PRIVACY POLICY
Data protection notice for www.ooka.com
Preamble
We, Ooka GmbH, take the protection of your personal data seriously and would like to inform you here about the processing of your personal data when visiting, registering with and concluding contracts via our website www.ooka.com. Moreover, we would like to inform you about the rights you may have in connection with the processing of your personal data.
The processing of your personal data is governed by the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and other applicable data protection law. With this declaration ("data protection notice"), we inform you about the way in which your personal data is processed by us in accordance with Art. 13 and 14 GDPR.
Content:
A. In general
(1) Definitions of terms
(2) Name and contact details of the controller responsible for processing
(3) Legal bases for data processing
(4) Data erasure and storage duration
(5) Cooperation with processors
(6) Profiling of user profiles
(7) Requirements for the transfer of personal data to third countries
(8) Legal obligation to transfer certain data
(9) Your rights
(10) Changes to the data protection notice
B. Visiting websites
(1) Explanation of the function
(2) Processed personal data
(3) Purpose and legal basis of data processing
(4) Duration of data processing
(5) Transfer of personal data to third parties; basis for justification
(6) Use of cookies, plugins and other services on our website
C. Purchasing in our webstore
(1) Use of data for the performance of a contract
(2) Data storage, customer account
(3) Making contact
(4) Use of data for advertising
(5) Identity and credit check and scoring
(6) Withdrawal and objection to advertising
A. In general
(1) Definitions of terms
Following the example of Art. 4 GDPR, this data protection notice is based on the following definitions:
– ‘personal data’ (Art. 4 No. 1 GDPR) means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
– ‘processing’ (Art. 4 No. 2 GDPR) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
– ‘restriction of processing’ (Art. 4 No. 3 GDPR) means the marking of stored personal data with the aim of limiting their processing in the future;
– ‘profiling’ (Art. 4 No. 4 GDPR) means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
– ‘controller’ (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
– ‘processor’ (Art. 4 No. 8 GDPR) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
– ‘third party’ (Art. 4 No. 10 GDPR) means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
– ‘consent’ (Art. 4 No. 11 GDPR) of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
(2) Name and contact details of the controller responsible for processing
We, as the controller, are responsible for the processing of your personal data within the meaning of Art. 4 No. 7 GDPR:
Ooka GmbH
Fahrenheitstraße 5, 86899 Landsberg am Lech, Germany
legal@air.global (only) for data protection inquiries
(3) Legal bases for data processing
In principle, any processing of personal data is prohibited by law and is only permitted if the data processing falls under one of the following justifications (also called legal basis):
– Art. 6 para. 1 lit. a GDPR (consent): Where the data subject has voluntarily, in an informed and unambiguous manner, indicated by a statement or other unambiguous affirmative act that he or she consents to the processing of personal data relating to him or her for one or more specific purposes;
– Art. 6 para. 1 lit. b GDPR: If the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
– Art. 6 para. 1 lit. c GDPR: If processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. a statutory retention obligation);
– Art. 6 para. 1 lit. d GDPR: Where processing is necessary in order to protect the vital interests of the data subject or of another natural person;
– Art. 6 para. 1 lit. e GDPR: If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or
– Art. 6 para. 1 lit. f GDPR (legitimate interests): If the processing is necessary for the purposes of the legitimate (in particular legal or economic) interests pursued by the controller or by a third party, except where such interests are overridden by the interests or rights of the data subject which require protection of personal data (in particular where the data subject is a minor).
– The storage of information in the end user's terminal equipment or access to information that is already stored in the terminal equipment is only permitted if it is covered by one of the following justifications:
o Section 25 para. 1 TDDDG (German Telecommunications Digital Services Data Protection Act): If the end user has consented on the basis of clear and comprehensive information. Consent must be given in accordance with Art. 6 para. 1 lit. a GDPR;
o Section 25 para. 2 no. 1 TDDDG: If the sole purpose is to carry out the transmission of a communication over a public telecommunications network or
o Section 25 para. 2 no. 2 TDDDG: If storage or access is absolutely necessary so that the provider of a digital service can provide a digital service expressly requested by the user.
For the processing operations we carry out, we indicate the applicable legal basis in each case below. In principle, processing can also be based on several legal bases.
(4) Data erasure and storage duration
For the processing operations carried out by us, we indicate below how long the data will be stored by us and when it will be deleted or blocked. Unless an explicit storage period is specified below, your personal data will be erased or blocked as soon as the purpose or legal basis for storage no longer applies. Your data will generally only be stored on our servers located in the European Economic Area (EEA), unless otherwise specified (e.g. under A. (7)).
However, your personal data may be stored beyond the specified period in the event of an (impending) legal dispute with you or other legal proceedings or if storage is provided for by statutory provisions to which we are subject as the controller (e.g. Section 257 HGB (German Commercial Code), Section 147 AO (German Fiscal Code)). If archiving is required by law, the data will be blocked for other access. These documents are deleted and destroyed in accordance with applicable data protection law once the statutory retention periods have expired.
If you have consented to the processing of your personal data, we will store and use your data indefinitely until you withdraw your consent or until the purpose for which you gave your consent no longer applies. Thereafter, the consent and processing data will be archived until the statute of limitations (regularly three years) for legal defense purposes (legal basis Art. 17 para. 3 lit. e GDPR).
If you no longer wish to receive advertising from us, we will use your name, address and, if applicable, e-mail address for the purposes of blocking in corresponding lists with which we compare our advertising measures so that you no longer receive any further advertising. Deletion in this sense therefore initially means that your data will be blocked in our systems, in particular to prevent advertising and marketing activities towards you (legal basis Art. 6 para. 1 lit. f GDPR). The data will - if necessary - continue to be processed for purposes other than advertising, for example in the context of contract performance and, if applicable, warranty as well as commercial and tax documentation (legal basis Art. 6 para. 1 lit. b and c GDPR).
(5) Cooperation with processors
As with any large company, we also use external service providers to carry out our business transactions (e.g. for IT, logistics, telecommunications, sales and marketing). These service providers only act in accordance with our instructions and are contractually obliged to comply with data protection regulations within the meaning of Art. 28 GDPR.
If your personal data is passed on by us to our subsidiaries or is passed on to us by our subsidiaries (e.g. for advertising purposes), this is done based on existing data processing agreements.
(6) Profiling of user profiles
We may create pseudonymized user profiles of a statistical nature, i.e. separated from your personal identifiers, in order to be able to draw conclusions about interests in our content and offers through an evaluation and to tailor corresponding information and offers to users with corresponding interests (profiling). We may also use the information to improve data security, to counter attacks on our systems and, if necessary, to support law enforcement authorities in the event of attacks on our systems or other criminal acts.
We use appropriate web analysis tools to analyze user behavior. You can find out more under “Use of cookies, plugins and other services on our website” (see under B. (6)) and under “Withdrawal and objection to advertising” (see under C. (6)).
You can object to the creation of profiles with personal data and the further use of profile data for advertising purposes and withdraw any consent you have given in this regard (see under C. (6)).
(7) Requirements for the transfer of personal data to third countries
As part of our business relationships, your personal data may be passed on or disclosed to third-party companies. These may also be located outside the EEA, i.e. in third countries. Such processing is carried out for the fulfilment of contractual and business obligations and to maintain your business relationship with us (legal basis is Art. 6 para. 1 lit. b or lit. f in each case in conjunction with Art. 44 ff. GDPR).
· For recipients outside the EEA, some of these recipients are located in countries for which an adequacy decision by the European Commission applies (in particular the United Kingdom, Switzerland, the United States of America - for participants in the EU-U.S. Data Privacy Framework program), and therefore an adequate level of data protection can generally be assumed.
· Other recipients outside the EEA may be located in countries that do not offer an adequate level of data protection from the perspective of European data protection law. We will take the necessary measures to ensure that transfers of personal data to countries outside the EEA and processing there are adequately protected. With respect to transfers to countries that do not provide an adequate level of data protection, we will, where legally required, base the transfer on appropriate or suitable safeguards, such as standard data protection clauses adopted by the European Commission ( https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj ) or a supervisory authority, approved codes of conduct together with legally binding and enforceable obligations of the recipient or approved certification mechanisms together with legally binding and enforceable obligations of the recipient.
Please contact us (see under A. (2)) if you would like more information on this or if you would like to obtain a copy of the appropriate safeguards.
(8) Legal obligation to transfer certain data
Under certain circumstances, we may be subject to a specific legal or statutory obligation to provide the lawfully processed personal data to third parties, in particular public authorities (Art. 6 para. 1 lit. c GDPR).
(9) Your rights
You can assert your rights as a data subject with regard to your processed personal data at any time by contacting us using the contact details provided under A. (2). As the data subject, you may
– request access, according to Art. 14 GDPR, about your personal data which is processed by us.
– request rectification, according to Art. 16 GDPR, if the information concerning you is not (or no longer) accurate. If your data is incomplete, you can request that it will be completed.
– request erasure, according to Art. 17 GDPR. Your right to erasure depends, among other things, on whether the data concerning you is still required by us to fulfil our legal obligations.
– request restriction of processing, according to Art. 18 GDPR, of the data concerning you.
– request to receive your data, according to Art. 20 GDPR, in a structured, commonly used and machine-readable format and request to transmit those data to another controller.
– object, according to Art. 21 GDPR, to the processing of data concerning you at any time on grounds relating to your particular situation. However, we are not always able to comply with this, e.g. if we are required by law to process your data.
– withdraw your consent at any time, according to Art. 7 para. 3 GDPR. However, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
– in accordance with Art. 77 GDPR, to lodge a complaint with a data protection supervisory authority. For example, you can lodge a complaint with the data protection authority responsible for us:
Bayerisches Landesamt für Datenschutzaufsicht
Promenade 18
91522 Ansbach
Germany
Phone: +49 (0) 981 180093-0
Fax: +49 (0) 981 180093-800
poststelle@lda.bayern.de
Please contact us (see under A. (2)) if you have any questions or wish to assert your rights.
(10) Changes to the data protection notice
As part of the further development of data protection law and technological or organizational changes, our data protection notice is regularly reviewed to determine whether it needs to be adapted or supplemented. The most recent version of this data protection notice can be found on our website at www.ooka.com. This data protection notice is valid as of November 2024.
B. Visiting websites
(1) Explanation of the function
You can obtain information about our company and the products we offer in particular at www.ooka.com together with the associated subpages (hereinafter jointly referred to as "websites"). When you visit our websites, your personal data may be processed (see under B. (2)).
(2) Processed personal data
We process the following categories of personal data when you use the website for information purposes:
a. Log data:
When you visit our websites, a so-called log data record (so-called server log files) is temporarily and anonymously stored on our web server. This consists of
– the page from which the page was requested (so-called referrer URL);
– the name and URL of the requested page;
– the date and time of the request;
– the description of the type, language and version of the web browser used;
– the IP address of the requesting device, which is shortened so that a personal reference can no longer be established;
– the amount of data transferred;
– the browser used (type, version, language) and operating system;
– the message as to whether the request was successful (access status / http status code);
– the GMT time zone difference;
– products and content in which the visitor is interested and the nature of the interest, such as duration, frequency, interaction with forms, navigation elements and links.
b. Contact form data:
When contact forms are used, the data transmitted through them is processed (e.g. gender, surname and first name, address, company, e-mail address and the time of transmission).
c. Newsletters with connection to our websites:
You can also sign up for certain newsletters via our website. We may also evaluate your user behavior when sending you such newsletters. For this evaluation, the e-mails sent contain so-called web beacons or tracking pixels, which are one-pixel image files stored on our website. For the evaluations, we link the aforementioned data, certain log data (see under B. (2) a.) and the web beacons with your e-mail address and an individual ID. Links contained in the newsletter also contain this ID.
(3) Purpose and legal basis of data processing
We process the personal data specified above in accordance with the provisions of the GDPR and other applicable data protection law only to the extent necessary. Insofar as the processing of personal data is based on Art. 6 para. 1 lit. f GDPR, the purposes mentioned also represent our legitimate interests.
The processing of log data serves statistical purposes and to improve the quality of our website, in particular the stability and security of the connection (legal basis is Art. 6 para. 1 lit. a or lit. f GDPR).
The processing of contact form data is carried out to process customer inquiries (legal basis is Art. 6 para. 1 lit. b or lit. f GDPR).
Newsletter data is processed for the purpose of sending the newsletter. When registering for our newsletter, you consent to the processing of your personal data (legal basis is Art. 6 para. 1 lit. a GDPR). We use the so-called double opt-in procedure to subscribe to our newsletter. This means that after you have registered, we will send you an email to the email address you have provided in which we ask you to confirm that you wish to receive the newsletter. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify any possible misuse of your personal data. You can withdraw your consent to receive the newsletter at any time and unsubscribe from the newsletter. You can declare your withdrawal by clicking on the link provided in every newsletter e-mail, or by sending a message to the contact details under A. (2).
If the processing of the data requires the storage of information in your terminal equipment or access to information that is already stored in the terminal equipment, Section 25 para. 1, 2 TDDDG is the legal basis for this.
(4) Duration of data processing
Your data will only be processed for as long as it is necessary to achieve the above-mentioned processing purposes; the legal bases specified in the context of the processing purposes apply accordingly. With regard to the use and storage duration of cookies, please refer to B. (6) and the cookie policy https://de.ooka.com/en/content/cookie-richtlinie.
(5) Transfer of personal data to third parties; basis for justification
The following categories of recipients, which are usually processors (see A. (5)), may receive access to your personal data:
– Service providers for the operation of our website and the processing of data stored or transmitted by the systems (e.g. for data center services, IT security). The legal basis for the transfer is Art. 6 para. 1 lit. b or lit. f GDPR, insofar as these are not processors;
– Government bodies/authorities, insofar as this is necessary to fulfill a legal obligation. The legal basis for the transfer is Art. 6 para. 1 lit. c GDPR;
– Others engaged to carry out or support our business operations (e.g. auditors, banks, insurance companies, legal advisors, supervisory authorities, parties involved in company acquisitions or the establishment of joint ventures). The legal basis for the transfer is Art. 6 para. 1 lit. b or lit. f GDPR.
In addition, we will only pass on your personal data to third parties if you have given your express consent in accordance with Art. 6 para. 1 lit. a GDPR.
(6) Use of cookies, plugins and other services on our website
a. Cookies
We use cookies on our websites. Cookies are small text files that are assigned to and stored on the device you are using by means of a characteristic string of characters. Cookies may contain data that makes it possible to recognize the device used. In some cases, cookies only contain information on certain settings that are not personally identifiable.
A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. In terms of their function, a distinction is made between cookies:
– Technical cookies: These are strictly necessary to move around the website, use basic functions and ensure the security of the website; they do not collect information about you for marketing purposes, nor do they store which web pages you have visited;
– Performance cookies: These collect information about how you use our website, which pages you visit and, for example, whether errors occur during website use; they do not collect any information that could identify you – all information collected is anonymous and is only used to improve our website and to find out what interests our users;
– Advertising cookies, targeting cookies: These are used to offer the website user needs-based advertising on the website or offers from third parties and to measure the effectiveness of these offers; advertising and targeting cookies are stored for a maximum of 13 months;
– Sharing cookies: These are used to improve the interactivity of our website with other services (e.g. social networks); sharing cookies are stored for a maximum of 13 months.
The legal basis for cookies that are absolutely necessary to provide you with the expressly requested service is Section 25 para. 2 No. 2 TDDDG. Any use of cookies that is not absolutely technically necessary for this purpose constitutes data processing that is only permitted with your express and active consent in accordance with Section 25 para. 1 TDDDG in conjunction with Art. 6 para. 1 lit. a GDPR. This applies in particular to the use of performance, advertising, targeting or sharing cookies. In addition, we only pass on your personal data processed by cookies to third parties if you have given your express consent to this in accordance with Art. 6 para. 1 lit. a GDPR.
b. Cookie policy
For more information about which cookies we use and how you can manage your cookie settings and disable certain types of tracking, please see our cookie policy https://de.ooka.com/en/content/cookie-richtlinie.
c. Social media plugins
We do not use any social media plugins on our websites. If our websites contain symbols from social media providers (e.g. Instagram, YouTube, TikTok), we only use these to passively link to the pages of the respective providers.
d. Other integration of third-party services and content
It may happen that third-party content, such as videos from YouTube, maps from Google Maps, RSS feeds or graphics from other websites are integrated into this online offering. This always requires that the providers of this content (hereinafter referred to as "third-party providers") receive the IP address of the user. Without the IP address, they would not be able to send the content to the respective user's browser. The IP address is therefore required to display this content. We endeavor to only use content whose respective providers only use the IP address to deliver the content. However, we have no influence on whether the third-party providers store the IP address, e.g. for statistical purposes. Insofar as we are aware of this, we will inform users accordingly.
C. Purchasing in our webstore
(1) Use of data for the performance of a contract
If you make an inquiry with us or conclude a contract with us, we require and process certain data, such as the details of the intended or placed order, your address, e-mail address and payment processing data for the pre-contractual check, the performance of the contract and any subsequent warranty or guarantee processing (see Art. 6 para. 1 lit. b GDPR as legal basis). As part of order and payment processing, the service providers we use (e.g. logistics companies, payment intermediaries) receive the necessary data about you or your order.
We also carry out credit checks (see under C. (5)). We cannot accept orders or offer you certain payment options without the relevant information.
In addition, commercial and tax law obliges us to archive data from concluded transactions for the duration of the statutory retention periods. The legal basis for the corresponding use of data is Art. 6 para. 1 lit. c GDPR.
(2) Data storage, customer account
Your specific order data will be stored by us. You can register with us (e-mail address and password). Registration gives you access to the data we have stored about you and your orders, among other things.
If you wish to close your access again, please use the contact options listed on our website (e.g. via e-mail or the contact form).
Please note that your data will continue to be stored by us and used for the stated purposes (such as order processing) even if you close your account.
(3) Making contact
If you contact us via our contact options (e.g. via e-mail or the contact form), we will store your name and contact details as well as your request. The data will be used to process your request and to communicate with you. In particular, we use your e-mail address to be able to reply to you by e-mail (legal basis Art. 6 para. 1 lit. b and f GDPR).
(4) Use of data for advertising
We are interested in maintaining the customer relationship with you, acquiring new customers, reactivating old customers and providing our customers with information and offers.
Therefore and after we have obtained your express consent, we use the following data for the purposes stated below:
– Postal advertising
We use your first and last name, your postal address and - if we have received this additional information from you - your title, academic degree and date of birth to send you offers and information about our company and our services and products by post if we expect this information to be of interest to you based on your previous purchases and reactions to advertising. Legal basis is Art. 6 para. 1 lit. a or f GDPR.
– E-mail advertising
We use your e-mail address to advertise our products. We can also ask you to rate previously purchased goods or services. In our advertising e-mails you will receive a link to easily opt out of e-mail advertising. We statistically evaluate when such an e-mail is called up and, if applicable, which information offers and with what intensity these are met with interest (e.g. when a link is called up). The evaluation is carried out to improve the delivery times and optimize the content of our offers and advertising information. Legal basis is Art. 6 para. 1 lit. a GDPR.
– Telephone advertising
In a business-to-business relationship we use your telephone number for advertising purposes. Legal basis is Art. 6 para. 1 lit. f GDPR.
(5) Identity and credit check and scoring
a. Internal check
If we make advance payments (purchase on account), we use our data to check your current and previous payment behavior and any atypical order behavior (e.g. orders placed at the same time under different customer accounts to the same address) based on our interest in protecting ourselves from payment defaults and customers from identity fraud. We use your address data and date of birth for identification purposes.
The creditworthiness data that is taken into account includes outstanding payments, dunning procedures, information about insolvency, debtor counseling, deferral agreements due to payment defaults. Together with data from the areas of address, age, ordered product range, order method and selected payment options, we calculate a statistical probability of default by way of order processing on the basis of recognized mathematical and statistical procedures, the result of which is included in the external creditworthiness information listed below.
We also check whether you meet the legal age requirements applicable to our products. To do this, we check the date of birth you provide. We are obliged to implement the legal age requirements. To do this, we may ask you to prove your age by sending us a copy of your ID. We will only use the data obtained in this way to verify your age. The delivery of the products you have ordered may depend on the transmission of this data.
b. External recommendations in connection with fraud and abuse detection
We transmit personal data on credit card payments for the application, execution and termination of business relationships as well as data on non-contractual behaviour or fraudulent behaviour to Signifyd, Inc. Signifyd, Inc provides us with recommendations and other information and we decide what action to take or not to take based on these recommendations and other information (e.g., reject the conclusion of a contract).
The legal basis for these transfers is Art. 6 para. 1 lit. b and f GDPR. The exchange of data with Signifyd, Inc. also serves to fulfil legal obligations to carry out credit checks on customers.
Further information on the activities of Signifyd, Inc. can be found online at https://www.signifyd.com/privacy/.
(6) Withdrawal and objection to advertising
In case you have given us your consent for the use of your personal data for advertising purposes you can withdraw your consent at any time (see also under A. (9)).
Further, you can object to the use of your email address at any time, without incurring any costs other than the transmission costs in accordance with the basic tariffs.
Please use the contact options listed on our website for the withdrawal of consent or the objection. Moreover, you will find a note in our advertising emails and newsletters with an address or a link to easily unsubscribe from such communications.
Your options to object also extend to profiling (see under A. (6)) and the use of data collected when visiting our websites for direct marketing purposes. We explain the technical options for exercising your right to object and preventing data collection in detail in the information on the web tools used in our cookie policy at https://de.ooka.com/en/content/cookie-richtlinie.