Privacy Policy

General

The following gives a simple overview of what happens to your personal information when you visit our website. Personal information is any data with which you could be personally identified. Detailed information on the subject of data protection can be found in our privacy policy below.

1. Name and address of the responsible person

Your contact person in terms of the European Data Protection Regulation (EU-DSGVO) and other national data protection laws of the member states as well as other data protection regulations is:

THERME Badwörishofen GmbH
Spa avenue 1
86825 Bad Wörishofen
Phone: +49 (0)8247 / 399 300
E-mail: info@therme-badwoerishofen.de
(hereinafter referred to as “we” or “our”)

2. Name and address of the data protection officer

The protection of your personal data is of great importance to us. In order to express this importance, we have commissioned a consulting firm specializing in data protection and data security to take on these central issues. We are advised by:

actago GmbH
Maximilian Nuss
Straubinger Street 7
94405 Landau on the Isar

E-mail: datenschutz@therme-badwoerishofen.de

3 General information on data processing

3.1 Scope of the processing of personal data
As a matter of principle, we process your personal data only insofar as this is necessary for the performance of our services. Your personal data is regularly processed only on the basis of your consent. An exception applies in those cases where obtaining prior consent is not possible for actual reasons or the processing of your personal data is permitted by law.

3.2 Legal basis for the processing of personal data
Insofar as we obtain consent from you for the processing of personal data, Art. 6 (1) lit. a EU-DSGVO serves as our legal basis.
When processing personal data that is necessary for the performance of a contract between you and us, Art. 6 (1) lit. b EU-DSGVO serves as our legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.
Insofar as processing of personal data is necessary for compliance with a legal obligation to which we are subject, Art. 6 (1) c EU-DSGVO serves as the legal basis for us.
In the event that vital interests of you or another natural person make processing of personal data necessary, Art. 6 (1) (d) EU-DSGVO serves as our legal basis.
If the processing is necessary to protect a legitimate interest of us or a third party and your interests, fundamental rights and freedoms do not outweigh the former interest, then Art. 6 (1) lit. f EU-DSGVO serves us as the legal basis for the processing.

3.3 Data deletion and storage period
Your personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may take place beyond this if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which we are subject. Data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.

4 Provision of the website and creation of log files

4.1 Description and scope of data processing
Each time our website is called up, our system automatically collects data and information from the computer system of the calling computer. The following data is collected in this process:
– Information about the browser type and the version used.
– The operating system of the user
– The user’s Internet service provider
– The IP address of the user
– Date and time of access
– Time zone difference/HTTP status code
– The amount of data transferred in each case
– Websites from which the user’s system accesses our website
– Websites that are accessed by the user’s system via our website

This data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

4.2 Legal basis for data processing
The legal basis for the processing of your personal data in the context of providing the website and creating log files is Art. 6 (1) lit. f EU-DSGVO.

4.3 Purpose of data processing
The temporary storage of your personal data by us is necessary to enable delivery of the website to your computer. For this purpose, your personal data must be stored for the duration of the session.
The storage of your personal data in log files is done to ensure the functionality of the website. In addition, we use your personal data to optimize the website and to ensure the security of our information technology systems. An evaluation of your personal data for marketing purposes does not take place in this context.
These purposes are also our legitimate interest in data processing according to Art. 6 Para. 1 lit. f EU-DSGVO.

4.4 Duration of storage
Your personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case of the collection of your personal data for the provision of the website, this is the case as soon as the respective session has ended.
In the case of storage of your personal data in log files, these are deleted after seven days at the latest. Storage beyond this period is possible. In this case, your personal data will be deleted or obfuscated so that the calling client can no longer be identified.

4.5 Possibilities of objection and removal
The collection of your personal data to provide the website and the storage of your personal data in log files is mandatory for the operation of the website. Consequently, there is no possibility for you to object.

5. Use of cookies

When you access this website, we store cookies (small files) on your device. These have a validity of:

Name: storage period
– borlabs-cookie: 1 year
– _ga: 2 years
– _gat: 2 years
– _gid: 2 years
– NID (Google Maps): 6 months
– vuid: 2 years
– NID (Youtube): 6 months

We use these to improve the use of the site and provide more features to visitors. Most browsers are set to accept the use of cookies, but this feature can be turned off by you for the current session or permanently by setting the internet browser.

6. Newsletter

6.1 Description and scope of data processing
Our website offers a newsletter in which we inform you about current events and offers. If you would like to subscribe to the newsletter, you must provide a valid e-mail address. If you subscribe to the newsletter, you agree to receive the newsletter and the explained procedures.
The newsletter dispatch is carried out by CleverReach, a dispatch platform of CleverReach GmbH & Co. KG, //CRASH Building, Schafjückenweg 2, 26180 Rastede, Germany. Information about the privacy policy of the shipping service provider is available at:
https://www.cleverreach.com/

6.2 Legal basis for data processing
The legal basis for the processing of your personal data within the scope of the newsletter dispatch is Art. 6 para. 1 lit. a EU-DSGVO if consent has been given or as a result of the sale of goods or services the legal permission of § 7 para. 3 UWG.

6.3 Purpose of data processing
The purpose of collecting your personal data is to send the newsletter to you. The purpose of processing your personal data in the context of sending the newsletter is to promote the sale of goods or services.

6.4 Duration of storage
Your personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. Accordingly, your personal data will be stored as long as the subscription to the newsletter is active.

6.5 Possibility of objection and removal
You can cancel your subscription to the newsletter at any time. For this purpose, you will find a corresponding link in each newsletter. Cancellation of the subscription also enables revocation of consent.

8. Contacting by e-mail

8.1 Description and scope of data processing
It is possible to contact us via the e-mail address provided. In this case, your personal data transmitted with the e-mail will be stored. In this context, the data will not be passed on to third parties. The data is used exclusively for processing the conversation.

8.2 Legal basis
The legal basis for the processing of your personal data transmitted in the event of contact being made by e-mail is Art. 6 (1) lit. f EU-DSGVO. If the purpose of contacting you via the contact form or by e-mail is to conclude a contract, Art. 6 (1) lit. b EU-DSGVO is an additional legal basis for the processing.

8.3 Purpose of data processing
The processing of your personal data in the event of contact by e-mail serves us solely to process the contact.

8.4 Duration of storage
Your personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected.
For personal data sent by e-mail, this is the case when the conversation has ended. The conversation is ended when the circumstances indicate that the matter in question has been conclusively clarified.
The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.

8.5 Possibilities of objection and removal
You have the option at any time to object, with effect for the future, to the processing of your personal data in the context of contacting us by e-mail. In such a case, the conversation between you and us cannot be continued. All personal data stored in the course of contacting you will be deleted in this case.

9. Web tracking and web analysis by Google Analytics

9.1 Handling of processing
This website uses Google Analytics, the web analysis service of Google Inc. (hereinafter “Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. In the event that IP anonymization is activated on this website, however, your IP address will be truncated beforehand by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data from Google.
You can also prevent the data generated by the cookie and related to your use of the website (including your IP address) from being transmitted to Google, and the processing of this data by Google, by downloading and installing the available browser plugin.
You can prevent the collection by Google Analytics by clicking on the following link. An opt-out cookie will be set, which will prevent the future collection of your data when visiting this website:
– Disable Google Analytics
For more information, see Google Terms of Use and Google Privacy Policy.

9.2 Legal basis for data processing
The legal basis for the processing of your personal data is Art. 6 para. 1 lit. f EU-DSGVO.

9.3 Purpose of data processing
The processing of your personal data enables us to analyze your surfing behavior. By evaluating the data obtained, we are able to compile information about the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness. These purposes are also our legitimate interest in processing your personal data according to Art. 6 para. 1 lit. f EU-DSGVO. By anonymizing your IP address, your interest in the protection of personal data is sufficiently taken into account.

9.4 Duration of storage
Your personal data will be deleted as soon as they are no longer required for our aforementioned purposes.

9.5 Opt-out options
Users of this website who do not want their data to be collected by Google Analytics can install the browser add-on to disable Google Analytics. This add-on instructs Google Analytics JavaScript (ga.js, analytics.js and dc.js) running on websites not to allow information to be sent to Google Analytics.
If you want to disable Google Analytics, visit this page and install the Google Analytics disable add-on for your browser. For detailed information on installing and uninstalling the add-on, see the relevant help resources for your browser.
Browser and operating system updates may cause the opt-out add-on to stop working as intended. For more information on managing add-ons for Chrome, click here. If you’re not using Chrome, check directly with your browser manufacturer to see if add-ons work properly in the browser version you’re using.
The latest versions of Internet Explorer occasionally load the Google Analytics disable add-on after sending data to Google Analytics. Therefore, if you use Internet Explorer, the add-on will install cookies on your computer. These cookies ensure that any data collected is immediately deleted from the server that collected the data. Make sure that third-party cookies are not disabled for Internet Explorer. If you delete your cookies, the add-on will reset these cookies within a short period of time to ensure that your Google Analytics browser add-on continues to work without restrictions.
The Google Analytics opt-out browser add-on does not prevent data from being sent to the website or other web analytics services.
More information on terms of use and data protection can be found at
www.google.com/analytics/terms/de.html or at
support.google.com/analytics/answer/6004245
IP anonymization is activated on this website.

10 Google Web Fonts

For the uniform display of fonts, this website can use the so-called Google Web Fonts.
When using these fonts, your browser downloads the required fonts from our website system. These are then temporarily stored in the so-called browser cache in order to display the fonts correctly.
During this process, your browser does not establish a connection to Google’s servers. This ensures that Google does not gain knowledge of your call or your IP address.

11. Use of 360 Grad Team

On the website, we use the application 360 Grad Team, which is provided by 360 Grad Team GmbH, located in August-Bebel-Straße 16, 09376 Oelsnitz/Erzgeb.
The application offers the possibility to provide 360-degree images of different areas of the Therme on the website to give website users a better insight into the different areas of the Therme.
In the process, personal data such as the IP address is transferred to 360 Grad GmbH.
This is done on the basis of a legitimate interest according to Art. 6 para. 1 lit. f DSGVO.

12 Google Tag Manager

We use “Google Tag Manager” on our website, a service provided by Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland (hereinafter referred to as “Google”). Google Tag Manager allows us as marketers to manage website tags through one interface. The Google Tag Manager tool that implements the tags is a cookie-less domain and does not itself collect any personal data. Google Tag Manager takes care of triggering other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, this remains in place for all tracking tags implemented with Google Tag Manager.
Information of the third-party provider: Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland.
Further information on data protection can be found on the following Google web pages:
– Privacy Policy: https://policies.google.com/privacy?hl=de&gl=de
– FAQ Google Tag Manager: https://www.google.com/intl/de/tagmanager/faq.html
– Google Tag Manager Terms of Service: https://www.google.com/intl/de/tagmanager/use-policy.html

13 Google Maps

This site uses the map service Google Maps via an API. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
To use the functions of Google Maps, it is necessary to store your IP address. This information is usually transferred to a Google server in the USA and stored there. The provider of this site has no influence on this data transmission.
The use of Google Maps is in the interest of an appealing presentation of our online offers and an easy location of the places indicated by us on the website.
Google Maps is only used on the basis of consent in accordance with Art. 6 Para. 1 lit. a DSGVO.
More information on the handling of user data can be found in Google’s privacy policy: https://www.google.de/intl/de/policies/privacy/.

14. Presence on Facebook

To enhance our Internet presence, we offer a Facebook page. This is a service of Facebook Ireland Ltd, 4 Grand Canal Square Grand Canal Harbour, Dublin 2, Ireland.
We would like to point out that you use this Facebook page and its functions on your own responsibility. This applies in particular to the use of the interactive functions (e.g. commenting, sharing, rating).
When you visit our Facebook page, Facebook collects, among other things, your IP address and other information that is present on your PC in the form of cookies. This information is used to provide us, as operators of the Facebook pages, with statistical information about the use of the Facebook page. Facebook provides more detailed information on this at the following link: https://de-de.facebook.com/help/pages/insights .
The data collected about you in this context is processed by Facebook Ltd. and may be transferred to countries outside the European Union in the process. Facebook describes in general terms what information it receives and how it is used in its data usage guidelines. There you will also find information on how to contact Facebook and on the settings options for advertisements. The data usage guidelines are available at the following link:
https://de-de.facebook.com/about/privacy
Facebook’s full data policies can be found here:
https://de-de.facebook.com/help/568137493302217
In what way Facebook uses data from visits to Facebook pages for its own purposes, to what extent activities on the Facebook page are assigned to individual users, how long Facebook stores this data and whether data from a visit to the Facebook page is passed on to third parties, is not conclusively and clearly stated by Facebook and is not known to us.
When you access a Facebook page, the IP address assigned to your terminal device is transmitted to Facebook. According to Facebook, this IP address is anonymized (for “German” IP addresses) and deleted after 90 days. Facebook also stores information about the end devices of its users (e.g. as part of the “login notification” function); this may enable Facebook to assign IP addresses to individual users.
If you are currently logged in to Facebook as a user, a cookie with your Facebook ID is located on your end device. This enables Facebook to track that you have visited this page and how you have used it. This also applies to all other Facebook pages. Via Facebook buttons embedded in websites, it is possible for Facebook to record your visits to these website pages and assign them to your Facebook profile. Based on this data, content or advertising can be offered tailored to you.
If you want to avoid this, you should log out of Facebook or deactivate the “stay logged in” function, delete the cookies present on your device and exit and restart your browser. In this way, Facebook information through which you can be directly identified will be deleted. This will allow you to use our Facebook page without revealing your Facebook identifier. When you access interactive features of the page (like, comment, share, message, etc.), a Facebook login screen will appear. After any login, you will again be recognizable to Facebook as a specific user.
Information on how to manage or delete information about you can be found on the following Facebook support pages: https://de-de.facebook.com/about/privacy#.
As the provider of the information service, we also collect and process the following data from your use of our service: publicly viewable data from the user profile of the person concerned. This includes, for example, the user name, profile picture, content of comments written on our posts.
You can also find more information about Facebook and other social networks and how to protect your data at www.youngdata.de.

15. Presence on Instagram

To extend our internet presence, we offer an Instagram page. This is a service of Facebook Ireland Ltd, 4 Grand Canal Square Grand Canal Harbour, Dublin 2, Ireland.
We would like to point out that you use this Instagram page and its functions on your own responsibility. This applies in particular to the use of the interactive functions (e.g. commenting, sharing, rating).
When you visit our Instagram page, Instagram collects, among other things, your IP address and other information that is present in the form of cookies on your PC. This information is used to provide us, as operators of the Facebook pages, with statistical information about the use of the Facebook page. Facebook provides more detailed information on this at the following link: https://help.instagram.com/1896641480634370?ref=ig.
The data collected about you in this context is processed by Facebook Ltd. and may be transferred to countries outside the European Union in the process. Instagram describes in general terms what information it receives and how it is used in its data usage guidelines. There you will also find information on how to contact Instagram and on the settings options for advertisements. The data policies are available at the following link:
https://help.instagram.com/519522125107875/?helpref=hc_fnav&bc[0]=Instagram-Hilfebereich&bc[1]=Privatsph%C3%A4re%20und%20Sicherheit
In what way Instagram uses data from visits to Instagram pages for its own purposes, to what extent activities on the Facebook page are assigned to individual users, how long Facebook stores this data and whether data from a visit to the Instagram page is passed on to third parties, is not conclusively and clearly stated by Facebook and is not known to us.
When accessing an Instagram page, the IP address assigned to your end device is transmitted to Instagram. According to Facebook, this IP address is anonymized (for “German” IP addresses) and deleted after 90 days. Instagram also stores information about the end devices of its users (e.g. as part of the “login notification” function); if necessary, this enables Facebook to assign IP addresses to individual users.
If you are currently logged in to Instagram as a user, a cookie with your Instagram ID is located on your end device. This enables Instagram to track that you have visited this page and how you have used it. This also applies to all other Instagram pages.
If you want to avoid this, you should log out of Instagram or disable the “stay logged in” feature, delete the cookies present on your device, and exit and restart your browser. In this way, Instagram information through which you can be directly identified will be deleted. This allows you to use our Instagram page without revealing your Instagram identifier. When you access interactive features of the site (like, comment, share, message, etc.), an Instagram login screen will appear. After any login, you will again be recognizable to Instagram as a specific user.
You can find information on how to manage or delete information about you on the following Facebook support pages: https://help.instagram.com/519522125107875/?helpref=hc_fnav&bc[0]=Instagram-Hilfebereich&bc[1]=Privatsph%C3%A4re%20und%20Sicherheit
As the provider of the information service, we also collect and process the following data from your use of our service: publicly viewable data from the user profile of the person concerned. This includes, for example, the user name, profile picture, content of comments written on our posts.
For more information on Instagram and other social networks and how you can protect your data, please also visit www.youngdata.de.

16. Use of Twitter social plugins

Our website uses social plugins (“plugins”) of the social network Twitter, which is operated by Twitter Inc, 795 Folsom St. Suite 600, San Francisco, CA 94107, USA (“Twitter”).
By using Twitter and the “retweet” function, the websites you visit are linked to your Twitter account and made known to other users. In the process, data is also transmitted to Twitter.
We have no knowledge of the content of the transmitted data or its use by Twitter. The purpose and scope of the data collection and the further processing and use of the data by Twitter, as well as your rights in this regard and setting options for protecting your privacy, can be found in the privacy policy of Twitter: https://twitter.com/privacy?lang=de.

17 Use of Pinterest plugins

Our website uses plugins of the Pinterest network, which is operated by Pinterest Inc, 808 Brannan St, San Francisco, CA 94103, USA (“Pinterest”).
By visiting our website with the embedded “Pin it” button, Pinterest receives the information that you have accessed the corresponding page of our website. If you are logged into Pinterest during your visit to our website, Pinterest can assign your visit to your Pinterest account. If you click the “Pin it” button, the transmitted data will be stored by Pinterest. If you do not want this, you must log out of Pinterest before visiting our website.
For the purpose and scope of the data collection and the further processing and use of the data by Pinterest, as well as your rights in this regard and setting options for protecting your privacy, please refer to the Pinterest data protection information: https://about.pinterest.com/de/privacy-policy-0

18. Data processing when using our online store

18.1 Description and scope of data processing
Purchase in the online store
When you make purchases in the online store, the following personal data may be collected from you, processed and used to process your order:

– Name
– First name
– Title
– Billing and delivery address
– e-mail address
– Telephone (optional)
– Customer number
– payment method
(“customer master data”).
Your data is encrypted during transmission to us in accordance with the latest technical security standards, using so-called SSL 256bit encryption (SSL = Secure Socket Layer). The security certificate used is issued by one of the world market leaders, COMODO CA Limited or Thawte.
In order to ensure the best possible support for our customers, we pass on their personal data to other companies, which we have appointed as order processors, within the scope of what is legally permissible, exclusively for the proper fulfillment of the contract and only to the extent necessary for this purpose, and ensure that your data is only processed according to our instructions.

Credit assessment
Credit checks help us to prevent problems in payment transactions. They ensure the protection of our company against financial risks, which can also affect sales prices in the medium to long term. A credit check is always necessary if we are to send goods without receiving the respective purchase price at the same time, e.g. in the case of a purchase on account. Without carrying out a credit check, only the prepayment option is possible (Sofortüberweisung, Paypal, credit card).
For credit assessment, we transmit, for example, your name and address to the following service providers:

SCHUFA Holding AG
Kormoranweg 5
65201 Wiesbaden

Infoscore Consumer Data GmbH
Rheinstrasse 99
76532 Baden-Baden

CRIF Bürgel GmbH
P.O. Box 500 166
22701 Hamburg

The transfer of data to the above-mentioned credit agencies takes place exclusively within the scope of what is legally permissible and for the analysis of your previous payment behavior as well as for the assessment of the risk of non-payment on the basis of mathematical-statistical procedures using address data as well as for the verification of your address (check of deliverability). Depending on the results of the credit check, we may no longer be able to offer you individual payment methods, such as purchase on account.

Prevention of abuse
When you visit our online store, an automated check is performed to determine whether there are any indications of misuse of our online store. This is done by means of the data for the purchase contract processing (e.g. object of purchase, name, postal address, e-mail address, delivery address, payment method). If there is a suspicion of misuse, a member of our team checks the underlying indications. If a contract is rejected, we will inform you of this on request. In this case, you can make your point of view known at info@therme-badwoerishofen.de. The decision will then be reviewed again by a member of our team.

Payment methods
In the context of payment in our online store, we collect certain personal data from you in order to process the payment transaction.
In addition to the purchase on account, where we send an invoice to your specified contact address, we offer various other payment methods to make shopping in our online store as convenient as possible. These include, among others, the following services:

Paypal:
When paying via PayPal, credit card via PayPal, direct debit via PayPal or – if offered – “purchase on account” via PayPal, we pass on your payment data to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter “PayPal”) as part of the payment processing.
PayPal reserves the right to conduct a credit check for the payment methods credit card via PayPal, direct debit via PayPal or – if offered – “purchase on account” via PayPal. PayPal uses the result of the credit check with regard to the statistical probability of non-payment for the purpose of deciding on the provision of the respective payment method.
The credit report may contain probability values (so-called score values). Insofar as score values are included in the result of the credit report, they have their basis in a scientifically recognized mathematical-statistical procedure. Among other things, address data is included in the calculation of the score values. For further data protection information, including information on the credit agencies used, please refer to the privacy policy of PayPal: https://www.paypal.com/de/webapps/mpp/ua/privacy-full is required for the provision of certain content and services on our website.

Sofortüberweisung:
On our website, we offer, among other things, payment by “Sofortüberweisung”. The provider of this payment service is Sofort GmbH, Theresienhöhe 12, 80339 Munich, Germany (hereinafter “Sofort GmbH”).
With the help of the “Sofortüberweisung” procedure, we receive a payment confirmation from Sofort GmbH in real time and can immediately begin to fulfill our obligations.
If you have chosen the payment method “Sofortüberweisung”, you transmit the PIN and a valid TAN to Sofort GmbH, with which it can log into your online banking account. After logging in, Sofort GmbH automatically checks your account balance and carries out the transfer to us using the TAN you have transmitted. It then immediately sends us a transaction confirmation. After logging in, it also automatically checks your turnover, the credit line of the overdraft facility and the existence of other accounts and their balances.
In addition to the PIN and the TAN, the payment data you have entered as well as data about yourself are also transmitted to Sofort GmbH. Your personal data includes your first and last name, address, telephone number(s), email address, IP address and, if necessary, other data required for payment processing. The transmission of this data is necessary to establish your identity beyond doubt and to prevent fraud attempts.
The transmission of your data to Sofort GmbH is based on Art. 6 para. 1 lit. a DSGVO (consent) and Art. 6 para. 1 lit. b DSGVO (processing for the performance of a contract). You have the option to revoke your consent to data processing at any time. A revocation does not affect the effectiveness of past data processing operations.
For details on payment by Sofortüberweisung, please refer to the following links: https://www.sofort.de/datenschutz.html and https://www.klarna.com/sofort/.

Payment by credit card:
Furthermore, you can also make your payments by credit card. In this case, we transmit your data to Wirecard AG, which, as a service provider, matches your payment data with the respective credit institutions (Visa, Mastercard, etc.). Your credit card will be charged via a Wirecard AG payment form. Wirecard AG is one of the world’s leading independent providers of outsourcing and white label solutions for electronic payment transactions. Wirecard complies with the PCI security standard so that you can pay securely online: https://www.wirecard.de/produkte/zahlungsmethoden/kreditkartenzahlung/
When paying by credit card, the following data is processed:
– Card type (American Express, Mastercard or VISA)
– Name of the cardholder
– Card number
– Check digit
– Validity period

Amazon Payment:
When paying via Amazon Pay, we share your payment data primarily with Amazon Payments Europe s.c.a., and secondarily with Amazon EU SARL, Amazon Services Europe SARL and Amazon Media EU SARL, all three located at 5, Rue Plaetis L 2338 Luxembourg (hereinafter “Amazon Payments”), as part of the payment processing.
Amazon Payments reserves the right to conduct a credit check. Amazon Payments uses the result of the credit check with regard to the statistical probability of non-payment for the purpose of deciding on the provision of the respective payment method.
The credit report may contain probability values (so-called score values). Insofar as score values are included in the result of the credit report, they have their basis in a scientifically recognized mathematical-statistical procedure. Among other things, address data is included in the calculation of the score values.
In addition, Amazon Payments is entitled to disclose your data to unnamed third parties (banks, e-service providers, service partners, but also auditors, analysis services, credit agencies, marketing partners, cloud service providers, retargeting providers, affiliated companies), among others.
For further data protection information, including on the credit agencies used, please refer to the Amazon Payments privacy policy: https://pay.amazon.com/de/help/201751600

Tracking:
After placing an order via our online store, you will receive status notifications from the respective shipping company regarding your delivery for the purpose of package notification. For this purpose, we pass on your e-mail address – depending on which shipping method you have chosen – to DPD Deutschland GmbH, SalesServiceCenter, Gutenstetter Str. 8b, 90449 Nuremberg or TNT Express GmbH, Einsteinring 24-26, 86368 Gersthofen, which are legally bound to data protection. If you do not agree to this, simply send an e-mail to the following address: info@therme-badwoerishofen.de.

18.2 Legal basis for data processing
The legal basis for the processing of your data in the context of the purchase and purchase initiation in our online store is Art. 6 (1) lit. b DSGVO.
The legal basis for the transmission of your data for credit assessment is Art. 6 para. 1 lit. b and f DSGVO. Transmissions on the basis of these provisions may only take place insofar as this is necessary to safeguard the legitimate interests of our company or third parties and does not outweigh the interests of the fundamental rights and freedoms of the persons concerned, which require the protection of personal data. Detailed information on Infoscore Consumer Data GmbH within the meaning of Art. 14 DSGVO, i.e. information on the business purpose, on purposes of data storage, on data recipients, on the right to self-disclosure, on the right to erasure and rectification, etc. can be found at the following link: https://finance.arvato.com/icdinfoblatt.
The legal basis for abuse detection and prevention is also Art. 6 para. 1 lit. b and f DSGVO.
The legal basis for the transfer of your data to external payment service providers is Art. 6 para. 1 lit. a and b DSGVO.
The legal basis for shipment tracking is Art. 6 para. 1 lit. b DSGVO.

18.3 Purpose of data processing
We use your personal data, which we receive within your use of our online store, for the initiation and processing of purchase contracts concluded via the online store as well as for customer service and advice. In addition, we also use your personal data to enforce rights arising from the purchase contracts concluded or initiated with you.
The purpose of the credit check is to avoid and minimize payment defaults and corresponding risks. Since creditworthiness checks are only carried out when we make advance payments for the shipment of goods without receiving a corresponding means of security (e.g. in the case of purchase on account), we have a legitimate interest in processing the data.
The same purposes also apply to abuse detection and prevention.
The processing of your data in the context of the payment process takes place in order to carry out the payment method you have selected.
The transfer of your e-mail address to postal service providers is done with the purpose of informing you about the status of your shipment so that you can plan when the package will arrive at the shipping address.

 

18.4 Duration of storage
In principle, we process and store your data for the duration of our contractual relationship. This also includes the initiation of a contract (pre-contractual legal relationship).
In addition, we are subject to various storage and documentation obligations, which result, among other things, from the German Commercial Code (HGB) and the German Fiscal Code (AO).
The periods specified there for storage and documentation are up to ten years beyond the end of the contractual relationship or the pre-contractual legal relationship.
Furthermore, special statutory provisions may require a longer retention period, such as the preservation of evidence within the scope of statutory limitation provisions. According to §§ 195 ff. of the German Civil Code (BGB), the regular limitation period is three years, but limitation periods of up to 30 years may also be applicable.
If the data are no longer required for the fulfillment of contractual or legal obligations and rights, they are regularly deleted, unless their – temporary – further processing is necessary for the fulfillment of the purposes listed above for an overriding legitimate interest of the employer.
In the context of payment by credit card, we store the following data for the named periods in each case if you have consented to the storage when selecting the payment method “credit card”:
– PKN pseudo card number: This ID remains stored for 36 months.
– Cardholder name: We store this value for 12 months
– Validity period: Stored for 12 months

19 Direct marketing

19.1 Description and scope of data processing
Our company processes personal data such as address and name in order to send you advertising by mail and thereby increase sales of goods or services.

19.2 Legal basis for data processing
The legal basis for the processing of your personal data in the context of direct marketing by mail is Art. 6 (1) lit. f EU-DSGVO.

19.3 Purpose of data processing
The purpose of processing your personal data in the context of direct marketing by mail is to promote the sale of goods or services. This purpose is our legitimate interest in data processing according to Art. 6 (1) lit. f EU-DSGVO.

19.4 Duration of storage
Your personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected; this is the case in particular upon receipt of the objection.

19.5 Possibilities of objection and elimination
You may object to the processing of your personal data in the context of direct marketing by mail at any time for the future.

20 Legal defense and enforcement

20.1 Description and scope of data processing
Our company aims to protect itself from unjustified claims by means of legal defense. We also enforce claims and rights to which we are entitled.
For this purpose, it is necessary to process personal data.
These consist of the legally relevant data of the data subjects.

20.2 Purpose of data processing
The purpose of processing your personal data in the context of legal defense and enforcement is the defense against unjustified claims and the legal enforcement of claims and rights. In this purpose lies our legitimate interest in data processing according to Art. 6 para. 1 lit. f EU-DSGVO.

20.3 Duration of storage
Your personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected.

20.4 Possibilities of objection and elimination
The processing of your personal data in the context of legal defense and enforcement is mandatory for legal defense and enforcement. Consequently, there is no possibility for you to object.

21. Categories of recipients
Within our company, those offices and departments receive personal data that need it to fulfill the aforementioned purposes. In addition, we sometimes use different service providers and transmit your personal data to other trustworthy recipients. These may be, for example:

– Banks
– Scanning service
– Printing houses
– Lettershops
– IT service providers
– Lawyers and courts

22. Rights of the data subjects

22.1 Right to information
In accordance with Art. 15 EU-DSGVO, you may request confirmation from the controller as to whether personal data concerning you is being processed by us.
If such processing is taking place, you may request information from the controller pursuant to Art. 15 (1) EU-DSGVO about the following information:
– the purposes for which the personal data are processed
– the categories of personal data which are processed
– the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed
– the planned duration of the storage of the personal data concerning you or, if concrete information on this is not possible, criteria for determining the storage duration
– the existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by us or a right to object to such processing
– the existence of a right of appeal to a supervisory authority
– any available information about the origin of the data, if the personal data is not collected from the data subject
– the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) EU GDPR and – at least in these cases – meaningful information about the logic involved and the scope and intended effects of such processing for you.
You have the right to request information about whether the personal data concerning you is transferred to a third country or to an international organization. If this data is transferred to a third country or to an international organization, you have the right to be informed about the appropriate safeguards pursuant to Art. 46 EU-DSGVO in connection with the transfer (Art. 15 (2) EU-DSGVO).

22.2 Right to rectification
Based on Art. 16 EU-DSGVO, you have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you are inaccurate or incomplete. We shall carry out the rectification without undue delay.

22.3 Right to restriction of processing
As follows from Article 18 (1) EU GDPR, you may request the restriction of the processing of personal data concerning you under the following conditions:

– if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify its accuracy (Art. 18(1)(a) EU GDPR)

– the processing is unlawful and you object to the erasure of the personal data and request instead the restriction of the use of the personal data (Art. 18 (1) (b) EU-DSGVO)

– we no longer need the personal data for the purposes of processing, but it is necessary for you to assert, exercise or defend legal claims (Art. 18(1)(c) EU GDPR)

– if you have objected to the processing pursuant to Art. 21 (1) EU-DSGVO and it has not yet been determined whether our legitimate grounds override yours (Art. 18 para. 1 lit. d EU-DSGVO).
If the processing of personal data relating to you has been restricted, this data may – apart from being stored – only be processed with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State (Art. 18(2) EU GDPR).
If processing has been restricted in accordance with the above conditions, you will be informed by us before the restriction is lifted (Art. 18 para. 3 EU-DSGVO).

22.4 Right to deletion
a) Obligation to delete
Pursuant to Art. 17 (1) EU-DSGVO, you may demand that we delete the personal data relating to you without undue delay. Furthermore, we are obliged to delete this data without delay if one of the following reasons applies:

– The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed (Art. 17 para. 1 lit. a EU-DSGVO).
– You withdraw your consent on which the processing was based pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) EU-DSGVO and there is no other legal basis for the processing (Art. 17 para. 1 lit. b EU-DSGVO).
– You object to the processing pursuant to Art. 21 (1) EU-DSGVO and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) EU-DSGVO (Art. 17 para. 1 lit. c EU-DSGVO).
– The personal data concerning you has been processed unlawfully (Art. 17 para. 1 lit. d EU-DSGVO).
– The erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject (Art. 17 para. 1 lit. e EU-DSGVO).
– The personal data concerning you was collected in relation to information society services offered pursuant to Art. 8 (1) EU-DSGVO (Art. 17 para. 1 lit. f EU-DSGVO).

b) Information to third parties
If we have made the personal data concerning you public and we are obliged to erase it pursuant to Art. 17 (1) EU GDPR, we shall take reasonable steps, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers that process the personal data that you, as the data subject, have requested them to erase all links to, or copies or replications of, that personal data. (Art. 17(2) EU GDPR).

c) Exceptions
The right to erasure does not exist to the extent that the processing is necessary for one of the following reasons:

– to exercise the right to freedom of expression and information (Art. 17 para. 3 lit. a EU-DSGVO)
– for compliance with a legal obligation which requires processing under Union or Member State law to which we are subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (Art. 17 para. 3 lit. b EU-DSGVO)
– for reasons of public interest in the area of public health pursuant to Art. 9 (2) (h) and (i) and Art. 9 (3) EU-DSGVO (Art. 17 para. 3 lit. c EU-DSGVO)
– for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Art. 89(1) EU-DSGVO, insofar as the right referred to in section a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing (Art. 17(3)(d) EU-DSGVO), or
– for the assertion, exercise or defense of legal claims (Art. 17 para. 3 lit. e EU-DSGVO).

22.5 Right to information
If you have asserted the right to rectification, erasure or restriction of processing against us, we are obliged pursuant to Art. 19 EU-DSGVO to inform all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right against us to be informed about these recipients.

22.6 Right to data portability
Based on Article 20 (1) EU-DSGVO, you have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format. You also have the right to transfer this personal data to another controller without hindrance from us, provided that

– the processing is based on consent pursuant to Art. 6 (1) (a) EU GDPR or Art. 9 (2) (a) EU GDPR or on a contract pursuant to Art. 6 (1) (b) EU GDPR (Art. 20 (1) (a) EU GDPR) and
– the processing is carried out with the aid of automated procedures (Art. 20 para. 1 lit. b EU-DSGVO).
Pursuant to Art. 20(2) EU GDPR, you also have the right to obtain that the personal data concerning you be transferred directly from us to another controller, to the extent that this is technically feasible.
The exercise of the right under Article 20 (1) EU-DSGVO does not affect the right to erasure under Article 17 EU-DSGVO. This does not apply to processing that is necessary for the performance of a task that is in the public interest or is carried out in the exercise of delegated official authority. This results from Art. 20 (3) EU-DSGVO.
According to Art. 20 (4) EU GDPR, freedoms and rights of other persons must not be affected by this.
The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

22.7 Right of objection
Pursuant to Article 21(1) EU GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) or (f) EU GDPR; this also applies to profiling based on these provisions.
We will no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

If the personal data concerning you is processed for the purposes of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling, insofar as it is related to such direct marketing (Art. 21 para. 2 EU-DSGVO).
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes (Art. 21 para. 3 EU-DSGVO).
You have the possibility, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise your right to object by means of automated procedures using technical specifications (Art. 21 (5) EU GDPR).
You also have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out for scientific or historical research purposes or for statistical purposes pursuant to Art. 89(1) EU GDPR, unless the processing is necessary for the performance of a task carried out in the public interest (Art. 21 (6) EU-DSGVO).

22.8 Right to revoke the declaration of consent under data protection law
Based on Art. 7 (3) EU-DSGVO, you have the right to revoke your declaration of consent under data protection law at any time. The revocation of the consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
You will be informed of this before giving your consent.

22.9 Automated decision in individual cases including profiling.
You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision is necessary for the conclusion or performance of a contract between you and us, is permitted by legislation of the Union or the Member States to which we are subject and that legislation contains appropriate measures to safeguard your rights and freedoms and your legitimate interests, or is carried out with your express consent.
This results from Art. 22 (1), (2) EU-DSGVO. However, these decisions may not be based on special categories of personal data pursuant to Art. 9(1) EU-DSGVO, unless Art. 9(2)(a) or (g) EU-DSGVO applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests. With regard to the cases mentioned in (1) and (3), we take reasonable steps to safeguard the rights and freedoms as well as your legitimate interests, which include at least the right to obtain the intervention of a person on the part of the controller, to express your point of view and to contest the decision. (Art. 21(3), (4) EU GDPR).

22.10 Right to complain to a supervisory authority.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or place of the alleged infringement, pursuant to Article 77 EU GDPR, if you consider that the processing of personal data relating to you infringes the EU GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.
(Art. 77 EU-DSGVO).
Competent supervisory authority for us is:
Bavarian State Office for Data Protection Supervision (BayLDA):
https://www.datenschutz-bayern.de, poststelle@datenschutz-bayern.de

The supervisory authority to which you have submitted a complaint will inform you about the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 EU-DSGVO. If you have any questions, please do not hesitate to contact our data protection officer at any time.

23. Note on data privacy statement

Unless otherwise regulated, the use of all information we have about you is subject to this privacy policy.
The company reserves the right to continuously adapt this data protection declaration to the necessary security measures in accordance with technological developments and will announce any changes here.

 

Status: April 2021