Privacy Policy

1. Responsible person


The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection regulations is:

Nessensohn GmbH

Steigäcker 6

D-88454 Hochdorf

Telephone: 49 7355 93389-0

Fax: 49 7355 93389-99

Email: info@nessensohn.com

Website: www.nessensohn.gmbh

Managing Directors authorized to represent the company: Alexandra Völkle, Olaf Nessensohn


2. Data Protection Contact Person


For questions regarding data protection, please contact:

Thomas Bucher

Email: datenschutz@nessensohn.com

We do not have a legally appointed data protection officer. For questions regarding data protection or to exercise your data subject rights, please contact us directly.



3. General information on data processing


3.1 Scope of processing personal data

We generally process our users' personal data only to the extent necessary for providing a functional website and our content and services. As a rule, personal data is processed only with the user's consent. An exception applies in cases where obtaining prior consent is not possible for practical reasons and the processing of the data is permitted by law.


3.2 Legal basis

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6(1)(a) GDPR serves as the legal basis.

When processing personal data necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations necessary for carrying out pre-contractual measures.

Where processing is necessary for compliance with a legal obligation, Article 6(1)(c) GDPR serves as the legal basis.

If processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, and the interests or fundamental rights and freedoms of the data subject do not override those interests, then Article 6(1)(f) GDPR serves as the legal basis for the processing.


3.3 Data deletion and storage period

The personal data of the data subject will be erased or blocked as soon as the purpose of storage no longer applies. Storage may also take place if this is provided for by the European or national legislator in EU regulations, laws, or other provisions to which the controller is subject. Data will also be blocked or erased when a storage period prescribed by the aforementioned regulations expires, unless further storage of the data is necessary for the conclusion or performance of a contract.


4. Provision of the website and creation of log files


4.1 Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing device. The following data is collected:

  • User's IP address (anonymized)
  • Date and time of access
  • Websites from which the user's system accessed our website
  • Websites accessed by the user's system via our website
  • Browser type and version
  • User's operating system
  • User's Internet service provider

This data is stored in our system's log files. This data is not stored together with other personal data of the user.


4.2 Legal basis

The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR. Our legitimate interest lies in ensuring the technical operation of the website.


4.3 Storage duration

The data is deleted as soon as it is no longer needed for the purpose for which it was collected. In the case of data collected for the provision of the website, this is the case when the respective session ends. Log files are deleted after 14 days at the latest.


5. SSL encryption


This site uses SSL encryption for security reasons and to protect the transmission of confidential information, such as inquiries you send to us as the site operator. You can recognize an encrypted connection by the fact that the browser's address bar changes from "http://" to "https://" and by the padlock icon in your browser's address bar.

When SSL encryption is enabled, the data you send to us cannot be read by third parties.


6. Contact form and email contact


6.1 Description and scope of data processing

Our website includes a contact form that can be used to contact us electronically. If a user chooses to use this form, the data entered will be transmitted to us and stored. This data includes:

  • Name
  • E-mail address
  • Message
  • Phone number (if applicable)

The following data is also stored at the time the message is sent: the user's IP address and the date and time of registration.

Your consent for the processing of your data will be obtained during the submission process, and you will be referred to this privacy policy.

Alternatively, you can contact us via the provided email address. In this case, the personal data you transmit with your email will be stored.


6.2 Legal basis

The legal basis for processing data when the user has given consent is Article 6(1)(a) GDPR. The legal basis for processing data transmitted in the course of sending an email is Article 6(1)(f) GDPR. If the email contact aims at concluding a contract, the additional legal basis for processing is Article 6(1)(b) GDPR.


6.3 Storage duration

The data will be deleted as soon as it is no longer required for the purpose for which it was collected. For personal data from the contact form and data transmitted by email, this is the case when the respective conversation with the user has ended. A conversation is considered ended when it is clear from the circumstances that the matter in question has been resolved. Where statutory retention obligations under tax or commercial law exist (Section 147 of the German Fiscal Code, Sections 238 et seq. of the German Commercial Code), the storage period is up to 10 years.


7. Online shop and contract processing


7.1 Description and scope of data processing

We operate an online shop at www.nessensohn.gmbh. In connection with ordering and contract processing, we process the following personal data:

  • First and Last Name
  • Delivery address and billing address
  • E-mail address
  • Telephone number (optional)
  • Order details (items, quantities, prices)
  • Payment details (transferred directly to the payment service provider Stripe)


7.2 Legal basis

The processing is based on Art. 6 para. 1 lit. b GDPR (performance of a contract) and Art. 6 para. 1 lit. c GDPR (compliance with legal obligations, e.g. bookkeeping obligations pursuant to §§ 238 ff. HGB, § 147 AO).


7.3 Storage duration

Order data is stored in accordance with statutory retention periods (up to 10 years for tax purposes, up to 6 years for commercial purposes). After these periods have expired, the data is routinely deleted unless it is still required for the fulfillment of the contract.


8. Passwordless login (Magic Link)


8.1 Description and scope of data processing

Our shop offers passwordless login via a so-called "Magic Link." Simply enter your email address. You will then receive an email with a temporary login link, which, once clicked, will automatically log you into your customer account. No password is saved.

Data processed: Email address, timestamp of the request, IP address (for security purposes). The login link is time-limited and expires after a single use.


8.2 Legal basis

The legal basis is Art. 6 para. 1 lit. b GDPR (performance of a contract, provision of the customer account) and Art. 6 para. 1 lit. f GDPR (legitimate interest in secure authentication).


8.3 Storage duration

Unused Magic Links are automatically deleted after their expiration date. The email address is stored for as long as the customer account exists. After the account is deleted, all associated data is also deleted.


9. Online cancellation form


9.1 Description and scope of data processing

In accordance with § 356a BGB (as amended on 19.06.2026), we provide you with an electronic cancellation form, which you can use to declare your cancellation directly via our website (www.nessensohn.gmbh/widerrufsformular).

When you use the cancellation form, we process the following personal data:

  • First and Last Name
  • Address (street, house number, postal code, city)
  • E-mail address
  • Type of contract (delivery of goods / service)
  • Order number or order date/description
  • Reason for cancellation (optional)
  • Date and time the form was submitted (automatically recorded timestamp)

The data submitted via this form will be sent to us by email and automatically forwarded to your specified email address as confirmation of receipt. The timestamp of the confirmation of receipt documents the timely receipt of your cancellation notice.


9.2 Legal basis

The processing is based on Art. 6 para. 1 lit. c GDPR (compliance with a legal obligation) in conjunction with § 356a BGB as well as Art. 6 para. 1 lit. b GDPR (processing of the cancellation as a contractual obligation).


9.3 Storage duration

Cancellation data is stored as proof of proper cancellation processing in accordance with the commercial and tax law retention periods for at least 3 years, and up to 10 years in connection with tax-relevant booking transactions.

Your cancellation data will not be passed on to third parties unless this is necessary for processing your order (e.g., returning goods).


10. Payment processing via Stripe


10.1 Description and scope of data processing

We use the payment service provider Stripe to process payments in our online shop. When you make a payment via Stripe, your payment details (e.g., credit card information, bank account details) are transmitted directly to Stripe. We do not store any complete payment data ourselves.

The following data will be transmitted to Stripe:

  • Name and billing address
  • E-mail address
  • Order amount and order reference
  • Payment information (directly to Stripe, not to us)
  • IP address (for fraud detection purposes by Stripe)


10.2 Providers

The Stripe entities responsible for users in Germany (EEA) are:

Contract partner (DPA):

Stripe Payments Europe, Limited (SPEL)

1 Grand Canal Street Lower, Dublin 2, Ireland

Email: privacy@stripe.com

Regulated Payment Services (EEA):

Stripe Technology Europe, Limited (STEL)

1 Wilton Park, Wilton Place, Dublin 2, D02 FX04, Ireland

Stripe's privacy policy can be found at: https://stripe.com/de/privacy


10.3 Legal basis

The legal basis for the transfer of data is Article 6(1)(b) GDPR (performance of a contract). A data processing agreement pursuant to Article 28 GDPR exists with Stripe.


10.4 Third-country transfer

Stripe may transfer data to the USA. The basis for data transfers to third countries is the EU Standard Contractual Clauses (SCCs) pursuant to Art. 46 para. 2 lit. c GDPR. Stripe LLC is also certified under the EU-US Data Privacy Framework (Adequacy Decision of the EU Commission of 10 July 2023).


10.5 Right to object

You can object to the processing of your data by Stripe, insofar as Stripe acts as an independent data controller. Further information can be found in Stripe's privacy policy: https://stripe.com/de/privacy


11. Payment processing via PayPal


11.1 Description and scope of data processing

On our website, we offer payment via the PayPal payment service. If you choose PayPal as your payment method, the data required for processing the payment will be transmitted to PayPal. This includes, in particular:

  • First and Last Name
  • Billing address and, if applicable, delivery address
  • E-mail address
  • Order amount and order reference
  • IP address (collected by PayPal for fraud detection)

The provider of the payment service for the European area is:

PayPal (Europe) S.à r.l. et Cie, S.C.A.

22-24 Boulevard Royal, L-2449 Luxembourg

Website: www.paypal.com/de/webapps/mpp/ua/privacy-full


11.2 Independent responsibility

PayPal is not a data processor within the meaning of Article 4 No. 8 GDPR, but rather the independent controller of the data it collects. The processing of personal data by PayPal is governed exclusively by PayPal's privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full


11.3 Legal basis

The legal basis for transferring your data to PayPal is Article 6(1)(b) GDPR (performance of a contract). This transfer only occurs if you select PayPal as your payment method.


11.4 Third-country transfer

PayPal may transfer data to the USA and other third countries. PayPal relies on Binding Corporate Rules and EU Standard Contractual Clauses pursuant to Art. 46 para. 2 lit. c GDPR for this purpose.


12. Newsletter


12.1 Description and scope of data processing

You can subscribe to a free newsletter on our website. When you subscribe, the data you enter in the registration form will be transmitted to us:

  • E-mail address
  • Name (optional)

Your consent for data processing will be obtained during the registration process, and you will be referred to this privacy policy. In connection with data processing for sending newsletters, your data will not be shared with third parties. The data will be used exclusively for sending the newsletter.


12.2 Legal basis

The legal basis for processing the data after registration for the newsletter by the user is, if the user has given consent, Art. 6 para. 1 lit. a GDPR.


12.3 Storage period / Revocation of consent

The data will be deleted as soon as it is no longer needed for the purpose for which it was collected. The user's email address will therefore be stored for as long as the newsletter subscription is active. Other personal data collected during the registration process will generally be deleted after seven days.

The newsletter subscription can be cancelled by the user at any time. A corresponding link can be found in every newsletter for this purpose.


13. Google Analytics 4


13.1 Description and scope of data processing

Our website uses Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Analytics 4 uses technologies (including cookies and similar storage technologies) that enable an analysis of your use of the website.

GA4 is used on this website with the tracking ID G-D5M51Z98LR.

The following data, among others, may be collected:

  • Page views and visited subpages
  • Time spent on the website
  • Visitor origin (referrer URL)
  • Approximate location (region/country, not exact GPS coordinates)
  • Technical information about browser, device and operating system
  • Interactions on the website (scroll depth, clicks, downloads)
  • IP address (automatically shortened – last octet in IPv4 is set to 0)

IP anonymization is enabled by default in Google Analytics 4. Your IP address is shortened by Google within the EU/EEA before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.

The information generated by GA4 about your use of this website is usually transmitted to and stored on a Google server in the USA.


13.2 Data processing on our behalf

We have concluded a data processing agreement with Google in accordance with Article 28 of the GDPR. Google processes the data on our behalf to compile reports on website activity.

The recipients of the data are:

  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Data Processor)
  • Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA


13.3 Third-country transfer

Google LLC is certified under the EU-US Data Privacy Framework (Adequacy Decision of the EU Commission of 10 July 2023). Since Google servers are distributed worldwide and a transfer to other third countries cannot be completely ruled out, we have also concluded the EU Standard Contractual Clauses (SCCs) with Google pursuant to Art. 46 para. 2 lit. c GDPR.


13.4 Legal basis and consent (§ 25 TTDSG)

The use of Google Analytics version 4 is based on your consent in accordance with Article 6 Paragraph 1 Letter a GDPR and Section 25 Paragraph 1 TTDSG. Consent is obtained via our cookie banner upon your first visit to our website. Google Analytics will only be activated after your explicit consent.


13.5 Storage duration

User and event data in Google Analytics 4 are automatically deleted after 14 months. The maximum lifespan of cookies set by GA4 is 2 years (_ga cookie). Data whose retention period has expired is automatically deleted once a month.


13.6 Revocation of consent / Opt-out

You can withdraw your consent at any time with effect for the future by accessing our cookie settings and changing your selection there. The lawfulness of the processing carried out on the basis of the consent until its withdrawal remains unaffected.

Alternatively, you can prevent tracking by Google Analytics by downloading and installing the browser add-on to deactivate Google Analytics (https://tools.google.com/dlpage/gaoptout), or by rejecting all cookies in your browser.

For more information about Google's privacy policy, please visit: https://policies.google.com/privacy


14. Google Ads


14.1 Description and scope of data processing

Our website uses Google Ads (formerly Google AdWords), an online advertising service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ads allows us to place advertisements on the Google search network and on partner websites. This service uses conversion tracking, which places a cookie when a user clicks on one of our Google ads.

The information generated by this cookie (pseudonymous, no real name) is transmitted to Google and used to evaluate the effectiveness of our advertising campaigns. We only receive information about the total number of users who clicked on our ad and were redirected to a page with a conversion tracking tag.


14.2 Legal basis

The legal basis is your consent pursuant to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, which is obtained via our cookie banner.


14.3 Third-country transfer

Google LLC is certified under the EU-US Data Privacy Framework. For transfers to other third countries, EU Standard Contractual Clauses pursuant to Art. 46 para. 2 lit. c GDPR have been agreed upon.


14.4 Opt-out / Withdrawal of consent

You can prevent the storage of cookies by adjusting your browser settings accordingly. You can also disable ad personalization in your Google settings at https://adssettings.google.com. You can withdraw your consent at any time via our cookie settings.

Further information on data protection at Google: https://policies.google.com/privacy


15. Shipping service provider


15.1 Parcel shipping – GLS

For the parcel shipping of ordered goods, we use the following parcel service provider:

General Logistics Systems Germany GmbH & Co. OHG

GLS-Germany-Straße 1–7, 36286 Neuenstein

Website: www.gls-group.com

To fulfill your shipping order, we will transmit your name, delivery address, and, if applicable, your email address and telephone number to GLS so that the delivery can be carried out properly and you can be informed about the delivery status.

The legal basis is Article 6(1)(b) GDPR (performance of a contract). A data processing agreement pursuant to Article 28 GDPR exists with GLS.


15.2 Freight forwarding – Grieshaber Logistik

For the shipment of bulky or heavy goods via freight forwarding, we work with the following service provider:

Grieshaber Logistik GmbH

To fulfill the shipping order, we will forward your name, delivery address and, if applicable, your email address and telephone number to Grieshaber Logistik so that the delivery can be properly coordinated and carried out.

The legal basis is Article 6(1)(b) GDPR (performance of a contract). A data processing agreement pursuant to Article 28 GDPR exists with Grieshaber Logistik GmbH.


16. Credit check


16.1 Description and scope of data processing

To protect against payment defaults, we may obtain a credit report about you from Creditreform Boniversum GmbH (Hellersbergstraße 11, 41460 Neuss). Your name, address, and, if applicable, your date of birth will be transmitted to Creditreform.

The result of the credit check influences whether and to what extent certain payment methods (e.g., purchase on account) are offered.


16.2 Legal basis

The legal basis is Article 6(1)(f) GDPR. Our legitimate interest lies in protecting against payment defaults. This information is only requested if you select a corresponding payment method.


17. Rights of the data subject


If your personal data is being processed, you are a data subject within the meaning of the GDPR and you have the following rights against the controller:


17.1 Right of access

You can request confirmation from the controller as to whether personal data concerning you is being processed by us (Art. 15 GDPR).


17.2 Right to rectification

You have the right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is inaccurate or incomplete (Art. 16 GDPR).


17.3 Right to restriction of processing

Under the conditions set out in Article 18 GDPR, you can request the restriction of the processing of your personal data.


17.4 Right to erasure

You can request that the controller delete your personal data without undue delay if one of the grounds listed in Article 17 of the GDPR applies.


17.5 Right to notification

If you have asserted your right to rectification, erasure or restriction of processing against the controller, the controller is obliged to communicate this rectification or erasure of data or restriction of processing to all recipients to whom the personal data concerning you have been disclosed (Art. 19 GDPR).


17.6 Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format (Art. 20 GDPR).


17.7 Right to object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) of the GDPR (Article 21 GDPR). We will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing.

If personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing.


17.8 Right to withdraw consent

You have the right to withdraw your consent to data processing at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal (Art. 7 para. 3 GDPR).


17.9 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR (Art. 77 GDPR).

The responsible supervisory authority for Baden-Württemberg is:

The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg

Lautenschlagerstraße 20

70173 Stuttgart

Telephone: 49 711 615541-0

Email: poststelle@lfdi.bwl.de

Website: www.lfdi.bwl.de


18. Asserting your rights


To assert your rights, contact:

Nessensohn GmbH

Attn: Data Protection

Steigäcker 6, D-88454 Hochdorf

Email: datenschutz@nessensohn.com

Telephone: 49 7355 93389-0

For faster processing, we kindly ask you to submit your request preferably by email and to prove your identity with suitable documents.


19. Note on cross-border sales within the EU


We also deliver goods to other EU member states. The GDPR applies uniformly throughout the European Union, so customers from other EU countries enjoy the same data protection rights as German customers.

The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI BW) remains the competent data protection supervisory authority for our company as the lead supervisory authority pursuant to Art. 56 GDPR.

Customers from other EU member states can choose to assert their data subject rights either by contacting us directly (datenschutz@nessensohn.com) or by contacting the competent data protection authority in their country of residence.