Data protection
PRIVACY POLICY
Status: July 17, 2026
1. CONTROLLER
Mittelweser Heilquellen GmbH
Auf dem Kampe 3a
31582 Nienburg/Weser
Germany
Phone: +49 5021 60390
Email: info@thesourcelab.de
2. GENERAL INFORMATION ON DATA PROCESSING
We only process personal data to the extent necessary for the provision of our online shop, the execution of orders, communication with customers, the fulfillment of legal obligations, or other purposes described below.
Depending on the processing, we rely in particular on the following legal bases:
– Art. 6 para. 1 lit. a GDPR for consent given
– Art. 6 para. 1 lit. b GDPR for the implementation of pre-contractual measures and for contract fulfillment
– Art. 6 para. 1 lit. c GDPR for the fulfillment of legal obligations
– Art. 6 para. 1 lit. f GDPR for safeguarding our legitimate interests, in particular in a secure, functional, and commercially operated online shop
– Art. 9 para. 2 lit. a GDPR, if in the context of care consultation, health-related information is processed exceptionally based on explicit consent
Insofar as information is stored on an end device or read from an end device, its permissibility is additionally governed by Section 25 TDDDG.
3. PROVISION OF THE ONLINE SHOP AND SHOPIFY
Our online shop is operated via Shopify.
The provider for customers from the European Economic Area, the United Kingdom, and Switzerland is generally:
Shopify International Limited
Ireland
When you visit our shop, the following data may be processed in particular:
– IP address
– Date and time of access
– Pages and files accessed
– Referrer URL
– Browser type and browser version
– Operating system and device information
– Language and approximate region
– Technical error and security information
– Shopping cart, session, and checkout data
The processing takes place for the technical provision of the shop, the display of content, ensuring security, detecting technical errors, and defending against abusive access.
The legal basis is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the secure and undisturbed operation of our online shop. Technically absolutely necessary storage and access are additionally carried out on the basis of Section 25 para. 2 TDDDG.
Shopify may use other affiliated companies and subcontractors. Data may be processed in particular in Canada and the USA. Shopify states that it uses appropriate data protection safeguards for this, in particular adequacy decisions, the EU-US Data Privacy Framework, and standard contractual clauses.
Further information:
https://www.shopify.com/legal/privacy
https://www.shopify.com/legal/dpa
https://help.shopify.com/de/manual/privacy-and-security/privacy/subprocessors
4. COOKIES AND CONSENT MANAGEMENT
Our online shop uses cookies and similar technologies, such as local storage, pixels, tags, scripts, and device identifiers.
Technically necessary technologies are used to provide basic functions of the shop. These include in particular:
– Shopping cart and checkout
– Language selection and country settings
– Login and customer account
– Security and fraud prevention
– Storage of privacy settings
– Technically necessary session control
The storage or retrieval of technically necessary information is based on Section 25 para. 2 TDDDG. The subsequent processing of personal data is based on Art. 6 para. 1 lit. b or lit. f GDPR, depending on the purpose.
Analysis, marketing, affiliate, and personalization technologies are only activated after corresponding consent has been given. The legal bases are Section 25 para. 1 TDDDG and Art. 6 para. 1 lit. a GDPR.
To obtain, store, and manage consents, we use Cookiebot, a service of:
Usercentrics A/S
Havnegade 39
1058 Copenhagen
Denmark
In particular, the consent decision, time, browser information, a pseudonymous identifier, and parts of the IP address may be processed.
Given consent can be revoked or changed at any time with effect for the future via the cookie settings in the footer of our shop.
Further information:
https://www.cookiebot.com/de/privacy-policy/
5. ORDERS, CHECKOUT, AND CONTRACT PROCESSING
When placing an order, we process in particular:
– First and last name
– Billing and shipping address
– Email address
– Phone number, if provided
– Ordered products, quantities, and prices
– Payment method and payment status
– Shipping and return information
– Customer and order number
– Content of voluntary communications
– If applicable, VAT and company data
Data processing is carried out for the execution of the order, payment, delivery, processing of returns, complaints, and refunds, as well as for communication about the order status.
The legal basis is Art. 6 para. 1 lit. b GDPR. Insofar as legal documentation and retention obligations exist, processing is additionally based on Art. 6 para. 1 lit. c GDPR.
6. CUSTOMER ACCOUNT
When creating a customer account, we process the master, contact, address, and order data entered. The customer account facilitates future orders and enables the display of previous orders.
The legal basis is Art. 6 para. 1 lit. b GDPR. The customer account can be deleted at any time, provided that there are no legal retention obligations preventing this.
7. PAYMENT PROCESSING
For processing payments, we transmit the necessary data to the payment service provider selected in the checkout. Depending on the selected payment method, the following providers may be involved in particular:
– Shopify Payments or Shop Pay
– PayPal
– Klarna
– Apple Pay
– Google Pay
– Credit card and banking service providers
– Other payment providers displayed in the checkout
Payment providers process identity, contact, order, payment, and device information in particular. Individual providers may carry out creditworthiness, identity, or fraud checks under their own responsibility.
The legal bases are Art. 6 para. 1 lit. b GDPR and, insofar as checks for fraud prevention are necessary, Art. 6 para. 1 lit. f GDPR.
Further information on data processing can be found in the privacy policies of the respective selected payment provider.
8. PAYPAL PAY LATER MESSAGING
Insofar as PayPal's later payment options are displayed on product or checkout pages, PayPal may process technical usage data such as IP address, browser information, device information, and the visited page.
Non-technically necessary PayPal content and tracking technologies are only loaded after consent. The legal bases are Section 25 para. 1 TDDDG and Art. 6 para. 1 lit. a GDPR.
9. SHIPPING, FULFILLMENT, AND RETURNS
For storage, picking, packaging, shipping, and returns processing, we transmit the necessary order and address data to our shipping and fulfillment service providers.
These include in particular:
– Hive Technologies GmbH or HIVE
– DHL or Post & DHL Shipping
– Other shipping service providers selected in the checkout
Processed data includes in particular name, delivery address, email address, phone number, order content, package and shipment number, and return information.
The legal basis is Art. 6 para. 1 lit. b GDPR. The transfer of email address or phone number for shipment announcements only takes place if this is necessary for the desired shipping communication or if corresponding consent is available.
10. ERP, ACCOUNTING, REPORTING AND SALES INTERFACES
For internal order processing, merchandise management, inventory management, invoicing, accounting, tax documentation and evaluation, we use the following services and interfaces in particular:
– HIVE
– Billbee
– Better Reports
– Rechnungssprinter Pro / DATEV
– DATEV Buchhaltungsexport Pro
– CS Amazon Sync
– Omega Feed
– Shopify Flow
– Other activated Shopify interfaces
In this context, customer, order, invoice, payment, shipping, return, and product data may be processed in particular.
The legal bases are Art. 6 para. 1 lit. b GDPR for contract fulfillment, Art. 6 para. 1 lit. c GDPR for legal accounting and documentation obligations, and Art. 6 para. 1 lit. f GDPR for internal evaluations, inventory control, and the optimization of operational processes.
Service providers generally process data on the basis of corresponding order processing agreements, insofar as they act as processors.
11. SALES CHANNELS AND MARKETPLACES
Insofar as products or orders are offered or synchronized via external sales channels, product, order, and customer data may be transmitted to the respective platform provider.
This may concern the following channels in particular:
– Amazon
– Google & YouTube
– Facebook & Instagram
– TikTok
– Pinterest
– Shop
– Other activated marketplace and feed interfaces
When placing an order via an external marketplace, the data protection provisions of the respective platform operator also apply.
The legal basis for order processing is Art. 6 para. 1 lit. b GDPR. The synchronization of product and inventory data without personal reference does not take place on the basis of the GDPR.
12. CONTACT, FORMS AND SHOPIFY MESSAGING
When you contact us via email, contact form, chat, or other communication channels, we process the information you provide. This may include your name, email address, phone number, order number, and the content of the message.
For forms and messages, Shopify Forms, Shopify Messaging or Shopify Inbox, and WorkflowMail may be used in particular.
Processing takes place to handle the request. The legal basis is Art. 6 para. 1 lit. b GDPR if the request relates to a contract or an order. In other cases, the legal basis is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in reliable customer communication.
13. AI CHATBOT HEICHAT
We may use HeiChat as an automated customer service and product information chat on our website.
The provider according to the app documentation is Heicarbook.
When using the chat, the following data may be processed in particular:
– Entered messages
– Product and service inquiries
– Technical device and usage information
– IP address
– Time and course of communication
– Contact details, if entered voluntarily
Processing takes place to answer inquiries and to provide automated customer communication. The legal basis is Art. 6 para. 1 lit. b GDPR for contract-related inquiries, otherwise Art. 6 para. 1 lit. f GDPR.
Please do not submit diagnoses, health records, payment data, passwords, or other particularly confidential information in the chat.
The chatbot's responses are generated automatically. They do not replace medical or healthcare advice.
Further information:
https://docs.heichat.net/guide/policies/privacy-policy
14. WHATSAPP COMMUNICATION
Insofar as we offer contact via WhatsApp, its use is voluntary.
When communicating, telephone number, profile name, message content, timestamp, and other technical data collected by WhatsApp may be processed in particular.
The provider for users in the European Economic Area is generally WhatsApp Ireland Limited. A transfer to affiliated companies, in particular Meta companies in the USA, may take place.
The legal basis is Art. 6 para. 1 lit. b GDPR for contract-related inquiries, otherwise Art. 6 para. 1 lit. f GDPR. For advertising messages via WhatsApp, prior consent according to Art. 6 para. 1 lit. a GDPR is required.
15. NEWSLETTER, SEGUNO EMAIL, AND SEGUNO POPUPS
For newsletters, registration forms, pop-ups, and automated email communication, we use Seguno Email and Seguno Popups in particular.
The provider is:
Seguno Software, LLC
USA
When subscribing to the newsletter, we process in particular the email address, the time of registration, the consent information, and, if applicable, the name.
The sending of promotional newsletters takes place exclusively after consent in accordance with Art. 6 para. 1 lit. a GDPR and Section 7 UWG. The double opt-in procedure may be used to confirm registration.
Consent can be revoked at any time via the unsubscribe link in every promotional email or by sending us a message.
Opening and click measurements and tracking pixels contained in emails are only used if sufficient consent is available for this. Without corresponding consent, no personal analysis of opening or click behavior takes place.
Service and transactional messages that are necessary for the processing of an order are sent regardless of newsletter consent on the basis of Art. 6 para. 1 lit. b GDPR.
Seguno may process data in the USA. The EU-US Data Privacy Framework and standard contractual clauses are particularly relevant as a basis for transfer.
Further information:
https://www.seguno.com/privacy
16. GOOGLE ANALYTICS 4
With your consent, we use Google Analytics 4 to analyze the use of our online shop.
The provider is:
Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland
The following data may be processed in particular:
– IP address
– Device and browser information
– Pages accessed
– Referrer
– Events and interactions
– Approximate location information
– Purchase and shopping cart events
– Pseudonymous user and device identifiers
Google can create usage statistics from the collected information. A transfer to Google LLC in the USA cannot be ruled out.
Google Analytics is only activated after consent. The legal bases are Section 25 para. 1 TDDDG and Art. 6 para. 1 lit. a GDPR.
Further information:
https://policies.google.com/privacy
17. GOOGLE ADS, CONVERSION MEASUREMENT AND GOOGLE & YOUTUBE
With your consent, we use Google Ads and the Google & YouTube integration to display advertisements, measure their success, and build target audiences.
The following procedures may be used in particular:
– Google Ads Conversion Tracking
– Remarketing
– Google Merchant Center
– Google Tag
– Enhanced conversions
– Customer Match, if activated
– YouTube advertising
Device, browser, usage, purchase, and interaction data, as well as pseudonymous identifiers, may be processed in particular. For enhanced conversions or Customer Match, contact information may be hashed before transmission. Hashed data also remains personal data.
Processing only takes place after consent on the basis of Section 25 para. 1 TDDDG and Art. 6 para. 1 lit. a GDPR.
18. META PIXEL AND CONVERSIONS API
With your consent, we use technologies from Meta Platforms Ireland Limited, in particular the Meta Pixel and, if applicable, the server-side Conversions API.
The following data may be processed in particular:
– IP address
– Browser and device information
– Visited pages
– Product views
– Shopping cart processes
– Checkout and purchase events
– Pseudonymous identifiers
– If applicable, hashed contact information
The processing serves to measure advertising campaigns, build target audiences, retargeting, and display interest-based advertising.
The legal bases are Section 25 para. 1 TDDDG and Art. 6 para. 1 lit. a GDPR.
Meta may also process data in the USA.
Further information:
https://www.facebook.com/privacy/policy/
19. TIKTOK AND PINTEREST
Insofar as corresponding marketing integrations are activated, TikTok or Pinterest technologies may be used after consent.
Providers may include in particular:
TikTok Technology Limited
Ireland
Pinterest Europe Ltd.
Ireland
Device, browser, usage, purchase, and interaction data, as well as pseudonymous identifiers, may be processed. The processing serves for success measurement, target audience formation, and personalized advertising.
The legal bases are Section 25 para. 1 TDDDG and Art. 6 para. 1 lit. a DSGVO.
20. REVIEWS VIA TRUSTPILOT AND TRUSTWILL
For the display, management, and collection of product and company reviews, we use Trustpilot and TrustWILL, formerly Trustoo.
The following data may be processed in particular:
– Name or publicly chosen display name
– Email address
– Order and product information
– Review content
– Star rating
– Uploaded images or videos
– Technical usage data
Reviews are only published if the user submits them personally. The published content is then visible to other visitors.
Invitations to submit a review are only sent by email if sufficient consent is available or the message is otherwise legally permissible.
The legal bases are Art. 6 para. 1 lit. a GDPR for review requests and Art. 6 para. 1 lit. f GDPR for the display of voluntarily published reviews and ensuring their authenticity.
Trustpilot is operated by Trustpilot A/S in Denmark. TrustWILL is provided by CWILL or Channelwill, according to the app's information.
21. SKINCARE CONSULTATION AND PRODUCT RECOMMENDATION QUIZ
To provide voluntary product recommendations, we may use Product Recommendation Quiz by RevenueHunt and Gojiberry Survey & Quiz.
The following data may be processed in particular:
– Answers regarding skin type, skincare goals, and product preferences
– Recommended products
– Technical usage data
– IP address and device information
– Email address, if voluntarily provided
– Quiz and interaction history
Participation is voluntary. The legal basis is Art. 6 para. 1 lit. a GDPR, insofar as consent is obtained, otherwise Art. 6 para. 1 lit. b GDPR, if an individual product recommendation is expressly requested.
The collection of medical diagnoses or specific illnesses is avoided as much as possible. If, in exceptional cases, answers contain health data within the meaning of Art. 9 GDPR, processing will only take place after explicit consent in accordance with Art. 9 para. 2 lit. a GDPR.
The recommendation is generated automatically based on the given answers. It has no legal effect and does not replace a medical diagnosis or treatment.
22. SURVEYS AND CUSTOMER FEEDBACK
For voluntary customer surveys and feedback, we may use Gojiberry Survey & Quiz.
Voluntarily provided answers and technical information regarding participation are processed. If a connection to an order is made, the order number, product information, and time of purchase may also be processed.
The legal basis is Art. 6 para. 1 lit. a GDPR. For purely anonymous surveys, no processing of personal data takes place.
23. AFFILIATE PROGRAM AND UPPROMOTE
For our affiliate and referral program, we use UpPromote by Secomapp.
The following data may be processed in particular:
– Affiliate and partner data
– Name and contact details
– Referral links and partner identifiers
– IP address and device information
– Click, cart, and purchase events
– Order value and commission amount
– Cookie or tracking identifiers
Affiliate cookies and comparable tracking technologies are only set with consent. The legal bases are § 25 para. 1 TDDDG and Art. 6 para. 1 lit. a GDPR.
Contract and billing data of registered affiliate partners are processed on the basis of Art. 6 para. 1 lit. b and lit. c GDPR.
UpPromote states that it also processes data on servers in the USA.
Further information:
https://docs.uppromote.com/privacy-policy/privacy-policy
24. FRAUD PREVENTION AND BLOCKY FRAUD BLOCKER
To protect our shop, our customers, and our payment processes, Shopify's own security and fraud analyses, as well as Blocky Fraud Blocker, may be used.
The following data may be processed in particular:
– IP address
– Browser and device information
– Location and country information
– VPN or proxy characteristics
– Email address and phone number
– Order and payment information
– Suspicious usage or order patterns
– Risk assessments
Processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR. Our legitimate interests consist of preventing fraud, misuse, bot access, payment defaults, and attacks on our shop.
Automatically generated risk warnings are generally reviewed before we make a final decision with significant implications. Affected parties can request a review of a blocked or rejected order by our customer service.
25. SHOP FUNCTIONS, BUNDLES AND PERSONALIZATION
For product display, bundles, search, translation, landing pages, and other shop functions, we use, among others:
– Shopify Bundles
– Kaching Bundles
– Shopify Search & Discovery
– Shopify Translate & Adapt
– Shopify Flow
– Shogun Landing Page Builder
– Section Store
– BOOSTER SEO
– Other theme and display functions
Insofar as these functions are technically necessary for an expressly requested shop function, access to end devices takes place on the basis of Section 25 para. 2 TDDDG. Subsequent data processing takes place on the basis of Art. 6 para. 1 lit. b or lit. f GDPR.
Insofar as individual services use additional analysis, marketing, or personalization technologies, these will only be activated after consent.
26. SOCIAL NETWORKS AND EXTERNAL LINKS
Our shop contains links to external profiles and offers, particularly on Facebook, Instagram, YouTube, TikTok, and Pinterest.
With simple links, no data is initially transmitted to the respective provider. Only when the link is clicked will the external platform be accessed.
Insofar as content from external platforms is embedded directly, its activation only takes place with consent, provided that non-essential cookies, pixels or comparable technologies are used.
27. THIRD COUNTRY TRANSFERS
Individual service providers may process personal data outside the European Economic Area, particularly in the USA, Canada or other third countries.
A transfer only takes place if the requirements of Art. 44 et seq. GDPR are met. Guarantees may include in particular:
– An adequacy decision by the European Commission
– The participation of a US provider in the EU-US Data Privacy Framework
– Standard contractual clauses of the European Commission
– Additional technical and organizational safeguards
The adequacy decision for participating US companies under the EU-US Data Privacy Framework only applies to providers whose active certification has been verified.
28. STORAGE DURATION
We store personal data only for as long as necessary for the respective purpose or as required by legal retention obligations.
In particular, the following criteria generally apply:
– Contract and order data are stored for the duration of contract processing and thereafter in accordance with statutory limitation periods and retention periods.
– Accounting records and invoices are generally retained for eight years.
– Annual financial statements, opening balances and certain other tax-relevant documents may be retained for ten years.
– Commercial and business letters are generally retained for six years.
– Contact data and correspondence are usually stored until the request is completed and then in accordance with possible limitation periods.
– Newsletter data is stored until consent is revoked. A minimal blocking information may then remain stored to prevent further mailings.
– Proof of consent is stored for as long as necessary to prove lawfulness.
– Customer accounts are stored until the account is deleted, unless there are legal obligations to the contrary.
– Data from quizzes, surveys or chats are deleted as soon as they are no longer needed for the respective purpose, unless a longer retention period has been agreed or is required by law.
After the respective periods have expired, data is deleted or anonymized.
29. NO SALE OF PERSONAL DATA
We do not sell personal data to advertisers or other companies.
30. RIGHTS OF DATA SUBJECTS
Data subjects have the following rights, in particular, in accordance with the legal requirements:
– Right to information pursuant to Art. 15 GDPR
– Right to rectification pursuant to Art. 16 GDPR
– Right to erasure pursuant to Art. 17 GDPR
– Right to restriction of processing pursuant to Art. 18 GDPR
– Right to data portability pursuant to Art. 20 GDPR
– Right to object pursuant to Art. 21 GDPR
– Right to withdraw consent pursuant to Art. 7 para. 3 GDPR
– Right to lodge a complaint with a data protection supervisory authority pursuant to Art. 77 GDPR
To exercise these rights, simply send a message to:
info@thesourcelab.de
31. WITHDRAWAL OF CONSENT
Granted consent can be withdrawn at any time with effect for the future. The lawfulness of the processing carried out before the withdrawal remains unaffected.
Cookie and tracking consents can be changed or revoked via the cookie settings in the footer. Newsletter consents can be revoked via the unsubscribe link in every promotional email.
32. RIGHT TO OBJECT
Insofar as we process personal data on the basis of Art. 6 para. 1 lit. f GDPR, there is the right to object to the processing at any time for reasons arising from the data subject's particular situation.
If personal data is processed for direct marketing purposes, the processing can be objected to at any time without giving reasons.
33. RIGHT TO COMPLAINT
Data subjects can lodge a complaint with a data protection supervisory authority.
Our competent authority is generally:
The State Commissioner for Data Protection of Lower Saxony
Prinzenstraße 5
30159 Hanover
Mailing address:
Postfach 221
30002 Hanover
Phone: 0511 120-4500
Email: poststelle@lfd.niedersachsen.de
https://www.lfd.niedersachsen.de/
34. DATA SECURITY
We use appropriate technical and organizational security measures to protect personal data against loss, manipulation, unauthorized access, and unauthorized disclosure.
These include, in particular, encrypted data transmissions via TLS, access restrictions, authorization concepts, data backups, and security controls.
35. CHANGES TO THIS PRIVACY POLICY
We may adapt this privacy policy if legal requirements, our data processing, or the services used change.
The version published on this website at the time of access applies.