Data protection

1. Data protection at a glance

General information

The following information provides a simple overview of what happens to your personal data when you visit our website. Personal data is all data with which you can be personally identified. You can find detailed information on the subject of data protection in our data protection declaration listed under this text.

Data collection on our website

Who is responsible for data collection on this website?

The data processing on this website is carried out by the website operator. You can find the operator's contact details in the imprint of this website.

How do we collect your data?

On the one hand, your data is collected when you communicate it to us. This may, for example, be data that you enter in a contact form.

Other data is automatically recorded by our IT systems when you visit the website. This is primarily technical data (e.g. Internet browser, operating system or time of page access). This data is recorded automatically as soon as you enter our website.

What do we use your data for?

Some of the data is collected to ensure that the website is provided without errors. Other data can be used to analyze your user behavior.

What rights do you have regarding your data?

You have the right to obtain information about the origin, recipient and purpose of your stored personal data free of charge at any time. You also have the right to request that this data be corrected, blocked or deleted. You can contact us at any time at the address provided in the imprint if you have any questions about this or other questions regarding data protection. You also have the right to lodge a complaint with the responsible supervisory authority.

External hosting

This website is hosted by an external service provider (hoster). The personal data collected on this website is stored on the hoster's servers. This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses and other data generated via a website.

The hoster is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 Para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 Para. 1 lit. f GDPR).

If a corresponding consent has been requested, the processing will be carried out exclusively on the basis of Art. 6 Para. 1 lit. a GDPR and Section 25 Para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information on the user's end device (e.g. device fingerprinting) within the meaning of the TTDSG. The consent can be revoked at any time.

Our host will only process your data to the extent necessary to fulfill its service obligations and will follow our instructions regarding this data.

We use the following hoster:
Shopify Germany

Order processing
We have concluded a data processing agreement (DPA) with the provider named above. This is a contract required by data protection law that guarantees that the provider will only process the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.

Analysis tools and third-party tools

When you visit our website, your surfing behavior can be statistically evaluated. This is done primarily with cookies and so-called analysis programs. The analysis of your surfing behavior is usually anonymous; the surfing behavior cannot be traced back to you. You can object to this analysis or prevent it by not using certain tools. You can find detailed information about this in the following data protection declaration.

You can object to this analysis. We will inform you about the options for objection in this privacy policy.

2. General information and mandatory information

Data protection

The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this data protection declaration.

When you use this website, various personal data is collected. Personal data is data with which you can be personally identified. This privacy statement explains what data we collect and what we use it for. It also explains how and for what purpose this is done.

We would like to point out that data transmission over the Internet (e.g. when communicating by email) may have security gaps. Complete protection of data against access by third parties is not possible.

Note on the responsible body

The responsible body for data processing on this website is:

Aya Sasaki
Flowers SoSo
Guardinistrasse 24, D-81375, Munich

Phone: +49 163 1610804
Email: info@blumensoso.de

The responsible body is the natural or legal person who alone or jointly with others decides on the purposes and means of processing personal data (e.g. names, e-mail addresses, etc.).

Objection to advertising emails

The use of contact data published as part of the imprint obligation to send unsolicited advertising and information materials is hereby prohibited. The operators of the pages expressly reserve the right to take legal action in the event of unsolicited advertising information being sent, for example through spam emails.

Revocation of your consent to data processing

Many data processing operations are only possible with your express consent. You can revoke your consent at any time. All you need to do is send us an informal email. The legality of the data processing carried out up to the time of revocation remains unaffected by the revocation.

Right to lodge a complaint with the competent supervisory authority

In the event of violations of data protection law, the person affected has the right to lodge a complaint with the responsible supervisory authority. The responsible supervisory authority for data protection issues is the state data protection officer of the federal state in which our company is based. A list of data protection officers and their contact details can be found at the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request that the data be transferred directly to another responsible party, this will only be done if it is technically feasible.

Information, deletion and correction

Within the framework of the applicable legal provisions, you have the right at any time to obtain free information about your stored personal data, its origin and recipient and the purpose of data processing and, if applicable, a right to correction or deletion of this data.

You can contact us at any time with any questions about this or other issues relating to personal data.

Right to restriction of processing

You have the right to request that the processing of your personal data be restricted. You can contact us at any time to do so. The right to restriction of processing exists in the following cases:

  • If you dispute the accuracy of your personal data stored by us, we usually need time to check this. For the duration of the check, you have the right to request that the processing of your personal data be restricted.
  • If the processing of your personal data was/is unlawful, you can request the restriction of data processing instead of deletion.
  • If we no longer need your personal data, but you require it to exercise, defend or assert legal claims, you have the right to request that the processing of your personal data be restricted instead of deleted.
  • If you have lodged an objection in accordance with Art. 21 Para. 1 GDPR, a balance must be struck between your interests and ours. As long as it is not yet clear whose interests prevail, you have the right to request that the processing of your personal data be restricted.
  • If you have restricted the processing of your personal data, these data may – apart from their storage – only be processed with your consent or for the establishment, exercise or defence of legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the European Union or a Member State.

SSL or TLS encryption

For security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you send to us cannot be read by third parties.

Encrypted payment transactions on this website

If, after concluding a paid contract, there is an obligation to provide us with your payment details (e.g. account number for direct debit authorization), these details will be required to process the payment.

Payment transactions using common payment methods (Visa/MasterCard, direct debit) are carried out exclusively via an encrypted SSL or TLS connection. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.

With encrypted communication, your payment data that you send to us cannot be read by third parties.

3. Data collection on our website

Cookies

Some of the websites use so-called cookies. Cookies do not harm your computer and do not contain viruses. Cookies are used to make our service more user-friendly, effective and secure. Cookies are small text files that are stored on your computer and saved by your browser.

Most of the cookies we use are so-called “session cookies”. They are automatically deleted at the end of your visit. Other cookies remain stored on your device until you delete them. These cookies enable us to recognize your browser the next time you visit.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted.

Cookies that are required to carry out the electronic communication process or to provide certain functions you require (e.g. shopping cart function) are stored on the basis of Art. 6 Paragraph 1 Letter f of GDPR. The website operator has a legitimate interest in storing cookies to ensure technically error-free and optimized provision of its services. If other cookies (e.g. cookies to analyze your surfing behavior) are stored, these are treated separately in this data protection declaration.

Server log files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

  • Browser type and version
  • Operating system used
  • Referrer URL
  • Hostname of the accessing computer
  • Time of server request
  • IP address

This data will not be merged with other data sources.

The basis for data processing is Art. 6 (1) (b) GDPR, which permits the processing of data to fulfill a contract or for pre-contractual measures.

Contact form

If you send us inquiries via the contact form, your details from the inquiry form, including the contact details you provided there, will be stored by us for the purpose of processing the inquiry and in the event of follow-up questions.

We will not pass on this data without your consent. This data is processed on the basis of Art. 6 (1) (b) GDPR, provided that your request is related to the performance of a contract or is necessary to carry out pre-contractual measures.

In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries addressed to us (Art. 6 Para. 1 lit. f GDPR) or on your consent (Art. 6 Para. 1 lit. a GDPR) if this was requested; the consent can be revoked at any time.

The data you enter in the contact form will remain with us until you request deletion, revoke your consent to storage or the purpose for storing the data no longer applies (e.g. after your request has been processed). Mandatory legal provisions - in particular retention periods - remain unaffected.

Inquiry by email, telephone

If you contact us by email, telephone or fax, your request, including all personal data resulting from it (name, request), will be stored and processed by us for the purpose of processing your request.

We will not pass on this data without your consent. The processing of this data is based on Art. 6 Paragraph 1 Letter b of GDPR, provided that your request is related to the performance of a contract or is necessary to carry out pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries addressed to us (Art. 6 Para. 1 lit. f GDPR) or on your consent (Art. 6 Para. 1 lit. a GDPR) if this was requested; the consent can be revoked at any time.

The data you send to us via contact requests will remain with us until you request deletion, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory legal provisions – in particular statutory retention periods – remain unaffected.

Commercial and business services

We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as “contractual partners”) within the framework of contractual and comparable legal relationships as well as related measures and within the framework of communication with the contractual partners (or pre-contractually), e.g. to answer inquiries.

We process this data to fulfill our contractual obligations, to protect our rights and for the purposes of the administrative tasks associated with this information and for business organization. Within the framework of applicable law, we only pass on the data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or to fulfill legal obligations or with the consent of the persons concerned (e.g. to participating telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). The contractual partners are informed about other forms of processing, e.g. for marketing purposes, within the framework of this data protection declaration.

We inform our contractual partners which data is required for the aforementioned purposes before or during data collection, e.g. in online forms, by special marking (e.g. colors) or symbols (e.g. asterisks or similar), or in person.

We delete the data after the expiry of statutory warranty and similar obligations, i.e., generally after 4 years, unless the data is stored in a customer account, e.g. as long as it must be kept for legal archiving reasons (e.g. for tax purposes, usually 10 years). We delete data that was disclosed to us by the contractual partner as part of an order in accordance with the specifications of the order, generally after the end of the order.

To the extent that we use third-party providers or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms apply to the relationship between the users and the providers.

Economic analyses and market research: For business reasons and in order to be able to identify market trends and the wishes of contractual partners and users, we analyse the data available to us on business transactions, contracts, inquiries, etc., whereby the group of persons concerned may include contractual partners, interested parties, customers, visitors and users of our online offer.

The analyses are carried out for the purposes of business evaluations, marketing and market research (e.g. to determine customer groups with different characteristics). In doing so, we can take into account the profiles of registered users, if available, along with their information, e.g. on services used. The analyses serve us alone and are not disclosed externally, unless they are anonymous analyses with summarized, i.e. anonymized values. Furthermore, we take the privacy of the users into account and process the data for the analysis purposes as pseudonymously as possible and, if possible, anonymously (e.g. as summarized data).

Shop and e-commerce: We process our customers' data to enable them to select, purchase or order the selected products, goods and associated services, as well as to pay for and deliver or execute them. If necessary to execute an order, we use service providers, in particular postal, forwarding and shipping companies, to carry out the delivery or execution for our customers. We use the services of banks and payment service providers to process payment transactions. The required information is marked as such in the order or comparable purchase process and includes the information required for delivery, provision and billing as well as contact information in order to be able to hold any consultation.

  • Types of data processed: inventory data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contact data (e.g. e-mail, telephone numbers), contract data (e.g. subject of the contract, term, customer category), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Affected persons: interested parties, business and contractual partners, customers.
  • Purposes of processing: Provision of contractual services and customer service, contact requests and communication, office and organizational procedures, administration and response to inquiries, security measures, visit action evaluation, interest-based and behavioral marketing, profiling (creation of user profiles).
  • Legal basis: Contractual performance and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b. GDPR), legal obligation (Art. 6 Para. 1 S. 1 lit. c. GDPR), legitimate interests (Art. 6 Para. 1 S. 1 lit. f. GDPR).

Payment service providers

Within the framework of contractual and other legal relationships, due to legal obligations or otherwise on the basis of our legitimate interests, we offer the data subjects efficient and secure payment options and, in addition to banks and credit institutions, use other payment service providers (collectively "payment service providers").

The data processed by the payment service providers includes inventory data such as name and address, bank details such as account numbers or credit card numbers, passwords, TANs and checksums as well as contract, sum and recipient-related information. The information is required to carry out the transactions. However, the data entered is only processed and stored by the payment service providers. This means that we do not receive any account or credit card-related information, only information confirming or rejecting the payment. The payment service providers may transmit the data to credit agencies. This transmission is for the purpose of checking identity and creditworthiness. For this purpose, we refer to the terms and conditions and the data protection information of the payment service providers.

The terms and conditions and data protection notices of the respective payment service providers apply to payment transactions and can be accessed on the respective websites or transaction applications. We also refer to these for further information and to assert revocation, information and other rights of those affected.

  • Types of data processed: inventory data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contract data (e.g. subject matter of the contract, term, customer category), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Affected persons: customers, interested parties.
  • Purposes of processing: Provision of contractual services and customer service.
  • Legal basis: Contractual performance and pre-contractual inquiries (Art. 6 Para. 1 Clause 1 lit. b. GDPR), legitimate interests (Art. 6 Para. 1 Clause 1 lit. f. GDPR).

Services and service providers used:

We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.

We would like to point out that user data may be processed outside the European Union. This may result in risks for users because it could, for example, make it more difficult to enforce user rights.

Furthermore, the data of users within social networks is usually processed for market research and advertising purposes. For example, user profiles can be created based on the user's usage behavior and the resulting interests. The user profiles can in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the user's interests. For these purposes, cookies are usually stored on the user's computers in which the user's usage behavior and interests are stored. Furthermore, data can also be stored in the user profiles regardless of the devices used by the user (especially if the users are members of the respective platforms and are logged in to them).

For a detailed description of the respective processing methods and the options for objection (opt-out), please refer to the data protection declarations and information provided by the operators of the respective networks.

In the case of requests for information and the assertion of data subject rights, we would like to point out that these can be asserted most effectively with the providers. Only the providers have access to the user data and can take appropriate measures and provide information directly. If you still need help, you can contact us.

  • Types of data processed: inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Affected persons: Users (e.g. website visitors, users of online services).
  • Purposes of processing: contact requests and communication, tracking (e.g. interest-/behavior-related profiling, use of cookies), remarketing, reach measurement (e.g. access statistics, recognition of returning visitors).
  • Legal basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f. GDPR).

Services and service providers used:

Analysis tools and advertising

Google AdWords with conversion tracking

We use Google AdWords with conversion tracking for advertising on our website. This is a service provided by Google LLC, based at 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter referred to as "Google". Through certification under the EU-US Privacy Shield, Google guarantees that EU data protection regulations are also adhered to when processing data in the USA.

We use conversion tracking to specifically advertise our offer. The legal basis for this is Article 6 Paragraph 1 Letter f of the GDPR. When you click on a Google ad, our conversion tracking places a cookie on your device. These conversion cookies expire after 30 days and do not identify you personally. If the cookie is still valid and you visit a certain page on our website, we and Google can recognize that you clicked on one of our ads on Google and were then redirected to our website.

Google creates statistics about visits to our website based on the information collected. This tells us how many users clicked on our ads and which pages they then visited on our website. Neither we nor others who also use Google AdWords can identify you using this method.

You can prevent or restrict the installation of cookies by changing the settings in your Internet browser. You can delete saved cookies at any time. The steps and measures depend on your Internet browser. If you have any questions, use the help function or the documentation of your Internet browser. If necessary, contact the manufacturer.

Google offers further information on this topic, in particular on how to prevent data usage. This information is available at the following links:
https://services.google.com/sitestats/de.html
http://www.google.com/policies/technologies/ads/
http://www.google.de/policies/privacy/

Deletion of data

The data we process will be deleted in accordance with legal requirements as soon as the consents permitted for processing are revoked or other permissions no longer apply (e.g. if the purpose of processing this data no longer applies or it is no longer required for the purpose).

If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted to these purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person.

Further information on the deletion of personal data can also be found in the individual data protection notices of this data protection declaration.

Changes and updates to the privacy policy

We ask you to regularly inform yourself about the content of our privacy policy. We will adapt the privacy policy as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time and please check the information before contacting us.

Rights of the data subjects

As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:

  • Right to object: You have the right to object at any time to the processing of personal data concerning you which is carried out on the basis of Art. 6 (1) (e) or (f) GDPR, for reasons related to your particular situation; this also applies to profiling based on these provisions. If the personal data concerning you are processed in order to conduct direct advertising, you have the right to object at any time to the processing of personal data concerning you for the purposes of such advertising; this also applies to profiling insofar as it is related to such direct advertising.
  • Right to withdraw consent: You have the right to withdraw consent at any time.
  • Right to information: You have the right to request confirmation as to whether or not data concerning you is being processed and to request information about this data as well as further information and a copy of the data in accordance with legal requirements.
  • Right to rectification: You have the right, in accordance with the statutory provisions, to request that the data concerning you be completed or that inaccurate data concerning you be rectified.
  • Right to erasure and restriction of processing: You have the right, in accordance with the statutory provisions, to demand that data concerning you be erased immediately or, alternatively, to demand that the processing of the data be restricted in accordance with the statutory provisions.
  • Right to data portability: You have the right to receive the data concerning you that you have made available to us in a structured, common and machine-readable format in accordance with the legal requirements or to request that it be transmitted to another controller.
  • Complaint to the supervisory authority: You also have the right, in accordance with the statutory provisions, to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you violates the GDPR.