Privacy Policy

Creation date: 2024-12-14 18:34:18
Update date: 2025-01-28 17:19:19

The responsible person

The entity responsible for the collection and processing of the data provided below is the organization listed below.

Einzelunternehmen BlumenHorizon
Breslauer Str. 52
27755, Delmenhorst
service@blumenhorizon.de
+49 152 12628766
Vitalii Melnykov


Hosting provider

The web application of the BlumenHorizon online store is hosted on servers of Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany).

Storage of IP address

We store the IP address transmitted by your web browser strictly for security purposes for a period of seven days, in order to detect, locate, and prevent attacks on our website. After this period, we delete or anonymize the IP address. The legal basis for this is Article 5, Paragraph 1 of the GDPR.

Usage data

When you visit our web pages, we collect the following data that your browser sends to our server (so-called “server log files”):

Purpose of data collection

The data mentioned is stored and anonymized for statistical purposes and to improve the quality of our web pages. Log files help us analyze access to the websites and identify technical issues.

The data is stored only in an anonymized form, so it cannot be linked to a specific user.

Methods of contact with the customer

You can contact us by phone, email, or through messengers (such as Telegram or WhatsApp).

Data processing during phone calls

If we collect any data during a phone call, we use it solely to respond to your inquiry or to get in touch with you.

Data processing during email communication

Data provided in the course of an email is stored and used exclusively to respond to your inquiry or to communicate with you.

Data processing during messenger communication

We prefer communication through messengers, such as Telegram or WhatsApp, and use them to obtain data necessary for fulfilling your orders. In the course of processing orders, we may collect the following information from you:

We use this data solely for the purpose of processing your order. This data is not shared with third parties, except when necessary for order fulfillment. Specifically, the recipient’s name and phone number, delivery address, and greeting card text are passed on to the delivery services that carry out the order delivery.

It should also be noted that companies owning the messengers used, such as Telegram or WhatsApp (owned by Meta Platforms, Inc.), may have access to this data, as messages pass through their servers. This is due to the nature of how such apps work. We recommend considering this aspect when choosing a communication method.

We take all reasonable measures to ensure the confidentiality of your information and use trusted services to minimize the risk of unauthorized access.

Legal basis for data processing

The legal basis for data processing is our legitimate interest in responding to your inquiry and fulfilling your order in accordance with Article 6, Paragraph 1, Point f of the GDPR. If your inquiry is related to the conclusion of a contract, the legal basis for data processing is Article 6, Paragraph 1, Point b of the GDPR.

We delete your data when it is no longer needed and there are no mandatory retention requirements. According to Article 6, Paragraph 1, Point f of the GDPR, you have the right to object to data processing at any time. To do so, please contact us via the email address provided in the contact information (Impressum) or the responsible party listed at the beginning of this document.

Data processing during email communication and message forwarding

Emails sent to our address pass through the servers of our hosting provider, Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany), which forwards the messages to our main Gmail inbox.

Messages may be temporarily stored on both Hetzner Online GmbH servers and Google servers (Gmail). As a result, the data may be accessible to relevant government authorities under the jurisdictions of Germany and the United States. In theory, government agencies from both countries may have access to your messages if required by national legislation.

We take measures to ensure the highest security for your data and use reliable service providers to minimize the risks of unauthorized access.

Contact forms (on the homepage and product pages)

You have the option to contact us using our contact form on the homepage titled “Contact Us” and on each product page by filling out the form titled “Need a custom solution?”. To use our form, we first require the data marked as mandatory fields. We use this data based on Article 6, Paragraph 1, Sentence 1, Letter f of the GDPR to respond to your inquiry.

You can also decide whether you want to provide us with additional information. This information is provided voluntarily and is not required to contact you. We process your voluntary information based on your consent.

Your data will be processed solely for the purpose of responding to your inquiry. We will delete your data once it is no longer needed and there are no legal retention requirements.

If your data submitted through the contact form is processed based on Article 6, Paragraph 1, Sentence 1, Letter f of the GDPR, you may object to the processing at any time. You can also withdraw your consent for processing voluntary information at any time. To do so, please contact the email address provided in the official notice or use the same form.

After filling out the form and clicking the “Submit” button (or a similarly named button), your request will be sent to the BlumenHorizon online store server and will not be shared with third parties. However, it should be noted that our web application is hosted on the servers of Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany). In theory, government authorities in Germany may have access to your messages if required by national legislation.

Order processing, guest orders, user accounts

You have the option to place an order with us as a guest. For this, we process the personal data you provide during the order process in accordance with Article 6, Paragraph 1, Letter b of the GDPR (DSGVO) to fulfill your order. We use your email address to notify you of the status of your order. After the contract is fully executed, your data will be deleted unless there are tax (steuerrechtliche) or commercial (handelsrechtliche) obligations to retain it, unless you have explicitly consented to further use of your data, or unless further use is permitted by law.

When creating a customer account, we store the data you provide. This includes your first name, last name, email address, and phone number. We store and use the personal data you provide during the order process (specifically, billing and delivery addresses, information about the items you ordered, and the payment method you selected) in accordance with Article 6, Paragraph 1, Letter b of the GDPR to process your orders. We use your email address to notify you about the status of your order.

When you create a customer account, you also have the option to consent to the creation of a personal profile based on your shopping behavior and usage, in order to better tailor advertisements and web offerings to your personal interests. This is voluntary and not required for creating a customer account. The processing of your personal data for these purposes is carried out with your consent. You can withdraw this consent at any time. To do so, please contact the email address provided in the official notice.

Your customer account can be deleted at any time by sending a message to the responsible party at the email address provided above. Once the contract has been fully processed or your customer account has been deleted, your data will be blocked in accordance with tax (steuerrechtliche) and commercial (handelsrechtliche) retention periods and deleted after these periods, unless you have explicitly consented to further use of your data or we reserve the right to use your data in accordance with the law.

Payment systems and transfer of payment data

To process payments, we use the service Stripe Inc. (Stripe Payments Europe, Limited (SPEL), 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland). For this, you will be redirected directly to Stripe at the end of the order process. Stripe acts as an independent controller within the meaning of the GDPR during the payment process. In this context, you have the option to choose any payment method offered by Stripe Inc. (a detailed list is available at the following link: https://stripe.com/en-de/payments/payment-methods).

Stripe processes only billing-related data. This includes your basic details, such as your name and address, your bank account details (e.g., account numbers or credit card numbers), and information about your order, such as the invoice amount. These data are processed solely by Stripe. We do not process the data mentioned above. We only receive information about whether the payment was successful or not. Under certain circumstances, Stripe data may also be shared with credit reporting agencies for identity and creditworthiness verification purposes. The data processing serves the purpose of fulfilling the contract in accordance with Article 6, Paragraph 1, Letter b of the GDPR. Please note that Stripe may transfer data to a country that does not provide an adequate level of data protection. If data is transferred to the United States, there is a risk that your data may be processed by U.S. authorities for control and surveillance purposes without the possibility of legal recourse.

For more information on data protection, refer to Stripe’s privacy policy.

Data security for information sent over the internet

To maximize the protection of your data from unauthorized access, we take technical and organizational measures. Our pages use encryption methods. Your data is transmitted from your device to our server and back over the internet using SSL or TLS encryption. You can recognize this by the closed padlock icon in your browser’s status bar, and the address bar starting with https://.

Transmission of data to third parties

Sometimes we transfer personal data to third countries outside the EU (see, for example, Google Analytics below). However, data will only be transferred if you have explicitly consented to the use of these services via the cookie banner. If you do not want these service providers to store your data, do not give your consent or revoke it. If you want to revoke your decision, you can clear all cookies set by the BlumenHorizon online store web application. For example, in Google Chrome, you can do this by clicking on the “Site Information” button to the left of the address bar (settings icon), then selecting “Cookies and site data”, and in the cookie management menu, you can delete BlumenHorizon site data.

We transfer your data for order processing in accordance with Article 28 of the GDPR to service providers who assist us with the operation of our websites (e.g., hosting) and related processes. Our service providers strictly follow our instructions or contractual agreements and are legally obligated to comply with data protection laws. Additionally, your data will also be shared with service providers who assist us with order processing and delivery (e.g., local florists who assemble your bouquet and delivery providers such as DHL, etc.), as well as payment service providers (see “Payment systems and transfer of payment data”).

Please note that under the so-called CLOUD Act, access to data by U.S. authorities – possibly without judicial review – cannot be excluded when personal data is stored in the European Union by U.S. sub-processors. There is a risk that authorities may access the data for security and surveillance purposes without your notification or the ability to take legal action.

Google Tag Manager

We use the service provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. With this service, tags can be centrally integrated through a user interface. Tags are small code snippets that can track user actions. Through Google Tag Manager, script codes of other services are integrated. Tag Manager allows controlling when a specific tag will be activated. The legal basis for processing your data is Art. 6, para. 1, sentence 1, letter f of the GDPR (DSGVO) and our legitimate interest in managing services on our website. A data processing agreement has been concluded with Google.

This service may transfer collected data to other countries outside the EU or EEA (in particular, to the United States). For Google, an adequate level of data protection is ensured in accordance with an adequacy decision (EU-U.S. Data Privacy Framework). Furthermore, Google commits to entering into standard contractual clauses with additional subprocessors.

Processing Entity
Google Ireland Limited
Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland

Purpose of Data Processing
This list presents the purposes for collecting and processing data:

  • Tag management

Technologies Used
This list includes all technologies used by the service for data collection:

  • Web tags

Collected Data
This list includes all (personal) data collected using the service:

  • Aggregated tag trigger data
  • IP addresses

Legal Basis
The necessary legal basis for data processing is as follows:

  • Art. 6, para. 1, sentence 1, letter f of the GDPR

Data Processing Location
This is the main location where the collected data is processed. If data is processed in other countries, you will be notified separately.

  • European Union. This service may transfer collected data to other countries outside the EU or EEA (in particular, to the United States). For data transfers to the U.S., an adequate level of data protection is ensured by the provider’s certification under the adequacy decision (EU-U.S. Data Privacy Framework). Additionally, Google commits to entering into standard contractual clauses with additional subprocessors.

Data Retention Period
The data retention period is the period during which the collected data is stored for processing. Data must be deleted as soon as it is no longer needed for the specified processing purposes.

Data Recipients
The recipients of the collected data are as follows:

  • Google LLC

Google Analytics

We use Google Analytics, a web analytics service provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google Analytics creates user profiles based on pseudonyms. For this purpose, persistent cookies are stored on your device, which we read. This allows us to recognize returning visitors and count them. The use of this service enables linking data, sessions, and interactions across multiple devices with a pseudonymous user identifier and analyzing user activity on our websites. As part of using the Google Analytics service, Google acts as a data processor. Data processing may also take place in countries outside the EU or EEA (in particular, the United States). For Google, an adequate level of data protection is ensured based on an adequacy decision (EU-U.S. Data Privacy Framework). Google is also committed to entering into standard contractual clauses with additional subprocessors. The legal basis for using Google Analytics 4 is your consent under Art. 6, para. 1, point 1, letter a of the GDPR, which you can withdraw at any time by changing the settings on our consent management platform.

Processing Entity
Google Ireland Limited
Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland

Purpose of Data Processing
This list presents the purposes for collecting and processing data:

  • Marketing
  • Analysis

Technologies Used
This list includes all technologies used by the service for data collection:

  • Tracking code
  • Cookies

Collected Data
This list includes all (personal) data collected using the service:

  • Device information
  • Geographical location
  • Browser information
  • Device operating system
  • Screen resolution
  • Referrer URL
  • Interaction data
  • Date and time of visit
  • User behavior
  • Visited pages
  • Online identifiers
  • Anonymized IP address
  • User ID
  • Advertising ID
  • Purchase information

Legal Basis
The necessary legal basis for data processing is as follows:

  • Art. 6, para. 1, point 1, letter a of the GDPR

Data Processing Location
This is the main location where the collected data is processed. If data is processed in other countries, you will be notified separately.

  • European Union. This service may transfer collected data to other countries outside the EU or EEA (in particular, to the United States). For data transfers to the U.S., an adequate level of data protection is ensured by the provider’s certification under the adequacy decision (EU-U.S. Data Privacy Framework). Google is also committed to entering into standard contractual clauses with additional subprocessors.

Data Retention Period
The data retention period is the period during which the collected data is stored for processing. Data must be deleted as soon as it is no longer needed for the specified processing purposes.

The maximum retention period is 14 months.

Data Recipients
The recipients of the collected data are as follows:

  • Google LLC
  • Google Ireland Limited

Storage Information
The maximum storage duration on the device, depending on the storage method used, is as follows:

  • Maximum cookie storage duration: 2 years

Stored Information
This service uses various means to store information on the user’s device, as mentioned above.

_ga
Used for distinguishing users.
Type: cookie
Retention period: 2 years

_ga_<container-id>
Used to maintain session state.
Type: cookie
Retention period: 2 years

Your Rights as a User

Under the GDPR (General Data Protection Regulation), you have certain rights regarding the processing of your personal data:

Right to Access (Article 15 GDPR):

You have the right to request confirmation as to whether your personal data is being processed. If so, you have the right to obtain information about this data and access the detailed information specified in Article 15 GDPR.

Right to Rectification and Deletion (Articles 16 and 17 GDPR):

You have the right to request immediate correction of inaccurate personal data concerning you and, if necessary, the completion of incomplete data. You also have the right to request the immediate deletion of your personal data if the conditions listed in Article 17 GDPR apply (e.g., if the data is no longer needed for the purposes for which it was collected).

Right to Restriction of Processing (Article 18 GDPR):

You have the right to request the restriction of processing of your data if the conditions outlined in Article 18 GDPR apply, such as if you have objected to processing during the verification period.

Right to Data Portability (Article 20 GDPR):

In certain circumstances, as specified in Article 20 GDPR, you have the right to receive your personal data in a structured, commonly used, and machine-readable format or request its transfer to another entity.

Right to Object (Article 21 GDPR):

If your data is collected based on Article 6(1)(f) GDPR (processing for legitimate interests), you have the right to object at any time to the processing for reasons related to your particular situation. We will cease processing your data unless we can provide compelling legitimate grounds for processing that override your rights and freedoms, or if processing is necessary for the establishment, exercise, or defense of legal claims. If your personal data is processed for direct marketing purposes, you can object at any time to such processing, including profiling related to direct marketing.

Right to Withdraw Consent (Article 7 GDPR):

If the processing of your data is based on your consent, you have the right to withdraw that consent at any time according to Article 7(3) GDPR. Please note that the withdrawal only applies to future processing and does not affect processing carried out prior to the withdrawal.

Right to Lodge a Complaint with a Supervisory Authority (Article 77 GDPR):

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your data violates data protection laws. The complaint can be filed with the authority in the EU member state where you reside, work, or where the alleged infringement occurred.

Data Processing in Connection with the Exercise of Data Subject Rights

We process your data to verify, process, respond to, and document your request for exercising your data subject rights (Articles 15–22 GDPR). This data processing is carried out based on Article 6(1)(c) GDPR. Legal obligations for such processing stem from Article 12 GDPR, the requested rights (Articles 15–22 GDPR), and Article 5(2) GDPR (accountability principle).

Additionally, we process the data you provide in your request (e.g., email or written correspondence) for documentation purposes. This processing is based on Article 6(1)(f) GDPR, as it serves our legitimate interests in confirming the proper handling of your request to the supervisory authority. The documentation is deleted three years after the completion of your request.

Your data may be shared with external service providers (e.g., IT services, call centers) for the implementation of your rights. If the data processing is based on a contract, these service providers are strictly required to follow our instructions under Article 28 GDPR. If necessary, your request may also be passed to our data protection officer.

In the case of a supervisory authority’s inspection, we are required to provide your data according to Article 6(1)(c) and Article 58 GDPR if the authority requests relevant evidence.