Furthermore, if you order our products through a third-party website (e.g., Amazon) such third parties may process your personal data for their own purposes and act as the data controller. For further information regarding their data processing operations please see their applicable privacy policies.
What personal data do we process, for what purposes and based on which lawful bases?
Provision of services
It is necessary for Health Metric to process your contact information including name, phone number, email address and delivery address data, as well as your payment and order information (e.g., payment method, product information, order date and shipping method) in order to:
- Execute the purchase agreements including dispatch, delivery and payment processing;
- Respond to inquiries, manage your account and provide other customer service;
- Manage claims and process returns, complaints and warranty claims;
- Provide non-promotional service communications to you relating to e.g., technical, security-related topics and contractual matters (e.g., fraud warnings, account blocking or contractual changes);
- Provide further services requested by you.
Furthermore, we may process your social security number or birth date for credit check purposes, if required. The lawful basis for processing this data for the listed purposes is our contract as per Art. 6(1)(b) GDPR in the form of our Terms of Service.
- sending newsletters, reminders, product updates, recommendations, promotional offers and other promotional communications to your email address;
- communicating promotional messages to you via text messages and WhatsApp or Facebook Messenger applications;
- targeting promotional content to you and to third parties on social media platforms including Facebook, Instagram and TikTok;
- sending push notifications, including marketing communications, to you.
The applicable lawful basis for marketing communications and social media targeting is either consent (Art. 6(1)(a) GDPR) or legitimate interests of Health Metric to provide direct marketing (Art. 6(1)(f) GDPR). The applicable lawful basis depends on whether you are an existing client or a new client, on the approach we have chosen as well as on the content of the promotions. Kindly observe that push notifications require your consent which is also the lawful basis for processing any personal data collected to provide such notifications.
When you first sign up for the services, Health Metric wishes to process your data for marketing communications and social media targeting operations in order to provide you information relating to similar products or services in which you have shown interest. Health Metric gives you the option to object to our use of your personal data for marketing operations, upon sign up or at any time thereafter through the unsubscribe links or by changing the marketing settings in your profile. In the event we instead ask for you to opt-in to our marketing operations or you do so later in your profile or through functions of our website (e.g., to receive a notification once an out-of-stock product is back), the lawful basis for processing is your consent.
In order to enhance your experience, provide you with tailored communications and promotions as well as to enable you to collect loyalty points and receive personalized discounts, we collect certain information to assign you to a customer segment and create a client profile for you. In addition to the personal data defined above, including your name and address information, the assigned segment and created profile are based on:
- your purchase history;
- your device and network information;
- your actions on our website and on third-party websites, provided you have accepted cookies;
- your interaction with our communications, including social media pages via pixels and personalized URLs;
- your birthday if you have provided it.
The lawful basis for creating these segments and profiles as well as using them to personalize the services and marketing communications is our legitimate interests to carry out personalized marketing and your legitimate interests to receive personalized discounts and recommendations based on your interests in accordance with Art. 6(1)(f) GDPR.
We may operate a blog on our website. This enables you to interact with our blog and other readers by submitting your comments as well as by subscribing to notifications when new comments or blog articles are posted. If you choose to leave a comment the personal data processed is your name or your chosen username (pseudonym) that is publicly available on the website as well as your email address and IP address which are processed in a non-public manner. The lawful basis for processing such data is our legitimate interests in accordance with Art. 6(1)(f) GDPR to enable you to interact with our bloggers and other commentators and your legitimate interests to do so. Where you decide to subscribe to comment notifications the lawful basis is consent as per Art. 6(1)(a) GDPR.
We hope you are happy with our products and welcome your feedback and suggestions for improvements or new products. For this purpose, we may operate a client community on Facebook. We process group insights metrics about the group, including member activity and engagement within the group in order to e.g., understand how you engage within the group, see who the most active group members are and to learn which posts have the most engagement. The lawful basis for processing such group information is our legitimate interests in accordance with Art. 6(1)(f) GDPR to interact with our clients in order to create better products and your legitimate interests to engage with us and provide feedback.
We have created a referral program where you recommend us and our products to your friends. To do so you can either share your personal code with your friends or submit your friends’ contact details, and they will be notified through the given channel (e.g., via email). The lawful basis for such processing is our legitimate interests to get in touch with potential new clients, your legitimate interests to send your friend recommendations and your friends’ legitimate interests to receive recommendations that might interest them. We will inform your friend of your referral and provide adequate information about our privacy practices in the first communication. In the event your friend does not become a client, we will not store their contact details. If you choose to share your code and your friend uses it or if you are the friend using the code, we will maintain this information in your customer profile to provide you with the discounts or other benefits related to the use of the code.
We may also use the categories of personal data mentioned above as well as further data, that can be defined as personal data, collected by our essential cookies or otherwise for the following purposes:
- maintenance of security of our website and services, including preventing data breaches;
- fraud prevention;
- research and development of our website and services, provided that the data is in summarized, pseudonymized or anonymized form;
- compliance with laws or court orders (e.g., to carry out applicable anti-money laundering or know your customer checks);
- establishment, exercise or defense of legal claims.
For these operations we rely on our legitimate interests to detect and prevent fraud, to maintain the security of our services and to improve them, as well as to pursue or defend legal claims in accordance with Art. 6(1)(f) GDPR. Where we need to process your personal data in order to comply with legal obligations (e.g., applicable laws and regulations or court orders), the applicable lawful basis for processing is legal obligation as per Art. 6(1)(c) GDPR.
From where do we get your personal data and with whom do we share it?
In general, we process personal data that is directly provided by you to us or that is derived from your use of our services. Our business operations also require us to engage service providers who assist us in providing our services and products to you, and who may, subject to appropriate agreements and security measures, disclose your personal data to us or with whom we may share your personal data. Such service providers may include:
- e-commerce platforms;
- payment service providers;
- credit check agencies;
- customer service and relationship management platforms;
- customer support services (e.g., chat providers);
- marketing platforms and services, including social media platforms and conversion tracking services;
- delivery companies;
- collection service providers;
- loyalty, reward and referral program providers;
- companies belonging to the same group as us;
- third parties upon a business transaction (e.g., a merger or an acquisition or a liquidation).
Furthermore, in the event we are obliged by law or by court decision to disclose your personal data or where we need to do so to establish, exercise or defend legal claims, we may forward your data to prosecution authorities or other relevant third parties.
Do third parties act as joint controllers?
Where is your personal data processed?
Health Metric is a European company located in Germany. However, we may transfer your personal data to other countries within the EU/EEA as well as to third countries. Where personal data is transferred to third countries that are not covered by a relevant adequacy decision, we ensure that a relevant transfer mechanism (e.g., Standard Contractual Clauses) and any required additional technical and organizational security measures are in place.
How is your personal data protected?
Health Metric has in place comprehensive technical and organizational security measures to ensure your personal data is secured. These are reviewed and updated on a regular basis to ensure they comply with the state of the art.
We also review our vendors and sign appropriate agreements with them to ensure that they comply with our defined security measures.
When will we delete your data?
Your personal data is only stored for as long as it is necessary for the purposes defined in this policy. Kindly observe, we disable your account and delete the relevant data after three (3) years from the end of the year when you made your last purchase. We inform you prior to doing so. We may still retain certain personal data to comply with our legal obligations e.g., to provide product warranty or to store financial documentation.
What are your rights in relation to our data processing operations and how to contact us?
- right to access your data;
- right to rectify your incorrect or incomplete data;
- right to be forgotten (data deletion/anonymization);
- right to restrict processing;
- right to data portability;
- right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you; and
- right to lodge a complaint with a supervisory authority.
Furthermore, in the event we process your personal data relying on legitimate interests, you have the right to object to this processing with effect for the future. If you exercise your right to object, we will stop the processing of the relevant data. However, further processing may occur provided that we can prove comprehensive reasons for processing that override your interests, fundamental rights and fundamental freedoms, or if the processing is for the certification, exercise or defense of legal claims. If we process your personal data for direct advertising purposes, you have the right to object at any time to such processing and we will stop processing your personal data for direct marketing purposes.
Kindly observe that we do not sell your personal data. However, in the event of a business transaction your personal data may be transferred to a new controller entity.
In order to exercise your rights, please send us an email to email@example.com. Please note that the group has appointed a Data Protection Officer (DPO) who monitors our privacy compliance officers and can answer any further questions you may have regarding our data processing operations.
You can also reach us via post:
SellerX Five GmbH
Attn: Data Protection Officer
c/o MXP Prime Platform GmbH
Jägerstraße 41, 10117 Berlin
Kindly note that as an e-commerce operator we process your data in electronic form and therefore, upon a request to access your personal data, we provide such data in a commonly used machine-readable format (e.g., PDF).
Who is our group data protection officer?
c/o KREMER RECHTSANWÄLTE