PRIVACY POLICY

The terms used in this privacy policy (e.g. "personal data" or "processing") are based on the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

1. NAME AND ADDRESS OF THE DATA CONTROLLER

The controller within the meaning of the General Data Protection Regulation, other data protection laws applicable in the Member States of the European Union and other provisions of a data protection nature is

rhinopaq GmbH
Schornstr. 5
45128 Essen
E-mail:rhinopaq
Phone: +49 (0) 156 7844 0389

The controller of personal data is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.

This website uses SSL or TLS encryption for security reasons and to protect the transmission of personal data and other confidential content (e.g. orders or inquiries to the controller). You can recognize an encrypted connection by the character string "https://" and the lock symbol in your browser line.

2. WEB-HOSTING

Our website is hosted by a server provider in Germany - Strato AG, Otto-Ostrowski-Straße 7, 10249 Berlin. Strato is a German hosting service provider that operates in accordance with the applicable data protection laws and processes data in compliance with data protection regulations. When using the hosting services, Strato processes personal data on our behalf and in accordance with the requirements of the GDPR and in consultation with us. The legal basis for this is Art. 6 para. 1 lit. f GDPR, legitimate interest in a secure and reliable technical infrastructure.

3. COOKIES

The websiterhinopaq uses cookies. Cookies are text files that are placed and stored on a computer system via an Internet browser. Numerous websites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string of characters that can be used to assign websites and servers to the specific internet browser in which the cookie was stored. This enables the websites and servers visited to distinguish the individual browser of the data subject from other Internet browsers that contain other cookies. A specific Internet browser can be recognized and identified via the unique cookie ID. Through the use of cookies, rhinopaq.com can provide the users with more user-friendly services that would not be possible without the cookie setting. By means of a cookie, the information and offers on our website can be optimized for the benefit of the user. As already mentioned, cookies enable us to recognize the users of our website. The purpose of this recognition is to make it easier for users to use our website. For example, the user of a website that uses cookies does not have to re-enter access data each time they visit the website because this is taken over by the website and the cookie stored on the user's computer system. The data subject may, at any time, prevent the setting of cookies through our website by means of a corresponding setting of the Internet browser used, and may thus permanently deny the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via an Internet browser or other software programs. This is possible in all common Internet browsers. We use a consent management tool to obtain and document legally required consents for cookies and comparable technologies. Users can change their settings at any time via the corresponding link in the footer ("Cookie settings"). If the data subject deactivates the setting of cookies in the Internet browser used, not all functions of our website may be fully usable.

4. COLLECTION OF GENERAL DATA AND INFORMATION

The websiterhinopaq collects a series of general data and information when a data subject or automated system calls up the website. This general data and information is stored in the server log files. The (1) browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches this website (so-called referrer), (4) the sub-websites which are accessed via an accessing system on this website can be recorded, (5) the date and time of access to the website, (6) an internet protocol address (IP address), (7) the internet service provider of the accessing system and (8) other similar data and information used for security purposes in the event of attacks on the information technology systems. When using these general data and information,rhinopaq does not draw any conclusions about the data subject. Rather, this information is needed to (1) deliver the content of the website correctly, (2) optimize the content of the website as well as its advertisement, (3) ensure the long-term viability of the information technology systems and website technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.

5. CONTACT POSSIBILITY VIA THE WEBSITE

The websiterhinopaq contains information that enables a quick electronic contact to our enterprise, which also includes a general address of the so-called electronic mail (e-mail address). If a data subject contacts us by email or via a contact form, the personal data transmitted by the data subject is automatically stored. Such personal data transmitted on a voluntary basis by a data subject to the controller are stored for the purposes of processing or contacting the data subject. This personal data is not passed on to third parties.

6. ROUTINE ERASURE AND BLOCKING OF PERSONAL DATA

The controller shall process and store the personal data of the data subject only for the period necessary to achieve the purpose of storage, or as far as this is granted by the European legislator or other legislators in laws or regulations to which the controller is subject to. If the storage purpose no longer applies or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data is routinely blocked or erased in accordance with the statutory provisions.

7. RIGHTS OF THE DATA SUBJECT

A) RIGHT TO CONFIRMATION Each data subject shall have the right granted by the European legislator to obtain from the controller the confirmation as to whether or not personal data concerning him or her are being processed. If a data subject wishes to avail himself of this right of confirmation, he or she may, at any time, contact us. B) RIGHT TO INFORMATION Any person affected by the processing of personal data has the right, granted by the European legislator of directives and regulations, to obtain information free of charge at any time from the controller about the personal data stored about him/her and a copy of this information. Furthermore, the European legislator has granted the data subject access to the following information:

• • the purposes of processing
  • the categories of personal data that are processed
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations
  • if possible, the planned duration for which the personal data will be stored,
  • or, if this is not possible, the criteria for determining this duration
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
  • the existence of a right to lodge a complaint with a supervisory authority
  • if the personal data is not collected from the data subject: All available information about the origin of the data
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

Furthermore, the data subject has a right to information as to whether personal data has been transferred to a third country or to an international organization. If this is the case, the data subject also has the right to obtain information about the appropriate safeguards in connection with the transfer. If a data subject wishes to exercise this right to information, they can contact us at any time. C) RIGHT TO RECTIFICATION Any person affected by the processing of personal data has the right granted by the European legislator to demand the immediate correction of incorrect personal data concerning them. Taking into account the purposes of the processing, the data subject shall also have the right to have incomplete personal data completed, including by means of providing a supplementary statement. If a data subject wishes to exercise this right to rectification, he or she may contact us at any time. D) RIGHT TO ERASURE (RIGHT TO BE FORGOTTEN) Any person affected by the processing of personal data has the right, granted by the European legislator, to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies and insofar as the processing is not necessary:

• • The personal data was collected or otherwise processed for purposes for which it is no longer necessary.
  • The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing.
  • The data subject objects to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 (2) GDPR.
  • The personal data was processed unlawfully.
  • The deletion of personal data is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the controller is subject.
  • The personal data was collected in relation to information society services offered in accordance with Art. 8 para. 1 GDPR.

If one of the above reasons applies and a data subject wishes to have personal data stored by us erased, they can contact us at any time. If we have made the personal data public and are obliged to erase the personal data pursuant to Article 17(1) GDPR, we shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform other controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data, as far as processing is not required. We will take the necessary steps in individual cases. E) RIGHT TO RESTRICTION OF PROCESSING Any person affected by the processing of personal data has the right granted by the European legislator to require the controller to restrict the processing if one of the following conditions is met:

• • The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
  • The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
  • The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims.
  • The data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

Sofern eine der oben genannten Voraussetzungen gegeben ist und eine betroffene Person die Einschränkung von personenbezogenen Daten, die bei uns gespeichert sind, verlangen möchte, kann sie sich hierzu jederzeit an uns wenden. F) RECHT AUF DATENÜBERTRAGBARKEIT Jede von der Verarbeitung personenbezogener Daten betroffene Person hat das vom Europäischen Richtlinien- und Verordnungsgeber gewährte Recht, die sie betreffenden personenbezogenen Daten, welche durch die betroffene Person einem Verantwortlichen bereitgestellt wurden, in einem strukturierten, gängigen und maschinenlesbaren Format zu erhalten. Sie hat außerdem das Recht, diese Daten einem anderen Verantwortlichen ohne Behinderung durch den Verantwortlichen, dem die personenbezogenen Daten bereitgestellt wurden, zu übermitteln, sofern die Verarbeitung auf der Einwilligung gemäß Art. 6 Abs. 1 Buchstabe a DS-GVO oder Art. 9 Abs. 2 Buchstabe a DS-GVO oder auf einem Vertrag gemäß Art. 6 Abs. 1 Buchstabe b DS-GVO beruht und die Verarbeitung mithilfe automatisierter Verfahren erfolgt, sofern die Verarbeitung nicht für die Wahrnehmung einer Aufgabe erforderlich ist, die im öffentlichen Interesse liegt oder in Ausübung öffentlicher Gewalt erfolgt, welche dem Verantwortlichen übertragen wurde. Ferner hat die betroffene Person bei der Ausübung ihres Rechts auf Datenübertragbarkeit gemäß Art. 20 Abs. 1 DS-GVO das Recht, zu erwirken, dass die personenbezogenen Daten direkt von einem Verantwortlichen an einen anderen Verantwortlichen übermittelt werden, soweit dies technisch machbar ist und sofern hiervon nicht die Rechte und Freiheiten anderer Personen beeinträchtigt werden. Zur Geltendmachung des Rechts auf Datenübertragbarkeit kann sich die betroffene Person jederzeit an uns wenden. G) RECHT AUF WIDERSPRUCH Jede von der Verarbeitung personenbezogener Daten betroffene Person hat das vom Europäischen Richtlinien- und Verordnungsgeber gewährte Recht, aus Gründen, die sich aus ihrer besonderen Situation ergeben, jederzeit gegen die Verarbeitung sie betreffender personenbezogener Daten, die aufgrund von Art. 6 Abs. 1 Buchstaben e oder f DS-GVO erfolgt, Widerspruch einzulegen. Dies gilt auch für ein auf diese Bestimmungen gestütztes Profiling. Die Seite www.rhinopaq.com verarbeitet die personenbezogenen Daten im Falle des Widerspruchs nicht mehr, es sei denn, wir können zwingende schutzwürdige Gründe für die Verarbeitung nachweisen, die den Interessen, Rechten und Freiheiten der betroffenen Person überwiegen, oder die Verarbeitung dient der Geltendmachung, Ausübung oder Verteidigung von Rechtsansprüchen. Verarbeiten wir personenbezogene Daten, um Direktwerbung zu betreiben, so hat die betroffene Person das Recht, jederzeit Widerspruch gegen die Verarbeitung der personenbezogenen Daten zum Zwecke derartiger Werbung einzulegen. Dies gilt auch für das Profiling, soweit es mit solcher Direktwerbung in Verbindung steht. Widerspricht die betroffene Person uns gegenüber der Verarbeitung für Zwecke der Direktwerbung, so werden wir die personenbezogenen Daten nicht mehr für diese Zwecke verarbeiten. Zur Ausübung des Rechts auf Widerspruch kann sich die betroffene Person direkt an uns wenden. Der betroffenen Person steht es ferner frei, im Zusammenhang mit der Nutzung von Diensten der Informationsgesellschaft, ungeachtet der Richtlinie 2002/58/EG, ihr Widerspruchsrecht mittels automatisierter Verfahren auszuüben, bei denen technische Spezifikationen verwendet werden. H) AUTOMATISIERTE ENTSCHEIDUNGEN IM EINZELFALL EINSCHLIESSLICH PROFILING Jede von der Verarbeitung personenbezogener Daten betroffene Person hat das vom Europäischen Richtlinien- und Verordnungsgeber gewährte Recht, nicht einer ausschließlich auf einer automatisierten Verarbeitung — einschließlich Profiling — beruhenden Entscheidung unterworfen zu werden, die ihr gegenüber rechtliche Wirkung entfaltet oder sie in ähnlicher Weise erheblich beeinträchtigt, sofern die Entscheidung (1) nicht für den Abschluss oder die Erfüllung eines Vertrags zwischen der betroffenen Person und dem Verantwortlichen erforderlich ist, oder (2) aufgrund von Rechtsvorschriften der Union oder der Mitgliedstaaten, denen der Verantwortliche unterliegt, zulässig ist und diese Rechtsvorschriften angemessene Maßnahmen zur Wahrung der Rechte und Freiheiten sowie der berechtigten Interessen der betroffenen Person enthalten oder (3) mit ausdrücklicher Einwilligung der betroffenen Person erfolgt. Ist die Entscheidung (1) für den Abschluss oder die Erfüllung eines Vertrags zwischen der betroffenen Person und dem Verantwortlichen erforderlich oder (2) erfolgt sie mit ausdrücklicher Einwilligung der betroffenen Person, treffen wir angemessene Maßnahmen, um die Rechte und Freiheiten sowie die berechtigten Interessen der betroffenen Person zu wahren, wozu mindestens das Recht auf Erwirkung des Eingreifens einer Person seitens des Verantwortlichen, auf Darlegung des eigenen Standpunkts und auf Anfechtung der Entscheidung gehört. Möchte die betroffene Person Rechte mit Bezug auf automatisierte Entscheidungen geltend machen, kann sie sich hierzu jederzeit an uns wenden. I) RECHT AUF WIDERRUF EINER DATENSCHUTZRECHTLICHEN EINWILLIGUNG Jede von der Verarbeitung personenbezogener Daten betroffene Person hat das vom Europäischen Richtlinien- und Verordnungsgeber gewährte Recht, eine Einwilligung zur Verarbeitung personenbezogener Daten jederzeit zu widerrufen. Möchte die betroffene Person ihr Recht auf Widerruf einer Einwilligung geltend machen, kann sie sich hierzu jederzeit an uns wenden.

8. DATA PROTECTION PROVISIONS ABOUT THE APPLICATION AND USE OF GOOGLE ANALYTICS (WITH ANONYMIZATION FUNCTION)

We use the functions of Google Analytics 4 from Google Inc. with anonymization function on our website. Google Analytics 4 is a web analysis service that collects and evaluates data on the behavior of visitors to our website, including information on referrers, pages visited, length of stay and frequency of visits. The aim is to optimize our website and analyze internet advertising. Google Analytics 4 does not store complete IP addresses, but anonymizes them directly, so that a personal reference is excluded as far as possible. For data protection-compliant use, we obtain the active consent of users before activating tracking (consent management). A contract for commissioned data processing has been concluded with Google. The personal data collected during the analysis is processed in data centers within the European Union. Data is only transferred to the USA if suitable protective measures such as the EU-US Data Privacy Framework (DPF) are in place and the conditions under data protection law are complied with. Users can prevent the setting of analytics cookies at any time in the browser settings and delete cookies that have already been set. It is also possible to object to the collection and processing by Google Analytics via a browser add-on(https://tools.google.com/dlpage/gaoptout). Further information on data protection and Google Analytics can be found at: https://www.google.de/intl/de/policies/privacy/ and https://www.google.com/intl/de_de/analytics/.

9. HUBSPOT INTEGRATION AND CRM SYSTEM

We use a HubSpot integration on our website and use HubSpot as a CRM system. HubSpot is a service of HubSpot Inc, Two Canal Park, Cambridge, MA 02141, USA ("HubSpot"). By using the HubSpot integration, we collect and process certain personal data. When people visit our website, certain data is automatically collected and transmitted to HubSpot. This includes information such as pages visited, date and time of access, time spent on the website and other statistical data. This data is used to analyze and optimize our website. This data collection can be rejected by rejecting the analytics cookies. Furthermore, contact forms can be filled out via our website. Data such as your name or email address is requested and recorded here. This data is used by us to process the inquiries and for communication purposes, provided consent has been given. We pass on certain personal data to HubSpot in order to use it in the CRM system. HubSpot processes this data on our behalf and in accordance with its own data protection regulations. Since 2021, HubSpot has been operating data centers in the European Union (in particular Germany and Ireland), which means that data processing can be carried out in accordance with European data protection law. The transfer of personal data to the USA or other third countries only takes place if suitable protective measures are in place, in particular on the basis of the EU-US Data Privacy Framework (DPF) and standardized data protection agreements (SCCs). HubSpot supports us in managing customer relationships, carrying out marketing activities and improving our services. The legal basis for processing personal data via HubSpot is usually your consent, performance of a contract or legitimate interest in compliance with data protection laws. We ensure that all data processing is carried out in accordance with the applicable data protection laws. The data processing agreement with HubSpot can be requested from us or viewed directly at HubSpot. In accordance with the applicable data protection laws, you have the right to information, correction, deletion, restriction of processing, data portability and objection to your personal data in HubSpot. If you have any questions or wish to exercise these rights, you can contact us at any time.

10. LEGAL BASIS OF THE PROCESSING

Art. 6 I lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, with processing operations necessary for the supply of goods or the provision of any other service or consideration, the processing is based on Art. 6 I lit. b GDPR. The same applies to such processing operations that are necessary to carry out pre-contractual measures, for example in cases of inquiries about our products or services. If we are subject to a legal obligation which requires the processing of personal data, such as for the fulfillment of tax obligations, the processing is based on Art. 6 I lit. c GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. Then the processing would be based on Art. 6 I lit. d GDPR. Ultimately, processing operations could be based on Art. 6 I lit. f GDPR. This legal basis is used for processing operations which are not covered by any of the abovementioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. We are permitted to carry out such processing operations in particular because they have been specifically mentioned by the European legislator. In this respect, it took the view that a legitimate interest could be assumed if the data subject is a customer of the controller (Recital 47 Sentence 2 GDPR).

11. LEGITIMATE INTERESTS IN PROCESSING PURSUED BY THE CONTROLLER OR BY A THIRD PARTY

If the processing of personal data is based on Article 6 I lit. f GDPR, our legitimate interest is the performance of our activities for the benefit of our well-being.

12. DURATION FOR WHICH THE PERSONAL DATA IS STORED

The criterion for the duration of the storage of personal data is the respective statutory retention period. After this period has expired, the corresponding data is routinely deleted, provided that it is no longer required for contract fulfillment or contract initiation.

13. STATUTORY OR CONTRACTUAL REQUIREMENTS FOR THE PROVISION OF PERSONAL DATA; NECESSITY FOR THE CONCLUSION OF THE CONTRACT; OBLIGATION OF THE DATA SUBJECT TO PROVIDE THE PERSONAL DATA; POSSIBLE CONSEQUENCES OF FAILURE TO PROVIDE SUCH DATA

We would like to inform you that the provision of personal data is partly required by law (e.g. tax regulations) or may also result from contractual regulations (e.g. information on the contractual partner). Sometimes it may be necessary for a contract to be concluded for a data subject to provide us with personal data that must subsequently be processed by us. For example, the data subject is obliged to provide us with personal data if we conclude a contract with them. Failure to provide the personal data would mean that the contract with the data subject could not be concluded. The data subject must contact us before providing personal data. We will inform the data subject on a case-by-case basis whether the provision of the personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data and what the consequences would be if the personal data were not provided.

14. EXISTENCE OF AUTOMATED DECISION-MAKING

As responsible persons, we do not use automated decision-making or profiling.

15. SHOPIFY & WOOCOMMERCE INTEGRATIONS

The rhinopaq do not send any personal data from the user's site to us. If the smart rhinopaq function is activated, only the dimensions and weight of all products in the shopping cart are sent to our service or our servers. The data is used to offer the possible use of our reusable packaging in the checkout process. If our service confirms the possibility, positive feedback is sent back to the online store using it. rhinopaq is then suggested as the shipping method and a pop-up is created asking the user whether they would like to use reusable packaging or stick with a disposable solution. No personal data is sent, nor any information about the products beyond their weight and dimensions. The recorded data is stored by us in order to be able to determine the quality of our calculations in the long term and to optimize the service.