Privacy Policy
Privacy Policy
We appreciate your interest in our website www.25kg.eu (the "Website"). Protecting your privacy is very important to us. Below, we provide detailed information about how we handle your data. The collection and processing of personal data are carried out exclusively in accordance with the legal provisions of EU Regulation 679/2016 (GDPR) and the German Federal Data Protection Act (BDSG) and observe the provisions of the Telecommunications Digital Services Data Protection Act (TDDDG) when you visit our Website or Social Media profiles ("Social Media Profiles"), use the webshop (“Webshop”) and other services available at our Website.
The operator of the Website and the responsible party in terms of data protection law is:
Konstantin Grcic Design GmbH
represented by the Managing Director Konstantin Grcic
Kurfürstenstr. 13
10785 Berlin / Germany
E-Mail: info@25kg.eu
1. Collection, Processing, and Use of Personal Data for the provision of the Website
1.1 Logfiles
You can visit our Website without providing personal information. However, the browser used on your end device sends information automatically to our Website server. This information is temporarily stored in a so-called logfile. We only store access data such as IP address, browser type and version, date and time of access, operating system, name of your internet service provider, the page from which you visit us, or the name of the requested file until automatic deletion. This data is used exclusively to enable access to and use of the Website and to improve our services without allowing direct conclusions about your identity. Logfiles serve as a source of information for error analysis in the event of a system crash, allowing lost data to be reconstructed. They can also be used for range analysis. The data will not be merged with other data provided by you. The use of data for these purposes is justified by our legitimate interest in providing and improving our Website according to Art. 6(1)(f) GDPR. These data will be deleted as soon as they are no longer necessary for the purposes for which they were collected, typically after the end of the respective browser session.
1.2 Cookies
To make our Website attractive and enable the use of certain functions, we use Cookies or pixel tags, which collect your data using pseudonyms. Cookies are small text files stored on your device when visiting the Website, allowing us to recognize previous settings and interactions. Pixel tags are small graphic files that are often used together with Cookies (Cookies and pixel tags hereinafter collectively "Cookies")
Most of our Cookies are essential for using our Website and are deleted at the end of your browser session (“Session Cookies”). Other Cookies remain on your device and enable us to recognize your browser on your next visit (“Persistent Cookies”). These are only stored if you consent when first visiting the Website. We use so-called “First-party Cookies”, which are set and controlled by us as the operator of the Website.
(2) Purposes of use
We use different categories of Cookies depending on their purpose:
• Strictly necessary Cookies
Most of the Cookies we use are technically strictly necessary to enable you to use our Website and the services offered on it. Our legitimate interest in data processing lies in this purpose; legal bases are Art. 6 (1)(f) GDPR, Section 25 (2) no. 2 TDDDG. As these Cookies are strictly necessary to provide you with the Website and the services offered via the Website, you cannot refuse them.
Strictly necessary Cookies are usually only stored on your device for as long as your browser is active and, unless otherwise specified, are deleted after the end of the respective browser session, but at the latest after two weeks. The data is not merged with other personal data or used for advertising purposes.
• Functional and preference Cookies
We use temporary Cookies to improve the user experience. These Cookies allow us to recognise you when you return to our Website and to automatically remember your settings and preferences (e.g. your choice of language or region). The legal basis for the use of Cookies is Art. 6 (1)(a) GDPR, Section 25 (1) TDDDG, i.e. your prior consent. You give your consent to the use of these Cookies on our Website by clicking on "Accept " in our Cookie banner or by explicitly allowing the service in the “Preferences”. If you do not allow these Cookies, the Website and/or our services offered via the Website may not function properly.
• Web analysis and statistics Cookies
We use Cookies to create pseudonymous usage profiles for the purpose of web analysis. These Cookies enable us to recognise returning users (device owners), analyse their behaviour on the Website, optimise the Website and measure its reach. The legal basis for the data processing is Art. 6 (1)(a) GDPR, Section 25 (1) TDDDG, i.e. your prior consent. You give your consent to this tracking on our Website by clicking on "Accept " in our Cookie banner or by explicitly allowing the service in the “Preferences”. We do not set any web analysis Cookies before this happens. We do not combine the data with other personal data and do not use it to target individual users for advertising purposes.
• Targeting and marketing Cookies
We use Cookies for targeted and interest-based online advertising. These Cookies collect and store information about your use of our Website in pseudonymous form. We use this information to show you advertisements on our Website and to measure the success of our advertising campaigns and to optimise them. If you do not allow these Cookies, you will see less targeted advertising.
The legal basis for the data processing is Art. 6 (1)(a) GDPR, Section 25 (1) TDDDG, i.e. your prior consent. You give your consent to this tracking on our Website by clicking on "Accept " in our Cookie banner or by explicitly allowing the service in the “Preferences”. We do not set any targeting and marketing Cookies before this happens.
(3) Consent Management Tool Consentmo GDPR
We use the Consentmo GDPR consent management tool by iSenseLabs dba as Consentmo (Prof. Georgi Bradistilov Str. No.4, 1700 Sofia, Bulgaria). When you visit our Website, the following data is transmitted to Consentmo:
o masked IP address (for privacy, the visitor’s IP is partially anonymized in the records consents given or their revocation)
o information about your browser and device and any information that may be available in your http header
o date and time of your visit to the Website
o Referrer URL
o User Agent
Consentmo stores strictly necessary Cookies in your browser to be able to allocate the consents you have given or withdrawn and the above-mentioned data. Data that our Website collects for compliance purposes — such as records of cookie consents and records of GDPR/CCPA requests — is retained for 12 months from the date of collection. Mandatory statutory storage obligations remain unaffected. The data that Consentmo collects and processes is stored on secure servers with reputable cloud providers. For our GDPR compliance features, all data is stored in the European Union. The purpose of data processing is to obtain and document the necessary consent for data processing to comply with legal obligations, Art. 6 (1)(c) GDPR, Section 25 (2) no. 2 TDDDG. Consentmo acts as processor within the meaning of Art. 28 GDPR. We have concluded a data processing agreement ("DPA") with Consentmo. This ensures that Consentmo only processes your personal data in accordance with our instructions and in compliance with the GDPR. Further information can be found at https://www.consentmo.com/privacy-policy-terms-of-service/en.
(4) Hosting by Shopify
Strictly necessary Cookies are also set by the provider Shopify International Limited, 2nd Floor Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland („Shopify“), who hosts our Website. We use the shop system for the purpose of hosting and displaying the Webshop and have a legitimate interest in the data processing. All data collected on our Website is processed on Shopify's servers. Shopify is part of the Shopify Inc. at 151 O'Connor Street, Ground floor, Ottawa, ON, K2P 2L8, Canada. When your data is transferred to a Shopify entity based in Canada, the appropriate level of data protection is guaranteed by an adequacy decision of the European Commission. However, Shopify may also use sub-processors based in a third country outside the European Union ("EU") and the European Economic Area ("EEA") which does not provide adequate protection for your personal data under EU data protection law. We have concluded a data processing agreement ("DPA") within the meaning of Art. 28 GDPR with Shopify as part of the General Terms and Conditions (https://www.shopify.com/legal/dpa), which includes the EU Standard Contractual Clauses ("SCC") to ensure that the processing of your data is carried out by means of appropriate safeguards within the meaning of Art. 46 (2)(c) GDPR. Further information on the purpose and scope of data collection and processing by Shopify can be found at https://www.shopify.com/legal/privacy.
(5) Cookie management and revocation of your consent
If you wish to withdraw your consent, i.e. deactivate the use of cookies, you can change the “Preferences” or change the settings of your browser and delete existing cookies in your browser at any time. If your device supports the change of Cookie settings in your browser you can set up your browser so that it does not accept any new Cookies (especially Third-party Cookies) or informs you of new Cookies. You can also delete Cookies that have already been saved in the settings of your internet browser. You can find help on how to change your Cookie settings, for example, in the help function of your internet browser. Further information on this and on Cookies in general can be found, for example, at http://www.allaboutcookies.org and http://www.youronlinechoices.com/.
Please be aware that if you deactivate Cookies, you may not be able to use all the functions of the Website.
(6) Transfer of data to providers located outside the EEA
When using Third-party Cookies, your personal data may be transferred to and processed by providers located outside the European Union (EU) or the European Economic Area (EEA). All transfers of personal data will be made in accordance with the criteria and requirements of applicable law by obtaining appropriate guarantees, e.g. based on an adequacy decision of the European Commission (this applies, for example, to data transfers to Canada and service providers certified under the EU - U.S. Data Privacy Framework) or Standard Contractual Clauses (SCC). Please refer to our general information on data processing in third countries (see section 5 of this Privacy Policy) or contact us using the contact details provided in this Privacy Policy. You can view the certificates here https://www.dataprivacyframework.gov/list.
1.3 Simple links
Our Website also contains simple links to our Social Media Profiles (e.g. Instagram). If you click on these links or buttons, you will leave our Website. The data processing on the Websites of the social media provider is governed by the Privacy Policies available there.
2. Data processing in connection with the web shop
2.1 Fulfilment of contractual and pre-contractual obligations
Personal data is processed if you voluntarily provide them to us for the provision of this Website, of the products and services offered via the Website and the marketing and development of our products, in particular for the conclusion and execution of contracts, for billing purposes, for the implementation of pre-contractual measures, for responding to enquiries in connection with our business relationship and for all activities required for the operation and administration of our company.
We process the personal information that you provide to us for contractual purposes, in order to process payments for a contract your order via our web shop or as part of an enquiry.
We may also receive data about you from third parties, for example from payment service providers, credit bureaus or credit reference agencies. In particular, this involves the following data:
- Personal information (e.g. first name, surname, title, date of birth),
- Contact details (e.g. postal and shipping address, telephone number, fax number, e-mail address),
- Order and purchase data (e.g. order information, information about purchased products, information about the payment method, communication between you and us regarding purchases, delivery and payment status, information about returns, if applicable),
- Billing and payment data (e.g. payment method, billing address, IBAN and BIC, or account number and bank sort code, credit card data, creditworthiness data; information that external payment service providers (e.g. PayPal) use for identification), and
- Messages and conversation content (e.g. in the context of enquiries)The purposes of data processing primarily depend on the specific contractual relationship. The legal basis for data processing is Art. 6 (1)(b) GDPR, insofar as it serves the fulfilment of a contract with you as data subject or the implementation of pre-contractual measures, and Art. 6 (1)(f) GDPR, insofar as it is necessary to protect our legitimate interests or those of a third party (e.g. contact details of employees). Our legitimate interest lies in ensuring a smooth business process. Further details on the purpose of data processing in the context of contracts can be found in the respective contract documents and terms and conditions.
Upon complete processing of the contract and full payment, your data will be blocked for further use and deleted after expiration of tax and commercial retention periods unless you have expressly consented to further use of your data.
2.2 Based on your consent
If you have given us your consent to process personal data for certain purposes (e.g. passing on data), this processing is lawful based on your consent (Art. 6 (1)(a) GDPR). You can withdraw your consent at any time. Please note that the withdrawal is only effective for the future. Processing that took place before the withdrawal is not affected.
2.3 Protection of legitimate interests
In addition, we process your data to protect the legitimate interests of us or third parties, in particular in the following cases:
- responding to enquiries outside of a contract or pre-contractual measures;
- advertising or market and opinion research, insofar as you have not objected to the use of your data;
- Assertion of legal claims and defence in legal disputes;
- Transmission of outstanding debt data to debt collection service providers
- Ensuring our IT security and operations;
- Prevention and investigation of criminal offences.
The legal basis is Art. 6 (1)(f) GDPR. Our legitimate interest is to further develop our services or to protect ourselves against impairments and dangers and to enforce our claims.
2.4 Compliance with legal requirements
In addition, we are subject to various legal obligations, i.e. legal requirements. The purposes of the processing include, among others, the fulfilment of retention periods under commercial and tax law. The legal basis for data processing is Art. 6 (1)(c) GDPR.
3. No obligation to provide personal data
If we ask you to provide personal data, you can of course refuse to do so. However, we may then not be able to provide certain functions of the Website, answer your enquiries or conclude a contract. This applies in particular if the data is required for the establishment, implementation and termination of a business relationship or if we are legally obliged to collect data.
4. Sharing of Personal Data
Within our company those departments or individuals get access to your data that need it to fulfil our contractual and legal obligations.
We pass on your data to the recipients expressly named in this Privacy Policy and thus also to service providers of Third-party Cookies. In doing so, we observe the legal requirements and, if necessary, conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.
Furthermore, we share your data with the following categories of recipients if it is necessary for the fulfilment of a contractual relationship existing between you and us or for the implementation of pre-contractual measures (Art. 6 (1)(b) GDPR) or for the protection of legitimate interests (Art. 6 (1)(f) GDPR) or due to a legal regulation:
- IT service providers, e.g. hosting, Software-as-a-Service
-
Logistics service providers, e.g DHL, UPS, DPD
- Payment service providers
-
Credit institutions for the cancellation of a fee
- Debt collection companies for the enforcement of claims
- Third parties involved in legal proceedings, provided that they submit a legal order, court order or equivalent legal disposition to us.
Where processing is necessary to protect legitimate interests, for example when using IT services, our legitimate interest is to outsource functions. In addition, we will only share your personal data with third parties, if required by law (Art. 6 para. 1 sentence 1 lit. c GDPR) or if you have given your consent (Art. 6 para. 1 sentence 1 lit. a GDPR).
We use the payment service Shopify Payments which in the EU is provided by Shopify International Limited, 2nd Floor Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland. Further information on Shopify can be found in our Privacy Policy under point 1.2 Cookies, (2) Strictly necessary cookies.
When making a payment via the payment service provider PayPal”, you will be redirected to the Website of the PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. The personal data you enter is transmitted to PayPal in encrypted form. This mostly includes your name, address, telephone number, IP address, payment data and e-mail address. The legal basis for the forwarding of the data is Art. 6 (1)(b) GDPR. The processing of the personal data is carried out by PayPal as the responsible party. Insofar as this is necessary for the fulfilment of the order, data may also be passed on to third parties by PayPal. For the purpose of checking identity and creditworthiness, PayPal also transmits personal data to credit agencies such as SCHUFA. For more information about data processing by PayPal, please visit https://www.paypal.com/de/legalhub/paypal/privacy-full.
If third-party content is integrated (see Section 1.2 Cookies), data may be transferred to recipients outside the EEA, where different data protection standards may apply. We take appropriate measures to ensure an adequate data protection level. For more details, contact us at the email address provided in Section 9.
5. International data transfer
For the processing of your personal data, we also use service providers located in third countries outside the European Union (EU) or the European Economic Area (EEA). These countries may have a lower level of data protection than within the European Union. In case of a data transfer to these countries, we will obtain the necessary safeguards to ensure that your data is processed as securely as within the EEA, e.g. by concluding EU Commission standard contractual clauses (SCC) within the meaning of Art. 46 para. 2 sentence 1 lit. c GDPR or by other measures provided for by law. You can request a copy of the measures taken by contacting us at the contact details provided above. Most of the service providers we use have been certified under the EU-U.S. Data Privacy Framework to ensure an adequate level of data protection for data transfers to the USA. You can view the certificates here https://www.dataprivacyframework.gov/list.
6. Social Media Profiles
We operate Social Media Profiles. There we publish and share news about our work, recommendations, content, competitions and offers.
When you visit the Social Media Profiles, the social media provider processes information about you. You can find more detailed information on data processing in the Privacy Policy of the respective social media provider listed below. Some social media providers also offer the option to object to certain data processing. Please note that according to the social media providers, user data is also processed in the USA or other third countries.
6.1. Insights
Meta (Facebook, Instagram) and LinkedIn use Cookies and similar technologies to record your user behaviour when visiting the Social Media Profiles and make the information available to us in anonymized form as statistics (so-called Insights). This gives us insights into how our Social Media Profiles are used, which topics are particularly popular and what interests our Social Media Profile visitors have. This enables us to optimize our Social Media Profiles and better respond to the interests of our audience. We do not have access to the personal data used by Meta or LinkedIn to create this information. Meta and LinkedIn select the Insights data independently of us and process it accordingly.
We are jointly responsible with both Meta and LinkedIn for the collection of your data and the processing for the provision of the Insights, but not the further processing of this data by the Social Media providers. We have shared responsibility with
· Meta under the following agreement https://de-de.facebook.com/legal/terms/page_controller_addendum
· LinkedIn under the following agreement https://legal.linkedin.com/pages-joint-controller-addendum
which specifies which company fulfils which data protection obligations when processing personal data for Insights. Under these agreements, Meta and LinkedIn agree to comply with users' requests regarding your data protection rights. This means that you can contact Meta (Facebook, Instagram) or LinkedIn directly for information and deletion requests. You can find a clear summary of the most important points of the Meta agreement here: https://www.facebook.com/legal/terms/information_about_page_insights_data.
Information regarding your data subject rights can be found in the respective data protection provisions:
· Meta: https://www.facebook.com/privacy/policy
· LinkedIn: https://de.linkedin.com/legal/privacy-policy.
6.2 Contact
If you communicate directly with us via a Social Media Profile or share personal content with us, we are responsible for processing your data. The purpose of the data processing is to communicate with you. Furthermore, we also use the information you share with us for marketing purposes. The legal basis for the data processing is our legitimate interest in the meaning of Art. 6 (1)(f) GDPR to get in contact with enquirers and to further develop our services.
7. Storage duration and erasure
We and our service providers will process and store your personal data in accordance with applicable data protection law to the extent and for the duration necessary for the processing purposes set out in this Privacy Policy.
For the duration of a contractual relationship, this may also include, for example, the initiation and processing of a contract.
Logfiles are generally deleted after the end of the respective browser session, unless their further storage is exceptionally necessary and lawful. The storage period of Cookies depends on the individual case and is usually between twelve and 24 months. For more information, please visit our Cookie Preferences. If we process your personal data based on your consent, we store your data for the period required to process your personal data in accordance with your consent.
In the case of contractual relationships, but also in the case of other claims under civil law, the storage period is also based on the statutory limitation periods, which, for example, according to Sections 195 et seq. of the German Civil Code ("BGB"), are generally three years, but in certain cases can be up to thirty years. In addition, we are subject to various retention and documentation obligations, which result from the German Commercial Code ("HGB") and the German Fiscal Code ("AO"), among other things. The retention and documentation periods specified there are six years for correspondence in connection with the conclusion of a contract and ten years for accounting vouchers and business letters (Sections 238, 257 (1) and (4) HGB, Section 147 (1) and (3) AO).
8. Your Rights
You have the right to request access to your stored personal data (Art. 15 GDPR), the right of rectification of inaccurate personal data (Art. 16 GDPR), the right to erasure (Art. 17 GDPR), or the right to restriction of processing (Art. 18 GDPR) and the right to data portability (Art. 20 GDPR). With regard to the right of access and the right to erasure, the restrictions according to Sections 34 and 35 BDSG apply. You also have the right to object to data processing (Art. 21 GDPR). If you believe we are processing your data unlawfully, you have the right to file a complaint with a supervisory authority – in particular in the EU member state of your place of residence, your place of work or the place of the alleged infringement (Art. 77 GDPR, Section 19 BDSG).
Your rights in detail:
• Right of access: You can request the confirmation as to whether and how we process your personal data. In particular, you have a right of access to your personal data and the information about the purposes of processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be disclosed, if possible the envisaged storage period, or, if this is not possible, the criteria for determining this period; the existence of a right to rectification or erasure of your personal data, to restriction of the processing or to object to such processing; the existence of a right to lodge a complaint with a supervisory authority; the source of the data if the personal data has not been collected from you, the existence of automated decision-making, including profiling, and, if applicable, meaningful information about the logic involved and the significance and envisaged consequences of such processing. If we transfer personal data to a third country or an international organisation, you may also request information about the safeguards we have in place to protect your data. Your right to information may be limited in individual cases by national law (Sections 29 (1) sentence 2, 34 BDSG) and the rights and freedoms of others.
• Right to rectification: You may request the rectification of inaccurate personal data with undue delay or, taking into account the purposes of the processing, the completion of incomplete personal data – also by means of providing a supplementary declaration.
• Right to erasure: You have a right to immediate erasure of your personal data under certain circumstances, e.g. if your personal data is no longer necessary for the purposes for which it was collected or otherwise processed, if you withdraw your consent and there is no other legal basis for the processing, or if you have objected to the processing of your data for direct marketing purposes. The right does not exist to the extent the processing is necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the exercise of a public power vested in us, or for the establishment, exercise or defence of legal claims. Your right to erasure may be limited in individual cases by national law (Section 35 BDSG).
• Right to restriction of processing: You may request the restriction of processing if you contest the accuracy of the personal data for the duration of the verification of the accuracy by us, if the processing is unlawful but you object to the erasure of your personal data, if we no longer need your personal data but you need the data to establish, exercise or defend legal claims, or if you have objected to the processing.
• Right to data portability: You have the right to data portability, i.e. the right to receive and transmit the personal data you have provided to us in a structured, commonly used and machine-readable format, if we process your personal data on the basis of your consent or a contract and the processing is carried out by automated means.
Right of objection according to Art. 21 GDPR
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 (1) (e) GDPR (public security) or Art. 6 (1) (f) GDPR (legitimate interests); this also applies to profiling based on these provisions. We shall no longer process this data upon the lodging of the objection, unless there are compelling reasons for the processing that merit protection, e.g. processing for the establishment, exercise, or defence of legal claims.
Where personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is associated with such direct marketing. We will no longer process your personal data for direct advertising if you exercise your right to object.
If our processing of your personal data is based on consent (Art. 6 (1)(a) GDPR), you may withdraw this consent at any time; the lawfulness of the data processing carried out on the basis of the consent until withdrawal remains unaffected by this.
9. Contact for Data Protection
For questions regarding data collection, processing, or usage, as well as requests for correction, blocking, or deletion of data, or withdrawal of consent, please contact: info@25kg.eu.
10. Data Security
Your personal data is transmitted using TLS (Transport Layer Security) encryption. We take technical and organizational measures to protect our Website and systems against loss, destruction, unauthorized access, alteration, or distribution of your data by unauthorized persons.
Status: April 3, 2025