Privacy Policy
Status May 2024
- Name and address of the responsible party
- Contact details of the data protection officer
- General information on data processing
- Rights of the data subject
- Provision of the website and creation of log files
- Use of cookies
- Registration
- Order
- Payment options
- Credit assessment
- Fraud prevention and Abuse Detection Measures
- Newsletter
- Postal advertising
- Competitions
- Product Reviews / Comments
- Customer Surveys
- Hosting
- Press Portal
- Appointments Use of eAppointment
- Guarantee claim / warranty claim / repair order
- Direct delivery
- Returns processing
- Use of corporate presences in social networks
- Use of the Data Subject Request Tool (DSR) for managing data subject requests
- Use of the whistleblower portal
I. Name and address of the controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is:
ROSE Bikes GmbH
Schersweide 4
46395 Bocholt
Germany
customerservice@rosebikes.com
Management: Erwin Rose, Stefanie Rose, Thorsten Heckrath-Rose.
II. Contact details of the data protection officer
The data protection officer of the responsible party is:
DataCo GmbH
Nymphenburger Str. 86
80636 Munich, Germany
Germany
E-mail: datenschutz@dataguard.de
III. General information on data processing
1. Scope of the processing of personal data
- We only process our users' personal data to the extent necessary to provide a functional website as well as our content and services. The processing of personal data of our users is only carried out with the consent of the user. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is required by law.
2. Legal basis for the processing of personal data
- Whenever we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 sentence 1 lit. a GDPR serves as the legal basis. For the processing of personal data necessary for the performance of a contract to which the data subject is party, Art. 6 para. 1 sentence 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures. Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 sentence 1 lit. c GDPR is the legal basis. In the event that vital interests of the data subject or another individual require the processing of personal data, Art. 6 para. 1 sentence 1 lit. d GDPR is the legal basis. If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 sentence 1 lit. f GDPR serves as the legal basis for processing.
3. Data deletion and retention period
- The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. Data may also be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a retention period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.
IV. Rights of the data subject
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:
1. Right to information (Art. 15 EU GDPR)
You have the right to request confirmation from us as to whether personal data concerning you is being processed.
If this is the case, you have a right of access to this data and to the following information:
- Processing purposes
- Categories of personal data
- Recipients or categories of recipients
- Planned duration of storage or criteria for determining this duration
- The existence of the rights to rectification, erasure, restriction or objection
- Right of appeal to the competent supervisory authority
- If applicable origin of the data (if collected from a third party)
- If applicable the existence of automated decision-making including profiling with meaningful information about the logic involved, the scope and the expected effects
- If applicable transfer of personal data to a third country or international organisation
2. Right to rectification (Art. 16 EU GDPR)
If your personal data is incorrect or incomplete, you have the right to request immediate correction or completion of the personal data.
3. Right to restriction of processing (Art. 18 EU GDPR)
If one of the following conditions is met, you have the right to request that the processing of your personal data is restricted:
- You contest the accuracy of your personal data for a period enabling us to verify the accuracy of the personal data.
- In the event of unlawful processing, you object to the erasure of the personal data and instead request the restriction of the use of the personal data.
- WWe no longer need your personal data for the purposes of processing, but you need your personal data for the establishment, exercise or defence of legal claims or, after you have objected to processing, for the period necessary to verify whether our legitimate grounds override your grounds.
4. Right to erasure (Art. 17 EU GDPR)
If one of the following reasons applies, you have the right to demand that your personal data be deleted immediately:
- Your data is no longer necessary for the processing purposes for which they were originally collected.
- You withdraw your consent and there is no other legal basis for the processing.
- You object to the processing and there are no overriding legitimate grounds for the processing or you object to the processing pursuant to Art. 21 para. 2 GDPR.
- Your personal data is processed unlawfully.
- The deletion is necessary to fulfil a legal obligation under EU law or the law of the member state to which we are subject.
- The personal data was collected in relation to information society services offered in accordance with Article 8 para. 1 GDPR.
Please note that the above reasons do not apply if the processing is necessary:
- To exercise the right to freedom of expression and information;
- To fulfil a legal obligation or to perform a task that is in the public interest and to which we are subject.
- For reasons of public interest in the area of public health.
- For archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes.
- Assertion, exercise or defence of legal claims.
5. Right to data portability (Art. 20 EU GDPR)
You have the right to receive your personal data in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller.
6. Right to object to certain data processing (Art. 21 GDPR)
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 para. 1 sentence 1 lit. e or f of the GDPR. This also applies to profiling based on these provisions. If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.
7. Right of appeal to the competent supervisory authority (Art. 77 EU GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data concerning you infringes the GDPR. The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR. A list of the competent supervisory authorities in Germany can be found on the website of the Federal Commissioner for Data Protection under the following link: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html
You have the right to complain to a data protection supervisory authority about the processing of your personal data.
State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia
PO Box 20 04 44
40102 Düsseldorf
Phone: 0211/38424-0
Fax: 0211/38424-10
Email: poststelle@ldi.nrw.de
V. Provision of the website and creation of log files
1. Description and scope of data processing
Every time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.
The following data is collected:
- Name of your internet service provider
- Visitor source
- Name of the requested file
This data is stored in the log files of our system. This data is not stored together with other personal data of the user.
2. Purpose of data processing
The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session. Storage in log files takes place to ensure the functionality of the website. We also use the data to optimise the website and to ensure the security of our information technology systems. The data is not analysed for marketing purposes in this context. These purposes also constitute our legitimate interest in data processing pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR.
3. Legal basis for data processing
The legal basis for the temporary storage of data and log files is Art. 6 para. 1 sentence 1 lit. f GDPR.
4. Duration of storage
The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. When data is collected for the provision of the website, this is the case when the respective session has ended. If the data is stored in log files, this is the case after seven days at the latest. Storage beyond this is possible. In this case, the IP addresses of the users are deleted or anonymised so that it is no longer possible to identify the accessing client.
5. Possibility of objection
The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. The user can object to this. Whether the objection is successful must be determined as part of a balancing of interests.
XXIII. Use of corporate presences in social networks
Instagram and Facebook:
Meta Platforms Ireland Ltd, 4 Grand Canal Square Grand Canal Harbour, Dublin 2 Ireland
AWe provide information on our company page and offer Instagram and Facebook users the opportunity to communicate. If you carry out a campaign on our Instagram and Facebook corporate presence (e.g. comments, posts, likes, etc.), it is possible that you may thereby disclose personal data (e.g. name or photo of your user profile). However, since we generally or to a large extent have no influence on the processing of your personal data by the Meta company that is co-responsible for the ROSE Bikes GmbH company page, we cannot provide any binding information on the purpose and scope of the processing of your data.
Further information on joint responsibility with Meta can be found here:
Facebook: https://www.rosebikes.com/privacy-policy/facebook
Instagram: https://www.rosebikes.com/privacy-policy/instagram
You can object at any time to the processing of your personal data that we collect during your use of our corporate presence on social media and exercise your data subject rights as set out in IV. of this privacy policy. To do so, please send an informal email to customerservice@rosebikes.com. You can find more information on the processing of your personal data by the platforms and the corresponding objection options here:
Facebook: https://de-de.facebook.com/policy.php
Instagram: https://help.instagram.com/519522125107875
TikTok:
TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland
On our company page or our company account, we provide information in auditory, visual or textual form and offer TikTok users the opportunity to communicate, in particular information about the company and our educational offers as well as engagement with us, for user contact and feedback. If you carry out a campaign on our corporate presence (e.g. comments, posts, likes, etc.), it is possible that you may thereby disclose personal data (e.g. name, user name or photo of your user profile). However, since we generally or to a large extent have no influence on the processing of your personal data by the companies that are co-responsible for the ROSE Bikes GmbH company page, we cannot provide any binding information on the purpose and scope of the processing of your data. Further information on joint responsibility with TikTok can be found here: https://www.rosebikes.com/privacy-policy/tiktok
You can object at any time to the processing of your personal data that we collect during your use of our corporate presence on social media and exercise your data subject rights as set out in IV. of this privacy policy. To do so, please send an informal email to customerservice@rosebikes.com. You can find more information on the processing of your personal data by the platforms and the corresponding objection options here:
TikTok: https://ads.tiktok.com/i18n/official/policy/privacy
Strava:
Strava, Inc., 208 Utah Street, San Francisco, CA USA 94103, USA
On our company page on Strava, our Strava Club, we offer you the possibility to interact with our posts, in particular to comment on them. If you contact us via the comments, please check whether you want to send the relevant information publicly via Strava, or whether you consider another contact option. As members of our Strava Club, your activities are also shared with other Club members. There is also the chance to be included in our leaderboards. Please also note that, depending on your privacy settings, we – like all other users – have access to the information stored in your profile (e.g. name or photo of your user profile). However, since we generally or to a large extent have no influence on the processing of your personal data for the ROSE Bikes GmbH company page on Strava, we cannot provide any binding information on the purpose and scope of the processing of your data. You can object at any time to the processing of your personal data that we collect during your use of our corporate presence on social media and exercise your data subject rights as set out in IV. of this privacy policy. To do so, please send an informal email to customerservice@rosebikes.com. You can find more information on the processing of your personal data by the platforms and the corresponding objection options here:
Strava: www.strava.com/legal/privacy
Facelift:
1. Description, scope and purpose of data processing
We use “Facelift Cloud” to efficiently manage our social media channels. The provider of the tool is Facelift Brand Building Technologies GmbH, Gerhofstrasse 19, 20354 Hamburg, Germany. Further information on data protection by Facelift can be found here: https://www.facelift-bbt.com/de/imprint. “Facelift Cloud” is a platform for process support and implementation of digital marketing with a focus on social media for companies. With the “Facelift Cloud” software, it is possible to add content to and moderate profiles in the social networks Facebook, Instagram, Tik Tok, YouTube and Strava.
2. Recipients and type of your personal data
When Facelift is used, data needs to be stored temporarily by the licensing service provider, Facelift Brand Building Technologies GmbH. The data is stored on a server located in the European Union.
The following data is transmitted:
3. Duration of storage
The data is stored by the service provider for a period of six months and then deleted.
4. Legal basis for data processing
The legal basis for data processing is Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in analysing the social media presence of our company in the above-mentioned social networks and in timely and efficient communication in order to optimise our social media communication, customer service and customer experience, as well as our advertising.
XXIV. Use of the Data Subject Request Tool (DSR) for managing data subject requests
1. Scope of the processing of personal data
We use functionalities of the data protection plugin "DSR" of DataCo GmbH, Nymphenburger Str. 86, 80636, Munich, Bavaria, Germany (hereinafter: called DataCo). By using the "Submit data subject request" button, all visitors of our website have the opportunity to make use of their data subject rights. To do this, you indicate your relationship with our company, which data subject right you wish to exercise, provide further optional information and, if necessary, identify yourself with further characteristics. The data subject enquiry will then be processed by us.
The following personal data is processed by DataCo:
Further information on the processing of data by DataCo can be found here: https://www.dataguard.de/en-de/privacy-policy/
In addition, log files containing the following may be forwarded to DataCo GmbH to ensure technical functionality:
2. Purpose of data processing
The use of DSR serves to safeguard the data subject rights of our website visitors. This enables you to make use of your rights as a data subject and to contact us fast and easily.
3. Legal basis for the processing of personal data
The legal basis for the use of the DSR tool and the sending of corresponding data is your declaration of consent in accordance with Art. 6 para. 1 sentence 1 lit. a of the EU GDPR. The legal basis for the use of log files is our legitimate interest in ensuring the technical functionality of the tool in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR.
4. Duration of storage
Your personal information will be retained for as long as is necessary to fulfil the purposes described in this privacy policy or as required by law.
5. Possibility of objection and removal
You can object to the collection as well as the processing of your personal data or revoke your declaration of consent by contacting the responsible person by e-mail or using the DSR tool.
Changes to the privacy policy
We reserve the right to make changes to this privacy policy at any time. The privacy policy is updated regularly and any changes are automatically published on our website. This privacy policy was created with the support of DataGuard.
XXV. Use of the whistleblower portal
1. Scope of the processing of personal data
Generally, it is possible to use the whistleblower system – as far as legally permissible – without providing personal data. However, you can voluntarily disclose personal data as part of the whistleblowing process, in particular information about your identity
As a matter of principle, we do not request or process any special categories of personal data, e.g. information on racial and/or ethnic origin, religious and/or philosophical beliefs, trade union membership or sexual orientation. However, due to free text fields in the registration form, such special categories of personal data can be disclosed voluntarily by you.
DThe report you make may also contain personal data of third parties to which you refer in your report. Affected persons are given the opportunity to comment on the report. In this case, we will inform the affected persons about the report. In this case, too, your confidentiality is protected, as no information about your identity is given to the person concerned – as far as legally possible – and your report is used in such a way that your anonymity is not jeopardised.
For more information on the processing of data, click here: Privacy Policy
The technical implementation of the whistleblower system is carried out on our behalf by EQS Group AG("EQS").
2. Purpose of data processing
Using the whistleblower system allows you to contact us and report any suspected compliance and legal violations quickly and easily.
The corresponding processing of your personal data is based on your consent given when reporting via the whistleblower system (Art. 6 para. 1 lit. a of the European General Data Protection Regulation).
3. Duration of storage
Your personal information will be retained for as long as is necessary to fulfil the purposes described in this privacy policy or as required by law.
4. Possibility of objection and removal
You can object to the collection as well as the processing of your personal data or revoke your declaration of consent by contacting the responsible person by e-mail or using the whistleblower portal.
Changes to the privacy policy
We reserve the right to make changes to this privacy policy at any time. The privacy policy is updated regularly and any changes are automatically published on our website. This privacy policy was created with the support of DataGuard.
Legal Notice
TERMS & CONDITIONS