Privacy Policy
1. Responsible person
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection regulations is:
Nessensohn GmbH
Steigäcker 6
D-88454 Hochdorf
Telephone: 49 7355 93389-0
Fax: 49 7355 93389-99
Email: info@nessensohn.com
Website: www.nessensohn.gmbh
Managing Directors authorized to represent the company: Alexandra Völkle, Olaf Nessensohn
2. Data Protection Contact Person
For questions regarding data protection, please contact:
Thomas Bucher
Email: datenschutz@nessensohn.com
We do not have a legally appointed data protection officer. For questions regarding data protection or to exercise your data subject rights, please contact us directly.
3. General information on data processing
3.1 Scope of processing personal data
We generally process our users' personal data only to the extent necessary for providing a functional website and our content and services. Personal data is regularly processed only with the user's consent. An exception applies in cases where obtaining prior consent is not possible for practical reasons and the processing of the data is permitted by law.
3.2 Legal basis
Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6(1)(a) GDPR serves as the legal basis.
When processing personal data necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations necessary for carrying out pre-contractual measures.
Where processing is necessary for compliance with a legal obligation, Article 6(1)(c) GDPR serves as the legal basis.
If processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, and the interests or fundamental rights and freedoms of the data subject do not override those interests, then Article 6(1)(f) GDPR serves as the legal basis for the processing.
3.3 Data deletion and storage period
The personal data of the data subject will be erased or blocked as soon as the purpose of storage no longer applies. Storage may also take place if this is provided for by European or national legislation in EU regulations, laws, or other provisions to which the controller is subject. Data will also be blocked or erased when a storage period prescribed by the aforementioned regulations expires, unless further storage of the data is necessary for the conclusion or performance of a contract.
4. Provisioning the website and creating log files
4.1 Description and scope of data processing
Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing device. The following data is collected:
- User's IP address (anonymized)
- Date and time of access
- Websites from which the user's system accessed our website
- Websites accessed by the user's system via our website
- Browser type and version
- User's operating system
- User's Internet service provider
This data is stored in our system's log files. This data is not stored together with other personal data of the user.
4.2 Legal basis
The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR. Our legitimate interest lies in ensuring the technical operation of the website.
4.3 Storage duration
The data is deleted as soon as it is no longer needed for the purpose for which it was collected. In the case of data collected for the provision of the website, this is the case when the respective session ends. Log files are deleted after 14 days at the latest.
5. SSL encryption
This site uses SSL encryption for security reasons and to protect the transmission of confidential information, such as inquiries you send to us as the site operator. You can recognize an encrypted connection by the fact that the browser's address bar changes from "http://" to "https://" and by the padlock icon in your browser's address bar.
When SSL encryption is enabled, the data you send to us cannot be read by third parties.
6. Contact form and email contact
6.1 Description and scope of data processing
Our website includes a contact form that can be used to contact us electronically. If a user chooses to use this form, the data entered will be transmitted to us and stored. This data includes:
- name
- e-mail address
- Message
- Phone number (if applicable)
The following data is also stored at the time the message is sent: the user's IP address and the date and time of registration.
Your consent for the processing of your data will be obtained during the submission process, and you will be referred to this privacy policy.
Alternatively, you can contact us via the provided email address. In this case, the personal data you transmit with your email will be stored.
6.2 Legal basis
The legal basis for processing data when the user has given consent is Article 6(1)(a) GDPR. The legal basis for processing data transmitted in the course of sending an email is Article 6(1)(f) GDPR. If the email contact aims at concluding a contract, the additional legal basis for processing is Article 6(1)(b) GDPR.
6.3 Storage duration
The data will be deleted as soon as it is no longer required for the purpose for which it was collected. For personal data from the contact form and data transmitted by email, this is the case when the respective conversation with the user has ended. A conversation is considered ended when it is clear from the circumstances that the matter in question has been resolved. Where statutory retention obligations under tax or commercial law exist (Section 147 of the German Fiscal Code, Sections 238 et seq. of the German Commercial Code), the storage period is up to 10 years.
7. Online shop and contract processing
7.1 Description and scope of data processing
We operate an online shop at www.nessensohn.gmbh. In connection with ordering and contract processing, we process the following personal data:
- First and Last Name
- Delivery address and billing address
- E-mail address
- Telephone number (optional)
- Order details (items, quantities, prices)
- Payment details (are transferred directly to the payment service provider Stripe)
7.2 Legal basis
The processing is based on Art. 6 para. 1 lit. b GDPR (performance of a contract) and Art. 6 para. 1 lit. c GDPR (compliance with legal obligations, e.g. bookkeeping obligations pursuant to §§ 238 ff. HGB, § 147 AO).
7.3 Storage duration
Order data is stored in accordance with statutory retention periods (up to 10 years for tax purposes, up to 6 years for commercial purposes). After these periods have expired, the data is routinely deleted unless it is still required for the fulfillment of the contract.
8. Passwordless login (Magic Link)
8.1 Description and scope of data processing
Our shop offers passwordless login via a so-called "Magic Link." Simply enter your email address. You will then receive an email with a temporary login link, which, once clicked, will automatically log you into your customer account. No password is saved.
Data processed: Email address, timestamp of the request, IP address (for security purposes). The login link is time-limited and expires after a single use.
8.2 Legal basis
The legal basis is Art. 6 para. 1 lit. b GDPR (performance of a contract, provision of the customer account) and Art. 6 para. 1 lit. f GDPR (legitimate interest in secure authentication).
8.3 Storage duration
Unused Magic Links are automatically deleted after their expiration date. The email address is stored for as long as the customer account exists. After the account is deleted, all associated data is also deleted.
9. Online cancellation form
9.1 Description and scope of data processing
In accordance with § 356a BGB (as amended on 19.06.2026), we provide you with an electronic cancellation form, which you can use to declare your cancellation directly via our website (www.nessensohn.gmbh/widerrufsformular).
When you use the cancellation form, we process the following personal data:
- First and Last Name
- Address (street, house number, postal code, city)
- E-mail address
- Type of contract (delivery of goods / service)
- Order number or order date/description
- Reason for revocation (voluntary)
- Date and time the form was submitted (automatically recorded timestamp)
The data submitted via this form will be sent to us by email and automatically forwarded to your specified email address as confirmation of receipt. The timestamp of the confirmation of receipt documents the timely receipt of your cancellation notice.
9.2 Legal basis
The processing is based on Art. 6 para. 1 lit. c GDPR (compliance with a legal obligation) in conjunction with § 356a BGB as well as Art. 6 para. 1 lit. b GDPR (processing of the revocation as a contractual obligation).
9.3 Storage duration
Cancellation data is stored as proof of proper cancellation processing in accordance with the commercial and tax law retention periods for at least 3 years, and up to 10 years in connection with tax-relevant booking transactions.
Your cancellation data will not be passed on to third parties unless this is necessary for processing your order (e.g., returning goods).
10. Payment processing via Stripe
10.1 Description and scope of data processing
We use the payment service provider Stripe to process payments in our online shop. When you make a payment via Stripe, your payment details (e.g., credit card information, bank account details) are transmitted directly to Stripe. We do not store any complete payment data ourselves.
The following data will be transmitted to Stripe:
- Name and billing address
- E-mail address
- Order amount and order reference
- Payment information (directly to Stripe, not to us)
- IP address (for fraud detection purposes by Stripe)
10.2 Providers
Stripe's responsible bodies for users in Germany (EEA):
Contract partner (DPA):
Stripe Payments Europe, Limited (SPEL)
1 Grand Canal Street Lower, Dublin 2, Ireland
Email: privacy@stripe.com
Regulated Payment Services (EEA):
Stripe Technology Europe, Limited (STEL)
1 Wilton Park, Wilton Place, Dublin 2, D02 FX04, Ireland
Stripe's privacy policy can be found at: https://stripe.com/de/privacy
10.3 Legal basis
The legal basis for the transfer of data is Article 6(1)(b) GDPR (performance of a contract). A data processing agreement pursuant to Article 28 GDPR exists with Stripe.
10.4 Third-country transfer
Stripe may transfer data to the USA. The basis for data transfers to third countries is the EU Standard Contractual Clauses (SCCs) pursuant to Art. 46 para. 2 lit. c GDPR. Stripe LLC is also certified under the EU-US Data Privacy Framework (Adequacy Decision of the EU Commission of 10 July 2023).
10.5 Right to object
You can object to the processing of your data by Stripe, insofar as Stripe acts as an independent data controller. Further information can be found in Stripe's privacy policy: https://stripe.com/de/privacy
11. Payment processing via PayPal
11.1 Description and scope of data processing
On our website, we offer payment via the PayPal payment service. If you choose PayPal as your payment method, the data required for processing the payment will be transmitted to PayPal. This includes, in particular:
- First and Last Name
- Billing address and, if applicable, delivery address
- E-mail address
- Order amount and order reference
- IP address (collected by PayPal for fraud detection)
The provider of the payment service for the European area is:
PayPal (Europe) S.à r.l. et Cie, S.C.A.
22-24 Boulevard Royal, L-2449 Luxembourg
Website: www.paypal.com/de/webapps/mpp/ua/privacy-full
11.2 Independent responsibility
PayPal is not a data processor within the meaning of Article 4 No. 8 GDPR, but rather the independent controller of the data it collects. The processing of personal data by PayPal is governed exclusively by PayPal's privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full
11.3 Legal basis
The legal basis for transferring your data to PayPal is Article 6(1)(b) GDPR (performance of a contract). This transfer only occurs if you select PayPal as your payment method.
11.4 Third-country transfer
PayPal may transfer data to the USA and other third countries. PayPal relies on Binding Corporate Rules and EU Standard Contractual Clauses pursuant to Art. 46 para. 2 lit. c GDPR for this purpose.
12. Newsletter
12.1 Description and scope of data processing
You can subscribe to a free newsletter on our website. When you subscribe, the data you enter in the registration form will be transmitted to us:
- E-mail address
- Name (optional)
Your consent for data processing will be obtained during the registration process, and you will be referred to this privacy policy. In connection with data processing for sending newsletters, your data will not be shared with third parties. The data will be used exclusively for sending the newsletter.
12.2 Legal basis
The legal basis for processing the data after registration for the newsletter by the user is, if the user has given consent, Art. 6 para. 1 lit. a GDPR.
12.3 Storage period / Revocation of consent
The data will be deleted as soon as it is no longer needed for the purpose for which it was collected. The user's email address will therefore be stored for as long as the newsletter subscription is active. Other personal data collected during the registration process will generally be deleted after seven days.
The newsletter subscription can be cancelled by the user at any time. A corresponding link can be found in every newsletter for this purpose.
13. Google Analytics 4
13.1 Description and scope of data processing
Our website uses Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Analytics 4 uses technologies (including cookies and similar storage technologies) that enable an analysis of your use of the website.
GA4 is used on this website with the tracking ID G-D5M51Z98LR.
The following data, among others, may be collected:
- Page views and visited subpages
- Time spent on the website
- Visitor origin (referrer URL)
- Approximate location (region/country, not exact GPS coordinates)
- Technical information about browser, device and operating system
- Interactions on the website (scroll depth, clicks, downloads)
- IP address (automatically shortened – last octet in IPv4 is set to 0)
IP anonymization is enabled by default in Google Analytics 4. Your IP address is shortened by Google within the EU/EEA before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.
The information generated by GA4 about your use of this website is usually transmitted to and stored on a Google server in the USA.
13.2 Data processing on our behalf
We have concluded a data processing agreement with Google in accordance with Article 28 of the GDPR. Google processes the data on our behalf to compile reports on website activity.
The recipients of the data are:
- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Data Processor)
- Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
13.3 Third-country transfer
Google LLC is certified under the EU-US Data Privacy Framework (Adequacy Decision of the EU Commission of 10 July 2023). Since Google servers are distributed worldwide and a transfer to other third countries cannot be completely ruled out, we have also concluded the EU Standard Contractual Clauses (SCCs) with Google pursuant to Art. 46 para. 2 lit. c GDPR.
13.4 Legal basis and consent (§ 25 TTDSG)
The use of Google Analytics version 4 is based on your consent in accordance with Article 6 Paragraph 1 Letter a GDPR and Section 25 Paragraph 1 TTDSG. Consent is obtained via our cookie banner upon your first visit to our website. Google Analytics will only be activated after your explicit consent.
13.5 Storage duration
User and event data in Google Analytics 4 are automatically deleted after 14 months. The maximum lifespan of cookies set by GA4 is 2 years (_ga cookie). Data whose retention period has expired is automatically deleted once a month.
13.6 Revocation of consent / Opt-out
You can withdraw your consent at any time with effect for the future by accessing our cookie settings and changing your selection there. The lawfulness of the processing carried out on the basis of the consent until its withdrawal remains unaffected.
Alternatively, you can prevent tracking by Google Analytics by downloading and installing the browser add-on to deactivate Google Analytics (https://tools.google.com/dlpage/gaoptout), or by rejecting all cookies in your browser.
For more information about Google's privacy policy, please visit: https://policies.google.com/privacy
14. Google Ads
14.1 Description and scope of data processing
Our website uses Google Ads (formerly Google AdWords), an online advertising service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ads allows us to place advertisements on the Google search network and on partner websites. This service uses conversion tracking, which places a cookie when a user clicks on one of our Google ads.
The information generated by this cookie (pseudonym, no real name) is transmitted to Google and used to evaluate the effectiveness of our advertising campaigns. We only receive information about the total number of users who clicked on our ad and were redirected to a page with a conversion tracking tag.
14.2 Legal basis
The legal basis is your consent pursuant to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, which is obtained via our cookie banner.
14.3 Third-country transfer
Google LLC is certified under the EU-US Data Privacy Framework. For transfers to other third countries, EU Standard Contractual Clauses pursuant to Art. 46 para. 2 lit. c GDPR have been agreed upon.
14.4 Opt-Out / Cancellation
You can prevent the storage of cookies by adjusting your browser settings accordingly. You can also disable ad personalization in your Google settings at https://adssettings.google.com. You can withdraw your consent at any time via our cookie settings.
Further information on data protection at Google: https://policies.google.com/privacy
15. Shipping service provider
15.1 Parcel shipping – GLS
For the parcel shipping of ordered goods, we use the following parcel service provider:
General Logistics Systems Germany GmbH & Co. OHG
GLS-Germany-Straße 1–7, 36286 Neuenstein
Website: www.gls-group.com
To fulfill your shipping order, we will transmit your name, delivery address, and, if applicable, your email address and telephone number to GLS so that the delivery can be carried out properly and you can be informed about the delivery status.
The legal basis is Article 6(1)(b) GDPR (performance of a contract). A data processing agreement pursuant to Article 28 GDPR exists with GLS.
15.2 Freight forwarding – Grieshaber Logistics
For the shipment of bulky or heavy goods via freight forwarding, we work with the following service provider:
Grieshaber Logistik GmbH
To fulfill the shipping order, we will forward your name, delivery address and, if applicable, your email address and telephone number to Grieshaber Logistik so that the delivery can be properly coordinated and carried out.
The legal basis is Article 6(1)(b) GDPR (performance of a contract). A data processing agreement pursuant to Article 28 GDPR exists with Grieshaber Logistik GmbH.
16. Credit check
16.1 Description and scope of data processing
To protect against payment defaults, Creditreform Boniversum GmbH (Hellersbergstraße 11, 41460 Neuss) may obtain a credit report about you. Your name, address, and, if applicable, your date of birth will be transmitted to Creditreform.
The result of the credit check influences whether and to what extent certain payment methods (e.g., purchase on account) are offered.
16.2 Legal basis
The legal basis is Article 6(1)(f) GDPR. Our legitimate interest lies in protecting against payment defaults. This information is only requested if you select a corresponding payment method.
17. Rights of the data subject
If your personal data is being processed, you are a data subject within the meaning of the GDPR and you have the following rights against the controller:
17.1 Right to information
You can request confirmation from the controller as to whether personal data concerning you is being processed by us (Art. 15 GDPR).
17.2 Right to rectification
You have the right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is inaccurate or incomplete (Art. 16 GDPR).
17.3 Right to restriction of processing
Under the conditions set out in Article 18 GDPR, you can request the restriction of the processing of your personal data.
17.4 Right to erasure
You can request that the controller delete your personal data without undue delay if one of the grounds listed in Article 17 of the GDPR applies.
17.5 Right to notification
If you have asserted your right to rectification, erasure or restriction of processing against the controller, the controller is obliged to communicate this rectification or erasure of data or restriction of processing to all recipients to whom the personal data concerning you have been disclosed (Art. 19 GDPR).
17.6 Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format (Art. 20 GDPR).
17.7 Right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) of the GDPR (Article 21 GDPR). We will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing.
If personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing.
17.8 Right to withdraw consent
You have the right to withdraw your consent to data processing at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal (Art. 7 para. 3 GDPR).
17.9 Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR (Art. 77 GDPR).
The responsible supervisory authority for Baden-Württemberg is:
The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart
Telephone: 49 711 615541-0
Email: poststelle@lfdi.bwl.de
Website: www.lfdi.bwl.de
18. Asserting your rights
To assert your rights, contact:
Nessensohn GmbH
Attn: Data Protection
Steigäcker 6, D-88454 Hochdorf
Email: datenschutz@nessensohn.com
Telephone: 49 7355 93389-0
For faster processing, we kindly ask you to submit your request preferably by email and to prove your identity with suitable documents.
19. Note on cross-border sales within the EU
We also deliver goods to other EU member states. The GDPR applies uniformly throughout the European Union, so customers from other EU countries enjoy the same data protection rights as German customers.
The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI BW) remains the competent data protection supervisory authority for our company as the lead supervisory authority pursuant to Art. 56 GDPR.
Customers from other EU member states can choose to assert their data subject rights either by contacting us directly (datenschutz@nessensohn.com) or by contacting the competent data protection authority in their country of residence.
