1. Responsible person

The entity responsible for the data processing described below is the one named below:

Naturally Pam GmbH
Quays 12
20459 Hamburg
Germany

info@naturally-pam.com

Contact details of the data protection officer

Our external data protection officer is available to answer your questions regarding data protection using the following contact details:

datenschutz nord GmbH
Consul-Smidt-Straße 88
28217 Bremen
Web: www.datenschutz-nord-gruppe.de
Email: office@datenschutz-nord.de

When contacting our data protection officer, please also specify the responsible body.

2. Privacy Policy for our Shopify website

General information on data processing

We operate our website via the platform Shopify Inc., 151 O'Connor Street, Ground Floor, Ottawa, ON K2P 2L8, Canada. Shopify is a service provider that supplies us with the technical infrastructure for our website and processes personal data on our behalf.

When you place an order with us, we process your personal data on the basis of Art. 6 para. 1 lit. b) GDPR, which we absolutely need for order processing, contract fulfillment and, if applicable, for processing returns. This includes providing your name, email address, delivery address, billing address (if applicable) and payment information.

As part of Shopify's Content Delivery Network (CDN), your IP address may be transmitted to the respective third-party provider ( see Shopify's subcontractors) . This is done solely for the purpose of ensuring the website functions quickly and efficiently and reducing loading times.

When placing an order, you are required to fill in the fields marked as mandatory, otherwise we cannot conclude or fulfill the contract with you. However, there are no disadvantages for you if you do not provide the optional information.

When you simply use our website for informational purposes, i.e., if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure its stability and security:

• IP address
• Date and time of the request
• Time zone difference to Greenwich Mean Time (GMT)
• Content of the request (specific page)
• Access status/HTTP status code
• each data volume transferred
• Website from which the request originates
• browser
• Operating system and its interface
• Language and version of the browser software.
• The legal basis for storing the data is Art. 6 para. 1 lit. f GDPR.

Data transfer to third countries

Shopify may also transfer data to servers in Canada and the USA. Canada and the USA have an adequacy decision from the EU Commission.

Use of cookies and tracking technologies

To make your visit to our website more enjoyable and to enable the use of certain features, we use cookies, which are small text files that are stored on your device. Some of these cookies are automatically deleted after you close your browser (so-called "session cookies"), while others remain on your device for a longer period and allow us to save your website settings (so-called "persistent cookies"). In the latter case, you can find information about the storage duration in your web browser's cookie settings.

You can configure your browser to notify you when cookies are set and allow you to decide whether to accept them individually, or to exclude the acceptance of cookies in certain cases or entirely.

Please note that if you do not accept cookies, the functionality of our website may be limited.

You can change or revoke your settings here at any time.

Legal basis for processing

Your personal data is processed on the basis of:
- Article 6 paragraph 1 letter b GDPR (performance of a contract)
- Art. 6 para. 1 lit. f GDPR (Our legitimate interest in the analysis data lies in our desire to optimize our product range and therefore evaluate sales. You have the option to object to data processing by email.)

Order processing

We have a data processing agreement with Shopify in accordance with Article 28 of the GDPR. Shopify processes data exclusively on our instructions and in compliance with strict data protection regulations.

3. Google Analytics

To tailor our websites to your needs, we use the web analytics tool "Google Analytics." Google Analytics creates user profiles based on pseudonyms. For this purpose, persistent cookies are stored on your device and read by us. This allows us to recognize returning visitors and count them as such. Google Ireland Limited and Google LLC (USA) support us in the use of Google Analytics as data processors pursuant to Article 28 GDPR. Data processing may therefore also take place outside the EU or the EEA. With regard to Google LLC, an adequate level of data protection cannot be assumed due to processing in the USA. There is a risk that authorities may access the data for security and surveillance purposes without you being informed or having the opportunity to seek legal recourse. Please bear this in mind when deciding whether to consent to our use of Google Analytics. Data processing is based on your consent if you have given your consent via our banner. Transfer to a third country is based on Article 49 Paragraph 1 Letter a GDPR.
You can withdraw your consent at any time. Please follow this link and adjust the settings via our banner.

4. Third-party tracking technologies for advertising purposes

We use cross-device tracking technologies so that, based on your visits to our websites, you can be shown targeted advertising on other websites, and so that we can determine the effectiveness of our advertising campaigns. Data processing is based on your consent, provided you have given your consent via our banner. Your consent is voluntary and can be revoked at any time. How does tracking work? When you visit our websites, the third-party providers listed below may retrieve identifiers for your browser or device (e.g., a so-called browser fingerprint), analyze your IP address, store or read identifiers on your device (e.g., cookies), or access individual tracking pixels. These identifiers can be used by the third-party providers to recognize your device on other websites. We may commission the respective third-party providers to display advertising based on the pages you visit on our website. What does cross-device tracking mean? If you log in to the third-party provider with your own user data, the respective identifiers of different browsers and devices can be linked together. If, for example, the third-party provider has created a unique attribute for your laptop, desktop PC, smartphone, or tablet, these individual attributes can be linked to each other as soon as you use your login credentials to access a service provided by that third party. This allows the third-party provider to target our advertising campaigns across different devices. Which third-party providers do we use in this context? Below, we list the third-party providers with whom we collaborate for advertising purposes. If data is processed outside the EU or the EEA in this context, please note that there is a risk that authorities may access the data for security and surveillance purposes without your knowledge or ability to seek legal recourse. If we use providers in countries with insecure third countries and you consent, the transfer to a third country is based on Article 49(1)(a) GDPR.

Remarketing

On our websites, we use "Custom Audiences" from Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA ("Facebook") for retargeting and remarketing purposes. This service uses so-called tracking or remarketing pixels. These are pixel image files that enable log file analysis. By using these pixels, the service provider can see when and how many users have accessed the pixel, or whether and when an email was opened or a website was visited.

This service allows us to display interest-based advertisements ("Facebook Ads") to users of our website when they visit the social network Facebook or other websites that also use this technology. Our aim is to show you advertising that is relevant to you, in order to make our website more interesting for you. When you visit our website, a direct connection to Facebook's servers is established via the pixel. This enables Facebook to identify you using your browser ID, as this can be linked to your user account. We have no control over the scope and further use of the data collected by Facebook through this tool and are therefore informing you to the best of our knowledge: By integrating Facebook Custom Audiences, Facebook receives the information that you have accessed the corresponding page of our website or clicked on one of our ads. If you are registered with a Facebook service, Facebook can associate your visit with your account. Even if you are not registered with Facebook or have not logged in, there is a possibility that the provider will learn and store your IP address and other identifying information.

The legal basis for processing your data is Article 6(1)(f) GDPR. Further information on data processing by Facebook can be found at https://www.facebook.com/about/privacy/

criteo

We use cookies and other tracking technologies from Criteo GmbH (Criteo) for advertising purposes. The data collected by Criteo using cookies and non-cookie technologies is used to display targeted advertising based on the recognition of the user's device and the collection of information about their browsing activities. This processing enables us to display advertisements for our products and/or services to users on third-party websites and apps, even across devices and browsers. Criteo acts as a joint controller with us within the meaning of Article 26 GDPR. Users can therefore assert their rights against both us and Criteo. Information about Criteo and the joint controllership agreement can be found at the following link: https://www.criteo.com/privacy/how-we-use-your-data/ . Criteo's privacy policy is available at the following link: http://www.criteo.com/privacy . Personal data processed: Tracker, technical information about the device and internet connection, browsing events. Storage period: 13 months. The legal basis for data processing is your consent pursuant to Section 25 Paragraph 1 TTDSG, Article 6 Paragraph 1 lit. a) GDPR.

Clarity

We work with Microsoft Clarity and Microsoft Advertising to understand how you use and interact with our website using behavioral metrics, heatmaps, and session replays to improve and market our products and services. Website usage data is collected using first- and third-party cookies and other tracking technologies to determine the popularity of products, services, and online activities. We also use this information to optimize the website, for fraud and security prevention, and for advertising. Microsoft Clarity considers itself responsible for data protection. Therefore, please refer directly to Microsoft for information. Further information about how Microsoft collects and uses your data can be found in the Microsoft Privacy Statement . The legal basis for data processing is your consent pursuant to Article 6(1)(a) GDPR.

Advertising for own similar products

After your purchase, we will regularly send you selected product information about similar products from our range via email or post. For this purpose, we use the email address or postal address you provided during the ordering process. The basis for this data processing is our legitimate interest in providing you with further attractive product information based on your purchase. You can object to this advertising for our own similar products at any time. Simply send us an email to datenschutz@goodlife-company.de.

You will be explicitly informed about this mailing and the possibility of objecting when your email address or postal address is collected.

5. Newsletter registration and distribution

You can subscribe to our newsletter on our website. Please note that we require certain data (at least your email address) for newsletter registration. The newsletter will only be sent if you have given us your explicit consent. After subscribing on our website, you will receive a confirmation email at the email address you provided (so-called double opt-in). You can revoke your consent at any time. An easy way to unsubscribe is via the unsubscribe link included in every newsletter. In addition to the data already mentioned, we also store further data during newsletter registration, provided this is necessary to prove that you have subscribed to our newsletter. This may include storing the full IP address at the time of subscription or newsletter confirmation, as well as a copy of the confirmation email we sent. This data processing is based on Article 6 Paragraph 1 Sentence 1 Letter f GDPR and is carried out in our legitimate interest to be able to demonstrate the lawfulness of sending the newsletter.

We use the Klaviyo service provided by Klaviyo Inc., 225 Franklin St, Floor 10, Boston, MA 02110, USA, to send our newsletters. The processing of your data stored during newsletter registration (email address, name if applicable, IP address, date and time of registration) may also take place in the USA. According to the European Court of Justice, the USA currently does not provide an adequate level of data protection.

Klaviyo uses standard contractual clauses pursuant to Article 46(2) and (3) of the GDPR ( https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de ) as the basis for processing or transferring data to countries outside the EU. These clauses obligate Klaviyo to comply with EU data protection standards when processing your data, even if the data is transferred to, processed, and stored in third countries such as the USA. You can find more information on Klaviyo's website at https://www.klaviyo.com/legal/data-processing-agreement and https://www.klaviyo.com/legal/privacy/privacy-notice

6. Emails

For sending emails, we use the service providers Klaviyo Inc., 225 Franklin St, Floor 10, Boston, MA 02110, USA; Shopify, a service of Shopify Inc., 126 York Street, Suite 200, Ottawa, ON, Canada, K1N 5T5; and Mailchimp, a service of The Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. This applies to transactional emails such as order confirmations, shipping confirmations, and emails containing promotional content.

Klaviyo has access to your data. This data processing may also take place in the USA. According to the European Court of Justice, the USA currently does not provide an adequate level of data protection.

Klaviyo uses standard contractual clauses pursuant to Article 46(2) and (3) of the GDPR ( https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de ) as the basis for processing or transferring data to countries outside the EU. These clauses obligate Klaviyo to comply with EU data protection standards when processing your data, even if the data is transferred to, processed, and stored in third countries such as the USA. You can find more information on Klaviyo's website at https://www.klaviyo.com/legal/data-processing-agreement and https://www.klaviyo.com/legal/privacy/privacy-notice .

8. Ordering on the website

Processing of your data when placing an order

If you decide to order products, we process your data for the fulfillment and execution of the contract and, if applicable, its cancellation upon termination. We also use your data to inform you about the order status. You can deactivate these notifications at any time via your account settings. The legal basis for data processing for contract fulfillment is Article 6 Paragraph 1 Sentence 1 Letter b GDPR, and for fulfilling legal information and retention obligations, Article 6 Paragraph 1 Letter c GDPR. If you are ordering as a contact person for a company or organization, we process your data on the basis of Article 6 Paragraph 1 Sentence 1 Letter f GDPR. As the contact person, you can object to this processing at any time with effect for the future in accordance with Article 21 GDPR.

Email forwarding to parcel services

When you place an order through our website, we share the email address you provided with your order with our logistics partner. This is to ensure we fulfill our contractual obligation to deliver your order and to enable you to receive it. The legal basis for this is Article 6(1)(f) of the GDPR. Our legitimate interest is to guarantee the shipment of goods and a successful order process. The email address also serves as an additional contact option to inform you about the delivery status or to communicate with you in case of delivery problems. Our current logistics partner is Rhiem Services GmbH, which in turn uses various service providers to deliver the packages.

Payment processing

Various payment methods are available during the ordering process (PayPal, credit card). Payment processing via PayPal is handled by PayPal (Europe) S.àr.l. et Cie, SCA, 22-24-Boulevard Royal, L-2449 Luxembourg, under its own responsibility. During the payment process, you will be redirected to PayPal's website to enter your data. PayPal does not transmit any further information to us beyond the selected payment method and confirmation of successful payment processing. We also do not receive any payment information from PayPal, such as bank account details, credit card information, or similar data. The legal basis for processing your data is Article 6 Paragraph 1 Sentence 1 Letter b GDPR. Further information on data protection at PayPal can be found at https://www.paypal.com/myaccount/privacy/privacyhub

Shop reviews from TrustedShops

You can rate our website. In doing so, your name, email address, and other contract/buyer data (e.g., order number) and usage data (e.g., website usage log files) may be processed. The rating is voluntary. By submitting a rating, you consent to the associated data processing, Art. 6 para. 1 lit. a GDPR. The rating is supported by TrustedShops GmbH, with whom we have concluded a data processing agreement pursuant to Art. 28 GDPR. Further information on data protection at TrustedShops can be found at https://business.trustedshops.de/impressum

Duration of data storage

Your data will be stored with us for as long as necessary for the purposes mentioned above or due to a legal obligation to retain it. Your data in your customer account will be stored by us until you delete the account. Data relating to an order will be retained for three years after completion of the order, unless legal obligations (e.g., commercial or tax law obligations under the German Commercial Code (HGB) and the German Fiscal Code (AO)) require longer retention. The period begins at the end of the calendar year in which the event triggering the period occurs.

9. Your rights as a data subject

When processing your personal data, the GDPR grants you, as a data subject, certain rights:

Right of access (Art. 15 GDPR)

You have the right to request confirmation as to whether personal data concerning you is being processed; if this is the case, you have the right to access this personal data and the information detailed in Article 15 of the GDPR.

Right to rectification (Art. 16 GDPR)

You have the right to request the immediate rectification of inaccurate personal data concerning you and, if necessary, the completion of incomplete data.

Right to erasure (Art. 17 GDPR)

You have the right to request that personal data concerning you be deleted without undue delay if one of the grounds listed in Article 17 of the GDPR applies.

Right to restriction of processing (Art. 18 GDPR)

You have the right to request the restriction of processing if one of the conditions listed in Article 18 GDPR is met, e.g. if you have objected to the processing, for the duration of the review by the controller.

Right to data portability (Art. 20 GDPR)

In certain cases, which are detailed in Article 20 of the GDPR, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format or to request the transmission of this data to a third party.

Right of withdrawal (Art. 7 GDPR)

If the processing of your data is based on your consent, you have the right, pursuant to Article 7(3) GDPR, to withdraw your consent to the use of your personal data at any time. Please note that the withdrawal of consent is only effective for the future. Processing that took place before the withdrawal remains unaffected.

Right to object (Art. 21 GDPR)

If data is collected on the basis of Article 6(1)(f) GDPR (data processing for the purposes of legitimate interests) or on the basis of Article 6(1)(e) GDPR (data processing for the purposes of the public interest or in the exercise of official authority), you have the right to object to the processing at any time on grounds relating to your particular situation. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of establishing, exercising or defending legal claims.

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

Pursuant to Article 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data infringes data protection regulations. This right to lodge a complaint can be exercised, in particular, with a supervisory authority in the Member State of your habitual residence, your place of work, or the place of the alleged infringement.

Asserting your rights

Unless otherwise described above, please contact the entity named in the legal notice to assert your data subject rights.