Privacy notice

Data Protection and Privacy Policy

1. Information about the collection of personal data and contact details of the person responsible
In the following we inform you about the handling of your personal data when using our website. Personal data are all data with which you can be personally identified.
Responsible for the data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is CEO Christoph Hußmann. The person responsible for the processing of personal data is the natural or legal person who, alone or in concert with others, decides on the purposes and means of processing personal data.
The party responsible for this website within the meaning of data protection legislation and regulations for media services is: Dipl.-Ing. Thomas Hahn. The contact details will be provided on request.
This website uses SSL encryption for security reasons and to protect the transmission of personal data and other confidential contents (e.g. orders or inquiries from the requester). You can recognize an encrypted connection by the character string "https://" and the padlock symbol in your browser bar.

2. Data collection when visiting our website
In the case of merely informative use of our website, i.e. if you do not register or otherwise provide us with information, we only collect data that your browser transmits to our server (so-called “server log files”). When you visit our website, we collect the following information that is technically necessary for us to display the website:

- the page of our website that was visited
- date and time of access
- amount of data sent in bytes
- source/reference from which you came to the site
- browser used
- operating system used
- IP address used (if necessary: in anonymous form)

The processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR based on our legitimate interest in improving the stability and functionality of our website. A transfer or other use of the data does not take place. However, we reserve the right to retrospectively check the server logfiles should concrete evidence point to unlawful use.

3. Cookies
In order to make your visit to our online shop and the shopping process more fluid and comfortable, and to allow the use of some features, we use cookies. Cookies are small text files stored on your device. Some of the cookies we use are deleted after the browser session has ended, i.e. after your browser has closed. Other cookies remain on your device and allow us to recognize your browser on your next visit. Cookies do not interfere with your computer's operating system. If you wish, you can block the use of cookies or configure your browser so that you are informed about the use of cookies and decide individually whether to accept them or not. Refusal to accept cookies may block the use of some features and prevent the purchase process.
In some cases, cookies are used to simplify the ordering process by storing settings (for example, remembering the contents of a virtual shopping cart for a later visit to the website). Insofar as personal data are also processed by individual cookies implemented by us, the processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR either for the execution of the contract or in accordance with Art. 6 para. 1 lit. f GDPR for safeguarding our legitimate interests in the best possible functionality of the website as well as a customer-friendly and effective design of the page visit.
We may work with advertising partners to help us make our web site more interesting to you. For this purpose, in this case, when you visit our website, cookies from partner companies are stored on your hard disk (third-party cookies). If we cooperate with aforementioned advertising partners, you will be informed individually and separately about the use of such cookies and the scope of the information collected in the following paragraphs.
Please note that you can set your browser so that you are informed about the setting of cookies and individually decide on their acceptance or exclude the acceptance of cookies for specific cases or in general. Each browser differs in the way it manages the cookie settings. This is described in the Help menu of each browser, which explains how to change your cookie settings. These can be found for the respective browser under the following links:

Internet Explorer: http://windows.microsoft.com/en-US/windows-vista/Block-or-allow-cookies
Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
Chrome: http://support.google.com/chrome/bin/answer.py?hl=en&hlrm=en&answer=95647
Safari: https://support.apple.com/kb/ph21411?locale=en_US
Opera: http://help.opera.com/Windows/10.20/en/cookies.html

Please note that if you do not accept cookies, the functionality of our website may be limited.

4. Disclosure of data
Personal data will not be passed on to third parties, except in one of the following cases:
- The person concerned has expressly consented to this (Art. 6 para. 1 sentence 1 letter a) GDPR).
- There is a legal obligation for the data transmission in accordance with Art. 6 para. 1 sentence 1 letter c) GDPR.
- According to Art. 6 para. 1 sentence 1 letter b) GDPR, the transfer of data is necessary for the fulfilment of a contractual relationship with the data subject.
- The disclosure pursuant to Art. 6 para. 1 sentence 1 letter f) GDPR is necessary for the assertion, exercise or protection of legal claims and there is no reason to assume that the data subject has an overriding interest worthy of protection in not disclosing his/her data.
As far as our service providers come into contact with your personal data, we ensure within the scope of the order processing according to Art. 28 GDPR that these comply with the regulations of the data protection laws in the same way.

5. Contact
When you contact us (e.g. via the contact form or e-mail), personal data is collected. Which data is collected when a contact form is used can be seen from the corresponding contact form. This data is stored and used exclusively to answer your request or to establish contact. The legal basis for the processing of data is our legitimate interest in responding to your request in accordance with Art. 6 para. 1 lit. f GDPR. If your contact aims to conclude a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR. Your data will be deleted after your request has been processed. This may be the case, for example, if it is considered that the facts concerned have been definitively clarified and that there are no contrary legal storage obligations.
We use the CRM system "FreshDesk", a platform from Freshworks Inc., 1250 Bayhill Drive, Suite 315, San Bruno, CA 94066, based on our legitimate interests (efficient and fast processing of user inquiries). To this end, we have concluded a contract with FreshDesk with so-called standard contract clauses, in which FreshDesk undertakes to process user data only in accordance with our instructions and to comply with the EU data protection level. FreshDesk is also certified under the Privacy Shield Agreement and thus offers an additional guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000KzX1AAK&status=Active).
The FreshWorks Privacy Policy can be viewed here: https://www.freshworks.com/terms/, https://www.freshworks.com/privacy/, https://www.freshworks.com/security/.

6. Data processing in the application process
Job or internship applications to xTWO can be sent to the e-mail address jobs@xtwostore.com provided for this purpose. The personal data and documents you provide will be forwarded internally to the responsible person(s). This is done exclusively for the purposes of the application procedure. Your application documents will be deleted no later than six months after the conclusion of the application procedure. This applies under the condition that there is no legal obligation for further storage.

7. Data processing when opening a customer account and for contract execution
According to Art. 6 para. 1 lit. b GDPR, personal data will continue to be collected and processed when you provide it to us for the execution of a contract or when opening a customer account. Which data are collected can be seen from the respective input forms. A deletion of your customer account is possible at any time and can be requested by sending a message to the above-mentioned address of the person responsible. We save and use the data you have provided for the execution of the contract. After completion of the contract or deletion of your customer account, your data will be blocked with regard to tax and commercial retention periods and deleted after expiration of these periods, unless you have expressly consented to further use of your data or there is a legally permitted further use of the data on our side, about which we will inform you accordingly below.

8. Data processing for order processing
To process your order, we cooperate with the following service providers who support us wholly or partially in the execution of concluded contracts. Personal data will be transmitted to these service providers in accordance with the following information.
The personal data collected by us (name, address, e-mail address and phone number) will be passed on to the transport company commissioned with the delivery within the scope of the contract, insofar as this is necessary for the delivery of the goods.
We will pass on your payment details to the commissioned bank as part of the processing of payments, if this is necessary for the payment process. If payment service providers are used, we will inform you explicitly below. The legal basis for the transfer of data is Art. 6 para. 1 lit. b GDPR.

8.1 Payment service provider PayPal
On this website, the controller has integrated components of PayPal. PayPal is an online payment service provider. Payments are processed via so-called PayPal accounts, which represent virtual private or business accounts. PayPal is also able to process virtual payments through credit cards when a user does not have a PayPal account. A PayPal account is managed via an e-mail address, which is why there are no classic account numbers. PayPal makes it possible to trigger online payments to third parties or to receive payments. PayPal also accepts trustee functions and offers buyer protection services.
The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg.
If the data subject chooses "PayPal" as the payment option in the online shop during the ordering process, we automatically transmit the data of the data subject to PayPal. By selecting this payment option, the data subject agrees to the transfer of personal data required for payment processing.
The personal data transmitted to PayPal is usually first name, last name, address, email address, IP address, telephone number, mobile phone number, or other data necessary for payment processing. The processing of the purchase contract also requires such personal data, which are in connection with the respective order.
The transmission of the data is aimed at payment processing and fraud prevention. The controller will transfer personal data to PayPal, in particular, if a legitimate interest in the transmission is given. The personal data exchanged between PayPal and the controller for the processing of the data will be transmitted by PayPal to economic credit agencies. This transmission is intended for identity and creditworthiness checks.
PayPal will, if necessary, pass on personal data to affiliates and service providers or subcontractors to the extent that this is necessary to fulfill contractual obligations or for data to be processed in the order.
The data subject has the possibility to revoke consent for the handling of personal data at any time from PayPal. A revocation shall not have any effect on personal data which must be processed, used or transmitted in accordance with (contractual) payment processing.
The applicable data protection provisions of PayPal may be retrieved under https://www.paypal.com/us/webapps/mpp/ua/privacy-full.

8.2 Service provider for Wirecard payment
You can pay your order on our online shop by credit card. The transaction will then be processed by Wirecard AG.
Wirecard's European company is Wirecard AG, Einsteinring 35, 85609 Aschheim. Any user who selects the credit card as a payment method when ordering from our online shop will have their data transmitted to Wirecard. By selecting this payment method, you agree that all personal data necessary for the transaction will be transmitted to Wirecard. In general, the following data can be transmitted to Wirecard: first name, surname, address, e-mail address, IP address, fixed and/or mobile telephone number, payment data such as credit card number and any other personal data necessary for the proper execution of the contract.
Your data are processed in accordance with Article 6 of the General Data Protection Regulation (GDPR) and are only transmitted if they are necessary for the transaction. The purpose of the data transmission is to process the transaction and prevent fraud. The transaction processor forwards personal data to Wirecard, if necessary for the transaction. Wirecard may disclose your personal data to third party companies and service providers or subcontractors when necessary to fulfil contractual obligations.
You may revoke your consent to the transmission of your data at any time. Revocation does not apply to data that must be transmitted and used to process the transaction. The applicable Wirecard data protection provisions are available at https://www.wirecard.de/datenschutz/.

9. Use of social media: YouTube videos
This site uses the YouTube embedding feature to display and play videos from YouTube, which is owned by Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA ("Google").
Here, the extended privacy mode is used, which, according to the provider, starts storing user information only when the video(s) are played. When the playback of embedded YouTube videos starts, the provider YouTube uses cookies to collect information about user behavior. According to YouTube, these are used, among other things, to capture video statistics, improve user-friendliness and prevent abusive practices. If you're logged in to Google, your data will be assigned directly to your account when you click a video. If you do not wish your data to be associated with your profile on YouTube, you must log out before activating the button. Google stores your data (even for non-logged-in users) as usage profiles and evaluates them. According to Art. 6 (1) (f) of the GDPR, such an evaluation is based on the legitimate interests of Google in the display of personalized advertising, market research and / or tailor-made design of its website. You have a right to object to the creation of these user profiles; to exercise it, you must contact YouTube.
Regardless of any playback of the embedded video, every time you visit this website, it will connect to the Google Network "DoubleClick", which may trigger further data processing without our having any influence.
US-based Google LLC is certified under the US Privacy Shield, which ensures compliance with the level of data protection in the EU.
For more information on data protection at "YouTube", please see the provider's privacy policy at: https://www.google.com/intl/en/policies/privacy

10. Online Marketing
We use various online marketing tools on our website to obtain information about usage behavior and thus make visiting our website user-friendly. In the following text, we inform you about the individual tools.

10.1 Use of Google AdWords Conversion Tracking
This website uses “Google AdWords”. AdWords is an online advertising program from Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, United States ("Google").
As part of Google AdWords, we use so-called conversion tracking. When you click on an ad served by Google, a conversion tracking cookie is set. Cookies are small text files that your internet browser stores on your computer. These cookies expire after 30 days and are not used for personal identification of the user. Should the user visit certain pages of the website and the cookie has not yet expired, Google and the website can tell that the user clicked on the ad and proceeded to that page.
Each Google AdWords advertiser has a different cookie. Thus, cookies cannot be tracked across the websites of AdWords advertisers. The information obtained using the conversion cookie is used to create conversion statistics for the AdWords advertisers who have opted for conversion tracking. Customers are told the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, advertisers do not obtain any information that can be used to personally identify users. If you do not want to participate in tracking, you can opt out by disabling the Google Conversion Tracking cookie in your browser settings. In doing so, you will not be included in the conversion tracking statistics.
Conversion cookies are stored based on Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in analyzing user behavior to optimize both its website and its advertising.
For more information about Google AdWords and Google Conversion Tracking, see the Google Privacy Policy: https://www.google.de/policies/privacy/.
You can configure your browser to inform you about the use of cookies so that you can decide on a case-by-case basis whether to accept or reject a cookie. Alternatively, your browser can be configured to automatically accept cookies under certain conditions or to always reject them, or to automatically delete cookies when closing your browser. Disabling cookies may limit the functionality of this website.

10.2 Use of Remarketing or "Like Audiences" feature of Google Inc.
We use the Remarketing or "Like Audiences" feature of Google Inc. on our website (1600 Amphitheater Parkway, Mountain View, CA 94043, USA; "Google"). This function serves the purpose of analyzing visitor behavior and visitor interests.
Google uses cookies to carry out the analysis of the website usage, which forms the basis for the creation of interest-based advertisements. The cookies are used to record site visits and anonymous data on the use of the website. There is no storage of personal data of visitors to the website. If you visit another website on the Google Display Network, you'll see ads that are likely to include previously viewed product and information areas.
If necessary, your data will also be transmitted to the USA. There is an adequacy decision by the European Commission for data transfers to the US.
Processing is based on Art. 6 (1) lit. f GDPR, on the legitimate interest in targeting visitors to the Website through advertising by showing personalized, interest-based advertisements to visitors to the Provider's website when visiting other websites on the Google Display Network.
You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you, based on Art. 6 (1) f GDPR.
You can permanently deactivate the use of cookies by Google by following the link below and downloading and installing the plug-in provided there: https://support.google.com/ads/answer/7395996?hl=en.
Alternatively, you may opt out of third-party cookies by visiting the Network Advertising Initiative deactivation page at https://www.networkadvertising.org/choices/ and implementing the opt-out information listed there.
For more information about Google Remarketing and its privacy policy, please visit: https://www.google.com/privacy/ads/.

10.3 Use of Google Analytics
This website uses Google Analytics, a web analysis service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). The use includes the "Universal Analytics" operating mode. This facilitates the assignment of data, sessions and interactions across several devices to a pseudonymous user ID and thus the analysis of a user's activities across devices.
Google Analytics uses "cookies", which are text files placed on your computer, to allow the website operator to analyze how users use the site. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there. However, if IP anonymization is activated on this website, Google will shorten your IP address beforehand within Member States of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide the website operator with other services related to website and Internet use. Our legitimate interest in data processing also lies in these purposes. The legal basis for the use of Google Analytics is § 15 para. 3 TMG and Art. 6 para. 1 lit. f GDPR. The data sent by us and linked to cookies, user identifiers (e.g. User-IDs) or advertising identifiers are automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month. For more information on terms of use and data protection, please visit https://www.google.com/analytics/terms/gb.html or https://policies.google.com/?hl=en.
You may refuse the use of cookies by selecting the appropriate settings on your browser; however, please note that if you do this you may not be able to use the full functionality of this website. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by downloading and installing the browser add-on available at https://tools.google.com/dlpage/gaoptout?hl=en. Opt-out cookies prevent the future collection of your data when you visit this website. To prevent Universal Analytics from collecting data across several devices, you must opt out on all systems used.

11. Tools and more
To provide you with a better user experience, we use various tools that support the presentation of the website and the information it contains. These tools are explained below.

11.1 Google Maps
On our website, we use Google Maps (API) from Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA (“Google”). Google Maps is a web service for displaying interactive (land) maps to visually display geographic information. The use of this service will show you our location and facilitate your arrival.
When you visit any of the subpages where the Google Maps map is embedded, information about your use of our website (such as your IP address) is transmitted to Google's servers in the United States and stored there. This is done regardless of whether Google provides a user account that you are logged in to, or if there is no user account. When you're logged in to Google, your data will be assigned directly to your account. If you do not wish to be associated with your profile on Google, you must log out before activating the button. Google stores your data (even for non-logged-in users) as usage profiles and evaluates them. According to Art. 6 (1) (f) of the GDPR, such an evaluation is based on the legitimate interests of Google in the display of personalized advertising, market research and / or tailor-made design of its website. You have a right to object to the creation of these user profiles; to exercise it, you must contact Google.
US-based Google LLC is certified under the US Privacy Shield, which ensures compliance with the level of data protection in the EU.
If you disagree with the future transmission of your data to Google when using Google Maps, you can also disable the Google Maps web service completely by turning off JavaScript in your browser. In that case, Google Maps and the map display on this website cannot be used.
Google’s Terms of Use can be viewed at http://www.google.com/intl/en/policies/terms/regional.html, and the additional Google Maps Terms of Service can be found at https://developers.google.com/maps/terms?hl=de.
For details on privacy related to the use of Google Maps, please visit the Google Privacy Policy: http://www.google.com/intl/en/policies/privacy/.

11.2 Google Web Fonts
This site uses so-called web fonts provided by Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA ("Google") for consistent font representation. When a page is called, your browser loads the required web fonts into its browser cache to display texts and fonts correctly.
To do this, the browser you use must connect to Google’s servers. As a result, Google learns that our website has been accessed via your IP address. The use of Google Web Fonts is in the interest of a consistent and attractive presentation of our online services. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. If your browser does not support web fonts, a default font will be used by your computer.
US-based Google LLC is certified under the US Privacy Shield, which ensures compliance with the level of data protection in the EU.
More information about Google Web Fonts can be found at https://developers.google.com/fonts/faq and in Google’s Privacy Policy: https://policies.google.com/privacy?hl=en.

12. Rights of the person concerned
The applicable data protection law grants you comprehensive data protection rights (information and intervention rights) vis-à-vis the person responsible with regard to the processing of your personal data, about which we inform you below:
Right of access according to Art. 15 GDPR: In particular, you have a right to information about the personal data processed by us, the processing purposes, the categories of processed personal data, the recipients or categories of recipients to whom your data has been or will be disclosed, the planned storage period or the criteria for determining the storage period, the existence of the right to rectification, deletion, limitation of processing, objection to the processing and complaint to a supervisory authority, the origin of your data, if they were not collected by us, the existence of automated decision-making, including profiling and, where appropriate, meaningful information about the logic involved and the scope and intended effects of such processing, as well as your right to be informed which guarantees exist pursuant to Art. 46 GDPR when your data are forwarded to third countries.
Right to correction according to Art. 16 GDPR: You have the right to immediate correction of incorrect data concerning you and / or completion of your incomplete data stored by us.
Right to deletion pursuant to Art. 17 GDPR: You have the right to demand the deletion of your personal data if the requirements of Art. 17 (1) GDPR are met. However, that right does not apply, in particular, where the processing is necessary for the exercise of the right to freedom of expression and information, for the fulfillment of a legal obligation, for reasons of public interest or for the pursuit, exercise or defense of rights.
Right to restriction of the processing according to Art. 18 GDPR: You have the right to demand the restriction of the processing of your personal data for as long as the correctness of your data, which you have contested, is being checked; if you refuse a deletion of your data due to inadmissible data processing and instead demand the restriction of the processing of your data; if you need your data for the assertion, exercise or defense of legal rights after we no longer need these data for their purpose; or if you have raised objections based on your particular situation, for as long as it is not yet certain whether our legitimate reasons prevail.
Right to information in accordance with Art. 19 GDPR: If you have asserted the right to rectification, deletion or limitation of processing against the person responsible, he / she is obliged to notify all recipients to whom the personal data relating to you have been disclosed of this rectification or deletion of the data or limitation of processing, unless this proves to be impossible or disproportionate. You have the right to be informed about these recipients.
Right to data portability according to Art. 20 GDPR: You have the right to receive your personal data provided to us in a structured, common and machine-readable format or to request the transfer to another person responsible, as far as this is technically feasible.
Right of revocation of granted consent pursuant to Art. 7 para. 3 GDPR: You have the right to revoke your consent to the processing of data, once granted, at any time with effect for the future. In the case of withdrawal, we will delete the data concerned immediately, as far as further processing cannot be based on a legal basis for consentless processing. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
Right to lodge a complaint under Art. 77 GDPR: If you believe that the processing of personal data concerning you is contrary to the GDPR, you have the right, without prejudice to any other administrative or judicial remedy, to complain to a supervisory authority, in particular in the Member State of your whereabouts, your place of work or the place of the alleged infringement.

13. Right to object
If we process your personal data on the basis of our overriding interest, you have the right at any time, for reasons arising from your particular situation, to object to this processing with effect for the future. If you exercise your right to object, we will stop the processing of the data concerned. However, further processing remains reserved if we can demonstrate compelling legitimate reasons for processing that outweigh your interests, fundamental rights and fundamental freedoms, or if the processing serves the purpose of asserting, exercising or defending legal claims. If your personal data are processed by us for direct advertising, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising. You can exercise the objection as described above.

14. Duration of storage of personal data
The duration of the storage of personal data is based on the respective legal retention period (e.g. commercial and tax retention periods). After this period has expired, the corresponding data are routinely deleted if they are no longer required to fulfill the contract or to initiate a contract and / or we no longer have a legitimate interest in their continued storage.

15. Questions and tips
If you have any further questions about data protection on our online shop, you can contact us via email at info@xtwostore.com. We will do our best to answer your questions as accurately as possible. Use of our online shop is always subject to the version of the privacy policy available online at the time of your visit. We reserve the right to change this privacy policy at any time in accordance with applicable data protection regulations. If you have provided us with personal data on your own initiative, we will inform you of the changed terms and conditions appropriately, e.g. by email, within a reasonable period of time before the changes take effect. You can visit our online shop regularly to keep track of any changes. Unless otherwise stated, the use of any information we hold about you is subject to this Privacy Policy.

As at: 09.07.2018