Privacy Policy

Status May 2024

Table of contents
  1. Name and address of the responsible party
  2. Contact details of the data protection officer
  3. General information on data processing
  4. Rights of the data subject
  5. Provision of the website and creation of log files
  6. Use of cookies
  7. Registration
  8. Order
  9. Payment options
  10. Credit assessment
  11. Fraud prevention and Abuse Detection Measures
  12. Newsletter
  13. Postal advertising
  14. Competitions
  15. Product Reviews / Comments
  16. Customer Surveys
  17. Hosting
  18. Press Portal
  19. Appointments Use of eAppointment
  20. Guarantee claim / warranty claim / repair order
  21. Direct delivery
  22. Returns processing
  23. Use of corporate presences in social networks
  24. Use of the Data Subject Request Tool (DSR) for managing data subject requests
  25. Use of the whistleblower portal

I. Name and address of the controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is:

ROSE Bikes GmbH
Schersweide 4
46395 Bocholt
Germany

customerservice@rosebikes.com

Management: Erwin Rose, Stefanie Rose, Thorsten Heckrath-Rose.

II. Contact details of the data protection officer

The data protection officer of the responsible party is:

DataCo GmbH
Nymphenburger Str. 86
80636 Munich, Germany

E-mail: datenschutz@dataguard.de

III. General information on data processing

1. Scope of the processing of personal data

    We only process our users' personal data to the extent necessary to provide a functional website as well as our content and services. The processing of personal data of our users is only carried out with the consent of the user. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is required by law.

2. Legal basis for the processing of personal data

    Whenever we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 sentence 1 lit. a GDPR serves as the legal basis. For the processing of personal data necessary for the performance of a contract to which the data subject is party, Art. 6 para. 1 sentence 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures. Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 sentence 1 lit. c GDPR is the legal basis. In the event that vital interests of the data subject or another individual require the processing of personal data, Art. 6 para. 1 sentence 1 lit. d GDPR is the legal basis. If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 sentence 1 lit. f GDPR serves as the legal basis for processing.

3. Data deletion and retention period

    The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. Data may also be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a retention period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

IV. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

1. Right to information (Art. 15 EU GDPR)

You have the right to request confirmation from us as to whether personal data concerning you is being processed.

If this is the case, you have a right of access to this data and to the following information:

  • Processing purposes
  • Categories of personal data
  • Recipients or categories of recipients
  • Planned duration of storage or criteria for determining this duration
  • The existence of the rights to rectification, erasure, restriction or objection
  • Right of appeal to the competent supervisory authority
  • If applicable, origin of the data (if collected from a third party)
  • If applicable, the existence of automated decision-making including profiling with meaningful information about the logic involved, the scope and the expected effects
  • If applicable, transfer of personal data to a third country or international organisation

2. Right to rectification (Art. 16 EU GDPR)

If your personal data is incorrect or incomplete, you have the right to request immediate correction or completion of the personal data.

3. Right to restriction of processing (Art. 18 EU GDPR)

If one of the following conditions is met, you have the right to request that the processing of your personal data is restricted:

  • You contest the accuracy of your personal data for a period enabling us to verify the accuracy of the personal data.
  • In the event of unlawful processing, you object to the erasure of the personal data and instead request the restriction of the use of the personal data.
  • We no longer need your personal data for the purposes of processing, but you need your personal data for the establishment, exercise or defence of legal claims or, after you have objected to processing, for the period necessary to verify whether our legitimate grounds override your grounds.

4. Right to erasure (Art. 17 EU GDPR)

If one of the following reasons applies, you have the right to demand that your personal data be deleted immediately:

  • Your data is no longer necessary for the processing purposes for which they were originally collected.
  • You withdraw your consent and there is no other legal basis for the processing.
  • You object to the processing and there are no overriding legitimate grounds for the processing or you object to the processing pursuant to Art. 21 para. 2 GDPR.
  • Your personal data is processed unlawfully.
  • The deletion is necessary to fulfil a legal obligation under EU law or the law of the member state to which we are subject.
  • The personal data was collected in relation to information society services offered in accordance with Article 8 para. 1 GDPR.

Please note that the above reasons do not apply if the processing is necessary:

  • To exercise the right to freedom of expression and information;
  • To fulfil a legal obligation or to perform a task that is in the public interest and to which we are subject.
  • For reasons of public interest in the area of public health.
  • For archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes.
  • Assertion, exercise or defence of legal claims.

5. Right to data portability (Art. 20 EU GDPR)

You have the right to receive your personal data in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller.

6. Right to object to certain data processing (Art. 21 GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 para. 1 sentence 1 lit. e or f of the GDPR. This also applies to profiling based on these provisions. If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.

7. Right of appeal to the competent supervisory authority (Art. 77 EU GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data concerning you infringes the GDPR. The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR. A list of the competent supervisory authorities in Germany can be found on the website of the Federal Commissioner for Data Protection under the following link: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html

You have the right to complain to a data protection supervisory authority about the processing of your personal data.

State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia
PO Box 20 04 44
40102 Düsseldorf
Phone: 0211/38424-0
Fax: 0211/38424-10
Email: poststelle@ldi.nrw.de

V. Provision of the website and creation of log files

1. Description and scope of data processing

Every time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.

The following data is collected:

  • Name of your internet service provider
  • Visitor source
  • Name of the requested file

This data is stored in the log files of our system. This data is not stored together with other personal data of the user.

2. Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session. Storage in log files takes place to ensure the functionality of the website. We also use the data to optimise the website and to ensure the security of our information technology systems. The data is not analysed for marketing purposes in this context. These purposes also constitute our legitimate interest in data processing pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR.

3. Legal basis for data processing

The legal basis for the temporary storage of data and log files is Art. 6 para. 1 sentence 1 lit. f GDPR.

4. Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. When data is collected for the provision of the website, this is the case when the respective session has ended. If the data is stored in log files, this is the case after seven days at the latest. Storage beyond this is possible. In this case, the IP addresses of the users are deleted or anonymised so that it is no longer possible to identify the accessing client.

5. Possibility of objection

The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. The user can object to this. Whether the objection is successful must be determined as part of a balancing of interests.

VI. Use of cookies

1. Description and scope of data processing

Cookies are set when you visit our website. Cookies are files that are stored in the internet browser or by the internet browser on the user's computer system. This storage of information on the user's end device can take place using unique identifiers (UID), which enables us to identify or assign it to an individual.

2. Purpose and legal basis for data processing, cancellation

The provisions of the New German Telecommunications Digital Services Data Protection Act (TDDDG) apply to the storage of information in the end user's terminal equipment and/or access to information already stored in the end user's terminal equipment. If the setting and reading of cookies is technically necessary, this is done to ensure the functionality of our website. In this case, the storage of and access to cookies on your terminal equipment takes place on the basis of § 25 para. 2 no. 2 TDDDG. The purpose of storing and accessing the information in your terminal equipment is to make it easier for you to use our website and to be able to offer you our services as you have requested. Some functions of our website do not work without the use of these cookies and could therefore not be offered. The cookies are generally deleted after the end of the session (e.g. logging out or closing the browser) or after the expiry of a specified period. Information on deviating storage periods for cookies can be found in the following sections of this privacy policy.

Insofar as cookies are used that are not technically necessary, this is done on the basis of your express consent, which you can give via the cookie banner. In this case, the basis for the storage and access to information is § 25 para. 1 TDDDG in conjunction with Art. 6 para. 1 sentence 1 lit. a, Art. 7 GDPR. You can revoke your consent at any time with effect for the future or grant it again at a later date by configuring your cookie settings accordingly. Alternatively, you can prevent the storage of cookies by making the appropriate settings in your browser software. Please note that the browser settings you make only apply to the browser you are using.

If personal data is processed following the storage of and access to the information on your terminal equipment, the provisions of the GDPR apply. Information on this can be found in the following sections of this privacy policy.

As part of the Digital Markets Act (DMA), the EU Commission has imposed various obligations on the gatekeepers (Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft). The gatekeepers are obliged to ensure compliance with all legal requirements of the Digital Markets Act. According to this, Google has introduced Google Consent Mode V2.

We use the BASIC Google Consent Mode V2.
Based on your consent, the Consent Mode v2 decides whether or not Google tags may be loaded or executed. If you consent to the use of cookies, Google tags and trackers for Google services will be loaded and your personal data will be processed in accordance with our website settings. If you do not give your consent, the Google tags will be delayed or not loaded at all. Your personal data will not be forwarded to Google.

VII. Registration

1. Description and scope of data processing

On our website, we offer you the opportunity to register by providing personal data. The data is entered in an online form and transmitted to us and stored.

The following data is collected as part of the registration process:

  • First name, name
  • Date of birth
  • Email address

The following data will also be saved at the time the message is sent:

  • IP address of the user
  • Date and time of the booking

2. Purpose of data processing

In the case of contact by e-mail, this also constitutes the necessary legitimate interest in the processing of the data.

3. Legal basis for data processing

The legal basis for processing the data collected during registration is the initiation of a purchase contract (Art. 6 para. 1 lit. b GDPR). The other personal data that are processed during the submission process serve to prevent misuse of the registration form and to ensure the security of our information technology systems.

4. Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. This is the case for the data collected during the registration process if the registration on our website is cancelled or modified. The additional personal data collected during the sending process will be deleted at the latest after a period of 30 days.

5. Possibility of objection

As a user, you have the option of cancelling the registration and thus objecting to the processing.

VIII. Order

1. Description and scope of data processing

On our website, we offer you the opportunity to order products by providing personal data. During the ordering process, personal data is entered into an online form and transmitted to us and stored.

  • First name, name
  • Date of birth
  • Address
  • If applicable, phone number (optional)
  • If applicable, bank details (depending on the selected payment method)
  • Email address

The following data will also be saved at the time the order is sent:

  • IP address of the user
  • Date and time of the booking

2. Purpose of data processing

The data entered during the order is processed for the purpose of establishing and implementing a purchase contract (Art. 6 para. 1 lit. b) GDPR). The other personal data that are processed during the submission process serve to prevent misuse of the ordering form and to ensure the security of our information technology systems.

3. Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. After the purchase contract has been fulfilled, your data will be deleted, unless we are obliged to store the data beyond this due to commercial and/or tax law regulations. The additional personal data collected during the sending process will be deleted at the latest after a period of 30 days.

IX. Payment options

1. Description and scope of data processing 

We offer our customers various payment options for processing their order. Depending on the payment option, we redirect customers to the platform of the corresponding payment service provider. After completion of the payment process, we receive the customers' payment data from the payment service providers or our bank and process them in our systems for the purposes of invoicing and accounting.

Credit card payment 

It is possible to complete the payment process by credit card.  If you have chosen payment by credit card, payment data will be passed on to payment service providers for payment processing. All payment service providers comply with the specifications of the "Payment Card Industry (PCI) Data Security Standards" and have been certified by an independent PCI Qualified Security Assessor.  

The following data is regularly transferred for credit card payments: 

  • Purchase amount 
  • Date and time of purchase 
  • First name and name 
  • Address 
  • Email address 
  • Credit card number 
  • Expiration date of the credit card 
  • Security code (CVC) 
  • IP address 
  • Phone / mobile phone number 

Payment data is passed on to the following payment service providers: 

  • Visa

You can find more information on the data protection guidelines as well as revocation and removal options towards payment service providers here: https://www.visa.de/legal/privacy-policy.html

Other payment options

It is possible to process the payment via PayPal. For this purpose, we use the payment service provider Unzer (formerly Heidelpay). In addition to the PayPal payment method, Unzer also offers credit card payments.  Unzer is Unzer GmbH, Vangerowstraße 18, 69115 Heidelberg. If you choose to pay via PayPal, the payment service provider Unzer will first automatically transfer your data that is required for the payment process to PayPal.

This involves the following data:  

  • Name 
  • Address 
  • Email address 
  • Phone / mobile phone number 
  • IP address 
  • Bank details 
  • Number of products 
  • Product code 
  • Data on goods and services 
  • Transaction amount and tax dues 
  • Information about previous purchasing behaviour 

The data transferred to Unzer and thus also to PayPal may be transferred to credit reference agencies by PayPal. This transfer is required for the identity and creditworthiness check.  PayPal may also pass on your data to third parties if this is necessary for the fulfilment of contractual obligations or if the data is to be processed on behalf. When transferring your personal data within companies affiliated with PayPal, the Binding Corporate Rules approved by the relevant supervisory authorities apply. You can find them here: https://www.paypal.com/de/webapps/mpp/ua/bcr. Other data transfers may be based on contractual safeguarding provisions. All PayPal transactions are subject to PayPal's privacy policy. You can find them here: https://www.paypal.com/de/webapps/mpp/ua/privacy-full/. You can find Unzer's privacy policy here: https://www.unzer.com/de/datenschutz/.

Bank transfer

If you wish to pay in advance via bank transfer, we will only process the data transferred by your bank. This data is only used to check the receipt of payment.

2. Purpose of data processing 

3. Legal basis for data processing 

The legal basis for data processing is Art. 6 section 1 sentence 1 lit. b of the EU GDPR, because data processing is indispensable for implementing the closed purchase contract. 

4. Duration of storage 

All payment data as well as data on possible chargebacks will only be stored for as long as they are needed for payment processing, possible processing of chargebacks, debt collection as well as for combating misuse.  Furthermore, payment data may be stored beyond this if and as long as this is necessary to comply with statutory retention periods or to prosecute a specific case of misuse.  Your personal data will be deleted after the expiry of statutory retention obligations, i.e. after 10 years at the latest. 

5. Possibility of objection and removal 

You can revoke your consent to the processing of your payment data at any time by notifying the responsible person or the payment service provider used. However, the payment service provider used may still be entitled to process your payment data if and as long as this is necessary for the contractual processing of payments. 

X. Credit assessment

1. Description and scope of data processing

We may use the services of rating agencies and credit agencies to determine the creditworthiness of our customers (e.g. when purchasing via invoice), including an analysis of the risk of payment and credit default.

We use the services of the following providers of credit information:

  • informa Solutions GmbH, Rheinstr. 99, 76532 Baden-Baden
  • Creditreform Boniversum GmbH, Hellersbergstraße 11, 41460 Neuss

The data transmitted is:

  • Last name
  • First name
  • Address
  • Email address
  • Telephone number
  • Date of birth
  • Gender
  • If applicable, IP address

2. Purpose of data processing

We transmit the data for the purpose of checking the creditworthiness of our customers. This serves to reduce the default rate and protect against credit risks.

3. Legal basis for data processing

The legal basis for data processing for the credit assessment of the customer by the controller is Art. 6 para. 1 sentence 1 lit. a GDPR with the user’s previous consent. The legal basis for data processing to check the customer's creditworthiness for high-risk payment methods is Art. 6 para. 1 sentence 1 lit. f GDPR due to our legitimate interest in securing our advance services.

4. Duration of storage

Your personal information will be retained for as long as is necessary to fulfil the purposes described in this privacy policy or as required by law, for example for tax and accounting purposes.

XI. Fraud prevention and Abuse Detection Measures

1. Scope of the processing of personal data

In order to secure the ordering process against fraudulent and/or abusive behaviour, we automatically check during the ordering process whether there are any anomalies in the specific order for the contract. For this reason, the 1) data for the execution of the contract (e.g. object of purchase, name, postal address, email address, delivery address, payment method and bank information) and 2) usage data of the website visits of this online shop (e.g. details on the beginning, end and scope of the visited websites as well as click paths) together with a cookie and/or a visitor ID, each of which may contain anonymous data about the end devices used when visiting the websites (e.g. the screen resolution or the operating system version) and which has some probability of being recognised via the end devices on future visits, are processed by this ROSE BIKES online shop with the purpose of enabling your user account to be used in the future. The ROSE BIKES online shop processes this data for the purpose of managing your user account, the websites that you visit and the services that you use on the website at https://www.rosebikes.com against fraud (e.g. through the takeover of user accounts, the automated creation of fake user accounts by bots, the use of stolen identities or payment data or incorrect ratings for services), for product optimisation and further development, or against misuse (e.g. through attacks on the IT infrastructure, "man-in-the-middle" attacks, brute force attacks or the use of malware) on the basis of legitimate interest pursuant to Art. 6 Section 1 f) of the EU GDPR in conjunction with Recital 47. The ROSE BIKES online shop also transmits the previously named data to the Device Transaction Pool (DTP) and stores it there.
The purpose of the DTP is to protect the member companies participating in the DTP from abuse and from bad debts due to fraud, which can occur while providing commercial, remunerated telecommunications services or digital services to contract partners who are unwilling or unable to pay, especially due to fraud. In the case of a request from a member company to the DTP, only the results of the suspicion check on the request are transmitted to this member company. Positive data can also be used, meaning, for example, that an end device used to make frequent and punctual payments can be rated positively. Results data for individual member companies, beyond the specific case of a particular use, are not stored. The DTP is operated by infoscore Profile Tracking GmbH (IPT), Kaistraße 7, 40221 Düsseldorf, Germany as the data processing company of the member company. The data is automatically deleted after five months. The ROSE Bikes online shop has contracted infoscore Tracking Solutions GmbH, Kaistraße 7, 40221 Düsseldorf, Germany with conducting the fraud prevention and abuse detection measures in accordance with Art. 28 of the EU GDPR. Recipients of the data are exclusively contractual partners of the ROSE Bikes online shop. In this case, the recipients are infoscore Tracking Solutions GmbH, Kaistraße 7, 40221 Düsseldorf, Germany; infoscore Profile Tracking GmbH, Kaistraße 7, 40221 Düsseldorf, Germany; infoscore Tracking Technology GmbH, Kaistraße 7, 40221 Düsseldorf, Germany; as well as data centre service providers that are tasked with storing the data. If fraud or misuse is suspected, a ROSE Bikes employee examines the results and the evidence on which they are based. If a contract is declined, this will be communicated to you and also, if requested, the principal reasons for this decision. You then have the opportunity to make your case by contacting info@rosebikes.com, whereupon a ROSE Bikes employee will reexamine the decision.

2. Purpose of data processing

The processing serves to prevent fraud and to safeguard against abusive behaviour during the ordering process.

3. Legal basis for data processing

The legal ground for processing personal data is our legitimate interest pursuant to Art. 6 para. 1 lit. f of the EU GDPR in conjunction with Recital 47.

4. Duration of storage

Your personal information will be retained for as long as is necessary to fulfil the purposes described in this privacy policy or as required by law.

XII. Newsletter

1. Scope of the processing of personal data

It is possible to subscribe to a free newsletter. When you register for the newsletter, the following data from the input screen is transmitted to us:

  • First name
  • Name
  • Email address
  • Pseudonym
  • IP address of the accessing computer
  • Date and time of the registration

Your consent is obtained for the processing of the data as part of the registration process and reference is made to this privacy policy. Furthermore, the newsletter can be used to send direct advertising for similar services. This is also possible without your consent.

2. Purpose of data processing

The purpose of collecting the user's e-mail address is to deliver the newsletter. The collection of other personal data as part of the registration process serves to prevent misuse of the services or the e-mail address used.

3. Legal basis for data processing

The legal basis for the processing of data after the user’s registration for the newsletter is Art. 6 para. 1 sentence 1 lit. a GDPR with the user’s previously given consent. The legal basis for sending the newsletter after the sale of goods or services is § 7 para. 3 UC.

4. Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. The user's e-mail address is therefore stored for as long as the subscription to the newsletter is active. The other personal data collected during the registration process is generally deleted after a period of seven days.

5. Possibility of objection and removal

The subscription to the newsletter can be cancelled by the user concerned at any time. For this purpose, you will find a corresponding link in every newsletter. This also makes it possible to withdraw consent to the storage of personal data collected during the registration process.

XIII. Postal advertising

1. Extent of data processing

Our customers automatically receive our customer magazine and further offer mailings by post. The following personal data is processed for this purpose:

  • Name
  • First name
  • Address

2. Purpose of data processing

The sending of postal advertising serves marketing purposes.

3. Legal basis for data processing

The legal basis for the processing is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

4. Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. The user's address is therefore stored until active objection to the sending.

XIV. Competitions

1. Extent of data processing

If you register for and participate in competitions organised by ROSE Bikes GmbH, we will use the data you provide when you participate. Detailed information on the competition can be found in the respective conditions of participation for each competition.


The following personal data (depending on the information provided in the competition) will be processed:

  • Name
  • First name
  • Address
  • Email address

2. Purpose of data processing

Implementation of the participation contract, in particular for prize notification and, if applicable, advertising for our offers.

3. Legal basis for data processing

The legal basis for this processing is Art. 6 para. 1 lit. a of the EU GDPR and Art. 6 para. 1 lit. b of the EU GDPR.

4. Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. The user's address is therefore stored until active objection to the sending.

XV. Product Reviews / Comments

1. Extent of data processing

Once you’ve submitted your order, you will receive an email asking you to write a product review (please note that only reviews related to the product can be published). You will receive this email regardless of whether you have subscribed to our newsletter or not. Please note that these emails comply strictly with the legal regulations of the Protection Against Unfair Competition Act (UC). We will use the provided email address to promote our own products you’ve already bought from us. By writing a review or leaving a comment, the data is transferred back to us and stored. We may use your email address to assign a product review, contact you for verification or to react to complaints. The product review is published with your first name and the first letter of your last name. By submitting a review and/or a comment you grant ROSE Bikes GmbH a non-exclusive, royalty-free, perpetual and irrevocable right to use, reproduce, modify, adapt, translate, distribute, publish, create derivative works from and publicly display such review and/or comment on- or offline. This means, for example, that ROSE Bikes may publish the comment and use the review for advertising/marketing purposes. Please note that all product reviews are analysed to make sure we can offer you new and even better products.

2. Purpose of data processing

The processing serves marketing purposes.

3. Legal basis for data processing

The legal basis for the processing is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

4. Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. The user's data is therefore stored until they actively object.

XVI. Customer Surveys

1. Processing of your personal data within the framework of our survey

We use Microsoft Forms to conduct the survey. Microsoft Forms is a service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA and its agent in the European Union: Microsoft Ireland Operations, Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P52 (hereinafter called Microsoft).

The survey results are evaluated on the basis of the anonymous responses. Nevertheless, we cannot rule out the possibility that the linking of the personal data listed below will enable a connection to your person:

  • IP address
  • Day and time you tried to reach us (optional information)
  • Your age
  • Your personal data, which you voluntarily provide in the context of the question (optional information)
  • Microsoft account details (only if you are logged in with a Microsoft account while completing the survey form. To minimise the risk of establishing a personal connection, we recommend that you log out of your Microsoft account before completing the survey questionnaire.)

We would like to ask you not to enter any personal data in the free text field of our survey. Personal data of the participants entered in the free text field will not be taken into account by us within the framework of the evaluation.

Further information on the processing of your personal data by Microsoft can be found here: https://privacy.microsoft.com/de-DE/privacystatement#mainnoticetoendusersmodule

2. Purpose and legal basis for data processing

Your personal data will be processed for the following purposes:

  • Our entrepreneurial interest to optimise the quality of our services and products
  • Our entrepreneurial interest in determining the individual needs as well as the general satisfaction of our customers with our services and products
  • For market research

3. Legal basis for the data processing:

Processing on the basis of consent. Your participation in our survey is voluntary. Your data will only be evaluated if you give your express consent in advance. The legal basis in this case is Art. 6 para. 1 sentence 1 lit. a in conjunction with Art. 7 GDPR. For the possible transfer of your personal data to other Microsoft locations in third countries (including the USA), we use Art. 49 para. 1 lit. a GDPR.

4. Recipients of your personal data

Within our company, only those departments and employees will have access to your personal data who need it to fulfil the stated purposes. An active transfer of your personal data to a third country or to an international organisation does not take place and is not planned. Please note, however, that Microsoft may process your personal data through the Forms application in countries outside the EU/EEA, such as the USA. In particular, this means that it cannot be ruled out that third parties (such as the responsible regulatory authorities in the USA) could have unrestricted access to your personal data. We have concluded an order processing agreement with Microsoft in accordance with Art. 28 EU GDPR and Microsoft is certified under the EU-US Data Privacy Framework. For the data processing in the USA, there is thus a cooperation agreement with the European Commission pursuant to Art. 45 EU GDPR.

5. Duration of the storage of your personal data

We will delete your personal data as soon as the stated purposes for storing it no longer apply. This will be done at the latest with the final evaluation of the results from our survey. Furthermore, we will delete your personal data if you revoke your previously given consent.

XVII. Hosting

The website is hosted on servers of a service provider commissioned by us.

Our service provider is: Google Ireland Limited, Velasco, Clanwilliam Place, Dublin 2, Ireland

The servers automatically collect and store information in so-called server log files, which your browser automatically transmits when you visit the website. The stored information is:

  • Browser type and browser version
  • Operating system used
  • Referrer URL
  • Host name of the accessing computer
  • Date and time of the server request
  • IP address

This data is not merged with other data sources. This data is collected on the basis of Art. 6 para. 1 lit. f GDPR. Our legitimate interest in processing this data is to display our website without errors and to optimise its functions. The website server is geographically located in the European Union (EU) or the European Economic Area (EEA).

XVIII. Press Portal

1. Extent of data processing

On our press portal, we provide press releases and other information and offer users the opportunity to get in touch with us. For the hosting of our press portal, we use the following service provider:

Neovaude GmbH, Hohenzollernstr. 26, 44135 Dortmund, Germany

2. Legal basis for data processing

The legal basis for the processing of your data in connection with the use of our corporate presence is Art. 6 para. 1 sentence 1 lit. f of the GDPR.

3. Purpose of data processing

Our press portal serves to inform journalists about our products and services and to offer them the opportunity to get in touch with us.

4. Duration of storage

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected.

5. Possibility of objection and removal

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 para. 1 sentence 1 lit. e or f of the GDPR.

6. Cookies

Only cookies essential for proper functioning are used for our press portal. The legal basis for the use of these essential cookies is Art. 6 para. 1 sentence 1 lit. f of the EU GDPR.

XIX. Appointments Use of eAppointment

1. Description and scope of data processing

We use the function of eTermin GmbH, Im Wiesengrund 8, 8304 Wallisellen, Switzerland (hereinafter referred to as "eTermin").

2. Purpose of data processing

The use of eTermin serves to arrange appointments. The following information is required to book an appointment via eTermin:

  • Details of the appointment (date and time, type of appointment)
  • Salutation
  • First name
  • Name
  • Address
  • Telephone number
  • Email address
  • IP address

The specific data required for your appointment may require further information not included in this list. After completing the appointment booking, you will receive a confirmation email to your email address, which you can use to change or cancel the booked appointment. The confirmation email is sent unencrypted and contains recorded appointment data to the extent set by the service provider. The appointment data can be sent in plain text or partially anonymised.

The use of smapOne is only activated if you have booked an appointment in one of our shops and confirm on site, e.g. the collection of a bike with a digital signature. Your surname, first name, e-mail address, customer number, order number, bike model, frame number, bike ID and your signature will then be saved in smapOne.

3. Legal basis for the processing

An order processing contract has been concluded with this service provider. The service provider processes the data on our behalf and is bound by instructions. The processing of the data takes place exclusively in the territory of Switzerland and/or in a member state of the European Union or in another state party to the Agreement on the European Economic Area. The processing of the data entered by you via eTermin takes place on the basis of Art. 6 para. 1 lit. b of the EU GDPR, insofar as your request is related to the fulfilment of a contract or is necessary for the implementation of pre-contractual measures, e.g. a consultation appointment to prepare an offer or for a workshop appointment/repair order. In all other cases, the processing is based on our legitimate interest in a proper, uncomplicated and quick processing of appointments (Art. 6 para. 1 lit. f of the EU GDPR). The legal basis for the processing of the personal data (IP address) transmitted by the Iframe is Section 25 para. 2 no. 2 of the TTDSG. Setting the Iframe is absolutely necessary to make the appointment booking available to you.

4. Duration of storage

Your personal information will be retained for as long as is necessary to fulfil the purposes described in this privacy policy or as required by law, for example for tax and accounting purposes. In addition, you can make use of your right to early deletion.

5. Possibility of objection

As a user, you have the option of cancelling the registration and thus objecting to the processing. Further information on data processing by the service provider can be found here: https://www.etermin.net/online-terminbuchung-datenschutz.

XX. Guarantee claim / warranty claim / repair order

1. Description and scope of data processing

If you contact us with a guarantee or warranty claim, or a repair request, your details and contact data will be processed for the purpose of handling your request. Depending on the product, it could also be forwarded to one of our external service partners or to the manufacturer.

2. Purpose of data processing

The latter will then use the transmitted data exclusively for processing the guarantee or warranty claim or the repair order.

The following data is transmitted:

  • First name
  • Name
  • Address
  • Telephone number
  • Email address
  • Order data (product data such as date of purchase)

Any further transfer and use of the data will only take place with your consent. The purpose of passing it on is to process your order quickly.

3. Legal basis for the processing

The legal basis for this required data transfer is Article 6 para. 1 lit. b GDPR.

4. Duration of storage

Your personal information will be retained for as long as is necessary to fulfil the purposes described in this privacy policy or as required by law, for example for tax and accounting purposes. In addition, you can make use of your right to early deletion.

XXI. Direct delivery

1. Description and scope of data processing

Insofar as necessary for the processing of the contract for delivery purposes, the personal data collected by us will be passed on in accordance with Art. 6 para. 1 lit. b GDPR to our contractual or cooperation partners for direct delivery.

For this purpose, the personal data necessary for the shipment information will be passed on:

  • Name
  • First name
  • Address
  • Order number
  • Order content

2. Legal basis for data processing

The legal basis for processing the data collected during registration is the initiation of a purchase contract (Art. 6 para. 1 lit. b GDPR).

3. Duration of storage

Our contractual partners and cooperation partners may only use the data provided to fulfil their function to process your order.

4. Possibility of objection

As a user, you have the option of cancelling the registration and thus objecting to the processing.

XXII. Returns processing

1. Description / scope and purpose of data processing

For the processing of returns we use "Trusted Returns", a service of Trusted Returns GmbH, Peter-Joseph-Lenné-Str. 5, D-51377 Leverkusen. By integrating the service, you have the option of initiating a returns process directly on our website (www.rosebikes.com). For this purpose, customer data (first name, surname, address, e-mail address), data about the order and return as well as about dispatch and delivery are processed via the form provided and personal data are transferred to Trusted Returns on the basis of our legitimate interest in the efficient processing of the return. Based on the entries made and using the software provided by Trusted Returns, we check the returns authorisation and work out the optimum returns solution for you.

2. Legal basis for data processing

The legal basis for this required data transfer is based on Art. 6 para. 1 lit. b GDPR and Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in effective and appropriate returns management.

3. Duration of storage

Once the returns process is complete, the data provided will be deleted by Trusted Returns. We have concluded an order processing agreement with Trusted Returns in which we oblige Trusted Returns to protect your data in accordance with the legal requirements. Details of Trusted Returns' privacy policy can be found here: https://trustedreturns.com/en.

4. Possibility of objection and removal

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 para. 1 sentence 1 lit. e or f of the GDPR.

XXIII. Use of corporate presences in social networks

Instagram and Facebook:

Meta Platforms Ireland Ltd, 4 Grand Canal Square Grand Canal Harbour, Dublin 2 Ireland

We provide information on our company page and offer Instagram and Facebook users the opportunity to communicate. If you carry out a campaign on our Instagram and Facebook corporate presence (e.g. comments, posts, likes, etc.), it is possible that you may thereby disclose personal data (e.g. name or photo of your user profile). However, since we generally or to a large extent have no influence on the processing of your personal data by the Meta company that is co-responsible for the ROSE Bikes GmbH company page, we cannot provide any binding information on the purpose and scope of the processing of your data.

Further information on joint responsibility with Meta can be found here:

Facebook: https://www.rosebikes.com/privacy-policy/facebook
Instagram: https://www.rosebikes.com/privacy-policy/instagram

You can object at any time to the processing of your personal data that we collect during your use of our corporate presence on social media and exercise your data subject rights as set out in IV. of this privacy policy. To do so, please send an informal email to customerservice@rosebikes.com. You can find more information on the processing of your personal data by the platforms and the corresponding objection options here:

Facebook: https://de-de.facebook.com/policy.php
Instagram: https://help.instagram.com/519522125107875

TikTok:

TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland

On our company page or our company account, we provide information in auditory, visual or textual form and offer TikTok users the opportunity to communicate, in particular information about the company and our educational offers as well as engagement with us, for user contact and feedback. If you carry out a campaign on our corporate presence (e.g. comments, posts, likes, etc.), it is possible that you may thereby disclose personal data (e.g. name, user name or photo of your user profile). However, since we generally or to a large extent have no influence on the processing of your personal data by the companies that are co-responsible for the ROSE Bikes GmbH company page, we cannot provide any binding information on the purpose and scope of the processing of your data. Further information on joint responsibility with TikTok can be found here: https://www.rosebikes.com/privacy-policy/tiktok

You can object at any time to the processing of your personal data that we collect during your use of our corporate presence on social media and exercise your data subject rights as set out in IV. of this privacy policy. To do so, please send an informal email to customerservice@rosebikes.com. You can find more information on the processing of your personal data by the platforms and the corresponding objection options here:

TikTok: https://ads.tiktok.com/i18n/official/policy/privacy

Strava:

Strava, Inc., 208 Utah Street, San Francisco, CA USA 94103, USA

On our company page on Strava, our Strava Club, we offer you the possibility to interact with our posts, in particular to comment on them. If you contact us via the comments, please check whether you want to send the relevant information publicly via Strava, or whether you consider another contact option. As members of our Strava Club, your activities are also shared with other Club members. There is also the chance to be included in our leaderboards. Please also note that, depending on your privacy settings, we – like all other users – have access to the information stored in your profile (e.g. name or photo of your user profile). However, since we generally or to a large extent have no influence on the processing of your personal data for the ROSE Bikes GmbH company page on Strava, we cannot provide any binding information on the purpose and scope of the processing of your data. You can object at any time to the processing of your personal data that we collect during your use of our corporate presence on social media and exercise your data subject rights as set out in IV. of this privacy policy. To do so, please send an informal email to customerservice@rosebikes.com. You can find more information on the processing of your personal data by the platforms and the corresponding objection options here:

Strava: www.strava.com/legal/privacy


Facelift:

1. Description, scope and purpose of data processing

We use “Facelift Cloud” to efficiently manage our social media channels. The provider of the tool is Facelift Brand Building Technologies GmbH, Gerhofstrasse 19, 20354 Hamburg, Germany. Further information on data protection by Facelift can be found here: https://www.facelift-bbt.com/de/imprint. “Facelift Cloud” is a platform for process support and implementation of digital marketing with a focus on social media for companies. With the “Facelift Cloud” software, it is possible to add content to and moderate profiles in the social networks Facebook, Instagram, TikTok, YouTube and Strava.

2. Recipients and type of your personal data

When Facelift is used, data needs to be stored temporarily by the licensing service provider, Facelift Brand Building Technologies GmbH. The data is stored on a server located in the European Union.

The following data is transmitted:

  • Profile and account names
  • Profile picture
  • Content of the enquiry
  • Number of followers and profiles that the profile follows

3. Duration of storage

The data is stored by the service provider for a period of six months and then deleted.

4. Legal basis for data processing

The legal basis for data processing is Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in analysing the social media presence of our company in the above-mentioned social networks and in timely and efficient communication in order to optimise our social media communication, customer service and customer experience, as well as our advertising.

XXIV. Use of the Data Subject Request Tool (DSR) for managing data subject requests

1. Scope of the processing of personal data

We use functionalities of the data protection plugin "DSR" of DataCo GmbH, Nymphenburger Str. 86, 80636, Munich, Bavaria, Germany (hereinafter called DataCo). By using the "Submit data subject request" button, all visitors of our website have the opportunity to make use of their data subject rights. To do this, you indicate your relationship with our company, which data subject right you wish to exercise, provide further optional information and, if necessary, identify yourself with further characteristics. The data subject enquiry will then be processed by us.

The following personal data is processed by DataCo:

  • Last name
  • First name
  • Reference to the person responsible (employee, customer, interested party, etc.)
  • Email address
  • Other voluntarily communicated personal data

Further information on the processing of data by DataCo can be found here: https://www.dataguard.de/en-de/privacy-policy/

In addition, log files containing the following may be forwarded to DataCo GmbH to ensure technical functionality:

  • Information about the browser type and version used
  • The user's operating system
  • The user's internet service provider
  • The IP address of the user
  • Date and time of access
  • Websites from which the user's system made the request

2. Purpose of data processing

The use of DSR serves to safeguard the data subject rights of our website visitors. This enables you to make use of your rights as a data subject and to contact us quickly and easily.

3. Legal basis for the processing of personal data

The legal basis for the use of the DSR tool and the sending of corresponding data is your declaration of consent in accordance with Art. 6 para. 1 sentence 1 lit. a of the EU GDPR. The legal basis for the use of log files is our legitimate interest in ensuring the technical functionality of the tool in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR.

4. Duration of storage

Your personal information will be retained for as long as is necessary to fulfil the purposes described in this privacy policy or as required by law.

5. Possibility of objection and removal

You can object to the collection as well as the processing of your personal data or revoke your declaration of consent by contacting the responsible person by e-mail or using the DSR tool.

Changes to the privacy policy

We reserve the right to make changes to this privacy policy at any time. The privacy policy is updated regularly and any changes are automatically published on our website. This privacy policy was created with the support of DataGuard.

XXV. Use of the whistleblower portal

1. Scope of the processing of personal data

Generally, it is possible to use the whistleblower system – as far as legally permissible – without providing personal data. However, you can voluntarily disclose personal data as part of the whistleblowing process, in particular information about your identity:

  • First name
  • Last name
  • Reference to the person responsible (employee, customer, interested party, etc.)
  • Country of residence
  • Telephone number
  • Email address

As a matter of principle, we do not request or process any special categories of personal data, e.g. information on racial and/or ethnic origin, religious and/or philosophical beliefs, trade union membership or sexual orientation. However, due to free text fields in the registration form, such special categories of personal data can be disclosed voluntarily by you.

The report you make may also contain personal data of third parties to which you refer in your report. Affected persons are given the opportunity to comment on the report. In this case, we will inform the affected persons about the report. In this case, too, your confidentiality is protected, as no information about your identity is given to the person concerned – as far as legally possible – and your report is used in such a way that your anonymity is not jeopardised.

For more information on the processing of data, click here: Privacy Policy

The technical implementation of the whistleblower system is carried out on our behalf by EQS Group AG ("EQS").

2. Purpose of data processing

Using the whistleblower system allows you to contact us and report any suspected compliance and legal violations quickly and easily.

The corresponding processing of your personal data is based on your consent given when reporting via the whistleblower system (Art. 6 para. 1 lit. a of the European General Data Protection Regulation).

3. Duration of storage

Your personal information will be retained for as long as is necessary to fulfil the purposes described in this privacy policy or as required by law.

4. Possibility of objection and removal

You can object to the collection as well as the processing of your personal data or revoke your declaration of consent by contacting the responsible person by e-mail or using the whistleblower portal.
