The following information is intended to inform you about how we use your personal data. In doing so, we adhere to the strict provisions of the UK's Data Protection Act 2018 (DPA) as well as the requirements of the European General Data Protection Regulation (GDPR).
Scope of the processing of personal data
As a matter of principle, we only collect and use personal data from you insofar as this is necessary to provide a functional website and our content and services, e.g. when you register on our website or log in to an existing customer account or when you order products. The collection and use of your personal data regularly only takes place with your consent. An exception applies in cases where prior consent is not possible for actual reasons and the processing of the data is permitted by legal regulations.
The security of your personal data is a high priority for us. We therefore protect your data stored with us by technical and organisational measures in order to effectively prevent loss or misuse by third parties. In particular, our employees who process personal data are bound to data secrecy and must comply with it. To protect your personal data, it is transmitted in encrypted form; for example, we use SSL (Secure Socket Layer) for communication via your Internet browser.
You can recognise this by the lock symbol that your browser displays when an SSL connection is established. In order to ensure the permanent protection of your data, the technical security measures are regularly checked and, if necessary, adapted to the state of the art. These principles also apply to companies that process and use data on our behalf and in accordance with our instructions.
Purposes of processing and legal basis
We collect, process and use your personal data for the following purposes:
- Establishment and performance of contractual relationships;
- Sending newsletters;
- Marketing measures;
- Customer satisfaction surveys and analyses;
- Product evaluations;
- Customer service and customer support;
- To process orders for our online range of goods.
The following informs you about the legal basis on which we process your data. Where the legal basis is not specifically mentioned, the following applies:
- Consent – This is where we have asked you to provide explicit permission to process your data for a particular purpose.
- Contract – This is where we process your information to fulfil a contractual arrangement we have made with you.
- Answering your business enquiries – This is where we process your information to reply to your messages, e-mails, posts, calls, etc.
- Legitimate Interests – This is where we rely on our interests as a reason for processing; generally this is to provide you with the best products and service in the most secure and appropriate way. Of course, before relying on any of those legitimate interests we balance them against your interests and make sure they are compelling enough and will not cause any unwarranted harm.
- Legal Obligation – This is where we have a statutory or other legal obligation to process the information, such as for the investigation of crime.
- Vital interests – This is where we process your information for communications about security, privacy and performance improvements of our services, or for establishing, exercising or defending our legal rights.
Collection of general data and information, so-called log files
If you visit our website for information purposes only, without providing personal data via registration or in any other way, only the Internet connection data that your browser transmits to our server will be processed. Our website collects a series of general data and information with each call, which is temporarily stored in log files of a server. A log file is created in the course of an automatic protocol of the processing computer system. The following can be recorded:
- Access to the website (date, time and frequency)
- How you arrived at the website (previous page, hyperlink etc.)
- Amount of data sent
- Which browser and browser version you are using
- The operating system you are using
- Which internet service provider you use
- Your IP address, which your Internet access provider assigns to your computer when you connect to the Internet
The legal basis for this data processing is our legitimate interest, as the collection and storage of this data is necessary for the operation of the website in order to ensure the functionality of the website and to deliver the content of our website correctly.
In addition, the data serve us to optimise our website and to ensure the security of our IT systems; this processing is also based on our legitimate interest. For this reason, the data is stored for a maximum of 7 days as a technical precaution.
We also use this data for the purposes of advertising, market research and to design our services to meet your needs by creating and evaluating user profiles under pseudonyms, but only if you have not exercised your right to object to this use of your data (see information on the right to object under "Your rights").
Superfoods Company uses the platform Shopify Inc. (Shopify) as a shop system. When you place an order in our shop, you agree to the storage and processing of your personal data by Shopify. For this purpose, your personal data will be forwarded to the Shopify data centre in the United States and processed. This storage and processing of data is for the purposes of supporting and processing your orders, authenticating you, processing payments and improving Shopify's services.
Data processing upon ordering
When you place an order with us we process the data required for the conclusion and execution of a contract. This includes:
- First name, last name
- Billing and Shipping address
- E-mail address
- Billing and payment data
- Telephone number, if applicable
It is also possible for you to create a user account. For this purpose, you can choose a password together with your e-mail address, both of which will enable you to log in more easily without having to enter your data again when you make a purchase at a later date. We store the data you enter to set up a customer account through which your orders are recorded, executed and processed. We will also hold your data for further orders as long as you maintain your registration. You have the right to access, correct or delete your registration data at any time.
If you contact us, the data you provide will be stored so that your message can be forwarded to the correct contact person. This is done to process your request. Your data provided via the contact form or e-mail will not be used for any other purposes, in particular not for advertising.
On our website you have the possibility to register for our newsletter. In order to exclude errors when entering your email address, we rely on the double opt-in procedure. After you have inserted your data and clicked on the registration button, we will send you a confirmation link. Only when you click on this link will your email address be added to our mailing list. You can revoke your consent at any time with effect for the future. To do so, simply unsubscribe from the footer of the newsletter email or send a short note.
The legal basis for the processing of your personal data in the context of direct marketing measures is either your consent or our legitimate interest in marketing and promoting our services. The purpose of processing your personal data in the context of direct marketing measures is to send information, offers and, if applicable, to promote sales through the sale of goods or services. Your personal data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected; this is the case in particular upon receipt of the revocation or objection. You can revoke your consent at any time for the future or object to the processing of your personal data in the context of direct marketing measures at any time for the future.
When you send a data subject access request
The legal basis for the processing of your personal data in the context of handling your data subject access request is our legal obligation and the legal basis for the subsequent documentation of the data subject access request is both our legitimate interest and our legal obligation. The purpose of processing your personal data in the context of processing data when you send a data subject access request is to respond to your request. The subsequent documentation of the data subject access request serves to fulfil the legally required accountability. Your personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case of the processing of a data subject access request, this is three years after the end of the respective process. You have the possibility at any time to object to the processing of your personal data in the context of the processing of a data subject access request for the future. In this case, however, we will not be able to further process your request. The documentation of the legally compliant processing of the respective data subject access request is mandatory. Consequently, there is no possibility for you to object.
Legal defence and enforcement of our rights
The legal basis for the processing of your personal data in the context of legal defence and enforcement of our rights is our legitimate interest. The purpose of processing your personal data in the context of legal defence and enforcement of our rights is the defence against unjustified claims and the legal enforcement and assertion of claims and rights. Your personal data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. The processing of your personal data in the context of legal defence and enforcement is mandatory for legal defence and enforcement of our rights. Consequently, there is no possibility for you to object.
Disclosure of personal data to third parties
Your personal data will only be passed on if there is a legal obligation to do so or to service providers and partner companies that have been carefully selected in advance and are contractually obliged to comply with the requirements of the DPA and GDPR.
a) Disclosure within affiliated companies
We pass on your personal data for the conclusion and processing of contracts for offers on our website to affiliated companies. This is particularly necessary so that you can use all our offers. If you contact us with questions, complaints or returns as well as other queries, they will also receive access to your order data in order to be able to process your request.
b) Disclosure to service providers
For the operation and optimisation of our website and our services and for the processing of contracts, various service companies work for us, e.g. for central IT services or the hosting of our website, for the payment and delivery of products or for the dispatch of newsletters, to whom we pass on the data required for the fulfilment of the task (e.g. name, address).
Some of these companies act for us by way of commissioned processing and may therefore use the data provided exclusively in accordance with our instructions. In this case, we are legally responsible for appropriate data protection precautions at the companies we commission. We therefore agree on specific data security measures with these companies and monitor them regularly.
In contrast to order processing, in the following cases we transmit data to third parties for their own use in order to process the contract:
- In the case of delivery processing and shipping of goods to our fulfilment service provider (Huboo Technologies) specified when the order was placed.
- In the case of payment for goods to our payment service provider (Shoppay and Google Pay) specified when the order was placed.
We do not collect or store any payment transaction information such as credit card numbers or bank details during the payment process. You only provide this information directly to the respective payment service provider.
c) Disclosure to other third parties
We will disclose your data to third parties or government agencies within the framework of existing data protection laws if we are legally obliged to do so, e.g. due to official or court orders, or if we are entitled to do so, e.g. because this is necessary for the prosecution of criminal offences or for the exercise and enforcement of our rights and claims.
Data transfer to third countries
If we use service providers in third countries, we take additional measures to ensure an adequate level of data protection for the transfer of personal data in accordance with the DPA and GDPR and thus ensure that the transfer is generally permissible and that the special requirements for a transfer to a third country are met (e.g. by concluding standard contracts and additional guarantees, supplementary technical and organisational measures such as encryption or anonymisation).
Storage period of your personal data
We adhere to the principles of data minimisation and data economy. This means that we only store the data you provide to us for as long as is necessary to fulfil the aforementioned purposes or as specified by the various storage periods provided for by law. If the respective purpose ceases to apply or after the relevant periods have expired, your data will be routinely blocked or deleted in accordance with the statutory provisions.
Of course, you have rights with regard to the collection of your data, which we are pleased to inform you of herewith. If you would like to make use of one of the following free rights, a simple message to us will suffice. For your own protection, we reserve the right, in the case of an existing enquiry, to obtain further information necessary to confirm your identity and, if identification is not possible, to refuse to process the enquiry.
a) Right to information
You have the right to request information and/or copies of the personal data stored about you.
b) Right to rectification
You have the right to request that personal data relating to you be corrected and/or completed without delay.
c) Right to object to processing
You have the right to request the restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer require the data, but you need it for the assertion, exercise or defence of legal claims or you have lodged an objection to the processing.
d) Right to erasure
You have the right to request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims.
e) Right to information
Where you have exercised the right to rectification, erasure or restriction of processing, we will notify all recipients to whom personal data relating to you has been disclosed of such rectification or erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort.
f) Right to data portability
You have the right to have personal data that you have provided to us handed over to you or to a third party in a structured, common and machine-readable format. If you request the direct transfer of the data to another responsible party, this will only be done insofar as it is technically feasible.
g) Right of objection
Insofar as your personal data are processed on the basis of legitimate interests, you have the right to object to the processing at any time. If we process your personal data for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
h) Right to withdraw consent
You have the right to cancel your consent to the collection of data at any time with effect for the future. The data collected until the cancellation becomes legally effective will remain unaffected. Please understand that the implementation of your cancellation may take a little time for technical reasons and that you may still receive messages from us in the meantime.
i) Right to complain to a supervisory authority
If the processing of your personal data violates data protection law or if your data protection rights have otherwise been violated in any way, you may complain to the supervisory authority.
You can also exercise your rights of rectification and deletion most quickly, easily and conveniently by logging into your customer account and directly editing or deleting your data stored there.
j) Automated decision making including profiling
You have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you.
We use the shop system of the service provider Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland ("Shopify"), for the purpose of hosting and displaying the online shop on the basis of processing on our behalf. All data collected on our website is processed on Shopify's servers. As part of Shopify's aforementioned services, data may also be transferred to Shopify Inc, 150 Elgin St, Ottawa, ON K2P 1L4, Canada, Shopify Data Processing (USA) Inc, Shopify Payments (USA) Inc or Shopify (USA) Inc as part of further processing on our behalf. In the event that data is transferred to Shopify Inc. in Canada, the adequate level of data protection is guaranteed by adequacy decision of the European Commission.
Our website uses functions of the web analysis service Google Analytics by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). Cookies are used for this purpose, which enable an analysis of the use of the website by your users. The information generated by the cookie about your use of the website will be transmitted to and stored by Google on servers in the United States. You can prevent this by setting up your browser so that no cookies are stored. Your IP address is recorded, but pseudonymised immediately (e.g. by deleting the last 8 bits). This means that only a rough localisation is possible. The data processing is carried out on the basis of your consent and/or our legitimate interest. Our legitimate interest is the improvement of our offer and our web presence. Since the privacy of our users is important to us, the user data is pseudonymised. The user data is stored for a period of 14 months.
When you access a Google service, the browser sends this cookie along with your request for a page. The NID cookie contains a unique ID that we use to store your preferred settings and other information, such as your preferred language, how many search results to display per page (e.g. 10 or 20) and whether to enable the Google SafeSearch filter. The data processing is carried out on the basis of your consent and/or our legitimate interest. Our legitimate interest is the improvement of our offer and our web presence.
Automated decision-making and profiling
We do not use automation for decision-making and profiling.
Klaviyo e-mail systems
It is important that the data we hold about you is accurate and current, therefore please keep us informed of any changes to your personal data.
Our website is not intended for children and we do not knowingly collect data relating to children. If you become aware that your child has provided us with personal data without parental consent, please contact us and we will take the necessary steps to remove that information from our server.
If you have any further questions or are concerned about the security of your data, please contact us.