Data Privacy Policy

Privacy policy

Thank you for your interest in how we process your data. The protection of your privacy is very important to us. Below you will find detailed information on how we handle your data.

1. in general

The controller within the meaning of data protection law is

Zippo GmbH
Groendahlscher Weg 87
46446 Emmerich on the Rhine
E-mail: shop.de@zippo.com
Telephone: 028227134100

Data protection officer:

Trusted Shops SE
Subbelrather Str. 15c
50823 Cologne
Cologne, Germany
E-mail: dsgvo@trustedshops.de

This privacy policy applies to the processing of personal data of visitors to our website, business partners, applicants and newsletter subscribers.

As part of the above-mentioned activities, we make use of various Group companies that support us in these activities, in particular Zippo Manufacturing Company, 33 Barbour Street, Bradford, Pennsylvania 16701, United States (“Zippo US”) and Zippo UK Limited, 5 Squire Patton Boggs (Uk) Llp (Ref: Csu) Rutland House, 148 Edmund Street, Birmingham, England, B3 2JR (“Zippo UK”). In principle, we only use our Group companies as processors. However, Zippo US and Zippo UK will act as joint controllers with us in accordance with Art. 26 para. 1 sentence 1 GDPR for some processing activities as described below. In these cases, we are available to you as a contact person.

2. information for visitors to our website

You can visit our website without providing any personal data. Each time a website is accessed, the web server only automatically saves a so-called server log file, which contains, for example, the name of the requested file, your IP address, the date and time of access, the amount of data transferred and the requesting provider (access data) and documents the access. This access data is analyzed exclusively for the purpose of ensuring trouble-free operation of the site and improving our offer. This serves to safeguard our legitimate interests, which predominate in the context of a balancing of interests, in a correct presentation of our offer in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. All access data will be deleted no later than seven days after the end of your visit to the site.

2.1 Hosting

We use the Shopifiy plus service from Shopify Inc, 151 O'Connor Street Ground Floor Ottawa, Ontario K2P2L8, Canada (“Shopify”) to host our website.

Shopifiy acts as a processor in this respect. Unless otherwise stated in this privacy policy, all access data and all data collected in the forms provided on this website will be processed on its servers. If you have any questions about Shopify and the basis of our cooperation with them, please use the contact details described in this privacy policy.

Shopify uses servers in Canada, for which the European Commission has determined an adequate level of data protection by decision.

2.2 Cookies and other technologies

  • General information

In order to make visiting our website attractive and to enable the use of certain functions, we use various technologies including so-called cookies. Cookies are small text files that are automatically stored on your end device. Some of the cookies we use are deleted again at the end of the browser session, i.e. after you close your browser (so-called “session cookies”). Other cookies remain on your end device and enable us to recognize your browser on your next visit (“persistent cookies”).

When using our online offer, we use absolutely necessary technologies in order to be able to provide the expressly requested telemedia service. We also use technologies that are absolutely necessary for the use of certain functions of our website (e.g. shopping cart function). These technologies are used to collect and process the IP address, time of visit, device and browser information as well as information about your use of our website (e.g. information about the contents of the shopping cart).

The storage of information on your end device or access to information that is already stored on your end device does not require consent in this respect, but takes place on the basis of Section 25 (2) No. 2 TDDDG.

Among other things, we use the following technically necessary cookies:

  • The “PHPSESSID” cookie for security reasons. This cookie is a session cookie and is deleted as soon as you close your browser.
  • A cookie that allows the website administrators to access back office information. This cookie has a lifespan of 480 hours.
  • A cookie that enables our cookie banner to be hidden. This cookie has a lifespan of one year.

For all other functions that are not absolutely necessary, the storage of information on your end device or access to information that is already stored on your end device requires your consent in accordance with Section 25 (1) sentence 1 TDDDG. Any consent you have given will remain in place until you adjust or reset the respective settings on your device. You can change your settings at any time by clicking on the fingerprint button in the bottom right or left-hand corner of the page. If you do not accept cookies, the functionality of our website may be restricted.

You can also set the storage of cookies directly in your browser. You can find the cookie settings for your respective browser under the following links  Microsoft Edge™ / Safari™ / Chrome™ / Firefox™ / Opera™

We also use technologies to fulfill the legal obligations to which we are subject (e.g. to be able to prove consent to the processing of your personal data) as well as for web analysis and online marketing. Further information on this, including the respective legal basis for data processing, can be found in the following sections of this privacy policy. Further information on these technologies, including the respective legal basis for data processing, can be found on the Usercentrics platform. You can access this by clicking on the fingerprint button in the bottom right or left-hand corner of the page.

  • Use of the Usercentrics Consent Management Platform to manage consents

We use the Usercentrics Consent Management Plattform (“Usercentrics”) on our website to inform you about the cookies and other technologies we use on our website and to obtain, manage and document your consent to the processing of your personal data by these technologies, where required by law. This is necessary pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR in order to comply with our legal obligation pursuant to Art. 7 para. 1 GDPR to be able to prove your consent to the processing of your personal data.

Usercentrics is a service provided by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany, which processes your data on our behalf. When you visit our website, the Usersentrics web server stores a so-called server log file, which also contains your anonymized IP address, the date and time of your visit, device and browser information and information about your consent behavior. Your data will be deleted after three years, unless you have expressly consented to further use of your data in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this declaration.

  • Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Analytics uses cookies to analyze the way you use the website. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. If IP anonymization is activated on this website, your IP address will first be shortened by Google within the member states of the European Union or other states of the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage for website operators. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data by Google. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) and the processing of this data by Google by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de

 

[We have activated “Google Signals” in Google Analytics for advertising purposes. This complements the existing Google Analytics functions to obtain aggregated data on the age, gender, location, search history and interests of website visitors, provided they have allowed personalized ads in their Google account. By activating Google Signals, data is collected and linked to the Google account].

You can prevent the collection of data by Google Analytics by clicking on the following link. This will set an opt-out cookie that will prevent the future collection of your data when you visit this website: Deaktivieren Sie Google Analytics. [You can deactivate the “Google Signals” function at any time via the settings in your Google account: https://adssettings.google.com]

Further information on terms of use and data protection can be found at http://www.google.com/analytics/terms and  https://policies.google.com/?hl=en. [We would like to point out that on this website Google Analytics has been extended by the code “anonymizeIp” in order to ensure an anonymized collection of IP addresses (IP masking).

  • Elevar

We use the web analysis service Elevar on our website or parts of our website to record the use of our website by its visitors and to evaluate and optimize the effectiveness of our advertising and marketing measures. Elevar is a web analytics service provided by Elevar LLC in Charleston, USA (“Elevar”). Elevar LLC acts as a processor for us on the basis of a data processing agreement pursuant to Art. 28 GDPR.

Elevar automatically collects data such as your IP address, the time of your visit, information about your device and browser and your use of our website. This data is used to create usage profiles that are managed using pseudonyms. Cookies may also be used for these purposes. These pseudonymized profiles are not linked to personal data without your express consent.

3. information for customers

You can order our products directly from us via our webshop. We require various data in order to process and fulfill your order. In the following sections of this privacy policy you will find information on the processing of your data, in particular on the transfer to our service providers for the purpose of order, payment and shipping processing.
In principle, your data will be restricted for further processing after the contract has been fully processed and deleted after expiry of the retention periods under tax and commercial law, unless you have expressly consented to further use of your data in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this declaration.

3.1 Customer account

You have the option of opening a customer account with us and saving your data for future orders on our website. The legal basis for this is Art. 6 para. 1 sentence 1 lit. b GDPR, i.e. you provide us with the data on the basis of the contractual relationship between you and Zippo. Deletion of your customer account is possible at any time and can be done either by sending a message to the contact option described in this privacy policy or via a function provided for this purpose in the customer account. After deletion of your customer account, your data will be deleted unless you have expressly consented to further use of your data in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this declaration.

3.2 Data processing for contract processing

For the purpose of contract processing (including inquiries about and processing of any existing warranty and service disruption claims as well as any statutory updating obligations) in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR, we collect personal data if you voluntarily provide it to us as part of your order. Mandatory fields are marked as such, as in these cases we absolutely need the data to process the contract and we cannot send the order without it. Which data is collected can be seen from the respective input forms.

Further information on the processing of your data, in particular on the transfer to our service providers for the purpose of order, payment and shipping processing, can be found in the following sections of this privacy policy. After completion of the contract, your data will be restricted for further processing and deleted after expiry of the retention periods under tax and commercial law in accordance with Art. 6 para. 1 sentence 1 lit. c GDPR, unless you have expressly consented to further use of your data in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this declaration.

3.3 Data processing for the purpose of shipping processing

In order to fulfill the contract in accordance with Art. 6 Para. 1 S. 1 lit. b GDPR, we pass on your data to the shipping service provider commissioned with the delivery, insofar as this is necessary for the delivery of ordered goods.

If you have given us your express consent to this during or after your order, we will pass on your e-mail address to the selected shipping service provider in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR so that they can contact you before delivery for the purpose of delivery notification or coordination.
Consent can be revoked at any time by sending a message to the contact option described in this privacy policy or directly to the shipping service provider at the contact address listed below. After revocation, we will delete your data provided for this purpose, unless you have expressly consented to further use of your data or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this declaration.

General Logistics Systems Germany GmbH & Co. OHG
GLS Germany-Straße 1 - 7
DE-36286 Neuenstein
Germany

United Parcel Service Germany S.à.r.l. & Co. OHG
Görlitzer Straße 1
41460 Neuss
Germany

DHL Paket GmbH
Sträßchensweg 10
53113 Bonn
Bonn, Germany

3.4 Data processing for payment processing

We work with the following partners to process payments in our online store: technical service providers, credit institutions, payment service providers

Data processing for transaction processing
Depending on the selected payment method, we pass on the data necessary for processing the payment transaction to our technical service providers, who work for us as part of order processing, or to the commissioned credit institutions or to the selected payment service provider, insofar as this is necessary for processing the payment. This serves to fulfill the contract in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR. In some cases, the payment service providers collect the data required for processing the payment themselves, e.g. on their own website or via a technical integration in the ordering process. In this respect, the privacy policy of the respective payment service provider applies.

If you have any questions about our partners for payment processing and the basis of our cooperation with them, please use the contact option described in this privacy policy.

  • Data processing for the purpose of fraud prevention and optimization of our payment processes

If necessary, we transmit further data to our service providers in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR, which they process together with the data necessary for processing the payment as our processors for the purpose of fraud prevention and the optimization of our payment processes (e.g. invoicing, processing of disputed payments, accounting support).

  • Installment purchase

If the payment method “installment purchase” is selected and the necessary data protection consent is granted in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, personal data (first name, last name, address, e-mail address, telephone number, date of birth, IP address, gender) together with data required for transaction processing (article, invoice amount, due dates, total amount, invoice number, taxes, currency, order date and order time) will be transmitted to our partner PayPal (Europe) S.à.r.l. et Cie, S.C.A. for the purpose of processing this payment method, 22-24 Boulevard Royal, L-2449 Luxembourg, Luxembourg (“PayPal”).

In order to verify the identity or creditworthiness of the customer, our partner carries out queries and obtains information from publicly accessible databases and credit reference agencies. The providers from whom information and, if applicable, creditworthiness information is obtained on the basis of mathematical-statistical procedures, as well as further details on the processing of your data after transmission to our partner PayPal, can be found in their privacy policy, which you can find here: https://www.paypal.com/de/webapps/mpp/ua/privacy-full


Our partner PayPal uses the information received on the statistical probability of a payment default to make a balanced decision on the establishment, execution or termination of the contractual relationship. You have the option of contacting our partner PayPal to explain your point of view and contest the decision. The consent to data transfer given during the ordering process can be revoked at any time, even without giving reasons, with effect for the future.

3.5 Making contact

In the context of customer communication, we collect personal data to process your inquiries in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR if you voluntarily provide us with this data when contacting us (e.g. via contact form or e-mail). Mandatory fields are marked as such, as in these cases we absolutely need the data to process your contact. Which data is collected can be seen from the respective input forms. Once your request has been fully processed, your data will be deleted unless you have expressly consented to further use of your data in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this declaration.

4. information for business partners

If you are or wish to become a business partner of Zippo, we need to collect and use certain information about you and/or people within your organization in order to fulfill our contractual obligations or communicate with you. Without this data, we will generally have to refuse to conclude the contract or execute the order or will no longer be able to perform an existing contract and may have to terminate it.

If required, we collect the first and last name, any titles and academic degrees, the company name, the area of responsibility, the address, telephone data, the e-mail address, the gender and the language preference of our business partners.

We use the aforementioned data to fulfill our contractual obligations and/or to communicate with you. The legal basis for the processing of your personal data is Art. 6 para. 1 lit. b, GDPR. We delete the personal data of our business partners ten (10) years after the last documented communication. This does not affect your data subject rights below, including the right to erasure.

5. social media

If you have given your consent to the respective social media operator in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, your data will be automatically collected and stored for market research and advertising purposes when you visit our online presences on the following social media, from which user profiles are created using pseudonymous data. These can be used, for example, to place advertisements within and outside the platforms that presumably correspond to your interests. Cookies are generally used for this purpose. For detailed information on the processing and use of data by the respective social media operator as well as a contact option and your rights and settings options for protecting your privacy, please refer to the providers' data protection notices linked below. If you still need help in this regard, you can contact us.

5.1 Facebook

Facebook is a service provided by Meta Platforms Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland (“Meta Platforms Ireland”). The information automatically collected by Meta Platforms Ireland about your use of our online presence on Facebook is usually transmitted to a server of Meta Platforms, Inc, 1 Hacker Way, Menlo Park, California 94025, USA and stored there. Data processing in the context of a visit to a Facebook fan page is based on an agreement between jointly responsible parties in accordance with Art. 26 GDPR. Further information on Insights data can be found hier.

5.2 X

X is a service provided by Twitter Unlimited International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland (“X”). The information automatically collected by X about your use of our online presence on Twitter is generally transmitted to a server of X Corp, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA and stored there.

5.3 Instagram

Instagram is a service provided by Meta Platforms Ireland. The information automatically collected by Meta Platforms Ireland about your use of our online presence on Instagram is usually transferred to a server of Meta Platforms, Inc, 1 Hacker Way, Menlo Park, California 94025, USA and stored there. Data processing in the context of visiting an Instagram fan page is based on an agreement between jointly responsible parties in accordance with Art. 26 GDPR. Further information on Insights data can be found hier.

5.4 YouTube

YouTube is a Google service. The information automatically collected by Google about your use of our online presence on YouTube is usually transferred to a server of Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA and stored there.

5.5 Pinterest

Pinterest is a service provided by Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland (“Pinterest”). The information automatically collected by Pinterest about your use of our online presence on Pinterest is usually transmitted to a server of Pinterest, Inc, 505 Brannan St., San Francisco, CA 94107, USA and stored there. Data processing in the context of visiting our LinkedIn presence is based on an agreement between jointly responsible parties in accordance with Art. 26 GDPR.

5.6 LinkedIn

LinkedIn is a service provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”). The information automatically collected by LinkedIn about your use of our online presence on LinkedIn is generally transmitted to a server of LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA and stored there. Data processing in the context of visiting our LinkedIn presence is based on an agreement between jointly responsible parties in accordance with Art. 26 GDPR.

5.7 TikTok:

TikTok is a service provided by TikTok Technology Ltd, 10 Earlsfort Terrace, Dublin 2, Ireland (“TikTok”). The data collected from users during use is stored in data centers in the USA, Malaysia and Singapore. The processing by TikTok is carried out partly as joint controllers on the basis of an agreement between joint controllers pursuant to Art. 26 GDPR and partly as order processing on the basis of an order processing agreement pursuant to Art. 28 GDPR.

6 Information for applicants

You have the opportunity to apply for the positions advertised on our website by sending an email to bewerbung@zippo.com. Our application form is available on our website for this purpose. If you do not provide the necessary data, we may not be able to consider your application.

In this respect, we collect your first and last name, any titles and academic degrees, address, date of birth, nationality, telephone data and e-mail address as well as all other data contained in your application documents and CV. The provision of this personal data is voluntary. Your data will be processed in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR exclusively for the purpose of deciding on the establishment of an employment relationship.

If your application is successful, we will store your data for the duration of the employment relationship. If your application is not successful, we will generally delete your application data after six months, taking into account time limits under the law of evidence, unless you have consented to further storage in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, for example in order to be considered for future positions.

We use Join Solutions AG, Schönhauser Allee 36, 10435 Berlin (“Join Solutions”) as a contractor for applications.

7. information for newsletter subscribers:

On our website, we offer you the opportunity to subscribe to our newsletter so that we can inform you about news and events from Zippo. We collect your e-mail address, surname, first name and title.

The newsletter is sent and the associated processing of your personal data takes place exclusively on the basis of your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

We use technology from our service provider HubSpot, Inc. Two Canal Park, Cambridge, MA 02141 USA (“HubSpot”) to send the newsletter and analyze behavior. HubSpot analyzes deliveries, openings, clicks, country of origin and the medium used to open the newsletter on our behalf. HubSpot uses servers in the USA to provide its services. In this respect, our cooperation with them is based on standard data protection clauses of the European Commission.

You can revoke your consent at any time. If you no longer wish to receive the newsletter in the future, you can unsubscribe at any time directly via the unsubscribe link, which you will find in every newsletter, or by sending an email to shop.de@zippo.com. We will delete your personal data after you withdraw your consent.

8. information on third country transfer (data transfer to third countries)

We use technologies from service providers whose registered office and/or server locations may be located in third countries outside the EU or the EEA. If there is no adequacy decision by the EU Commission for this country, we ensure an adequate level of data protection by means of other suitable guarantees.

We have generally agreed the standard data protection clauses issued by the EU Commission with the technology providers we use who process personal data in a third country for which there is no adequacy decision.  

Notwithstanding this, it may happen that, despite all contractual and technical measures, the level of data protection in the third country does not correspond to that of the EU. In these cases, we will obtain your consent in accordance with Art. 49 para. 1 sentence 1 lit. a GDPR for the transfer of your personal data to a third country.

In particular, there is a risk that local authorities in the third country may not have sufficiently limited access rights to your personal data from a European data protection perspective, that we as the data exporter or you as the data subject may not be aware of this and/or that you may not have sufficient legal remedies to prevent this and/or to take action against such access.  

You can find out which third countries we transfer data to in the data protection notices for the respective tool and/or service used by us for consent management/ Consent Manager Platform (CMP). 

9. your rights as a data subject

As a data subject, you have the following rights

  • in accordance with Art. 15 GDPR, the right to request information about your personal data processed by us to the extent specified therein
  • in accordance with Art. 16 GDPR, the right to demand the immediate rectification of incorrect or incomplete personal data stored by us
  • in accordance with Art. 17 GDPR, the right to request the erasure of your personal data stored by us, unless further processing is necessary
    • to exercise the right to freedom of expression and information
    • for compliance with a legal obligation;
    • for reasons of public interest or
    • is necessary for the establishment, exercise or defense of legal claims;
  • in accordance with Art. 18 GDPR, the right to demand the restriction of the processing of your personal data, insofar as
    • the accuracy of the data is disputed by you
    • the processing is unlawful, but you oppose the erasure of the data
    • we no longer need the data, but you need it for the establishment, exercise or defense of legal claims; or
    • you have objected to the processing pursuant to Art. 21 GDPR
  • in accordance with Art. 20 GDPR, the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller
  • in accordance with Art. 77 GDPR, the right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters.
  • If we process personal data as explained above in order to safeguard our legitimate interests, which outweigh your interests, you can object to this processing with effect for the future. If the processing is carried out for direct marketing purposes, you can exercise this right at any time as described above. If the processing is carried out for other purposes, you only have the right to object on grounds relating to your particular situation.

After exercising your right to object, we will no longer process your personal data for these purposes unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves the establishment, exercise or defense of legal claims.

This does not apply if the processing is for direct marketing purposes. In this case, we will no longer process your personal data for this purpose.

10. contact

If you have any questions about the collection, processing or use of your personal data, information, correction, restriction or deletion of data and revocation of any consent given or objection to a particular use of data, please contact our company data protection officer.