Privacy policy

1. Data Protection at a Glance
General Information

The following notes provide a simple overview of what happens to your personal data when you visit this website. Personal data includes all data with which you can be personally identified. Detailed information on data protection can be found in our privacy policy listed below this text.

Data Collection on This Website
Who is responsible for data collection on this website?

Data processing on this website is carried out by the website operator. Their contact details can be found in the “Information Regarding the Responsible Party” section of this privacy policy.

How do we collect your data?

Your data is collected, firstly, when you provide it to us. This may include data you enter into a contact form.

Other data is collected automatically or after your consent when you visit the website through our IT systems. This primarily includes technical data (e.g., browser type, operating system, time of page access). This data is collected automatically as soon as you access this website.

What do we use your data for?

Part of the data is collected to ensure the error-free provision of the website. Other data may be used to analyze your user behavior. If contracts can be concluded or initiated via the website, the transmitted data is also processed for contract offers, orders, or other inquiries.

What rights do you have regarding your data?

You have the right at any time to receive information, free of charge, about the origin, recipient, and purpose of your stored personal data. You also have the right to request correction or deletion of this data. If you have given consent to data processing, you may withdraw this consent at any time for the future. Furthermore, you have the right to request restriction of the processing of your personal data under certain circumstances. You also have the right to lodge a complaint with the competent supervisory authority.

You may contact us at any time regarding this or any other data protection questions.

Analytics Tools and Third-Party Tools

When visiting this website, your browsing behavior may be statistically analyzed. This is done primarily with analytics programs.

Detailed information about these programs can be found in the following privacy policy.

2. Hosting

We host our website content with the following provider:

Shopify

The provider is Shopify International Limited, Victoria Buildings, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland (“Shopify”).

Shopify is a tool for creating and hosting websites. When you visit our website, Shopify collects your IP address as well as information about your device and browser. Shopify also analyzes visitor numbers, visitor sources, customer behavior, and creates user statistics. When you make a purchase on our website, Shopify additionally collects your name, email address, shipping and billing addresses, payment data, and other information related to the purchase (e.g., phone number, transaction amounts, etc.). For analytics, Shopify stores cookies in your browser.

Details can be found in Shopify’s privacy policy: https://www.shopify.de/legal/datenschutz

.

The use of Shopify is based on Art. 6(1)(f) GDPR. We have a legitimate interest in a reliable presentation of our website. If consent has been requested, processing is carried out exclusively based on Art. 6(1)(a) GDPR and § 25(1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user’s device (e.g., device fingerprinting). Consent may be withdrawn at any time.

Data Processing Agreement

We have concluded a Data Processing Agreement (DPA) with the above-mentioned provider. This is required by data protection law and ensures that personal data of our website visitors is processed only according to our instructions and in compliance with the GDPR.

3. General Notes and Mandatory Information
Data Protection

The operators of this website take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations as well as this privacy policy.

When you use this website, various personal data is collected. Personal data is any data with which you can be personally identified. This privacy policy explains which data we collect and how and for what purpose we use it.

We point out that data transmission over the internet (e.g., email communication) can have security gaps. Complete protection of data from third-party access is not possible.

Information Regarding the Responsible Party

The responsible party for data processing on this website is:

Kremke Handelsgesellschaft mbH
Am Kanal 4
D-19372 Garwitz

Phone: +49 (0) 38722/227 25
Email: info@soul-wool.com

The responsible party is the natural or legal person who determines, alone or jointly with others, the purposes and means of processing personal data (e.g., names, email addresses, etc.).

Storage Period

Unless a more specific storage period has been stated in this privacy policy, your personal data will remain with us until the purpose for processing no longer applies. If you request deletion or withdraw consent, your data will be deleted unless there are other legally permissible reasons for storage (e.g., tax or commercial retention periods). In the latter case, deletion occurs after these reasons no longer apply.

General Information on the Legal Basis of Data Processing

If you have consented to data processing, we process your personal data based on Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR if special categories of data under Art. 9(1) GDPR are processed. If explicit consent for data transfer to third countries has been given, processing additionally occurs based on Art. 49(1)(a) GDPR.
If you consent to the storage of cookies or access to device information (e.g., device fingerprinting), processing also occurs based on § 25(1) TDDDG. Consent may be withdrawn at any time.

If your data is required for contract fulfillment or pre-contractual measures, we process it based on Art. 6(1)(b) GDPR.
We also process your data if required to fulfill a legal obligation based on Art. 6(1)(c) GDPR.
Processing may additionally occur based on our legitimate interest under Art. 6(1)(f) GDPR.
The applicable legal basis in each case is explained in the relevant sections below.

Data Protection Officer

We have appointed a data protection officer:

Birthe Ziegler
Am Kanal 4
19372 Garwitz

Phone: +49 (0) 38722/227 25
Email: order@soul-wool.com

Notice on Data Transfer to Non-Secure Third Countries and to US-Based Providers Without DPF Certification

We use tools from companies located in third countries that are not considered secure from a data protection perspective, as well as US tools whose providers are not certified under the EU-US Data Privacy Framework (DPF). When these tools are active, your personal data may be transferred to and processed in these countries.
We point out that a level of data protection comparable to the EU cannot be guaranteed in such countries.

We also point out that the USA, as a secure third country, generally provides a level of data protection comparable to the EU. Data transfer to the USA is permitted if the recipient is certified under the DPF or has appropriate safeguards in place. Information on third-country transfers, including recipients, can be found in this privacy policy.

Recipients of Personal Data

We work with various external parties as part of our business activities. Personal data is transferred to external parties only if necessary for contract fulfillment, if required by law (e.g., tax authorities), if we have a legitimate interest under Art. 6(1)(f) GDPR, or if another legal basis permits it.
When using processors, we transfer personal data only based on a valid Data Processing Agreement.
For joint processing activities, a Joint Processing Agreement is concluded.

Withdrawal of Your Consent

Many data processing operations are only possible with your express consent. You may withdraw consent at any time. The legality of processing prior to withdrawal remains unaffected.

Right to Object to Data Processing (Art. 21 GDPR)

If data processing is based on Art. 6(1)(e) or (f) GDPR, you have the right, at any time and for reasons arising from your particular situation, to object to processing of your personal data; this also applies to profiling based on these provisions.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or processing serves to assert, exercise, or defend legal claims (objection pursuant to Art. 21(1) GDPR).

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such purposes; this also applies to profiling related to direct marketing. If you object, your personal data will no longer be used for direct marketing (objection under Art. 21(2) GDPR).

Right to Lodge a Complaint

In case of GDPR violations, data subjects have the right to lodge a complaint with a supervisory authority, particularly in the member state of their habitual residence, workplace, or the place of the alleged infringement. This right exists without prejudice to other administrative or judicial remedies.

Right to Data Portability

You have the right to receive data processed automatically based on your consent or in fulfillment of a contract in a structured, machine-readable format. If you request direct transfer to another controller, this will only occur if technically feasible.

Right to Access, Correction, and Deletion

Within the framework of legal requirements, you have the right at any time to free access to your stored personal data, its origin, recipients, and purpose of processing, as well as, if applicable, the right to correction or deletion. You can contact us at any time about this or any other questions concerning personal data.

Right to Restriction of Processing

You have the right to request restriction of processing of your personal data. You may contact us at any time for this. The right to restriction exists in the following cases:

  • If you dispute the accuracy of your personal data, we usually need time to verify this. For the duration of the verification, you have the right to restrict processing.

  • If processing is unlawful, you may request restriction instead of deletion.

  • If we no longer need your personal data, but you need it for legal claims, you may request restriction instead of deletion.

  • If you have objected pursuant to Art. 21(1) GDPR, an assessment of interests must take place. As long as it is not determined whose interests prevail, you have the right to restrict processing.

If your data processing is restricted, it may only be processed — apart from storage — with your consent, for legal claims, to protect the rights of others, or for important public interests of the EU or a Member State.

SSL/TLS Encryption

For security reasons and to protect the transmission of confidential details (such as orders or inquiries you send to us as the website operator), this site uses SSL or TLS encryption. You can recognize encrypted connections by the change in the browser address bar from “http://” to “https://” and the lock symbol in your browser.

When SSL/TLS encryption is active, data you transmit to us cannot be read by third parties.

Encrypted Payment Transactions

If, after concluding a paid contract, there is an obligation to provide us with your payment data (e.g., account number for direct debit), this data is required for payment processing.

Payment transactions via common payment methods (Visa/MasterCard, direct debit) take place exclusively through an encrypted SSL/TLS connection. You can recognize an encrypted connection by the “https://” and the lock icon in your browser's address bar.

With encrypted communication, your payment data cannot be intercepted by third parties.

Objection to Advertising Emails

We hereby object to the use of contact data published within the legal notice obligation for sending unsolicited advertising or informational materials. The operators of these pages expressly reserve the right to take legal action in the event of unsolicited advertising, including spam emails.

4. Data Collection on This Website

Cookies

Our web pages use so-called “cookies.” Cookies are small data packets and do not cause any harm to your device. They are stored either temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your device. Session cookies are automatically deleted after the end of your visit. Permanent cookies remain stored on your device until you delete them yourself or an automatic deletion is carried out by your web browser.

Cookies may originate from us (first-party cookies) or from third-party companies (so-called third-party cookies). Third-party cookies enable the integration of certain services from third-party companies within websites (e.g. cookies for processing payment services).

Cookies have various functions. Numerous cookies are technically necessary, as certain website functions would not work without them (e.g. the shopping cart function or the display of videos). Other cookies may be used to analyze user behavior or for advertising purposes.

Cookies that are required to carry out the electronic communication process, to provide certain functions you request (e.g. for the shopping cart function), or to optimize the website (e.g. cookies for measuring web audience) (necessary cookies), are stored on the basis of Art. 6(1)(f) GDPR, unless another legal basis is specified. The website operator has a legitimate interest in the storage of necessary cookies for the technically error-free and optimized provision of its services.

If consent to the storage of cookies and comparable recognition technologies has been requested, processing is carried out exclusively on the basis of this consent (Art. 6(1)(a) GDPR and § 25(1) TDDDG); consent can be revoked at any time.

You can configure your browser so that you are informed about the setting of cookies and allow cookies only in individual cases, exclude the acceptance of cookies for certain cases or generally, as well as activate automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be limited.

Which cookies and services are used on this website can be found in this privacy policy.

Display Cookie List

Use of the Consent Management Tool “Consentmo”

We use the Consentmo GDPR Compliance App tool provided by iSenseLabs, address: Professor Georgie Bradistilov Street 4, Sofia, Bulgaria, EU Registration Number: 112660079, email: support@consentmo.com

.

This tool enables our website visitors to give their consent to the processing of personal data — particularly to the storage of cookies — and to revoke such consent at any time. The main purpose of the processing is to obtain and document the legally required consents for data processing operations in order to ensure compliance with the GDPR.

In the course of using Consentmo, the following data may be collected and transmitted to Consentmo: date and time of page access, information about the browser and device used, an anonymized IP address, as well as logs of granted or withdrawn consents. This information is not passed on to third parties.

Processing of this data is carried out on the basis of Art. 6(1)(c) GDPR (legal obligation).

Further information about data protection at Consentmo can be found at https://consentmo.com

and in the provider’s privacy policy.

Data Processing Agreement

We have concluded a Data Processing Agreement (DPA) for the use of the aforementioned service. This is a contract required by data protection law, which ensures that this provider processes the personal data of our website visitors only according to our instructions and in compliance with the GDPR.

Server Log Files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

  • Browser type and browser version

  • Operating system used

  • Referrer URL

  • Hostname of the accessing computer

  • Time of the server request

  • IP address

These data are not merged with other data sources.

Collection of these data is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website — for this purpose, the server log files must be collected.

Contact Form

If you send us inquiries via the contact form, your information from the inquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the inquiry and in case of follow-up questions. We do not pass on this data without your consent.

Processing of this data is based on Art. 6(1)(b) GDPR, provided your inquiry is related to the fulfillment of a contract or is necessary for pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective handling of inquiries addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR), if requested; consent can be revoked at any time.

The data you enter in the contact form remain with us until you request deletion, revoke your consent to storage, or the purpose for data storage no longer applies (e.g. after your inquiry has been completely processed). Mandatory statutory provisions — in particular retention periods — remain unaffected.

Inquiry by Email, Telephone, or Fax

If you contact us by email, telephone, or fax, your inquiry including all personal data resulting from it (name, inquiry) will be stored and processed by us for the purpose of handling your matter. We do not pass on this data without your consent.

Processing is based on Art. 6(1)(b) GDPR if your inquiry is related to the fulfillment of a contract or necessary for pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective handling of inquiries addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR), if this was requested; consent can be revoked at any time.

The data you send us via contact inquiries remain with us until you request deletion, revoke your consent to storage, or the purpose for data storage no longer applies (e.g. after your matter has been fully processed). Mandatory statutory provisions — in particular statutory retention periods — remain unaffected.

Registration on This Website

You may register on this website to use additional functions on the site. The data entered for this purpose will be used only for the purpose of using the respective offer or service for which you have registered.

The mandatory information requested during registration must be provided in full; otherwise, we will reject registration.

We use the email address provided during registration to inform you of important changes such as changes in the scope of the offer or technically necessary changes.

Processing of the data entered during registration is carried out for the purpose of performing the usage relationship established by registration and, if applicable, for initiating further contracts (Art. 6(1)(b) GDPR).

The data collected during registration will be stored by us as long as you are registered on this website and will then be deleted. Legal retention periods remain unaffected.

Comment Function on This Website

For the comment function on this site, information such as your comment, the time of comment creation, your email address, and your chosen username (if you are not posting anonymously) are stored.

Storage period for comments

The comments and associated data are stored and remain on this website until the commented content is completely deleted or the comments must be deleted for legal reasons (e.g. offensive comments).

Legal basis

Storage of the comments takes place on the basis of your consent (Art. 6(1)(a) GDPR). You may revoke consent at any time. A simple email to us is sufficient. The legality of the data processing operations already carried out remains unaffected by the revocation.

5. Social Media

Facebook

Elements of the social network Facebook are integrated on this website. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. According to Facebook, the collected data is also transferred to the USA and other third countries.

A list of Facebook Social Media elements can be found here: https://developers.facebook.com/docs/plugins/?locale=de_DE


When the social media element is active, a direct connection is established between your device and the Facebook server. Facebook thereby receives the information that you have visited this website with your IP address. If you click the Facebook “Like” button while logged into your Facebook account, you can link the content of this website to your Facebook profile. This allows Facebook to assign your visit to this website to your user account.

We point out that, as the provider of the pages, we have no knowledge of the content of the transmitted data or their use by Facebook. Further information can be found in Facebook’s privacy policy: https://de-de.facebook.com/privacy/explanation


Use of this service is based on your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. Consent can be revoked at any time.

Where personal data is collected on our website using the tool described here and forwarded to Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, are jointly responsible for this data processing (Art. 26 GDPR). Joint responsibility is limited exclusively to the collection of the data and its transmission to Facebook. The processing after transmission by Facebook is not part of the joint responsibility.

The jointly incumbent obligations have been set out in an agreement on joint processing. The wording of this agreement can be found here: https://www.facebook.com/legal/controller_addendum


According to this agreement, we are responsible for providing data protection information when using the Facebook tool and for the secure implementation of the tool on our website. Facebook is responsible for data security of Facebook products.

Data subject rights (e.g. access requests) regarding data processed by Facebook can be asserted directly with Facebook. If you assert data subject rights with us, we are obliged to forward them to Facebook.

Transfer of data to the USA is based on the EU Commission’s Standard Contractual Clauses. Details can be found at:
https://www.facebook.com/legal/EU_data_transfer_addendum


https://de-de.facebook.com/help/566994660333381
https://www.facebook.com/policy.php

The company holds certification under the “EU-US Data Privacy Framework” (DPF).
The DPF is an agreement between the European Union and the USA intended to ensure compliance with European data protection standards for data processing in the USA. Any company certified under the DPF undertakes to comply with these data protection standards. Further information is available at:
https://www.dataprivacyframework.gov/participant/4452

Pinterest
On this website, we use elements of the social network Pinterest, operated by Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland. When you visit a page containing such an element, your browser establishes a direct connection to Pinterest’s servers. This social media element transmits log data to Pinterest’s servers in the USA. These log data may include your IP address, the addresses of the websites you visit that also contain Pinterest features, your browser type and settings, the date and time of your request, how you use Pinterest, and cookies. Use of this service is based on your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. Consent can be revoked at any time. Further information on the purpose, scope, and further processing and use of data by Pinterest, as well as your rights and privacy protection options, can be found in Pinterest’s privacy policy: https://policy.pinterest.com/de/privacy-policy

6. Analytics Tools and Advertising

Google Tag Manager
We use Google Tag Manager. Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is a tool that allows us to integrate tracking or analytics tools and other technologies on our website. Google Tag Manager itself does not create user profiles, store cookies, or perform independent analyses. It only manages and deploys the tools integrated through it. However, it records your IP address, which may also be transmitted to Google’s parent company in the USA. Use of Google Tag Manager is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in quick and simple integration and management of various tools. If consent has been obtained, processing occurs solely on the basis of Art. 6(1)(a) GDPR and § 25(1) TDDDG, provided the consent includes cookie storage or access to information on the user’s device (e.g., device fingerprinting). Consent can be revoked at any time. The company is certified under the “EU-US Data Privacy Framework” (DPF), which ensures compliance with EU data protection standards in the USA. More information: https://www.dataprivacyframework.gov/participant/5780

Google Analytics
This website uses functions of the web analytics service Google Analytics. Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics allows the website operator to analyze visitor behavior. The operator receives usage data, such as page views, duration of visits, operating systems used, and user origin. These data are combined in a user ID and assigned to the respective device. Additionally, Google Analytics can track mouse and scroll movements and clicks. Google Analytics uses modeling approaches to supplement datasets and applies machine learning for data analysis. Technologies enabling user recognition for behavior analysis (e.g., cookies, device fingerprinting) are used. Data are usually transmitted to and stored on Google servers in the USA. Use is based on your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG, revocable at any time. Data transfer to the USA relies on the EU Commission’s Standard Contractual Clauses: https://business.safety.google/adscontrollerterms/sccs/

The company is certified under the EU-US Data Privacy Framework (DPF): https://www.dataprivacyframework.gov/participant/5780

IP Anonymization
Google Analytics IP anonymization is enabled, shortening your IP address within the EU or EEA before transfer to the USA. Only in exceptional cases is the full IP transmitted. Google uses this information on behalf of the website operator to evaluate usage, generate reports, and provide services related to website and internet usage. The IP is not merged with other Google data.

Browser Plugin
You can prevent data collection by Google via this plugin: https://tools.google.com/dlpage/gaoptout?hl=de

More info: https://support.google.com/analytics/answer/6004245?hl=de

Google Signals
We use Google Signals. When visiting our site, Google Analytics may capture location, search, and YouTube history, as well as demographic data. These can be used for personalized advertising. Linked to a Google account, visitor data are associated with it for personalized ads. Data are also used for anonymized user behavior statistics.

Processing Agreement
We have a data processing agreement with Google and fully comply with German data protection regulations for Google Analytics.

Google Analytics E-Commerce Tracking
This tracks purchase behavior for marketing improvement, including order info, average order value, shipping costs, and product views. Data may be combined under a transaction ID per user/device.

Google Ads, AdSense, Remarketing, Conversion Tracking
We use these services for advertising, personalization, and conversion measurement. They may collect user data (e.g., location, device info, interests) and may transmit data to the USA based on EU Standard Contractual Clauses and the EU-US Data Privacy Framework. Consent is required under Art. 6(1)(a) GDPR.

Klaviyo
We use Klaviyo, a marketing automation tool for email, SMS, push notifications, and customer reviews. Data include name, email, phone, address, IP, device info, and usage data. Consent under Art. 6(1)(a) GDPR is required and revocable. More: https://www.klaviyo.com/legal/privacy

Meta Pixel
We use Meta (Facebook/Instagram) Pixel for conversion measurement. Data may be transferred to the USA and used by Meta for advertising. We and Meta are joint controllers for data collection and transfer only. Consent under Art. 6(1)(a) GDPR applies. Details: https://www.facebook.com/legal/controller_addendum

Pinterest Tag
We use Pinterest Tag to track actions on our website and show relevant advertising. Data may include tag ID, location, referrer URL, and purchase info. Consent under Art. 6(1)(a) GDPR is required; without it, use is based on Art. 6(1)(f) GDPR. Details: https://help.pinterest.com/de/business/article/track-conversions-with-pinterest-tag

7. Newsletter

Newsletter Data
To subscribe, we need your email and confirmation that you are the owner and agree to receive the newsletter. We use newsletter service providers:

Rapidmail
Provider: Rapidmail GmbH, Germany. Data stored on German servers. Tracking pixel may measure opens and clicks. Consent under Art. 6(1)(a) GDPR required and revocable. More: https://de.rapidmail.wiki/kategorien/statistiken/

8. Plugins and Tools

YouTube
Embedded videos from YouTube (Google Ireland Limited). Cookies/device fingerprinting may be used. Logged-in users may have behavior linked to their profile. Consent required under Art. 6(1)(a) GDPR. More: https://policies.google.com/privacy?hl=de

OpenStreetMap
We use OpenStreetMap (OSM) maps served from the UK (considered a safe third country). IP and behavior may be transmitted. Consent may be required.

Google reCAPTCHA
Used to distinguish humans from bots. Analyzes behavior and sends data to Google. Consent under Art. 6(1)(a) GDPR or legitimate interest under Art. 6(1)(f) GDPR.

9. eCommerce and Payment Providers

Customer and Contract Data
We process data to establish and fulfill contracts. Basis: Art. 6(1)(b) GDPR. Data are deleted after order completion and legal retention periods.

Data Transfer for Online Shops
We share data with delivery companies and payment providers only as necessary. Basis: Art. 6(1)(b) GDPR.

Dropshipping
Orders may be shipped directly by our merchants. Data shared: name, address, phone. Purpose: delivery. Basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR. Example: plus H GmbH & Co. KG, Germany.

Payment Services
We integrate third-party payment providers:

PayPal – Data transfer to the USA via Standard Contractual Clauses. Privacy: https://www.paypal.com/de/webapps/mpp/ua/privacy-fu