Privacy Policy

The subject matter of data protection is the protection of personal data (also referred to as “personal information”) within the meaning of the DSG and the GDPR. Personal data refers to any information relating to an identified or identifiable natural person (known as a “data subject”). Consequently, your personal data includes all data that allows for your identification, such as your name, address, phone number, or email address. Personal data also includes information that is necessarily generated through the use of our platform, such as the start and end times and scope of use, or your IP address.

Personal data is also collected to the extent that you provide us with information and content as part of our customer interactions.

We process your data only if permitted by applicable law. We will base the processing of your data on the following legal grounds, among others:

• Consent: We will process certain data only on the basis of your prior, explicit, and voluntary consent. You have the right to withdraw your consent at any time with future effect.
• Performance of a contract or implementation of pre-contractual measures: In particular, we require certain data from you to initiate or carry out your contractual relationship with us.
• Compliance with a legal obligation: In addition, we process your personal data to comply with legal obligations, such as regulatory requirements or retention obligations under commercial and tax law.
• Protection of legitimate interests: We will process certain data to protect our interests or those of third parties. However, this applies only if your interests do not outweigh ours in the specific case.

Please note that this is not a complete or exhaustive list of possible legal bases, but rather consists solely of examples intended to make the legal bases under data protection law more transparent. For more detailed information on the legal bases for the individual data processing activities on our website, please refer to the explanations in the following sections.

2.1. Server Log Data

When you visit our websites, the following information regarding your access may be stored:

• IP address of the requesting device,
• pages and files accessed,
• the HTTP response code,
• the size of the pages and files accessed in bytes,
• the previous website from which you visited the platform (referrer URL),
• Date, time, and time zone of the server request,
• the type and version of the browser used,
• the operating system used by the requesting device.

We process this data based on our legitimate interests in providing our websites, ensuring their technical operation, and maintaining the security of our information technology systems. In doing so, we pursue the legitimate interest of enabling and continuously maintaining the use of our websites and their technical functionality. This data is processed automatically when you access our websites. Without providing this data, you cannot use our websites. We do not use this data for the purpose of drawing conclusions about your identity.

When you visit our websites, relevant information may be stored on your device and/or information already stored on your device may be accessed. Storing or accessing this information is absolutely necessary to ensure the operation of our websites and IT security, and to provide you with our services as requested.

The data collected automatically is generally deleted once the purpose has been fulfilled, unless another legal basis applies. If the latter is the case, we will delete the data once the other legal basis no longer applies.

We cannot accommodate an objection to the collection and storage of your server log data, as this data is absolutely necessary for the smooth operation of our websites.

2.2. Website Features

a) Contact

Contact Form

On our websites, you have the option to contact us via a contact form. When you use the contact forms, we collect and store the following data:

• Name,
• Email address,
• Personal message,
• Details regarding your specific inquiry.

This data is absolutely necessary for the proper processing of your contact request.

Phone and Email

You also have the option of contacting us by phone or email. If you contact us through these communication channels, we may process the data you voluntarily provide, such as contact information (e.g., name, phone number, or email address) and, if applicable, your personalized message.

The data you provide via our contact form, by phone, or by email is transmitted to us via a secure connection (see Section 10 for details). We transfer this data to our customer relationship management system (see Section 3). The collection, processing, and use of your data are limited to the specific purpose of receiving and, if applicable, responding to your inquiry. Your data is processed for the purpose of initiating or fulfilling a contractual relationship with you, or to safeguard our legitimate interests. In the latter case, we have a legitimate interest in processing contact requests voluntarily submitted to us.

We will delete the data you have provided as soon as the purpose for which it was collected no longer applies, subject to compliance with any ongoing legal retention obligations.

To the extent that your data is processed based on legitimate interests, you may object to the storage of your personal data at any time. In this case, we will no longer process your data unless we can demonstrate a legitimate interest in doing so or are otherwise legally required to store it. To exercise your right to object to the processing, please contact us via email.

Please note, however, that we cannot guarantee complete data security when communicating via the contact form and, in particular, via email. Therefore, especially in the case of confidential information, we recommend that you send it via a secure transmission method, such as regular mail.

2.3. Online Store

We offer our products and courses for purchase through our websites. To enable you to select and order products and courses, as well as to process payment and delivery, we process—in particular—your personal and contact information, order details, contract information, and your billing and payment information as part of the respective ordering/booking process. This processing is carried out for the purpose of providing contractual services in connection with the operation of our online store, for order processing, billing, delivery, and the provision of customer service.

Payment processing for orders and bookings made through our online store is carried out, at your discretion, either by invoice, credit card, PayPal, Apple Pay, or Google Pay. Depending on the payment method, we process the information you provide regarding your bank account or credit card, as well as your billing address, if applicable, to fulfill the respective contract.

For payment processing, we work with the following payment service providers:

• PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg,
• Apple Distribution International Limited, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland (Apple Pay),
• Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google Pay).

For the purpose of processing payments, your payment data (name of your bank, IBAN, BIC, credit or debit card information, billing address) is transferred to the respective payment service provider. We do not store your payment data ourselves.

Please therefore refer to the respective privacy and security notices of the payment service providers:

• PayPal (Europe) S.à r.l. et Cie, S.C.A., https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE
• Apple Distribution International Limited (Apple Pay), https://www.apple.com/de/legal/privacy/data/de/apple-pay/
• Google Ireland Limited (Google Pay), https://support.google.com/googlepay/answer/7643925

The processing of your data in connection with order and booking processing is carried out for the purpose of initiating and fulfilling the respective contract with you, as well as, where applicable, to comply with statutory retention requirements.

If you select a payment method that poses a credit risk to us, we will conduct a credit check before concluding the contract. This is particularly the case when purchasing on account or agreeing to pay in installments. As part of the credit check, we share your data with a credit reporting agency. This agency then provides us with information about your payment history and creditworthiness in the form of a credit score. Based on this score, we decide whether to enter into the contract using the selected payment method. In this context, we process the following data:

• Personal master data (first name, last name, date of birth)
• Contact information (mailing address)
• Creditworthiness (score calculated by the credit bureau)

The processing carried out as part of the credit check serves to prevent payment defaults and thus to protect our financial interests. Consequently, this processing also serves to determine whether to enter into contracts with customers. As part of the credit check, we process your data based on our legitimate interest in preventing payment defaults and protecting our financial interests.

We only transfer the data to third parties if it is necessary for contract fulfillment, in particular for payment processing and delivery, for credit checks, or to comply with legal obligations.

To the extent that your data is processed based on legitimate interests, you may object to the processing of your personal data at any time. In this case, we will no longer process your data unless we can demonstrate a legitimate interest in doing so or are otherwise legally required to retain it. To exercise your right to object to the processing, please contact us via email.

The data you provided in connection with an order will be deleted after the relevant statutory warranty, statute of limitations, and retention obligations have expired (see Section 7).

2.4. “BLACKROLL Community” Loyalty Program

You can sign up for our loyalty program via our websites. A prerequisite for signing up for and participating in our loyalty program is an existing user account (see Section 2.2(d) for more information).

If you participate in our loyalty program and join the BLACKROLL Community, you have the opportunity to earn points through various activities—such as purchases via our online store or subscribing to our newsletter—which you can redeem for various benefits (e.g., discounts, gift cards, access to exclusive presales).

As part of our loyalty program, we use the “Yotpo Loyalty & Referrals” service provided by Yotpo Ltd., 35 Hamasger, Tel Aviv-Jaffa, Central District, 6721407 Israel (hereinafter “Yotpo”). Yotpo provides us with a platform that enables us to technically manage our loyalty program, create customer segments, plan and evaluate campaigns, and incorporate recommendations and reviews into the program design.

In connection with your use of the loyalty program, we process, in particular, your user account data (see Section 2.2(d)) as well as your customer master data and, if applicable, order data (see Section 2.3). In addition, we process the following information about you in particular:

• Your current point balance and the history of points earned and redeemed;
• your participation in individual loyalty campaigns (e.g., point promotions, bonus promotions);
• the number and status of your referrals;
• the date of your last purchase as well as other activity data on our loyalty platform (e.g., logins, responses to campaigns);
• Your assignment to specific loyalty levels or tiers, which are determined, among other things, by your past purchasing behavior and your participation in the program;
• technical communication data, to the extent that we inform you about such promotions (e.g., via email, provided you have given your consent).

Yotpo enables us to create customer segments based on program-related data, e.g., by point balance, number of completed referrals, date of last purchase, loyalty tier, and similar criteria. Furthermore, we can use Yotpo to plan, manage, and execute time-sensitive campaigns (e.g., limited-time bonus point promotions, special discounts for specific program tiers). Based on this, we can:

• target specific customer groups (e.g., very active members, inactive members) with information about our loyalty program;
• send you personalized offers and notifications based on your use of the loyalty program (e.g., high point balance, points about to expire, long time since last purchase);
• create aggregated and pseudonymized analyses of the loyalty program’s usage (e.g., number of active members, average points earned, redemption rates for rewards);
• Measure the effectiveness of individual campaigns and program features (e.g., which promotions are used most frequently, which rewards are in high demand);
• continuously improve our offerings and the design of the loyalty program and make them more user-friendly.

Segmentation is used to make communications regarding the loyalty program more relevant to you, without involving automated decision-making that has legal effects.

Data processing is carried out for the proper initiation or performance of a contractual relationship with you, to the extent that data processing is necessary for the initiation or performance of the contract. In addition, data processing may be carried out to safeguard our legitimate interests in the proper provision of the services you request, the economically sound operation of the loyalty program, and the enhancement of customer satisfaction. To the extent that you have expressly consented to us contacting you for marketing purposes in connection with the loyalty program (e.g., via email), data processing is based on that consent.

You may revoke any consent you have given at any time with future effect. To the extent that your data is processed on the basis of legitimate interests, you may object to the storage of your personal data at any time. In this case, we will no longer process your data unless we can demonstrate a legitimate interest in doing so or are otherwise legally obligated to store it. To exercise your right to revoke consent or object to processing, please contact us in writing, by fax, or by email.

Your data will be transferred to Yotpo’s servers outside the EEA, specifically in the United States, Israel, the United Kingdom, Australia, and the Philippines, and stored there. Transfers of personal data from individuals residing in the EU and from individuals residing in Switzerland to countries outside the EEA or Switzerland are subject to the Standard Contractual Clauses entered into with Yotpo and, where applicable, the respective adequacy decision of the European Commission (e.g., based on the EU-U.S. Data Privacy Framework).

For more information on data protection at Yotpo, please visit Yotpo’s website at the following links:

• https://www.yotpo.com/privacy-policy/ ( Yotpo Privacy Policy);
• https://www.yotpo.com/yotpo-privacy-guide/ ( Yotpo Privacy Guide).

We generally store your personal data processed in connection with the loyalty program for the duration of your participation in the loyalty program or until you revoke any consent or object to the processing of your data, subject to applicable statutory warranty, statute of limitations, and retention obligations (see Section 7).

2.6. Web Analytics

a) Google Analytics

If you have consented to this, we use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

Google Analytics uses so-called cookies. This may involve storing information on your device and/or accessing information already stored on your device. The information generated by the cookie regarding your use of our websites is generally transmitted to a Google server in the United States and stored there. The legal basis for data processing, as well as for storing information on your device or accessing such information, is your consent. We expressly reserve the right to rely on other legal bases. Google’s parent company, Google LLC, is certified under the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework (see https://www.dataprivacyframework.gov/list/). Any transfers of personal data from individuals residing in the EU to the U.S. are subject to the EU Commission’s adequacy decision based on the EU-U.S. Data Privacy Framework. Any transfers of personal data from individuals residing in Switzerland to the U.S. are subject to the Standard Contractual Clauses entered into with Google, which can be accessed here: https://business.safety.google/adsprocessorterms/?sjid=2513094034223128120-EU.

On our behalf, Google will use this information to evaluate your use of the websites, to compile reports on website activity, and to provide us with other services related to website and internet usage. Pseudonymous user profiles may be created from the processed data.

We use Google Analytics only with IP anonymization enabled. This means that Google truncates users’ IP addresses within member states of the European Union (EU) or in other signatory states to the Agreement on the European Economic Area (EEA). Only in exceptional cases is the full IP address transmitted to a Google server in the United States and truncated there.

The data is deleted as soon as it is no longer needed for our record-keeping purposes. In our case, this is generally after 14 months.

You can revoke any consent you may have given to the use of Google Analytics at any time via the cookie settings on our websites. Furthermore, you can technically prevent the storage and use of cookies by adjusting your browser settings or using browser add-ons (see Section 2.5 above). You can also prevent Google from collecting the data generated by the cookie and related to your use of our websites (including your IP address), as well as prevent Google from further processing this data, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de .

For more information on Google’s use of data, as well as options for settings and opting out, please visit Google’s websites at the following links:

• https://www.google.com/intl/de/policies/privacy/partners ( “Google’s use of data when you use our partners’ websites or apps”),
• https://www.google.com/policies/technologies/ads ( “Data usage for advertising purposes”),
• https://www.google.de/settings/ads ( “Manage the information Google uses to show you ads”).

b) Hotjar

If you have given your consent, we use Hotjar on our websites. This is analytics software provided by Hotjar Ltd., Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian’s STJ 3141, Malta (“Hotjar”). This tool allows us to measure and analyze user behavior (e.g., clicks, mouse movements, scroll depths, etc.) on our websites. In doing so, information may be stored on your device and/or information already stored on your device may be accessed (see also Section 2.5.). The information generated by the “tracking code” and cookies regarding your use of our websites is transmitted to Hotjar’s servers in Ireland and stored there. The following information may be recorded by your device and browser:

• Your device’s IP address;
• Your email address, including your first and last name, to the extent that you have provided this information to us via the platform, e.g., by entering it in a form;
• Your device’s screen size;
• Device type and browser information;
• Geographic location (country only);
• Preferred language for displaying our website;
• User interactions;
• Mouse events (movement, position, and clicks);
• keyboard inputs;
• Date and time of access.

The legal basis for data processing, as well as for storing information on your device or accessing it, is your consent. We expressly reserve the right to rely on other legal bases.

Hotjar will use this information on our behalf to analyze your use of our platform, generate usage reports, and provide other services related to platform usage. To this end, we have entered into a data processing agreement with Hotjar. For more information about Hotjar and its privacy policy, please visit https://www.hotjar.com/privacy.

The data will be deleted as soon as it is no longer needed for our recording purposes.

You can revoke any consent you may have given to the use of Hotjar at any time via the cookie settings on our websites (see Section 2.5 above). Furthermore, you can technically prevent the storage and use of cookies by adjusting your browser settings or using browser add-ons (see Section 2.5 above). You can also prevent the collection of data generated by the cookie and related to your use of our websites, as well as the processing of this data by Hotjar, by activating the opt-out option available at the following link: https://www.hotjar.com/opt-out .

c) Klar Attribution

To the extent that you have consented to this, we use Klar Attribution, a service provided by Klar Insights GmbH, Marktstr. 18, 80802 Munich, Germany (hereinafter “Klar”), for reach measurement, statistical analysis, and attribution of marketing touchpoints (assigning conversions along the customer journey).

Klar uses cookies and similar technologies for this purpose. In doing so, information may be stored on your device and/or information already stored on your device may be accessed. Depending on the specific implementation, the information processed in this context may include, in particular, user and session IDs, online identifiers, device/browser information, screen resolution, timestamps, page/URL and referrer information, IP address, and event/conversion data (e.g., visit, product view, add-to-cart, checkout, order). This information may also be combined with information from other data sources (e.g., the e-commerce platform, Google Analytics) to create pseudonymous usage profiles.

We generally receive aggregated analyses/reports from Klar regarding the use of our websites and the performance of our marketing channels; we do not directly identify individual users in this process.

The legal basis for data processing, as well as for storing information on your device or accessing it, is your consent. We expressly reserve the right to rely on other legal bases.

Klar processes the data on our behalf; to this end, we have entered into a data processing agreement with Klar: https://app.getklar.com/legal/data-protection.

The data will be deleted as soon as it is no longer needed for our record-keeping purposes.

You may revoke any consent you may have given to the use of Klar at any time via the cookie settings on our websites (see Section 2.5 above). Furthermore, you can also technically prevent the storage and use of cookies by adjusting your browser settings or using browser add-ons (see Section 2.5 above).

2.7. Third-Party Services and Content

We integrate third-party services, such as maps and fonts (collectively referred to below as “Content”), into our websites (e.g., via so-called plugins). The processing of your data and any storage and/or retrieval of information on/from your device is based on your consent, provided you have given it to us, and otherwise on our legitimate interest. We have a legitimate interest in the efficient operation and optimization (particularly in terms of user-friendliness) of our websites. Furthermore, the storage and/or retrieval of information on or from your device is absolutely necessary to ensure the operation of our websites and IT security, and to provide you with our websites as desired. We expressly reserve the right to rely on other legal bases.

The third-party providers of this content always receive your IP address, as they would not be able to transmit the content to your device without it. The IP address is required to display the content. Third-party providers may also place cookies on your device.

You can prevent the plugins from loading or block the storage and use of cookies in your browser settings or by using browser add-ons, such as “Adblock Plus” (https://adblockplus.org/de/) in combination with the “EasyPrivacy” list (https://easylist.to) (see section 2.5. above); however, please note that in this case, you may not be able to use all features of our websites.

a) Google Fonts

We integrate so-called Google Fonts (typefaces) from the provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) into our websites, which allows us to access Google’s font library. In doing so, Google’s font library is hosted locally on our servers. No data is transferred to Google.

For more information on Google’s use of data, as well as options for settings and opting out, please visit Google’s website at https://policies.google.com/privacy?hl=de.

b) Google Tag Manager

We use “Google Tag Manager” from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) on our websites. Google Tag Manager allows us to manage other services—such as Google Analytics—that we use on our websites without having to modify the website’s source code. The data processed may include, in particular, IP addresses.

This data may be transferred to Google’s servers in the United States and stored there. Google’s parent company, Google LLC, is certified under the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework (see https://www.dataprivacyframework.gov/list/). Any transfers of personal data from individuals residing in the EU to the United States are subject to the EU Commission’s Adequacy Decision based on the EU-U.S. Data Privacy Framework. Any transfers of personal data from individuals residing in Switzerland to the U.S. are subject to the Standard Contractual Clauses entered into with Google, which can be accessed here: https://business.safety.google/adsprocessorterms/?sjid=2513094034223128120-EU.

For more information about Google Tag Manager, please visit Google’s website at the following links:

• https://support.google.com/tagmanager/answer/9323295?hl=de
  (Google Privacy Policy);
• https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/
  (Google Tag Manager Terms of Service).

c) Google reCAPTCHA

To detect bots—for example, when filling out online forms—and thus ultimately as an IT security measure, we use the reCAPTCHA service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) on our websites. This occurs either through website visitors’ interaction with the service or, in some cases, in the background—without being apparent to website visitors—based on an analysis of browsing behavior. This involves the processing of server log data (see Section 2.1) as well as, where applicable, additional data, such as information on mouse movements and keystrokes. Data processing is based on your consent, provided you have given it to us.

The data collected by the reCAPTCHA service is transmitted to Google, subject to your consent. Google uses the collected information on our behalf to evaluate your use of the website and thereby ensure the detection of bots and spam messages. In addition, Google may use this information for its own purposes.

The data processed by you may also be transferred to and stored on servers operated by Google LLC, Google’s parent company, in the United States. Google’s parent company, Google LLC, is certified under the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework (see https://www.dataprivacyframework.gov/list) . Any transfers of personal data from individuals residing in the EU to the United States are subject to the EU Commission’s Adequacy Decision based on the EU-U.S. Data Privacy Framework. Any transfers of personal data from individuals residing in Switzerland to the United States are subject to the Standard Contractual Clauses entered into with Google, which can be accessed here: https://business.safety.google/adsprocessorterms/?sjid=2513094034223128120-EU. For more information on data processing by Google, as well as options for settings and opting out with Google, please visit

• https://www.google.com/policies/technologies/ads ( “Data Use for Advertising Purposes”);
• https://www.google.de/settings/ads ( “Manage the information Google uses
  to show you ads”).

d) YouTube

Our websites use embedded YouTube videos. YouTube is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter “Google” or “YouTube”).

The YouTube videos embedded on our websites—which are stored on http://www.youtube.com and can be played directly from our websites—are embedded in “enhanced privacy mode,” meaning that, according to YouTube, no data about you as a user is transmitted to YouTube unless you play the videos.

When you access the YouTube videos embedded on our websites, a connection is typically established with YouTube’s servers in the United States, and certain information (e.g., your IP address) is transmitted to and stored on YouTube’s servers in the United States, even if you are not logged in to the respective video service. Google’s parent company, Google LLC, is certified under the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework (see https://www.dataprivacyframework.gov/list/) . Any transfers of personal data from individuals residing in the EU to the U.S. are subject to the EU Commission’s adequacy decision based on the EU-U.S. Data Privacy Framework. Any transfers of personal data from individuals residing in Switzerland to the U.S. are subject to the Standard Contractual Clauses entered into with Google, which can be accessed here: https://business.safety.google/adsprocessorterms/?sjid=2513094034223128120-EU.

We generally have no knowledge of the nature and scope of the data collected by YouTube and have no influence over its use.

For more information on the purposes and scope of data collection, as well as the further processing and use of the data by Google, your rights in this regard, and the available privacy settings, please refer to Google’s privacy policy and websites: https://www.google.de/intl/de/policies/privacy/ ( Google’s privacy policy, which also covers YouTube).

If you do not want YouTube to associate your visit to our websites with your YouTube user account, you must log out of YouTube before visiting our websites. Even if you are not logged in to YouTube, websites containing videos may, through the use of cookies, send data to YouTube that allows YouTube, for example, to create an anonymized or pseudonymized user profile.

e) Trusted Shops Trustbadge

We integrate the “Trusted Shops Trustbadge” (widget) from Trusted Shops SE, Subbelrather Straße 15c, 50823 Cologne, Germany (hereinafter “Trusted Shops”) into our websites to display our Trusted Shops seals of approval as well as the reviews collected by Trusted Shops, thereby promoting transparency and trust in our offerings.

When you visit our websites where the Trustbadge is embedded, technically necessary access data is transmitted to Trusted Shops (in particular, IP address, time of access, referrer URL, and, if applicable, additional header/browser information). Trusted Shops processes this data, among other things, to deliver the widget, display current review information, and ensure trouble-free operation (e.g., monitoring/logging). According to Trusted Shops, Trusted Shops generally does not set cookies or store information in the local storage of website visitors’ devices when simply embedding widgets.

The legal basis for the integration and the associated processing of access data is our legitimate interest in displaying the quality seal and review information. To the extent that, in individual cases (e.g., as part of A/B testing of the widget), the setting of cookies or access to information on the end device is necessary, this is done only on the basis of an appropriate legal basis—typically your consent in accordance with the relevant regulations on end-device protection.

We are jointly responsible with Trusted Shops under data protection law for the integration of the Trust Badge and the associated data processing, and have entered into a joint controller agreement that governs our respective obligations under the GDPR (see https://business.trustedshops.de/hubfs/legal-documents/joint-controllership/de/joint_controllership_trustedshops_de_20240909.pdf) . In this agreement, we have stipulated, for example, that

• we are primarily responsible for providing you with information about the joint processing;
• we are jointly responsible with Trusted Shops for enabling you to exercise the rights to which you are entitled under the GDPR (see Section 8).

For more information on data processing by Trusted Shops, please visit https://help.etrusted.com/hc/de/categories/23970781480722-Compliance-Legal.

You may revoke any consent you have given at any time with future effect. To the extent that your data is processed on the basis of legitimate interests, you may object to the storage of your personal data at any time. In this case, we will no longer process your data unless we can demonstrate a legitimate interest in doing so or are otherwise legally obligated to store it. To exercise your right to revoke consent or object to processing, please contact us in writing, by fax, or by email.

2.9. Remarketing/Retargeting

We use retargeting/remarketing services, including those from third-party providers, on our websites to optimize our offerings. Data processing and any storage and/or retrieval of information on/from your device is based on your consent, to the extent that you have provided it to us. We expressly reserve the right to rely on other legal bases.

a) How Retargeting/Remarketing Works

On our websites, data is collected using cookie and tracking technology to optimize our advertising and our entire online offering (so-called retargeting/remarketing). We do not use this data to identify you personally; rather, it serves solely to analyze the use of our websites and to target users who have already shown interest in our content and offers with interest-based advertising on our websites and on other websites and social media platforms operated by our partners. We are convinced that displaying interest-based advertising is generally more interesting to users than advertising that lacks such a personal connection. The display of advertising on our websites or on our partners’ websites is based on an analysis of previous usage behavior. User profiles are generally created anonymously or pseudonymously, in accordance with the guidelines provided by the providers of the retargeting/remarketing services we use. We do not combine this data with any other personal data we have stored at any time. You can find out which third-party providers we work with, how your data is processed in this context, and how you can disable retargeting/remarketing technologies in the following section of this Privacy Policy.

b) Google Ads & Google Conversion Tracking

On our websites, we use the remarketing or “Similar Audiences” feature in Google Ads/Google Marketing Platform (formerly DoubleClick by Google) as well as the Google Conversion Tracking service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter “Google”).

As part of Google Ads, Google uses cookie and tracking technologies that are stored on your device to analyze your use of our websites and to display ads for products or services that may be of interest to you. Google Conversion Tracking uses cookie and tracking technologies that enable the measurement of certain parameters for evaluating the effectiveness of the respective ads, such as ad impressions or clicks. Typically, the following metrics are stored for analysis: the unique cookie ID, the number of ad impressions per placement (frequency), the last impression (relevant for post-view conversions), and opt-out information (an indicator that a website visitor no longer wishes to be targeted). We ourselves do not collect or process any personal data in this process. We receive only statistical reports from Google, which allow us to determine how successful the individual advertising measures are. In particular, we cannot identify you based on this information.

According to Google, the cookies used for the purposes mentioned above do not contain any personal information. The information generated by the cookie/tracking technologies regarding your use of our websites is transmitted to a Google server in the United States and stored there. Google’s parent company, Google LLC, is certified under the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework (see https://www.dataprivacyframework.gov/list/). Any transfers of personal data from individuals residing in the EU to the United States are subject to the EU Commission’s Adequacy Decision based on the EU-U.S. Data Privacy Framework. Any transfers of personal data from individuals residing in Switzerland to the U.S. are subject to the Standard Contractual Clauses entered into with Google, which can be accessed here: https://business.safety.google/adsprocessorterms/?sjid=2513094034223128120-EU.

If you are registered with and logged into a Google service, Google may associate your visit to our websites with your account. Even if you are registered with Google, it is possible that Google may obtain your IP address and use it to create and store usage profiles about you. We do not use the feature offered by Google for matching customer data.

For more information on the analysis of your search and browsing behavior, please visit:

• https://www.google.com/intl/de/policies/privacy/; and
• https://www.google.com/policies/technologies/ads/;
• https://marketingplatform.google.com/about/enterprise/.

You can disable interest-based advertising on Google via the following link: https://www.google.com/settings/ads/plugin.

c) Meta Pixel and Meta Conversion API

In addition, services provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter “Meta”), such as the Meta Pixel and the Meta Conversion API, are used on our websites for retargeting/remarketing purposes.

When you visit our websites—and provided you have given us your consent to do so—certain information about your interactions with our websites, specifically the time of your visit, the webpage you visited, your IP address, and your user agent, as well as other specific data where applicable (e.g., products purchased, price, and currency), is transmitted to Meta’s servers, which may also be located in the United States. A complete overview of the data collected can be found here: https://developers.facebook.com/docs/marketing-api/conversions-api/parameters.

Meta’s U.S.-based parent company, Meta Platforms, Inc., is certified under the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework (see https://www.dataprivacyframework.gov/list/). Any transfers of personal data from individuals residing in the EU to the U.S. are subject to the EU Commission’s adequacy decision based on the EU-U.S. Data Privacy Framework. Any transfers of personal data from individuals residing in Switzerland to the U.S. are subject to the Standard Contractual Clauses entered into with Meta, which can be accessed here: https://www.facebook.com/legal/EU_data_transfer_addendum/update.

Meta receives information that you have visited our websites, which allows us to make our Facebook and Instagram activities more effective and, for example, display posts or ads exclusively to visitors of our websites. In addition, we receive an analysis of the use of our websites from Meta, which enables us to display ads for content and offers that may be of interest to you. The collected data is transmitted to Meta only in encrypted form and is anonymous to us; that is, we cannot view the personal data of individual users. We do not use the “extended matching” feature.

We expressly draw your attention to the fact that Meta also uses the data for its own business purposes. In this respect, Meta is, alongside us, a data controller under data protection law for data processing within the scope of the Meta Conversion API. With regard to the collection and transmission of data to Meta described above, we are jointly responsible with Meta and have entered into a joint controller agreement that governs our respective obligations under the GDPR (see https://www.facebook.com/legal/controller_addendum) . In this agreement, we have stipulated, for example, that

• we are joint controllers with Meta for the collection of the data described above and its transfer to Meta;
• we are primarily responsible for providing you with information about the joint processing;
• Meta assumes primary responsibility and is primarily responsible for enabling you to exercise the rights to which you are entitled under the GDPR (see Section 8);
• Meta may process your data after we have transferred it to Meta for its own purposes, acting as an independent controller based on a separate legal basis (see https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0) .

Meta’s subsequent processing of data is not part of the joint processing. We generally have no influence over Meta’s collection of data or its further use. We cannot determine or influence the extent to which, the location where, or the duration for which the data is stored; the extent to which Meta complies with existing erasure obligations; the analyses and linkages performed on the data; or to whom the data is disclosed.

For more information on the nature, scope, purposes, legal bases, and options to object to data processing by Meta, as well as your privacy settings, please refer to Meta’s Privacy Policy at https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0.

You can also disablethe “Custom Audiences” remarketing feature in the ad settings section at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen . To do this, you must be logged in to Facebook.

If you do not have a Facebook or Instagram account, you can opt out of Meta’s interest-based advertising on the European Interactive Digital Advertising Alliance website: http://www.youronlinechoices.com/de/praferenzmanagement/ .

d) Microsoft Advertising

We use Microsoft Advertising to optimize and measure the performance of our websites. Microsoft Advertising is an online advertising program provided by Microsoft Ireland Operations Ltd., 1 Microsoft Place, Leopardstown South County Business Park, Dublin, Ireland (“Microsoft”).

As part of Microsoft Advertising, we use what is known as conversion tracking. When you click on an ad placed by Microsoft, a conversion tracking cookie is set. The information generated by the cookie is used to evaluate how our website visitors interact with our ads and to compile statistics on the conversion rates of our ads. This data cannot be linked to any specific individual.

e) TikTok Pixel

On our websites, we use the TikTok Pixel provided by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (hereinafter “TikTok”) for the purposes of conversion tracking and retargeting/remarketing.

When you visit our websites—and provided you have given us your consent to do so—certain information about your interactions with our websites (website events) is transmitted to TikTok. Depending on the event logic we have configured, this may include, in particular, the following information: the time of the visit, the URL accessed (including referrer and URL parameters, if applicable), or the triggered event (e.g., “ViewContent,” “AddToCart,” “Purchase”), your IP address (truncated if applicable), information about your device and browser (user agent), cookie IDs or similar online identifiers, and, if applicable, additional event parameters (e.g., product/content IDs, shopping cart or order value, currency). TikTok uses cookies and similar technologies for this purpose.

This provides TikTok with information that you have visited our websites or performed certain actions. Based on this, we can make our TikTok advertising activities more effective—for example, by displaying ads only to users who have already visited our websites—and evaluate the effectiveness of our campaigns (conversion tracking, reach, attribution). As a rule, we receive aggregated reports from TikTok regarding the use of our websites and the performance of our advertising campaigns; we do not, as a matter of principle, directly identify individual users. We do not currently use any “Advanced Matching” features.

The processing may also involve the transfer of data to recipients in third countries outside Switzerland and outside the EU/EEA, particularly if TikTok or companies or service providers affiliated with TikTok process or access the data there. In the absence of an adequacy decision by the European Commission or the Swiss Federal Council, TikTok states that it bases such data transfers on appropriate safeguards, in particular EU Standard Contractual Clauses, and supplementary protective measures.

We expressly point out that TikTok also processes the transferred data for its own purposes (e.g., to improve and secure its services and to optimize ad delivery). We and TikTok are jointly responsible under data protection law for the collection and transfer of the aforementioned event data to TikTok. To this end, we have entered into a joint controller agreement that sets forth our respective obligations under the GDPR (see https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms) . In this agreement, we have stipulated, for example, that

• we are joint controllers with TikTok for the collection of the data described above and its transmission to TikTok;
• we are jointly responsible with TikTok for providing you with information about the joint processing;
• TikTok assumes primary responsibility and is primarily responsible for enabling you to exercise the rights to which you are entitled under the GDPR (see Section 8);
• TikTok may process your data after we have transferred it to TikTok for its own purposes, acting as an independent controller based on a separate legal basis.

Any further processing of the data by TikTok after it has been transferred is the responsibility of TikTok and is not part of our joint processing. We generally have no influence over the extent to which, the location where, or the duration for which TikTok stores the data, the analyses or linkages TikTok performs, or to whom TikTok may disclose the data.

For more information on data processing by TikTok, please see the TikTok Privacy Policy (EEA): https://www.tiktok.com/legal/page/eea/privacy-policy/de-DE.

You can withdraw your consent at any time with future effect via our cookie settings. Additionally, if you have a TikTok account, you can adjust the personalization of ads in the TikTok settings (including “Ads personalization” / “Personalized ads”) and, if applicable, disconnect your “Off-TikTok” activity tracking (“Clear My Activity”): https://privacytiktok.zendesk.com/hc/en-us/articles/5956398061075-Manage-personal-data-choices .

If you do not have a TikTok account, you can also manage usage-based online advertising via the European Interactive Digital Advertising Alliance (EDAA) website: https://www.youronlinechoices.eu/ .

f) Pinterest Tag

On our websites, we use the Pinterest Tag provided by Pinterest Europe Ltd., Waterloo Exchange, 3rd Floor, Waterloo Road, Dublin 4, Ireland (hereinafter “Pinterest”) for the purposes of conversion tracking and retargeting/remarketing.

When you visit our websites—and provided you have given us your consent to do so—certain information about your interactions with our websites (“Activity Data”) is transmitted to Pinterest, depending on the event logic we have configured. This may include, in particular: the time of the visit, the URL accessed (including the referrer URL), the triggered event (e.g., “pagevisit,” “addtocart,” “checkout”), event data, technical information such as screen size, and cookie/tag IDs. Pinterest uses cookies and similar technologies for this purpose; the cookies read by the tag may contain, among other things, identification and association information and, according to Pinterest, generally remain persistent for up to one year (unless deleted earlier). We do not currently use any “Enhanced Match” features.

This provides Pinterest with information that you have visited our websites or performed certain actions. Based on this, we can make our Pinterest advertising activities more effective (e.g., targeting visitors to our websites) and evaluate the effectiveness of our campaigns. As a rule, we receive aggregated metrics and reports from Pinterest for this purpose; we do not directly identify individual users.

The information generated through the Pinterest tag may also be transferred to and stored on servers operated by Pinterest, Inc., the parent company of Pinterest, in the United States. Pinterest, Inc., the parent company based in the United States, is certified under the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework (see https://www.dataprivacyframework.gov/participant/4203) . Any transfers of personal data from individuals residing in the EU to the U.S. are subject to the EU Commission’s Adequacy Decision based on the EU-U.S. Data Privacy Framework. According to Pinterest’s own statements, any transfers of personal data from individuals residing in Switzerland to the U.S. are based on appropriate safeguards, in particular EU Standard Contractual Clauses, and supplementary protective measures.

We expressly draw your attention to the fact that Pinterest also processes the transferred data for its own purposes. We and Pinterest are jointly responsible for the collection and transfer of the aforementioned “Activity Data” to Pinterest in accordance with the terms and conditions provided by Pinterest. To this end, we have entered into a joint controller agreement that sets forth our respective obligations under the GDPR (see https://business.pinterest.com/de/pinterest-advertising-services-agreement/germany/) . In this agreement, we have stipulated, for example, that

• we are joint controllers with Pinterest for the collection of the data described above and its transmission to Pinterest;
• we are primarily responsible for providing you with information about the joint processing;
• Pinterest assumes primary responsibility and is primarily responsible for enabling you to exercise the rights to which you are entitled under the GDPR (see Section 8);
• Pinterest may process your data after we have transferred it to Pinterest for its own purposes, acting as an independent controller based on a separate legal basis.

For more information on the nature, scope, and purposes of the processing, as well as options for setting preferences or objecting, please refer to Pinterest’s Privacy Policy at https://policy.pinterest.com/de/privacy-policy and the Ad Data Terms at https://policy.pinterest.com/de/ad-data-terms.

You can revoke your consent at any time with future effect via our cookie settings. In addition, if you have a Pinterest account, you can disable the “Use info from sites you visit” option in your Pinterest settings (under “Privacy and data”/“Personalization”): https://help.pinterest.com/en/article/edit-personalization-settings .

If you do not have a Pinterest account, you can also manage usage-based online advertising through industry opt-out programs (e.g., AdChoices/DAA): https://www.youronlinechoices.eu/ .

g) Taboola Advertiser Pixel / Realize

On our websites, we use the Taboola Advertiser Pixel from Taboola, Inc., 1115 Broadway, 7th Floor, New York, NY 10010, USA (hereinafter “Taboola”) for the purposes of conversion tracking and retargeting/remarketing.

When you visit our websites and provided you have given us your consent to do so, certain information about your interactions with our websites may be transmitted to Taboola—depending on the event logic we have configured. This may include, in particular: the time of the visit, the URL accessed (including the referrer URL, if applicable), information about your device and browser, IP address, online identifiers (e.g., cookie IDs/tag IDs), and event/conversion data (e.g., page views, clicks, shopping cart/checkout or purchase events, to the extent implemented by us). Taboola uses cookies and similar technologies for this purpose.

This provides Taboola with information that you have visited our websites or performed certain actions. Based on this, we can make our advertising activities on the Taboola network (“Realize”) more effective (e.g., retargeting visitors to our websites) and evaluate the effectiveness of our campaigns. As a rule, we receive aggregated/summarized reports and metrics for this purpose; we do not, as a matter of principle, directly identify individual users.

The information generated by the Taboola Advertiser Pixel may also be transferred to Taboola servers outside of Switzerland and the EU/EEA—specifically in the United Kingdom, Israel, and the United States—and stored there. Any data transfers to third countries are subject to the Standard Contractual Clauses concluded with Taboola, which can be accessed here: https://policies.taboola.com/de/advertiser-privacy-terms/.

We expressly note that Taboola also processes the transmitted data for its own purposes (e.g., for conversion measurement, platform analysis, data integration/segmentation, and ad delivery optimization). Under data protection law, we and Taboola each process the data collected in connection with the Taboola Advertiser Pixel under our own respective responsibility; in this regard, Taboola and we do not act as joint controllers.

For more information on the nature, scope, purposes, and legal basis of Taboola’s processing, as well as options to object or opt out, please refer to the Taboola Privacy Policy at https://policies.taboola.com/privacy-policy/ and the Taboola Cookie Policy at https://policies.taboola.com/cookie-policy/.

You can withdraw your consent at any time with future effect via our cookie settings. In addition, Taboola offers an opt-out option for interest-based advertising (device- and browser-specific): https://accessrequest.taboola.com/ .

If you do not have a Taboola account, you can also manage usage-based online advertising through industry opt-out programs (e.g., AdChoices/DAA): https://www.youronlinechoices.eu/ .

2.11. Online Courses / BLACKROLL Academy

In our online store and on our course platform “BLACKROLL Academy” (https://academy.blackroll.com), we offer various digital, interactive courses on the topics of prevention and health promotion in the field of physical activity. The courses and related content are accessed via BLACKROLL Academy. To use the platform, you need a user account (see Section 2.2(d)). The courses are offered in the form of interactive videos that can be accessed at any time (see Section 2.7(d)). Data processing in connection with the use of BLACKROLL Academy is carried out for the purpose of conducting the respective course in accordance with the course description and our Terms of Use, as well as for providing related customer services. In particular, the following data is processed:

• Title and full name;
• Contact information (email address, phone number, mailing address (especially as part of the order/booking process), company name (if applicable));
• Payment information;
• Information about your preferences and interests;
• Information regarding the courses booked (progress in each course, start and end dates of course participation, date the certificate of participation was issued);
• voluntary information (provided in the context of communication with our experts and evaluation questions).

Within each course unit, we ask you to participate in a short lifestyle survey. Participation is voluntary and serves as feedback for you, giving you a sense of the improvements you are experiencing as a result of the course.

Furthermore, as part of our courses, you have the opportunity to communicate directly with our experts. For this purpose, we provide you with an email contact through which you can direct both content-related and technical questions to us.

Data processing is carried out to fulfill the contract concluded with you, to the extent necessary. In addition, data processing is based on our legitimate interests in providing the services you have requested, as well as in taking into account the information you have voluntarily provided and in properly responding to your respective inquiry.

We will only transfer your data to external recipients—in particular, the course instructors and experts we engage to conduct the courses (provided they are not BLACKROLL employees)—within the scope of the aforementioned purposes and to the extent that we are authorized to do so. In addition, we forward aggregated results from our evaluation questionnaires to the certification body responsible for us.

We store your data only for as long as is necessary to fulfill the purposes mentioned above, subject to any statutory retention periods.

To the extent that your data is processed based on legitimate interests, you may object to the processing of your personal data at any time. In this case, we will no longer process your data unless we can demonstrate a legitimate interest in doing so or are otherwise legally required to retain it. To exercise your right to object to the processing, please contact us via email.

2.12. Links to Social Media

On our websites, you will find links (hyperlinks) to the social networks and platforms of Facebook, LinkedIn, Instagram, and YouTube. These services are provided by the companies listed below (hereinafter also referred to as “third-party providers”):

• Facebook and Instagram are operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Meta”),
• LinkedIn is operated by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (“LinkedIn”),
• YouTube is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

For information on the purpose and scope of data collection, as well as the further processing and use of the data by Meta, LinkedIn, and Google, and regarding your rights in this regard and the available privacy settings, please refer to the privacy policies of the third-party providers:

• Facebook’s Data Policy: https://www.facebook.com/privacy/explanation, https://de.facebook.com/legal/terms/, https://www.facebook.com/about/privacy/update, and https://www.facebook.com/policies/cookies/;
• Instagram Privacy Policy: https://help.instagram.com/519522125107875, https://help.instagram.com/581066165581870, and https://help.instagram.com/1896641480634370/?helpref=hc_fnav&bc[0]=Instagram Help Center&bl[]=Policies%20and%20Reports
• LinkedIn Privacy Policy: https://www.linkedin.com/legal/privacy-policy ;
• Google’s Privacy Policy, which also covers YouTube: https://www.google.de/intl/de/policies/privacy/.

If you do not want a third-party provider to be able to associate a click on a link leading to its service with your user account there, you must log out of the respective service before clicking on such a link. Even if you are not logged in to the third-party providers, data may be sent to the third-party provider through the use of cookies after you click on a link.

As a data subject, you have numerous rights. Specifically, these are:

• Right of Access: You have the right to obtain information about the personal data we have stored about you.
• Right to Rectification and Erasure: You may request that we correct inaccurate data and—provided the legal requirements are met—erase your data.
• Right to restriction of processing: You may request that we restrict the processing of your data—provided the legal requirements are met.
• Right to data portability: If you have provided us with data based on a contract or consent, you may—provided the legal requirements are met—request that we provide you with the data you have provided in a structured and commonly used format or that we transfer it to another data controller.
• Right to Object to Data Processing Based on Legitimate Interests: You have the right to object at any time, on grounds relating to your particular situation, to our processing of your data, provided that such processing is based on legitimate interests. If you exercise your right to object, we will cease processing your data unless we can demonstrate compelling legitimate grounds for further processing that override your rights.
• Withdrawal of Consent: If you have given us your consent to process your data, you may withdraw it at any time with future effect. The lawfulness of the processing of your data up until the withdrawal remains unaffected. If you wish to withdraw your consent to the use of certain cookies, please refer to our explanation in Section 2.5.
• Right to File a Complaint with the Supervisory Authority: You may also file a complaint with the competent supervisory authority if you believe that the processing of your data violates applicable law. To do so, you may contact either the data protection authority responsible for your place of residence, your workplace, or the location of the alleged violation, or the data protection authority responsible for us.

If you have any questions regarding the processing of your personal data, your rights as a data subject, or any consent you may have provided, please contact us using the contact information provided at the beginning of this Privacy Policy.