Data protection

1. Controller

Mittelweser Heilquellen GmbH
Auf dem Kampe 3a
31582 Nienburg/Weser
Phone: 05021 / 60390
Email: info@thesourcelab.de

2. Hosting and Shop Platform

Our online shop is provided via Shopify. According to Shopify, personal data of individuals in the European Economic Area, the United Kingdom, and Switzerland is generally processed initially by Shopify International Ltd. In the context of service provision, data may also be transmitted to other Shopify companies and service providers in third countries, especially Canada and the USA.

Further information can be found at:
https://www.shopify.com/legal/privacy

3. Processed Data

When you visit our website, place an order, or contact us, we process the following personal data in particular:

  • First and last name

  • Billing and shipping address

  • Email address

  • Phone number, if provided

  • Order and payment data

  • Information about purchased products, quantities, and prices

  • Technical usage data such as IP address, browser information, device information, and access times

This data is processed to provide our online shop, process orders, handle payments, answer inquiries, and ensure the security of our services.

4. Purposes of Processing

Processing is carried out in particular for the following purposes:

  • Provision and operation of our online shop

  • Contract execution and order processing

  • Shipping and returns processing

  • Customer service and communication

  • Payment processing

  • Analysis, marketing, and retargeting, provided that corresponding consent has been given

  • IT security and fraud prevention

5. Tools and Services Used

a) Consent Management / Cookie Consents
To obtain and manage consents for cookies and tracking technologies, we use Cookiebot from Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark.

Further information:
https://www.cookiebot.com/de/privacy-policy/

b) Web Analytics
If you have given your consent, we use Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Further information:
https://policies.google.com/privacy

c) Marketing and Retargeting
If you have given your consent, we use Meta technologies such as the Meta Pixel to analyze the use of our website, measure the effectiveness of our advertising, and display interest-based advertising.

Further information:
https://www.facebook.com/privacy/policy

d) Payment Service Providers
For payment processing, we transmit the data necessary for payment to the payment service providers offered at checkout. This may particularly concern providers such as PayPal, Klarna, Shopify Payments, Apple Pay, Google Pay, or Shop Pay, if these are offered in the order process.

e) Shipping and Logistics
For shipping and, if necessary, for tracking or processing returns, we pass on personal data to the shipping and logistics service providers used, in particular in connection with Post & DHL Shipping and other shipping and fulfillment services used by us.

f) Review and Trust Services
If integrated on our website or used in the order process, review and trust services such as Trustpilot Reviews and TrustWILL (Trustoo) may process personal data, particularly for displaying, collecting, or managing reviews.

g) Email and Communication Services
If you contact us, use forms, or receive emails from us, services such as Seguno Email, FlowMail, Forms, Messaging, or Shopify Inbox may be used for this purpose.

h) Affiliate Programs and Partnerships
If used, we process personal data via UpPromote Affiliate within the framework of affiliate programs, for example, for assigning recommendations, purchases, and commissions.

i) Surveys, Quizzes, and Fraud Prevention
If used, services such as Gojiberry Survey & Quiz may be employed to collect voluntary information. To detect and prevent abusive orders or access, fraud prevention services, such as Blocky Fraud Blocker, may also be used.

j) Sales and Integration Channels
If orders, product data, or customer data are processed via other sales channels or interfaces, this may particularly concern Facebook & Instagram, Google & YouTube, TikTok, Pinterest, Shop, Point of Sale, Cymbio, Billbee, or CS Amazon Sync.

6. Legal Basis

The processing of personal data is based in particular on:

  • Art. 6 para. 1 lit. b GDPR for the implementation of pre-contractual measures and for contract fulfillment

  • Art. 6 para. 1 lit. c GDPR for the fulfillment of legal obligations

  • Art. 6 para. 1 lit. a GDPR for consent-based processing, especially for analysis and marketing cookies

  • Art. 6 para. 1 lit. f GDPR based on our legitimate interests, in particular in the technical provision, security, optimization, and economic management of our offering

7. Storage Period

We store personal data only as long as necessary for the respective purposes or as required by legal retention obligations. Commercial and tax law retention obligations may lead to storage for up to ten years.

8. Your Rights

You have the following rights under the GDPR, in particular:

  • Right to information

  • Right to rectification

  • Right to erasure

  • Right to restriction of processing

  • Right to data portability

  • Right to object

  • Right to withdraw granted consents with effect for the future

  • Right to lodge a complaint with a data protection supervisory authority

The competent supervisory authority may in particular be the State Commissioner for Data Protection of Lower Saxony.

9. Data Security

We implement appropriate technical and organizational security measures to protect personal data from loss, manipulation, unauthorized access, or unauthorized disclosure. This includes, in particular, encrypted transmissions via TLS/SSL and internal access restrictions.

10. Changes to This Privacy Policy

We reserve the right to adapt this privacy policy if this becomes necessary due to technical changes, new services, or changed legal requirements.