gebana AG Privacy Policy
Please note that this text is an automated translation of the original German version. In case of doubt, the original version of the gebana AG Privacy Policy shall prevail.
Table of Contents
A. General Notes Applicable Across All Sales Channels
- 1. Data Controller and Scope of This Privacy Policy
- 2. Contact for Data Protection
- 3. Your Rights
- 4. Data Security
- 5. Contacting Us
- 6. Use of Your Data for Marketing Purposes
- 6.1 Centralised Data Storage and Analysis
- 6.2 Email Marketing and Newsletters
- 6.3 Direct marketing sent by post to existing customers
- 7. Disclosure to Third Parties and Access by Third Parties
- 8. Transfer of Personal Data Abroad
- 9. Retention Periods
- 10. Log File Data
- 11. Cookies
- 12. Tracking and Web Analytics Tools
- 13. Social Media
- 14. Online Advertising and Targeting
- 15. Registering for a customer account
- 16. Product Orders
- 17. Online Payment Processing
- 18. Use of WhatsApp Business
A. General Notes Applicable Across All Sales Channels
1. Data Controller and Scope of This Privacy Policy
We, gebana AG (Ausstellungsstrasse 21, 8005 Zurich, Switzerland), are the operators of both the gebana retail locations ("Retail Locations") and the website gebana.com ("Website"). Unless otherwise stated, we are responsible for the data processing activities outlined in this Privacy Policy.
Thank you for your interest in our websites. Your privacy is very important to us. We take data protection seriously and take the required measures to ensure security.
To help you understand what personal data we collect and for what purposes we use it, please read the following information carefully. We ensure the protection of data in accordance with the legal requirements of Swiss data protection law, in particular the Federal Act on Data Protection (FADP) and the EU GDPR, the provisions of which may be applicable in individual cases.
Please note that the following information may be occasionally reviewed and amended. We therefore recommend that you consult this privacy policy on a regular basis. For certain data processing activities described below, other companies may act as independent or joint data controllers. In these cases, the respective privacy policies of those companies also apply.
2. Contact for Data Protection
If you have any questions regarding data protection or wish to exercise your rights, you may contact our Data Protection Officer via email at:
[email protected]
You may also contact our EU Data Protection Representative:
Gebana B.V. (Ganzenmarkt 6, 3512 GD Utrecht, Netherlands), [email protected]
3. Your Rights
If the legal requirements are met, you have the following rights as a data subject:
Right of access: You have the right to request access to your personal data stored by us at any time free of charge when we process it. This gives you the opportunity to confirm which data concerning you is being processed and to ensure that we are using it in accordance with the applicable data protection regulations.
Right to rectification: You have the right to obtain the rectification of inaccurate personal data concerning you and to be informed about the rectification. Should this occur, we will inform the recipients of the data concerned about the corrections made, unless this is impossible or involves disproportionate effort.
Right to erasure: You have the right to obtain the erasure of personal data concerning you under certain circumstances. In specific cases, particularly if statutory retention periods exist, the right to erasure may be excluded. If this is the case, the data may be blocked instead of erased if the necessary conditions are met.
Right to restriction of processing: You have the right to request the restriction of processing of your personal data.
Right to data portability: You have the right to receive the personal data concerning you, which you have provided to us, in a readable format, free of charge.
Right to object: You can object to the processing of your personal data at any time, especially when it is processed for direct marketing purposes (such as promotional emails).
Right to withdraw consent: If you have given consent to process your personal data, you may withdraw it at any time. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
To exercise your rights, please send us an email at:
[email protected]
Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority regarding the processing of your personal data, including how and in what manner it is processed.
4. Data Security
We implement appropriate technical and organisational security measures to protect your personal data stored by us against unauthorised access, loss or unlawful processing. Our employees and contracted service providers are bound by confidentiality obligations and are required to comply with data protection regulations. Access to personal data is granted to these individuals only to the extent necessary to carry out their designated responsibilities.
We continuously update our security measures to reflect technological advancements. However, the transmission of information via the internet or other electronic means involves inherent security risks. We therefore cannot guarantee the absolute security of data transmitted in this way.
5. Contacting Us
If you contact us via our communication channels (such as email, telephone or contact forms), we process your personal data. We process the personal data you provide to us, including your name, email address, phone number and the details of your enquiry. We also record the date and time your request is received. Required fields in contact forms are indicated by an asterisk (*).
We process the information provided in these fields solely to respond to your enquiry (e.g. providing product information, assisting with contract-related matters such as returns, or incorporating your feedback to enhance our services). The legal basis for this data processing is our legitimate interest pursuant to Article 6(1)(f) EU GDPR in responding to your enquiry. If your request relates to the conclusion or performance of a contract, the legal basis is the necessity of processing for the performance of a contract pursuant to Article 6(1)(b) EU GDPR.
6. Use of Your Data for Marketing Purposes
6.1 Centralised Data Storage and Analysis
If it is possible to clearly associate the data with you, we will store and link the personal data described in this privacy policy – such as your personal details, contact history, and contract information – in a centralised database. This enables the efficient management of customer data, ensures we can respond effectively to your enquiries and allows us to provide the requested services and process the related contracts efficiently. The legal basis for this data processing is our legitimate interest pursuant to Article 6(1)(f) EU GDPR in the efficient management of user data.
We analyse this data to tailor our services to your preferences and to present you with relevant information and personalised offers. The legal basis for this data processing is our legitimate interest pursuant to Article 6(1)(f) EU GDPR in conducting marketing activities.
6.2 Email Marketing and Newsletters
When you sign up for our email newsletter (e.g. during the creation of your customer account or within your account), we collect the following data. Required fields in the registration form are indicated by an asterisk (*):
- Email address
- First and last name
We use a double opt-in process for registration to prevent misuse and ensure that the owner of the email address has expressly provided their consent. After submitting the registration form, you will receive a confirmation email containing a confirmation link. You must click this link to complete the subscription process. If the confirmation is not provided within one week, your data will be deleted and the newsletter will not be sent to this email address.
By registering, you consent to the processing of your data for the purpose of receiving communications from us about our company, our food-related offerings and other related products and services. This may include requests to participate in contests or to provide reviews for the above-mentioned products and services. We collect your name to verify if the registration is linked to an existing customer account and to personalise the content of our emails to you. By linking your data with a customer account, we can personalise the offers and content in our newsletters to better match your interests and potential needs.
We will use your data to send marketing emails until you withdraw your consent. You may revoke your consent at any time, for example, by clicking the unsubscribe link provided in every marketing email.
Our marketing emails may include web beacons or 1x1 tracking pixels or similar technical tools. A web beacon is a small, invisible graphic associated with the user ID of the newsletter subscriber. For each marketing email we send, we receive information about delivery status, including undelivered emails, successful deliveries and any delivery failures. We also receive information on how often emails are opened and which links are clicked. Additionally, we receive data regarding unsubscribes, the email programme used, the type of device (desktop or mobile) and the IP address-based location. This data is used for statistical purposes and to optimise promotional emails in terms of frequency, timing, structure and content. By doing so, we aim to better tailor the information and offers in our emails to the individual interests of the recipients.
The web beacon is deleted when you delete the email. To prevent the use of web beacons in our marketing emails, you can configure your email client to block the display of HTML in messages (if this is not already the default setting). Instructions on how to adjust these settings can typically be found in the help section of your email software, such as Microsoft Outlook.
By subscribing to our newsletter, you consent to the statistical analysis of your user behaviour for the purpose of optimising and personalising the newsletter. This consent forms the legal basis for processing your data in accordance with Article 6(1)(a) EU GDPR.
We use the marketing software Klaviyo provided by Klaviyo Inc., 60 South Street, Suite 910, Boston, Massachusetts, USA, for marketing emails. Your data is stored in a database operated by Klaviyo Inc., which may access your data to the extent necessary to provide software functionality and support for its use.
For the delivery of transactional emails (e.g. order confirmations), we use the Mailgun software provided by Sinch AB (Lindhagensgatan 74, 112 18 Stockholm, Sweden). Consequently, your data is stored in a database managed by Sinch AB, which may access your data when and as needed to ensure the provision of the software and related support services. For more information on data protection at Mailgun/Sinch AB, please click here.
The legal basis for this data processing is our legitimate interest pursuant to Article 6(1)(f) EU GDPR in utilising third-party services.
6.3 Direct marketing sent by post to existing customers
If you place an order with us, we process the name and address provided during your purchase to recommend products that are related to the ones you purchased. The legal basis for sending these communications following the sale of goods or services is our legitimate interest pursuant to Article 6(1)(f) EU GDPR in promoting our products to existing customers through direct marketing.
We also use a service provider to manage address data, which requires the transfer of this data to their servers. The data is processed and stored by the following service provider in the United States: Klaviyo Inc., 60 South Street, Suite 910, Boston, Massachusetts, USA ('Klaviyo').
7. Disclosure to Third Parties and Access by Third Parties
We rely on the assistance of other companies in order to deliver our services effectively. To use the services of these companies, it is sometimes necessary to share your personal data. Such data sharing is limited to what is required to fulfil the contract you have entered into with us, for example, with logistics or shipping providers for delivering products you have ordered. The legal basis for this processing is the performance of a contract pursuant to Art. 6(1)(b) EU GDPR.
We may also share your personal data with selected service providers, but only to the extent necessary for the provision of their services. Various third-party service providers are explicitly mentioned in this Privacy Policy, particularly in the sections on marketing. These may include IT service providers (such as software solution providers), advertising agencies and consulting firms. The legal basis for this data sharing is our legitimate interest pursuant to Article 6(1)(f) EU GDPR in engaging third-party services.
In addition, we may share your data with authorities, legal advisors or debt collection agencies if required by law or if necessary to protect our legitimate interests, particularly for enforcing claims arising from our contractual relationship with you. We may also share your personal data if our business or parts of it are to be acquired by another company and such data sharing is necessary to carry out due diligence processes or to finalise the transaction. The legal basis for this data sharing is our legitimate interest pursuant to Article 6(1)(f) EU GDPR in protecting our rights, fulfilling our legal obligations, or enabling the sale of our business.
8. Transfer of Personal Data Abroad
We may transfer your personal data to third parties located outside of your country if such transfers are necessary to perform the data processing activities described in this Privacy Policy (see esp. Sections 12-14). Such transfers are conducted in compliance with applicable legal provisions governing the disclosure of personal data to third parties. In cases where the country does not provide an adequate level of data protection, we implement contractual clauses to ensure your personal data is adequately protected with these companies.
9. Retention Periods
We store personal data only for as long as it is necessary to carry out the processing described in this Privacy Policy in accordance with our legitimate interests. The storage of contractual data is subject to mandatory retention periods under legal obligations. These obligations arise from accounting and tax regulations, which require us to retain the data. According to these regulations, business communications, concluded contracts and accounting documents must be stored for up to 10 years. Once we no longer need this data to perform the services for you, the data will be blocked. This means that the data may then only be used if this is necessary to fulfil retention obligations or to defend and enforce our legal interests. We will delete or anonymise your data when no mandatory retention period or legitimate interest requires its continued retention.
B. Specific Notes for Our Website
10. Log File Data
When you visit our website, the servers of our hosting providers – Feinheit AG (Fabrikstrasse 54, 8005 Zurich, Switzerland), Microsoft Azure (Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052, USA) and Google Cloud Platform (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) – temporarily store each access in a log file. The following data is automatically collected and stored until it is automatically deleted:
- The IP address of the requesting device
- The date and time of access
- The name and URL of the accessed file
- The website from which access was made (including any search terms used)
- The operating system and browser used (including type, version and language settings)
- The type of device used in the case of mobile access
- The city or region from which access was made
- The name of your internet service provider.
We collect and process this data to enable access and establish a connection to our website, ensure ongoing system security and stability, perform error and performance analyses, and optimise our website (see Section 12 for further details).
In the event of an attack on our website's network infrastructure or suspected unauthorised use or misuse of the website, we reserve the right to analyse the IP address and other data to investigate and prevent such incidents. Where necessary, this data may also be used to identify individuals and to pursue civil or criminal legal action against the suspected users.
The legal basis for this data processing is our legitimate interest as described above, pursuant to Art. 6(1)(f) EU GDPR.
In addition, we use cookies, applications and tools based on cookies when you visit our website. The data described herein may also be processed in this context. For more information, please refer to the subsequent sections of this Privacy Policy, particularly Section 11.
11. Cookies
Cookies are information files stored by your web browser on your computer’s hard drive or memory when you visit our website. Cookies are assigned unique identification numbers that allow your browser to be recognised and the information contained in the cookie to be accessed.
Cookies help make your visit to our website easier, friendlier and more efficient. We use cookies for various purposes, including those that are technically necessary for the website to function according to your needs. For example, we use cookies to identify you as a registered user after login, so you don’t have to re-enter your credentials when navigating different subpages. Similarly, cookies enable essential features like the shopping cart and order process functionality. Cookies also perform other technical functions necessary for the operation of the website, such as load balancing, which distributes the load across multiple web servers to optimise performance. They are also used for security purposes, such as preventing the unauthorised posting of content. Finally, cookies support the design and programming of our website, such as enabling the uploading of scripts or codes.
The legal basis for this data processing is our legitimate interest pursuant to Article 6(1)(f) GDPR in providing a user-friendly and modern website.
Most internet browsers accept cookies automatically. However, when you access our website, we request your consent for the use of non-essential cookies, particularly cookies from third-party providers used for marketing purposes. You can configure your preferences for cookies using the buttons in our cookie banner. Details about the services associated with each cookie and their respective data processing purposes are provided in the cookie banner and in subsequent sections of this Privacy Policy.
Additionally, you can configure your browser settings to prevent cookies from being saved on your computer or to notify you each time a cookie is received. Instructions for managing cookies in specific browsers are available on the following pages:
- Google Chrome
- Apple Safari
- Microsoft Edge
Please note that disabling cookies may limit the functionality of our website.
12. Tracking and Web Analytics Tools
12.1 General Information on Tracking
For the purpose of customising the design and ensuring the continuous improvement of our website, we use the web analytics tools listed below. In this context, pseudonymised user profiles are created and cookies are used (please see Section 11 for details). The information generated by the cookies regarding your use of this website is typically transmitted, along with the log file data mentioned in Section 10, to a server operated by the service provider, where it is stored and processed. In some cases, this may involve transmission to servers located abroad, such as in the United States (see Section 8 for information on security).
The processed data provides us with insights, including but not limited to:
- The navigation path taken by visitors on our website (including content viewed and products selected or purchased)
- The time spent on the website or its subpages
- The subpage from which the website was exited
- The country, region or city from which the user accessed the website
- The device used (type, version, colour depth, resolution and browser window dimensions)
- Whether the visitor is a returning or new user
The service provider processes this information on our behalf to evaluate the use of the website, compile reports on website activity and provide further services associated with website and internet usage for purposes of market research and website customisation. For certain processing activities, we and the service provider may act as joint controllers under data protection laws.
The legal basis for these data processing activities is your consent in accordance with Article 6(1)(a) EU GDPR. You may withdraw your consent at any time or refuse further processing by disabling the relevant cookies in your browser settings (see Section 11). You can also opt out by using the specific options provided by the service providers below.
For any subsequent processing of your data by the respective service provider as an (independent) data controller (e.g. sharing data with third parties such as authorities under national laws), please refer to the service provider's specific privacy policies.
12.2 Google Analytics
We use the web analytics service Google Analytics, provided by Google Ireland Limited (Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) and, where applicable, Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) ("Google").
As part of this service, data about your use of the website for the processing purposes outlined in Section 12.1 may be transmitted to servers operated by Google LLC in the United States. IP anonymisation is activated on this website. This means that your IP address will be truncated within the member states of the European Union or other parties to the Agreement on the European Economic Area before being transmitted. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there.
You can prevent Google from collecting and processing the data generated by cookies and related to your use of the website (including your IP address) by downloading and installing the browser plugin available at the following link:
http://tools.google.com/dlpage/gaoptout?hl=en. For more information on data protection at Google, please click here.
12.3 Klaviyo
We use the services of Klaviyo Inc., 60 South Street, Suite 910, Boston, Massachusetts, USA (“Klaviyo”), to analyse user behaviour on our website for our own marketing and market research purposes. Klaviyo uses cookies and may link your website usage data with your personal information if you have subscribed to our newsletter, created a customer account or completed a purchase in our webshop.
13. Social Media
13.1 Social Media Profile
Our website includes links to our profiles on the following social networking services:
- Meta Platforms Inc, 1601 S California Ave, Palo Alto, CA 94304, USA, privacy policy;
- Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA, privacy policy;
- Pinterest Inc., 651 Brannan Street, San Francisco, CA 94103, privacy policy;
- LinkedIn Unlimited Company, Wilton Place, Dublin 2, Ireland, privacy policy.
When you click on the icons of these social networking services, you will be automatically redirected to our profile on the respective network. In doing so, a direct connection is established between your browser and the server of the respective social networking service. As a result, the social networking service receives information that your IP address accessed our website and clicked on the link.
If you are logged into your account on the respective social networking service when clicking the link, the content of our website may be linked to your profile, allowing the network to associate your visit to our website with your user account. To prevent this, log out of your social media account before clicking the links. If you log into your social media account after clicking the link, the network will associate your access to our website with your user account. Please note that the respective social networking service is responsible for any associated data processing. For details, please refer to the information provided on the website of the respective social networking service.
The legal basis for any data processing that may be attributed to us is our legitimate interest pursuant to Article 6(1)(f) EU GDPR in promoting and maintaining our social media profiles.
13.2 Social Media Plugins
Our website includes social media plugins from the following providers:
- Meta Platforms Inc, 1601 S California Ave, Palo Alto, CA 94304, USA, privacy policy;
- Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA, privacy policy;
- Pinterest Inc., 651 Brannan Street, San Francisco, CA 94103, privacy policy;
- LinkedIn Unlimited Company, Wilton Place, Dublin 2, Ireland, privacy policy.
We use these social media plugins to enable you to share content from our website more easily. The social media plugins also help us increase the visibility of our content on social networking services, contributing to improved marketing efforts.
By default, the plugins on our website are deactivated. This means they do not send any data to the social networking services when you simply visit our website. To enhance data protection, we have embedded the plugins in a way that prevents an automatic connection to the servers of the social networking services. The plugins only become active when you enable them and consent to the transfer of data and its subsequent processing by the respective social networking services. Once activated, your browser establishes a direct connection to the servers of the relevant social networking service.
The content of the plugin is transmitted directly from the social networking service to your browser and embedded in our website. When this happens, the provider of the plugin receives information that your browser has accessed a specific page on our website, even if you do not have an account with that social networking service or are not currently logged in. This information, including your IP address, is transmitted directly from your browser to the provider’s server (usually located in the United States) and stored there. We do not have control over the scope of data collected by the provider through the plugin. To a certain extent, the provider and we may be considered joint controllers under data protection laws.
If you are logged into the social networking service, the provider can associate your visit to our website with your user account. If you interact with the plugins (for example, by clicking a "like" button), this information is also transmitted directly to the provider's server and stored there. This information may also be published on your social media profile and, depending on the circumstances, shared with other users. The provider of the social networking service may use this information to deliver targeted advertising and to optimise its services. This might involve creating user profiles based on your usage, interests and relationships to evaluate your website behaviour with regard to the advertising delivered to you on the social networking site, to inform other users about your activities on our website and to provide other services associated with the use of the network. For more information about the purpose and scope of data collection, as well as the further processing and use of data by the providers, please refer to the privacy policies of the respective social networking services. These policies also explain your rights and available settings to protect your privacy.
If you do not want the social network provider to associate data collected via our website with your user account, make sure that you log out of the network before activating the plugin. The legal basis for the described data processing is your consent pursuant to Article 6(1)(b) EU GDPR. You may withdraw your consent at any time by following the instructions in the privacy policy of the respective service provider.
14. Online Advertising and Targeting
14.1 General Information
We use services from various providers to present you with interesting online offers. Your browsing behaviour on our website and other providers' websites is analysed to display personalised online advertising tailored to you.
Most technologies used for tracking your browsing behaviour ("tracking") and displaying targeted advertising ("targeting") rely on cookies (see also Section 11). These cookies enable your browser to be recognised across different websites. Depending on the service provider, it may also be possible to recognise you across multiple devices (e.g. laptop and smartphone), particularly if you use a service with a registered account on multiple devices.
In addition to the data already mentioned, such as the log file data collected when you access websites (see Section 10) and data collected through cookies (see Section 11), which may be shared with the companies within the advertising networks, the following types of information may be used to select advertising that may be the most relevant to you:
- Personal details provided during the registration or use of advertising partner services (e.g. your gender, age group)
- User behaviour such as search queries, interactions with ads, types of websites visited, products viewed or purchased, and newsletter subscriptions.
We and our service providers use this data to determine whether you belong to the target audience for specific advertising campaigns. For example, after visiting our website, you may see ads for the products you viewed ("re-targeting") when visiting other websites. Depending on the scope of the data, a user profile may be created and automatically analysed to select advertisements based on the information stored in the profile, such as specific demographic segments or potential interests or behaviours. These ads may appear on various channels, including our website or app (onsite and in-app marketing) or through online advertising networks we use, such as Google.
The data may also be evaluated for the purpose of invoicing the service provider and to assess the effectiveness of advertising campaigns, better understand the needs of our users and customers, and improve future campaigns. For example, we may identify which actions (e.g. visiting specific sections of our website or submitting details) are associated with particular advertisements. Our service providers may also provide us with aggregated reports of advertising activities and information on how users interact with our website and advertisements.
The legal basis for processing this data is your consent pursuant to Article 6(1)(a) EU GDPR. You can withdraw your consent at any time by disabling the relevant cookies in your browser settings (see Section 11). Information about further options to block advertisements is available from the respective service providers, such as Google.
14.2 Google Ads
This website uses the online advertising services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (‘Google’). Google uses cookies for this purpose, such as the so-called DoubleClick cookie, which enables your browser to be recognised when you visit other websites. The information generated by cookies about your visit to this website (including your IP address) will be transmitted to and stored by Google on servers in the United States (see also Section 8). For more information on data protection at Google, please click here.
14.3 Meta
This website uses the services of Meta Platforms Inc., 1601 S California Ave, Palo Alto, CA 94304, USA (‘Meta’) for online advertising. Meta uses cookies for this purpose that enable your browser to be recognised when you visit other websites. The information generated by the cookies about your visit to this website (including your IP address) is transmitted to a Meta server in the USA and stored there (see also Section 8). Further information on data protection at Meta can be found here.
14.4 Linkster
In order to measure and visualise insights into partnerships and advertising channels, we use the tracking technology of Linkster GmbH (Colonnaden 5, 20354 Hamburg) on this site. This is a function for measuring the efficiency of the corresponding advertising measures. Furthermore, the information enables us to allocate advertising successes for billing with corresponding advertising partners.
The information generated by the cookies about your visit to this website (including your IP address) will be transmitted to and stored by Linkster on servers in Germany. Further information about Linkster can be found here. The cookies stored by Linkster GmbH are deleted after 30 days at the latest.
The information transmitted to us and the cookies are used solely for the purpose of correctly assigning the success of an advertising medium and for the corresponding billing. This processing is justified by our legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR.
15. Registering for a customer account
If you open a customer account on our website, we collect the following data, with mandatory information marked with an asterisk (*) in the corresponding form:
- Personal details:
  - Last name
  - First name
  - Billing and delivery address
  - Company, company address for corporate customers
  - Telephone number
- Login data:
  - Email address
  - Password
We use your personal data to verify your identity and to check the conditions for registration. The email address and password together serve as login data and thus to ensure that the right person is using the website with your details. We also need your email address to verify and confirm the opening of the account and for future communication with you that is necessary for the performance of the contract. In addition, this data is stored in the customer account for future contracts. For this purpose, we also enable you to store further information in the account (e.g. your preferred means of payment).
We also use the data to provide an overview of the products ordered and services purchased (see in particular sections 16 and 22) and to provide an easy way for you to manage your personal data and for us to administer our website and the contractual relationships, i.e. to establish, define the content of, process and amend the contracts concluded with you via your customer account.
The legal basis for the processing of your data for the above purpose is your consent in accordance with Art. 6(1)(a) EU GDPR. You can revoke your consent at any time by removing the information from the customer account or by deleting your customer account or by having it deleted by notifying us.
To avoid misuse, you must always treat your login data confidentially and should close the browser window when you have finished communicating with us, especially if you share your computer with others.
16. Product Orders
If you wish to order products or book services on the website, we require various data for the processing of the contract. If you do not register with your customer account (see section 15), we collect the following data, depending on the product or service, with mandatory information marked with an asterisk (*) in the corresponding form:
- Last name
- First name
- Billing and delivery address
- Company, company address for business customers
- Telephone number
- Email address
We use the data to verify your identity before concluding a contract. We also need your email address to confirm your order and for any future communication with you that is necessary for the performance of the contract. We store your data together with the order details (e.g. time, order number, etc.), the data for the ordered/booked services (e.g. description, price and characteristics of the product; ‘product data’), the data for payment (e.g. selected payment method, confirmation of payment and time; see also section 17) as well as the information for the processing and fulfilment of the contract (e.g. returning of products, use of service or warranty services, etc.) in our customer database (see section 6.1) so that we can ensure correct order processing and fulfilment of the contract.
Insofar as this is necessary for the fulfilment of the contract, we will also pass on the required information to any third-party service providers (e.g. transport companies).
The legal basis for this data processing is the fulfilment of the contract with you in accordance with Art. 6 (1) point b GDPR.
The provision of data that is not marked as mandatory is voluntary. We process this data in order to tailor our offer to your personal needs in the best possible way, to facilitate the processing of contracts, to contact you via an alternative communication channel if necessary in order to fulfil the contract, or for statistical recording and evaluation in order to optimise our offers. The legal basis for this data processing is your consent in accordance with Art. 6(1)(a) EU GDPR. You can revoke your consent at any time by notifying us.
17. Online Payment Processing
If you purchase services or products on our website that are subject to a charge, you will need to provide additional information, such as your credit card information or login details for your payment service provider, depending on the product or service and the desired method of payment, in addition to the information mentioned in Section 16. This information, along with the fact that you have purchased a service from us for the relevant amount and at the relevant time, will be forwarded to the respective payment service providers (e.g. payment solution providers, credit card issuers and credit card acquirers). Please always also note the information provided by the respective company, in particular the data protection declaration and the general terms and conditions. The legal basis for this transmission lies in the fulfilment of a contract in accordance with Art. 6 para. 1 lit. b EU GDPR.
18. Use of WhatsApp Business
Insofar as you have given your consent, we process the personal data you have provided or that is available (e.g. name, telephone number, e-mail address, messenger ID, profile picture, messages) for communication regarding the preparation and execution of any orders as well as for sending promotional information (e.g. offers, newsletters) using the instant messaging service ‘WhatsApp’ from WhatsApp Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). An existing messaging account is required to use this service. Please note that WhatsApp Ireland Limited may also transfer personal data (in particular metadata of the communication) to WhatsApp Inc., which may also be processed on servers in countries outside the EU (e.g. USA) where there is no adequate level of data protection. WhatsApp may share this data with other companies within and outside the Meta group of companies. Further information can be found in the WhatsApp Business (https://www.whatsapp.com/legal/business-policy/) and WhatsApp (https://www.whatsapp.com/legal/#privacy-policy) privacy policies. We have no precise knowledge of, nor influence over, the data processing by WhatsApp Ireland Limited or WhatsApp Inc., which is responsible in this respect under data protection law. In addition to the recipients already specifically named above, we use the help of other service providers (processors) to fulfil our obligations. We would like to point out that you can revoke your consent to the corresponding processing of your personal data at any time, without giving reasons and with effect for the future, by sending us a WhatsApp message with the note REVOCATION or by sending an e-mail to [email protected]. We will delete the above data in accordance with legal requirements as soon as your consent to process it has been revoked or when the purpose of processing this data has ceased to apply or it is no longer required for the purpose.
If the data is not deleted because it is required for other and legally permissible purposes, its processing will be limited to these purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.
C. Specific Notes for Our Retail Locations
19. Video surveillance
To prevent misuse and to take action against unlawful conduct (in particular theft and property damage), the entrance area and the publicly accessible areas of our business premises are monitored by cameras. The image data will only be viewed if there is suspicion of unlawful conduct. Otherwise, the image recordings are automatically deleted after 14 days.
We use a service provider to provide the video surveillance system, who may have access to the data if this is necessary for the provision of the system. Should the suspicion of unlawful conduct be confirmed, the data may then be passed on to consulting firms (in particular our law firm) and authorities to the extent necessary to enforce claims or to file a report.
The legal basis for this is our legitimate interest in protecting our property and in safeguarding and enforcing our rights within the meaning of Art. 6 para. 1 lit. f EU GDPR.
20. Use of our WiFi network
You can use the WiFi network operated by gebana AG free of charge in our business premises. Prior registration is required to prevent misuse and to take action against illegal behaviour. In doing so, you transmit the following data to gebana AG:
- MAC address of the end device (automatically)
In addition to the above data, each time the WiFi network is used, data on the visited business premises, including time, date and end device, is recorded. The legal basis for this processing is your consent in accordance with Art. 6(1)(a) EU GDPR. The customer can revoke their registration at any time by notifying us.
Gebana must comply with the legal obligations of the Federal Act on the Surveillance of Post and Telecommunications (BÜPF) and the associated ordinance. Insofar as the legal requirements are met, the WiFi operator must monitor the use of the internet and data traffic on behalf of the relevant authority. The WiFi operator may also be obliged to disclose the customer's contact, usage and marginal data to the authorised authorities. The contact, usage and marginal data are stored for 6 months on a personal basis and then deleted.
The legal basis for this processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f EU GDPR in providing a WiFi network in compliance with the applicable legal requirements.
21. Opening a customer account
When you open a customer account at our business premises, we collect the following data, with the mandatory information in the corresponding form marked with an asterisk (*):
- Personal details:
  - Last name
  - First name
  - Billing and delivery address
  - Company, company address for business customers
  - Telephone number
- Login data:
  - Email address
  - Password
We use the data to verify your identity and to check the conditions for opening the account. We collect your email address and telephone number for future communication with you that is necessary for the performance of the contract. In addition, this data, as well as data on the purchase of products and services (see Section 16), is stored under a customer number in the customer account so that we can provide you with an overview of your data at your request and to enable future linking with data from other channels. Your account and the stored data will also be linked to your online account (see Section 15) if the personal data is identical.
The legal basis for the processing of your data for the above purpose lies in your consent in accordance with Art. 6(1)(a) EU GDPR. You can revoke your consent at any time by asking us to delete the data.
22. Purchase or order of products in the business premises
In our business premises, you can usually purchase products without providing your name, whereby in this case the section on payment processing must be observed (see section 24). If requested, you will receive a paper receipt, which you should keep and present for after-sales service (see section 25). However, you can also purchase products by quoting your customer account. In this case, please also note the section on opening a customer account (see section 22).
When you purchase or order certain products, we need your name and various other data to process the contract. Depending on the product or service, we collect the following data, with mandatory information in forms marked with an asterisk (*):
- Last name
- First name
- Billing and delivery address
- Company name and address for corporate customers
- Telephone number
- Email address
We use this data to verify your identity before concluding a contract. We also need your email address for any future communication with you that may be necessary for the performance of the contract. We store your data together with the order details (e.g. time, order number, etc.), the data on the services ordered/booked (e.g. description, price and characteristics of the product; ‘product data’), the data on payment (e.g. selected payment method, confirmation of payment and time; see further section 17) as well as the information for the processing and fulfilment of the contract (e.g. returning of products, use of service or warranty services, etc.) in our webshop and our CRM database (see section 6.1) so that we can ensure correct order processing and fulfilment of the contract.
If necessary for the performance of the contract, we will also forward the required information to any third-party service providers (e.g. transport companies).
The legal basis for this data processing is the performance of the contract with you in accordance with Article 6 (1) (b) of the EU GDPR.
The provision of data not marked as mandatory is voluntary. We process this data in order to tailor our offer to your personal needs in the best possible way, to facilitate the processing of contracts, to contact you if necessary via an alternative communication channel with a view to fulfilling the contract, or for statistical recording and evaluation in order to optimise our offers. The legal basis for this data processing is your consent within the meaning of Art. 6(1)(a) EU GDPR. You can revoke your consent at any time by notifying us.
23. Payment processing
When you purchase products in our shop using electronic means of payment, it is necessary to process personal data. By using the payment terminal, you transmit the information stored on your means of payment, such as the name of the cardholder and the card number, to the payment service providers involved (e.g. payment solution providers, credit card issuers and credit card acquirers). They also receive the information that the means of payment was used in our restaurant, the amount and the time of the transaction. Conversely, we only receive the credit note for the amount of the payment made at the corresponding time, which we can assign to the relevant receipt number, or information that the transaction was not possible or was cancelled. Please always also note the information provided by the respective company, in particular the data protection declaration and the general terms and conditions. The legal basis for this transmission lies in the fulfilment of the contract with you in accordance with Art. 6 para. 1 lit. b EU GDPR.
24. Use of customer services at the business premises
At our business premises, you can take advantage of numerous customer services that may require the processing of personal data. This applies, for example, to the collection of an ordered product, the return of products in exercise of a right of return or a warranty claim, the complaint about a service, etc. In such cases, we collect the following data, depending on the product concerned or the desired service, with mandatory information in forms marked with an asterisk (*):
- Last name
- First name
- Billing and delivery address
- Company, company address for business customers
- Telephone number
- Email address
We use the data to verify your identity. We also need your email address to communicate with you as required to provide customer service. We store this data together with the details, time and content of the requested service in our CRM database (see Section 6.1) so that we can ensure the requested service is provided correctly. Insofar as this is necessary for the fulfilment of the contract, we will also pass on the required information to any third-party service providers (e.g. transport companies) or other involved third parties (e.g. manufacturers in the event of a claim under the manufacturer's warranty).
The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 (1) (f) EU GDPR in implementing your request or, if your request concerns the execution of a contract with you, the necessity of carrying out the necessary contractual measures within the meaning of Art. 6 (1) (b) EU GDPR.