The protection of your personal data is an important concern for us. When processing this data, Bike24 will strictly observe the applicable provisions of data protection law in the European Union, and of data protection law in the Federal Republic of Germany.
By means of this Data Privacy Statement, we are informing you of what data we collect on our websites, for what purposes we process this data, and to which recipients we may possibly transfer this data, and of the legal bases for the data processing, the period for which the data will be stored, the controllers responsible for the processing, as well as your rights.
1. Controller responsible for the data processing
The controller responsible for the data processing within the meaning of Article 13 (1) a) of the General Data Protection Regulation (GDPR) is:
Email: datenschutz at bike24.net
If you wish to contact our data protection officer, please use the following contact details:
Email: datenschutz at bike24.net
2. Specific details relating to the data processing
2.1. Personal data
Article 4 (1) GDPR defines personal data as any information relating to an identified or identifiable natural person. Personal data includes, for example, name, address, telephone number, email address, bank account details, credit card number.
2.2. Data processing for the performance of a contract
If you place an order with Bike24, we shall need personal data for the purposes of processing the purchase, including shipping the goods that you have ordered, handling returns or dealing with complaints. Specifically, we shall need details relating to your name, postal address, email address and, if applicable, essential payment details. It is essential that you provide your email address so that we can send you confirmation of receipt of your order, notify you of the shipment of your goods and/or contact you. Therefore, this data processing will take place for the purpose of performing the contract.
Even before a contract is concluded, you may have already contacted Bike24 and, for example, sent us an email enquiry requesting our advice. In this case, the data received from you, such as your email address and possibly your name, will be processed by us for the purpose of carrying out precontractual measures.
Article 6 (1) b) GDPR is the legal basis for data processing for the purpose of performing a contract or for carrying out precontractual measures as a result of an enquiry from the data subject.
For handling your order, Bike24 will pass on personal data to service partners such as payment service providers (including, but not limited to, banks, Paypal, Amazon Pay, credit card companies) and shipping service providers (including, but not limited to, DHL, DPD, Hermes, forwarders), insofar as this is necessary for the performance of your contract. It is also possible that your personal data will be passed on to a supplier delivering the goods directly to you. The recipient must use the transferred data only for the performance of its task. Any use beyond this is not permitted.
Personal data processed for the performance of the contract will be stored by us for the statutory period of limitation.
The data necessary under commercial law or fiscal law will be stored by us for the retention periods prescribed by law under Section 257 HGB [German Commercial Code] and Section 157 AO [Tax Code], generally for a period of 10 years.
Personal data processed for carrying out precontractual measures will be erased within 12 months if no contract is concluded.
You can subscribe to the Bike24 newsletter in the course of the ordering process or separately via our shop website. In any event, we shall use the double opt-in procedure. This means that you will receive from us an email with a link via which you, as the owner of the email address, can confirm your subscription to the newsletter. Only after you have given this confirmation will you be subscribed to the newsletter.
Following registration, Bike24 will use your submitted data for marketing purposes. We shall then regularly inform you of, for example, new products, activities or sales campaigns.
We store your e-mail address and the language in which you are using the Bike24 webshop.
Article 6 (1) a) GDPR is the legal basis for this data processing. The data processing will take place only according to express consent.
In addition, we store the data of the application under the double opt-in procedure. Article 6 (1) f) GDPR is the legal basis for this data processing. The essential justified interest lies in proving an existing consent.
The dispatch of the newsletter as well as the storage and administration of the mentioned data will be carried out by CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, Germany. This provider is undertaking a contractually agreed processing of data within the meaning of Article 28 of the GDPR.
Apart from transferring the mentioned data to CleverReach, no other data transfer to third parties takes place.
You may revoke your consent at any time with effect for the future. Each newsletter will contain an unsubscribe link. If you use that link, your e-mail address will be unsubscribed immediately. Apart from that, you can revoke your consent at any time by sending an e-mail to datenschutz at bike24.net.
For reasons of proof and for defence against legal claims the dataset concerning your e-mail address can be stored for up to 3 years after you have unsubscribed. The dataset in question will then be deleted automatically. Article 6 (1) f) GDPR is the legal basis for this data processing.
2.4. Customer account
You have the possibility of creating a Bike24 customer account. This password-protected, personal access offers you a series of useful features, including, but not limited to, viewing of the orders that you have placed in the preceding 2 years, displaying and downloading of your invoices, management of personal customer data, addition and editing of different delivery addresses, saving of a standard payment method and creation of a personal reminder note and/or wish list.
Article 6 (1) a) GDPR is the legal basis for this data processing. The data processing will take place only according to express consent. The data submitted to the customer account will be stored as long as your consent exists. You may revoke this consent at any time with effect for the future. An informal notification using the contact details stated under Section 1 will suffice for this. If your consent is revoked, your customer account, including the data submitted to it, will be deleted.
3.1. What are cookies?
"Cookies" are small text files that are stored on your data carrier and contain certain settings and data. A distinction is made between session cookies and temporary/permanent cookies. Session cookies will be deleted as soon as you close your browser. Temporary/permanent cookies will be stored for a defined period or permanently.
3.2. What cookies does Bike24 use?
Most of the cookies used are technically essential for providing you with certain features in the shop or enabling a comfortable user experience. For example, certain shop settings made by you will then not need to be set anew by you every time you visit the Bike24 shop. These session cookies as well as permanent cookies (lifetime of up to 2 years) will be stored on your data carrier and will delete themselves after the pre-set period has expired.
3.2.1. Technically essential cookies:
| Name of the cookie | Purpose or function | Validity period |
|---|---|---|
| ID | This cookie contains the session ID. This is necessary in order to be able to link a user's actions over multiple website visits. This is necessary in order to be able to, for example, link to a specific user the current shopping basket or a current log-in over multiple website visits. | as long as the browser is open |
| PARM | This includes the point in time when the Bike24 shop was first visited. Only a date will be stored. | 2 years from the date of the last visit to the website |
| BasketStoreCart | This includes the current shopping basket ID, also possibly for allocating this ID to a log-in. The shopping basket ID enables the functionality of the shopping basket to be preserved beyond the actual user session. Therefore, this will also enable the shopping basket to be restored weeks or months after the last use. | 1 year from the date of the last change to the shopping basket |
| product_rotator_height | This contains a setting relating to a product slider in the product detail view. The setting made as regards whether the slider is to be visible or hidden will be stored. | 1 year from the date of the last visit to the website |
3.2.2. Web analysis cookies
Generally, you do not necessarily have to accept web analysis cookies in order to be able to use the Bike24 shop. The Bike24 Shop is fully usable without web analysis cookies.
These web analysis cookies will be placed only insofar as no browser add-on for deactivating Google Analytics exists. You can find more information on Google Analytics under Section 4.
3.3. Technically essential cookies from third-party providers
If you select certain payment methods such as Amazon Pay or Paypal, cookies enabling payment using the respective payment method will be placed.
If we integrate elements of "Facelift Cloud" such as competitions or an advent calendar into our website and you call this page with your browser, a cookie is set by "Facelift Cloud" to identify and prevent attacks against the server infrastructure of "Facelift Cloud". You can find more information on "Facelift Cloud" under Section 7.
If you wish to play YouTube videos integrated into Bike24, cookies will likewise be placed.
Article 6 (1) f) GDPR is the legal basis for the use of technically essential cookies. The essential justified interest lies in securing the functionality of the Bike24 shop.
Article 6 (1) a) GDPR is the legal basis for the use of web analysis cookies. You have declared your consent expressly:
3.5. Revocation of consent, and deletion of cookies
In your browser's settings, you can also deactivate the acceptance of cookies. If you wish to accept only Bike24 cookies, but not our service providers' cookies, you can choose the setting "Block cookies from third-party providers" in your browser.
4. Google Analytics and Google Tag Manager
Bike24 uses Google Analytics and Google Tag Manager, web analysis services from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). Google Analytics uses tracking cookies to help the website analyze how users use the site. The information generated by the cookie about your use of the website will generally be transmitted to and stored by Google on servers in the United States.
If IP anonymisation has been activated on this website, Google will however, within Member States of the European Union or the European Economic Area, truncate your IP address beforehand. Only in exceptional cases will your full IP address be transferred to a Google server in the USA and be truncated there. IP anonymisation is active on this website. Google will, on behalf of the operator of this website, use this information to evaluate your usage of the website, put together reports on website activities and provide the website operator with other services relating to website and Internet usage.
The IP address transmitted by your browser within the framework of Google Analytics will not be combined with other Google data. You can prevent the storage of cookies by setting your browser software accordingly. Please note, however, that you may then possibly be unable to fully use all features of this website. By downloading and installing the browser plugin available at the following link, you can, furthermore, prevent data (including your IP address) generated by such cookie relating to your use of the website from being collected and transmitted to Google and being processed by Google: browser add-on for deactivating Google Analytics.
Bike24 uses Google Analytics with the setting "anonymizeIP". As a result, IP addresses are further processed by Google Analytics only in truncated form in order to rule out the possibility of persons being directly individualised.
Bike24 uses Google Analytics expressly without the re-targeting feature. Re-targeting is understood as meaning the targeted insertion of, generally, personalised advertising on other websites (so-called partner websites) after a user has, for example, visited an online shop.
5. Google reCAPTCHA
Bike24 uses the service "Google reCAPTCHA" on this website. Provider is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). We use Google reCAPTCHA to prevent misuse through automated data entry. This applies in particular to pages on which users enter certain form data and transmit it to our servers. Google reCAPTCHA makes it possible to distinguish between data input by humans and automatic data input.
The service analyses the behaviour of the user on the website in the background. Google reCAPTCHA uses certain characteristics to determine whether the website is naturally operated. Google reCAPTCHA transmits your IP address and possibly other data (e.g. about the device you are using) to Google.
Article 6 (1) f) GDPR is the legal basis for this data processing. The essential justified interest lies in the prevention of abuse and/or spying on our web page as well as in the prevention of SPAM.
You can find more information about Google reCAPTCHA and Google's privacy statement at: https://www.google.com/intl/en/policies/privacy/
6. Log files
When you visit the Bike24 website, your Internet browser will send usage data to our servers. Usage data is logged in so-called log files by our servers. In this respect, the following will be stored: the date and time, the type of request, the log type and access status, the size and name of the file, the IP address from which the request originated, the referrer URL (information on the website from which you have arrived at our website), information on the Internet browser used (e.g. which browser is used, the version number of this browser and the type of encryption).
We use log files to monitor the functionality and performance of our shop and to further develop and improve the Bike24 shop. As a result, any malfunctioning of the shop, for example, will be recorded and subsequently remedied by us. Furthermore, the storage of data in log files takes place for security reasons to ensure secure operation of our system.
Article 6 (1) f) GDPR is the legal basis for this data processing. The essential justified interest lies in securing the functionality of the shop and ensuring secure operation of our shop servers. The users' IP addresses will be deleted or anonymised after a maximum of 10 days.
7. Content Delivery Network (CDN)
Bike24 uses the service provider CDN77, DataCamp Ltd, London, which will, on our behalf, deliver certain content from the Bike24 shop website to you or your browser. This content includes, but is not limited to, product images. On the one hand, this service provider enables, by means of its infrastructure, speedy delivery of this data to you. In parallel, the service provider will deliver the data from a server situated as physically close to you as possible. Both these services will minimise loading times and improve the user experience for you.
The CDN service provider will necessarily receive your IP address.
Generally, no log data will be recorded. Only in the case of faults will log data be recorded by the CDN service provider for fault analysis. In this respect, the IP address will be stored only in anonymised form; the log file will be deleted after a maximum of 10 days.
Article 6 (1) f) GDPR is the legal basis for this data processing.
8. Facelift Cloud
We use the "Facelift Cloud" service to coordinate our marketing activities, to carry out certain online marketing campaigns such as competitions or our Advent calendar and for the integrated control and administration of our social media activities. "Facelift Cloud" is a service of "Facelift brand building technologies GmbH (Facelift bbt), Gerhofstr. 19, 20354 Hamburg, Germany". This provider is undertaking a contractually agreed processing of data. Facelift bbt is contractually obliged to ensure the protection of your data by suitable technical and organisational measures. The legal basis for contractually agreed processing of data is Article 28 of the GDPR.
If we implement competitions or the Advent calendar on our website with "Facelift Cloud" and you call up the relevant page of the Bike24 shop, the modules of "Facelift Cloud" collect data on the device you are using and on the browser you are using. The data collected includes the type of device, operating system, browser and browser version, local time of access, language used, screen resolution and browser plug-ins used. This data is processed to ensure the functionality and performance of Facelift Cloud services on as many devices as possible. In addition, the IP address from which you visit the site is stored to prevent misuse of the service. The IP address is stored anonymously and only temporarily. In general, the above data is stored exclusively on servers based in Germany. In addition, "Facelift Cloud" sets a cookie to identify and prevent attacks against the server infrastructure of "Facelift Cloud". The legal basis for the aforementioned data processing is Article 6 (1) f) GDPR.
9. Your rights as a user
Below, we would like to summarise for you your rights under the General Data Protection Regulation.
9.1. Right to revoke your declaration of consent under data protection law (Article 7 (3) GDPR)
You have the right to revoke your consent at any time. Revocation of your consent will not affect the lawfulness of the processing carried out on the basis of your consent up to the time of revocation. Before you give your consent, you will be informed hereof.
9.2. Right of access (Article 15 GDPR)
Under Article 15 GDPR, you have the right to demand from us confirmation of whether we process personal data concerning you. If this is the case, you have the right to access this personal data and the following information:
- the purposes for which we process this data;
- the categories of personal data processed by us;
- to whom this personal data has been disclosed, or is yet to be disclosed, particularly in the case of disclosure to recipients in third countries or at international organisations;
- if possible, the envisaged period of storage of the personal data, or, if this is not possible, the criteria used to determine this period;
- the existence of a right to rectification or erasure of the personal data concerning you, or a right to restriction of processing by us, or a right to object to processing by us;
- the existence of a right to lodge a complaint with a supervisory authority;
- in cases where the personal data is not collected from you, all available information concerning the origin of the data;
- whether automated decision-making, including profiling, as referred to in Article 22 (1) and (4) GDPR, takes place, and, if so, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for you.
- If personal data is transferred to a third country or to an international organisation, you will have the right to be informed of what suitable safeguards have been put in place to ensure that these recipients also comply with the provisions of the GDPR.
9.3. Right to rectification (Article 16 GDPR)
You may demand that we rectify, without delay, inaccurate data concerning you. With due regard being given to the purposes of the processing, you will, additionally, have the right to demand that incomplete personal data be completed, also by means of a supplementary statement.
9.4. Right to erasure or "right to be forgotten" (Article 17 GDPR)
You have the right that we erase data without delay if one of the following grounds applies:
- The data is no longer needed for the purposes for which it was collected or otherwise processed.
- You revoke your consent on which the processing was based, and there is no other legal basis for the processing.
- In accordance with Article 21 (1) GDPR, you lodge an objection to the processing for reasons ensuing from your particular situation, and there are no overriding legitimate reasons for the processing.
- In accordance with Article 21 (2) GDPR, you lodge an objection to processing for direct marketing purposes.
- The data has been unlawfully processed.
- It is necessary to erase the data in order to fulfil a legal obligation under European or German law.
- The data has been collected in relation to an offer of information society services in accordance with Article 8 (1) GDPR.
If we have made your data public and are obliged to erase it, we shall, with due regard being given to the available technology and the implementation costs, take appropriate measures to inform the controllers that you have requested the erasure of your data.
9.5. Right to restriction of processing (Article 18 GDPR)
According to Article 18 GDPR, we must restrict the processing of your data in the following cases, namely if:
- you dispute the accuracy of your data, in which case the processing will be restricted until we have been able to check the accuracy;
- the processing is unlawful, and you decline to have your data erased and demand instead that use of your personal data be restricted;
- we no longer need the data for the purposes of the processing, but you need this data for asserting, exercising or defending legal claims, or
- you lodge, in accordance with Article 21 (1) GDPR, an objection to the processing for reasons ensuing from your particular situation, as long as it has not yet been established whether the legitimate reasons for the processing by us outweigh your interests.
If processing is restricted, we shall merely be permitted to store this data. Any processing beyond this will then be permissible only with your consent or for the purpose of asserting, exercising or defending legal claims or for protecting the rights of another natural person or legal entity or for reasons of an important public interest of the Union or a Member State.
You may at any time revoke your consent given in this connection.
You will be notified by us before the restriction is lifted.
9.6. Notification obligation (Article 19 GDPR)
All recipients to whom your data has been disclosed must be informed by us of any rectification or erasure of your data, or of any restriction of processing. This will be inapplicable only insofar as this proves to be impossible or is associated with disproportionate expense. We shall inform you of these recipients if you so request.
9.7. Right to data portability (Article 20 GDPR)
You have the right to receive in a structured, commonly used and machine-readable format the data concerning you that has been provided to us. Additionally, you have the right that we transfer this data to a third party insofar as
- the processing of the data is based on your consent or on a contract, and
- the processing takes place by automated means.
In this respect, you may demand that we transfer your data directly to such third party insofar as this is technically feasible. This right must not impair the rights and freedoms of other persons.
9.8. Automated decision-making in individual cases, including profiling (Article 22 GDPR)
You have the right not to be subject to a decision based solely on automated processing, including profiling, that has legal effect on you or that impairs you in a similar manner. This will not apply if:
- you have given your express prior consent thereto, or
- the decision is necessary for the conclusion or performance of a contract between us, or
- applicable legal provisions permit this, and these provisions contain appropriate measures for protecting your rights and freedoms as well as your legitimate interests.
In the first two cases, we shall take appropriate measures to protect your rights and freedoms as well as your legitimate interests. This includes your right to state your own point of view, your right to challenge the automated decision and your right to intervention by one of our employees.
9.9. Right to object (Article 21 GDPR)
If we process your data on the basis of a legitimate interest (Article 6 (1) f) GDPR), you will have the right to lodge an objection thereto if the grounds for this ensue from your particular situation. This also applies to any profiling based on these provisions. In this case, we shall no longer process your data, unless we can prove that the reasons for the processing are compelling and worthy of protection. This must outweigh your interests, rights and freedoms, or the processing must serve the assertion, exercise or defence of legal claims.
Insofar as we process your data in order to engage in direct marketing, you may lodge an objection to the processing of your data. This also applies to profiling insofar as profiling is related to such direct marketing.
Following your objection, your data will no longer be processed for these purposes.
To lodge an objection, merely send a corresponding informal notification using the contact details given in Section 1.
9.10. Right to lodge a complaint with a supervisory authority (Article 77 GDPR)
You have the right to lodge a complaint with a supervisory authority, in particular in the Member State where you reside or work or where the alleged breach took place, if you are of the opinion that the processing of the data concerning you breaches the General Data Protection Regulation. Further legal remedies under administrative law, or judicial remedies, to which you may possibly be entitled will remain unaffected hereby.