Data protection

Updated on:

February 9, 2023

We, Coffee Roastars GmbH, Neuer Jungfernstieg 17, 20354 Hamburg (Coffee Roastars /we) , are pleased about your visit to our website and your interest in our products and services. In the following provisions we inform you about the type, scope and purposes of the collection and use of your personal data on this website. Personal data is any information relating to an identified or identifiable natural person. This includes in particular your name, your address and your email address.

1. DATA PROCESSING TO ENABLE USE OF THE WEBSITE

Every time the content of our website is accessed, connection data is transmitted to our web server. This connection data includes:

• the IP address (Internet Protocol address) of the respective user,
• the date and time of the request,
• the referrer URL,
• Device numbers such as UDID (Unique Device Identifier) ​​and comparable device numbers, device information (e.g. device type) as well
• the browser type/version.

This connection data is not used to identify the user or combined with data from other data sources, but is used to provide the website. The legal basis for the processing of your data is Article 6 Paragraph 1 Sentence 1 Letter f GDPR.

2. DATA PROCESSING ON ORDER

It is generally possible to use our website without providing any personal data. You are neither obliged to access this website nor to provide any personal data. However, the provision of personal data is required, for example, to receive newsletters or when registering. If you do not provide us with personal data for the purposes listed below, you may not be able to use the functionalities of this website or individual services.

2.1. ORDER IN SHOP

If you place an order with us, we will process the following data about you:

• Registration data from the customer account or your guest data,
• Purchasing data (order/shopping cart),
• Payment data (payment method, account and credit card details, billing addresses)

Your personal data is processed on the basis of Article 6 Paragraph 1 Sentence 1 Letter b GDPR within the scope of what is necessary for the fulfillment of the contract.

2.2. REGISTER AS A CUSTOMER

If you would like to register with us as a customer, we will collect the required mandatory information from you (first name, last name, email address, password). Alternatively, you can also register using your existing Google or Apple account. If you select this function, you will be redirected to the respective provider's registration form and can log in there with your access data. Google or Apple will then transmit to us your name, your email address and confirmation that you are actually logged in to Google or Apple for authentication purposes. You can determine which other data is transferred to us within your (privacy) settings with the respective provider. The password you use with the respective provider will not be transferred to us. With regard to data processing by the providers in connection with this registration option, please also note the data protection declarations of Apple and Google .

Registration is not necessary, but it will make the ordering process easier for future orders because you can reuse the data you have already saved. Alternatively, you can also place an order as a guest. In this case, we collect the same data from you as when you registered, with the exception of a password. However, this data is not stored in a customer account for you, so you do not have access to a customer account.

After registering, you log in by entering your email address and password. Please always ensure that you log out before leaving the website.

When using a password, please take appropriate security measures. A password should be at least 8 characters long and, if possible, always consist of a combination of letters in upper and lower case, numbers and special characters. In this respect, trivial passwords such as “ABC” or keyboard sequences (e.g. “qwert” or “asdfgh”), all kinds of names (e.g. of friends, acquaintances, colleagues, family members, pets), names of cities and buildings, and cartoon characters are problematic , car brands, license plates, terms, dates of birth, telephone numbers, common abbreviations, etc.

The processing of your personal data is based on your consent in accordance with Article 6 Paragraph 1 Sentence 1 Letter a GDPR.

In addition, as part of the registration process, we store your IP address and the time of registration. This is necessary to ensure the security of our information technology systems. The legal basis for the processing of your data in this case is Article 6 Paragraph 1 Sentence 1 Letter f GDPR.

2.3. LOG IN

If you are a Coffee Roastars customer, you may be able to access specific information or updates about the product you use through the login function on this website.

Login details must be kept strictly secret. If the data has nevertheless been passed on, for example to enable third parties to access certain data sets in an emergency, the password must be changed immediately. For your own protection, it is prohibited to reuse passwords that have already been used.

In addition, when you log in, we store your IP address and the time of access. This is necessary to ensure the security of our information technology systems.

We also set a session cookie every time you log in. This session cookie prevents automatic logout during active use of the account or associated services. After you log out, the session cookie is automatically deleted within a few minutes.

The legal basis for the processing of your data is Article 6 Paragraph 1 Sentence 1 Letter f GDPR and, if your contractual relationship is affected, Article 6 Paragraph 1 Clause 1 Letter b and/or f GDPR.

2.4. NOMINATION OF A ROASTRY

To become part of our community, you have the opportunity to nominate your roastery. For this purpose, we provide a corresponding form via the third-party provider “Hubspot”. In addition to providing the name, location and website of the roastery, you are also required to provide your name and email address. The additional information about the telephone number and job title is optional.

The legal basis for the processing of your data is based on Article 6 Paragraph 1 Sentence 1 Letter fGDPR. Our legitimate interest then lies in answering your query. In the case of the implementation of pre-contractual or contractual measures, the legal basis is Article 6 Paragraph 1 Sentence 1 Letter b GDPR.

To provide the form, we use the HubSpot service from HubSpot Inc., a software company from the USA, 25 First Street, Cambridge, MA 02141 USA, with a branch in Ireland, Ground Floor, Two Dockland Central, Guild St, North Dock, Dublin, D01 K2C5, Ireland (“HubSpot”). With regard to data processing through the use of this service, we refer to Section 3.7. this data protection declaration.

2.5. NEWSLETTER

If you have expressly agreed to receive our newsletter, you will regularly receive information about our roasters or new products at the email address you provided. To receive it, it is sufficient to provide your email address.

We use the so-called double opt-in procedure to register for the newsletter. This means that after you register, we will send you an email to the email address you provided, in which we will ask you to confirm that you wish to send or receive the newsletter. If you do not confirm your registration within 100 days, your information will be automatically deleted.

The processing of your personal data is based on your express consent in accordance with Article 6 Paragraph 1 Sentence 1 Letter a GDPR.

You can revoke your consent at any time with future effect. The revocation of consent does not affect the lawfulness of the processing carried out based on the consent before its revocation. There is a link at the end of each newsletter to exercise your right of revocation. Alternatively, you can revoke your consent at any time, for example by sending an email to contact@60beans.com .

In connection with our newsletter, we use the klaviyo service, operated by Klaviyo, Inc., 125 Summer Street, Floor 6, Boston, MA, 02110, United States (“klaviyo”). Klaviyo is a service that can be used to organize and analyze newsletter distribution. The email address you provided to receive the newsletter will be stored on klaviyo's servers.

Our newsletters sent with klaviyo enable us, among other things, to analyze the behavior of newsletter recipients via a tracking pixel and cookies. Among other things, it can be analyzed how many recipients have opened the newsletter message or how often which link in the newsletter was clicked. With the help of so-called conversion tracking, it can also be analyzed whether a pre-defined action took place after clicking on the link in the newsletter. Further information on data protection at klaviyo can be found at: https://www.klaviyo.com/legal/privacy/privacy-notice

Please note that klaviyo is a US company. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and therefore a risk to the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. The new EU standard data protection clauses were agreed upon as appropriate safeguards to ensure an adequate level of protection during data transfer.

The legal basis for data processing in connection with the aforementioned analysis is based on your consent, based on Section 25 Paragraph 1 Sentence 1 TTDSG for the storage and access to information in end devices and Art. 6 Paragraph 1 Sentence 1 lit. a GDPR for our further processing of your data. You can revoke your consent separately at any time via email to contact@60beans.com.

When you register for a newsletter, we also store your IP address and the time of registration in order to be able to fulfill our legal documentation obligations. The legal basis for data processing in this case is Article 6(1). 1 S. 1 lit. c GDPR.

2.6. ONLINE APPLICATION

You can apply for a job with us on our website. You have the option of using our online application form. Alternatively, you can also apply by email or post.

As part of the online application, you will be asked for personal information (e.g. name and contact details). In order to establish and implement a possible employment relationship, certain data must be provided. If you do not provide these data, which are marked separately as mandatory fields, your application will be incomplete and cannot be further considered as part of the application process. Providing other information and uploading files or documents (e.g. CV or application photo) is not mandatory at this time of application, but optional. As long as you only provide mandatory information, there will be no disadvantages for your application.

After receiving your online application, you will receive an automatic confirmation of receipt from us. Further communication regarding the application process will then take place via our HR department.

We will process your data for the purpose of deciding whether to establish an employment relationship. The legal basis for data processing is Article 88 Paragraph 1 GDPR in conjunction with Section 26 Paragraph 1 Sentence 1 BDSG. If special categories of personal data are affected, processing is governed by Art. 88 GDPR in conjunction with Section 26 Paragraph 3 BDSG. In the event of a rejection or completion of the application process, your data will be deleted within 6 months.

To provide the online application, we use the provider Personio GmbH & Co. KG, Rundfunkplatz4, 80335 Munich (“Personio”), which operates human resources management and applicant management software. The data you provide as part of the application will be transferred to Personio and stored there in a database. With regard to data processing by Personio, we refer to Personio’s data protection declaration.

2.7. CHAT (CUSTOMER SUPPORT)

On our website you have the opportunity to contact our customer support via a chat widget and thus receive answers to your questions more quickly. To provide the chat widget, we use the Zendesk service provided by Zendesk Inc., 989 Market Street, San Francisco, CA 94103, USA (“Zendesk”). Cookies are used to provide the chat and to display your chat history. For this purpose, Zendesk also collects your device data, browser information and IP address.

The legal basis for data processing in connection with the chat widget is based on your consent, which you can give before starting the chat, based on Section 25 Paragraph 1 Sentence 1 TTDSG for the storage and access to information in end devices and Art 6 Paragraph 1 Sentence 1 Letter a GDPR for our further processing of your data. You can revoke your consent at any time via email to contact@60beans.com .

Please note that Zendesk is a US company. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and therefore a risk to the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. The new EU standard data protection clauses were agreed upon as appropriate safeguards to ensure an adequate level of protection during data transfer.

2.8. BUTTON FINDER

On our website we offer you the opportunity to receive coffee recommendations by answering a few questions about your taste. It is not necessary to provide personal data. However, you can voluntarily provide your name to personalize your Tastefinder result. The legal basis for this processing is your consent in accordance with Article 6 Paragraph 1 Sentence 1 Letter a GDPR

‍

3. DATA PROCESSING FOR THE NEEDS-TAILORED DESIGN OF THE WEBSITE

To make your use of our website as pleasant as possible, we use so-called web tracking systems. Cookies are usually used for this purpose, i.e. small text files that are sent to your browser by a web server and stored on your computer's hard drive. This enables us to recognize the device you use when using our website. The tracking tools and other services we use that use cookies are listed in sections 3.1 ff.

In this way it is possible for us to determine, for example, whether you are logged in, have an active shopping cart and what contents the shopping cart contains. The session cookies used to use the shop are deleted after the end of the browser session. Other cookies remain on your device and enable us to recognize your device on your next visit.

Most browsers are set to automatically accept cookies. You can deactivate the storage of cookies in your browser and have the option of deleting them from your hard drive at any time. However, you can also only prevent the setting of certain cookies via your browser (e.g. third-party cookies), for example if you want to prevent web tracking. You can find further information about this in the help function of your browser.

We would also like to point out that you can also install a plugin in your browser to protect your privacy, which offers the option of preventing tracking - e.g. AdBlock, Ghostery or NoScript (please note the data protection information of the respective plugin provider).

Finally, we would like to point out that if cookies are deactivated, not all functions of this website may be able to be used to their full extent. Please also note that deactivation may have to be done for each browser and for each device.

Details about the cookies used on the website can be found in the cookie banner and in the following provisions. The legal basis for the processing of your data follows, insofar as the following provisions in section 3.1.ff. not shown differently, from Article 6 Paragraph 1 Sentence 1 Letter f of the GDPR and - insofar as cookies that are technically absolutely necessary - Section 25 Paragraph 2 No. 2 TTDSG. Our legitimate interest lies in the needs-based design of the website.

3.1. COOKIE CONSENT WITH THE COOKIE CONSENT TOOL

In order to be able to administer your consent to the use of tracking tools, we use the cookie consent tool “Cookiebot”. The provider of this tool is Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark, website: https://www.cookiebot. com/de/ (“Usercentrics”). In this context, in addition to the connection data, the granting or rejection of your consent or the revocation of consent are transmitted to Usercentrics. In order to be able to make the corresponding assignment, Usercentrics also sets a cookie in your browser .

Cookiebot is used to obtain the legally required consent for the use of cookies. The legal basis for this is Article 6 Paragraph 1 Sentence 1 Letter c GDPR.

3.2. GOOGLE ANALYTICS

Our website uses the tracking tool “Google Analytics”. This is a service provided by Google Ireland Limited, a company incorporated and operating under the laws of Ireland with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). This tracking tool helps us to make the website more interesting for you and to improve the user experience. Data about the use of our website is stored in pseudonymous user profiles. Cookies can also be used for this purpose. In addition, data from different devices, sessions and interactions can be linked to a so-called “User ID”. The information generated is usually transferred to a Google server in the USA and stored there. We would like to point out that Google Analytics has been expanded to include the “anonymizeIp” function on our website. As a result, your IP address will first be shortened by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area and only then transmitted to a Google server in the USA.

Shortening the IP address represents an additional measure in accordance with Article 25 Para. 1 GDPR to protect users, but it does not mean that the complete data processing is carried out anonymously. When using Google Analytics, in addition to the IP address, other usage data is also collected that is to be assessed as personal data, such as identification characteristics of individual users, which also allow a link to an existing Google account, for example.

On our behalf, Google will use the information received to evaluate your use of our website, to compile reports on website activity and to provide us with other services relating to website activity and internet usage. The pseudonymized usage profiles will not be merged with personal data about the bearer of the pseudonym without a separate consent.

For more information about Google Analytics, see:

https://support.google.com/analytics/answer/2790010?hl=de

Please note that Google also has independent access to your data collected via Google Analytics and can also use this data for its own purposes. This allows Google to link this data with other data about you, such as search history, personal account, usage data from other devices and any other data that Google has about you.

The legal basis for the use of Google Analytics is your consent, based on Section 25 Paragraph 1 Sentence 1 TTDSG for the storage and access to information in end devices and Art. 6 Paragraph 1 Sentence 1 Letter a GDPR for our further purposes Processing of your data. You give your corresponding consent via our cookie banner. Please note that Google is a US company. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and therefore a risk to the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. The new EU standard data protection clauses were agreed upon as appropriate safeguards to ensure an adequate level of protection during data transfer.

3.3. GOOGLE ADS CONVERSION

In order to advertise our products and services on external websites using advertising materials and to determine the success of our advertising measures, we use the “Google Ads Conversion” service. These advertising materials are delivered by Google via so-called “ad servers”. If you reach our website via a Google ad, Google Ads will store a cookie on your device. These cookies usually expire after 30 days and are not used to identify you personally. The analysis values ​​for this cookie are usually the unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that the user does not would like to be addressed more).

The aforementioned cookies enable Google to recognize your Internet browser. If you have visited certain websites of an Ads customer and the cookie stored on your computer has not yet expired, Google and the Ads customer can recognize that you clicked on the ad and were redirected to this page. Cookies cannot be tracked across Ads customers' websites. We ourselves do not collect or process any personal data in the advertising measures mentioned. We also only receive statistical evaluations from Google. Based on these evaluations, we can identify which of the advertising measures used are particularly effective. We do not receive any further data from the use of advertising materials; in particular, we cannot identify you based on this information.

Due to the marketing tools used, your browser automatically establishes a direct connection with the Google server. We have no influence on the extent and further use of the data collected by Google through the use of this tool and therefore inform you as follows based on our knowledge: By integrating Ads Conversion, Google receives the information that you have received the relevant part accessed our website or clicked on an advertisement from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, there is a possibility that the provider will find out and store your IP address.

Further information about data protection at Google can be found here:

https://support.google.com/google-ads/answer/93148 https://ads.google.com/intl/de_de/home/faq/gdpr/

The legal basis for the use of Google Ads Conversion is your consent, based on Section 25 Paragraph 1 Sentence 1 TTDSG for the storage and access to information in end devices and Art. 6 Paragraph 1 Sentence 1 lit. a GDPR for ours further processing of your data. You give your corresponding consent via our cookie banner. Please note that Google is a US company. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and therefore a risk to the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. The new EU standard data protection clauses were agreed upon as appropriate safeguards to ensure an adequate level of protection during data transfer.

3.4 GOOGLE MAPS

On our website we also use the map service Google Maps from Google via an API. In order to use the functions of Google Maps, it is necessary to save your IP address. This information is usually transferred to a Google server in the USA and stored there. We have no influence on this data transfer. We have also concluded an agreement with Google on mutual responsibility for processing personal data. You can view our agreement with Google at the following link. The legal basis for the use of Google Maps is your consent, based on Section 25 Paragraph 1 Sentence 1 TTDSG for the storage and access to information in end devices and Art. 6 Paragraph 1 Sentence 1 lit. aDSGVO for our further processing of your data. You give your corresponding consent via our cookie banner. Please note that Google is a US company. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and therefore a risk to the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. The new EU standard data protection clauses were agreed upon as appropriate safeguards to ensure an adequate level of protection during data transfer.

You can find more information on how to handle user data in Google's privacy policy: https://www.google.de/intl/de/policies/privacy/.

3.5. HOTJAR

Our website uses Hotjar, an analysis software from Hotjar Ltd., Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta (“Hotjar”) to better understand the needs of our users and to improve what is offered on this website optimize. With Hotjar's technology we get a better understanding of our users' experiences (e.g. how much time users spend on which pages, which links they click, what they like and what they don't, etc.) and this helps us to align our offering with our users' feedback . Hotjar works with cookies and other technologies to collect information about the behavior of our users and their devices, in particular screen size, device type (unique device identifiers), information about the browser used, location (country only), preferred language for viewing our website. Hotjar stores this information in a pseudonymized user profile. The information is not used by Hotjar or us to identify individual users or combined with other data about individual users. Further information can be found in Hotjar's privacy policy (https://www.hotjar.com/legal/policies/privacy).

The legal basis for the use of Hotjar is your consent, based on Section 25 Paragraph 1 Sentence 1TTDSG for the storage and access to information in end devices and Art. 6 Paragraph 1 Sentence 1 lit. a GDPR for our further processing of your data . You give your corresponding consent via our cookie banner.

You can prevent Hotjar from storing a user profile and information about your visit to our website and from setting Hotjar tracking cookies on other websites by activating the “Do Not Track” setting in your browser. Hotjar provides instructions for this under the following link: https://www.hotjar.com/de/legal/policies/do-not-track/.

3.5. LEAD FEEDER

We use the Leadfeeder service from the Finnish company Liidio Oy / Leadfeeder, Keskuskatu 6 E, 00100 Helsinki, Finland (“Leadfeeder”) on our website. This service allows us to identify the names of the companies that visit our website in order to better target B2B marketing efforts. The behavior of website visitors is recorded, e.g. the pages accessed, where the visitors come from and how long they spend on the website. In addition, the IP address of visitors is recorded to determine the company and geographical location. Cookies are also used here. In addition, Leadfeeder enriches the collected data with contact details of people from the company, which are available in publicly accessible data sources, in order to identify contact persons within the company.

If it turns out that a website visit is not from a company but from a private person, this visitor is filtered out by the system and no further data is recorded.

We have activated the IP address anonymization function within Leadfeeder. This shortens the IP address of website visitors. Shortening IP addresses does not affect the recognition of companies. However, this prevents individual, individual visitors from being identified.

The legal basis for the use of Leadfeeder is your consent, based on Section 25 Paragraph 1 Sentence 1TTDSG for the storage and access to information in end devices as well as Art. 6 Paragraph 1 Sentence 1 lit. a GDPR for our further processing of your data. You give your corresponding consent via our cookie banner.

Further information on data processing by Leadfeeder can be found in Leadfeeder's data protection declaration: https://www.leadfeeder.com/privacy/

3.7. HUBSPOT

For our online marketing activities we use the service of HubSpot Inc., a software company from the USA, 25 First Street, Cambridge, MA02141 USA, with a branch in Ireland, Ground Floor, Two Dockland Central, Guild St, North Dock , Dublin, D01 K2C5, Ireland (“HubSpot”).

HubSpot is an integrated software solution that we use to cover various aspects of our online marketing. These include, among other things: email marketing, contact management (e.g. user segmentation & CRM) as well as data processing via contact forms. Using our contact form (see section 2.4.), users of our website can nominate roasting companies and provide their contact information and other information. This information is then stored on servers of our software partner HubSpot. They can be used by us to contact users of our website. All information we collect is subject to this Privacy Policy.

We use all information collected exclusively to optimize our marketing measures.

The legal basis for the use of HubSpot is your consent, based on Section 25 Paragraph 1 Sentence 1 TTDSG for the storage and access to information in end devices and Art. 6 Paragraph 1 Sentence 1 lit. a GDPR for our further processing of your data. You give your corresponding consent via our cookie banner. Please note that HubSpot is a US company. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and therefore a risk to the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. The new EU standard data protection clauses were agreed upon as appropriate safeguards to ensure an adequate level of protection during data transfer.

3.8. TRUST PILOT

We use the services of the provider Trustpilot A/S, Pilestraede 58, 5th floor, DK-1112 Copenhagen (“Trustpilot”) for our website and our customer satisfaction surveys. Trustpilot offers us the opportunity to have our services rated by our customers. If you have placed an order through our shop, you will receive a review request from us with a link to the Trustpilot review page. To ensure that only those customers who have actually ordered through our shop leave a review, we send Trustpilot the data required for verification. This includes your name, email address and reference number. You can object to the use of your email address for review requests at any time by sending an email to contact@60beans.com.

In order to leave a review, you must create a user profile on Trustpilot. Trustpilot is solely responsible for data processing in connection with this user profile and the reviews submitted on the platform. In this respect, reference is made to Trustpilot's data protection declaration: https://de.legal.trustpilot.com/for-reviewers/end-user-privacy-terms

In addition, we use the widget offered by Trustpilot on our website to display the customer feedback we receive. For this purpose, our website establishes a connection to the Trustpilot servers. Trustpilot collects the following data as part of providing the widget: impressions, views and clicks. This data allows us to analyze your interaction with the widget.

3.9. FACEBOOK CUSTOM AUDIENCE VIA THE PIXEL PROCESS (STANDARD VERSION)

We use the “Facebook Custom Audience” product offered by Meta Platforms Ireland Limited (formerly Facebook Ireland Ltd.), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Meta”) via the pixel process (standard version) . Cookies are used in this process (see section 4). The legal basis for the use of Facebook Custom Audience is your consent, based on Section 25 Paragraph 1 Sentence 1TTDSG for the storage and access to information in end devices and Art. 6 Paragraph 1 Sentence 1 Letter a GDPR for our further purposes Processing of your data. You give your corresponding consent via our cookie banner. Please note that Meta is a US company. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and therefore a risk to the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. In the event that data is transferred to Meta Platforms Inc. in the USA, the new standard data protection clauses have been agreed between Meta Platforms Ireland Limited and Meta Platforms Inc.

Meta collects and stores usage data in pseudonymous profiles for the purpose of web analysis or to enable interest-oriented advertising. This allows us to track users' actions after they have seen or clicked on a Facebook ad. This allows us to record the effectiveness of Facebook advertisements for statistical and market research purposes. The data collected in this way is anonymous to us, which means we do not see the personal data of individual users. However, this data is stored and processed by Meta, about which we will inform you according to our level of knowledge. Meta may connect this data to your Facebook account and also use it for its own advertising purposes in accordance with Meta's data use policy. Further information on data processing by Meta can be found in Meta's data protection declaration (https://www.facebook.com/privacy/explanation) and https://de-de.facebook.com/notes/facebook-and-privacy/relevant -ads-that-protect-your-privacy/457827624267125/.

In addition to us, Meta itself is also responsible for data processing. Meta processes the data in accordance with Meta's data usage guidelines. Please see Meta's Data Use Policy for details. Specific information and details about the Facebook Pixel and how it works can be found in the Meta help section.

In this respect, we and Metatogether are responsible for the processing of your personal data within the meaning of Art. 26 GDPR. In this case, you can generally assert your rights (see section 9) both against us and against Meta. However, Meta serves as the first port of call. We have entered into an agreement with Meta on shared responsibility for processing personal data. You can view these at the following link: https://www.facebook.com/legal/controller_addendum.

3.10. META PIXEL

The so-called “meta pixel” involves an invisible meta pixel being integrated into our website, through which the online behavior of every website visitor is monitored by the Meta Platforms IrelandLimited (formerly Facebook Ireland Limited), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Meta”) is analyzed. The Meta Pixel makes it possible to transmit customer data such as first name, last name, email address, etc. to Meta and enrich it with existing tracking data. This makes it possible to collect data from non-users of the social network Facebook or to record users who are not logged in to Facebook while visiting a website. This means that website visitors are tracked via Meta, which deliberately prevents the storage of third-party cookies. We have the opportunity to specifically address you on Facebook with an advertisement. Using the meta pixel, it is also possible to specifically attract new customers and address new people who are similar to website visitors.

In addition to us, Meta itself is also responsible for data processing. Meta processes the data in accordance with Meta's data usage guidelines. Please see Meta's Data Use Policy for details. Specific information and details about the Meta Pixel and how it works can be found in the Meta Help section.

In this respect, we and Metatogether are responsible for the processing of your personal data within the meaning of Art. 26 GDPR. In this case, you can generally assert your rights (see section 9) both against us and against Meta. However, Meta serves as the first port of call. We have entered into an agreement with Meta on shared responsibility for processing personal data. You can view these at the following link: https://www.facebook.com/legal/controller_addendum.

The legal basis for the use of the Meta-Pixel is your consent, based on Section 25 Paragraph 1 Sentence 1TTDSG for the storage and access to information in end devices and Art. 6 Paragraph 1 Sentence 1 lit. a GDPR for our further purposes Processing of your data. You give your corresponding consent via our cookie banner. Please note that Meta is a US company. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and therefore a risk to the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. In the event that data is transferred to Meta Platforms Inc. in the USA, the new standard data protection clauses have been agreed between Meta Platforms Ireland Limited and Meta Platforms Inc.

3.11. TIKTOK PIXELS

We also use the TikTok Pixel, a tool from TikTok Technology Limited, 10 EarlsfortTerrace, Dublin, D02 T380, Ireland (“TikTok”) on our website. The TikTok pixel enables us to analyze the online behavior of users of our website. If a user clicks on an ad from us on the TikTok platform and is redirected to our website, the TikTok pixel collects information about the ad, the user's IP address, browser information and the time of the click. In addition, actions that a user then takes on our website are tracked. Cookies are also used here. The use of the TikTok Pixel allows us to measure the effectiveness of our advertising measures and thus optimize our marketing.

In addition to us, TikTok itself is also responsible for data processing. TikTok's processing is carried out in accordance with TikTok's data protection declaration and data protection declaration for business products. In this respect, we and TikTok are jointly responsible for the processing of your personal data within the meaning of Art. 26 GDPR. In this case, you can generally assert your rights (see Section 9) both against us and against TikTok. However, TikTok serves as the first port of call. We have entered into a joint controllership agreement with TikTok for the processing of personal data. You can view these at the following link: https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms

The legal basis for the use of the TikTok Pixel is your consent, based on Section 25 Paragraph 1 Sentence 1 TTDSG for the storage and access to information in end devices and Art. 6 Paragraph 1 Sentence 1 lit. a GDPR for our further purposes Processing of your data. You give your corresponding consent via our cookie banner. Please note that TikTok also has companies outside the EU, particularly in the USA. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and therefore a risk to the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. The new EU standard data protection clauses were agreed upon as appropriate safeguards to ensure an adequate level of protection during data transfer.

4. SOCIAL MEDIA APPEARANCES

4.1. LINKS TO SOCIAL NETWORKS

Our website contains links to social networks (Facebook, Instagram, Linkedin and TikTok). These websites are operated exclusively by third parties. If you follow the links, the respective provider may process your personal data. Please note the data protection information of the providers in this regard.

4.2. DATA PROCESSING BY COFFEE ROASTARS AND LEGAL BASIS

Our social media presence (Facebook, Instagram, Linkedin and TikTok) serves the purpose of informing you about Coffee Roastars and our new developments, services and products. Depending on the offer of the respective provider, you have the opportunity to interact in different ways (comments, recommendations, etc.), for example in connection with our social media presence. User interaction is an important criterion for us in order to conduct targeted marketing. For example, we can determine which articles are preferred to be read. We therefore also use the statistics determined by the providers in this regard for our own purposes. If we process users' personal data, the legal basis for this is Article 6 Paragraph 1 Sentence 1 Letter f GDPR. Our legitimate interest then lies in particular in targeted information/advertising. The providers will inform you separately about the legal basis on which the providers process your data for their own purposes.

4.3. SHARED RESPONSIBILITY

In individual cases, we and the social media providers are jointly responsible for processing your personal data. In this case, you can exercise your rights (see section 9) in relation to both. us as well as against to the social media provider. However, the first point of contact is the social media provider.

We have concluded an agreement with Meta (formerly Facebook) on shared responsibility for processing personal data. This applies to the processing of so-called “insights data”. These are page statistics, particularly on the interactions of Facebook users. Details about the Insights data can be found here: https://www.facebook.com/business/pages/manage#page_insights. You can view our agreement with Meta at the following link: https://www.facebook.com/legal /controller_addendum.

We have also concluded an agreement on shared responsibility with LinkedIn Ireland with regard to so-called “page insights”. With the page insights, LinkedIn Ireland does not provide us with any personal data about you, but only aggregated data. It is not possible for us to draw conclusions about individual users from the information provided in the page insights. Details of Page Insights and our agreement with LinkedIn Ireland can be found at the following link:

https://legal.linkedin.com/pages-joint-controller-addendum.

Please note that the social media providers also process your data outside the EU/EEA. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and therefore a risk to the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes.

With regard to the storage period of the data we process from you for our own purposes, we refer to our statements in section 7. Otherwise, please note the data protection regulations of the respective social media provider.

‍

5. DATA TRANSFER

We only pass on your personal data to third parties or other recipients if this is necessary to provide the service (in particular as part of the necessary transmission of shipping data to the respective roasting companies, which carry out the shipping directly to you), if you have given your consent, a legal consent There is an obligation or the data transfer is permitted on the basis of another legal basis. Data is passed on, for example, to technical service providers or - in the case of a corporate transaction - to interested parties/buyers etc. We also use the services of the service provider Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland (Shopify), for the purpose of hosting our website. To the extent necessary, we have made agreements with the recipients of your data regarding order processing in accordance with Art. 28 GDPR.

Please also note the separate data protection provisions of the payment methods you have selected.

PayPal: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

Klarna: https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_de/privacy

VISA: www.visaeurope.com

MasterCard: www.mastercard.com

American Express: https://www.americanexpress.com/de/

Coinbase and Coinbase Commerce https://www.coinbase.com/

Amazon Pay: https://pay.amazon.de/

6. DATA TRANSFER TO COUNTRIES OUTSIDE THE EU

To the extent necessary for our purposes, we will also transmit your data to recipients outside the EU if you have given your consent, there is a legal obligation or the data transfer is permitted on the basis of another legal basis. As part of data processing, your data will also be transmitted to recipients who are based in the USA. Please note, however, that according to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and therefore a risk to the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. An appropriate level of data protection is ensured by the conclusion of the new so-called EU standard data protection clauses.

As part of the use of Shopify (see Section 5), personal data may be transmitted to Shopify Inc. in Canada or the USA. In the event that data is transferred to Shopify Inc. in Canada, the appropriate level of data protection is guaranteed by an adequacy decision by the European Commission. Further information on Shopify's data protection can be found on the following website: https://www.shopify.de/legal/datenschutz .

7. DURATION FOR WHICH PERSONAL DATA WILL BE STORED / CRITERIA FOR DETERMINING THE DURATION

We will store your personal data for as long as it is necessary for the above-mentioned purposes of processing, in the event of an objection there are no compelling legitimate reasons on the part of Coffee Roastars or in the event of a revocation there is no other legal basis for data processing. In certain cases, for example if there is a legal retention requirement, your personal data will not be deleted immediately but will first be blocked. The retention period for messages via the contact form with business content can be up to ten years.

If an application (e.g. via our online application form, see section 2.6.) is successful, your data will be transferred to the personnel file and stored beyond the period of the application process in accordance with the legal provisions. If your application is not successful, we will store your data beyond the period of the application process for a maximum of 6 months, unless you have given your consent to further data processing.

8. SECURITY MEASURES TO PROTECT YOUR PERSONAL DATA

We protect your data from unauthorized access, loss or destruction using technical and organizational measures. Our security measures are continuously improved in line with technological developments. Our employees and all persons involved in data processing are obliged to comply with data protection laws and to handle personal data confidentially. Our employees are trained accordingly.

To protect your personal data on this website, we use a secure online transmission process called “Secure Socket Layer” (SSL) transmission. You can recognize this because a closed lock symbol is displayed on the address component https://. By clicking on the symbol you will receive information about the SSL certificate used. The display of the symbol depends on the browser version you are using. SSL encryption ensures the encrypted and complete transmission of your data.

9. YOUR RIGHTS

Within the framework of the legal requirements, you are generally entitled to claim from Coffee Roastars

• Confirmation as to whether personal data concerning you is being processed by Coffee Roastars,
• Information about this data and the circumstances of processing,
• Correction if this data is incorrect,
• Deletion if there is no justification for the processing and no obligation to store it (any longer),
• Restriction of processing in special cases determined by law,
• Objection in the event of data processing based on Article 6 Paragraph 1 Sentence 1 Letter f GDPR and
• Transmission of your personal data – if you have provided it – to you or a third party in a structured, common and machine-readable format.

To the extent that the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time, with the result that the processing of your personal data will be inadmissible in the future. However, this does not affect the lawfulness of the processing carried out based on consent until its revocation.

Please send your specific request in writing or by email, clearly identifying yourself to:

Coffee Roastars GmbH | 60 beans
New Jungfernstieg 17
20354 Hamburg

Managing Directors: Ferdinand von Kalm, Roman Smigiel, Dijana Dimitrovska

Email: contact@60beans.com

To the extent that we process your data with third parties under joint responsibility within the meaning of Art. 26 GDPR, the third party is centrally responsible for exercising all of the rights of those affected. However, you are free to assert your rights against us.

Finally, we would like to point out your right to lodge a complaint with the supervisory authority.

‍

10. NO AUTOMATED INDIVIDUAL DECISIONS

We do not use your personal data for automated individual decisions.

11. CHANGES TO THE PRIVACY POLICY

New legal requirements, business decisions or technical developments may require changes to our data protection declaration. The data protection declaration will then be adjusted accordingly. You can always find the current version on our website.