Data protection declaration

We are very pleased about your interest in our company. Data protection is of a particularly high priority for the management of Summary GmbH. The use of the Internet pages of the Summary GmbH is possible without any indication of personal data. However, if a data subject wants to use special services of our enterprise via our website, processing of personal data could become necessary. If processing of personal data is necessary and there is no legal basis for such processing, we will generally obtain the consent of the data subject.

1. definitions

The data protection declaration of Summary GmbH is based on the terms used by the European
Parliament and the Council for the adoption of the General Data Protection Regulation (GDPR). Our data
protection declaration should be easy to read and understand for the public as well as for our customers
and business partners. To ensure this, we would like to explain the terms used in advance.

We use the following terms, among others, in this privacy policy:

a) personal data

Personal data means any information relating to an identified or identifiable natural person
(hereinafter “data subject”). An identifiable natural person is one who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, an identification number, location
data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person.

.
Subscribe to DeepL Pro to edit this document.
Visit www.DeepL.com/profor more information.
b) Person concerned

The data subject is any identified or identifiable natural person whose personal data are processed
by the controller.
c) Processing

Processing is any operation or set of operations which is performed upon personal data, whether or
not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making
available, alignment or combination, restriction, erasure or destruction.

.
d) Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of limiting their future
processing.
e) Profiling

Profiling is any form of automated processing of personal data which consists of using such personal
data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict
aspects relating to that natural person’s performance at work, economic situation, health, personal
preferences, interests, reliability, behaviour, location or change of location.
f) Pseudonymisation

Pseudonymisation is the processing of personal data in such a way that the personal data can no
longer be attributed to a specific data subject without the use of additional information, provided that
such additional information is kept separately and is subject to technical and organisational measures
which ensure that the personal data are not attributed to an identified or identifiable natural
person.
g) Controller or person responsible for processing

with others determines the purposes and means of the processing of personal data. Where the purposes
and means of such processing are determined by Union or Member State law, the controller or the
specific criteria for its designation may be provided for under Union or Member State law.
h) Processor

A processor is a natural or legal person, public authority, agency or other body that processes
personal data on behalf of the controller.
i) Receiver

Recipient means a natural or legal person, public authority, agency or other body to whom personal
data are disclosed, whether or not a third party. However, public authorities that may receive personal
data in the context of a specific investigative task under Union or Member State law shall not be
considered as recipients.
j) Third party

Third party means any natural or legal person, public authority, agency or other body other than the
data subject, the controller, the processor and the persons who, under the direct authority of the
controller or the processor, are authorised to process the personal data.
k) Consent

Consent shall mean any freely given specific and informed indication of his or her wishes, in the form
of a statement or other unambiguous affirmative act, by which the data subject signifies his or her
agreement to personal data relating to him or her being processed.

Consent shall mean any
freely given indication of his or her wishes, in an informed and unambiguous manner, by which the data
subject signifies his or her agreement to personal data relating to him or her being processed.

2. name and address of the controller

The responsible party within the meaning of the General Data Protection Regulation, other data
protection laws applicable in the Member States of the European Union and other provisions of a data
protection nature is the:

Summary GmbH

Vossbarg 14-16
25524. Itzehoe.
Deutschland

Tel.: +49 (0)4821 779 67-0

Email: compliance-ag@summary-company.com

Website: www.ultranatura.net

3. cookies

The Internet pages of Summary GmbH use cookies. Cookies are text files that are placed and stored
on a computer system via an internet browser.

Numerous websites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID
is a unique identifier of the cookie. It consists of a string of characters by which internet pages and
servers can be assigned to the specific internet browser in which the cookie was stored. This enables the
visited Internet pages and servers to distinguish the individual browser of the data subject from other
Internet browsers that contain other cookies. A specific internet browser can be recognised and
identified via the unique cookie ID.

Through the use of cookies, the Summary GmbH can provide the users of this website with more
user-friendly services that would not be possible without the cookie setting.

By means of a cookie, the information and offers on our website can be optimised in the sense of the
user. As already mentioned, cookies enable us to recognise the users of our website. The purpose of this
recognition is to make it easier for users to use our website. For example, the user of a website that uses
cookies does not have to re-enter his or her access data each time he or she visits the website, because
this is done by the website and the cookie stored on the user’s computer system. Another example is the
cookie of a shopping basket in an online shop. The online shop remembers the items that a customer has
placed in the virtual shopping basket via a cookie.

The data subject can prevent the setting of cookies by our website at any time by means of an
appropriate setting of the Internet browser used and thus permanently object to the setting of cookies.
Furthermore, cookies that have already been set can be deleted at any time via an internet browser or
other software programmes. This is possible in all common internet browsers. If the data subject
deactivates the setting of cookies in the Internet browser used, not all functions of our website may be
fully usable.

4. Collection of general data and information

The website of the Summary GmbH collects a series of general data and information every time a
data subject or automated system calls up the website. This general data and information is stored in the
log files of the server. The following data may be collected: (1) the browser types and versions used, (2)
the operating system used by the accessing system, (3) the website from which an accessing system
accesses our website (so-called referrer), (4) the sub-websites that are accessed via an accessing system
on our website, (5) the date and time of an access to the website, (6) an Internet protocol address (IP
address), (7) the Internet service provider of the accessing system and (8) other similar data and
information that serve to avert danger in the event of attacks on our information technology
systems.

When using these general data and information, the Summary GmbH does not draw any conclusions
about the data subject. Rather, this information is needed (1) to deliver the contents of our website
correctly, (2) to optimise the contents of our website and the advertising for these, (3) to ensure the
long-term functionality of our information technology systems and the technology of our website, and
(4) to provide law enforcement authorities with the information necessary for prosecution in the event
of a cyber attack. Therefore, the Summary GmbH analyzes anonymously collected data and information
on one hand, and on the other hand, with the aim of increasing the data protection and data security of
our enterprise so that we can ultimately ensure an optimal level of protection for the personal data we
process. The anonymous data of the server log files are stored separately from any personal data
provided by a data subject.

5. Registration on our website

The data subject has the possibility to register on the website of the controller by providing personal
data. The personal data that is transmitted to the controller in this context results from the respective
input mask used for the registration. The personal data entered by the data subject are collected and
stored exclusively for internal use by the controller and for its own purposes. The controller may arrange
for the data to be transferred to one or more processors, for example a parcel service provider, who will
also use the personal data exclusively for an internal use attributable to the controller.

By registering on the website of the controller, the IP address assigned by the Internet service
provider (ISP) of the data subject, the date and the time of registration are also stored. The storage of
this data takes place against the background that only in this way can the misuse of our services be
prevented and, if necessary, this data makes it possible to clarify criminal offences that have been
committed. In this respect, the storage of this data is necessary for the protection of the data controller.
As a matter of principle, this data is not passed on to third parties, unless there is a legal obligation to
pass it on or the passing on serves the purpose of criminal prosecution.

The registration of the data subject by voluntarily providing personal data serves the purpose of the
controller to offer the data subject content or services which, due to the nature of the matter, can only
be offered to registered users. Registered persons are free to modify the personal data provided during
registration at any time or to have them completely deleted from the controller’s database.

The controller shall provide any data subject at any time, upon request, with information on what
personal data is stored about the data subject. Furthermore, the controller shall correct or erase
personal data at the request or indication of the data subject, provided that there are no legal
obligations to retain such data. The entire staff of the controller shall be available to the data subject as
contact persons in this context.

6. Subscription to our newsletter

On the website of the Summary GmbH, users are given the opportunity to subscribe to our
enterprise’s newsletter. The personal data transmitted to the controller when the newsletter is ordered
is specified in the input mask used for this purpose.

The Summary GmbH informs its customers and business partners at regular intervals by means of a
newsletter about enterprise offers. The newsletter of our enterprise can basically only be received by the
data subject, if (1) the data subject has a valid e-mail address and (2) the data subject registers for the
newsletter mailing. For legal reasons, a confirmation e-mail is sent to the e-mail address registered by a
data subject for the first time for the newsletter dispatch using the double opt-in procedure. This
confirmation email serves to verify whether the owner of the email address as the data subject has
authorised the receipt of the newsletter.

When registering for the newsletter, we also store the IP address of the computer system used by
the data subject at the time of registration as well as the date and time of registration, which is assigned
by the Internet service provider (ISP). The collection of this data is necessary in order to be able to trace
the (possible) misuse of a data subject’s email address at a later point in time and therefore serves as a
legal safeguard for the controller.

The personal data collected in the context of a registration for the newsletter is used exclusively for
sending our newsletter. Furthermore, subscribers to the newsletter could be informed by e-mail if this is
necessary for the operation of the newsletter service or a related registration, as could be the case in the
event of changes to the newsletter offer or changes in the technical circumstances. No personal data
collected as part of the newsletter service will be passed on to third parties. The subscription to our
newsletter can be cancelled by the data subject at any time. The consent to the storage of personal data,
which the data subject has given us for the newsletter dispatch, can be revoked at any time. For the
purpose of revoking consent, a corresponding link can be found in each newsletter. Furthermore, it is
also possible to unsubscribe from the newsletter at any time directly on the website of the controller or
to inform the controller of this in another way.

7. Newsletter tracking

The newsletters of Summary GmbH contain so-called tracking pixels. A tracking pixel is a miniature
graphic that is embedded in such emails that are sent in HTML format to enable log file recording and log
file analysis. This allows a statistical evaluation of the success or failure of online marketing campaigns.
Based on the embedded tracking pixel, the Summary GmbH may see if and when an e-mail was opened
by a data subject, and which links contained in the e-mail were called up by the data subject.

Such personal data collected via the tracking pixels contained in the newsletters are stored and
analysed by the controller in order to optimise the newsletter dispatch and to better adapt the content
of future newsletters to the interests of the data subject. This personal data will not be disclosed to third
parties. Data subjects are entitled at any time to revoke the separate declaration of consent given in this
regard via the double opt-in procedure. After a revocation, this personal data will be deleted by the data
controller. The Summary GmbH automatically regards a withdrawal from the receipt of the newsletter as
a revocation.

8. Contact possibility via the website

The website of the Summary GmbH contains legal requirements which enable a quick electronic
contact to our enterprise, as well as direct communication with us, which also includes a general address
of the so-called electronic mail (e-mail address). If a data subject contacts the controller by e-mail or by
using a contact form, the personal data transmitted by the data subject will be stored automatically.
Such personal data transmitted on a voluntary basis by a data subject to the controller will be stored for
the purposes of processing or contacting the data subject. This personal data will not be disclosed to
third parties.

9. Comment function in the blog on the website

The Summary GmbH offers users the possibility to leave individual comments on individual blog
contributions on a blog, which is located on the website of the controller. A blog is a portal maintained
on a website, which is usually publicly viewable, in which one or more persons, called bloggers or web
bloggers, can post articles or write down thoughts in so-called blogposts. The blogposts can usually be
commented on by third parties.

If a data subject leaves a comment on the blog published on this website, in addition to the
comments left by the data subject, details of the time the comment was entered and the user name
(pseudonym) chosen by the data subject are also stored and published. Furthermore, the IP address
assigned by the Internet service provider (ISP) of the person concerned is also logged. This storage of the
IP address takes place for security reasons and in the event that the person concerned violates the rights
of third parties by posting a comment or posts illegal content. The storage of this personal data is
therefore in the controller’s own interest, so that the controller could exculpate itself if necessary in the
event of an infringement. There will be no disclosure of these collected personal data to third parties,
unless such disclosure is required by law or serves the legal defence of the controller.

10. Routine deletion and blocking of personal data

The controller shall process and store personal data of the data subject only for the time necessary to
achieve the purpose of the storage or where provided for by the European Directive and Regulation or
other legislator in laws or regulations to which the controller is subject.

If the purpose of storage no longer applies or if a storage period prescribed by the European
Directive and Regulation or another competent legislator expires, the personal data will be routinely
blocked or deleted in accordance with the statutory provisions.

11. Rights of the data subject

a) Right to confirmation
Any data subject shall have the right, granted by the European Directive and the Regulation, to
obtain confirmation from the controller as to whether personal data concerning him or her are being
processed. If a data subject wishes to exercise this right, he or she may, at any time, contact any
employee of the controller.
b) Right of access
Any person concerned by the processing of personal data has the right, granted by the European
Directive and Regulation, to obtain at any time from the controller, free of charge, access to, and a copy
of, personal data relating to him or her which has been stored. Furthermore, the European Directive and
Regulation has granted the data subject access to the following information:
- - the purposes of processing
  - the categories of personal data that are processed
  - the recipients or categories of recipients to whom the personal data have been or will be disclosed, in
    particular in the case of recipients in third countries or international organisations
  - If possible, the planned duration for which the personal data will be stored or, if this is not possible,
    the criteria for determining this duration
  - the existence of a right to obtain the rectification or erasure of personal data concerning him or her,
    or to obtain the restriction of processing by the controller, or a right to object to such processing
  - the existence of a right of appeal to a supervisory authority
  - if the personal data are not collected from the data subject: All available information about the origin
    of the data
GDPR and, at least in these cases, meaningful information about the logic involved and the scope and
intended effects of such processing for the data subject
The data subject also has the right to be informed whether personal data have been transferred to a
third country or to an international organisation. If this is the case, the data subject also has the right to
be informed about the appropriate safeguards in connection with the transfer.
If a data subject wishes to exercise this right of access, he or she may, at any time, contact an
employee of the controller.
c) Right of rectification
Any person affected by the processing of personal data shall have the right granted by the European
Directive and Regulation to obtain the rectification without delay of inaccurate personal data concerning
him or her. Furthermore, the data subject has the right to request the completion of incomplete
personal data, including by means of a supplementary declaration, taking into account the purposes of
the processing.
If a data subject wishes to exercise this right of rectification, he or she may, at any time, contact any
employee of the controller.
d) Right to erasure (right to be forgotten)
Every data subject concerned by the processing of personal data has the right, granted by the
European Directive and Regulation, to obtain from the controller the erasure without delay of personal
data relating to him or her, where one of the following grounds applies and insofar as the processing is
not necessary:
- The personal data have been collected or otherwise processed for purposes for which they are no
  longer necessary.
- The data subject revokes his or her consent on which the processing was based pursuant to Article
  6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR and there is no other legal basis for the processing.
- The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no
  overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant
  to Article 21(2) of the GDPR.
- The personal data have been processed unlawfully.
- The deletion of the personal data is necessary for compliance with a legal obligation under Union or
  Member State law to which the controller is subject
- The personal data were collected in relation to information society services offered pursuant to Art. 8
  (1) DS-GVO.
If one of the aforementioned reasons applies, and a data subject wishes to arrange for the deletion
of personal data stored by the Summary GmbH, he or she may, at any time, contact any employee of the
controller. The employee of the Summary GmbH will arrange for the deletion request to be complied
with immediately.
If the personal data has been made public by the Summary GmbH and our company as the
responsible party is obliged to delete the personal data pursuant to Art. 17 Para. 1 DS-GVO to erase the
personal data, Summary GmbH shall implement reasonable measures, including technical measures,
taking into account the available technology and the cost of implementation, in order to inform other
data controllers which are processing the published personal data that the data subject has requested
from those other data controllers to erase all links to or copies or replications of the personal data,
unless the processing is necessary. The employee of the Summary GmbH will arrange the necessary in
individual cases.
e) Right to restriction of processing
Any person concerned by the processing of personal data has the right, granted by the European
Directive and Regulation, to obtain from the controller the restriction of processing where one of the
following conditions is met:
- The accuracy of the personal data is contested by the data subject for a period enabling the
  controller to verify the accuracy of the personal data
- The processing is unlawful, the data subject objects to the erasure of the personal data and instead
  requests the restriction of the use of the personal data.
- The controller no longer needs the personal data for the purposes of processing, but the data subject
  needs them for the establishment, exercise or defence of legal claims.
- The data subject has objected to the processing pursuant to Article 21(1) of the GDPR and it is not yet
  clear whether the legitimate grounds of the controller override those of the data subject
If one of the aforementioned conditions is met, and a data subject wishes to request the restriction
of personal data stored by the Summary GmbH, he or she may, at any time, contact any employee of the
controller. The employee of the Summary GmbH will arrange the restriction of the processing.
f) Right to data portability
Any data subject of the processing of personal data has the right granted by the European Directive
and Regulation to receive the personal data concerning him or her, which have been provided by the
data subject to a controller, in a structured, commonly used and machine-readable format. He or she
shall also have the right to transmit such data to another controller without hindrance from the
controller to whom the personal data have been provided, provided that the processing is based on
consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR or on a contract pursuant
to Article 6(1)(b) of the GDPR and the processing is carried out by automated means, unless the
processing is necessary for the performance of a task carried out in the public interest or in the exercise
of official authority vested in the controller.
Furthermore, when exercising the right to data portability pursuant to Article 20(1) of the GDPR, the
data subject shall have the right to obtain that the personal data be transferred directly from one
controller to another controller, where this is technically feasible and provided that this does not
adversely affect the rights and freedoms of other persons.
In order to assert the right to data portability, the data subject may at any time contact any
employee of the Summary GmbH.
g) Right of appeal
Any person affected by the processing of personal data shall have the right granted by the European
Directive and Regulation to object at any time, on grounds relating to his or her particular situation, to
the processing of personal data concerning him or her which is carried out on the basis of Article 6(1)(e)
or (f) of the GDPR. This also applies to profiling based on these provisions.
The Summary GmbH shall no longer process the personal data in the event of the objection, unless
we can demonstrate compelling legitimate grounds for the processing which override the interests,
rights and freedoms of the data subject, or for the assertion, exercise or defence of legal claims.
If the Summary GmbH processes personal data for the purpose of direct marketing, the data subject
shall have the right to object at any time to processing of personal data processed for such marketing.
This also applies to the profiling, insofar as it is related to such direct marketing. If the data subject
objects to Summary GmbH to the processing for direct marketing purposes, Summary GmbH will no
longer process the personal data for these purposes.
In addition, the data subject has the right, on grounds relating to his or her particular situation, to
object to processing of personal data concerning him or her which is carried out by the Summary GmbH
for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the
Data Protection Regulation, unless such processing is necessary for the performance of a task carried out
in the public interest.
In order to exercise the right to object, the data subject may directly contact any employee of the
Summary GmbH or another employee. The data subject is also free, in connection with the use of
information society services, notwithstanding Directive 2002/58/EC, to exercise his or her right to object
by means of automated procedures using technical specifications.
h) Automated decisions in individual cases including profiling
Any person concerned by the processing of personal data shall have the right, granted by the
European Directive and the Regulation, not to be subject to a decision based solely on automated
processing, including profiling, which produces legal effects concerning him or her or similarly
significantly affects him or her, provided that the decision (1) is not necessary for entering into, or the
performance of, a contract between the data subject and the controller, or (2) is authorised by Union or
Member State law to which the controller is subject and that such law lays down appropriate measures
to safeguard the data subject’s rights and freedoms and legitimate interests, or (3) is based on the data
subject’s explicit consent.
If the decision (1) is necessary for entering into, or the performance of, a contract between the data
subject and the data controller, or (2) it is made with the data subject’s explicit consent, the Summary
GmbH shall implement suitable measures to safeguard the data subject’s rights and freedoms and
legitimate interests, which include at least the right to obtain the data subject’s involvement on the part
of the controller, to express his or her point of view and to contest the decision.
If the data subject wishes to exercise rights concerning automated decisions, he or she may, at any
time, contact any employee of the controller.
i) Right to withdraw consent under data protection law
Any person concerned by the processing of personal data has the right granted by the European
Directive and Regulation to withdraw consent to the processing of personal data at any time.
If the data subject wishes to exercise the right to withdraw consent, he or she may, at any time,
contact any employee of the controller.

12. privacy policy on the use and application of AddThis

The controller has integrated components of the company AddThis on this website. AddThis is a socalled bookmarking provider. The service enables a simplified bookmarking of Internet pages via buttons.
By moving the mouse over the AddThis component or by clicking on it, a list of bookmarking and sharing
services is displayed. AddThis is used on more than 15 million websites, and the buttons are displayed
more than 20 billion times a year, according to the operating company.

The operating company of AddThis is Oracle Corporation, 10 Van de Graaff Drive, Burlington, MA
01803, USA.

Whenever one of the individual pages of this website operated by the data controller is called up and
on which an AddThis component has been integrated, the internet browser on the information
technology system of the data subject is automatically prompted by the respective AddThis component
to download data from the website www.addthis.com. The data subject’s internet browser automatically
receives the AddThis component. As part of this technical procedure, AddThis receives knowledge about
the visit and which specific individual page of this website is used by the information technology system
used by the data subject. Furthermore, AddThis obtains knowledge of the IP address of the computer
system used by the data subject assigned by the Internet service provider (ISP), the browser type, the
browser language, the website accessed before our website, the date and the time of the visit to our
website. AddThis uses this data to create anonymised user profiles. The data and information
transmitted to AddThis in this way enable AddThis itself and the companies associated with AddThis or
its partner companies to target visitors to the controller’s Internet pages with personalised and interestbased advertising.

AddThis displays personalised and interest-based advertising on the basis of a cookie set by the
company. This cookie analyses the individual surfing behaviour of the computer system used by the
person concerned. The cookie stores the visits to Internet pages originating from the computer system.

The data subject can prevent the setting of cookies by our website, as already described above, at
any time by means of an appropriate setting of the Internet browser used and thus permanently object
to the setting of cookies. Such a setting of the Internet browser used would also prevent AddThis from
setting a cookie on the information technology system of the data subject. In addition, cookies already
set by AddThis can be deleted at any time via an internet browser or other software programmes.

The data subject also has the option to permanently object to the processing of personal data by
AddThis. To do so, the data subject must press the opt-out button under the link
http://www.addthis.com/privacy/opt-out, which sets an opt-out cookie. The opt-out cookie set with the
objection is stored on the information technology system used by the data subject. If the cookies on the
data subject’s system are deleted after an objection, the data subject must call up the link again and set
a new opt-out cookie.

With the setting of the opt-out cookie, however, there is the possibility that the Internet pages of the
controller are no longer fully usable for the data subject.

The applicable privacy policy of AddThis can be found at http://www.addthis.com/privacy/privacypolicy.

13. privacy policy on the use of Facebook

The controller has integrated components of the company Facebook on this website. Facebook is a
social network.

A social network is a social meeting place operated on the Internet, an online community that usually
allows users to communicate and interact with each other in virtual space. A social network can serve as
a platform for exchanging opinions and experiences or enables the internet community to provide
personal or company-related information. Facebook allows social network users to create private
profiles, upload photos and network via friend requests, among other things.

The operating company of Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA.
The controller of personal data, if a data subject lives outside the USA or Canada, is Facebook Ireland Ltd,
4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

Whenever a data subject accesses one of the individual pages of this website operated by the data
controller and on which a Facebook component (Facebook plug-in) has been integrated, the internet
browser on the data subject’s information technology system is automatically prompted by the
respective Facebook component to download a representation of the corresponding Facebook
component from Facebook. A complete overview of all Facebook plug-ins can be found at
https://developers.facebook.com/docs/plugins/?locale=de_DE. Within the scope of this technical
procedure, Facebook receives information about which specific sub-page of our website is visited by the
data subject.

If the data subject is logged in to Facebook at the same time, Facebook recognises which specific subpage of our website the data subject is visiting each time the data subject calls up our website and for
the entire duration of the respective stay on our website. This information is collected by the Facebook
component and assigned by Facebook to the respective Facebook account of the data subject. If the data
subject activates one of the Facebook buttons integrated on our website, for example the “Like” button,
or if the data subject posts a comment, Facebook assigns this information to the personal Facebook user
account of the data subject and stores this personal data.

Facebook always receives information via the Facebook component that the data subject has visited
our website if the data subject is logged into Facebook at the same time as calling up our website; this
takes place regardless of whether the data subject clicks on the Facebook component or not. If the data
subject does not want this information to be transmitted to Facebook, he or she can prevent the
transmission by logging out of his or her Facebook account before accessing our website.

The data policy published by Facebook, which can be accessed at https://dede.facebook.com/about/privacy/, provides information on the collection, processing and use of personal
data by Facebook. It also explains which setting options Facebook offers to protect the privacy of the
data subject. In addition, various applications are available that make it possible to suppress data
transmission to Facebook. Such applications can be used by the data subject to suppress data
transmission to Facebook.

14. Privacy policy on the use and application of functions of the Amazon affiliate programme

As a participant in the Amazon affiliate programme, the controller has integrated Amazon
components on this website. The Amazon components have been designed by Amazon with the aim of
referring customers to different websites of the Amazon group, in particular Amazon.co.uk,
Local.Amazon.co.uk, Amazon.de, BuyVIP.com, Amazon.fr, Amazon.it and Amazon.es, via advertisements.
BuyVIP.com in return for the payment of a commission. The controller may generate advertising revenue
through the use of the Amazon components.

The operating company of these Amazon components is Amazon EU S.à.r.l, 5 Rue Plaetis, L-2338
Luxembourg, Luxembourg.

Amazon sets a cookie on the information technology system of the data subject. What cookies are
has already been explained above. By each individual call-up of one of the individual pages of this
website, which is operated by the controller and on which an Amazon component has been integrated,
the internet browser on the information technology system of the data subject is automatically caused
by the respective Amazon component to transmit data to Amazon for the purpose of online advertising
and the settlement of commissions. As part of this technical process, Amazon obtains knowledge of
personal data that is used by Amazon to trace the origin of orders received by Amazon and subsequently
to enable commission accounting. Among other things, Amazon can track that the person concerned has
clicked on an affiliate link on our website.

The data subject can prevent the setting of cookies by our website, as already described above, at
any time by means of an appropriate setting of the Internet browser used and thus permanently object
to the setting of cookies. Such a setting of the Internet browser used would also prevent Amazon from
setting a cookie on the information technology system of the data subject. In addition, cookies already
set by Amazon can be deleted at any time via an internet browser or other software programmes.

Further information and Amazon’s applicable privacy policy can be found at
https://www.amazon.de/gp/help/customer/display.html?nodeId=3312401.

15. Privacy policy on the use and application of Google Analytics (with anonymisation
function)

The controller has integrated the Google Analytics component (with anonymisation function) on this
website. Google Analytics is a web analysis service. Web analysis is the collection, compilation and
evaluation of data about the behaviour of visitors to websites. Among other things, a web analysis
service collects data on the website from which a data subject has accessed a website (so-called
referrers), which sub-pages of the website have been accessed or how often and for how long a subpage has been viewed. A web analysis is mainly used to optimise a website and to analyse the costbenefit of internet advertising.

The operating company of the Google Analytics component is Google Ireland Limited, Gordon House,
Barrow Street, Dublin, D04 E5W5, Ireland.

The controller uses the addition “_gat._anonymizeIp” for web analysis via Google Analytics. By
means of this add-on, the IP address of the internet connection of the data subject is shortened and
anonymised by Google if access to our internet pages takes place from a member state of the European
Union or from another state party to the Agreement on the European Economic Area.

The purpose of the Google Analytics component is to analyse the flow of visitors to our website.
Google uses the data and information obtained, among other things, to evaluate the use of our website,
to compile online reports for us showing the activities on our website and to provide other services in
connection with the use of our website.

Google Analytics sets a cookie on the information technology system of the data subject. What
cookies are has already been explained above. By setting the cookie, Google is enabled to analyse the
use of our website. Each time one of the individual pages of this website operated by the data controller
is called up and on which a Google Analytics component has been integrated, the internet browser on
the data subject’s information technology system is automatically caused by the respective Google
Analytics component to transmit data to Google for the purpose of online analysis. As part of this
technical process, Google obtains knowledge of personal data, such as the IP address of the data subject,
which Google uses, among other things, to track the origin of visitors and clicks and subsequently to
enable commission calculations.

By means of the cookie, personal information, for example the access time, the location from which
an access originated and the frequency of visits to our website by the data subject, is stored. Each time
the data subject visits our website, this personal data, including the IP address of the internet connection
used by the data subject, is transmitted to Google in the United States of America. This personal data is
stored by Google in the United States of America. Google may pass on this personal data collected via
the technical process to third parties.

The data subject can prevent the setting of cookies by our website, as already described above, at
any time by means of an appropriate setting of the Internet browser used and thus permanently object
to the setting of cookies. Such a setting of the Internet browser used would also prevent Google from
setting a cookie on the information technology system of the data subject. In addition, a cookie already
set by Google Analytics can be deleted at any time via the internet browser or other software
programmes.

The data subject also has the option of objecting to the collection of data generated by Google
Analytics and related to the use of this website, as well as to the processing of this data by Google, and
to prevent such processing. For this purpose, the data subject must download and install a browser addon under the link https://tools.google.com/dlpage/gaoptout. This browser add-on informs Google
Analytics via JavaScript that no data and information on visits to Internet pages may be transmitted to
Google Analytics. The installation of the browser add-on is considered by Google as an objection. If the
data subject’s information technology system is deleted, formatted or reinstalled at a later date, the data
subject must reinstall the browser add-on in order to deactivate Google Analytics. Sofern das BrowserAdd-On durch die betroffene Person oder einer anderen Person, die ihrem Machtbereich zuzurechnen
ist, deinstalliert oder deaktiviert wird, besteht die Möglichkeit der Neuinstallation oder der erneuten
Aktivierung des Browser-Add-Ons.

Further information and Google’s applicable privacy policy can be found at
https://www.google.de/intl/de/policies/privacy/ and at
http://www.google.com/analytics/terms/de.html. Google Analytics is explained in more detail at this link
https://www.google.com/intl/de_de/analytics/.

16. Privacy Policy on the Use and Application of Google+

The controller has integrated the Google+ button as a component on this website. Google+ is a socalled social network. A social network is a social meeting place operated on the Internet, an online
community, which usually enables users to communicate and interact with each other in virtual space. A
social network can serve as a platform for sharing opinions and experiences or enables the internet
community to provide personal or company-related information. Google+ allows users of the social
network to create private profiles, upload photos and network via friend requests, among other
things.

The operating company of Google+ is Google Ireland Limited, Gordon House, Barrow Street, Dublin,
D04 E5W5, Ireland.

Whenever a data subject accesses one of the individual pages of this website operated by the data
controller and on which a Google+ button has been integrated, the internet browser on the data
subject’s information technology system is automatically triggered by the respective Google+ button to
download a representation of the corresponding Google+ button from Google. Within the scope of this
technical procedure, Google receives information about which specific sub-page of our website is visited
by the data subject. More detailed information on Google+ is available at
https://developers.google.com/+/.

If the data subject is logged in to Google+ at the same time, Google recognises which specific
subpage of our website the data subject is visiting each time the data subject calls up our website and for
the entire duration of the respective stay on our website. This information is collected by the Google+
button and assigned by Google to the respective Google+ account of the data subject.

If the data subject activates one of the Google+ buttons integrated on our website and thus makes a
Google+1 recommendation, Google will associate this information with the data subject’s personal
Google+ user account and store this personal data. Google stores the Google+1 recommendation of the
data subject and makes it publicly available in accordance with the terms and conditions accepted by the
data subject in this regard. A Google+1 recommendation made by the data subject on this website will
subsequently be stored and processed together with other personal data, such as the name of the
Google+1 account used by the data subject and the photo stored in this account, in other Google
services, for example the search engine results of the Google search engine, the Google account of the
data subject or in other places, for example on websites or in connection with advertisements.
Furthermore, Google is able to link the visit to this website with other personal data stored by Google.
Google also records this personal information for the purpose of improving or optimising Google’s
various services.

Google always receives information via the Google+ button that the data subject has visited our
website if the data subject is simultaneously logged into Google+ at the time of calling up our website;
this takes place regardless of whether the data subject clicks on the Google+ button or not.

If the data subject does not want personal data to be transmitted to Google, he or she can prevent
such transmission by logging out of his or her Google+ account before accessing our website.

Further information and Google’s applicable privacy policy can be found at
https://www.google.de/intl/de/policies/privacy/. Further guidance from Google on the Google+1 button
can be found at https://developers.google.com/+/web/buttons-policy.

17. Privacy Policy on the Use and Application of Google AdWords

The controller has integrated Google AdWords on this website. Google AdWords is an internet
advertising service that allows advertisers to place ads both in Google’s search engine results and in the
Google advertising network. Google AdWords allows an advertiser to specify certain keywords in
advance, by means of which an ad is displayed in Google’s search engine results exclusively when the
user retrieves a keyword-relevant search result with the search engine. In the Google advertising
network, the ads are distributed on topic-relevant internet pages by means of an automatic algorithm
and taking into account the previously defined keywords.

The operating company of the Google AdWords services is Google Ireland Limited, Gordon House,
Barrow Street, Dublin, D04 E5W5, Ireland.

The purpose of Google AdWords is to advertise our website by displaying interest-relevant
advertising on the websites of third-party companies and in the search engine results of the Google
search engine and to display third-party advertising on our website.

If a data subject accesses our website via a Google ad, a so-called conversion cookie is stored by
Google on the data subject’s information technology system. What cookies are has already been
explained above. A conversion cookie loses its validity after thirty days and does not serve to identify the
data subject. The conversion cookie is used to track whether certain sub-pages, for example the
shopping basket of an online shop system, have been called up on our website, provided the cookie has
not yet expired. The conversion cookie enables both us and Google to track whether a data subject who
has accessed our website via an AdWords ad has generated a turnover, i.e. has completed or cancelled a
purchase of goods.

The data and information collected through the use of the conversion cookie are used by Google to
create visit statistics for our website. These visit statistics are in turn used by us to determine the total
number of users who were referred to us via AdWords ads, i.e. to determine the success or failure of the
respective AdWords ad and to optimise our AdWords ads for the future. Neither our company nor other
advertisers of Google AdWords receive information from Google by means of which the data subject
could be identified.

By means of the conversion cookie, personal information, such as the websites visited by the data
subject, is stored. Each time the data subject visits our website, personal data, including the IP address of
the internet connection used by the data subject, is transmitted to Google in the United States of
America. This personal data is stored by Google in the United States of America. Google may pass on this
personal data collected via the technical procedure to third parties.

The data subject can prevent the setting of cookies by our website, as already described above, at
any time by means of an appropriate setting of the internet browser used and thus permanently object
to the setting of cookies. Such a setting of the Internet browser used would also prevent Google from
setting a conversion cookie on the information technology system of the data subject. In addition, a
cookie already set by Google AdWords can be deleted at any time via the internet browser or other
software programmes.

The data subject also has the option of objecting to interest-based advertising by Google. To do this,
the data subject must call up the link www.google.de/settings/ads from any of the internet browsers he
or she uses and make the desired settings there.

Further information and Google’s applicable privacy policy can be found at
https://www.google.de/intl/de/policies/privacy/.

18. Privacy policy on the use of Instagram

The controller has integrated components of the Instagram service on this website. Instagram is a
service that qualifies as an audiovisual platform and allows users to share photos and videos and also to
redistribute such data on other social networks.

The operating company of the Instagram services is Facebook Ireland Ltd, 4 Grand Canal Square,
Grand Canal Harbour, Dublin 2 Ireland.

Whenever one of the individual pages of this website operated by the controller is called up and on
which an Instagram component (Insta button) has been integrated, the internet browser on the
information technology system of the data subject is automatically prompted by the respective
Instagram component to download a representation of the corresponding Instagram component. Within
the scope of this technical procedure, Instagram receives knowledge of which specific subpage of our
website is visited by the data subject.

If the data subject is logged in to Instagram at the same time, Instagram recognises which specific
subpage the data subject is visiting each time the data subject calls up our website and for the entire
duration of the respective stay on our website. This information is collected by the Instagram component
and assigned by Instagram to the respective Instagram account of the data subject. If the data subject
activates one of the Instagram buttons integrated on our website, the data and information thus
transmitted are assigned to the personal Instagram user account of the data subject and stored and
processed by Instagram.

Instagram always receives information via the Instagram component that the data subject has visited
our website if the data subject is logged into Instagram at the same time as calling up our website; this
takes place regardless of whether the data subject clicks on the Instagram component or not. If the data
subject does not want this information to be transmitted to Instagram, he or she can prevent the
transmission by logging out of his or her Instagram account before accessing our website.

Further information and Instagram’s applicable privacy policy can be found at
https://help.instagram.com/155833707900388 and
https://www.instagram.com/about/legal/privacy/.

19. Privacy Policy on the use of Jetpack for WordPress

The controller has integrated Jetpack on this website. Jetpack is a WordPress plug-in that offers
additional functions to the operator of a website built on WordPress. Among other things, Jetpack allows
the website operator to keep track of visitors to the site. By displaying related posts and publications or
the possibility to share content on the page, it is also possible to increase the number of visitors. In
addition, security functions are integrated into Jetpack so that a website using Jetpack is better
protected against brute force attacks. Jetpack also optimises and speeds up the loading of images
integrated on the website.

The operating company of the Jetpack plug-in for WordPress is Aut O’Mattic A8C Ireland Ltd,
Business Centre, No.1 Lower Mayor Street, International Financial Services Centre, Dublin 1, Ireland.

Jetpack sets a cookie on the information technology system of the data subject. What cookies are has
already been explained above. Each time one of the individual pages of this website operated by the
controller is called up, on which a Jetpack component has been integrated, the internet browser on the
information technology system of the data subject is automatically triggered by the respective Jetpack
component to transmit data to Automattic for analysis purposes. As part of this technical procedure,
Automattic obtains knowledge of data that is subsequently used to create an overview of website visits.
The data obtained in this way is used to analyse the behaviour of the data subject who has accessed the
website of the controller and is evaluated with the aim of optimising the website. The data collected via
the Jetpack component will not be used to identify the data subject without obtaining the prior explicit
consent of the data subject. The data also comes to the knowledge of Quantcast. Quantcast uses the
data for the same purposes as Automattic.

The data subject can prevent the setting of cookies by our website, as already described above, at
any time by means of an appropriate setting of the Internet browser used and thus permanently object
to the setting of cookies. Such a setting of the Internet browser used would also prevent
Automattic/Quantcast from setting a cookie on the information technology system of the data subject.
In addition, cookies already set by Automattic can be deleted at any time via the internet browser or
other software programs.

In addition, the data subject has the possibility to object to and prevent the collection of data
generated by the Jetpack cookie and related to the use of this website as well as the processing of such
data by Automattic/Quantcast. To do so, the data subject must press the opt-out button under the link
https://www.quantcast.com/opt-out/, which sets an opt-out cookie. The opt-out cookie set with the
objection is stored on the information technology system used by the data subject. If the cookies on the
data subject’s system are deleted after an objection, the data subject must access the link again and set
a new opt-out cookie.

With the setting of the opt-out cookie, however, there is the possibility that the Internet pages of the
controller are no longer fully usable for the data subject.

The applicable privacy policy of Automattic is available at https://automattic.com/privacy/.
Quantcast’s applicable privacy policy is available at https://www.quantcast.com/privacy/.

20. Privacy policy on the use and application of LinkedIn

The controller has integrated components of the LinkedIn Corporation on this website. LinkedIn is an
Internet-based social network that allows users to connect with existing business contacts and to make
new business contacts. Over 400 million registered people use LinkedIn in more than 200 countries. This
makes LinkedIn currently the largest platform for business contacts and one of the most visited internet
sites in the world.

The operating company of LinkedIn is LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA
94043, USA. For data protection issues outside the USA, LinkedIn Ireland, Privacy Policy Issues, Wilton
Plaza, Wilton Place, Dublin 2, Ireland, is responsible.

With each individual call-up of our website that is equipped with a LinkedIn component (LinkedIn
plug-in), this component causes the browser used by the person concerned to download a
corresponding representation of the component from LinkedIn. Further information on LinkedIn plug-ins
can be found at https://developer.linkedin.com/plugins. Within the scope of this technical procedure,
LinkedIn receives knowledge of which specific sub-page of our website is visited by the data
subject.

If the data subject is logged in to LinkedIn at the same time, LinkedIn recognises which specific
subpage of our website the data subject is visiting with each call-up of our website by the data subject
and for the entire duration of the respective stay on our website. This information is collected by the
LinkedIn component and assigned by LinkedIn to the respective LinkedIn account of the data subject. If
the data subject activates a LinkedIn button integrated on our website, LinkedIn assigns this information
to the personal LinkedIn user account of the data subject and stores this personal data.

LinkedIn always receives information via the LinkedIn component that the data subject has visited
our website if the data subject is logged into LinkedIn at the same time as calling up our website; this
takes place regardless of whether the data subject clicks on the LinkedIn component or not. If the data
subject does not want this information to be transmitted to LinkedIn, he or she can prevent the
transmission by logging out of his or her LinkedIn account before accessing our website.

LinkedIn offers the ability to unsubscribe from email messages, SMS messages and targeted ads, as
well as manage ad settings at https://www.linkedin.com/psettings/guest-controls. LinkedIn also uses
partners such as Quantcast, Google Analytics, BlueKai, DoubleClick, Nielsen, Comscore, Eloqua and
Lotame, which may set cookies. Such cookies can be rejected at https://www.linkedin.com/legal/cookiepolicy. LinkedIn’s applicable privacy policy is available at https://www.linkedin.com/legal/privacy-policy.
LinkedIn’s cookie policy is available at https://www.linkedin.com/legal/cookie-policy.

21. privacy policy on the use and application of Twitter

The controller has integrated Twitter components on this website. Twitter is a multilingual publicly
accessible microblogging service on which users can publish and distribute so-called tweets, i.e. short
messages limited to 280 characters. These short messages can be accessed by anyone, including people
who are not registered with Twitter. However, the tweets are also displayed to the so-called followers of
the respective user. Followers are other Twitter users who follow the tweets of a user. Furthermore,
Twitter makes it possible to address a broad audience via hashtags, links or retweets.

Operating company of Twitter International Company, One Cumberland Place, Fenian Street Dublin
2, D02 AX07, Ireland.

Whenever a data subject accesses one of the individual pages of this website operated by the data
controller and on which a Twitter component (Twitter button) has been integrated, the internet browser
on the data subject’s information technology system is automatically prompted by the respective Twitter
component to download a representation of the corresponding Twitter component from Twitter.
Further information on the Twitter buttons can be found at
https://about.twitter.com/de/resources/buttons. Within the scope of this technical procedure, Twitter
receives information about which specific sub-page of our website is visited by the data subject. The
purpose of integrating the Twitter component is to enable our users to disseminate the content of this
website, to make this website known in the digital world and to increase our visitor numbers.

If the data subject is logged in to Twitter at the same time, Twitter recognises which specific subpage
of our website the data subject is visiting each time the data subject calls up our website and for the
entire duration of the respective stay on our website. This information is collected by the Twitter
component and assigned by Twitter to the respective Twitter account of the data subject. If the data
subject activates one of the Twitter buttons integrated on our website, the data and information thus
transmitted will be assigned to the personal Twitter user account of the data subject and stored and
processed by Twitter.

Twitter always receives information via the Twitter component that the data subject has visited our
website if the data subject is logged into Twitter at the same time as calling up our website; this takes
place regardless of whether the data subject clicks on the Twitter component or not. If the data subject
does not want this information to be transmitted to Twitter, he or she can prevent the transmission by
logging out of his or her Twitter account before accessing our website.

The applicable privacy policy of Twitter is available at https://twitter.com/privacy?lang=de.

22. Privacy Policy on the Use and Application of YouTube

The controller has integrated YouTube components on this website. YouTube is an Internet video
portal that allows video publishers to post video clips free of charge and other users to view, rate and
comment on them, also free of charge. YouTube allows the publication of all types of videos, which is
why complete film and television programmes, but also music videos, trailers or videos made by users
themselves can be accessed via the Internet portal.

YouTube’s operating company is Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04
E5W5, Ireland.

Whenever a data subject accesses one of the individual pages of this website operated by the data
controller on which a YouTube component (YouTube video) has been integrated, the internet browser
on the data subject’s information technology system is automatically prompted by the respective
YouTube component to download a representation of the corresponding YouTube component from
YouTube. Further information on YouTube can be found at https://www.youtube.com/yt/about/de/.
Within the scope of this technical procedure, YouTube and Google receive knowledge of which specific
subpage of our website is visited by the data subject.

If the data subject is logged into YouTube at the same time, YouTube recognises which specific subpage of our website the data subject is visiting when a sub-page containing a YouTube video is called up.
This information is collected by YouTube and Google and assigned to the respective YouTube account of
the data subject.

YouTube and Google always receive information via the YouTube component that the data subject
has visited our website if the data subject is logged into YouTube at the same time as calling up our
website; this takes place regardless of whether the data subject clicks on a YouTube video or not. If the
data subject does not want this information to be transmitted to YouTube and Google, he or she can
prevent the transmission by logging out of his or her YouTube account before accessing our website.

The privacy policy published by YouTube, which can be accessed at
https://www.google.de/intl/de/policies/privacy/, provides information on the collection, processing and
use of personal data by YouTube and Google.

23. legal basis of the processing

Art. 6 I lit. a DS-GVO serves our company as the legal basis for processing operations in which we
obtain consent for a specific processing purpose. If the processing of personal data is necessary for the
performance of a contract to which the data subject is a party, as is the case, for example, with
processing operations that are necessary for the delivery of goods or the provision of another service or
consideration, the processing is based on Art. 6 I lit. b DS-GVO. The same applies to processing
operations that are necessary for the implementation of pre-contractual measures, for example in the
case of enquiries about our products or services. If our company is subject to a legal obligation by which
the processing of personal data becomes necessary, such as for the fulfilment of tax obligations, the
processing is based on Art. 6 I lit. c DS-GVO. In rare cases, the processing of personal data might become
necessary in order to protect the vital interests of the data subject or another natural person. This would
be the case, for example, if a visitor were to be injured on our premises and as a result his or her name,
age, health insurance details or other vital information had to be passed on to a doctor, hospital or other
third party. Then the processing would be based on Art. 6 I lit. d DS-GVO.
Ultimately, processing operations could be based on Art. 6 I lit. f DS-GVO. Processing operations which
are not covered by any of the aforementioned legal bases are based on this legal basis if the processing
is necessary for the protection of a legitimate interest of our company or a third party, provided that the
interests, fundamental rights and freedoms of the data subject are not overridden. Such processing
operations are permitted to us in particular because they were specifically mentioned by the European
legislator. In this respect, it took the view that a legitimate interest could be assumed if the data subject
is a customer of the controller (recital 47, sentence 2 of the GDPR).

24. Legitimate interests in the processing pursued by the controller or a third party

Where the processing of personal data is based on Article 6 I lit. f DS-GVO, our legitimate interest is
the conduct of our business for the benefit of the well-being of all our employees and our shareholders.

25. duration for which the personal data are stored

The criterion for the duration of the storage of personal data is the respective statutory retention
period. After expiry of the period, the corresponding data is routinely deleted if it is no longer required
for the fulfilment or initiation of the contract.

26. Legal or contractual requirements to provide the personal data; necessity for the conclusion of
the contract; obligation of the data subject to provide the personal data; possible consequences of nonprovision

We inform you that the provision of personal data is partly required by law (e.g. tax regulations) or
may also result from contractual regulations (e.g. details of the contractual partner).
Sometimes, in order to conclude a contract, it may be necessary for a data subject to provide us with
personal data which must subsequently be processed by us. For example, the data subject is obliged to
provide us with personal data if our company concludes a contract with him or her. Failure to provide
the personal data would mean that the contract with the data subject could not be concluded.
Before the data subject provides personal data, the data subject must contact one of our employees. Our
employee will inform the data subject on a case-by-case basis whether the provision of the personal data
is required by law or contract or is necessary for the conclusion of the contract, whether there is an
obligation to provide the personal data and what the consequences of not providing the personal data
would be.

27. Existence of automated decision-making

As a responsible company, we refrain from automatic decision-making or profiling.

This data protection declaration was created by the data protection declaration generator of the
DGD Deutsche Gesellschaft für Datenschutz GmbH, which acts as External Data
Protection Officer Essen, in cooperation with the data
protection lawyers of the law firm WILDE BEUGER SOLMECKE | Rechtsanwälte.

service.de@ultranatura.net

00800 880 88008

+49 (0) 4821 / 77967-136