Privacy Policy EU Online Shop

Valid as of 13 August, 2024

1. INTRODUCTION

We know that you care how your personal data is used and shared. We take the protection of your personal data very seriously, therefore data protection is a high priority for In a nutshell – kurzgesagt GmbH (“KGS”). This Privacy Policy describes how we collect and process your personal data and the purposes it is processed for when you visit and use our online shop, create an account, place an order and subscribe to our email newsletter, and outlines your rights regarding your personal data.

The personal data we collect consists of:

Information you provide to us directly, e.g. when creating an account in our online shop;

Information collected automatically, e.g. information collected via cookies on our online shop; and

Information we need to process to fulfill your orders.

We always treat your personal data in accordance with the statutory data protection regulations applicable to KGS, including, but not limited to, the General Data Protection Regulation (GDPR), and this Privacy Policy.

 

2. CONTROLLER AND DATA PROTECTION OFFICER

2.1. Controller is:

In a nutshell – kurzgesagt GmbH ("KGS"),
Landwehrstraße 39, 80336 Munich, Germany,
Phone +49 (0)89 9545 730 20, e-mail: info@kurzgesagt.org

2.2. Our data protection officer (“DPO”) is:

LS Sport GmbH, Widenmayerstraße 28, 80538 München, Germany,
e-mail: dataprotection@kurzgesagt.org

If you have any questions about data protection, you can contact our data protection officer at any time.

 

3. GENERAL INFORMATION ON DATA PROCESSING

The use of our online shop is generally possible without any indication of personal data; however, if you want to use the services of our online shop (e.g. create an account, place an order, subscribe to the newsletter), processing of personal data could become necessary.

Please note that links and features in our online shop may take you to other websites which are not operated by us but by third parties. Such links are either clearly marked by us or are recognizable by an obvious change in the address line of your web browser. We are not responsible or liable for compliance with the respective data protection regulations and safe handling of your personal data on these websites operated by third parties.

 

4. VISITING OUR ONLINE SHOP / LOGFILES

Each time you visit our online shop, our system automatically collects data and information from the computer system of the calling computer. This general data and information are stored in the server log files. The following data is logged:

IP address of the calling computer

Operating system of the calling computer

Browser type and version of the calling computer

Name of the retrieved file/website

Date and time of retrieval

Transferred amount of data

Referring URL

The mentioned data is processed in order to be able to present the online shop correctly, to ensure its security, availability and integrity (e.g., detection and defense against DoS attacks or access by bots), to improve the quality and presentation of the content of the online shop, to be able to identify and correct errors, and for statistical purposes.

In this context, we analyze this data and information statistically in order to ensure an optimal level of security and protection for both our business and the personal data we process in the course of entering into a contract with our potential customers.

The anonymous data of the server log files are stored separately from all personal data provided by potential customers. We do not combine this personal data with other data sources. This data is regularly deleted after a few days. However, we reserve the right to check the server log files retrospectively if there are concrete indications of illegal or system-inappropriate use of our online shop.

 

5. ONLINE SHOP

5.1 Operation of the KGS Online Shop

As of 23 March 2024 KGS will directly handle your EU shop purchases, whereas up until then, they were managed by DFTBA Europe B.V. (“DFTBA Europe”). Orders placed via our EU online shop until/on 22 March 2024 are handled and fulfilled by DFTBA Europe as your contractual partner on the basis of the privacy policy you have taken note of during your purchase process. In this case, DFTBA Europe will transfer personal data collected about you as their customer over to us unless you object to this transfer. This will allow us to provide you with a seamless shopping experience, to ensure the fulfillment of any of your (warranty) claims or our claims, if any, in the context of your purchase and to share relevant information with you. This transfer concerns your name and contact information such as your e-mail address, your shipping address, your purchase history, and information on customer service contacts.

After the data transfer, we will process your data in accordance with this privacy policy if you have not objected to the transfer by emailing DFTBA Europe at kurzgesagt@dftba.com until 22 March 2024.

As of 23 March 2024, i.e. after the data transfer to us, you can of course always object to the use of your data and request their deletion by contacting us directly (see Sec. 12).

5.2 Shopify

Our online shop is provided and hosted by Shopify International Ltd. in Ireland (“Shopify”) on the basis of a data processing agreement (“DPA”) pursuant to Art. 28 GDPR. The processing by Shopify International Ltd. (Ireland), which is our contractual partner, may involve the transfer of data to a third country outside the EU, i.e. to the parent company Shopify Inc. (USA). With regard to appropriate safeguards in accordance with Art. 44 et seq. GDPR, if needed, please see Sec. 11.

5.3 Placing Orders and Fulfillment, Payment

If you place an order in our online shop, we will process the following data:

last name,

first name,

e-mail address,

postal address,

phone number,

purchase and payment information.

When purchasing goods via our online shop we are your contractual partner and will fulfill all orders placed. We will process the above mentioned data for the conclusion of the contract with you and the fulfillment of your order. We record and process your personal data, which is transmitted to us after successful completion of the ordering process, if and to the extent that this is necessary to get your order to you or to handle returns and/or warranty claims you might have.

This data will be passed on to the shipping company commissioned with the delivery, insofar as this is necessary for the delivery of the ordered goods as well as to credit institutions and/or payment service providers commissioned with the payment processing. These third-party companies act as independent data controllers and are not bound to any instructions by us.

Besides, as of August 2024, your provided customer data will be transferred to our service provider located in the US. This is necessary to inform you via transactional emails about the process of your future online purchases and to improve our customer service. Hence, the transfer is based on Art. 6 para. 1 lit. b and f GDPR. The transfer takes place in compliance with Article 44 ff GDPR, as our service provider acts on the basis of a data processing agreement (“DPA”) pursuant to Art. 28 GDPR, which obliges the service provider to implement appropriate security measures and grants us comprehensive control powers. Additionally, our service provider is certified in accordance with the EU-U.S. Data Privacy Framework. If you do not wish your data to be transferred, you can object at any time by contacting us directly (see Sec. 12).

On the same legal basis, your personal data may be passed on to our customer service commissioned, if necessary, to sort out any issues/inquiries regarding your online purchase. Our customer service acts as our data processor on the basis of a Data Processing Agreement (“DPA”) pursuant to Art. 28 GDPR. With regard to appropriate safeguards in accordance with Art. 44 et seq. GDPR, if needed, please see Sec. 11.

5.4 Creating an Account

You do not have to create an account but can shop as a guest in our online shop. However, creating an account in the context of ordering via our online shop can make future purchases easier and provide a more customized, simpler shopping experience. For example, your address data and payment methods may be pre-selected for your next order in our online shop.

If you create an account, we will process your data as described under Sec. 5.3 as well as login data provided for your account.

Your data will be processed and stored as long as you use your account. You can, of course, delete your account and any data stored therein at any time by contacting us (see Sec. 12). If you delete your account, the data processed via your account will be deleted (subject to any retention obligations, see below under "Retention and Deletion").

5.5 Direct advertising

We may use the e-mail address you provide when creating an account and/or concluding a contract with us for direct advertising for our own and similar products and services. If you do not wish to receive any direct advertising, you can object to the use of your e-mail address at any time by using the unsubscribe link contained in every email, or you can exercise your right to object by contacting us directly (see Sec. 12).

As of August 2024, we use an external service provider as a data processor located in the US for sending direct advertising e-mails on the basis of a Data Processing Agreement (“DPA”) pursuant to Art. 28 GDPR, which obliges the service provider to implement appropriate security measures and grants us comprehensive control powers. Additionally, our service provider is certified in accordance with the EU-U.S. Data Privacy Framework. In this context, your provided customer data will be transferred to our service provider once to improve our customer service and send you future marketing e-mails on the basis of your legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. If you do not wish your data to be transferred, you can object at any time by contacting us directly (see Sec. 12).

With regard to appropriate safeguards in accordance with Art. 44 et seq. GDPR, if needed, please see Sec. 11.

 

6. CONTACT FORM/CONTACT US BY E-MAIL

If you use the contact form on our online shop or send us an e-mail, we will process the personal data you provide us (e.g. name, e-mail address, your IP address and the date and time of the contact request). This information is transmitted by your browser or e-mail client and processed in our IT systems. The processing of this personal data is necessary to answer your request. In addition, misuse of the contact form should be prevented and the security of our IT systems ensured.

The personal data will be processed as long as necessary to respond to your request. Should your request lead to a later conclusion of the contract, processing will take place as long as this is necessary to carry out pre-contractual measures or to fulfil the contract. We do not merge your personal data with other data sources. We do not transfer your personal data to a third country outside the EU in this context. You are not obliged to provide your personal data, but it is not possible to use the contact form or send an e-mail without providing it.

If you contact us by e-mail or message via the contact form, you can object to the storage of your personal data at any time by contacting us (see Sec. 12).

 

7. NEWSLETTER

7.1 Registration and scope of data processing

On our website, you can register to receive a newsletter by email. During registration, the data from the input mask, the IP address of the calling computer and the date and time of registration are transmitted to us. For the processing of the data, your consent is obtained during registration and reference is made to this Privacy Policy.

In order to verify that a registration for the newsletter is made by the actual owner of an email address, we use the so-called "double opt-in" procedure. In this process, after registration of an email address, a confirmation email is sent to the registered email address. Registration for the newsletter is only completed when a confirmation link contained in the confirmation e-mail is activated. The IP address of the calling computer and the date and time of activation of the confirmation link are also transmitted to us.

We will use your data to send you our newsletter, in which we inform you about all our services and news.

You can unsubscribe from the newsletter any time by using the unsubscribe link contained in each newsletter or by contacting us directly (please see Sec. 12). Your data will be deleted immediately after you unsubscribe.

7.2 Newsletter Analytics/Tracking

The newsletter of KGS contains so-called tracking pixels. A tracking pixel is a miniature graphic embedded in such e-mails, which are sent in HTML format to enable log file recording and analysis. This allows a statistical analysis of the success or failure of online marketing campaigns. Based on the embedded tracking pixel, KGS may see if and when you opened an e-mail, and which links in the e-mail were called up by you.

These personal data will not be passed on to third parties. You are at any time entitled to revoke the respective separate declaration of consent issued by means of the double-opt-in procedure. After withdrawal, these personal data will be deleted by us. KGS automatically regards a withdrawal from the receipt of the newsletter as a withdrawal of this data processing.

7.3 Newsletter Service Provider

As of August 2024, we use an external service provider located in the US as a data processor for sending and analyzing our newsletter on the basis of a Data Processing Agreement (“DPA”) pursuant to Art. 28 GDPR, which obliges the service provider to implement appropriate security measures and grants us comprehensive control powers. Additionally, our service provider is certified in accordance with the EU-U.S. Data Privacy Framework. In this context, the personal data you provided will be transferred to our service provider in the US. This is necessary to continue sending you our newsletter and is therefore based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. If you do not wish your data to be transferred, you can object at any time by contacting us directly (see Sec. 12).

 

8. COOKIES AND THIRD-PARTY TOOLS/FUNCTIONS

In order to make visiting our online shop attractive and to enable the use of certain functions in our online shop, we use cookies and implement third-party tools and functions.

Please note our separate cookie policy, which informs you about all data processing by cookies: https://kurzgesagt.org/cookies.

 

9. SOCIAL MEDIA BUTTONS

Social media buttons of various social media networks (e.g. LinkedIn, Instagram, X (Twitter), YouTube, Facebook, and TikTok) are integrated on our shop website.

The providers of the social platforms whose buttons we have integrated on the shop website may have their registered office (often via the parent company) outside the EU or the EEA - an adequate level of data protection in accordance with the GDPR may therefore not exist. The buttons/links are clearly marked on our website. To ensure data protection on our website, we only use such buttons if you have given your consent as part of the cookie consent tool or together with the so-called "two-click" solution. This application prevents the buttons integrated on our website from transmitting data to the providers as soon as you enter the website for the first time. Only when you have given your express consent using the opt-in function or activate the respective button by clicking on the associated button (implied consent) will a direct connection to the provider's server be established. As soon as you activate the button, the providers receive the information that you have visited our website with your IP address. If you are logged into your respective social media account (e.g. Facebook or Instagram) at the same time, the providers can assign the visit to our website to your user account. Activating the button/link constitutes implied consent. You can revoke both express and implied consent at any time with effect for the future.

For information on the purpose and scope of data collection and processing by the providers of the respective social media network, the provider identification, a contact option and your rights and setting options for data protection, please refer to the respective privacy policy of the providers of the social media networks.

YouTube: https://policies.google.com/privacy?hl=de

X (Twitter): https://twitter.com/privacy?lang=de

Facebook: https://www.facebook.com/policy.php

Instagram: https://help.instagram.com/478745558852511

Patreon: https://www.patreon.com/privacy

Reddit: https://www.redditinc.com/policies/privacy-policy

Bēhance: https://www.adobe.com/de/privacy/policies/behance.html

Discord: https://discord.com/privacy

LinkedIn: https://de.linkedin.com/legal/privacy-policy

TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/de

 

10. LEGAL BASIS

When we process your personal data as described above, this is based on the following legal sources in accordance with the GDPR. The respective legal basis for each data processing depends on the specific purpose (as outlined above) of the respective data processing:

10.1 Performance of a contract (Art. 6 para. 1 lit. b) GDPR)

This applies when we conclude (or are about to conclude) a contract with you or communicate with you about it. This includes processing your personal data to accept and fulfill orders, deliver products and services, and process payments.

10.2 Legitimate Interest (Art. 6 para. 1 lit. f) GDPR)

This applies to data processing for necessary measures to operate the shop website, detecting and preventing fraud or abuse to protect the safety of our customers, our own safety and that of third parties regarding our online shop, and when we show you interest-based, direct advertising. In these cases, you may have the right to object to the respective data processing by contacting us (see Sec. 12).

10.3 Consent (Art. 6 para. 1 lit. a) GDPR)

This applies when we ask for your consent to process your personal data for a specific purpose notified to you (i.e. also via our cookie consent tool). In these cases, you may freely withdraw your consent at any time by contacting us and we will stop processing your personal data for that purpose (see Sec. 12).

10.4 Legal obligations (Art. 6 para. 1 lit. c) GDPR)

This applies when we process your personal data to comply with a legal obligation. For example, we need to store specific order information due to retention obligations under statutory commercial or tax law.

10.5 Other legal grounds in accordance with GDPR

Other legal grounds according to Art. 6 GDPR may apply depending on the purposes for which we use personal information.

 

11. RECIPIENTS OF DATA

Within our company, those internal departments or organizational units receive your data which they need to fulfill their tasks, to fulfill contracts with you, if necessary, for data processing with your consent or to safeguard our overriding legitimate interests.

Data will only be passed on to third parties within the framework of legal requirements and as described with regard to the respective data processing above.

In accordance with Art. 44 para. 1 GDPR, we transfer personal data to a recipient in a third country outside the EU only if an adequacy decision has been issued by the EU Commission for this third country in accordance with Art. 45 GDPR or if appropriate guarantees are complied with in accordance with Art. 46 GDPR and enforceable rights and effective legal remedies are available to the data subjects, or if you have given your voluntary consent.

We will provide you with proof of appropriate safeguards in accordance with Art. 44 et seq. GDPR with regard to any recipients in the context of the data processing described above, if needed, at any time upon request.

 

12. YOUR RIGHTS

You have the rights explained below with regard to the personal data processed by us concerning you:

12.1 Right of Access

You can request information in accordance with Art. 15 GDPR about your personal data that we process.

12.2 Right to Rectification

If the information concerning you is not (or no longer) accurate, you may request a correction in accordance with Art. 16 GDPR. If your data is incomplete, you may request that it be completed.

12.3 Right to Erasure

You may request the erasure of your personal data in accordance with Art. 17 GDPR.

12.4 Right to Restriction of Processing

In accordance with Art. 18 GDPR you have the right to request restriction of processing of your personal data.

12.5 Right to Object to Processing

You have the right to object at any time on grounds relating to your particular situation to the processing of your personal data which is carried out on the basis of Art. 6 para. 1 lit. e) or lit. f) GDPR in accordance with Art. 21 para. 1 GDPR. In this case, we will not further process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves to assert and exercise or defend against legal claims (Art. 21 para. 1 GDPR).

In addition, according to Art. 21 para. 2 GDPR, you have the right to object at any time to the processing of personal data concerning you for the purposes of direct marketing; this also applies to any profiling, insofar as it is related to such direct advertising.

12.6 Right to Withdraw Consent

Insofar as you have given your consent for processing in accordance with Art. 6 para. 1 lit. a) GDPR, you have the right to withdraw your consent pursuant to Art. 7 para. 3 GDPR at any time without giving reasons. The consequence of this is that we may no longer continue the data processing based on this consent in the future. However, the withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal.

12.7 Right to Data Portability

You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format ("data portability") as well as the right to have this data transferred to another controller if the conditions of Art. 20 para. 1 lit. a) and b) GDPR are met.

12.8 Exercise of Rights

If you wish to exercise the above mentioned rights, simply send an e-mail to dataprotection@kurzgesagt.org.

12.9 Right of appeal to the supervisory authority

Finally, in accordance with Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our registered office. The supervisory authority responsible for our registered office is Bayerisches Landesamt für Datenschutz.

 

13. RETENTION AND DELETION

We adhere to the principles of data avoidance and data economy and only store your personal data for as long as is necessary to achieve the respective purpose of the data processing or as stipulated by the storage periods provided by law (in particular, regarding any retention periods under statutory commercial or tax law).

If the purpose of storage no longer applies or if a storage period provided for by law expires, the personal data will be routinely anonymized or deleted in accordance with the statutory provisions.

 

14. INFORMATION SECURITY

We take appropriate technical and organizational measures in accordance with the state of the art to ensure a level of protection for the personal data we process that is appropriate to the risk of the respective processing and to protect the data we process against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.

Our shop website uses SSL encryption for security reasons and to protect the transmission of confidential content, such as orders, inquiries or payment data that you send to us.

Our employees receive regular training on data protection and information security and are committed to confidentiality and data protection.

A restrictive rights and roles concept on a "need to know" basis ensures that employees only have access to the personal data they absolutely need to perform their duties.

 

15. MODIFICATION OF THIS PRIVACY POLICY

Due to the further development of our online shop and services or due to changed legal or regulatory requirements, it may become necessary to change this Privacy Policy. In the event of significant adjustments, we will inform you in an appropriate manner.