Privacy policy
PRIVACY POLICY
1) Information on the Collection of Personal Data and Contact Details of the Controller
1.1 We're glad you're visiting our website and appreciate your interest. Below, you'll find information about how we handle your personal data when you use our website. Personal data includes all information that can be used to identify you personally.
1.3 For security reasons and to protect the transmission of personal data and other confidential content (such as orders or inquiries sent to us), this website uses SSL or TLS encryption. You can recognize an encrypted connection by the "https://" prefix and the padlock icon in your browser's address bar.
2) Data Collection When You Visit Our Website
If you use our website for informational purposes only, meaning you do not register or otherwise provide us with information, we only collect the data your browser transmits to our server (so-called "server log files"). When you access our website, we collect the following data, which is technically necessary for us to display the website to you:
- The website you visited on our server
- Date and time of access
- Amount of data sent in bytes
- Source or reference from which you reached the site
- Browser used
- Operating system used
- IP address used (possibly in anonymized form)
Processing is carried out in accordance with Art. 6(1)(f) GDPR based on our legitimate interest in improving the stability and functionality of our website. This data is not shared or used for any other purpose. However, we reserve the right to review the server log files later if there are concrete indications of unlawful use.
3) Hosting & Content Delivery Network
Hosting by Shopify
We use the shop system provided by Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland (“Shopify”), for hosting and displaying our online shop based on processing carried out on our behalf. All data collected on our website is processed on Shopify’s servers. As part of the services provided by Shopify, data may also be transferred for further processing on behalf of Shopify Inc., 150 Elgin St, Ottawa, ON K2P 1L4, Canada, Shopify Data Processing (USA) Inc., Shopify Payments (USA) Inc., or Shopify (USA) Inc. If data is transferred to Shopify Inc. in Canada, an adequate level of data protection is ensured by a European Commission adequacy decision. For more information about Shopify’s data protection, please visit the following website: https://www.shopify.de/legal/datenschutz
Any further processing on servers other than those mentioned above only takes place as described below.
4) Cookies
To make your visit to our website more enjoyable and to enable certain features, we use cookies. These are small text files that are stored on your device. Some of these cookies are automatically deleted when you close your browser (so-called "session cookies"), while others remain on your device for a longer period and allow your site settings to be saved (so-called "persistent cookies"). For the latter, you can find out how long they are stored by checking your browser's cookie settings overview.
If any of the cookies we use process personal data, this is done in accordance with Art. 6(1)(b) GDPR for the performance of a contract, in accordance with Art. 6(1)(a) GDPR if you have given your consent, or in accordance with Art. 6(1)(f) GDPR to protect our legitimate interest in ensuring the best possible functionality of the website and a user-friendly, efficient experience for visitors.
You can set your browser to notify you when cookies are being set and decide individually whether to accept them, or you can refuse cookies in certain cases or in general.
Please note that if you do not accept cookies, some features of our website may not work properly.
5) Contact
5.1 Review Reminder by Loox
If you have given us your explicit consent during or after your order in accordance with Art. 6 para. 1 lit. a GDPR, we will forward your email address and, if applicable, other previously collected customer data to the review tool Loox, a service provided by Loox Online Ltd., Rehov Har Sinai 2, 6581602 Tel Aviv-Yafo, Israel (“Loox”), so that they can send you a review reminder by email. You can withdraw your consent at any time by contacting the data controller or the review platform.
The transfer of data to Loox in Israel is covered by an adequacy decision of the European Commission, ensuring an appropriate level of data protection.
We have entered into a data processing agreement with Loox, which obligates Loox to protect our customers’ data and not to share it with third parties. You can view this agreement here: https://loox.io/legal/data_processing_addendum.pdf
For more information about Loox’s privacy practices, please visit https://loox.io/legal/privacy_policy_merchants.pdf
5.2 When you contact us (for example, via contact form or email), we process your personal data solely for the purpose of handling and responding to your inquiry, and only to the extent necessary. The legal basis for processing this data is our legitimate interest in responding to your inquiry in accordance with Art. 6 para. 1 lit. f GDPR. If your inquiry is related to a contract, the additional legal basis for processing is Art. 6 para. 1 lit. b GDPR. Your data will be deleted once it is clear from the circumstances that the matter has been fully resolved and there are no legal retention requirements.
6) Data Processing When Creating a Customer Account
According to Art. 6(1)(b) GDPR, we continue to collect and process personal data as needed when you provide it to us while creating a customer account. The data required to open an account can be found in the input fields of the relevant form on our website. You can delete your customer account at any time by sending a message to the address of the controller listed above. Once your customer account is deleted, your data will also be deleted, provided all contracts concluded through the account have been fully processed, there are no legal retention requirements, and we have no legitimate interest in retaining your data.
7) Use of Customer Data for Direct Marketing
Signing up for our email newsletter
If you sign up for our email newsletter, we will regularly send you information about our offers. The only information required to receive the newsletter is your email address. Providing any additional information is optional and helps us address you personally. We use the so-called double opt-in process for sending newsletters. This ensures that you only receive newsletters after you have explicitly confirmed your consent by clicking a verification link sent to your provided email address.
By activating the confirmation link, you give us your consent to use your personal data in accordance with Art. 6(1)(a) GDPR. We store the IP address entered by your internet service provider (ISP), as well as the date and time of your registration, so we can trace any potential misuse of your email address at a later time. The data we collect during newsletter registration is used strictly for this purpose. You can unsubscribe from the newsletter at any time using the link provided in the newsletter or by sending a message to the controller mentioned above. After you unsubscribe, your email address will be promptly removed from our newsletter distribution list, unless you have expressly agreed to further use of your data or we are legally permitted to use your data for other purposes, which we will inform you about in this statement.
Do you want to be removed from our mailing list?
HHC-Vapes sends you, as an existing customer, special offers and promotions by mail, email, SMS, and RCS. New customers will also receive these, provided they have agreed or have not expressly objected. If you don't want to receive offers and promotions by email, you can unsubscribe here or use the link included in all marketing messages. We'll do our best to remove you as quickly as possible, but it may take some time before you're completely deleted from our email list, so you might still receive one or two more emails. If you don't want to receive offers and promotions by mail, SMS, or RCS, just let us know at info@hhc-Vapes.com. Our printed marketing materials are prepared in advance, so the process may take a little while, and you might still get one more message.
If your data appears on a recognized "opt-out" list in your country, HHC-Vapes will make every effort to ensure you don't receive marketing materials from us, unless you have specifically requested otherwise.
8) Data Processing for Order Fulfillment
8.1 If necessary for processing the contract for delivery and payment purposes, we will share the personal data we collect with the contracted shipping company and the contracted financial institution, in accordance with Art. 6(1)(b) GDPR.
If, under a relevant contract, we owe you updates for goods with digital elements or for digital products, we will use the contact details you provided with your order (name, address, email address) to personally inform you about upcoming updates within the legally required timeframe, using an appropriate communication channel (such as mail or email), as required by our legal information obligations under Art. 6(1)(c) GDPR. Your contact details will be used strictly for the purpose of sending you notifications about updates we are required to provide, and we will only process your data as much as is necessary for this purpose.
To process your order, we also work with the following service provider(s), who help us fully or partially fulfill the contracts we have entered into. Certain personal data will be shared with these service providers as described below.
8.2 Use of payment service providers
- Apple Pay
If you choose the "Apple Pay" payment method from Apple Distribution International (Apple), Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, your payment will be processed using the "Apple Pay" feature on your device running iOS, watchOS, or macOS by charging a payment card stored in "Apple Pay." Apple Pay uses security features built into your device’s hardware and software to protect your transactions. To authorize a payment, you need to enter a code you set up earlier and verify using your device’s "Face ID" or "Touch ID" feature.
For payment processing, the information you provide during the order process, along with details about your order, will be sent to Apple in encrypted form. Apple then encrypts this data again with a developer-specific key before forwarding it to the payment service provider of the card stored in Apple Pay to complete the payment. This encryption ensures that only the website where you made your purchase can access your payment data. After the payment is completed, Apple sends your device account number and a transaction-specific dynamic security code to the originating website to confirm the payment.
If personal data is processed during these transmissions, it is done solely for payment processing in accordance with Art. 6(1)(b) GDPR.
Apple stores anonymized transaction data, including the approximate purchase amount, date, and time, as well as whether the transaction was successful. Because the data is anonymized, it cannot be linked to you personally. Apple uses this anonymized data to improve "Apple Pay" and other Apple products and services.
If you use Apple Pay on your iPhone or Apple Watch to complete a purchase you started in Safari on your Mac, your Mac and the authorizing device communicate through an encrypted channel on Apple’s servers. Apple does not process or store any of this information in a format that could identify you. You can turn off the option to use Apple Pay on your Mac in your iPhone settings. Go to "Wallet
For more information about data privacy with Apple Pay, visit the following website: https://support.apple.com/de-de/HT203027
9) Web Analytics Services
Google Analytics 4
This website uses Google Analytics 4, a service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"), which allows us to analyze how websites are used.
Google Analytics 4 typically uses what are known as "cookies." Cookies are text files stored on your device that make it possible to analyze how you use a website. The information collected by cookies about your use of the website (including the IP address sent by your device, which is shortened as described below) is usually transmitted to a Google server, where it is stored and processed. This may also involve transferring information to servers operated by Google LLC in the USA, where it may be further processed.
When you use Google Analytics 4, the IP address sent by your device is always collected and processed in an anonymized form by default and automatically, so that the information cannot be directly linked to you as a person. This automatic anonymization happens because Google shortens the IP address sent by your device within member states of the European Union (EU) or other countries that are part of the European Economic Area (EEA).
On our behalf, Google uses this and other information to evaluate your use of the website, to compile reports about your website activity and usage behavior, and to provide us with other services related to your use of the website and the internet. The IP address sent by your device and shortened as part of Google Analytics 4 is not merged with other Google data. Data collected through Google Analytics 4 is stored for 2 months and then deleted.
Google Analytics 4 also offers a special feature called "demographic characteristics," which makes it possible to create statistics about the age, gender, and interests of website users based on interest-based advertising and third-party information. This allows us to identify and distinguish user groups on the website for the purpose of targeted optimization.
All processing described above, especially the placement of Google Analytics cookies to store and access information on the device you use to access the website, only takes place if you have given us your explicit consent in accordance with Art. 6(1)(a) GDPR. Without your consent, Google Analytics 4 will not be used while you visit the website. You can withdraw your consent at any time with future effect. To do so, please disable this service using the “cookie consent tool” provided on the website.
We have entered into a data processing agreement with Google for our use of Google Analytics 4, which obligates Google to protect the data of our website users and not to share it with third parties.
To ensure compliance with European data protection standards, even if data is transferred from the EU or EEA to the USA and may be processed there, Google relies on the so-called Standard Contractual Clauses of the European Commission, which we have contractually agreed with Google.
You can find further legal information about Google Analytics 4, including a copy of the mentioned Standard Contractual Clauses, at https://policies.google.com/privacy?hl=de&gl=de and at https://policies.google.com/technologies/partner-sites
10) Site Features
10.1 - Google Web Fonts
This site uses web fonts provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”) to ensure consistent font display. When you visit a page, your browser downloads the required web fonts into its cache so that text and fonts are displayed correctly.
To do this, your browser needs to connect to Google's servers. This may also involve transferring personal data to Google LLC servers in the USA. Through this connection, Google becomes aware that our website was accessed using your IP address. We only process personal data in connection with the font provider if you have given us your explicit consent in accordance with Art. 6(1)(a) GDPR. You can withdraw your consent at any time with future effect by disabling this service in the “Cookie Consent Tool” provided on the website. If your browser does not support web fonts, a standard font from your computer will be used.
You can find more information about Google Web Fonts at https://developers.google.com/fonts/faq and in Google’s privacy policy: https://www.google.com/policies/privacy/
10.2 Google reCAPTCHA
We use the reCAPTCHA feature from Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”) on this website. This feature is mainly used to determine whether an entry is made by a human or is being misused by automated or machine processing. The service involves sending your IP address and, if necessary, other data required by Google for the reCAPTCHA service to Google. This is done in accordance with Art. 6(1)(f) GDPR based on our legitimate interest in verifying individual responsibility online and preventing misuse and spam. When using Google reCAPTCHA, personal data may also be transferred to Google LLC servers in the USA.
For more information about Google reCAPTCHA and Google’s privacy policy, please visit: https://www.google.com/intl/de/policies/privacy/
Where legally required, we have obtained your consent for the processing of your data as described above in accordance with Art. 6(1)(a) GDPR. You can withdraw your consent at any time with effect for the future. To do so, please follow the instructions above for submitting an objection.
For data transfers from the EU to the USA, Google relies on the so-called Standard Contractual Clauses of the European Commission, which are intended to ensure compliance with European data protection standards in the USA.
11) Tools and Other Services
11.1 - Lexoffice
We use the cloud-based accounting software "lexoffice" from Haufe-Lexware GmbH & Co. KG, Munzinger Straße 9, 79111 Freiburg, to handle our bookkeeping.
Lexoffice processes incoming and outgoing invoices and, if applicable, our company's bank transactions. This allows invoices to be automatically recorded, matched to transactions, and used to generate our financial accounting through a partially automated process.
If personal data is processed in this context, it is done in accordance with Art. 6(1)(f) GDPR, based on our legitimate interest in efficient organization and documentation of our business operations.
For more information about lexoffice, automated data processing, and their privacy policy, please visit https://www.lexoffice.de/datenschutz/
11.2 Cookie Consent Tool
This website uses a so-called "cookie consent tool" to obtain valid user consent for cookies and cookie-based applications that require approval. When you visit the site, the "cookie consent tool" appears as an interactive interface where you can give consent for specific cookies and/or cookie-based applications by checking boxes. With this tool, any cookies or services that require consent are only activated if you have given your approval by checking the relevant boxes. This ensures that such cookies are only stored on your device if you have agreed to it.
The tool uses technically necessary cookies to save your cookie preferences. As a rule, no personal user data is processed in this context.
If, in individual cases, personal data (such as your IP address) is processed for the purpose of storing, assigning, or logging cookie settings, this is done in accordance with Art. 6(1)(f) GDPR based on our legitimate interest in providing a legally compliant, user-specific, and user-friendly consent management system for cookies, and thus in ensuring our website complies with legal requirements.
Another legal basis for processing is Art. 6(1)(c) GDPR. As the data controller, we are legally required to make the use of non-essential cookies dependent on the user's consent.
You can find more information about the operator and the settings options for the cookie consent tool directly in the relevant interface on our website.
12) Rights of Data Subjects
12.1 Under applicable data protection law, you have the following rights regarding the processing of your personal data by the data controller (rights to information and intervention). The specific legal basis for exercising each right is referenced below:
- Right of access under Art. 15 GDPR;
- Right to rectification under Art. 16 GDPR;
- Right to erasure under Art. 17 GDPR;
- Right to restriction of processing under Art. 18 GDPR;
- Right to notification under Art. 19 GDPR;
- Right to data portability under Art. 20 GDPR;
- Right to withdraw consent under Art. 7(3) GDPR;
- Right to lodge a complaint under Art. 77 GDPR.
12.2 RIGHT TO OBJECT
IF WE PROCESS YOUR PERSONAL DATA BASED ON OUR OVERRIDING LEGITIMATE INTERESTS AS PART OF A BALANCING OF INTERESTS, YOU HAVE THE RIGHT TO OBJECT TO THIS PROCESSING AT ANY TIME FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION, WITH EFFECT FOR THE FUTURE.
IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE RELEVANT DATA. HOWEVER, WE RESERVE THE RIGHT TO CONTINUE PROCESSING IF WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS, OR IF THE PROCESSING SERVES TO ESTABLISH, EXERCISE, OR DEFEND LEGAL CLAIMS.
IF WE PROCESS YOUR PERSONAL DATA FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA FOR SUCH MARKETING. YOU CAN EXERCISE YOUR RIGHT TO OBJECT AS DESCRIBED ABOVE.
IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE RELEVANT DATA FOR DIRECT MARKETING PURPOSES.
13) Duration of storage of personal data
The length of time personal data is stored depends on the applicable legal basis, the purpose of processing, and—if relevant—any statutory retention periods (such as commercial or tax law retention requirements).
When personal data is processed based on explicit consent in accordance with Art. 6(1)(a) GDPR, this data will be stored until the individual withdraws their consent.
If there are legal retention periods for data processed as part of contractual or quasi-contractual obligations under Art. 6(1)(b) GDPR, this data will be routinely deleted after the retention periods expire, provided it is no longer needed to fulfill or initiate a contract and/or we no longer have a legitimate interest in retaining it.
When personal data is processed on the basis of Art. 6(1)(f) GDPR, this data will be stored until the individual exercises their right to object under Art. 21(1) GDPR, unless we can demonstrate compelling legitimate grounds for processing that override the interests, rights, and freedoms of the individual, or the processing is necessary for the establishment, exercise, or defense of legal claims.
When personal data is processed for direct marketing purposes on the basis of Art. 6(1)(f) GDPR, this data will be stored until the individual exercises their right to object under Art. 21(2) GDPR.
Unless otherwise specified in this statement regarding specific processing situations, stored personal data will be deleted when it is no longer necessary for the purposes for which it was collected or otherwise processed.
