Global E | How to

Data protection information for the website, external sites, products and other data processing activities of shopware AG

I. General

1. Body responsible for data processing (“controller”)

shopware AG takes the protection of your personal data and the legal obligations to ensure data protection very seriously. The law requires full transparency regarding the processing of personal data. You as a data subject can only understand the details of the processing if you are duly informed about the purpose, nature and scope of the processing.That is why our data protection information explains in detail which personal data we process when you use our website (www.shopware.com) or other websites referring to our website or in any other cases described herein.The body responsible for the data processing, i.e. the controller within the meaning of the General Data Protection Regulation (GDPR), the Bundesdatenschutzgesetz (German Federal Data Protection Act – “BDSG”) and other data protection regulations isshopware AG Ebbinghoff 10 D-48624 Schöppingen Germany +49 (0) 2555 92885-0 info@shopware.com- Referred to hereinafter as "Controller" or „we“ -You can contact our data protection officer at: Sascha Kremer, Fachanwalt für IT-Recht (specialist lawyer for IT law) c/o KREMER RECHTSANWÄLTE Brückenstraße 21 D-50667 Cologne (City) GermanyPlease be aware that, if you click the links on our website, you may be redirected to other websites which are not run by us but by third parties. We either clearly mark these links or the redirection becomes clear by a change in the browser address bar. We are not responsible for compliance with the applicable data protection regulations and for secure treatment of your personal data when you use these third-party websites.

2. Definitions

GDPR terminology

For the purposes of this data protection information, we use the terms and wording of the GDPR. The definitions (Art. 4 GDPR) are available at https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016R0679.

Additional definitions:

Cookies and similar technologies

Cookies are text files which a website places on your terminal and/or which are read there. They contain combinations of letters and numbers which enable us to recognise the user and user settings when the user comes back to the website which set the cookie; they also enable the user to stay logged-in to a customer account and they enable us to statistically analyse a certain user behaviour.The WebStorage technology enables local storage of variables and values in the user’s browser cache. The technology includes the so-called "sessionStorage" which remains stored until the browser tab is closed as well as the "localStorage" which remains stored in the browser cache until the cache is emptied by the user. The localStorage technology enables, among other things, recognition of the user and user settings when the user comes back to our website.

Data categories

If we specify the data categories we process, they include but are not limited to the following data: master data (e.g. names, addresses, dates of birth), contact data (e.g. email addresses, telephone numbers, messenger services), content data (e.g. entered texts, photos, videos, contents of documents/files), contract data (e.g. contract purpose, contract terms, customer categories), payment data (e.g. bank details, payment history, use of other payment service providers), usage data (e.g. history on our website, use of certain contents, times of access, contact history and purchasing history), connection data (e.g. device information, IP addresses, URL referrer), position data (e.g. GPS data, IP geo-localisation, points of access); diagnosis data (e.g. crash logs, performance data of the website/app, other technical data for analysing failures, breakdowns and errors).

3. Information on the data processing

We only process personal data to the extent permitted by law. We only disclose or transfer personal data to third parties in the cases described below. The personal data are protected by appropriate technical and organisational measures (e.g. pseudonymisation, encryption).Except where we are obliged by law to store the data or disclose or transfer them to third parties (including but not limited to prosecuting authorities), the decision which personal data we process and for how long and to which extent we may disclose or transfer them to third parties depends on the specific website features you use from time to time.

4. Storage duration

The personal data are deleted as soon as the purpose of the processing or the prescribed storage period, if any, has expired unless the storage of the personal data needs to be continued for the purpose of entering into or performing a contract. If and to the extent we are obliged to inform you about the duration of storage of cookies and similar technologies, this information is made available in our consent tool.Personal data which we process for application purposes (see below) are stored for a period of six months from completion of the application procedure.

5. Automated individual decision-making, including profiling

Automated individual decision-making including profiling does not take place.

6. Data subjects’ rights

As a data subject you have the right of access/ right to information under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR and the right to data portability under Art. 20 GDPR. The right of access/right to information and the right to erasure are subject to the restrictions under § 34, § 35 BDSG (Bundesdatenschutzgesetz - German Federal Data Protection Act). You have the right to lodge a complaint with a supervisory authority (Art. 77 in combination with § 19 BDSG).The supervisory authority responsible for us/our headquarters is:Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen Kavalleriestraße 2-4 D-40213 Düsseldorf GermanyYou may however also lodge your complaint with another supervisory authority.A list of the available supervisory authorities is available at: https://www.bfdi.bund.de/ (Infothek/Anschriften und Links)

7. Controller’s notification obligations

We will communicate any rectification or erasure of your personal data or restriction of processing carried out in accordance with Art. 16, Art. 17 (1) and Art. 18 GDPR to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We will inform you about those recipients if you request it.

8. Obligation to provide or disclose data

Unless stated otherwise in the explanations below regarding the applicable legal basis, you are not obliged to provide or disclose personal data to us. However, in the cases referred to in Art. 6 (1) point (b) GDPR, the personal data are necessary for entering into or performing a contract. If you do not provide use with the relevant personal data, it will be impossible for us to enter into, or perform, the contract. If you do not provide us with the data in the cases referred to in Art. 6 (1) point (a) and (f) GDPR, you will not be able to use the respective parts of our website.You are not obliged to provide us with your personal data for the purposes of our events; you will however not be able to participate in the events without providing your data.

9. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (f) of Art. 6 (1) GDPR. Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing.The objection is not subject to formal requirements and should be sent to the contact data stated above.

10. Withdrawal of consent

Pursuant to Art. 7 (3) sentence 1 GDPR, you have the right to withdraw your consent by mail or email, without observing any other formal requirements, at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. After you have withdrawn your consent, we will delete the personal data we have processed based on your consent unless there is another legal basis for the processing of these data.The withdrawal is not subject to formal requirements and should be sent to the contact data stated above.You can also withdraw your consent(s) by deactivating the relevant data processing services directly in our consent tool. Please be aware that you have to withdraw your consent on every single device from which you have accessed our website and consented to the data processing.

II. Data processing in connection with the use of our website

Generally, the use of the website and its features necessarily involves the processing of personal data.

Subscription to our newsletter

Purposes of data processing: Subscription to our newsletter which contains our news and offers; maintaining proof of your consent; ensuring the security of our information technology systems; personalised design of our newsletter based on your user behaviour.

Legal basis: Art. 6 (1) point (a), Art. 49 (1) point (a) GDPR.

Data categories: master data, contact data and connection data.

Data recipients: HubSpot Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, USA; HubSpot European Office, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland; rami.io GmbH, Markgräfler Straße 16, D-69126 Heidelberg, Germany.

Intended transfer to third countries: in individual cases: USA and other third countries (based on the standard data protection clauses of the European Commission, Art. 46 (2) point (c) GDPR).

Do we store personal data on your terminal based on your consent or do we read such data? No.

After-Sales mails

Purposes of data processing: Sending gratuitous and, where appropriate, personalised after-sales mails which contain news, offers, information and campaigns or promotions involving shopware partners (https://store.shopware.com/hersteller-uebersicht/).

Legal basis: Art. 6 (1) point (f) GDPR.

Data categories: connection data.

Data recipients: The data are only transferred to third parties if this is necessary for the operation of our website. For such purpose, the personal data are transferred to the following recipients: Profihost AG, Expo Plaza 1, D-30539 Hannover, Germany; Link11 GmbH, Lindleystraße 12, D-60314 Frankfurt am Main, Germany.

Intended transfer to third countries: None.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Registering for, and holding of, webinars

Purposes of data processing: Registering for webinars on our website; maintaining proof of your registration; holding of webinars; ensuring the security of our information technology systems.

Legal basis: Art. 6 (1) point (b), Art. 49 (1) point (a) GDPR.

Data categories: master data, contact data and connection data.

Data recipients: HubSpot Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, USA; HubSpot European Office, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland; depending on the specific tool used: Zoom Video Communications, Inc.; 55 Almaden Boulevard, Suite 400, 500, 600 San Jose, CA 95113, USA; Thinkific HQ, 400 – 369 Terminal Avenue, Vancouver, BC, Canada V6A 4C4.

Intended transfer to third countries: USA, Canada and other third countries (based on adequacy decisions of the European Commission, Art. 45 GDPR, and based on the standard data protection clauses of the European Commission, Art. 46 (2) point (c) GDPR).

Do we store personal data on your terminal based on your consent or do we read such data? No.

Registering for, and implementing of, the shopware app contest

Purposes of data processing: Registering for the shopware app contest on our website; maintaining proof of your registration; implementation of the contest; notification of winners; announcement of the winner of the shopware app contest on our website; further development of the shopware app contest; integration of the data into our CRM system; ensuring the security of our information technology systems.

Legal basis: Art. 6 (1) point (b), Art. 49 (1) point (a) GDPR.

Data categories: master data, contact data, contract data and connection data.

Data recipients: HubSpot Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, USA; HubSpot European Office, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland.

Intended transfer to third countries: USA and other third countries (based on the standard data protection clauses of the European Commission, Art. 46 (2) point (c) GDPR).

Do we store personal data on your terminal based on your consent or do we read such data? No.

Registering for our user group meetings

Purposes of data processing: Preparation and implementation of the shopware user group meeting in which you want to participate regularly; ensuring the security of the information technology systems.

Legal basis: Art. 6 (1) point (b), (f) GDPR.

Data categories: master data, contact data and connection data.

Data recipients: Only to the extent that this is required for the implementation of the shopware user group meeting (e.g. cooperation partner who provides the rooms for the meeting).

Intended transfer to third countries: None.

Evaluation for product changes (booking)

Purpose of processing: If you want to switch to a Shopware plan, you can do so in your customer account and in various places in the admin area. In this case, we evaluate the requested plan and the GMV (gross merchandise value) specified by you in order to optimize our product and price structure in the future.

Legal basis: Art. 6 (1) point (f) GDPR

Recipient of the data: Google Ireland Ltd, Gordon House, Barrow Street Dublin 4 Ireland, Microsoft Ireland Operations Limited (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521 ("Microsoft").

Intended third country transfer: In individual cases, USA on the basis of the adequacy decision pursuant to Art. 45 GDPR (EU-US. Data Privacy Framework).

Do we store or read personal data on your end device based on your consent? Yes (details can be found in our Consent Tool).

Provision of the website

Purposes of data processing: Functioning and optimisation of the website and ensuring the security of our information technology systems if our website is used for mere information purposes (without using additional features such as contact forms or social media plug-ins); integration and display of features and contents (e.g. diagrams) which we do not provide ourselves.

Legal basis: Art. 6 (1) point (f) GDPR.

Data categories: connection data.

Data recipients: The data are only transferred to third parties if this is necessary for the operation of our website. For such purpose, the personal data are transferred to the following recipients: Profihost AG, Expo Plaza 1, D-30539 Hannover, Germany; Link11 GmbH, Lindleystraße 12, D-60314 Frankfurt am Main, Germany.

Intended transfer to third countries: None.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Applications (application form and applications sent by email)

Purposes of data processing: Processing of your application and implementation of the application procedure; consideration of your application for future application procedures in our company or affiliated companies if you have expressly consented to this.

Legal basis: Art. 6 (1) point (a) GDPR in combination with Art. 7 GDPR and in combination with Art. 9 GDPR, Art. 49 (1) point (a) GDPR.

Data categories: master data, contact data, content data, contract data; and, if applicable, connection data, usage data and special categories of personal data within the meaning of Art. 9 (1) GDPR (depending on the specific job advertisement; we only store those data relating to your application which you disclose to us and which we are allowed to process for application purposes).

Data recipients: Bamboo HR LLC, 335 South 560 West Lindon, UT 84042-1911, USA. Only if you give your express consent, we will transfer the data to our affiliated companies for their current and possibly also future application procedures.

Intended transfer to third countries: In individual cases USA based on consent.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Blog with comment feature

Purposes of data processing: Implementation of the comment feature; verification of the origin of the comment; security of our systems.

Legal basis: Art. 6 (1) point (f) GDPR.

Data categories: master data, contact data and connection data.

Data recipients: None.

Intended transfer to third countries: None.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Displaying videos on the Shopware website

Purpose of processing: Videos on the Shopware website are provided by means of the Bunny Stream service from the provider BunnyWay d.o.o. When a video is loaded on this page, a direct connection to the Bunny Way servers is established.

Legal basis: Art. 6 (1) point (f) GDPR.

Data categories: connection data.

Recipient of the data: BunnyWay d.o.o., Dunajska cesta 165, 1000 Ljubljana, Slovenia.

Intended third-country transfer: None.

Do we store personal data on your end device based on your consent or read such data? No.

Implementation of the survey on our website

Purposes of data processing: Evaluation of the survey based on your anonymized and aggregated data for the purpose of market and opinion research; ensure that there are no multiple participations in the surveys that could skew the results.

Legal basis: Art. 6 (1) point (f) GDPR.

Data categories: connection data.

Data recipients: eresult GmbH, Friedrichstraße 3-4, 37073 Göttingen; Questback AS, Bogstadveien 54, 0366 Oslo, Norway.

Intended transfer to third countries: None.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Integration of external content

Purposes of data processing: Integration of external content (Instagram, Facebook, Twitter, YouTube) for personalised website design.

Legal basis: Art. 6 (1) point GDPR, Art. 49 (1) point (a) GDPR.

Data categories: connection data.

Data recipients: depending on the content: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”); Google Ireland Ltd., Gordon House, Barrow Street Dublin 4 Ireland; Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland (“Twitter”).

Intended transfer to third countries: In individual cases USA on the basis of consent and other third countries (based on the standard data protection clauses of the European Commission, Art. 46 (2) point (c), and based on adequacy decisions, Art. 45 GDPR).

Do we store personal data on your terminal based on your consent or do we read such data? Yes (for more details please go to our consent tool).

eTracker

Purpose of processing: Statistical analysis; optimization and needs-based design of our website based on your click and usage behavior.

Legal basis: Art. 6 (1) point (a) GDPR.

Data categories: Usage data, connection data.

Recipient of the data: eTracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany.

Intended third country transfer: None.

Do we store or read personal data on your end device based on your consent? Yes (details can be found in our Consent Tool).

Facebook Custom Audiences

Purposes of data processing: Display of personalised advertisements in the facebook advertising network (facebook ads) on the basis of your pseudonymously recorded surfing behaviour.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: master data, contact data, usage data and connection data.

Data recipients: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (as joint controller according to Art. 26 GDPR with respect to the processing of event data for the targeting of ads, the improvement of ad display and the individualisation of features and contents and, where applicable, the delivery of commercial and transaction-related data – the key elements of the contract concluded for such purpose (including information on the implementation of your rights as a data subject) are available at: https://www.facebook.com/legal/controller_addendum ; further information on the processing of personal data by Facebook, the legal basis on which Facebook relies for the processing, and on the exercise of the data subjects’ rights in the relationship with Facebook is available at: https://www.facebook.com/about/privacy.

Intended transfer to third countries: in individual cases USA on the basis of consent, other third countries (based on the standard data protection clauses of the European Commission, Art. 46 (2) point (c) GDPR, or - where applicable - on the basis of adequacy decisions (Art. 45 GDPR)).

Do we store personal data on your terminal based on your consent or do we read such data? Yes (for more details please go to our consent tool).

G2 crowd

Purposes of data processing: Statistical analysis; optimisation and customisation of our website design based on your clicks and user behaviour.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: usage data, connection data.

Data recipients:G2 Crowd, Inc., 20 N. Wacker Dr., Suite 1800, Chicago, IL 60606, USA.

Intended transfer to third countries: In individual cases USA on the basis of consent.

Do we store personal data on your terminal based on your consent or do we read such data? Yes (for more details please go to our consent tool).

Google Ads Conversion Tracking

Purposes of data processing: Measuring the success of our Google Ads advertising campaigns.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: usage data, connection data.

Data recipients: Google Ireland Ltd., Gordon House, Barrow Street Dublin 4 Ireland.

Intended transfer to third countries: in individual cases: USA (based on the standard data protection clauses of the European Commission, Art. 46 (2) point (c) GDPR).

Do we store personal data on your terminal based on your consent or do we read such data? Yes (for more details please go to our consent tool).

Google Analytics

Purposes of data processing: Statistical analysis; optimisation and customisation of our website design based on your clicks and user behaviour.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: usage data, connection data.

Data recipients: Google Ireland Ltd., Gordon House, Barrow Street Dublin 4 Ireland.

Intended transfer to third countries: in individual cases USA on the basis of consent.

Do we store personal data on your terminal based on your consent or do we read such data? Yes (for more details please go to our consent tool).

Google Maps

Purposes of data processing: Integration of interactive maps and mapping features of Google Maps.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: usage data, connection data, position data (depending on the specific kind of use).

Data recipients: Google Ireland Ltd., Gordon House, Barrow Street Dublin 4 Ireland.

Intended transfer to third countries: None.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Google Marketing Platform (formerly: Google DoubleClick)

Purposes of data processing: Marketing and optimisation; display of relevant advertisements; improvement of campaign performance reports; avoiding repeated display of the same advertisements.

Legal basis: Art. 6 (1) point (f) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: usage data, connection data.

Data recipients: Google Ireland Ltd., Gordon House, Barrow Street Dublin 4 Ireland.

Intended transfer to third countries: in individual cases USA on the basis of consent.

Do we store personal data on your terminal based on your consent or do we read such data? Yes (for more details please go to our consent tool).

Google Optimize

Purposes of data processing: Analysis of how our website is used; optimisation and customisation of our website design; implementation of A/B tests.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: connection data, usage data.

Data recipients: Google Ireland Ltd., Gordon House, Barrow Street Dublin 4 Ireland.

Intended transfer to third countries: in individual cases USA on the basis of consent.

Do we store personal data on your terminal based on your consent or do we read such data? Yes (for more details please go to our consent tool).

Google reCAPTCHA

Purposes of data processing: Preventing misuse of our website by verifying whether access is made by humans or by bots or similar programs; ensuring the security of our website and our information technology systems.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: usage data, connection data.

Data recipients: Google Ireland Ltd., Gordon House, Barrow Street Dublin 4 Ireland.

Intended transfer to third countries: in individual cases USA on the basis of consent.

Do we store personal data on your terminal based on your consent or do we read such data? Yes.

Google Tag Manager

We use the Google Tag Manager to embed contents of third-party providers. This is a technical solution which does not itself store or read cookies or similar technologies requiring consent, but merely controls the conditions under which the other programs used on our website and described below are activated.

hCaptcha

Purpose of processing: Preventing the misuse of our website by checking whether access is made by humans and not by bots or similar programs; ensuring the security of our website and our information technology systems.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: Usage data, connection data.

Recipient of the data: Intuition Machines, Inc, 1625 North Market Blvd Sacramento, CA 95834

Intended third country transfer: In individual cases USA.

Do we store or read personal data on your end device based on your consent? Yes.

HubSpot (marketing hub)

Purposes of data processing: Analysis of clicks and user behaviour for optimisation and customisation of our website design and for advertising purposes.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: connection data.

Data recipients: HubSpot Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, USA; HubSpot European Office, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland.

Intended transfer to third countries: In individual cases USA on the basis of consent.

Do we store personal data on your terminal based on your consent or do we read such data? Yes (for more details please go to our consent tool).

Kameleoon

Purpose of processing: Analysis of the use of our website; optimization and needs-based design of the website; A/B testing.

Legal basis: Art. 6 (1) point (a) GDPR.

Data categories: Usage data, connection data.

Recipient of the data: Kameleoon GmbH, beim Alten Ausbesserungswerk 4, 77654 Offenburg, Germany / Kameleoon SAS, 12 Rue de la Chaussée d'Antin 75009 Paris, France.

Intended third country transfer: None.

Do we store or read personal data on your end device based on your consent? Yes (details can be found in our Consent Tool).

Contact requests and use of the chat function

Purposes of data processing: Processing of your contact request; use of our contact forms and our chat function.

Legal basis: Art. 6 (1) point (f) GDPR; Art. 6 (1) point (b) GDPR (when the request leads to subsequent contract conclusion or pertains to an existing contract), Art. 49 (1) point (a) GDPR.

Data categories: depending on the type of the request. Usually: contact data and master data.

Data recipients: HubSpot Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, USA; HubSpot European Office, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland.

Intended transfer to third countries: In individual cases USA on the basis of consent.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Contacting contractual partners

Purposes of data processing: Passing the contact request on to our partner (producer).

Legal basis: Art. 6 (1) point (f) GDPR.

Data categories: connection data.

Data recipients: The data are only transferred to third parties if this is necessary for the operation of our website. For such purpose, the personal data are transferred to the following recipients: Profihost AG, Expo Plaza 1, D-30539 Hannover, Germany; Link11 GmbH, Lindleystraße 12, D-60314 Frankfurt am Main, Germany.

Intended transfer to third countries: None.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Customer account

Purposes of data processing: Use of a customer account (as a prerequisite for placing purchase orders in our online shop); ensuring data and information security; allocation of future usage processes (purchase orders, contact requests, blog contributions); integration of the data into our CRM system; ensuring the security of our systems.

Legal basis: Art. 6 (1) point (b), Art. 49 (1) point (a) GDPR.

Data categories: master data, contact data and connection data.

Data recipients: HubSpot Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, USA; HubSpot European Office, Ground Floor, Two Dockland Central Guild Street, Dublin 1, Ireland.

Intended transfer to third countries: In individual cases USA on the basis of consent.

Do we store personal data on your terminal based on your consent or do we read such data? No.

LinkedIn ads

Purposes of data processing: Display of personalised advertisements (so-called “LinkedIn ads”) on LinkedIn and/or in the LinkedIn network; measuring the success of our LinkedIn advertising campaigns (so-called “conversion tracking”).

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: usage data, connection data.

Data recipients: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ("LinkedIn").

Intended transfer to third countries: In individual cases USA on the basis of consent.

Do we store personal data on your terminal based on your consent or do we read such data? Yes (for more details please go to our consent tool).

Microsoft Advertising (formerly: Bing Advertising) and Bing Pixel

Purposes of data processing: Analysis of how our website is used; display of personalised advertisements in the Microsoft Advertising advertising network on the basis of your pseudonymously recorded surfing behaviour and for measuring the success of our Microsoft Advertising campaigns and for optimising them.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: usage data, connection data.

Data recipients: Microsoft Ireland Operations Limited (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521 ("Microsoft"). When Universal Tracking Event (UET) is used, Microsoft processes personal data. Further information on data processing by Microsoft is available at: https://privacy.microsoft.com/de-de/privacystatement.

Intended transfer to third countries: In individual cases USA on the basis of consent, .

Do we store personal data on your terminal based on your consent or do we read such data? Yes (for more details please go to our consent tool).

Online shop

Purposes of data processing: Operation of the online shop; processing of your purchase orders and requests; ensuring the security of our online shop.

Legal basis: Art. 6 (1) point (b), (f) GDPR.

Data categories: master data, contact data, contract data, content data, connection data, and payment data. If you have already created a customer account with us, you only have to log in to your account and we will then use the personal data from your customer account.

Data recipients: payment service providers; IT service providers.

Intended transfer to third countries: None.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Oktopost

Purpose of processing: Social media and analysis

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: Contact data, usage data

Recipient of the data: Oktopost Technologies Inc, 34 Tuval Street, Tel Aviv, Israel

Intended third country transfer: in individual cases USA on the basis of consent.

Do we store or read personal data on your end device based on your consent? Yes (details can be found in our Consent Tool).

Sentry

Purposes of data processing: Analysis of how our apps are used and of the terminals used for avoiding (system) crashes and other technical problems in connection with our apps.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: connection data, usage data, content data (as applicable from time to time).

Data recipients: Functional Software Inc. Sentry 132 Hawthorne Street San Francisco, California 94107, USA.

Intended transfer to third countries: In individual cases USA on the basis of consent.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Shopware Community Hub

Purpose of data processing: Provision of a user account as a prerequisite for access to the Community Hub; provision and administration of the Community Hub, including various so-called tracks, e.g. the "Growth", "Community" and "Mentor" tracks; personalization; provision of user profiles; assignment of future usage processes, e.g. follow function, interaction between users via chat and comment function; presentation of participation in events (no registration); access to other user profiles insofar as these are activated for other users; access to learning materials and learning aids. Follow function, interaction between users via chat and comment function; display of participation in events (no registration); access to other user profiles, insofar as these are activated for other users; access to learning materials and learning paths; access to leaderboard (points-based ranking for activity in the Community Hub feeds).

Legal basis: Art. 6 (1) point (a), (b), where applicable (c), (f) GDPR.

Data categories: Where applicable master data; contact data, content data, usage data, connection data.

Data recipients: IT service provider; possibly third parties (insofar as there is a legal obligation to provide information).

Intended transfer to third countries: None.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Shopware Community Hub - Community Track

Purpose of data processing: Interaction between users, e.g. via chat and comment function, reproduction of linked or publicly accessible content or content from third-party platforms that can be found, for example, by means of a tag or other identification.

Legal basis: Art. 6 (1) point (a) and (b), insofar as there is a link between a third-party provider and the Shopware Community Hub, (f) GDPR

Data categories: Where applicable, master data; contact data, content data, usage data, connection data.

Data recipients: IT service provider.

Intended transfer to third countries: None.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Shopware Community Hub - Growth Track

Purpose of data processing: Access to learning materials and learning paths.

Legal basis: Art. 6 (1) point (b) if there is a link between a third-party provider and the Shopware Community Hub, (f) GDPR.

Data categories: Where applicable, master data; contact data, content data, usage data, connection data.

Data recipients: IT service provider.

Intended transfer to third countries: None.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Single-Sign-On (SSO) for Shopware Community Hub

Purpose of data processing: Simplification of login to the Shopware Community Hub (authentication); if necessary, automatic completion of the information required to create a user account, insofar as this is stored with the respective IT service provider.

Legal basis: Art. 6 (1) point (b), (f) GDPR.

Data categories: Where applicable, master data, contact data.

Data recipients: IT service provider.

Intended transfer to third countries: None.

Do we store personal data on your terminal based on your consent or do we read such data? No.

shopware store wish list

Purposes of data processing: Saving items on your wish list for later visits to the store, provided you use the corresponding function ("Add to Wish List").

Legal basis: Art. 6 (1) point (b), (f) GDPR.

Data categories: connection data, usage data.

Data recipients: None.

Intended transfer to third countries: None.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Booking of training courses

Purposes of data processing: Preparation, provision and marketing of the training courses as well as uploading of videos, preparation of tests and organisation of all contents.

Legal basis: Art. 6 (1) point (b), (f) GDPR.

Data categories: master data, contact data, connection data, country of origin, booked training course, company name, software identification number (SW ID).

Data recipients: Thinkific HQ, 400 – 369 Terminal Avenue, Vancouver, BC, Canada V6A 4C4.

Intended transfer to third countries: Canada (based on the adequacy decision of the European Commission, Art. 45 GDPR); in individual cases, if applicable: USA on basis of consent.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Twitter Advertising and Twitter Pixel

Purposes of data processing: Analysis of how our website is used; display of personalised advertisements in the Twitter Advertising advertising network on the basis of your pseudonymously recorded surfing behaviour and for measuring the success of our Twitter Advertising campaigns and for optimising them.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: usage data, connection data.

Data recipients: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland ("Twitter").

Intended transfer to third countries: In individual cases USA on the basis of consent.

Do we store personal data on your terminal based on your consent or do we read such data? Yes (for more details please go to our consent tool).

Unzer

Purposes of data processing: Payment processing via the payment service provider; offering various payment options with various service providers (e.g. PayPal).

Legal basis: Art. 6 (1) point (b) GDPR.

Data categories: contact data; master data; contract data, where applicable; payment data; usage data, where applicable; connection data.

Data recipients: Unzer GmbH, Vangerowstraße 18, 69115 Heidelberg, Germany; if chosen as payment service provider: PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (“PayPal”).

Intended transfer to third countries: None.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Usercentrics

Purposes of data processing: When you visit our website, certain information is read or stored on your terminal if this is absolutely necessary for the operation of our website. This includes information which Usercentrics processes to ensure that only those cookies are set or read which are technically indispensable for the operation of our website or to which you have consented. We have selected the operator by criteria relating to data protection by design and by default.

Legal basis: Art. 6 (1) point (c), (f) GDPR.

Data categories: usage data, connection data.

Data recipients: Usercentrics GmbH, Rosental 4, 80331 Munich, Germany.

Intended transfer to third countries: None.

Do we store personal data on your terminal based on your consent or do we read such data? No.

VWO

Purpose of processing: Our website uses A/B and multiversion tests from VWO, a web analytics service from Wingify Software Pvt. Ltd. called VWO. VWO uses cookies. VWO collects information about user behavior in order to improve the user-friendliness of the website.

Legal basis: Art. 6 (1) point (a) GDPR.

Data categories: The only information VWO collects via a cookie is a visitor ID. VWO uses aggregated data to analyze the non-personal use of the website and to compile reports on website activity. All data is anonymized and stored in aggregated form.

Option to prevent processing (opt-out): Users can object to the use of VWO at any time by clicking on the following link: https://www.shopware.com/?vwo_opt_out=1

Recipient of the data: Wingify Software Pvt. Ltd. acting as VWO, address: Hamburg office, Heidenkampsweg 58, Hamburg, 20097, Germany.

Intended third country transfer: None. The information generated by cookies about the use of our website is transferred to a VWO server within the EU and stored there.

Do we store personal data on your end device based on your consent or do we read this data? Yes (lifetime of the cookie: 100 days).

III. Information on external sites of shopware AG

Facebook

Purposes of data processing: We established a site about our company on the “Facebook” platform under https://www.facebook.com/shopware (“Facebook site”). When you access that site, Facebook processes personal data concerning you. We receive statistics regarding the use of that site which are derived from your data.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: master data, contact data, content data, usage data, connection data; position data, where applicable.

Data recipients: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”) (as joint controller according to Art. 26 GDPR – the key elements of the contract concluded for such purpose are available at: https://www.facebook.com/legal/terms/page_controller_addendum).

Intended transfer to third countries: In individual cases USA on the basis of consent.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Data subjects’ rights: The implementation of your rights as a data subject is the responsibility of Facebook. Facebook provides information about your rights as a data subject at: https://www.facebook.com/legal/terms/information_about_page_insights_data You may also send any request regarding your rights to us, we will promptly pass it on to Facebook.

Gartner peerinsights

Purposes of data processing: We established a profile on the “Gartner peerinsights” platform of Gartner, Inc., 56 Top Gallant Road, Stamford, CT 06902, USA ("Gartner peerinsights") under https://www.gartner.com/reviews/market/digital-commerce/vendor/shopware/product/shopware. When you access that site, Gartner processes personal data concerning you. We receive statistics regarding the use of that site which are derived from your data.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: master data, contact data, content data, usage data, connection data; position data, where applicable.

Data recipients: Gartner, Inc., 56 Top Gallant Road, Stamford, CT 06902, USA.

Intended transfer to third countries: in individual cases USA based on consent.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Instagram

Purposes of data processing: We established a site about our company on the “Instagram” platform of Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”) under https://www.instagram.com/shopware (“Instagram site”). When you access that site, Facebook processes personal data concerning you.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: master data, contact data, content data, usage data, connection data; position data, where applicable.

Data recipients: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”) (as joint controller according to Art. 26 GDPR – the key elements of the contract concluded for such purpose are available at: https://www.facebook.com/legal/terms/page_controller_addendum).

Intended transfer to third countries: In individual cases USA on the basis of consentand other third countries (based on the standard data protection clauses of the European Commission, Art. 46 (2) point (c), and based on adequacy decisions, Art. 45 GDPR).

Do we store personal data on your terminal based on your consent or do we read such data? No.

Data subjects’ rights: The implementation of your rights as a data subject is the responsibility of Facebook. Facebook provides information about your rights as a data subject at: https://www.facebook.com/legal/terms/information_about_page_insights_data You may also send any request regarding your rights to us, we will promptly pass it on to Facebook.

Instatus

Purpose of processing: Provision of information about the availability of our systems and services.

Legal basis: Art. 6 (1) point (f) GDPR.

Data categories: Master data (for information by email), contact data (for information by email or SMS), usage data and connection data (for information by Slack or MS Teams).

Recipient of the data: Instatus Inc, 9450 SW Gemini Dr, PMB 30900 Beaverton, Oregon, USA.

Intended third country transfer: USA on the basis of standard data protection clauses of the EU Commission, Art. 46 (2) point (c) GDPR.

Do we store or read personal data on your end device based on your consent? No.

kununu (profile)

Purposes of data processing: We established a site about our company on the “kununu” platform under https://www.kununu.com/de/shopware. When you access that site, kununu processes personal data concerning you.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR. Data categories: master data, contact data, content data, usage data, connection data; position data, where applicable.

Data recipients: New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany (“kununu”).

Intended transfer to third countries: In individual cases USA on the basis of consent and other third countries (based on the standard data protection clauses of the European Commission, Art. 46 (2) point (c), and based on adequacy decisions, Art. 45 GDPR).

Do we store personal data on your terminal based on your consent or do we read such data? No.

LinkedIn (profile)

Purposes of data processing: We established a site about our company on the “LinkedIn” platform under https://www.linkedin.com/company/shopware-ag. When you access that site, LinkedIn processes personal data concerning you. We receive statistics regarding the use of that site which are derived from your data.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: master data, contact data, content data, usage data, connection data; position data, where applicable.

Data recipients: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (as joint controller according to Art. 26 GDPR – the key elements of the contract concluded for such purpose are available at: LinkedIn).

Intended transfer to third countries: In individual cases USA on the basis of consent and other third countries (based on the standard data protection clauses of the European Commission, Art. 46 (2) point (c)).

Do we store personal data on your terminal based on your consent or do we read such data? No.

Data subjects’ rights: The implementation of your rights as a data subject is the responsibility of LinkedIn. LinkedIn provides information about your rights as a data subject at: https://www.linkedin.com/legal/privacy-policy You may also send any request regarding your rights to us, we will promptly pass it on to LinkedIn.

Pinterest (profile)

Purposes of data processing: We established a site on the “Pinterest” platform under https://www.pinterest.de/shopware_ag/. When you access that site, Pinterest processes personal data concerning you. We receive statistics regarding the use of that site which are derived from your data.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: master data, contact data, content data, usage data, connection data; position data, where applicable.

Data recipients: Pinterest Europe Ltd., Palmerston House, 2nd FloorFenian Street, Dublin 2, Ireland.

Intended transfer to third countries: In individual cases USA on the basis of consent.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Trustpilot

Purposes of data processing: We established a profile on the “Trustpilot” platform of Trustpilot A/S, Pilestræde 58, 5, 1112 Copenhagen, Denmark ("Trustpilot") under https://de.trustpilot.com/review/shopware.de. When you access that site, Trustpilot processes personal data concerning you. We receive statistics regarding the use of that site which are derived from your data.

Legal basis: Art. 6 (1) point (f) GDPR.

Data categories: master data, contact data, content data, usage data, connection data; position data, where applicable.

Data recipients: Trustpilot A/S, Pilestræde 58, 5, 1112 Copenhagen, Denmark.

Intended transfer to third countries: None.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Twitter

Purposes of data processing: We established a profile on the “Twitter” platform under https://www.twitter.com/shopware. When you access that site, Twitter processes personal data concerning you. We receive statistics regarding the use of that site which are derived from your data.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: master data, contact data, content data, usage data, connection data; position data, where applicable.

Data recipients: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland (“Twitter”).

Intended transfer to third countries: In individual cases USA on the basis of consent.

Do we store personal data on your terminal based on your consent or do we read such data? No.

XING (profile)

Purposes of data processing: We established a site about our company on the “XING” platform of New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany ("New Work") under https://www.xing.com/pages/shopwareag. When you access that site, New Work processes personal data concerning you.

Legal basis: Art. 6 (1) point (f) GDPR.

Data categories: master data, contact data, content data, usage data, connection data; position data, where applicable.

Data recipients: New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany (“XING”).

Intended transfer to third countries: None.

Do we store personal data on your terminal based on your consent or do we read such data? No.

YouTube Channel

Purposes of data processing: We established a video channel on the “YouTube” platform of Google Ireland Ltd., Gordon House, Barrow Street Dublin 4 Ireland ("Google") under https://www.youtube.com/user/shopwareag. When you access that site, Google processes personal data concerning you. We receive statistics regarding the use of that site which are derived from your data.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: master data, contact data, content data, usage data, connection data; position data, where applicable.

Data recipients: Google Ireland Ltd., Gordon House, Barrow Street Dublin 4, Ireland.

Intended transfer to third countries: In individual cases USA on the basis of consent.

Do we store personal data on your terminal based on your consent or do we read such data? No.

IV. Data processing in connection with the use of our products

Shopware Analytics client-side tracking

Purpose of processing: Implementing changes to plans, services and bookings, activating additional features.

Legal basis: Art. 6 (1) point (b) (for store owners), (f) (for employees of store owners) GDPR

Data categories: Master data, contact data, content data, connection data, usage data

Recipient of the data: IT service provider

Intended third-country transfer: No.

Do we store personal data on your end device based on your consent or read such data? No.

V. Other processing activities

Registration for, and implementation of, events

Purposes of data processing: Registering for our events; implementation of our events; ensuring the security of our information technology systems.

Legal basis: Art. 6 (1) point (b), (f) GDPR.

Data categories: master data, contact data and connection data.

Data recipients: depending on the specific event.

Intended transfer to third countries: depending on the specific event.

Do we store personal data on your terminal based on your consent or do we read such data? No.

Recordings of lecturers at events

Purposes of data processing: : If you participate in our events as a lecturer, photo or video recordings will be made of the lecturer contributions. These recordings are generated for marketing purposes and, where applicable, for training purposes and may also be further used and exploited for marketing purposes and, where applicable, for training purposes. Lecturing at an event without recording is not possible.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: content data.

Data recipients: depending on the specific tool used: Zoom Video Communications, Inc.; 55 Almaden Boulevard, Suite 400, 500, 600 San Jose, CA 95113, USA; Thinkific HQ, 400 – 369 Terminal Avenue, Vancouver, BC, Canada V6A 4C4.

Intended transfer to third countries: In individual cases USA on the basis of consent, Canada and other third countries (based on adequacy decisions of the European Commission, Art. 45 GDPR, and based on the standard data protection clauses of the European Commission, Art. 46 (2) point (c) and).

Do we store personal data on your terminal based on your consent or do we read such data? No.

Recordings of participants in events

Purposes of data processing: If you participate in our events, photo or video recordings will be made of individual sequences of the event or of the entire event. The recordings may include user names, chat contents and image data of participants. These recordings are generated for marketing purposes and, where applicable, for training purposes and may also be further used and exploited for marketing purposes and, where applicable, for training purposes. Participation in an event without recording is not possible.

Legal basis: Art. 6 (1) point (a) GDPR, Art. 49 (1) point (a) GDPR.

Data categories: content data.

Data recipients: depending on the specific tool used: Zoom Video Communications, Inc.; 55 Almaden Boulevard, Suite 400, 500, 600 San Jose, CA 95113, USA; Thinkific HQ, 400 – 369 Terminal Avenue, Vancouver, BC, Canada V6A 4C4.

Intended transfer to third countries: In individual cases USA on the basis of consent, Canada and other third countries (based on adequacy decisions of the European Commission, Art. 45 GDPR, and based on the standard data protection clauses of the European Commission, Art. 46 (2) point (c) and).

Do we store personal data on your terminal based on your consent or do we read such data? No.

Data subject information for applicants

Information on the data protection of your data in the event of an application to shopware AG can be found in our Data subject information for applicants document.