Privacy policy of WALA Heilmittel GmbH
Online shop data privacy policy
Information on data processing for this website in accordance with Art. 13 EU General Data Protection Regulation (GDPR) when collecting personal data from the data subject
(Version: GDPR 2.1 of 24 September 2025)
WALA Heilmittel GmbH is responsible for this website and, as a teleservice provider, is to inform you at the beginning of your visit about the manner, scope and purpose of collecting and using personal data in a precise, transparent, understandable and easily accessible form in clear and simple language. This content must be available to you at all times.
We value the security of your data and compliance with data protection regulations greatly. The processing of personal data is subject to the provisions of the currently applicable European and national laws.
In the following privacy policy we would like to show you how we handle your personal data and how you can contact us:
WALA Heilmittel GmbH
Dorfstraße 1
D - 73087 Bad Boll/Eckwälden
Trade register number: HRB 530784
Telephone: +49 (0)7164 930-0
Fax: +49 (0)7164 930-297
E-Mail: info@wala.de
Web: www.wala.world
Authorised representatives on the management board: Dr. Philip Lettmann (Chairman), Dr. Armin Dörr, Dr. Markus Moßhammer, Christian Rehbock, Prof. Dr. Florian Stintzing, Meera Ullal
Our Data Protection Officer
Sven Lenz
Datenschutzkanzlei Lenz GmbH & Co. KG
Bahnhofstraße 50
87435 Kempten
Germany
If you have any questions about data protection or other legal data protection concerns, you are welcome to contact the data protection team via email at datenschutz@wala.de.
For greater clarity, we do not differentiate between genders. For the purposes of non-discrimination, relevant terms apply to all genders. The meaning of the terms used, such as “personal data” and their “processing” is explained in Art. 4 GDPR.
Personal data processed within the scope of this website include the following:
- inventory data (e.g. customer names and addresses)
- contract data (e.g. services used, payment information)
- usage data (e.g. pages visited on our website) and
- content data (e.g. entries in online forms)
Privacy notice
Bases of data processing
We process your personal data only in accordance with the relevant data protection provisions and on the following legal bases:
- processing in order to provide our services and implement contractual measures in accordance with Art. 6(1)(b) GDPR (e.g. to process orders in the online shop)
- processing in order to fulfil our legal obligations in accordance with Art. 6(1)(c) GDPR
- consent in accordance with Art. 6(1)(a) and Art. 7 GDPR (e.g. consent to send our newsletter)
- processing in order to protect our legitimate interests in accordance with Art. 6(1)(f) GDPR (e.g. sending advertising to existing customers)
Transfer of data to third parties
We would like to point out that data are transferred to third parties. Your data will only be forwarded to third parties in accordance with legal requirements. We forward your data only if this is required, for example, by contract or on the basis of legitimate interest in the cost-effective and efficient running of our business. If we employ subcontractors for the provision of our services, we will take the required legal precautions as well as the corresponding technical and organisational measures to ensure the safety of personal data in accordance with the applicable legal regulations.
Data transfer to third countries or international organisations
Third countries are those in which the GDPR is not a directly applicable law. This basically covers all countries outside the EU or the European Economic Area. Through the use of various services on our website / in our online shop (see below for description), data are transferred to a third country or an international organisation. This takes into account the EU Commission’s adequacy decision. This implies that it is a safe third country or a safe international organisation that offers an adequate level of protection.
The following applies to data transfers to the USA: since July 2023, there has been an adequacy decision by the European Commission (Data Privacy Framework) that identifies the USA as a third country with a data protection level comparable to that of the EU. The adequacy decision can now serve as a basis for data transfers to certified organisations in the USA. The US services used are certified under the Data Privacy Framework. In the case of the Google, Pinterest and Meta services used on the website, the data location in the EU (Ireland) was selected. However, data may be transferred to a third country (in this case the USA). There is a risk that your data may be processed by US authorities for control and monitoring purposes. There are currently no legal remedies against this practice.
Retention period of your personal data
We adhere to the principles of data minimisation and data reduction. This means that we will store your data only so long as it takes to fulfil the above purposes or as required by various statutory retention periods. If the relevant purpose is not applicable, or the corresponding term expires, your data will be routinely blocked or erased according to legal regulations. We have created an internal company concept to ensure this happens.
Making contact
Personal data are processed within the scope of electronic contact with us (e.g. via the contact form or email). The information you provide will only be stored for the purpose of processing queries and for possible follow-up questions.
We would like to explain the legal basis for this:
- processing in order to provide our services and implement contractual measures in accordance with Art. 6(1)(b) GDPR
We would like to point out that emails may be unknowingly read or modified without authorisation along the transmission path. We would also like to draw your attention to the fact that we use software to filter unwanted emails (spam filters). The spam filter may reject emails if some characteristics are mistakenly interpreted as spam.
What rights do you have?
a) Right of access
You have the right to access your stored data free of charge. Upon request, we will inform you in writing which personal data concerning you we have stored. This also includes the origin and the recipient of your data as well as the purpose of data processing.
b) Right to rectification
You have the right to have inaccurate data concerning you, which is stored by us, rectified. You may also request the restriction of processing, e.g. when contesting the accuracy of your personal data.
c) Right to blocking
Furthermore, you may have your data blocked. In order to consider the blocking of your data at any time, the data must be kept in a locked file for control purposes.
d) Right to erasure
You may request the erasure of your personal data, provided there are no statutory retention obligations. If such an obligation is applicable, we will block your data upon request. If the required legal prerequisites are met, we will erase your personal data even without your request.
e) Right to data portability
You have the right to receive the personal data concerning you, which you provided to us, in a format that enables transfer to another location.
f) Right to lodge a complaint with a supervisory authority
You have the option to lodge a complaint with a supervisory data protection authority. In our case, the responsible data protection authority is the following:
The state data protection and freedom of information officer of Baden-Württemberg
Postal address: Postfach 10 29 32, 70025 Stuttgart, Germany
Telephone: +49 711 615541–0
Email: poststelle@lfdi.bwl.de
Website: https://www.baden-wuerttemberg.datenschutz.de
You can access the complaint form via the following link: https://www.baden-wuerttemberg.datenschutz.de/online-beschwerde
You can access the complaint form via the following link: https://datenschutz.hessen.de/service/beschwerde
Please note: a complaint can also be made to any data protection supervisory authority within the EU.
g) Right to object
You may at any time object to the processing of your data for reasons relating to your particular situation in accordance with Art. 6(1)(e) and (f); this also applies to profiling based on these provisions. In such an event, we will no longer process your personal data unless compelling legitimate grounds for the processing can be demonstrated which override your interests, rights and freedoms, or the processing is required for the establishment, exercise or defence of legal claims. If personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, including profiling to the extent that it is related to such direct marketing. In the event of such an objection, we will no longer process your personal data for direct marketing purposes. You simply need to send us an email to that effect.
h) Right of withdrawal
You may withdraw your consent to the processing of your data with immediate effect at any time without giving a reason. You can withdraw consent without detriment. You simply need to send us an email to that effect. However, such a withdrawal will not affect the lawfulness of the processing carried out until the time of the withdrawal on the legal basis of Art. 6(1)(a) GDPR.
To exercise your data subject rights, please email us at one of the above mentioned email addresses.
Protection of your personal data
We employ state-of-the-art contractual, technical and organisational safety measures to ensure that data protection laws are complied with and to protect the processed data from accidental or intentional manipulation, loss, destruction or access by unauthorised persons. These safety measures especially include the encrypted transfer of data between your browser and our server. For this purpose we use 256-bit SSL encryption (AES 256).
Your personal data are thereby protected under the following items (excerpt):
a) Maintaining confidentiality of your personal data
To maintain the confidentiality of your data stored with us, we have taken various measures to control access and entry.
b) Maintaining integrity of your personal data
To maintain the integrity of your data stored with us, we have taken various measures to control forwarding and input.
c) Maintaining availability of your personal data
To maintain the availability of your data stored with us, we have taken various measures to control orders and availability.
The safety measures used are constantly improved in line with technological development. Despite these precautions and due to the insecure nature of the internet, we cannot guarantee the safety of your data transfer to our website. As a result, any data transfer you perform is at your own risk.
Protection of minors
Persons under the age of 16 may only provide us with their personal data if they have the express consent of a legal guardian. Such data will be processed in accordance with this privacy policy.
The website provider automatically collects and stores information in server log files that your browser automatically transmits to us as follows:
- browser type and browser version
- operating system used
- referrer URL
- host name of the accessing computer
- time of the server request
- IP address
These data are not combined with other data sources.
The basis for data processing is our legitimate interest in accordance with Art. 6(1)(f) GDPR.
Cookies are small text files that are stored locally in the cache of your internet browser. Cookies enable the recognition of your internet browser, for example. The files are used to help the browser navigate the website and to make full use of all functions.
Cookies, which are necessary to carry out electronic communications or to provide certain functions you request (e.g. shopping basket function), are stored on the basis of Art. 6(1)(f) GDPR. The website operator has a legitimate interest in storing cookies in order to optimally provide their services without technical errors. If other cookies (e.g. cookies to analyse your browsing behaviour) are stored, they are treated separately in this privacy policy.
We may therefore store cookies on your device if they are strictly necessary to operate our website. We require your permission for all other types of cookies.
Our website uses different types of cookies. Some cookies are set by third parties and are used on our webpages.
You may change or withdraw your consent at any time on our website.
When you contact us regarding your consent, please provide your consent ID and date.
On our website, we use the Cookiebot by Usercentrics service provided by Usercentrics GmbH (Sendlinger Str. 7, 80331 Munich) to inform you about the use of cookies and to manage your consent in accordance with law. Cookies are used to collect and record your consent. The following data are processed:
Such data are processed on the basis of Art. 6(1)(c) GDPR (fulfilment of a legal obligation) and Art. 6(1)(f) GDPR (legitimate interest in user-friendly and legally compliant cookie management). Your consent data will be stored for 12 months and then automatically erased. Cookiebot stores your data within the European Union and does not pass them on to third parties. You may change or withdraw your consent for the services used on the website at any time by adjusting your cookie settings here. You can find out more about data processing by Cookiebot in the Usercentrics A/S privacy policy: https://www.cookiebot.com/de/privacy-policy/. So, in the best case scenario, you don’t need to do anything else.
We use the following provider’s system to host our website and display the page contents: Amazon Web Services, Inc., P.O. Box 81226, Seattle, WA 98108-1226
All data collected on our website are processed on the provider’s servers.
We have entered into a data processing agreement with the provider that ensures the protection of our website visitors’ data and prohibits unauthorised forwarding to third parties.
Despite the selection of the server location in Frankfurt (Germany), data may be transferred to a third country (in this case the USA) or an international organisation. Since July 2023, there has been an adequacy decision by the European Commission (Data Privacy Framework) that identifies the USA as a third country with a data protection level comparable to that of the EU. The adequacy decision can now serve as a basis for data transfers to certified organisations in the USA. Amazon Web Services Inc. is listed as a certified company according to the list of certified companies published by the U.S. Department of Commerce.
On our website, we use technologies from etracker GmbH to analyse and interpret visitor data in a pseudonymised user profile, using both cookieless tracking and cookies. Cookies are only tracked with your consent in accordance with Art. 6(1)(a) GDPR, which you may withdraw at any time using our consent tool in the footer (“cookie settings”).
With cookieless tracking, which is based on our legitimate interest (Art. 6(1)(f) GDPR), pseudonymised data such as page views, end devices, operating systems, browsers, geoinformation, referrers, click events, conversions and shortened IP addresses are collected when pages are viewed. This limits visitor recognition to 24 hours.
You may object to such tracking at any time – by telephone or fax, by using our contact form or by email. Data are processed exclusively in Germany; they are not forwarded to third parties or transferred to third countries. We have entered into a data processing agreement with etracker. Further data protection information can be found at https://www.etracker.com/en/data-protection-by-etracker/.
We use the services of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland on our website.
All the processing described above within the scope of the use of Google services is carried out exclusively on the basis of your explicit consent in accordance with Art. 6(1)(a) GDPR in conjunction with Section 25 TDDDG (Telecommunications Digital Services Data Protection Act). You may withdraw your consent at any time with immediate effect. To withdraw your consent, please disable these services using the cookie consent tool provided on the website.
We have entered into a data processing agreement with Google, under which Google is obliged to protect the data of our website users and not to pass them on to third parties.
In order to also ensure compliance with the European data protection level in the event of any transfer of data from the EU or EEA to the USA and possible further processing there, Google relies on the standard contractual clauses of the European Commission, which we have agreed with Google.
Since July 2023, there has been an adequacy decision by the European Commission (Data Privacy Framework) that identifies the USA as a third country with a data protection level comparable to that of the EU. The adequacy decision can now serve as a basis for data transfers to certified organisations in the USA. According to the list of certified companies published by the US Department of Commerce, Google LLC is listed as a certified company.
Further legal information on Google, including a copy of the standard contractual clauses mentioned above, can be found at https://policies.google.com/privacy and at https://policies.google.com/technologies/partner-sites.
The following Google services are used on our website:
Our website uses Google Analytics 4, which enables the analysis of website usage.
The version we use applies cookies. Cookies are text files that are stored on your end device and enable your website use to be analysed. The information gathered by the cookies about your use of the website is usually transferred to a Google server and stored and processed there. The transfer of information to Google LLC's servers at its registered office in the USA cannot be ruled out. Google LLC processes the data for its own purposes and may use it to aggregate this information to create a comprehensive profile of you.
The IP address transmitted by your end device is, by default and automatically, only ever collected and processed anonymously so that the information collected cannot be directly linked to an individual. Google removes the last digits from the IP address within member states of the European Union (EU) or other contracting states to the Agreement on the European Economic Area (EEA).
The use of Google Analytics on our website requires a large amount of information to analyse user behaviour on our website, to compile reports on your website activities and user behaviour and to provide us with other services related to your website and internet use. Furthermore, the “demographic details” function is used to collect statistics with statements about the age, gender and interests of website users on the basis of an evaluation of interest-based advertising and using third-party information. These are used to enable us to implement target-group-oriented marketing measures. However, the data collected in this way cannot be attributed to a specific person or to you personally.
We also use the “User-ID” feature as an extension of Google Analytics 4.
By assigning individual user IDs, we can have reports created across devices (referred to as “cross device tracking”). Therefore, if you have created a personal account by registering on this website and are logged into your personal account on various end devices with your corresponding log-in data, your user behaviour will also be analysed across devices. The data collected in this way show, among other things, the end device on which you first clicked on an ad and the end device on which the conversion in question took place.
We also use the Google Signals service as an extension of Google Analytics 4.
With Google Signals, we can also have Google create cross-device reports (i.e. “cross device tracking”). If you have activated “personalised ads” in your Google account and linked your internet-compatible end devices to your Google account, Google can analyse user behaviour across devices and create database models based on this. The data show, among other things, on which end device you first clicked on an ad and on which end device the corresponding conversion occurred. We obtain statistics based solely on Google Signals. You have the option to disable the “personalised ads” function in the settings of your Google account and stop the cross-device analysis in connection with Google Signals.
Data collected when using Google Analytics 4 are stored for 24 months and then deleted.
We use the online advertising programme “Google Ads” on this website and conversion tracking within the scope of Google Ads. By using Google Ads, we can use advertising materials (referred to as Google Adwords) on external websites to draw attention to our products and also measure the success of the advertising campaign. We do this in order to show you advertising tailored to your needs.
If a user clicks on an ad placed by Google, a cookie (small text file) will be set on their end device for conversion tracking. These cookies usually expire after 30 days and are not used for personal identification. With the help of Google, the cookie enables us to recognise that the user has been redirected to our site when the advert is clicked on.
This means that cookies cannot be traced beyond the websites of Google Ads customers. This information is used to compile conversion statistics and provide us with information on the total number of users who have clicked on our ad and been redirected to a page with a conversion tracking tag. However, we do not receive any information that personally identifies users.
Our website uses the functions of Google Ads remarketing. This is used to advertise this website in Google search results and on third-party websites.
For this purpose, Google sets a cookie in your end device browser that automatically enables interest-based advertising based on a pseudonymous cookie ID and the pages you visit.
Any further data processing will only take place if you have given Google your consent to have your internet and app browsing history linked to your Google account and if information from your Google account is used to personalise ads that you view on the Web. If you are logged in to Google during a visit to our website, Google will use your data together with Google Analytics data to create and define target group lists for cross-device remarketing. For this purpose, Google temporarily links your personal data to Google Analytics data in order to form target groups.
Details of the processing initiated by Google Ads remarketing and how Google handles data from websites can be found here: https://policies.google.com/technologies/partner-sites.
We use a service called Google Tag Manager. This is an auxiliary service and processes personal data only for technically necessary purposes. Google Tag Manager allows other components to be loaded that may collect data. Google Tag Manager does not access these data.
We use Google Maps for displaying maps and for creating travel routes. By using this online option, you consent to the collection, processing and use of the automatically collected data and the data you entered (including the IP address) by Google or any of their representatives or third party providers.
The legal basis for the use of Google Maps is Art. 6(1)(a) GDPR.
The terms of use for Google Maps can be seen at the following link:
On our website we use conversion tracking (“Pinterest tag”) of the social network Pinterest, operated by Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland (“Pinterest”). With the help of the Pinterest tag, Pinterest is able to identify visitors to our website as the target group for advertisements (“Pinterest ads”). We use the Pinterest tag to show the Pinterest ads we place only to those Pinterest users who have also shown an interest in our online service or who have certain characteristics (e.g. interests in certain topics or products determined by the websites visited). We also want to use the Pinterest tag to ensure that our Pinterest ads correspond to the potential interest of users and are not annoying. The Pinterest tag also enables us to track the effectiveness of Pinterest ads for statistical and market research purposes by seeing if users are redirected to our website after clicking on a Pinterest ad (referred to as “conversion”). When you visit our website and give your consent for tracking, the Pinterest tag is integrated. This establishes a direct connection between your browser and the Pinterest server. Among other things, Pinterest receives the information that you have visited our site with your IP address. If you are registered with Pinterest, Pinterest may associate your visit with your user account. The data collected during this process are anonymous to us and do not allow any conclusions to be drawn about your identity as a user. Pinterest may, however, link these data to your Pinterest account and use them for its own advertising purposes. Pinterest conversion tracking is used on the basis of your consent in accordance with Art. 6(1)(a) GDPR. You can withdraw your consent at any time with future effect via our consent banner. Pinterest may process data outside the European Union, in particular in the United States. Pinterest Europe Ltd. uses the European Commission’s standard contractual clauses and additional data protection measures to do this. You can find out more about Pinterest data protection in the Pinterest privacy policy.
Within the scope of our online service, the “Meta Pixel” by the social network Facebook is used in the advanced data matching mode, which is operated by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (“Facebook”).
Whenever a user clicks on an ad displayed on Facebook, the Meta Pixel adds an extension to the URL of our linked page. This URL parameter is then supplemented by the placement of a cookie from our website after being redirected to the user’s browser. This cookie also collects specific customer data, such as the email address that we collect on our website linked to the Facebook ad during transactions such as purchases, account log-ins or registrations (advanced data matching). The cookie is read by the Meta Pixel and enables the data, including the specific customer data, to be forwarded to Meta.
With the help of the Meta Pixel with advanced data matching, Meta is able to accurately identify visitors to our online service as a target group for displaying advertisements (“Facebook ads”). This enables us to display the Facebook ads placed by us only to Facebook users who have shown an interest in our online service or who have certain characteristics (e.g. interests in certain topics or products, which are determined by the websites visited) that we transmit to Meta (referred to as “custom audiences”).
By using the Meta Pixel, we also want to ensure that our Facebook ads correspond to the potential interest of users and are not annoying. This enables us to further evaluate the effectiveness of Facebook ads for statistical and market research purposes by tracking whether users were redirected to our website after clicking on a Facebook ad (referred to as “conversion”). This enables us to better measure the effectiveness of our advertising campaigns by recording more associated conversions.
All transmitted data are stored and processed by Meta so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes, in accordance with the Facebook Privacy Policy (https://www.facebook.com/about/privacy/). These data may enable Facebook and its partners to place advertisements on and off Facebook. To this end, we have entered into a joint controller agreement with Meta in accordance with Art. 26 GDPR.
Such processing will only take place with the express consent given in accordance with Art. 6(1)(a) GDPR in conjunction with Section 25 TDDDG.
The information generated by the Meta Pixel is usually transferred to a Meta server and stored there, which may also include a transfer to Meta Inc. servers in the USA. Since July 2023, there has been an adequacy decision by the European Commission (Data Privacy Framework) that identifies the USA as a third country with a data protection level comparable to that of the EU. The adequacy decision can now be regarded as a suitable guarantee under Art. 45 GDPR for data transfers to certified organisations in the USA. Meta Inc. is listed as a certified company according to the list of certified companies published by the U.S. Department of Commerce.
You can object to Meta storing and analysing your data at any time. Simply click on Cookie settings and slide the slider in the cookie category “Marketing” to the left. Then click on the “Confirm selection” button.
Our website integrates social plugins (“plugins”) from the social networks Facebook and Instagram (Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland). Facebook can be recognised by the Facebook logo (“f”) or the like button and Instagram can be recognised by the Instagram logo (camera symbol) or Instagram button.
If you access a page of our online shop that contains such a plugin, initially no contact is established with the Facebook/Instagram servers. To increase data protection, we use a two-click solution: when you visit one of our pages, no personal data are initially transferred to Facebook or Instagram. Only when you activate the respective plugin will a connection be established to the Meta Platforms servers and personal data (e.g. your IP address or information about the device used, including your social media log-in if necessary) will be forwarded to Meta and processed there. If you are logged into your social media account while doing so, Meta can associate your visit to our website with your profile.
The plugins are integrated to enable you to interact with social networks and to make our products more attractive. Integration is based on Art. 6(1)(a) GDPR, i.e. only with your prior consent (via our consent banner/tool). No data will be transferred without consent. You can withdraw your consent at any time using the consent tool on our website.
Meta Platforms may also process data outside the EU/EEA, in particular in the USA. In such cases, there are so-called standard contractual clauses intended to ensure data protection. We have no influence over the further use of data by Meta Platforms. Further information can be found in the Facebook and Instagram privacy policies.
When you subscribe to our email newsletter, we will regularly send you information about our products. Personal data are collected for this purpose. The only information that is mandatory for sending the newsletter is your email address. The provision of further data is voluntary and is used to address you personally. Such data will be used for our promotional purposes in the form of the email newsletter, provided you give your express consent in the following manner: “Yes, I would like to subscribe to the newsletter!” We use the double opt-in procedure to send the newsletter. This means that we will only send you an email newsletter if you have expressly confirmed to us that you consent to the newsletter being sent. We will then send you a confirmation email asking you to confirm that you wish to receive the newsletter in the future by clicking on the corresponding link. By activating the confirmation link, you give us your consent to the use of your personal data in accordance with Art. 6(1)(a) GDPR. When you subscribe to the newsletter, we store your IP address entered by the internet service provider (ISP) as well as the date and time of registration in order to trace possible misuse of your email address at a later date. You can cancel your newsletter subscription at any time using the corresponding link in the newsletter or by notifying us accordingly by sending an email to service@drhauschka.de. Upon cancellation, your email address will be promptly erased from our newsletter recipient list and placed in a locked file in order to ensure no more newsletters are sent.
We use the contact details of our existing customers (e.g. name, address, email address) to inform you about our products and services by means of email or postal advertising. Such processing is carried out on the basis of Article 6(1)(f) sentence 1 GDPR (legitimate interest) and, in the case of advertising measures by email, in accordance with the requirements of Section 7(3) UWG (Act Against Unfair Competition). Our legitimate interest is to offer relevant services and maintain a long-term customer relationship. Personal data will only be stored as long as is necessary for the stated purpose (existence of the customer relationship) or if you have not objected to their use. You have the right to object to the use of your data for advertising purposes at any time. You can do this informally by contacting us using the options provided above. Upon receipt of your objection, we will no longer use your data for advertising purposes.
In addition to this online service, we also have profiles on various social media platforms, which you can access via the corresponding buttons on our website. If you visit any of these profiles, personal data may be transferred to the social network provider. In addition to the storage of the data you entered in this social medium, the social network provider may also process other information.
You can find out more in our social media privacy policy.
Our website uses the Shopware 6 shop system from shopware AG (Ebbinghoff 10, 48624 Schöppingen, Germany). Below, we explain the specific processing of personal data by Shopware 6 when using our online shop.
When you visit our online shop, Shopware 6 automatically processes technical information to ensure the correct functioning and security of the website:
- IP address (in anonymous form)
- browser type and version
- operating system
- referrer URL (the page visited previously)
- date and time of the request
- session IDs and cookies for session management
The legal basis for this is Art. 6(1)(f) GDPR (legitimate interest in the security and correct functioning of the shop).
The following personal data are processed in order to process orders and manage customer accounts:
- surname, name
- email address
- billing and delivery address
- telephone number (if provided)
- payment information
- order history
According to Art. 6(1)(b) GDPR, personal data will be collected and processed if you provide them to us to perform a contract or to open a customer account. The respective entry forms may be inspected to determine which data are being collected. Your customer account can be deleted at any time by sending notification to the above-mentioned address of the person responsible. After full performance of the contract or the deletion of your customer account, your data will be blocked allowing for tax and commercial statutory retention periods and erased after the expiration of these periods, unless you have expressly consented to further use of your data or if we reserve the right to a legally permitted further use of data of which you will be duly informed below.
Dr. Hauschka Friends programme
When you open a customer account in our online shop, you automatically join the Dr. Hauschka Friends programme. This gives you the opportunity to network more closely with us and receive benefits that are tailored specifically to you. This means that, for example, you may reach different Friends levels based on your turnover in our online shop or receive other offers tailored to you (e.g. birthday benefits). We process the following data: your name, address, date of birth, email address, data on your online shop purchases and user behaviour within the Friends programme (e.g. what rewards you have earned or what kind of Friends status you have). Data are processed on the legal basis of Art. 6(1)(b) GDPR.
Shopware 6 also processes payment data in order to fulfil purchase contracts. For this purpose, your payment information will be transferred to your selected payment service provider. Depending on the payment method, this can include:
- bank details (IBAN, BIC) or credit card details
- transaction data (payment status, reference number, amount)
- beneficial owner (tax data may be requested from corporate customers).
The payment service providers are as follows (depending on the selection and integration):
- PayPal (PayPal (Europe) S.à r.l. et Cie, Luxembourg)
- Klarna (Klarna Bank AB, Sweden)
- Stripe (Stripe Payments Europe Ltd., Ireland)
- payment via credit card (American Express)
- other depending on shop integration
The legal basis for this is Art. 6(1)(b) GDPR (performance of the contract) and, if applicable, Art. 6(1)(f) GDPR (interest in fraud protection and misuse detection).
Shopware 6 stores session information in order to manage the shopping basket and current user actions. Shopware uses the following types of cookies:
- essential cookies: to save the log-in and shopping basket contents
- session IDs: to identify recurring sessions
- tracking cookies (if enabled): to analyse purchasing behaviour
Non-essential cookies (e.g. for marketing and tracking) are only used with your explicit consent (Art. 6(1)(a) GDPR).
Shopware 6 processes the following data when using our contact form or for support queries:
- name, email address
- query or message content
- query subject
- metadata (e.g. IP address, time of query)
Legal basis: depending on the purpose Art. 6(1)(b) GDPR (to answer customer queries) or Art. 6(1)(f) GDPR (legitimate interest in processing queries).
Data transfer:
- payment processing: forwarding to the selected payment provider (see “Payment processing”)
- shipping: transmission of shipping data to logistics service providers (e.g. DHL, DPD, UPS)
- taxation and accounting: forwarding to tax and tax authorities as required by law
- marketing & analysis (only with consent): forwarding of anonymous/aggregated data for shop optimisation
Legal basis: Art. 6(1)(b) and (c) GDPR (performance of the contract and legal obligation).
Data are not transferred to third countries without your knowledge and express consent.
We store your data only for as long as is necessary for the respective purpose, in particular as follows:
Once the retention period has elapsed, your data will be securely erased or anonymised.
As part of contract performance, the personal data collected by us will be forwarded to the transport company commissioned with the delivery, insofar as this is necessary for the delivery of goods.
Goods are delivered by the transport service provider DHL (DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn). If you have given us your consent during the ordering process, we will forward your email address in accordance with Art. 6(1)(a) GDPR before the goods are delivered to DHL to coordinate a delivery date or provide notice of delivery. Otherwise, for the purpose of delivery in accordance with Art. 6(1)(b) GDPR, we will only forward the name of the recipient and the delivery address to DHL. Forwarding will only take place if this is necessary for the delivery of goods. In this case, prior coordination of the delivery date or notice of delivery with DHL is not possible. You can withdraw your consent at any time with future effect with respect to us or the transport service provider DHL.
Trusted Shops widgets are integrated into this website to display Trusted Shops services (e.g. quality seal, collected reviews) and DocCheck to offer Trusted Shops products to buyers after placing an order.
This serves to protect our overriding legitimate interests in optimal marketing by enabling secure purchasing in accordance with Art. 6(1)(f) sentence 1 GDPR. The Trustbadge and the services advertised with it are a service from Trusted Shops AG, Subbelrather Str. 15C, 50823 Cologne, with whom, in accordance with Art. 26 GDPR, we are joint data controllers. Within the scope of this privacy policy, we will inform you below about the essential contents of the contract in accordance with Art. 26(2) GDPR.
The Trustbadge is provided by a CDN (content delivery network) provider in the USA as part of a joint responsibility. An appropriate level of data protection is ensured by standard data protection clauses and other contractual measures. You can find out more about Trusted Shops AG’s data protection in their privacy policy.
When the Trustbadge is viewed, the web server automatically saves a server log file, which also contains your IP address, date and time of viewing, amount of data transferred and the requesting provider (access data) and documents the viewing. The IP address is anonymised immediately after collection so that the stored data cannot be attributed to you. The anonymous data are used in particular for statistical purposes and for error analysis.
Upon completion of the order, your email address, hashed using a one-way cryptographic function, will be transferred to Trusted Shops AG. The legal basis is Art. 6(1)(f) sentence 1 GDPR. This serves to check whether you are already registered with Trusted Shops AG for services and is therefore required for fulfilling our and Trusted Shops’ overriding legitimate interests in providing the buyer protection and transactional valuation services linked to the specific order in accordance with Art. 6(1)(f) sentence 1 GDPR. If this is the case, further processing will be carried out in accordance with the contractual agreement concluded between you and Trusted Shops. If you are not yet registered for the services, you will then be given the opportunity to do so for the first time. Further processing after registration is also governed by the contractual agreement with Trusted Shops AG. If you do not register, all transmitted data will be automatically erased by Trusted Shops AG and reference to a specific person will no longer be possible.
Within the scope of the joint responsibility existing between us and Trusted Shops AG, if you have any data protection questions and wish to assert your rights, please contact Trusted Shops AG using the contact options specified in the privacy policy linked above. Regardless, you may always contact the responsible person of your choice. If necessary, your request will then be forwarded to the other responsible person for reply.
On this website we use chat software developed by the company Userlike UG (limited liability), Probsteigasse 44-46, 50670 Cologne, Germany. You can use the chat as a contact form to chat with our employees almost in real time. When starting the chat, the following personal data are gathered:
- date and time of access
- browser type/version
- IP address
- operating system used
- URL of the website visited previously
- amount of data sent
- and if specified or you are logged into a customer account: name, surname and email address
Depending on the conversation with our employees, further personal data that you have entered in the chat may be gathered. The type of data greatly depends on your query or the issue that you raise with us. We process these data to provide you with a quick and efficient means of contact and so improve our customer service.
All of our employees have been instructed regarding data privacy and receive ongoing training to ensure the safe and reliable handling of customer data. All of our employees are bound by confidentiality and undertake to maintain both confidentiality and data privacy.
When this website is accessed, the chat widget is loaded in the form of a JavaScript file from AWS CloudFront. The chat widget is technically the source code that is run on your computer and enables the chat to work.
We use this to save the chat for a period of one month. This is to save you the inconvenience of having to provide lengthy explanations about the background of your query and for the ongoing quality control of our chat feature. Processing is therefore required in accordance with Art. 6(1)(f) GDPR. If you object to such processing, you are welcome to notify us using the contact details provided below. Any saved chats will then be deleted immediately.
We also save the chat data to guarantee the security of our IT systems. This is within our legitimate interest for which processing is permitted under Art. 6(1)(f) GDPR.
To find out more, see the Userlike UG (limited liability) privacy policy.
If a product should ever be unavailable in our shop, we offer our customers the option to receive an email notification if the product becomes available again.
You can enter your email address under the information field “Notify me as soon as the product is available”. When you enter the email address and press the submit button, these data will be transferred to us and stored. In the event of product availability, a corresponding notification will be sent to the email address provided.
The legal basis for data processing is Art. 6(1)(f) GDPR for the purpose of notifying about product availability.
The email address will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the notification function, this is the time of notification of product availability. If the product is still not available six months after entering your email address using the notification function, your email address will automatically be deleted from our system.
You have the option to rate our Dr. Hauschka products in our online shop. We are required by law to ensure that the reviews published in the online shop are reviews by consumers who have purchased the reviewed product and are therefore able to provide a genuine review.
To verify that you have actually purchased the reviewed product, we only provide the option to rate our products to customers with a customer account.
You can find all the products you have previously purchased in our online shop in your Dr. Hauschka customer account area, under your order history. You can rate a particular product by clicking on the “write a review” button, which will take you to a rating screen. Within this template, you can provide a star rating (1–5) and optionally enter a review text and publish it afterwards. Your rating as well as your first name and the first letter of your surname will then be visible in our online shop. Your name is also programmed as a link to access all your product reviews by clicking on your name.
By clicking on the corresponding checkbox, you consent to the collection and processing of data, which may be health data. You voluntarily provide WALA Heilmittel GmbH with these for publication. The legal basis for data processing is Art. 6(1)(a) GDPR.
The online skin test on our website allows you to determine your skin condition by answering a few questions. You will then see suitable Dr. Hauschka products. No personal data are stored or analysed.
Optionally, via two separate forms of consent you can do the following:
- Link your skin test result to your user profile so that it can be viewed in your customer account and used for marketing and statistical purposes.
- Link the purchase of recommended products to your data based on the skin test so that these purchases undergo statistical analysis.
Data processing is based on your consent (Art. 6(1)(a) GDPR) and will continue until your customer account is revoked or deleted.
We reserve the right to adapt our privacy policy at short notice so that it always complies with the current legal requirements or in order to implement changes to our services. This may include, for example, the introduction of new services. The new privacy policy will then apply when you visit the site again.