Impressum & Privacy Policy

Information pursuant to Section 5 of the German Telemedia Act (TMG):

Brammibal’s Donuts GmbH
Boxhagener Straße 78
10245 Berlin
Germany

Managing Directors: Bram van Montfort, Jessica Jeworutzki

Contact:
Email: info@brammibalsdonuts.com

VAT Identification Number pursuant to Section 27a of the German VAT Act: DE320402979

Commercial Register: HRB 190030 B
General information and mandatory disclosures

Privacy Policy

The following privacy policy applies to the use of our online services atwww.brammibalsdonuts.com andwww.brammibalsdonuts.de (hereinafter referred to as the “Website”).
The protection of your personal data is an important concern for us. We treat your personal data confidentially and in accordance with the statutory data protection regulations, in particular the General Data Protection Regulation (GDPR), as well as this privacy policy.
This privacy policy applies to all channels through which we process personal data. If individual processing activities are not listed here, we will inform you separately.

The controller responsible for data processing on this website is:
Brammibal’s Donuts GmbH
Boxhagener Straße 78
10245 Berlin, Germany
Represented by the managing directors:
Bram van Montfort, Jessica Jeworutzki
Email: info@brammibalsdonuts.com
VAT ID: DE320402979
Commercial Register No.: HRB 190030 B

The controller decides alone or jointly with others on the purposes and means of processing personal data (e.g. names, contact details).

Data Protection Officer
Our Data Protection Officer is:
Bram van Montfort
Email: hello@brammibalsdonuts.com

Data processing in connection with your visit to our website

In connection with your visit to our website, we process personal data relating to you. This is done for the purposes described below and to the extent described below. We only share your data with third parties as described below.

SSL/TLS encryption
For security reasons and to protect the transmission of confidential content, this website uses SSL/TLS encryption. You can recognize an encrypted connection by the “https://” address line in your browser and the lock symbol.

Server log files
The website provider automatically collects and stores information in so-called server log files, which your browser automatically transmits. This includes:

pages visited
date and time of the server request
browser type and browser version
operating system used
referrer URL
host name of the accessing computer
IP address

These data are not merged with other data sources.
Legal basis: Art. 6(1)(f) GDPR
(legitimate interest in the technically error-free operation and security of the website)

Data transfer upon conclusion of a contract for the purchase and shipment of goods

Personal data are only transmitted to third parties if this is necessary for the performance of the contract. This includes in particular payment service providers and logistics companies.
Legal basis: Art. 6(1)(b) GDPR

Payment service providers

PayPal
If you pay via PayPal, payment data will be forwarded to:
PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg.

Legal bases:

Art. 6(1)(b) GDPR (contract)
Art. 6(1)(a) GDPR (consent to use of PayPal account)

Klarna / Sofortüberweisung
Payments via “Sofort” are processed via Klarna Bank AB (publ).

Our website enables payment via “Sofortüberweisung.” The provider of the payment service is Sofort GmbH, Theresienhöhe 12, 80339 Munich, Germany.

With the help of the “Sofortüberweisung” procedure, we receive a real-time payment confirmation from Sofort GmbH and can immediately begin fulfilling our obligations.

When paying by “Sofortüberweisung,” your PIN and TAN are transmitted to Sofort GmbH. The payment provider logs into your online banking account, automatically checks your account balance, and executes the transfer. This is followed by an immediate transaction confirmation. Your account transactions, the credit limit of your overdraft facility, and the existence of other accounts and their balances are also automatically checked after login.

In addition to PIN and TAN, the transmission to Sofort GmbH also includes payment data and data about your person. Personal data include first and last name, address, telephone number(s), email address, IP address, and other data necessary for payment processing, if applicable. This data transfer is necessary in order to clearly establish your identity and prevent fraud attempts.

Processed data may include:

name
bank details
payment information
identity and creditworthiness data

Legal bases: see above.

Transfer of data to delivery service providers (Uber)

For the delivery of our donuts via external delivery services, we transfer personal data to Uber where delivery is carried out using this service.

Depending on the service used, the recipient of the data is the respective Uber entity responsible for the delivery (e.g. Uber Eats or Uber Direct).

The data transferred may include in particular:

name
delivery address
where applicable, telephone number
where applicable, email address
order and delivery information

The transfer of data takes place exclusively for the purpose of fulfilling and delivering your order.

The legal basis for the processing is Art. 6(1)(b) GDPR (performance of a contract).

In the course of using Uber, personal data may be processed in third countries, in particular the United States. Data transfers are carried out on the basis of appropriate safeguards pursuant to Art. 46 GDPR, in particular through the use of standard contractual clauses or – where applicable – on the basis of an EU adequacy decision (EU–US Data Privacy Framework).

Transfer to logistics service providers (DHL)

For the shipment of goods, we transmit personal data to:
DHL Paket GmbH

In particular, the following data are transmitted:

name
delivery address
email address (for shipping notifications and shipment tracking)

The transfer of data is carried out exclusively for the purpose of delivery.
Legal basis: Art. 6(1)(b) GDPR

Contact form
You can contact us in various ways. When you contact us by email or via a contact form, the data you provide (your email address and, if applicable, your name and telephone number) will be stored by us in order to answer your questions and process your request. The legal basis in this respect is Art. 6(1) sentence 1 lit. f) GDPR. Our legitimate interest lies in establishing and maintaining a customer relationship.
Where we request information via our contact form that is not required for contacting you, we always mark it as optional. This information helps us to specify your request and to process your matter more efficiently. Providing this information is expressly voluntary and based on your consent, Art. 6(1) sentence 1 lit. a) GDPR.
If this involves information relating to communication channels (e.g. email address, telephone number), you also consent that we may contact you via this communication channel in order to respond to your request. You may revoke this consent at any time with effect for the future.

This does not apply only if the content of your contact request directly serves to perform a contractual relationship existing between you and us. In these cases, we base the processing of your data on Art. 6(1) sentence 1 lit. b) GDPR.

The data will remain with us until you request deletion, revoke your consent, or the purpose for storage no longer applies. Statutory retention obligations remain unaffected.
Legal basis: Art. 6(1)(a) GDPR (consent)

Cookies & cookie consent (CookieYes)

This website uses cookies. Technically necessary cookies are set without consent.
All other cookies (analytics, marketing) are only set after your explicit consent via the CookieYes consent tool.

Legal bases:

Art. 6(1)(c) GDPR (legal documentation obligation)
Art. 6(1)(a) GDPR (consent)

You can revoke your consent at any time via the cookie settings.

We use so-called session cookies to optimize our website. A session cookie is a small text file that is sent by the respective servers when you visit a website and temporarily stored on your hard drive. This file contains a so-called session ID, which allows various requests from your browser to be assigned to the same session. This enables your computer to be recognized when you return to our website. These cookies are deleted when you close your browser. They serve, for example, to allow you to use the shopping cart function across several pages.

We also use persistent cookies to a limited extent (also small text files stored on your device), which remain on your device and enable us to recognize your browser the next time you visit. These cookies are stored on your hard drive and delete themselves after the specified time. Their lifespan ranges from 1 month to 10 years. This allows us to present our services in a more user-friendly, effective, and secure way and, for example, to show you information on the site that is specifically tailored to your interests.

Our legitimate interest in the use of cookies pursuant to Art. 6(1) sentence 1 lit. f) GDPR is to make our website more user-friendly, effective, and secure. The following data and information may be stored in cookies, for example:

login information
language settings
information about the number of visits to our website and the use of individual functions of our website

When a cookie is activated, it is assigned an identification number. Your personal data are not assigned to this identification number. Your name, IP address, or similar data that would allow the cookie to be linked to you are not stored in the cookie. Based on cookie technology, we only receive pseudonymized information, for example which pages of our shop were visited, which products were viewed, etc.

You can configure your browser so that you are informed in advance about the setting of cookies and can decide on a case-by-case basis whether to accept cookies for certain cases or in general, or to prevent cookies entirely. This may restrict the functionality of the website.

Google Web Fonts

We use Google Web Fonts for a uniform presentation.
In doing so, your IP address may be transmitted to Google.

This site uses so-called web fonts provided by Google for the uniform display of fonts. When you access a page, your browser loads the required web fonts into its browser cache to display texts and fonts correctly. We have chosen the offline variant, in which the Google Fonts are stored locally on our web server. Managing the fonts is then possible—via CSS—like any other font family. No transmission of IP addresses or other data to Google takes place.

Google Web Fonts are used in the interest of a uniform and appealing presentation of our online services, with regard to efficiency and cost-saving considerations. This constitutes a legitimate interest within the meaning of Art. 6(1)(f) GDPR or § 25(2) no. 2 TDDDG. If your browser does not support web fonts, a standard font from your computer will be used.

Further information on Google Web Fonts can be found in Google’s privacy policy: https://www.google.com/policies/privacy/.
Legal basis: Art. 6(1)(f) GDPR

Google Analytics

Our website uses functions of the web analytics service Google Analytics. The provider of the web analytics service is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Google Analytics uses “cookies.” These are small text files that your web browser stores on your device and that enable an analysis of website usage. Information generated by the cookie about your use of our website is transmitted to a Google server and stored there. The server is usually located in the USA.

Google Analytics cookies are set on the basis of Art. 6(1)(f) GDPR. As the operator of this website, we have a legitimate interest in analyzing user behavior in order to optimize our web offering and, if applicable, advertising.

IP anonymization
We use Google Analytics in conjunction with the IP anonymization function. This ensures that Google truncates your IP address within member states of the European Union or in other states party to the Agreement on the European Economic Area before it is transferred to the USA. There may be exceptional cases in which Google transfers the full IP address to a server in the USA and truncates it there. On our behalf, Google will use this information to evaluate your use of the website, compile reports on website activity, and provide other services related to website usage and internet usage. There is no merging of the IP address transmitted by Google Analytics with other data held by Google.

Browser plugin
You can prevent the setting of cookies by your browser. However, some functions of our website may be restricted as a result. You can also prevent the collection of data relating to your use of the website, including your IP address, and subsequent processing by Google. This is possible by downloading and installing the browser plugin available via the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

Objection to data collection
You can prevent the collection of your data by Google Analytics by clicking the following link. An opt-out cookie will be set that prevents the collection of your data on future visits to our website: Disable Google Analytics.

Details on how Google Analytics handles user data can be found in Google’s privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.

Data processing agreement
To fully comply with statutory data protection requirements, we have concluded a data processing agreement with Google.

Demographic characteristics in Google Analytics
Our website uses the “demographic characteristics” function of Google Analytics. This allows reports to be created that contain statements about the age, gender, and interests of website visitors. These data come from Google’s interest-based advertising and from visitor data provided by third parties. It is not possible to assign these data to a specific person. You can deactivate this function at any time. This can be done via the ad settings in your Google account or by generally preventing the collection of your data by Google Analytics as explained under “Objection to data collection.”

Use takes place exclusively after your consent via CookieYes.
IP addresses are processed in anonymized form.
Legal basis: Art. 6(1)(a) GDPR
Data may be transferred to the USA. This transfer is based on standard contractual clauses pursuant to Art. 46 GDPR.

Newsletter (Klaviyo)

To send our newsletter, we require your email address. Verification of the email address provided is necessary and you must consent to receive the newsletter. Additional data are not collected or are voluntary.
Data entered for setting up the subscription will be deleted upon unsubscribing. If these data have been transmitted to us for other purposes and elsewhere, they will remain with us.

We use Klaviyo to send our newsletter. In particular, your email address and, if applicable, your name and interaction data are processed. Processing is carried out exclusively on the basis of your consent (double opt-in).
Legal basis: Art. 6(1)(a) GDPR
You can unsubscribe from the newsletter at any time via the unsubscribe link in the newsletter.
A data processing agreement, including standard contractual clauses for data transfers to the USA, exists with Klaviyo.

Use for marketing purposes

If you consent, we collect and process data on our website using the tools listed below in order to show you more relevant advertising on this and other websites (remarketing/retargeting) and to measure the success of our advertising measures. We work with providers who help us in particular to track whether users reach us via certain advertising measures (so-called conversion tracking). In this context, pseudonymized usage profiles are also created. The legal basis is your consent pursuant to Art. 6(1) sentence 1 lit. a) GDPR and § 25(1) TDDDG.

Google Marketing Services

We use marketing services of Google LLC on these websites, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The controller for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

The services used include:

AdWords: Using the Google AdWords service enables us to carry out conversion tracking, i.e. it can be determined whether you reached our website via a Google ad. Identification of you is not possible on this basis; only statistics are created.

Google Tag Manager: Use of the Google Tag Manager service merely enables integration of the services listed by implementing the other cookies/tags and integrating the consent manager (“cookie banner”). The legal basis for processing is our legitimate interest pursuant to Art. 6(1) sentence 1 lit. f) GDPR and § 25(2) no. 2 TDDDG, which lies in optimizing our website and complying with GDPR requirements through a consent manager.

As part of the services mentioned, Google uses cookies and cookie-like technologies such as pixel tags (i.e. small transparent graphics, also known as web beacons) and processes personal data, in particular information about browser type/version, operating system used, the page you previously visited, the host name of the accessing device, IP address and the time of the request, as well as offers, search terms and content you were interested in. These data are transmitted to Google. Pseudonymized usage profiles are created. This means that we cannot identify you on this basis. Further information can be found at https://policies.google.com/technologies/types.
The cookies are automatically deleted after 30 days. You can object to or adjust interest-based advertising here: https://www.google.com/ads/preferences/?hl=de

Your data may be processed in the USA and transferred there, i.e. to a third country outside the European Union (EU) or the European Economic Area (EEA). The legal basis for the data transfer is the adequacy decision with the USA pursuant to Art. 45(1) GDPR based on the EU–US Data Privacy Framework. The provider is certified under the EU–US Data Privacy Framework and has therefore committed to complying with the EU level of data protection.
Further information and Google’s applicable privacy provisions can be accessed at https://policies.google.com/privacy. The functionality of Google Marketing Services is explained in more detail here: https://policies.google.com/technologies/ads.

Facebook Pixel / Facebook Custom Audiences

As part of usage-based online advertising, we use the Custom Audiences service of Meta Platforms, Inc. (1601 S. California Avenue, Palo Alto, CA 94304, USA). For this purpose, we define target groups in Facebook Ads Manager based on certain characteristics, who will then be shown ads within the Facebook network. Users are selected by Facebook based on the profile information they have provided and other data made available through their use of Facebook. If a user clicks on an ad and then visits our website, Facebook receives the information via the Facebook pixel integrated on our website that the user clicked on the banner. As a rule, a non-reversible and non-personal checksum (hash value) is generated from your usage data and transmitted to Facebook for analysis and marketing purposes. A Facebook cookie is set for this purpose. This collects information about your activities on our website (e.g. browsing behavior, visited subpages, etc.). For geographic control of advertising, your IP address is also stored and used. Facebook Custom Audiences via customer lists, as well as the “advanced matching” function, are not used by us.
The data are deleted no later than after 720 days.

Your data may be processed in the USA and transferred there, i.e. to a third country outside the European Union (EU) or the European Economic Area (EEA). The legal basis for the data transfer is the adequacy decision with the USA pursuant to Art. 45(1) GDPR based on the EU–US Data Privacy Framework. The provider is certified under the EU–US Data Privacy Framework and has therefore committed to complying with the EU level of data protection.
Facebook’s privacy policy can be found here: https://www.facebook.com/policy.php — You can object to data collection by the Facebook pixel and the use of your data here: https://www.facebook.com/settings?tab=ads.

The legal basis for this data processing is your consent pursuant to Art. 6(1) sentence 1 lit. a) GDPR and § 25(1) TDDDG. You can revoke your consent at any time with effect for the future by accessing the cookie settings in the footer and changing your selection there.

Social media / insights

For advertising purposes on Facebook and Instagram, we receive anonymized statistical evaluations (“Insights”). These data do not allow any conclusions to be drawn about individual persons.

Facebook
Facebook (Meta Platforms, Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (www.facebook.com) and Meta Platforms Ireland Limited, Hanover Reach, 5–7 Hanover Quay, Dublin 2, Ireland (www.facebook.de)) enables us, on so-called fan pages, to receive your anonymized data with the help of the Facebook Insight function, which is provided as a non-waivable part of the user relationship. These data are collected using cookies, each of which contains a unique user code. The user code can be linked to your Facebook login data if you are registered with Facebook and is collected and processed when you access the fan page. Facebook provides further information here:http://de-de.facebook.com/help/pages/insights.

Facebook does not clearly and conclusively state how it uses data from visits to Facebook pages for its own purposes, to what extent activities on the Facebook page are assigned to individual users, how long Facebook stores these data, and whether data from a visit to the Facebook page are passed on to third parties; this is not finally and clearly specified and is unknown to us. When accessing a Facebook page, the IP address assigned to your device is transmitted to Facebook. According to Facebook, this IP address is anonymized (for “German” IP addresses).
Facebook also stores information about users’ devices (e.g. as part of the “login notification” function); it may therefore be possible for Facebook to assign IP addresses to individual users. If you are currently logged in to Facebook, a cookie with your Facebook ID is stored on your device. This allows Facebook to trace that you have visited this page and how you used it. This also applies to all other Facebook pages. Facebook buttons embedded in websites enable Facebook to record your visits to these websites and assign them to your Facebook profile. Based on these data, content or advertising can be tailored to you.

If you want to make it more difficult for Facebook to track you, you should log out of Facebook and/or deactivate the “stay logged in” function, delete cookies stored on your device, and close and restart your browser. This deletes Facebook information that can be used to identify you directly. This allows you to use our Facebook page without Facebook being able to identify you via your cookies.
If you access interactive functions of the page (Like, Comment, Share, Messages, etc.), a Facebook login screen will appear. After logging in, you are directly identifiable to Facebook as a specific user.

Information on how to manage or delete the information available about you can be found on the following Facebook support pages: https://de-de.facebook.com/about/privacy#.

Instagram
Information on data protection at Instagram (Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA) and an option to object can be found here:http://instagram.com/about/legal/privacy/

Retention period

Personal data are stored only as long as necessary to fulfill the respective purposes.
Statutory retention periods (e.g. under tax and commercial law) remain unaffected.

Data processing in the context of applications (Homerun)

If you apply to us, we process the personal data you provide as part of the application process. This includes in particular name, contact details, application documents (e.g. CV, cover letter, references/certificates) and, if applicable, other information you submit.
This data is processed exclusively for the purpose of carrying out the application process and deciding on the establishment of an employment relationship.
The legal basis is Art. 6(1)(b) GDPR in conjunction with § 26(1) BDSG.

For handling the application process, we use the external service provider Homerun B.V., which acts as a processor for us. A data processing agreement with Homerun exists pursuant to Art. 28 GDPR. Your data are processed exclusively according to our instructions and in compliance with applicable data protection laws.

Within our company, only those persons have access to your application data who are involved in carrying out the application process or who require this information to decide on an employment relationship.

After completion of the application process, your personal data will generally be deleted no later than six months after the end of the application process, unless statutory retention obligations exist or you have expressly consented to longer storage (e.g. for a talent pool).

Your rights

In particular, you have the following rights:

Right of access (Art. 15 GDPR)
Right to rectification (Art. 16 GDPR)
Right to erasure (Art. 17 GDPR)
Right to restriction of processing (Art. 18 GDPR)
Right to withdraw consent (Art. 7(3) GDPR)
Right to data portability (Art. 20 GDPR)
Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
Right to object (Art. 21 GDPR)

Your rights as a data subject
1 Right of access
You have the right to obtain information from us as to whether and which data we process about you. This includes, among other things, information on how long and for what purpose we process the data, where they come from and to which recipients or categories of recipients we disclose them. You may also obtain a copy of these data from us.

2 Right to rectification
You have the right to have inaccurate or no longer accurate information about you corrected without undue delay. You may also request completion of your incomplete personal data. Where required by law, we will also inform third parties of such rectification if we have disclosed your data to them.

3 Right to erasure (“right to be forgotten”)
You have the right to request the immediate erasure of your personal data if one of the following reasons applies:

Your data are no longer necessary for the purposes for which they were collected or otherwise processed, or the purpose has been achieved;
You withdraw your consent and there is no other legal basis for the processing;
You object to the processing and there are no overriding legitimate grounds for the processing; for the use of personal data for direct marketing, your objection alone is sufficient;
Your personal data have been processed unlawfully;
The erasure of your personal data is necessary to comply with a legal obligation under Union law or the law of the Member States to which we are subject.

Please note that your right to erasure may be restricted by statutory provisions. This includes in particular the restrictions set out in Art. 17 GDPR and § 35 of the German Federal Data Protection Act (Bundesdatenschutzgesetz) in the version applicable from 25 May 2018.

4 Right to restriction of processing (blocking)
You have the right to request restriction of processing of your personal data if one of the following conditions is met:

You contest the accuracy of your personal data for a period enabling us to verify the accuracy of the personal data;
The processing is unlawful and you oppose the erasure of the personal data and request restriction of their use instead;
We no longer need the personal data for the purposes of processing, but you require them for the establishment, exercise or defense of legal claims; or
You have objected to processing pending the verification whether our legitimate grounds override yours.

If you have obtained restriction of processing, we will inform you before the restriction is lifted.

5 Right to withdraw consent
You can withdraw any consent you have given us at any time with effect for the future. This withdrawal may be made informally to the contact addresses listed above. This also applies to consents given before the GDPR became applicable (i.e. before 25 May 2018). If you withdraw your consent, the lawfulness of the processing carried out up to that point remains unaffected. The consequence of withdrawal is generally that you may no longer be able to use our services for which we requested your consent, or not to the full extent.

6 Right to data portability
You have the right to receive personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and to transmit those data to another controller. For details and limitations, please refer to Art. 20 GDPR. Exercising this right does not affect your right to erasure.

7 Right to lodge a complaint with a supervisory authority
If you believe that the processing of your data by us violates applicable data protection law, you have the right to lodge a complaint with one of the competent supervisory authorities, in particular with the Hamburg Commissioner for Data Protection and Freedom of Information or the supervisory authority in the Member State of your habitual residence, place of work, or the place of the alleged infringement.

8 Right to object under Art. 21 GDPR
Under Art. 21 GDPR, you have the right, on grounds relating to your particular situation, to object at any time to the processing of your data where we base such processing on legitimate interests pursuant to Art. 6(1) sentence 1 lit. f) GDPR. If you object, we will no longer process your personal data, except in two cases:

we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms; or
the processing serves the establishment, exercise, or defense of legal claims.

In particular, if we process your personal data for direct marketing (e.g. as part of our newsletter), you have the right to object at any time to the processing of your data for the purposes of such advertising. If you object to processing for direct marketing purposes, we will no longer use your personal data for this purpose.

Security of processing

We implement technical and organizational security measures to protect your data against manipulation, loss, or unauthorized access. Our security measures reflect the current state of the art.

Changes to this privacy policy

We reserve the right to amend this privacy policy in order to adapt it to changes in legal requirements or technical developments.