Privacy policy

With the following privacy policy, we would like to inform you about what types of your personal data (hereinafter also referred to as “data”) we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of the provision of our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offer”).

The terms used are not gender-specific.

Status: April 27, 2023

Responsible person:

THE CHOCOLATE ON THE PILLOW GROUP GMBH
PETER-HUPPERTZ-STR. 5
51063 COLOGNE

Persons authorized to represent the company:

CEO, Managing Partner: Erik Florvaag

Responsible for data protection:

dataprivacy@sits.com or datenschutz@cotp.group

E-mail address:

hello@cotp.group

Phone:

0221 / 955868-0

Imprint:

https://cotp.group

Overview of processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of data processed

  • Inventory data.
  • Contact details.
  • Content data.
  • Usage data.
  • Meta, communication and process data.

Categories of affected persons

  • Communication partner.
  • Users.

Purposes of the processing

  • Provision of contractual services and customer service.
  • Contact requests and communication.
  • Security measures.
  • Direct marketing.
  • Reach measurement.
  • Managing and responding to inquiries.
  • Feedback.
  • Profiles with user-related information.
  • Provision of our online services and user-friendliness.
  • Information technology infrastructure.

Relevant legal bases

Below you will find an overview of the legal bases of the GDPR on the basis of which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Should more specific legal bases also apply in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) – The data subject has given their consent to the processing of their personal data for one or more specific purposes.
  • Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Act on the Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). In particular, the BDSG contains special regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission as well as automated decision-making in individual cases, including profiling. It also regulates data processing for the purposes of the employment relationship (Section 26 BDSG), in particular with regard to the establishment, implementation or termination of employment relationships and the consent of employees. The data protection laws of the individual federal states may also apply.

Security measures

We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to, input and disclosure of the data, safeguarding its availability, and its separation. We have also established procedures that ensure the exercise of data subject rights, the deletion of data and responses to threats to data. Furthermore, we already take the protection of personal data into account during the development or selection of hardware, software and processes, in accordance with the principle of data protection through technology design and through data protection-friendly default settings.

TLS encryption (https): We use TLS encryption to protect your data transmitted via our online offering. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.

Transmission of personal data

As part of our processing of personal data, data may be transmitted to other bodies, companies, legally independent organizational units or persons or disclosed to them. The recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.

Data transfer within the organization: We may transfer personal data to other departments within our organization or grant them access to this data. If this transfer is for administrative purposes, the transfer of the data is based on our legitimate business and commercial interests or takes place if it is necessary to fulfill our contractual obligations or if the consent of the data subjects or a legal permission exists.

Deletion of data

The data processed by us will be deleted in accordance with the legal requirements as soon as the consents permitted for processing are revoked or other permissions cease to apply (e.g. if the purpose of processing this data no longer applies or it is not required for the purpose). If the data is not deleted because it is required for other and legally permissible purposes, its processing is restricted to these purposes. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise or defense of legal claims or to protect the rights of another natural or legal person.

Our data protection notices may also contain further information on the storage and deletion of data, which apply primarily to the respective processing.

Use of cookies

Cookies are small text files or other storage notes that store information on end devices and read information from the end devices, for example to store the login status in a user account, the contents of a shopping cart in an e-shop, the content accessed or the functions used in an online offering. Cookies can also be used for various purposes, e.g. to ensure the functionality, security and convenience of online services and to analyze visitor flows.

Notes on consent: We use cookies in accordance with the statutory provisions. We therefore obtain prior consent from users, unless this is not required by law. In particular, consent is not required if the storage and reading of information, including cookies, is absolutely necessary in order to provide the user with a telemedia service expressly requested by them (i.e. our online offer). Strictly necessary cookies generally include cookies with functions that serve the display and operability of the online service, load balancing, security, storage of user preferences and selection options or similar purposes related to the provision of the main and secondary functions of the online service requested by the user. The revocable consent is clearly communicated to the users and contains the information on the respective use of cookies.

Information on legal bases under data protection law: The legal basis under data protection law on which we process users’ personal data with the help of cookies depends on whether we ask users for their consent. If users consent, the legal basis for processing their data is the consent they have given. Otherwise, the data processed with the help of cookies is processed on the basis of our legitimate interests (e.g. in the business operation of our online offering and improving its usability) or, if this is done in the context of fulfilling our contractual obligations, if the use of cookies is necessary to fulfill our contractual obligations. We explain the purposes for which we process cookies in the course of this privacy policy or as part of our consent and processing procedures.

Storage period: With regard to the storage period, a distinction is made between the following types of cookies:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed their end device (e.g. browser or mobile application).
  • Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. The user data collected with the help of cookies can also be used to measure reach. If we do not provide users with explicit information on the type and storage duration of cookies (e.g. when obtaining consent), users should assume that cookies are permanent and can be stored for up to two years.

General information on revocation and objection (opt-out): Users can revoke the consents they have given at any time and also object to processing in accordance with the legal requirements in Art. 21 GDPR. Users can also declare their objection via their browser settings, e.g. by deactivating the use of cookies (although this may also limit the functionality of our online services). An objection to the use of cookies for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/

  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further information on processing operations, procedures and services:

  • Processing of cookie data on the basis of consent: We use a cookie consent management procedure in which the consent of users to the use of cookies or the processing and providers mentioned in the cookie consent management procedure can be obtained, managed and revoked by users. The declaration of consent is stored so that it does not have to be requested again and the consent can be proven in accordance with the legal obligation. Consent can be stored on the server and/or in a cookie (so-called opt-in cookie or with the help of comparable technologies) in order to be able to assign the consent to a user or their device. Subject to individual information on the providers of cookie management services, the following information applies: Consent may be stored for up to two years. A pseudonymous user identifier is created and stored with the time of consent, information on the scope of consent (e.g. which categories of cookies and/or service providers) as well as the browser, system and end device used; legal basis: consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Provision of the online offer and web hosting

We process users’ data in order to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or end device.

  • Processed data types: Usage data (e.g. websites visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status); content data (e.g. entries in online forms).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online offer and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures.
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures and services:

  • Provision of online offer on rented storage space: For the provision of our online offer, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also called “web host”); legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Collection of access data and log files: Access to our online offering is logged in the form of so-called “server log files”. The server log files may include the address and name of the web pages and files accessed, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files may be used for security purposes, e.g. to prevent server overload (especially in the event of abusive attacks, so-called DDoS attacks) and to ensure server capacity utilization and stability; legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further storage is required for evidentiary purposes is exempt from deletion until the respective incident has been finally clarified.
  • E-mail dispatch and hosting: The web hosting services we use also include the dispatch, receipt and storage of e-mails. For these purposes, the addresses of the recipients and senders as well as other information relating to the sending of e-mails (e.g. the providers involved) and the content of the respective e-mails are processed. The aforementioned data may also be processed for the purpose of detecting SPAM. Please note that e-mails on the Internet are generally not sent in encrypted form. As a rule, emails are encrypted in transit, but not on the servers from which they are sent and received (unless an end-to-end encryption method is used). We can therefore assume no responsibility for the transmission path of the emails between the sender and receipt on our server; legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Blogs and publication media

We use blogs or comparable means of online communication and publication (hereinafter “publication medium”). Readers’ data is only processed for the purposes of the publication medium to the extent necessary for its presentation and communication between authors and readers or for security reasons. In addition, we refer to the information on the processing of visitors to our publication medium in the context of this data protection notice.

  • Processed data types: Inventory data (e.g. names, addresses); Contact data (e.g. e-mail, telephone numbers); Content data (e.g. entries in online forms); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of contractual services and customer service; feedback (e.g. collecting feedback via online form); provision of our online services and user-friendliness.
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Contact and inquiry management

When contacting us (e.g. by post, contact form, email, telephone or via social media) and in the context of existing user and business relationships, the data of the inquiring persons are processed insofar as this is necessary to answer the contact inquiries and any requested measures.

  • Processed data types: Contact data (e.g. e-mail, telephone numbers); Content data (e.g. entries in online forms); Usage data (e.g. websites visited, interest in content, access times); Meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status).
  • Affected persons: Communication partner.
  • Purposes of processing: Contact requests and communication; managing and responding to requests; feedback (e.g. collecting feedback via online form); provision of our online services and user-friendliness.
  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further information on processing operations, procedures and services:

  • Contact form: If users contact us via our contact form, e-mail or other communication channels, we process the data provided to us in this context to process the communicated request; legal basis: contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • HubSpot: Customer management as well as process and sales support with personalized customer care with multi-channel communication, i.e. management of customer inquiries from different channels as well as with analysis and feedback functions; Service provider: HubSpot, Inc., 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.hubspot.de; Privacy Policy: https://legal.hubspot.com/de/privacy-policy; Data processing agreement: https://legal.hubspot.com/dpa; Standard contractual clauses (Safeguarding the level of data protection when processing data in third countries): https://legal.hubspot.com/dpa.

Created with free Datenschutz-Generator.de by Dr. Thomas Schwenke

[1] Data transfer to the USA

There is no adequate level of data protection for the transfer of personal data to the USA on the basis of a decision by the European Commission. Due to the powers of the US intelligence services and the legal situation in the USA, the requirements of the GDPR cannot be met:

  • Section 702 of the Foreign Intelligence Surveillance Act (FISA) provides no restrictions on the surveillance activities of the intelligence agencies and no safeguards for non-US citizens,
  • Presidential Policy Directive 28 (PPD-28) does not provide affected persons with effective legal remedies against measures taken by the US authorities and does not provide for any limits to ensure proportionate measures,
  • the ombudsman provided for in the Privacy Shield does not have sufficient independence from the executive; he cannot issue binding orders to the intelligence services.

Consequently, no effective legal remedies or an independent data protection supervisory authority are available in the event of access to your personal data by US authorities.

If your personal data is transferred to the USA, the loss of your own data sovereignty cannot be ruled out. As a result, the rights and freedoms of data subjects may be inadequately protected.

HubSpot Analytics

Type and scope of processing

We use HubSpot Analytics from HubSpot, Inc, 25 First Street, 2nd Floor, Cambridge, MA 02141 USA, as an analysis service for the statistical evaluation of our online offering. This includes, for example, the number of visits to our website, subpages visited and the length of stay of visitors. HubSpot Analytics uses cookies and other browser technologies to evaluate user behaviour and recognize users.

We have concluded an order processing contract with HubSpot in accordance with Art. 28 GDPR.

This information is used, among other things, to compile reports on website activity.

Purpose and legal basis

We process data with the help of HubSpot Analytics on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR, § 25 para. 1 TTDSG and Art. 49 para. 1 lit. a GDPR. You can revoke this consent at any time with effect for the future in the cookie banner.

Please note the risks associated with the transfer of your data to the USA mentioned in section [1].

HubSpot Chat

Type and scope of processing

We have integrated components of the HubSpot Chat customer communication platform on our website. HubSpot Chat is a service of HubSpot, Inc, 25 First Street, 2nd Floor, Cambridge, MA 02141 USA and offers us the opportunity to communicate with visitors to our website via chat and to provide targeted help with questions. HubSpot Chat uses cookies and other browser technologies to evaluate user behaviour and recognize users. Furthermore, HubSpot Chat is used to store and transmit data entered in chats using cookies, including your IP address. In this case, your data will be passed on to the operator of HubSpot Chat.

We have concluded an order processing contract with HubSpot in accordance with Art. 28 GDPR.

Purpose and legal basis

The use of HubSpot Chat is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR, § 25 para. 1 TTDSG and Art. 49 para. 1 lit. a GDPR. You can revoke this at any time with effect for the future in the cookie banner.

Please note the risks associated with the transfer of your data to the USA mentioned in section [1].

HubSpot CDN

Type and scope of processing

We use HubSpot CDN to properly provide the content of our website. HubSpot CDN is a service of HubSpot, Inc, 25 First Street, 2nd Floor, Cambridge, MA 02141 USA, which acts as a content delivery network (CDN) on our website to ensure the functionality of other HubSpot services. You will find a separate section in this privacy policy for these services. This section only deals with the use of the CDN.

We have concluded an order processing contract with HubSpot in accordance with Art. 28 GDPR.

A CDN helps to provide the content of our online offering, in particular files such as graphics or scripts, more quickly with the help of regionally or internationally distributed servers. When you access this content, you establish a connection to HubSpot’s servers, whereby your IP address and possibly browser data such as your user agent are transmitted. This data is processed exclusively for the above-mentioned purposes and to maintain the security and functionality of HubSpot CDN.

Purpose and legal basis

The use of HubSpot Chat is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and Art. 49 para. 1 lit. a GDPR. You can revoke this at any time with effect for the future in the cookie banner.

Please note the risks associated with the transfer of your data to the USA mentioned in section [1].

HubSpot Pixel

Type and scope of processing

We use HubSpot Pixel from HubSpot, Inc, 25 First Street, 2nd Floor, Cambridge, MA 02141 USA, to create so-called Custom Audiences, i.e. to segment visitor groups of our online offer, determine conversion rates and subsequently optimize them. This happens in particular when you interact with advertisements that we have placed with HubSpot.

We have concluded an order processing contract with HubSpot in accordance with Art. 28 GDPR.

Purpose and legal basis

We process your data with the help of HubSpot Pixel on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR and Art. 49 para. 1 lit. a GDPR. You can revoke this at any time with effect for the future in the cookie banner.

Please note the risks associated with the transfer of your data to the USA mentioned in section [1].

HubSpot LeadFlow

Type and scope of processing

We have integrated HubSpot LeadFlow on our website. HubSpot LeadFlow is a service of HubSpot, Inc, 25 First Street, 2nd Floor, Cambridge, MA 02141 USA, which identifies anonymous website visitors, provides full contact details and insights into the visit history.

We have concluded an order processing contract with HubSpot in accordance with Art. 28 GDPR.

HubSpot LeadFlow uses cookies and other browser technologies to evaluate user behavior and recognize users.

Among other things, HubSpot LeadFlow shows us which companies have visited our website, determines the history of your visit, including all the pages you have visited and viewed and the length of your stay on this website.

HubSpot LeadFlow collects and processes data about companies such as company name, phone number, address, web address, industry, company profile, turnover and key people on LinkedIn.

Purpose and legal basis

We process your data with the help of HubSpot LeadFlow on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR, § 25 para. 1 TTDSG and Art. 49 para. 1 lit. a GDPR. You can revoke this consent at any time with effect for the future in the cookie banner.

Please note the risks associated with the transfer of your data to the USA mentioned in section [1].

Newsletter

Type and scope of processing

When sending our electronic newsletter, to which you can subscribe, we process the data you enter. Mandatory fields are marked with an *.

We process your e-mail address in order to contact you for the purpose of sending you our electronic newsletter, to inform you about current events and, if applicable, current developments and to maintain our contractual relationship with you. In addition, we use this data for advertising communications by e-mail and, if we have received your e-mail address in connection with our products and services, for advertising measures about our own similar products and services.

We use the service provider HubSpot, Inc, 25 First Street, 2nd Floor, Cambridge, MA 02141 USA for the newsletter. We have concluded an order processing contract with HubSpot in accordance with Art. 28 GDPR.

The so-called web beacon, which is included in all newsletters, is a pixel-sized file that is automatically retrieved from the HubSpot server when the newsletter is opened. This retrieval generates technical information, e.g. about the browser and system, your IP address and the time of retrieval. This information is used for technical service optimization on the basis of the technical data, or of the target groups and your reading behavior based on the retrieval locations (which can be determined with the help of the IP address) or the access times. The statistical survey also includes information on whether and when the newsletters are opened and which links are clicked. It is therefore possible to assign this information to individual newsletter recipients. However, it is neither our intention nor that of the service provider to monitor individual users in this way. Our sole purpose is to learn more about the reading habits of our users and to adapt our content accordingly or to publish different content in line with their interests.

Legal basis

The consent of the recipients pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR, Art. 49 para. 1 sentence 1 lit. a GDPR, Art. 7 GDPR in conjunction with Section 7 para. 2 no. 3 UWG or on the basis of the legal permission pursuant to Section 7 para. 3 UWG is a basic prerequisite for our newsletter dispatch and its tracking.

You can revoke your consent at any time by clicking on the link provided in every newsletter e-mail or by contacting us.

The registration procedure for our newsletter is called double opt-in. This means that you will receive an e-mail from us immediately after registering for the newsletter, in which we ask you to confirm your registration once again. In this way, we ensure that only people who actually have access to the e-mail address listed register for the newsletter. Newsletter registrations, including the storage of the time of registration and confirmation and your IP address, are logged by us as proof that the registration process complies with legal requirements. Changes to your stored data with the newsletter service provider are also recorded in the log.

Please note the risks associated with the transfer of your data to the USA mentioned in section [1].

 
