Data protection

The person responsible for data processing is:
Bonorum CBD GmbH
Severinstrasse 17
50678 Cologne
Germany
shop@bonorumcbd.de

Telephone: +49 221 95939361

We are pleased about your interest in our online shop. Protecting your privacy is very important to us. Below we will inform you in detail about how your data is handled.

1. Access data and hosting

You can visit our websites without providing any personal information. Every time a website is accessed, the web server automatically saves only a so-called server log file, which contains, for example, the name of the requested file, your IP address, date and time of retrieval, amount of data transferred and the requesting provider (access data) and documents the retrieval. This access data is evaluated exclusively for the purpose of ensuring trouble-free operation of the site and improving our offering. This serves to protect our legitimate interests, which predominate in the context of a balancing of interests, in a correct presentation of our offer in accordance with Article 6 Paragraph 1 Sentence 1 Letter f of the GDPR. All access data will be deleted no later than seven days after the end of your visit to the site.

1.1 Hosting

The services for hosting and displaying the website are partly provided by our service providers as part of processing on our behalf. Unless otherwise explained in this data protection declaration, all access data and all data collected in the forms provided on this website are processed on its servers. If you have any questions about our service providers and the basis of our cooperation with them, please contact us using the contact option described in this data protection declaration.

Our service providers are located in these countries: USA
There is no adequacy decision from the European Commission for these countries. Our cooperation with you is based on these guarantees: Approved Code of Conduct, Approved Certification Mechanism

1.2 Content Delivery Network

In order to shorten loading times, we use a so-called Content Delivery Network (“CDN”) for some offers. With this service, content, such as large media files, is delivered via regionally distributed servers of external CDN service providers. Access data is therefore processed on the servers of the service providers. Our service providers work for us as part of order processing. If you have any questions about our service providers and the basis of our cooperation with them, please contact us using the contact option described in this data protection declaration.

Our service providers are located in these countries: USA
There is no adequacy decision from the European Commission for these countries. Our cooperation with you is based on these guarantees: Approved Code of Conduct, Approved Certification Mechanism

2. Data processing for contract processing, contacting you and opening a customer account

We collect personal data if you voluntarily provide it to us as part of your order or when you contact us (e.g. via contact form or email). Mandatory fields are marked as such because in these cases we absolutely need the data to process the contract or to process your contact and you cannot send the order or contact us without providing them. Which data is collected can be seen from the respective input forms. We use the data you provide to process the contract and process your inquiries in accordance with Article 6 Paragraph 1 Sentence 1 Letter b GDPR.
If you have given your consent in accordance with Article 6 Paragraph 1 Sentence 1 Letter a GDPR by deciding to open a customer account, we will use your data for the purpose of opening a customer account. Further information on the processing of your data, in particular on the transfer to our service providers for the purposes of order, payment and shipping processing, can be found in the following sections of this data protection declaration. After the contract has been fully processed or your customer account has been deleted, your data will be restricted for further processing and deleted after the expiry of the tax and commercial law retention periods in accordance with Art You have consented to your data in accordance with Article 6 Paragraph 1 Sentence 1 Letter a of the GDPR or we reserve the right to use your data beyond this, which is permitted by law and about which we inform you in this declaration. Deleting your customer account is possible at any time and can be done either by sending a message to the contact option described in this data protection declaration or using a function provided for this purpose in the customer account.

3. Data processing for the purpose of shipping processing

In order to fulfill the contract in accordance with Article 6 Paragraph 1 Sentence 1 Letter b GDPR, we pass on your data to the shipping service provider commissioned with the delivery, to the extent that this is necessary for the delivery of ordered goods.

Data transfer to shipping service providers for the purpose of shipping notification

If you have given us your express consent to this during or after your order, we will pass on your email address to the selected shipping service provider in accordance with Art can contact you for delivery notification or coordination purposes.
Consent can be revoked at any time by sending a message to the contact option described in this data protection declaration or directly to the shipping service provider at the contact address listed below. After revocation, we will delete the data you provided for this purpose unless you have expressly consented to further use of your data or we reserve the right to use your data beyond this, which is permitted by law and about which we inform you in this declaration.

DHL Parcel GmbH
Sträßchensweg 10
53113 Bonn
Germany

4. Data processing for payment processing

When processing payments in our online shop, we work with these partners: technical service providers, credit institutions, payment service providers.

4.1 Data processing for transaction processing

Depending on the payment method selected, we pass on the data necessary to process the payment transaction to our technical service providers who work for us as part of order processing, or to the commissioned credit institutions or to the selected payment service provider, to the extent that this is necessary to process the payment. This serves to fulfill the contract in accordance with Article 6 Paragraph 1 Sentence 1 Letter b GDPR. In some cases, the payment service providers collect the data required to process the payment themselves, e.g. B. on your own website or via a technical integration in the ordering process. The data protection declaration of the respective payment service provider applies.
If you have any questions about our payment processing partners and the basis of our cooperation with them, please contact us using the contact option described in this data protection declaration.

4.2 Data processing for the purpose of preventing fraud and optimizing our payment processes

If necessary, we give our service providers further data, which they use together with the data necessary to process the payment as our processors for the purposes of fraud prevention and optimizing our payment processes (e.g. invoicing, processing disputed payments, accounting support). In accordance with Article 6 Paragraph 1 Sentence 1 Letter f of the GDPR, this serves to protect our legitimate interests, which predominate in the context of a balancing of interests, in our protection against fraud and in efficient payment management.

5. Advertising via email

5.1 Email newsletter with registration

If you register for our newsletter, we will use the data required for this or provided separately by you to regularly send you our email newsletter based on your consent in accordance with Article 6 Paragraph 1 Sentence 1 Letter a GDPR.
You can unsubscribe from the newsletter at any time and can do so either by sending a message to the contact option described in this data protection declaration or via a link provided for this purpose in the newsletter. After you unsubscribe, we will delete your email address from the recipient list unless you have expressly consented to further use of your data or we reserve the right to use your data beyond this, which is permitted by law and about which we inform you in this declaration.

5.2 Newsletter dispatch

The newsletter may also be sent by our service providers as part of processing on our behalf. If you have any questions about our service providers and the basis of our cooperation with them, please contact us using the contact option described in this data protection declaration.

Our service providers are located in these countries: USA

There is no adequacy decision from the European Commission for these countries. Our cooperation with you is based on these guarantees: Approved Code of Conduct, Approved Certification Mechanism

5.3 Omnisend

This website uses Omnisend's services to collect email addresses, create pop-ups and send our newsletter. Our newsletter is usually sent weekly, but may vary. You can also use this application to create and activate so-called workflows. With these workflows, emails are sent depending on actions taken by a subscriber to our newsletter. For example, after a period p, a customer who has not placed an order during this time will be sent an automated email to draw attention to us again. The provider is Omnisend, Soundest LLC, Legal department, Verkiu Str. 25C, Lithuania.

Omnisend is a service that, among other things, can be used to organize and analyze the sending of newsletters. If you enter data for the purpose of subscribing to the newsletter (e.g. email address), it will be stored on Omnisend's servers.

If you do not carry out any analysis/storage If you want Omnisend , you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. You can also unsubscribe from the newsletter directly on the website.

Data processing is based on your consent (Art. 6 Para. 1 lit. a GDPR). You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing operations that have already taken place remains unaffected by the revocation.

The data you provide to us for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and, after you unsubscribe from the newsletter, will be stored by us both on our servers and on the servers of Omnisend deleted. Data stored by us for other purposes (e.g. email addresses for the member area) remains unaffected.

For more information, please see Omnisend's privacy policy at: https://www.omnisend.com/privacy

6. Cookies and other technologies

General information

In order to make visiting our website attractive and to enable the use of certain functions, we use technologies including so-called cookies on various pages. Cookies are small text files that are automatically stored on your device. Some of the cookies we use are deleted at the end of the browser session, i.e. after you close your browser (so-called session cookies). Other cookies remain on your device and enable us to recognize your browser the next time you visit (persistent cookies).
We use technologies that are absolutely necessary for the use of certain functions of our website (e.g. shopping cart function). These technologies collect and process IP address, time of visit, device and browser information as well as information about your use of our website (e.g. information about the contents of the shopping cart). As part of a balancing of interests, this serves overriding legitimate interests in an optimized presentation of our offer in accordance with Article 6 Paragraph 1 Sentence 1 Letter f of the GDPR.

You can find the cookie settings for your browser at the following links: Microsoft Edge™ / Safari™ / Chrome™ / Firefox™ / Opera™

If you have consented to the use of the technologies in accordance with Article 6 Paragraph 1 Sentence 1 Letter a GDPR, you can revoke your consent at any time by sending a message to the contact option described in the data protection declaration.

7. Social media

7.1 Social plugins from Facebook, Instagram

Social buttons from social networks are used on our website. These are only integrated into the page as HTML links, so that no connection is established with the servers of the respective provider when our website is accessed. If you click on one of the buttons, the website of the respective social network opens in a new window in your browser. There you can, for example, press the Like or Share button.

7.2 Our online presence on Facebook, Instagram

If you have given your consent to the respective social media operator in accordance with Article 6 Paragraph 1 Sentence 1 Letter a of the GDPR, your data will be automatically collected for market research and advertising purposes when you visit our online presence on the social media mentioned above and stored, from which usage profiles are created using pseudonyms. These can be used, for example, to display advertisements within and outside the platforms that presumably match your interests. Cookies are usually used for this purpose. For detailed information on the processing and use of data by the respective social media operator as well as a contact option and your related rights and setting options to protect your privacy, please refer to the provider's data protection information linked below. If you still need help with this, you can contact us.

Facebook is an offer from Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (“Facebook Ireland”) The information automatically collected by Facebook Ireland about your use of our online presence on Facebook is usually sent to a Facebook server , Inc., 1601 Willow Road, Menlo Park, California 94025, USA and stored there. There is no adequacy decision from the European Commission for the USA. Our cooperation is based on standard data protection clauses from the European Commission. Data processing when visiting a Facebook fan page is based on an agreement between jointly responsible parties in accordance with Art. 26 GDPR. You can find more information (about Insights data) here .

Instagram is an offer from Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (“Facebook Ireland”) The information automatically collected by Facebook Ireland about your use of our online presence on Instagram is usually sent to a Facebook server , Inc., 1601 Willow Road, Menlo Park, California 94025, USA and stored there. There is no adequacy decision from the European Commission for the USA. Our cooperation is based on standard data protection clauses from the European Commission. Data processing when visiting an Instagram fan page is based on an agreement between jointly responsible parties in accordance with Art. 26 GDPR. You can find more information (about Insights data) here .

8. Contact options and your rights

As a data subject, you have the following rights:

  • in accordance with Art. 15 GDPR, the right to request information about your personal data processed by us to the extent specified therein;
  • in accordance with Art. 16 GDPR, you have the right to immediately request the correction of incorrect or complete personal data stored by us;
  • In accordance with Art. 17 GDPR, you have the right to request the deletion of your personal data stored by us, unless further processing is required
    • to exercise the right to freedom of expression and information;
    • to fulfill a legal obligation;
    • for reasons of public interest or
    • is necessary to assert, exercise or defend legal claims;
  • in accordance with Art. 18 GDPR, you have the right to request the restriction of the processing of your personal data, to the extent that
    • you dispute the accuracy of the data;
    • the processing is unlawful but you object to its deletion;
    • we no longer need the data, but you need it to assert, exercise or defend legal claims or
    • you have objected to the processing in accordance with Art. 21 GDPR;
  • in accordance with Art. 20 GDPR, the right to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transmitted to another person responsible;
  • in accordance with Art. 77 GDPR, you have the right to complain to a supervisory authority. As a rule, you can contact the supervisory authority at your usual place of residence or work or at our company headquarters.

If you have any questions about the collection, processing or use of your personal data, information, correction, restriction or deletion of data as well as revocation of consent given or objection to a specific use of data, please contact us directly using the contact details in our legal notice.

Right to object
To the extent that we process personal data as explained above to protect our legitimate interests, which predominate in the context of a balancing of interests, you can object to this processing with effect for the future. If the processing is carried out for direct marketing purposes, you can exercise this right at any time as described above. If processing is carried out for other purposes, you only have the right to object if there are reasons that arise from your particular situation.

After exercising your right to object, we will no longer process your personal data for these purposes unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing is necessary for the establishment, exercise or defense of serves legal claims.

This does not apply if the processing is carried out for direct marketing purposes. We will then no longer process your personal data for this purpose.


Data protection declaration created with Rechtstexter.de .

9. Apps or plugins used

We use the following applications, among others

9.1 Tidio LLC

We use Tidio, a chat platform that connects users with BonorumCBD GmbH customer support. We collect email addresses, names, phone numbers only with the user's consent to start the chat. This only if it is set as a pre-survey. Pre-survey is the process where the user provides email addresses, names and/or phone numbers before the chat begins. If the volume of chat requests is too high, for example, we allow ourselves a pre-survey so that we have data from the customer and can contact them in time (e.g. by email) and clarify their concerns. The exchanged messages and data are stored within the Tidio application. For more information, please see Tidio's Privacy Policy .

BonorumCBD GmbH only uses these messages or data to track users' registered problems or inquiries. Your personal data will be processed and transferred in accordance with the General Data Protection Regulation (GDPR).

9.2 Easy DHL

As an interface to DHL, personal data (name, address, email, telephone number) that is necessary for sending the package is transferred to DHL via this app.

For further information, please see the following data protection declaration

9.3 Volume & Discount Pricing

In order to offer the user a price tier, we use the Volume & Discount Pricing app. Here, the app creates a new order in the background with the same product details and address that the customer provided. It may also be the case that personal data is stored by Volume & Discount Pricing.

For further information, please see the following data protection declaration

9.4 Trusted Shops Trustbadge


The Trusted Shops trust badge is integrated on this website to display our Trusted Shops seal of quality and the reviews we have collected, as well as to offer Trusted Shops products to buyers after an order.

This is necessary to protect our overriding legitimate interests in optimal marketing by ensuring the security of your purchase in accordance with Article 6 (1) (f) GDPR. The Trustbadge and the services advertised with it are an offer from Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, _Germany. The trust badge is provided by a CDN (content delivery network) provider as part of order processing. Trusted Shops GmbH also uses service providers from the USA. An appropriate level of data protection is guaranteed. Further information on data protection at Trusted Shops GmbH can be found here: https://www.trustedshops.de/impressum/

When you access the trust badge, the web server automatically saves a server log file that contains, for example, your IP address, date and time of access, amount of data transferred and the requesting provider (access data) and documents the retrieval call. To analyze security problems, individual access data is stored in a security database. The log files are automatically deleted no later than 90 days after creation.

Further personal data will be transmitted to Trusted Shops GmbH if you decide to use Trusted Shops products after completing an order or have already registered for use. The contractual agreement made between you and Trusted Shops applies. For this purpose, personal data is automatically collected from the order data. Whether you are already registered as a Trusted Shops customer is automatically checked using a neutral parameter, the email address hashed using a one-way cryptographic function. Before transmission, the email address is converted into this hash value, which cannot be decrypted by Trusted Shops. After checking for compliance, the parameter is automatically deleted.

This is to protect our and Trusted Shops' predominant legitimate interests in providing the buyer protection associated with the specific order and the transaction verification services in accordance with Art. 6 para. 1 sec. 1 lit. f GDPR. Further details, including your right to object, can be found in the Trusted Shops data protection declaration linked above and in the Trustbadge.

9.5 Adcell / Firstlead GmbH partner program

This website uses tracking cookies from Firstlead GmbH with the ADCELL brand (www.adcell.de). As soon as the visitor clicks on an advertisement with the partner link, a cookie is set. Firstlead GmbH / ADCELL uses cookies to be able to trace the origin of orders. Firstlead GmbH / ADCELL also uses so-called tracking pixels. This allows information such as visitor traffic on the pages to be evaluated. The information generated by cookies and tracking pixels about the use of this website (including the IP address) and delivery of advertising formats is transmitted to a Firstlead GmbH / ADCELL server and stored there. Among other things, Firstlead GmbH / ADCELL can recognize that the partner link on this website was clicked. Firstlead GmbH / ADCELL can pass on this (anonymized) information to contractual partners under certain circumstances, but data such as the IP address will not be merged with other stored data.

For further information, please see the following data protection declaration

9.6 Order Printer Pro

We use Order Printer Pro to generate invoices for an order. This will be made available to the customer via email as a PDF. Here, personal data such as name, address (invoice & delivery address), email, telephone number, voucher codes, shipping method, payment details are provided by us to Order Printer Pro.

For further information, please see the following data protection declaration

9.7 Stamped.io Reviews

Stamped.io is our rating system. Here the user can rate products, which are displayed in the form of stars and comments in our online shop. Personal data such as, but not limited to, email, name, date of purchase, products purchased, order number, rating (stars), comment is provided to Stamped.io. After ordering, we can send the customer an email asking them to rate the purchased product and publish it when they submit a rating.

For further information, please see the following data protection declaration

10 tracking

10.1 Google Analytics

We use Google Analytics to analyze website usage. The data obtained from this is used to optimize our website and advertising measures.

Google Analytics is provided to us by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Google processes website usage data on our behalf and is contractually obliged to take measures to ensure the security and confidentiality of the processed data.

During your website visit, the following data, among others, is recorded:

  • Pages viewed
  • Orders including sales and the products ordered
  • Achieving “website goals” (e.g. contact inquiries and newsletter registrations)
  • Your behavior on the pages (e.g. dwell time, clicks, scrolling behavior)
  • Your approximate location (country and city)
  • Your IP address (in shortened form so that no clear assignment is possible)
  • Technical information such as browser, internet provider, device and screen resolution
  • Source of origin of your visit (i.e. which website or advertising medium you came to us from)

Personal data such as name, address or contact details are never transferred to Google Analytics.

This data is transferred to Google servers in the USA. We would like to point out that data protection law in the USA cannot guarantee the same level of protection as within the EU.

Google Analytics stores cookies in your web browser for a period of two years since your last visit. These cookies contain a randomly generated user ID that can be used to recognize you on future website visits.

The recorded data is stored together with the randomly generated user ID, which enables the evaluation of pseudonymous user profiles. This user-related data is automatically deleted after 14 months. Other data remains stored in aggregated form indefinitely.

If you do not agree with the recording, you can do so by installing it once Browser add-ons to deactivate Google Analytics prevent or by rejecting cookies via our cookie settings dialog .

10.2 Facebook Pixels

We use the Facebook pixel from Facebook on our website. We have implemented code for this on our website. The Facebook pixel is a snippet of JavaScript code that loads a collection of functions that allow Facebook to track your user actions if you came to our website via Facebook Ads. For example, if you purchase a product on our website, the Facebook pixel is triggered and stores your actions on our website in one or more cookies. These cookies enable Facebook to compare your user data (customer data such as IP address, user ID) with the data from your Facebook account. Then Facebook deletes this data again. The data collected is anonymous and cannot be viewed by us and can only be used to place advertisements. If you are a Facebook user and are logged in, your visit to our website will automatically be assigned to your Facebook user account.

We only want to show our services and products to those people who are really interested in them. With the help of Facebook pixels, our advertising measures can be better tailored to your wishes and interests. This means that Facebook users (if they have allowed personalized advertising) see appropriate advertising. Facebook also uses the data collected for analysis purposes and its own advertisements.

Below we will show you the cookies that were set by integrating Facebook pixels on a test page. Please note that these are just example cookies. Depending on the interaction on our website, different cookies are set.

Name: _fbp
Value: fb.1.1568287647279.257405483-6231579493877-7
Purpose: This cookie uses Facebook to display advertising products.
Expiry date: after 3 months

Name: fr
Value: 0aPf312HOS5Pboo2r..Bdeiuf…1.0.Bdeiuf.
Purpose: This cookie is used to ensure that Facebook Pixel works properly.
Expiry date: after 3 months

Name: comment_author_50ae8267e2bdf1253ec1a5769f48e062231579493877-3
Value: Author's name
Purpose: This cookie stores the text and name of a user who, for example, leaves a comment.
Expiry date: after 12 months

Name: comment_author_url_50ae8267e2bdf1253ec1a5769f48e062
Value: https%3A%2F%2Fwww.testseite…%2F (author’s URL)
Purpose: This cookie stores the URL of the website that the user enters in a text field on our website.
Expiry date: after 12 months

Name: comment_author_email_50ae8267e2bdf1253ec1a5769f48e062
Value: Author email address
Purpose: This cookie stores the user's email address if they have provided it on the website.
Expiry date: after 12 months

Note: The cookies mentioned above relate to individual user behavior. Changes on Facebook can never be ruled out, especially when it comes to the use of cookies.

If you are logged in to Facebook, you can change your advertising settings yourself at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen . If you are not a Facebook user, you can generally manage your usage-based online advertising at http://www.youronlinechoices.com/de/praferenzmanagement/ . There you have the option to deactivate or activate providers.

If you would like to learn more about Facebook's data protection, we recommend that you consult the company's own data policies https://www.facebook.com/policy.php .