Data protection

1. Controller and Data Protection Officer

QUIRIS Healthcare GmbH & Co. KG

Isselhorster Str. 260

33334 Gütersloh

Germany

Data Protection Officer:

QUIRIS Healthcare GmbH & Co. KG

Data Protection Officer

Isselhorster Str. 260

33334 Gütersloh

Germany

Email: datenschutz@quiris.de

2. General information on data processing

We generally only process personal data to the extent necessary for providing a functional website, our content and services, and for processing orders.

The processing is based on the GDPR, the BDSG and the Telecommunications Digital Services Data Protection Act (TDDDG).

3. Collection and storage of personal data

When you visit our website www.elasten.shop, your browser automatically sends information to our server. This information is temporarily stored in log files. The data collected includes: IP address, date and time of access, name and URL of the accessed file, browser used, and operating system.

This data is technically necessary to provide the website and ensure system security.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest). Log files are generally deleted after 7 days, unless retention is required for security reasons.

Our website is operated via the Shopify platform. The provider is Shopify International Ltd., Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland. Shopify processes personal data on our behalf in accordance with Article 28 of the GDPR. This may involve data transfers to third countries (in particular Canada and the USA). Canada has an adequacy decision from the EU Commission. Where data is transferred to the USA, this is done on the basis of appropriate safeguards (e.g., EU Standard Contractual Clauses).

4. Data collection during orders

When you order through our online shop, we collect the following data: title, first name, last name, address, email address, payment information and, if applicable, telephone number.

We process this data for contract fulfillment, delivery of goods, and communication.

Legal basis: Art. 6 para. 1 lit. b GDPR (performance of a contract).

We store data relevant for billing purposes due to commercial and tax law requirements.

5. Payment service providers

For payment processing, we forward personal data to the respective payment service providers. Depending on the chosen payment method, the processing is carried out by:

- PayPal (Europe) S.à rl et Cie, SCA

- Klarna Bank AB (publ)

- Stripe Payments Europe, Ltd.

- Credit card providers

The data transmitted includes, in particular, your name, email address, invoice amount, and payment details. The payment service providers act as independent controllers within the meaning of the GDPR. Legal basis: Art. 6 para. 1 lit. b GDPR (performance of a contract). You can find further information in the privacy policies of the respective providers.

6. Shipping service provider

For the purpose of delivery, we transmit data (name, address, email) to the shipping service provider, usually DHL Paket GmbH, Charles-de-Gaulle-Straße 20, 53113 Bonn.

Legal basis: Art. 6 para. 1 lit. b GDPR.

7. Newsletter & Email Marketing

You can subscribe to our newsletter to receive regular updates on products, promotions and offers from QUIRIS Healthcare.

a) Registration

Registration is done via a double opt-in process: After registering, you will receive an email in which you must confirm your registration.

b) Data processing

The following data is collected: name, email address, time of registration, and IP address. This data is used exclusively for sending the newsletter. The newsletter is sent via the Shopify platform (Shopify International Ltd., Ireland), which acts as a data processor in accordance with Article 28 of the GDPR. This may involve the transfer of data to third countries (see section "Data Transfer to Third Countries").

Legal basis: Art. 6 para. 1 lit. a GDPR (consent).

c) Revocation

You can withdraw your consent at any time – for example, via the unsubscribe link in the newsletter or by email to datenschutz@quiris.de. We will delete your data after withdrawal, unless legal retention obligations prevent us from doing so.

8. Cookies and tracking technologies

We use cookies and similar technologies to enable and optimize the use of our website. To manage consent, we use the consent management tool "GDPR Backpack" (Consentmo Ltd.). This involves storing consent data (time, selection, IP address) to fulfill legal documentation obligations pursuant to Article 7 of the GDPR.

a) Necessary cookies

These are necessary for the operation of the website (e.g., shopping cart, checkout). The storage of and access to information on your device is based on Section 25 Paragraph 2 of the German Telemedia Act (TMG) (required). The subsequent processing of personal data is based on Article 6 Paragraph 1 Letter b GDPR (contract/order) or Article 6 Paragraph 1 Letter f GDPR (legitimate interest), depending on the purpose.

b) Statistics and marketing cookies

We only use analytics and marketing tools with your explicit consent.

Legal basis: Art. 6 para. 1 lit. a GDPR in conjunction with § 25 para. 1 TDDDG. Revocation: possible at any time via the cookie/consent banner.

9. Analysis and marketing tools

a) Google Analytics

We use Google Analytics, a web analytics service provided by Google Ireland Ltd. Google uses cookies to analyze website usage. IP addresses are anonymized (IP masking). A data processing agreement in accordance with Article 28 of the GDPR has been concluded. User and event data is stored for 14 months.

Legal basis: Consent, Art. 6 para. 1 lit. a GDPR.

b) Google Ads & Conversion Tracking

We use Google Ads Conversion Tracking to measure the success of our advertising. When you click on a Google ad, a cookie is set that expires automatically after 30 days.

Legal basis: Consent, Art. 6 para. 1 lit. a GDPR.

c) Meta (Facebook) Pixel

We use the Facebook Pixel from Meta Platforms Ireland Ltd. to measure conversions and for retargeting. We are jointly responsible with Meta Platforms Ireland Ltd. for data collection in accordance with Article 26 of the GDPR. The corresponding agreement can be found at: https://www.facebook.com/legal/controller_addendum

Legal basis: Consent, Art. 6 para. 1 lit. a GDPR.

d) Newsletter tracking

Our newsletters may contain tracking pixels that allow us to measure open and click-through rates. This analysis includes open rates, click behavior, and interactions. This data enables us to create user profiles and better tailor content to your interests.

Legal basis: Consent, Art. 6 para. 1 lit. a GDPR.

10. Order processing and recipients

We use service providers (e.g., hosting, shop and IT service providers, newsletter and marketing service providers, payment processors, shipping) who process data on our behalf as data processors in accordance with Article 28 of the GDPR. We have corresponding contracts with these service providers. Key data processors include, in particular, Shopify (hosting and newsletter), Consentmo ("GDPR Backpack"), and, where applicable, IT and marketing service providers.

Insofar as service providers act as independent controllers (e.g. payment service providers), their data protection notices apply.

11. Storage duration

We only store personal data for as long as is necessary to fulfill the respective purposes or as long as legal retention obligations exist (e.g. tax and commercial law periods of up to 10 years).

12. Your rights (data subject rights)

Provided the legal requirements are met, you have the following rights: access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR) and the right to object to processing (Art. 21 GDPR).

If the processing is based on your consent, you can withdraw this consent at any time with effect for the future (Art. 7 para. 3 GDPR).

To exercise your rights, simply send a message to datenschutz@quiris.de.

13. Right to lodge a complaint with the supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW) is the supervisory authority responsible for us.

14. Data transfer to third countries

Some recipients (e.g., providers of analytics and marketing tools) may also transfer personal data to countries outside the EU/EEA (e.g., the USA). In these cases, the transfer only takes place if the requirements of Articles 44 et seq. GDPR are met, e.g., on the basis of EU standard contractual clauses and, where applicable, additional safeguards, or – where applicable – on the basis of an adequacy decision (e.g., the EU-US Data Privacy Framework).

15. Changes to this Privacy Policy

We reserve the right to amend this privacy policy from time to time to reflect changes in legal or technical requirements. The most current version can always be found on our website.