Privacy Policy

Introduction

We are very pleased that you are interested in our company. Data protection is particularly important to us. In this data protection declaration, we inform you about how we process your data when you visit our website www.weed.de and what rights you are entitled to as a data subject. As part of our business activities, personal data of business partners (in the case of companies, this includes contact persons, employees and other persons associated with a business partner), customers of our business partners, visitors to our website or our social media accounts (in particular when entering data on the website, contacting us via email or social media) or other people who contact us (for example by post, email or in personal conversations) are processed in a variety of ways. The personal data collected in this way is processed under our responsibility. This data protection declaration applies to all processing of personal data carried out by us. The terms used are not gender-specific.

1. Information about the person responsible

   • Responsible for the processing of your personal data within the meaning of the General Data Protection Regulation (“GDPR”) is Tortuga Technologies Trading (Malta) Limited, Office 2, Triq Salvu Psaila, 54 Birkirkara, BKR 9073, hereinafter also “weed.de”, “we” or “us”).
   • If you have any questions about the handling and protection of your data or the exercise of your rights under data protection law (see section 6), please contact us by email at info@weed.de.

2. General

   • Our data processing is subject to the provisions of the GDPR. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or stay.
   • If we transmit personal data to third parties, we attach great importance to compliance with data protection obligations in accordance with the standards of the GDPR. In individual cases, it cannot be ruled out that business partners to whom we transmit data are not themselves subject to the GDPR. In addition, mandatory processing (e.g. for crime prevention) or otherwise necessary processing (e.g. ticket system) may only be carried out by (sub)contractors of business partners in countries without adequate EU data protection (so-called third countries). In these cases, however, we only allow your data to be processed in a third country if the special requirements of Articles 44 ff. GDPR and the relevant case law of the ECJ are met. We regularly agree EU standard contractual clauses with our contractual partners if there is a possibility that personal data will not be adequately processed abroad in accordance with the standards of the GDPR. In addition, before a transfer to a third country, we check whether there are any other possible risks to the protection of personal data – such as access possibilities by foreign authorities – and in this case we take appropriate protective measures or restrict data traffic accordingly.
   • The personal data of data subjects is deleted or blocked as soon as the purpose of processing no longer applies. Storage beyond this period only takes place as long as and to the extent provided for by applicable European or national law or other regulations to which we are subject. In addition, we can store data even after the original purpose of processing no longer applies in order to assert or defend against legal claims. The storage period is also determined by the statutory limitation periods, which are usually three years, but in some cases can be up to thirty years. Commercial or tax law periods for storage or documentation are two to ten years. If personal data is stored for a longer period for the reasons explained above, we ensure that it is processed for the respective storage purpose and not for other purposes.
   • We take the protection of personal data very seriously and have therefore taken comprehensive technical and organizational data protection security measures to ensure a level of protection appropriate to the risk.

3. Data security and compliance measures.

   • We would like to point out that the servers we use are located exclusively in the EU and meet the highest data protection standards in accordance with the GDPR. Tortuga Technologies Trading (Malta) Limited takes all recommended measures to protect personal data, including the use of a secure backend that is only accessible via whitelist IP addresses. Since we are based in Malta and therefore within the EU, we are obliged, just like companies in other EU countries, to comply with the requirements of the GDPR and thus ensure the greatest possible protection of personal and other sensitive data.

4. Activities in which we process your personal data

   • Visiting our website
     On our website www.weed.de we present ourselves and all the services we offer. If you visit our website without filling in any input fields on the website, we process your personal data as follows:
     
     • For the purpose of providing our website, we process your IP address, time of access, information on browser, operating system, language settings, date and time of access, amount of data transferred, screen resolution, the page or file accessed, referrer URL (the previously visited page) and the access status (successful or error code) each time the page is accessed. The processing is technically necessary to enable the use of our website (Art. 6 Para. 1 Clause 1 Letter b) GDPR). The data is deleted after the end of your visit to our website, unless individual data is further processed for one of the purposes listed below.
     • For the purpose of detecting and defending against attacks on our website and the technical infrastructure (e.g. hacking, denial-of-service attacks), we process and store the IP addresses, time of access, subpage(s) accessed and data volume transferred of all website visitors in so-called server log files. The processing serves to fulfil our legal obligation to take protective measures (Art. 6 Para. 1 Clause 1 Letter f) GDPR). Our legitimate interest is based on the fact that we have to protect our website from attacks. The data is deleted 30 days after the end of your visit to our website, provided no attempted attack is detected. In the event of a detected attempted attack from your connection, the data will be further processed for the complete technical and, if necessary, legal processing.
     • We use the services of a web hosting provider as a processor (Article 28 GDPR) for all of the processing activities listed in sections 3.1.1 and 3.1.2. All personal data processed for these activities is transmitted to the processor.
     • We use a “content delivery network” (CDN) to provide our website nationwide. A CDN is a service that enables the content of an online offering, particularly large media files such as graphics or program scripts, to be delivered more quickly and securely using regionally distributed servers connected via the Internet. The legal basis for the use of a CDN is our legitimate interest (Art. 6 Para. 1 Clause 1 Letter f) GDPR).
   • Cookies and third-party services (web analysis and web tracking) on ​​our website
     We use cookies on our website. Detailed information about the cookies and tracking tools used, the respective legal basis and storage periods can be found in our Cookie and Tracking Policy .
   • Marketing and newsletters
     To keep our customers up to date, we send marketing emails and newsletters. The difference between the two is that marketing emails are sent exclusively to existing customers and the content of a marketing email is limited to services that are similar to those that the customer has used, while newsletters inform about all interesting news from weed.de. We provide information about both types in this section.
     • We send marketing emails to existing customers of weed.de. We use the email address that we received from the respective customer as part of our business relationship. Every existing customer has the option to object to the use of their email address for marketing emails.
     • The data processing and sending of marketing emails can take place for the following purposes and based on the following legal basis: -Due to legitimate interest (Art. 6 Para. 1 Clause 1 Letter f) GDPR, Section 7 Para. 3 UWG) The processing of personal data in connection with marketing mailings is carried out for the purpose of informing existing customers about news from weed.de that concern services that are comparable to the services previously used by the respective existing customer. Permission to store and use the email address for email marketing is based on our legitimate interest. This interest lies in informing existing customers about relevant news from weed.de.
     • Recipients of marketing emails have the option of objecting to the use of their email address for marketing purposes at any time. To do so, simply click on the “unsubscribe” link at the end of each marketing email to remove yourself from the recipient list. By clicking on the unsubscribe link, you also object to data processing. After the objection, no more marketing emails will be sent to the email address in question.
     • You can also sign up to receive our newsletter on our website. To subscribe to our newsletter, it is generally sufficient to provide your email address. Registration for our newsletter is generally carried out using a so-called double opt-in process. This means that after registration you will receive an email asking you to confirm your registration. This confirmation is necessary so that no one can register using someone else’s email address. Registrations for the newsletter are logged in order to be able to prove the registration process in accordance with legal requirements. This includes storing the time of registration and confirmation as well as the IP address. Changes to your data stored by the shipping service provider are also logged. However, we may ask you to provide a name for the purpose of being addressed personally in the newsletter or other information if this is necessary for the purposes of the newsletter.
     • The data processing in connection with the sending of newsletters is based on the legal basis of your consent (Art. 6 Para. 1 Clause 1 Letter a) GDPR).
     • Processing of personal data in connection with the newsletter is carried out for the purpose of sending the newsletter to the person ordering it, i.e. it is stored and used for sending.
     • Consent to the storage and use of the email address for sending the newsletter can be revoked at any time. To do so, simply click on the “unsubscribe” link at the end of each newsletter to remove yourself from the recipient list. If consent is revoked, the email address will be deleted from our newsletter file unless there is a justification for further storage. After revocation, no more newsletters will be sent to the email address in question. The legality of data processing operations that have already taken place remains unaffected by the revocation.
     • We use so-called web beacons when sending marketing emails and newsletters. Detailed information about the cookies and tracking tools used , the respective legal basis and storage periods can be found in our Cookie and Tracking Policy.
     • Consent to the sending of mailings can be made dependent on the use of free services (e.g. access to certain content or participation in certain promotions). If users would like to use the free service without registering for the newsletter, please contact us.
     • Transmission to other data recipients is possible provided there is a legal basis for doing so. When sending newsletters and marketing emails, we use the service provider Mailjet as a data processor (Art. 28 GDPR) (Mailjet SAS, 13-13 bis, rue de l’Aubrac, 75012 Paris, France; website: https://www.mailjet.de; privacy policy: https://www.mailjet.de/privacy-policy). This service provider processes your data only for the purposes stated above and on the legal basis stated above.
     • After revocation or objection, we store the data required to prove previous authorization for up to three years after the end of the year of revocation or objection on the basis of our legitimate interests. The processing of this data is limited to the purpose of a possible defense against claims. On the basis of the legitimate interest in permanently observing the user’s revocation or objection, we also store the data required to avoid further contact. An individual request for deletion is possible at any time, provided that the previous existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the e-mail address in a block list (so-called “block list”) for this purpose alone.
   • Contact us for other inquiries
     
     You can reach us via various communication channels:
     • To process all inquiries that reach us by email, we process your surname, first name, email address, any other personal data you provide in the email, and information about the content of your request. The processing is necessary to process your request (Art. 6 Para. 1 Clause 1 Letter b) GDPR). Email hosting is carried out by the company Amazon Web Services EMEA SARL, Avenue John F. Kennedy 38, LUXEMBOURG, 1855, LUXEMBOURG . The personal data transmitted will be deleted immediately as soon as the matter you contacted us about has been resolved and data processing is not required for other reasons. If this is required by law, the processing of the data will be restricted to the fulfillment of statutory retention periods, in particular commercial and tax law retention periods.
     • In order to process all inquiries that reach us via our contact form, we process your surname, first name, and all other personal data you provide, as well as information about the content of your request. This processing is necessary to process your request (Art. 6 Para. 1 Clause 1 Letter b) GDPR). The personal data transmitted will be deleted immediately as soon as the matter for which you contacted us has been resolved and data processing is not required for other reasons. If this is required by law, the processing of the data will be restricted to the fulfillment of statutory retention periods, in particular commercial and tax law retention periods.
     • In order to process all inquiries that reach us via social networks (LinkedIn, Xing, Facebook, Twitter), we process your first name, last name, and all other personal data you provide, as well as information about the content of your request. This processing is necessary to process your request (Art. 6 Para. 1 Clause 1 Letter b) GDPR). The personal data transmitted will be deleted immediately as soon as the matter you contacted us about has been resolved and data processing is not required for other reasons.
     • If this is required by law, the processing of the data will be restricted to the fulfillment of statutory retention periods, in particular those under commercial and tax law. – To process general telephone enquiries, we process your last name, first name, telephone number (if provided or transmitted), the other personal data you provided by telephone and the information on the content of your telephone enquiry. The processing is necessary to process your request (Art. 6 Para. 1 S. 1 lit. b) GDPR). If the personal data provided by telephone is processed automatically or otherwise recorded and stored in a file system, it will be deleted immediately after the enquiry’s request has been processed, unless the data processing is required for another purpose. If this is required by law, the processing of the data will be restricted to the fulfillment of statutory retention periods, in particular those under commercial and tax law.
     • After revocation or objection, we store the data required to prove previous authorization for contacting or sending for up to three years after the end of the year of revocation or objection on the basis of our legitimate interests. The processing of this data is limited to the purpose of a possible defense against claims. On the basis of the legitimate interest in permanently respecting the user’s revocation or objection, we also store the data required to avoid further contact (e.g., depending on the communication channel, the email address, telephone number, name).

5. Social-Media

   • We use various social media networks. Tortuga Technologies Trading (Malta) Limited is responsible for the various profiles. Visiting our social media presences triggers numerous data protection-relevant processing operations and is carried out by the operator of the respective social media network. This means that social media networks can generally analyze the behavior of their users in detail. We generally have neither control nor influence over these data processing operations. Details of the social media networks we use can be found below and in the terms of use and privacy statements of the respective networks.
   • Data processing in connection with social media can be carried out for the following purposes and based on the following legal basis:
     • For the performance of the contract or for the implementation of pre-contractual measures (Art. 6 Para. 1 Clause 1 Letter b) GDPR) If contact via social media concerns a contract concluded with us or with a dealer, data processing is necessary to execute the contract.
     • Based on our legitimate interests and those of third parties (Article 6 (1) sentence 1 lit. f) GDPR) For contact requests that are not related to the execution of a contract, the data processing is based on our interest in effectively processing and answering the request.
   • Which social media networks do we use?
     • LinkedIn
       We have a profile on LinkedIn. The operator of the network is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies. LinkedIn advertising cookies can be deactivated via the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. LinkedIn’s privacy policy can be accessed via the following link: https://www.linkedin.com/legal/privacy-policy.
     • Instagram
       We have a profile on Instagram. The network is operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Users registered with Instagram can adjust the advertising settings independently in their own user account; privacy policy: https://instagram.com/about/legal/privacy.

6. Plugins and integrated functions and content

   • We incorporate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include, for example, graphics, videos or city maps (hereinafter referred to uniformly as “content”).
   • The integration always requires that the third-party providers of this content process the IP address of the user, since without the IP address they would not be able to send the content to their browser. The IP address is therefore required to display this content or functions. We endeavor to only use content whose respective providers only use the IP address to deliver the content. Third-party providers can also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information can also be stored in cookies on the user’s device and contain, among other things, technical information about the browser and operating system, referring websites, the time of the visit and other information about the use of our online offer, as well as be linked to such information from other sources.
   • Detailed information about the plugins used on our website and the functions and content integrated therein, the respective legal basis and storage periods can be found in our Cookie and Tracking Policy .

7. Your rights

   • You can assert your rights against us at any time by post to the address given above in section 2.1 or by email to the email address given above in section 2.2.
   • You have the following rights with regard to the personal data concerning you:

• You also have the right to contact the data protection supervisory authorities if you have any questions or complaints regarding the processing of your personal data. The following supervisory authority is responsible for us: IDPC, Information and Data Protection Commissioner Malta, Floor 2, Airways House, Triq Il-Kbira, Tas-Sliema SLM 1549, Malta – https://idpc.org.mt/