Name/Company: Thermolight GmbH & Co. KG
Street address: Mühlweg 2
Postcode, town/city, country: 95632 Wunsiedel
Commercial register/no.: HRA 4813 Hof
Personally liable partner: Thermolight-Verwaltungs-GmbH
Commercial register/no.: HRB 6480 Hof
CEO: Christoph Lamberts
Telephone number: +49 9233 77544 0
Data protection officer: Michael Emrich
Last updated: February 2nd, 2022
Basic information on data processing and legal bases
For the terms used, such as "personal data" or their "processing", we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
The personal data of users processed in the context of this online offer include inventory data (e.g. names and addresses of customers), contract data (e.g. services used, names of administrators, payment information), usage data (e.g. the websites visited from our online offer, interest in our products) and content data (e.g. entries in the contact form).
The term "user" covers all categories of data subjects. These include our business partners, customers, interested parties and other visitors to our online offer. The terms used, such as "user", are to be understood as gender-neutral.
We only process users' personal data in compliance with the relevant data protection regulations. This means that user data will only be processed where legal permission exists. In other words, in particular where data processing is necessary for the provision of our contractual services (e.g. order processing) and online services, or is required by law, where the user has given his consent, as well as on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation and security of our online offer as defined by Art. 6 (1) f. GDPR), in particular for range measurement, creation of profiles for advertising and marketing purposes, collection of access data and use of third-party services.
We would like to point out that the legal basis of the consent is Art. 6 (1) a. and Art. 7 GDPR, the legal basis for the processing for the fulfilment of our services and implementation of contractual measures is Art. 6 (1) b. GDPR, the legal basis for processing to fulfil our legal obligations is Art. 6 (1) c. GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6 (1) f. GDPR.
We take organisational, contractual and technical security measures in accordance with the state of the art to ensure that the regulations of data protection laws are complied with and thus to protect the data processed by us against accidental or intentional manipulation, loss, destruction or access by unauthorised persons.
The security measures include, in particular, the encrypted transfer of data between your browser and our server.
Disclosure of data to third parties and third-party providers
Data will only be passed on to third parties within the framework of legal requirements. We only pass on user data to third parties where this is necessary, for example, for contractual purposes on the basis of Art. 6 (1) b. GDPR or on the basis of legitimate interests pursuant to Art. 6 (1) f. GDPR for the economic and effective operation of our business operations.
Where we use subcontractors to provide our services, we take appropriate legal precautions as well as appropriate technical and organisational measures to ensure the protection of personal data in accordance with the relevant legal regulations.
Performance of contractual services
We process inventory data (e.g. names and addresses as well as contact data of users), contract data (e.g. services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services pursuant to Art. 6 (1) b. GDPR.
Users have the option of creating a user account, in which they can view their orders. During the registration process, users will be informed of the required information. User accounts are not public and cannot be indexed by search engines. If users have cancelled their user account, their data from the user account will be erased, provided that storage is not required for commercial law or tax law reasons pursuant to Art. 6 (1) c. GDPR. It is up to users to save their data before the end of the contract if they have cancelled the contract. We are entitled to irretrievably erase all user data stored during the term of the contract.
During the registration process or when re-registering and using our online services, we store the IP address and the time of the user action in question. The data are stored on the basis of our legitimate interests as well as for the protection of the user against misuse and other unauthorised use. These data will not be passed on to third parties, unless this is necessary to pursue our claims or there is a legal obligation to do so pursuant to Art. 6 (1) c. GDPR.
We process usage data (e.g. the websites of our online offer visited, interest in our products) and content data (e.g. entries in the contact form or user profile) for advertising purposes in a user profile in order to show the user, for example, product information based on the services previously used.
When contacting us (via contact form or e-mail), the user's details are processed for the purpose of processing the contact enquiry and the execution of this pursuant to Art. 6 (1) b. GDPR.
User information can be stored in our Customer Relationship Management System ("CRM System") or comparable request system.
Comments and contributions
If users leave comments or make other contributions, their IP addresses will be stored for 7 days on the basis of our legitimate interests as defined by Art. 6 (1) f. GDPR.
This is for our security, in case someone leaves illegal content in comments and contributions (insults, forbidden political propaganda, etc.). In this case we can be prosecuted ourselves for the comment or contribution and are therefore interested in the identity of the author.
Collection of access data and log files
We collect data on the basis of our legitimate interests as defined by Art. 6 (1) f. GDPR about each case of access to the server on which this service is located (so-called server log files). Access data include the name of the accessed website, file, date and time of access, transferred data volume, notification of successful access, browser type and version, the user's operating system, referrer URL (the site previously visited), IP address and the requesting provider.
Log file information is stored for a maximum of seven days for security reasons (e.g. to investigate misuse or fraud) and then erased. Data whose further storage is required for evidence purposes are excluded from erasure until the incident has been clarified conclusively.
Cookies & range measurement
Cookies are information that is transferred from our web server or third-party web servers to the user's web browser and stored there for later retrieval. Cookies can be small files or other types of information storage.
We use "session cookies", which are only stored for the duration of your current visit to our website (e.g. to enable the storage of your login status or the shopping basket function and thus the use of our online offer at all). A randomly generated unique identification number, a so-called session ID, is stored in a session cookie. A cookie also contains information about its origin and the storage period. These cookies cannot store any other data. Session cookies are erased when you have finished using our online offer and, for example, log out or close your browser.
If users do not want cookies to be stored on their computer, they are asked to deactivate this option in the system settings of their browser. Stored cookies can be erased in the system settings of the browser. The exclusion of cookies may lead to functional restrictions of this online offer.
Google is certified under the Privacy Shield Agreement and thus offers a guarantee that it will comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on the activities within this online offer and to provide us with further services associated with the use of this online offer and the use of the Internet. Pseudonymous user profiles may be created from the processed data.
We use Google Analytics to display the advertisements placed by Google and its partners within advertising services only to users who have shown an interest in our online offer or who have certain characteristics (e.g. interest in certain topics or products that are determined by the websites visited) that we transfer to Google (so-called "remarketing" or "Google Analytics audiences"). With the help of remarketing audiences we also want to ensure that our advertisements correspond with the potential interests of the users and are not annoying.
We only use Google Analytics with IP anonymisation enabled. This means that the user's IP address will be shortened by Google within the Member States of the European Union or in other signatory states of the Agreement on the European Economic Area. Only in exceptional circumstances is the full IP address transferred to a Google server in the USA and shortened there.
The IP address transferred from the user's browser is not combined with other Google data. Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent Google from collecting the data generated by the cookie and relating to their use of the online offer and the processing of these data by Google by downloading and installing the browser plug-in available under the following link: tools.google.com/dlpage/gaoptout;
Further information on data use by Google, possible settings and objections can be found on Google's websites: www.google.com/intl/de/policies/privacy/partners ("How Google uses data when you use our partners' sites or apps"), www.google.com/policies/technologies/ads ("Use of data in advertising"), www.google.de/settings/ads ("Manage information that Google uses to show you ads").
Google remarketing services
On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer as defined by Art. 6 (1) f. GDPR), we use the marketing and remarketing services ("Google marketing services" for short) of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, ("Google").
Google is certified under the Privacy Shield Agreement and thus offers a guarantee that it will comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google marketing services allow us to target advertisements for and on our website in order to present users only with advertisements that potentially match their interests. If a user, for example, sees advertisements for products he has been interested in on other websites, this is referred to as "remarketing". For these purposes, when our and other websites on which Google marketing services are active are accessed, Google directly executes a Google code and (re)marketing tags (invisible graphics or code, also known as "web beacons") are integrated into the website. With their help, an individual cookie, i.e. a small file, is stored on the user's device (comparable technologies can also be used instead of cookies). Cookies can be placed by various domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. In this file it is noted which websites the user visits, which content he is interested in and which offers he has clicked on, as well as technical information about the browser and operating system, referring websites, visiting time as well as further information about the use of the online offer. The user's IP address is also recorded, whereby we inform within the framework of Google Analytics that the IP address is shortened within Member States of the European Union or in other signatory states of the Agreement on the European Economic Area and only in exceptional cases transferred in full to a Google server in the USA and shortened there. The IP address is not combined with the user's data within other Google offers. The above information may also be linked by Google to such information from other sources. If the user then visits other websites, the advertisements tailored to his interests can be displayed.
Users' data are processed pseudonymously within Google marketing services. This means that Google does not store and process, for example, the names or e-mail addresses of users, but processes the relevant data relating to cookies within pseudonymous user profiles. This means that, from Google's point of view, the advertisements are not managed and displayed for a specifically identified person, but for the cookie holder, regardless of who this cookie holder is. This does not apply if a user has expressly permitted Google to process the data without this pseudonymisation. The information collected by Google marketing services about users is transferred to Google and stored on Google's servers in the USA.
One of the Google marketing services we use is the online advertising program "Google AdWords". In the case of Google AdWords, each AdWords customer receives a different "conversion cookie". Cookies cannot therefore be traced through the websites of AdWords customers. The information collected with the help of the cookie is used to generate conversion statistics for AdWords customers who have opted for conversion tracking. AdWords customers find out the total number of users who clicked on their advertisement and were redirected to a page with a conversion tracking tag. However, they do not receive any information with which they could personally identify users.
We can also use the "Google Optimizer" service. Google Optimizer allows us to track the effects of various changes to a website (e.g. changes to input fields, design, etc.) within the framework of so-called "A/B testing". Cookies are stored on users' devices for these test purposes. Only pseudonymous user data are processed.
We can also use the "Google Tag Manager" to integrate and manage Google analysis and marketing services into our website.
If you wish to object to interest-based advertising by Google marketing services, you can use the setting and opt-out options provided by Google: www.google.com/ads/preferences.
Facebook custom audiences and marketing services; disabling of the Facebook Pixel function
- Because of our legitimate interests in the analysis, optimisation and economic operation of our online content and for the associated purposes, our website contains the so-called "Facebook Pixel" of the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you are resident in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook").
- Facebook is certified under the Privacy Shield Agreement and thus offers guaranteed compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
- On the one hand, the Facebook Pixel enables Facebook to determine the visitors of our online offer as a target group for the presentation of ads (so-called "Facebook ads"). Accordingly, we use the Facebook Pixel to display the Facebook ads placed by us only to those Facebook users who have also shown an interest in our online offering or who exhibit certain characteristics (e.g. interest in specific topics or products determined on the basis of the websites visited), which we transmit to Facebook (so-called "custom audiences"). With the help of the Facebook Pixel we also wish to ensure that our Facebook ads correspond to the potential interests of users and are not intrusive. The Facebook Pixel also allows us to track the effectiveness of Facebook ads for statistical and market research purposes by seeing whether users are redirected to our website after clicking on a Facebook ad (so-called "conversion").
- The Facebook Pixel is directly integrated by Facebook when you access our website and can place a so-called "cookie", i.e. a small file, on your device. If you then log into Facebook or visit Facebook while logged in, the visit to our online service will be noted in your profile. The data collected about you is anonymous for us, so we are unable to draw conclusions about the identity of the user. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible and can be used by Facebook and for specific market research and advertising purposes. If we transmit data to Facebook for matching purposes, this data is encrypted locally on the browser and only then sent to Facebook via a secure https connection. This is done solely for the purpose of comparison with the other data that is also encrypted by Facebook.
- In addition, when using the Facebook Pixel, we use the "extended matching" function (with which data such as telephone numbers, email addresses or Facebook IDs of users is sent to Facebook (encrypted) in order to create target groups ("custom audiences" or "look-alike audiences")). Further details of "extended matching": https://www.facebook.com/business/help/611774685654668)
- Also on the basis of our legitimate interests, we use the "custom audiences from file" process of the social network Facebook, Inc. In this case, the email addresses of newsletter recipients are uploaded to Facebook. The upload process is encrypted. The upload serves solely to identify recipients of our Facebook ads. This is to ensure that the ads are only displayed to users who have an interest in our information and services.
- The processing of the data by Facebook takes place within the framework of Facebook's data use policy. General information on the display of Facebook ads in the Facebook data use policy: https://www.facebook.com/policy.php. Specific information and details about the Facebook Pixel and how it works can be found in the Facebook help section: https://www.facebook.com/business/help/651294705016616
- You may object to the recording of your data by the Facebook Pixel and its use to display Facebook ads. To manage what types of ads are displayed to you within Facebook, you can go to the page set up by Facebook and follow the instructions on usage-based advertising settings: https://www.facebook.com/settings?tab=ads. The settings are platform-independent, i.e. they are applied to all devices, such as desktop computers or mobile devices.
- To prevent the collection of your data using the Facebook pixel on our website, please click on "Edit cookie settings" at the top of the page.
Integration of third-party services and content
Within our online offer based on our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer as defined by Art. 6 (1) f. GDPR), we use content or service offerings of third parties to incorporate their content and services, such as videos or fonts (hereinafter uniformly referred to as "content"). This always presupposes that the third-party providers of this content know the IP address of the user, since without the IP address they could not send the content to their browser. The IP address is therefore required for the display of this content. We make every effort to only use content whose providers only use the IP address for the delivery of the content. Furthermore, third-party providers may use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. "Pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may include technical information about the browser and operating system, referring websites, visiting time and other information about the use of our online offer, and may be linked to such information from other sources.
The following provides an overview of third-party providers and their content, together with links to their privacy policies, which contain further information on the processing of data and, in part already mentioned here, objection options (so-called "opt-out"):
Users have the right, upon request and free of charge, to receive information about the personal data that we have stored about them.
In addition, users have the right to rectify inaccurate data, to restrict the processing and to erase their personal data, if applicable, to assert their rights to data portability and, in the event of the assumption of unlawful data processing, to lodge a complaint with the competent supervisory authority.
In addition, users may withdraw consent with effect for the future.
Erasure of data
The data stored by us will be erased as soon as it is no longer required for its intended purpose and there are no legal obligations to store the data. If the user's data are not erased because they are required for other, legally permissible purposes, their processing will be restricted. This means that the data are blocked and not processed for other purposes. This applies, for example, to user data that must be retained for commercial law or tax law reasons.
In accordance with statutory requirements, the data are stored for 6 years pursuant to Section 257 (1) German Commercial Code (HGB) (trading books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting documents, etc.) and for 10 years pursuant to Section 147 (1) German Tax Code (AO) (books, records, status reports, accounting documents, commercial and business letters, documents relevant for taxation, etc.)
Right to object
Users may object to the future processing of their personal data in accordance with legal requirements at any time. The objection may be lodged in particular against processing for direct marketing purposes.