-certified. This ensures that there is a level of protection comparable to that in the EU.

The information is used to evaluate the use of the website, to compile reports on website activity and to provide other services related to website and internet usage for the purposes of market research and the needs-based design of these internet pages. This information may be passed on to third parties insofar as the law requires this or if third parties process the data on another party’s behalf. Under no circumstances will your IP address be associated with other data stored by Google. The IP addresses are anonymised, which means that it is not possible to identify specific individuals (IP masking). The data processed by Google is generally deleted automatically after 14 months.

The legal basis for the use of Google Analytics 4 is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR and Section 25 para. 1 TDDDG. You can revoke your consent at any time with effect for the future, for example via the cookie settings in the footer of our website.

You can prevent the installation of the cookies by selecting the appropriate settings in your browser; please note, however, that in this case it is possible that you will not be able to use all the features of this website.

You can additionally prevent the collection of data generated by the cookie and associated with your use of the website (including your IP address), its transmission to and its processing by Google by downloading and installing a browser add-on.

As an alternative to the browser add-on, especially for browsers on mobile devices, you can also prevent data collection by Google Analytics by clicking on this link. This sets an opt-out cookie, which prevents the future collection of your data when visiting this website. The opt-out cookie is only valid for this browser and only for our website and is stored on your device. If you delete the cookies in this browser, you have to set the opt-out cookie again.

For more information on data protection in connection with Google Analytics, please consult the Google Analytics help centre.

 
 

II.) Google Adwords Conversion Tracking

To statistically capture the use of our website and to evaluate it for the purpose of optimising our offer for you, we also use Google Conversion Tracking. Google AdWords then sets a cookie (see Section 4) on your end device if you have accessed our website via a Google ad.

These cookies expire after 30 days and do not personally identify a user. If the user visits certain pages of the website of the AdWords customer and the cookie has not yet expired, then Google and the customer can see that the user clicked on the ad and was redirected to this page.

Every AdWords customer receives a different cookie. This means that cookies cannot be tracked through the websites of other AdWords customers. The information collected by conversion cookies only serves to generate conversion statistics for AdWords customers who have decided to use conversion tracking. Customers find out the total number of users who have clicked on their ads and who have been redirected to a page with a conversion tracking tag. They do not, however, receive any information that could be used to identify users personally.

We also use the “Enhanced Conversions” function. If you enter personal data (e.g. your e-mail address) during an order or contact process, this information is hashed using SHA-256, both for data from the respective cookie on the browser side and for data uploaded to our server, and then transmitted to Google. The hash enables Google to correctly assign conversions to an ad click even if cookies are not available due to browser settings, ad blockers or technical restrictions. Google uses the hash exclusively for matching with existing Google signals; it is not used for remarketing purposes.

The legal basis for the use of Google Adwords Conversion Tracking and Enhanced Conversions is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR and Section 25 para. 1 TDDDG. You can revoke your consent at any time with effect for the future, for example via the cookie settings in the footer of our website.

If you do not wish to participate in the tracking process, you can also refuse the setting of a cookie required for this – for example, by a browser setting that generally disables the automatic setting of cookies. You can also revoke your consent to conversion tracking, including enhanced conversions, at any time in the cookie banner on our website. You can also disable cookies for conversion tracking by setting your browser to block cookies from the domain 'www.googleadservices.com'. You can find Google's data protection information about conversion tracking here.

 
 

III.) Google Tag Manager

Google Tag Manager is a solution that allows us to manage so-called website tags through an interface (thereby integrating Google Analytics and other Google marketing services into our online offer). Google Tag Manager is used to facilitate the integration of services and tools that improve the usability and performance of our website. This enables efficient management and updating of tags on our website and at the same time provides an additional layer of security by allowing the data to be filtered and modified before it is passed on.

The legal basis is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, insofar as personal data is processed by the integrated tags. You can revoke your consent at any time with effect for the future, for example in the cookie banner on our website.

It cannot be ruled out that personal data may be transferred to servers in third countries and processed there by the integrated tags. These transfers are carried out by the respective services, which are triggered by the Google Tag Manager. For the USA, the EU Commission has issued an adequacy decision (EU-US Data Privacy Framework, “DPF” for short), which applies to certified companies. Google is DPF-certified. This ensures that there is a level of protection comparable to that in the EU.

You can find further information from Google at https://www.google.com/intl/de/tagmanager/use-policy.html.

 

IV.) Microsoft Advertising 

We use Universal Event Tracking (UET) from Microsoft Advertising. This is a service provided by Microsoft Ireland Operations Ltd (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; hereinafter referred to as “Microsoft”). This enables us to track the activities of users on our website if they have reached our website via advertisements from Microsoft Advertising.

If you reach our website via a Microsoft Advertising ad, a cookie (see section 4) is set on your device. A UET tag is integrated on our website. This is a code that is used in conjunction with the cookie to store some data about the use of the website. This includes, among other things, the time spent on the website, which areas of the website were accessed and which advertisement the user used to access the website. Information about your identity is not recorded.

We process your data on the basis of your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR (for data processing) and Section 25 para. 1 sentence 1 TDDDG (for technical provision). You can revoke your consent at any time with effect for the future, for example in the cookie banner on our website.

It cannot be ruled out that your personal data will also be transferred to Microsoft Corporation servers in the USA and processed there. For the USA, the EU Commission has issued an adequacy decision (EU-US Data Privacy Framework, “DPF” for short), which applies to certified companies. Microsoft is DPF-certified. This ensures that a level of protection comparable to that in the EU exists.

The data collected by Microsoft Advertising is stored by default for a period of 180 days and then automatically deleted. Alternatively, other storage periods can be configured, such as deletion after 30 days or 365 days, depending on the retention periods specified by us and Microsoft's internal guidelines.

You can find more information about UET from Microsoft Advertising on the Microsoft website.

Further information on data protection at Microsoft can be found in Microsoft's privacy policy.

 
 

V.) BloomReach Exponea

This website uses the Exponea service of BloomReach B.V. Keizergracht 125, 1015 CJ Amsterdam, Netherlands (hereinafter “Exponea”) for interest-based marketing purposes, retargeting, optimization of our website, analysis of your surfing behavior and marketing campaign automation. In addition, certain content modules of our website (e.g. text modules, image elements, buttons) are delivered via the service.

Exponea uses the following cookies (see section 4) to collect information about the use of our website: https://docs.exponea.com/docs/cookies-storage. Exponea is integrated into our website as JavaScript code, which sets the aforementioned cookies and transmits data to the Bloomreach servers.

The data collected by the cookies contains the following information: IP address, login data, time zone setting, operating system and platform, information about visits including URL, search terms, information about what you have searched for or viewed on our site, website response time, download errors, duration of visits to certain pages, information about website interaction (e.g. scrolling, clicks and mouse-overs) and the methods used to leave the page, user activity, web page browsing.

The combination of this data allows us to create pseudonymized user profiles in order to provide personalized content (see processing purposes above). Personal data such as names or contact details are only processed if you have provided them to us separately (e.g. as part of a registration); however, such identification data is not required for the pure tracking functions of Exponea and data processing generally takes place within the European Union (EU). Bloomreach operates Exponea on Google Cloud infrastructure in data centers in Europe (currently e.g. in Belgium and London). Your tracking data is therefore preferably stored and processed on servers within the EU. In individual cases, server locations outside the EU (e.g. in the USA or Canada) may also be used for support or for operational reasons. This is the case, for example, if technical support for processing is provided by the US parent company Bloomreach, Inc. For such cases, we have agreed suitable guarantees with the service provider in accordance with Art. 44 et seq. GDPR, in particular the EU standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR. Bloomreach has also certified its compliance with the EU-U.S. Data Privacy Framework (“DPF”), so that an adequate level of protection of your data is guaranteed.

The legal basis for data processing in the course of the delivery of certain content modules of our website (e.g. text modules, image elements, buttons) is Art. 6 para. 1 lit. f GDPR, due to our legitimate interest in the technical provision of our website.

Data processing for the purpose of interest-based marketing, retargeting, optimization of our website, analysis of your surfing behavior and marketing campaign automation using Exponea is based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. You can revoke your consent at any time with effect for the future, e.g. by adjusting your cookie settings via our website or by sending us a corresponding message.

You can find further information on data protection at https://www.bloomreach.com/de/legal/privacy.

 

VI.) OpenReplay

OpenReplay, a service provided by Asayer SAS, 16 Rue Washington, 75008 Paris, France, is an open source session replay software that we use to analyze how users use our platform. A JavaScript records website visits (DOM changes, mouse/touch interactions, network calls, console logs, performance metrics, etc.) to reproduce errors, identify UX problems and enable product optimizations and support functions. OpenReplay provides us with records for this purpose, which we can use to track and thus rectify activities on the platform in the event of a problem (“bugs”).

If personal data is processed in individual cases, this is done on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR due to our legitimate interests in effective troubleshooting and security monitoring.

OpenReplay is configured in such a way that all entered data is anonymised and obscured for recording. This process of anonymisation means that only the course of action of the user and the occurrence of bugs are recorded and documented. Any personal data will be automatically anonymised and obscured. Furthermore, OpenReplay does not store any personal data.

For support access, data may be transferred to OpenReplay servers in the USA. Data processing generally takes place within the European Union (EU). Asayer SAS operates OpenReplay on Google Cloud infrastructure in data centers in Europe (currently e.g. in Belgium and London). In individual cases, server locations outside the EU (e.g. in the USA or Canada) may also be used for support or for operational reasons. This is the case, for example, if technical support for processing is provided by the US parent company Asayer, Inc. For such cases, we have agreed suitable guarantees with the service provider in accordance with Art. 44 et seq. GDPR, in particular the EU standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR. Asayer, Inc. has also certified its compliance with the EU-U.S. Data Privacy Framework (“DPF”), so that an adequate level of protection of your data is guaranteed.

 

VII.) etracker

We use the services of etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, to analyze usage data of our website.

We only use personal data for visitor counting, which the browser transmits anyway. However, we anonymize this data for the further purpose of “analysis of user behaviour”, as we do not create user profiles. Web analysis is therefore not carried out using personal data, but with the help of so-called “cross-device IDs”, which cannot be related to individual users. We use etracker without cookies. Nor does etracker use any other identifiers.

The legal basis for the processing of your personal data to analyze your user behavior is Art. 6 para. 1 sentence 1 lit. f GDPR. The improvement of our website is to be classified as a legitimate interest within the meaning of this provision and will not be used for any other purpose, merged with other data or passed on to third parties.

You can object to the data processing described above at any time by clicking on the slider. The objection has no negative consequences. If no slider is displayed, data collection has already been prevented by other blocking measures.

  

VIII.) Pirsch.io

We also use Pirsch Analytics from Emvi Software GmbH, Nickelstr. 1b, 33378 Rheda-Wiedenbrück, Germany, for reach and usage analysis, error diagnosis and performance monitoring as well as for the purpose of optimizing our website. Pirsch Analytics is a cookie-free web analytics software that was developed according to the Privacy by Design principle. To analyze visitor flows, Pirsch Analytics uses a hashing algorithm to generate a 16-digit number as the visitor ID when the page request is received. The input values are the IP address, the user agent, the date and a salt. The visitor's IP address is not persisted in whole or in part, and is anonymized completely and non-reversibly by the hash. The inclusion of the date and the use of one salt per website ensures that website visitors cannot be recognized for more than 24 hours and cannot be tracked across multiple websites. A rough localization (country/city) is performed via a locally integrated database.

The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR due to our legitimate interest in data protection-friendly reach measurement and § 25 para. 2 no. 2 TDDDG, as no information is stored or read out on the end device. 


 

b) Targeting and remarketing tools

We use targeting measures to ensure that only advertisements aligned with your actual or assumed interests are displayed on your devices.

We also use remarketing on our website. This is a method through which we aim to re-engage with you. Through this application, our advertisements can be displayed to you during your internet use after you have visited our website. The aim of remarketing is successful interaction with our offer. This is done by means of cookies stored in your browser, which are used to record and analyse your usage behaviour when visiting various websites via tracking partners. This allows tracking partners to know that you have visited our website. The data collected during remarketing is not combined with your personal data stored by the tracking partners. In particular, tracking partners use pseudonymisation in their remarketing.

The respective data processing purposes and data categories can be found in the relevant targeting tools.

 
 

I.) Google Adwords Remarketing

We use Google Remarketing Tags. Google uses cookies (see section 4), which are stored on your end device and enable your use of the website to be analyzed. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. The IP address is then shortened by Google by the last three digits, so that it is no longer possible to clearly assign the IP address. For the USA, the EU Commission has issued an adequacy decision (EU-US Data Privacy Framework, “DPF” for short), which applies to certified companies. Google is DPF-certified. This ensures that there is a level of protection comparable to that in the EU. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage.

Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Third-party providers, including Google, place ads on websites on the Internet. Third-party providers, including Google, use stored cookies to place ads based on a user's previous visits to this website. Google will not associate your IP address with any other data held by Google.

The legal basis for the use of Google Adwords Remarketing is your consent in accordance with Art. 6 Para. 1 S.1 lit. a GDPR and § 25 Para. 1 TDDDG. You can revoke your consent at any time with effect for the future, for example via the cookie settings in the footer of our website.

You can disable Google's use of cookies by visiting the Google advertising opt-out page.

We would like to point out, however, that you may not be able to use all features of this website in that case. By using this website you agree to the processing of the data collected about you by Google in the manner and for the purpose outlined above. You can find more information about Google's policies here.

The storage period is usually 30 days without prior revocation.

 

II.) Meta Pixel Custom Audiences

We use retargeting with “Custom Audiences via the Meta Pixel” to address visitors to our website again after their visit with ads relevant to them on the Meta platforms (Facebook, Instagram, Audience Network).

When you access our pages, the Meta Pixel embedded in the code establishes a connection between your browser and the servers of Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland - “Meta”).

In doing so, the pixel transmits the URL currently accessed as well as a pixel ID (“pixel event”), your shortened IP address and the browser used (user agent) and, if applicable, a hash of your Meta advertising ID (first-party cookie “_fbp”). Meta assigns these signals to your user account, provided you are logged in there, and makes them available to us in anonymized form as a “custom audience”. Based on this target group, we can then place ads that are specifically tailored to previous visitors (so-called retargeting).

The Meta Pixel is used to measure the success of our campaigns and to retarget users based on their interests.

The legal basis is your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR in conjunction with Section 25 para. 1 TDDDG. You can withdraw your consent at any time with effect for the future by deactivating the marketing category in our cookie banner or deleting cookies in your browser. In addition, logged-in Meta users can adjust their personalized ad settings at https://www.facebook.com/settings/?tab=ads.

With your consent, the pixel sets the first-party cookie “_fbp” (lifespan: 90 days), which Meta uses to recognize visitors. Meta can also use a session cookie “fr” (lifespan: 7 days). No new IDs are set after the expiry of the respective periods or a revocation; you can delete existing cookies at any time in the browser settings.

The processed data is stored on servers within the EU; however, a transfer to Meta Platforms Inc. (USA) cannot be ruled out. Meta bases such transfers on the EU standard contractual clauses and is certified for the EU-US Data Privacy Framework.

Under this link you can object to the use of the Custom Audiences service. You can find more information on data protection at Meta in Facebook's privacy policy, among other places.

III.) TikTok

We use the TikTok pixel on our website. The TikTok pixel is a TikTok advertiser tool provided by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, WeWork, 125 Kingsway, London, WC2B 6NH, United Kingdom (collectively 'TikTok').

The TikTok pixel is a JavaScript code snippet that allows us to understand and track visitors' activity on our website.

This enables us to display personalized advertising based on the interests and behaviour of users. The data collected includes, in particular, IP addresses, information about the browser and operating system used, pages visited and ads clicked on.

The TikTok pixel collects and processes information about the users of our website or the devices they use.

The data collected through the TikTok pixel is used for targeting our ads and improving ad delivery and for personalised advertising. The data collected on our website by means of the TikTok pixel is transmitted to TikTok for this purpose. Some of this data is information stored on the device you are using. Cookies are also used via the TikTok pixel; these are used to store information on the device you are using. Storage of information by the TikTok pixel or access to information already stored on your device only happens with your consent.

We process your data on the basis of your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR (for data processing) and § 25 para. 1 sentence 1 TDDDG (for technical provision). You can withdraw your consent at any time with effect for the future.

We and TikTok are jointly responsible for data processing within the framework of joint responsibility in accordance with Art. 26 GDPR. The joint controllership agreement between us and TikTok regulates the respective responsibilities as follows:

  • Information pursuant to Art. 13, 14 GDPR: We are responsible for informing data subjects about the processing of their data.
  • Processing of data subjects' rights: TikTok is responsible for processing data subjects' rights, in particular requests for information and erasure.

It cannot be ruled out that your personal data will also be transferred to TikTok servers in third countries, including China, and processed there. China is not a safe third country within the meaning of the GDPR, as there is no adequacy decision by the EU Commission for China. This means that no comparable level of data protection is guaranteed in China as in the EU. However, TikTok ensures that an adequate level of data protection is guaranteed in accordance with the requirements of the GDPR through appropriate contractual agreements or other mechanisms.

The data collected by the TikTok Pixel is stored by default for a period of 180 days and then automatically deleted. This period makes it possible to analyze long-term trends and campaign performance without keeping the data for an unnecessarily long time.

For more information on how TikTok processes personal data, including the legal basis TikTok relies on and the ways to exercise your rights against TikTok, please refer to TikTok's privacy policy at https://www.tiktok.com/legal/privacy-policy?lang=de-DE.

IV.) Meta Conversions API

In order to statistically record the use of our website and to optimize our Meta advertising campaigns, we use the Meta “Conversions API” (CAPI) in addition to the pixel method.

This establishes a direct server-to-server channel between our web server and the servers of Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland).

  • With your consent (Art. 6 para. 1 sentence 1 lit. a GDPR in conjunction with Section 25 TDDDG), we transmit purchase events together with pseudonymous match keys, e.g. external_id and a SHA-256 hash of your email address.
  • The API runs parallel to the Facebook pixel (CAPI + pixel). Both events are deduplicated at Meta to avoid double counting.
  • Meta stores the event data for up to 28 days, after which it is deleted or anonymized (according to the Meta Business Suite).
  • The processing can also take place on servers of Meta Platforms Inc, USA. Meta ensures the required level of data protection through EU standard contractual clauses (SCC).

The data is used exclusively for campaign measurement and optimization; it is not used for other remarketing purposes. You can deactivate tracking at any time via our cookie banner or - if you are logged in - adjust it in your Facebook profile at https://www.facebook.com/settings/?tab=ads. Meta provides further information on the Conversions API at https://developers.facebook.com/docs/marketing-api/conversions-api/.


 
 

6. Social media

On our website, based on Article 6(1)(1)(f) of the GDPR, we use social plug-ins of the social networks Facebook and Instagram to raise awareness of our company that way. The underlying advertising purpose is deemed a legitimate interest within the meaning of the GDPR. The integration of these plug-ins is based on the so-called two-click process in order to protect visitors to our website as much as possible.

We also operate channels on various social media platforms to inform you about us and our services and to give you the opportunity to interact with us. First, we will inform you about the basic processing of your data on these platforms. We will then go into more detail about the respective platform.

We would like to point out that you use the social media platforms and their functions on your own responsibility. This applies in particular to the use of interactive functions (e.g. commenting, sharing, rating).

For certain processing operations, we and the platform operators also act as joint controllers within the meaning of Art. 26 GDPR.

However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media platform. In this case, this data is collected, for example, via cookies or similar technologies that are stored on your device or by recording your IP address. This processing is carried out by the provider of the social media platform alone.

When you visit one of our social media channels, we process your interactions with this channel (e.g. the content of messages, inquiries, posts or comments that you send to us or leave on our social media channels or when you like or share our posts) as well as your publicly visible profile data (e.g. your name and profile picture). Which personal data from your profile is publicly visible depends on your profile settings, which you can adjust yourself in your settings on the social media platform.

The purpose of data processing on our social media channels is effective and up-to-date public relations work, to simplify interaction with users and, if necessary, to initiate and process contracts.

The information you voluntarily publish may be made available to third parties. In addition, your data will be processed by the service providers of the social media platforms. You can find more information on this below in the description of the respective platform and in the privacy policy of the respective platform.

The legal basis for the processing of your data via our channels is Art. 6 para. 1 sentence 1 lit. f GDPR, based on our legitimate interest in the aforementioned public relations work, corporate communication and the optimization of our company presentation. If you contact us with the aim of concluding a contract or in connection with an existing contractual relationship, the data processing is also carried out on the basis of Art. 6 para. 1 lit. b GDPR.
 

a) Channels on Facebook and Instagram

The operator of the Facebook and Instagram services is Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Meta”).

We operate a Facebook page and an Instagram profile for the aforementioned purposes. Meta processes your data for its own purposes when you interact with the service. You can find more information about this here. We have no further knowledge of the data processing carried out by Meta.

If you interact with our Facebook page or our Instagram profile, we process your data with Meta in so-called joint responsibility in accordance with Art. 26 GDPR for so-called insights. It has been agreed here that we are responsible for informing data subjects in accordance with Art. 12 et seq. GDPR and Meta is responsible for fulfilling requests from data subjects in accordance with Art. 15 - 20 GDPR. The right to object pursuant to Art. 21 GDPR is safeguarded by both in relation to their own processing. Both are subject to the reporting and notification obligations under Art. 33 and 34 GDPR. You can view the agreement here. You can assert your rights against both controllers at any time.

The parent company of Meta Platforms Ireland is Meta Platforms, Inc. in the USA. The information generated by Meta is transferred to Meta Platforms, Inc. servers in the USA and processed there. On 10.07.2023, the EU Commission adopted an adequacy decision for the Data Privacy Framework for data transfers to recipients based in the USA. According to this, an adequate level of data protection is assumed for data transfers to certified recipients based in the USA. Meta Platforms, Inc. is a certified company.

 

b) Plugins from Facebook and Instagram

We integrate social media plug-ins from Facebook and Instagram (collectively “Meta plug-ins”) to make it easier to share our company's content on social networks and to conveniently display our presence there on our website. The plug-ins are, for example, the “Like/Share button”, the Facebook page or Instagram embed frame. The service provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Meta”).

As soon as you access a page of our website in which a Meta plug-in is embedded, your browser automatically establishes a direct connection to Meta's servers. For example, your IP address, information about your browser, operating system and time of access as well as the specific page URL (referrer) are transmitted to Meta. If you are logged into your Facebook or Instagram account during this time, Meta can directly associate the page visit with your profile. If you interact with the plug-in (e.g. click on “Like” or “Share”), this action will also be assigned to your user account and - depending on your account settings - published in your network.

We use the plug-ins to make our content easy to share, to increase the reach of our offer on social media platforms and to facilitate communication with you and other users. The plug-ins are integrated on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR in conjunction with Section 25 para. 1 TDDDG. When you visit our website for the first time, you will therefore receive a consent banner in which you can decide whether external social media content may be loaded. Without consent, the plug-in will remain deactivated (we will display a placeholder instead); personal data will then not be transmitted to Meta. You can revoke your consent at any time with effect for the future by deactivating the social media category in our cookie banner or deleting cookies that have already been set in your browser. If you are logged in to Facebook or Instagram, you can also restrict personalized advertising at https://www.facebook.com/settings/?tab=ads or https://www.instagram.com/accounts/privacy_and_security/.

Meta may also process the data collected via the plug-in on servers of Meta Platforms Inc. in the USA. For such transfers, Meta uses the EU standard contractual clauses and is certified in accordance with the EU-US Data Privacy Framework.

According to Meta, log data (e.g. IP address) is deleted or anonymized after 90 days at the latest. We have no influence on the actual deletion by the provider; details can be found in the Meta privacy policy.

Details on data processing by Meta can be found in Meta's privacy policy: https://www.facebook.com/privacy/policy/.

 

 

7. Trusted Shops

On our website and for orders in our online shop, we use the buyer protection system of Trusted Shops GmbH, Subbelrather Str. 15c, 50823 Cologne, ('Trusted Shops'), to enable customers to purchase our products securely in the online shop.

When placing orders in our online shop you have the option to use the buyer protection of Trusted Shops and also to leave a review in the Trusted Shops review system. This is done voluntarily.

If you activate the buyer protection option after completing an order on the Trustbadge, we transmit the following information to Trusted Shops: Order value, order number, date of purchase, payment method if applicable and your e-mail address. The legal basis for the transmission is Art. 6 para. 1 sentence 1 lit. b GDPR, as the processing of the aforementioned data is necessary for the fulfillment of the contract for buyer protection.

If you have given us your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR during or after your order by activating a corresponding checkbox or clicking a button provided for this purpose (“Rate later”), we will pass on your e-mail address, order number and internal customer ID to Trusted Shops for a rating invitation. You can revoke this consent at any time with effect for the future, for example by clicking on the unsubscribe link in every evaluation mail from Trusted Shops.

Trusted Shops uses the data exclusively for contract processing (buyer protection) or to send the rating request and, if submitted, to display your rating in our store. No data is passed on to uninvolved third parties. Trusted Shops processes all data on servers in Germany. Data is not transferred to countries outside the European Economic Area. Log data is anonymized after seven days; Trusted Shops retains buyer protection contract data in accordance with commercial and tax law deadlines (up to ten years). Reviews remain visible until you request their deletion or the display is required for legal reasons.

For more information, see the data protection declaration of Trusted Shops. There you can also find out how you can assert your data subject rights (information, correction, deletion, restriction, data portability, objection) against Trusted Shops.

8. WhatsApp

We use the WhatsApp Business Cloud API from Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; “Meta”) to answer customer and partner inquiries quickly and conveniently. Our public WhatsApp business number is connected to our ticket system via the API; all incoming WhatsApp messages are created there as a support ticket so that our service team can respond centrally.

When you communicate with us via WhatsApp, Meta - and subsequently our ticket system - processes all the content you send, including your mobile phone number (as well as display name, profile picture, if approved), message content (e.g. text, photos, documents, voice messages, location pins, etc.) and metadata (e.g. time, delivery and read status, device and connection information). We may add notes to the ticket, such as order or transaction numbers, in order to assign your request more quickly.

If the processing takes place in order to fulfill existing contracts or pre-contractual inquiries, for example in the case of order or shipping inquiries, postponements or price information, Art. 6 para. 1 sentence 1 lit. b GDPR is the legal basis. In other cases, such as for customer support or troubleshooting, Art. 6 para. 1 sentence 1 lit. f GDPR is the legal basis due to our legitimate interest in efficient support to ensure the satisfaction of customers, interested parties or website visitors. The use of WhatsApp is voluntary. You can also submit your request by email or telephone at any time without incurring any disadvantages.

Meta may process data on servers of Meta Platforms Inc, USA. The data transfer is based on the EU standard contractual clauses and Meta's EU-US Data Privacy Framework certification. Within our company, only authorized support employees will have access to your ticket; it will not be passed on to third parties unless this is mandatory for the execution of the contract.

According to Meta (WhatsApp Business Cloud API), it stores encrypted message copies for up to 30 days to enable delivery, misuse detection and error analysis; they are then deleted.

If you no longer wish to be contacted via WhatsApp, simply let us know in a chat or via the alternative channels mentioned above; we will then block your number for future WhatsApp communication.

Further information on data processing by Meta can be found in the WhatsApp Privacy Policy (https://www.whatsapp.com/legal/privacy-policy-eea).

9. Competitions

To take part in our regular competitions, which we run both on our website and on our social media channels Facebook and Instagram, you only need to provide the information requested in each case.

Depending on the channel, we collect your first and last name (to identify the person taking part), email address (to notify you of the prize) and full postal address (only for non-cash prizes, to enable us to send the prize) in order to run the competition.

We occasionally ask for optional information (e.g. Instagram username) if this is required to determine the winner or contact them via the platform.

The sole purpose of the processing is to correctly determine the winners, notify them and deliver the prize.

The legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR, as the processing of the aforementioned data is necessary for the fulfillment of the competition contract.

In principle, we do not use your competition data for subsequent advertising purposes. Only in rare exceptional cases do we wish to subsequently inform participants of a suitable offer by email. In this case, we will integrate a separate opt-in checkbox in the competition form. Participation is of course also possible without consent. If you give this consent, we base the sending on Art. 6 para. 1 sentence 1 lit. a GDPR; you can revoke it at any time by clicking on the unsubscribe link in each email.

Depending on the competition format, we will publish the first name and abbreviated surname (e.g. “Anna K.”) and, if relevant, the winner's place of residence on Facebook, Instagram and/or our website. This publication takes place on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR due to our legitimate interest in creating transparency for all participants and only insofar as this is announced in the conditions of participation.

We delete data from non-winners no later than three weeks after the end of the competition. We store winners' data for as long as is necessary for shipping, any warranty or tax obligations (regularly up to three years after the prize has been paid out).

We operate the competitions on Facebook and Instagram as joint controllers with Meta Platforms Ireland Ltd (4 Grand Canal Square, Dublin 2, Ireland). Meta collects additional usage and profile data for its own purposes (e.g. page insights) when you visit the campaign. We have no influence on this processing; you can find more information in the Meta privacy policy (https://www.facebook.com/privacy/policy).



 

10. Data subject rights


 

You have the right:

  • in accordance with Article 15 of the GDPR to request information from us about your personal data processed by us. In particular, you can request information about processing purposes, the category of personal data, the categories of recipients to whom your data was or is being disclosed, the planned storage duration, the existence of a right to correction, deletion, restriction of processing or objection, the existence of a right of appeal, the data source if this was not collected by us, as well as about the existence of automated decision-making including profiling and, where applicable, relevant detailed information;
  • in accordance with Article 16 of the GDPR, you can request that incorrect or incomplete personal data stored by us is corrected or completed immediately;
  • in accordance with Article 17 of the GDPR, you can request the deletion of your personal data stored by us, provided that its processing is not required to exercise the right to freedom of expression and information, to meet a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
  • in accordance with Article 18 of the GDPR, you can request the processing of your personal data to be restricted, provided you contest the accuracy of the data, its processing is unlawful, but you decline its deletion and we no longer need the data, but you need it to assert, exercise or defend legal claims or you have objected to its processing in accordance with Article 21 of the GDPR;
  • in accordance with Article 20 of the GDPR, you can request to receive the personal data you have provided us with in a structured, common and machine-readable format or request its transmission to another responsible entity;
  • in accordance with Article 7(3) of the GDPR, you may revoke your consent at any time. This means that we cannot continue processing your data based on this consent in the future and
  • in accordance with Article 77 of the GDPR there exists a right to complain to a supervisory authority. As a rule, you can contact the supervisory authority of your habitual residence or place of work or of our registered office.

 

 

11. Right of objection

If your personal data is processed based on legitimate interests in accordance with Article 6(1)(1)(f) of the GDPR, you have the right, in accordance with Article 21 of the GDPR, to object to the processing of your personal data, provided there are reasons that arise from your special situation or the objection is directed against direct advertising. In the latter case you have a general right of objection that we implement without you having to provide information about a special situation. If you would like to exercise your right of revocation or right of objection, all you need to do is send an email to info@lavita.com.

 

 

12. Data security

When you place an order we use the standard SSL method (Secure Socket Layer) in conjunction with the highest encryption setting supported by your browser in each case. As a rule, this is 256-bit encryption technology. If your browser does not support 256-bit technology, we use 128-bit v3 encryption instead. The closed key or lock icon in the lower task bar of your browser indicates whether the specific website page is transmitted in an encrypted form.

Moreover, we also use suitable technical and organisational security measures to protect your data from accidental or deliberate manipulation, partial or complete loss, destruction and from unauthorised access by third parties. Our security measures are revised continuously in line with technological development.

 

 

13. Updating and making changes to this data protection declaration

This data protection declaration is currently valid and was last updated in May 2025. Because of the development of our website and its offerings or because of changed legal or regulatory requirements, it may become necessary to change this data protection declaration.

You can access and print out the most recent version of the data protection declaration at any time on our website at https://www.lavita.com/privacy.