Bonano GmbH develops natural cosmetics products. In the following, we would like to provide you with information on the processing of personal data which is carried out within the context of the online services we provide. It is of great importance to us that we deal with personal information in a careful way. In the processing of your personal data, we of course comply with the statutory regulations and we take the protection of your data very seriously.
You may print out this document or save it by making use of the usual functionality of your browser (usually File/Save to). You can also download and archive this document in PDF format by clicking here . To open the PDF file you need the free program Adobe Reader or similar programs that execute the PDF format.
1. Point of contact
Point of contact and the organisation responsible for the processing of your personal data when you visit this website in accordance with the General Data Protection Regulation (GDPR) is:
Please feel free to contact us at any time if you have any questions on the theme of data protection in connection with our products or the use of our website. You can reach us via the contact details given above or via our contact form.
2. Processing of personal data
When you make use of our online provision, or interact with our website (e.g. by filling out and submitting our contact form), processing of your personal data takes place.
2.1 Personal data
Personal data is information which relates to an identified or identifiable person. This includes in particular details which permit conclusions to be drawn about your identity, for example, your name, your telephone number, your address or your e-mail address. Statistical data which we collect when a visit is made to our website, for example, and which cannot be connected to your person, does not fall into the category of personal data.
2.2 Use for information purposes
If you make use of our online provision purely to get information, we do not collect any personal data, with the exception of the data which your browser transfers in order to make it possible for you to visit the website. This includes, for example:
- IP address (will be anonymised) of the requesting device
- Date and time of the request
- Time zone difference compared to Greenwich Mean Time (GMT)
- Content of the request (concrete page)
- Access Status/HTTP Status Code
- Website origin of the request
- Browser and its version and language
- Operating system and its version
- Details of manufacturer and model for mobile devices such as smartphones or tablets
- Screen resolution
- Colour level
The data processing of this access data is necessary to enable the visit of the website and to ensure the permanent functionality and security of our systems. The access data is also temporarily stored in internal log files for the purposes described above, in order to compile statistical information about the use of our website, to further develop our website with regard to the usage habits of our visitors (e.g. if the proportion of mobile devices used to access the pages increases) and to generally maintain our website administratively.
The legal basis is Art. 6 para. 1 sentence 1 lit. b DSGVO, insofar as the page view occurs in the course of the initiation or execution of a contract, and otherwise Art. 6 para. 1 sentence 1 lit. f DSGVO due to our legitimate interest in the permanent functionality and security of our systems.
The IP addresses of the users are deleted or anonymised after termination of use. In the case of anonymisation, the IP addresses are changed in such a way that the individual details about personal or factual circumstances can no longer be assigned to a specific or identifiable natural person or can only be assigned to a specific or identifiable natural person with a disproportionate amount of time, cost and labour. The log files are stored for 7 days and then anonymised. The data in the so-called log files are analysed in anonymised form in order to further improve the Bonano online offers and make them more user-friendly, as well as to find and rectify errors more quickly. In addition, they are used to control the server capacities in order to be able to provide corresponding data volumes if necessary.
2.3 Contact form and making contact via e-mail
As well as the use of our online provision for the sole purpose of getting information, there are also various options for interacting with us and we offer services which you can make use of if you are interested in doing so. These include our contact form and the option of contacting us via e-mail. To make use of these functions, you will need to supply further personal details which we will use and store in order to perform the service required. If you supply personal data to us via our contact form or via e-mail, we will use this data only to answer your query or to process your complaint and we will do this in compliance with the statutory regulations on data protection. In the case that you establish contact via the contact form, we store your first name and surname, your e-mail address and your preferred title in order that we can answer your query comprehensively and in a proper way.
In the case that it is possible for you to provide additional details on a voluntary basis, these fields are marked accordingly and serve to allow us to answer your query in a better way. The legal basis for queries relating to products is Art. 6 para. 1 point b of the GDPR. The legal basis for queries not related to products is Art. 6 sentence 1 point f of the GDPR.
No data is passed on to third parties, with the exception of a transfer of personal data to Alnatura Produktions- und Handels GmbH, Mahatma-Gandhi-Str. 7, 64295 Darmstadt, for the purpose of processing contracts or answering customer enquiries in connection with enquiries on the subject of "natural cosmetics". Only the data required to answer this specific customer enquiry (e.g. a complaint) or to process these contracts will be passed on. Further information can be found in the data protection regulations of Alnatura Produktions- und Handels GmbH. The legal basis for the transfer is Art. 6 (1) lit. b with regard to the processing of contracts and Art. 6 (1) lit. f DSGVO, based on our legitimate interest in answering customer enquiries.
We undertake only to use the data for the underlying purpose and in accordance with the statutory provisions on data protection.
2.4 Surveys, competitions and prize draws
If you take part in one of our surveys, we use your data for market research and opinion research. As a matter of principle, we evaluate the data in an anonymised form for our internal purposes. In the case that surveys are in exceptional cases not evaluated anonymously, the data is exclusively collected with your consent. The GDPR is not applicable to anonymous surveys and, for the exceptional case of person-related evaluations, the legal basis is the above-mentioned consent, in accordance with Art. 6 para. 1 sentence 1 point a of the GDPR.
Within the context of prize draws and competitions, we use your data for the purpose of carrying out the promotion in question and to inform the winners. You can find detailed information on this if required in the conditions of participation for the respective promotion. The legal basis for the processing of the data is the prize draw/competition contract in accordance with Art. 6 para.1 sentence 1 point b of the GDPR.
As a rule, the prizes will be sent to you by us. Due to the nature of a prize or also to save transport routes, your data may be passed on to transport partners for the purpose of processing the competition or dispatching the prize. Insofar as these are not explicitly named in the terms and conditions of participation, we have concluded order processing agreements with the transport company with regard to the processing of your name and address by the transport company required for the shipment in accordance with Art. 28 DSGVO.
3. Passing on personal data
We will in principle only pass on data which we have collected if:
- you have expressly given your consent to this in accordance with Art. 6 para. 1 sentence 1 point a of the GDPR,
- the passing on of data is required in accordance with Art. 6 para. 1 sentence 1 point f of the GDPR for the assertion, exercise or defence of legal claims and there is no reason to suppose that you have an outweighing interest worthy of protecting in your data not being passed on,
- we are legally bound to pass on data in accordance with Art. 6 para. 1 sentence 1 point c of the GDPR or
- this is legally permissible and necessary in accordance with Art. 6 para. 1 sentence 1 point b of the GDPR for the handling of contractual relations with yourself or for the carrying out of precontractual measures which are carried out at your request.
A part of the data processing may be carried out by our service providers. As well as the service providers mentioned in this Privacy Statement, this may also include in particular computer centres which store our website and databases, IT service providers who maintain our system, and consultancy firms. In the case that we pass on data to our service providers, this data may only be used for the fulfilment of their assigned tasks.
Our service providers have been carefully selected and appointed by us. They are contractually obliged to comply with our instructions, have in place the appropriate technical and organisational measures to protect the rights of the persons in question, and are regularly monitored by us.
Furthermore, data may be passed on in connection with enquiries from the authorities, court rulings and legal proceedings, if this is necessary for the assertion of rights or enforcement of the Law.
4. Storage and deletion of your data
As a matter of principle, we only store personal data for as long as this is necessary for the fulfilment of the contractual or legal duties for which we have collected the data. After this, we delete the data without delay, unless we need to keep the data until the expiry of the statute of limitation for the purpose of providing proof for claims under civil law or on account of a legal obligation to retain data.
We are legally obliged to retain contractual details, for the purpose of providing evidence, for a further three years from the end of the year in which the business relationship with you comes to an end. Any claims become time-barred in accordance with statutory limitation periods at this point in time at the earliest.
Even after this period, we are bound to retain some of your data for reasons of bookkeeping. We are bound to do this on account of the statutory obligation to provide documentation which may arise in particular through the German Commercial Code (HGB) and the German Fiscal Code (AO). The terms prescribed here for the retention of documentation are up to ten years.
5. cookies and similar technologies
We also share information about your use of our website with our social media, advertising and analytics partners where we have consent.
Our partners may combine this information with other data that you have provided to them or that they have collected in the course of your use of the services.
This site uses different types of cookies. Some cookies are placed by third parties that appear on our pages.
Basically, there are two different types of cookies, so-called session cookies, which are deleted as soon as you close your browser (=end of session) and persistent cookies, which are stored on your data carrier for a longer period of time or indefinitely. Most of the cookies we use are session cookies and are automatically deleted from your hard drive again at the end of the browser session. In addition, we also use persistent cookies that remain on your hard drive. When you visit us again, this automatically recognises that you have already been with us and which entries and settings you prefer.
The cookies are stored on your hard drive and delete themselves after the time specified in the listing.
We understand that you may not be interested in all of the features when you access our website, which is why we give you the opportunity to opt in or out of certain services when you first access our website. When selecting your personal cookie setting, you have the choice between:
You can find more detailed information on cookies in your individual setting under Details.
You can change or revoke your consent at any time from the cookie declaration on our website. You therefore have the option of adjusting your preferences at any time via the cookie settings.
5.1 Legal basis and revocation
5.1.1 Legal basis
We use tools necessary for website operation on the basis of our legitimate interest pursuant to Art. 6 (1) p. 1 lit. f DSGVO to enable you to use our website more conveniently and individually and to make use as time-saving as possible. In certain cases, these tools may also be necessary for the performance of a contract or for the implementation of pre-contractual measures, in which case the processing is carried out in accordance with Art. 6 para. 1 p. 1 lit. b DSGVO.
We use all other tools, in particular those for marketing purposes, on the basis of your consent pursuant to Art. 6 para. 1 p. 1 lit. a DSGVO and pursuant to Section 15 para. 3 p. 1 TMG, insofar as usage profiles are created for the purposes of advertising or market research. Data processing with the help of these tools only takes place if we have received your consent in advance.
If personal data is transferred to third countries, we refer you to section 7 ("Data transfer to third countries"), also with regard to the possible associated risks. We will inform you if we have concluded standard contractual clauses or other guarantees with the providers of certain tools. If you have given your consent to use certain tools, we (also) transfer the data processed when using the tools to third countries on the basis of this consent.
5.1.2 Obtaining your consent
We use the Cookiebot tool from Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark ("Cookiebot") to obtain and manage your consent. This generates a banner informing you about data processing on our website and giving you the option to consent to all, some or no data processing through optional tools. This banner appears the first time you visit our website and when you revisit your choice of settings to change them or withdraw consent. The banner will also appear on subsequent visits to our website if you have disabled the storage of cookies or if the cookie has been deleted by Cookiebot or has expired.
Your consents or revocations (consent status as proof of consent), your shortened IP address (the last 3 digits are set to zero), information about your browser, your terminal device and at the time of your visit as well as the URL from which the consent was sent are transmitted to Cookiebot as part of your website visit. In addition, Cookiebot uses a necessary cookie to store the consents and revocations you have given. If you delete your cookies, we will ask you for your consent again when you visit the site later. Otherwise, we store your consent status for one year.
The data processing by Cookiebot is necessary to provide you with the legally required consent management and to comply with our documentation obligations. The legal basis for the use of Cookiebot is Art. 6 para. 1 p. 1 lit. f DSGVO, justified by our interest in fulfilling the legal requirements for cookie consent management.
5.1.3 Withdrawing your consent or changing your settings
You can revoke your consent for certain tools at any time. To do so, click on the following link/button: [link/button]. There you can also change the selection of the tools you wish to consent to using, as well as obtain additional information on the cookies and the respective storage period. Alternatively, you can assert your revocation for certain tools directly with the provider.
5.2 Necessary and Functional Tools
We use certain tools to enable the basic functions of our website ("Necessary Tools"). Without these tools, we could not provide our service. We also use tools to improve the user experience on our website and to provide you with more features ("functional tools"). Unless we obtain consent for these tools, necessary and functional tools are used without consent on the basis of our legitimate interests pursuant to Art. 6 (1) sentence 1 lit. f DSGVO or for the performance of a contract or for the implementation of pre-contractual measures pursuant to Art. 6 (1) sentence 1 lit. b DSGVO.
5.2.1 Own cookies
We use our own necessary cookies in particular
- to store your language preferences,
- to record that information placed on our website has been displayed to you - so that it is not displayed again the next time you visit the website.
5.3 Analysis and advertising measures
In order to improve our website, we use various technologies to analyse usage behaviour and evaluate the associated data. The data collected may include, in particular, the IP address of the end device, the date and time of access, the identification number of a cookie, the device identifier of mobile end devices and technical information about the browser and operating system. However, the collected data is stored exclusively pseudonymously, so that no direct conclusions can be drawn about the persons. This data is also processed for marketing purposes and so that individualised advertising messages can be played to you. The legal basis for both analysis measures and advertising measures and the associated data processing is Art. 6 para. 1 p. 1 lit. a DSGVO, based on the consent you have given separately for both purposes, if applicable via the cookie banner. You can revoke or change the individual consents at any time with effect for the future (see above).
The legal basis for the marketing tools is your consent according to Art. 6 para. 1 p. 1 lit. a DSGVO. For revocation of your consent, see 4.1.3: "Revoking your consent or changing your selection". In the event that personal data is transferred to the USA or other third countries, your consent expressly extends to the data transfer (Art. 49 para. 1 sentence 1 lit. a DSGVO). Please refer to section 7 ("Data transfer to third countries") for the associated risks.
In the following section, we would like to explain these technologies and the providers used for this purpose in more detail. The data collected may include in particular:
- the IP address of the device;
- the identification number of a cookie;
- the device identifier of mobile devices (Device ID);
- Referrer URL (previously visited page);
- Pages accessed (date, time, URL, title, length of stay);
- Downloaded files;
- Clicked links to other websites;
- Achievement of specific goals (conversions), if applicable;
- Technical information: Operating system; Browser type, version and language; Device type, brand, model and resolution;
- Approximate location (country and city, if applicable).
However, the data collected is only stored pseudonymously, so that no direct conclusions can be drawn about individuals.
In the following section, we would like to explain these technologies and the providers used for them in more detail.
5.3.1 Google Analytics
However, your IP address is shortened before the usage statistics are analysed so that no conclusions can be drawn about your identity. For this purpose, Google Analytics has been extended on our online offers by the code "anonymizeIP" to ensure anonymised collection of IP addresses.
We also use Google Analytics to analyse new content and functions on our website. For this purpose, we use the optimisation service "Google Optimize", which is also offered by Google. Google Optimize makes it possible to display newly designed areas of our website to some of our users for test purposes and to evaluate usage in order to improve our website.
On the basis of Google Analytics, we use the Google service "Google Data Studio" to analyse the traffic development on our website over a certain period of time and, if necessary, evaluate the success of our website on the basis of further specific measuring points. This includes the tracking of internal advertising media for the presentation of brand campaigns, of product insertions as well as share buttons and newsletter sign-ups.
Google will use the information obtained through the cookies to evaluate your use of the website, to compile reports on website activity for website operators and to provide other services related to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf.
We have made the following data protection settings for Google Analytics:
- IP anonymisation (shortening of the IP address before evaluation so that no conclusions can be drawn about your identity).
- Limitation of the storage period
- Deactivated advertising function (including target group remarketing through GA Audience)
- Disabled personalised ads
- Disabled cross-site tracking (Google signals)
- Disabled data sharing with other Google products and services
- The following data is processed by Google Analytics:
- Anonymised IP address;
- Referrer URL (previously visited page);
- Pages viewed (date, time, URL, title, time spent);
- Downloaded files;
- Clicked links to other websites;
- Achievement of specific goals (conversions), if applicable;
- Technical information: Operating system; Browser type, version and language; Device type, brand, model and resolution;
- Approximate location (country and city, if applicable, based on anonymised IP address).
- Google Analytics sets the following cookies for the stated purpose with the respective storage period:
- "_ga" for 2 years and "_gid" for 24 hours (both to recognise and distinguish website visitors by a user ID);
- "_gat" for 1 minute (to reduce requests to Google servers).
We have concluded an order processing agreement with Google for the use of Google Analytics as well as EU standard contractual clauses in the event that personal data is transferred to the USA or other third countries.
As described above, you can configure your browser to reject cookies or you can prevent the collection of data generated by the cookie and related to your use of this website (including your IP address) by Google and the processing of this data by Google by loading and installing the browser plugin.
As an alternative to the selection option in the cookie banner and the browser add-on or within browsers on mobile devices, you can set an opt-out cookie to prevent the collection by Google Analytics within this website in the future (the opt-out only works in the browser and only for this domain). If you delete your cookies in this browser, you must click this link again.
5.3.2 Hetzner Online GmbH
Our website is hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. This means that the connection between your device and the content on our website is established via the servers of Hetzner Online GmbH. The servers used by Hetzner Online GmbH are located within the European Union. We will be happy to provide you with further information on the appropriate guarantees for maintaining an adequate level of data protection upon request.
The legal basis for the use of Hetzner Online GmbH is Art. 6 para. 1 p. 1 lit. f DSGVO, based on our legitimate interest in presenting content on our website quickly, securely and reliably.
This website uses Hotjar. The provider is Hotjar Ltd, Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, Europe (website: https://www.hotjar.com).
Hotjar is a tool used to analyse your user behaviour on this website. Hotjar allows us to record, among other things, your mouse movements, scrolling movements and clicks. Hotjar can also determine how long you have stayed with the mouse pointer on a certain spot. From this information, Hotjar creates so-called heat maps, which can be used to determine which website areas are viewed preferentially by the website visitor.
Furthermore, we can determine how long you stayed on a page and when you left it. We can also determine at which point you cancelled your entries in a contact form (so-called conversion funnels).
We have concluded an order processing agreement with Hotjar for the use of the service.
Hotjar cookies remain on your terminal device until you delete them.
The use of Hotjar and the storage of Hotjar cookies are based on Art. 6 para. 1 lit. f DSGVO. The website operator has a legitimate interest in analysing user behaviour in order to optimise both its website and its advertising.
If a corresponding consent has been requested and granted (e.g. consent to the storage of cookies via the cookie banner), the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO; the consent can be revoked at any time.
If you wish to deactivate the data collection by Hotjar, click on the following link and follow the instructions there: https://www.hotjar.com/opt-out . Please note that Hotjar must be deactivated separately for each browser or end device.
5.4 Google Maps
Our website uses the map service Google Maps which is offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for users from the European Economic Area, Switzerland and Liechtenstein and by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (together "Google") for all other users.
We integrate this service in particular to provide the "store finder" and producer map functions. In order for the Google map material used by us to be integrated and displayed in your web browser, your web browser must establish a connection to a Google server, which may also be located in the USA, when you call up the contact page. In the event that personal data is transferred to the USA or other third countries, we have concluded standard contractual clauses with Google.
By integrating the map material, Google receives the information that a page of our website was called up from the IP address of your device. If you call up the Google map service on our website while you are logged into your Google profile, Google can also link this event to your Google profile. If you do not wish to be associated with your Google profile, you must log out of Google before accessing our contact page. Google stores your data and uses it for the purposes of advertising, market research and personalised presentation of Google Maps.
The legal basis is Art. 6 para. 1 p. 1 lit. a DSGVO, based on the consent you may have given via the cookie banner.
6. Online presence in social networks
We maintain online presences in social networks in order to communicate with customers and interested parties and to provide information about our products and services.
The user data is usually processed by the social networks concerned for market research and advertising purposes. In this way, usage profiles can be created based on the interests of the users. For this purpose, cookies and other identifiers are stored on the users' computers. On the basis of these usage profiles, advertisements, for example, are then placed within the social networks but also on third-party websites.
As part of the operation of our online presences, it is possible that we can access information such as statistics on the use of our online presences, which are provided by the social networks. These statistics are aggregated and may include, in particular, demographic information and data on interaction with our online presences and the posts and content distributed via them. Please refer to the list below for details and links to the data of the social networks that we can access as operators of the online presences.
The legal basis for data processing is Art. 6 para. 1 p. 1 lit. f DSGVO, based on our legitimate interest in effectively informing users and communicating with users, or Art. 6 para. 1 p. 1 lit. b DSGVO, in order to stay in contact with and inform our customers and to carry out pre-contractual measures with future customers and interested parties.
For the legal basis of the data processing carried out by the social networks on their own responsibility, please refer to the data protection information of the respective social network. The links below also provide you with further information on the respective data processing and the options to object.
We would like to point out that data protection requests can be asserted most efficiently with the respective provider of the social network, as only these providers have access to the data and can take appropriate measures directly. Below is a list with information on the social networks on which we operate online presences:
- Instagram (Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland).
- Google/ (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)
- Opt-out: https://www.google.com/settings/ads
- Data transfer to third countries
Where this is not possible, we base the transfer of data on exceptions to Art. 49 DSGVO, in particular your express consent or the necessity of the transfer for the performance of the contract or for the implementation of pre-contractual measures.
If a third country transfer is provided within the scope of the Data Protection Regulation and no adequacy decision or appropriate safeguards are in place, it is possible and there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyse it and that the enforceability of your data subject rights cannot be guaranteed. When obtaining your consent via the cookie banner, you will also be informed of this.
7. Your rights
You have the right to request information at any time on the processing of your personal data carried out by us. When issuing this information, we will explain the processing of the data which we do and will make available to you an overview of the data on your person which we are holding. Should any of the data stored by us be incorrect or no longer up to date, you have the right to have this data corrected. You may also request that your data is deleted. Should it in exceptional cases be the case that it is not possible to delete the data on account of other statutory regulations, then the data will be blocked in order that it will solely be available for the legal purpose in question. You may also limit the processing of your data, e.g. if you are of the opinion that the data we are holding is not correct. You also have the right to have the data transferred to you, i.e. at your request, we will send you a digital copy of the personal data which you have supplied to us.
If you wish to act on any of the rights described here, please feel free to get in touch with us at any time using the contact details given above. This is also the case if you would like to be sent copies of guarantees as proof of having an appropriate level of data protection.
You also have the right to object to the processing of your data, on the basis of Art. 6 para. 1 point e or f of the GDPR. Ultimately, you have the right to complain to the Data Protection authorities who are responsible for overseeing us.
You have the right to revoke your consent at any time. This means that we will no longer process the data based on this consent in the future. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
Insofar as we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your particular situation. If it is a matter of objecting to data processing for direct marketing purposes, you have a general right of objection, which will also be implemented by us without giving reasons.
If you wish to make use of your right of revocation or objection, it is sufficient to send an informal message to the contact details above.
You can act on this right by contacting a supervisory authority in the member state of the town/city where you live, or where you work, or the place where the alleged violation of rights has occurred. In Hesse, where the head office of Bonano is located, the responsible supervisory authority is the Hesse Data Protection Officer, PO Box 3163, 65021 Wiesbaden.
8. Data security
We use the most up-to-date technical measures to ensure data security, in particular to protect your personal data from any danger during transmission and to prevent it from being accessed by any third parties. These measures are regularly updated to ensure that they are in all cases in line with the latest developments in technology.
9. Changes to our Privacy Statement
We may make updates to this Privacy Statement from time to time – for example, if we make modifications to our website or if there are changes in the statutory requirements in this respect.
Status: June 2021