Data protection

Santaverde GmbH
Borsteler Bogen 27B
22453 Hamburg, Deutschland
Amtsgericht Hamburg, HRB 40 426
Geschäftsführung: Sabine Beer
Tel.: +49 40 460 99 110
E-Mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

Stand: 04.06.2018

1.    Basic Information on Data Processing and Legal Principles

1.1.    This data privacy policy explains the type, scope and purpose of the processing of personal data within our online offering and the associated web pages, functions and contents (hereinafter jointly referred to as “online offering” or “website”). The data privacy policy applies, irrespective of the domains, systems, platforms and devices (e.g. desktop or mobile) on which the online offering is used.
1.2.    For an explanation of the terms used, such as “personal data” or their “processing”, we would refer you to the definitions in Art. 4 of General Data Protection Regulation (GDPR).
1.3.    The personal data of users processed within the scope of this online offering include master data (e.g. names and addresses of customers), contract data (e.g. services used, names of responsible clerks, payment information), usage data (e.g. the web pages of our online offering visited, interest in our products) and content data (e.g. entries in the contact form).
1.4.    The term “user” covers all categories of persons affected by the data processing (‘data subjects’). These include our business partners, customers, potential customers and other visitors to our online offering. The terms used, such as “user”, shall be understood as applying to both female and male genders.
1.5.    We process personal data of the users only in accordance with the applicable data protection regulations. This means that the users’ data are only processed with their legal consent, i.e. in particular where data processing is necessary in order to provide our contractual services (e.g. processing of orders) and online services or where this is required by law, where the users have given their consent, and also on the grounds of our legitimate interests (i.e. interest in analysis, optimisation and cost-efficient operation and security of our online offering) as defined in Art. 6 (1) lit. f. GDPR, in particular the measurement of the reach, preparation of profiles for advertising and marketing purposes, collection of access data and the use of third-party services.
1.6.    We should point out that the legal basis for the consents is Art. 6 (1) lit. a. and Art. 7 GDPR, the legal basis for the processing of data for the provision of our services or the discharge of contractual measures is Art. 6 (1) lit. b. GDPR, the legal basis for the processing of data for the fulfilment of our legal obligations is Art. 6 (1) lit. c. GDPR, and the legal basis for the processing of data for the purposes of our legitimate interests is Art. 6 (1) lit. f. GDPR.

2.    Security Measures

2.1.    We take state-of-the-art organisational, contractual and technical security measures to ensure that the provisions of the data protection laws are observed, and hence to protect the data processed by us against accidental or deliberate manipulation, loss, destruction or access by unauthorised persons.
2.2.    These security measures include in particular the encrypted transmission of data between your browser and our server.

3.    Disclosure of Data to Third Parties and Third-party Providers

3.1.    Data are disclosed to third parties only where required by law. We pass on user data to third parties only where this is necessary e.g. on the basis of Art. 6 (1) lit. b) GDPR for the performance of a contract or on the basis of legitimate interests in accordance with Art. 6 (1) lit. f. GDPR in the cost-efficient and effective conduct of our business operations.
3.2.    Where we use sub-contractors to provide our services, we take appropriate legal safeguards and corresponding technical and organisational measures to ensure the protection of the personal data in accordance with the relevant statutory regulations.
3.3.    Where, within the context of this data privacy policy, contents, tools or other means from other providers (hereinafter jointly referred to as “third-party providers”) are employed and their stated offices are located in a third country, it can be assumed that a data transfer to the countries of domicile of the third-party providers takes place. Third countries shall be understood as countries in which the GDPR does not directly apply, i.e. effectively countries outside the EU or the European Economic Area (EEA). Data are transmitted to third countries either when there is an adequate level of data protection, the consent of the users has been given or there is some other statutory authorisation.

4.    Santaverde Online Shop

4.1.    We process master data (e.g. names and addresses and contact data of users), contract data (e.g. services used, names of contact persons, payment information) in order to fulfil our contractual obligations and to provide our services in accordance with Art. 6 (1) lit b. GDPR.
4.2.   Users can optionally create a user account in which they can view in particular their orders. During the registration, the users will be prompted to enter the necessary mandatory data. The user accounts are not public and cannot be indexed by search engines. When users have terminated their user account, their data are deleted with respect to the user account unless their retention is required in accordance with commercial and tax law pursuant to Art. 6 (1) lit. c GDPR. When terminating their user account, it is the responsibility of the users to save their data before the end of the contract. We are entitled to irretrievably delete all data saved on the user during the period of the contract.
4.3.    During the registration, on renewed login and when using our online services, the IP address and the time of the respective user action will be stored. Storage is performed on the basis of our legitimate interests and those of the users in protecting the data against misuse and other unauthorised use. These data are not passed on to third parties unless this is necessary in order to pursue our claims or there is a legal obligation to do so in accordance with Art. 6 (1) lit. c GDPR.
4.4.    We process usage data (e.g. the web pages of our online offering visited, interest in our products) and content data (e.g. entries in the contact form or user profile) for advertising purposes in a user profile in order to display e.g. product tips to the user based on the services previously used.

5.    Contacting Us

5.1.    When you contact us (via the contact form or by e-mail), the user data are processed in accordance with Art. 6 (1) lit. b) GDPR for the purposes of dealing with the contact.
5.2.    The user data can be stored in our ERP system or comparable enquiry organisation.

6.    Collection of Access Data and Logfiles

6.1.    On the basis of our legitimate interests as defined in Art. 6 (1) lit. f. GDPR, we collect data on every access to the server on which this service is located in the form of “server logfiles”. The access data include the name of the visited web page, file, date and time of the access, data volume transmitted, report on successful access, browser type and version, user’s operating system, referrer URL (the page previously visited), IP address and requesting provider.
6.2.    For security reasons (e.g. to clarify cases of misuse or fraud), logfile data are stored for a maximum period of seven days and are then deleted. Data that have to be retained for a longer period as evidence are excluded from the deletion until final clarification of the respective incident.

7.    Cookies & Reach Measurement

7.1.    Cookies are data that are transmitted from our web server or the web servers of third parties to the user’s web browser where they are stored for future retrieval. The cookies can be small files or other forms of information storage.
7.2.    We use session cookies that are stored only for the duration of the current visit to our online offering (e.g. to enable storage of your login status or the shopping basket function, and hence to make the use of our online offering possible in the first place). An unambiguous identification number, or “session ID”, generated at random is stored in a session cookie. In addition, a cookie contains information on its origin and the storage period. These cookies cannot store any other data. Session cookies are deleted when you terminate the use of our online offering, e.g. by logging out or closing the browser.
7.3.    Users are informed about the use of cookies within the context of pseudonymous reach measurement in this data privacy policy.
7.4.    If users do not wish for cookies to be stored on their computer, they should deactivate the respective option in the system settings of their browser. Stored cookies can be deleted in the browser system settings. The blocking of cookies can result in limitations on the functions of this online offering.
7.5.    You can oppose the storage of cookies used for reach measurement and advertising purposes via the deactivation page of the network advertising initiative (, and also on the US American website ( or European website (

8.    Google Analytics

8.1.   On the basis of our legitimate interests (i.e. interest in analysis, optimisation and cost-efficient operation of our online offering as defined in Art. 6 (1) lit. f. GDPR), we employ Google Analytics, a web analysis service of Google Inc. (“Google”). Google uses cookies. The information on the use of the online offering by the users generated by the cookie is generally transmitted to a Google server in the USA and stored there.
8.2.    Google is certified under the Privacy Shield Agreement and therefore warrants compliance with European data protection law (
8.3.    Google will use this information on our behalf to analyse the use of our online offering by the users, to compile reports on the activities within this online offering and to provide other services related to the use of thus online offering and the Internet for us. Pseudonymous use profiles on the users may be created from the processed data.
8.4.    We employ Google Analytics in order to display advertisements posted as part of advertising services from Google and its partners only to such users who have shown an interest in our online offering or who have certain characteristics (e.g. interest in certain topics or products identified from the web pages visited) that we pass on to Google (“remarketing or Google Analytics audiences”). By using the remarketing audiences, we aim to ensure that our advertisements meet the potential interest of the users and are not disturbing.
8.5.    We employ Google Analytics only with activated IP anonymisation. This means that the IP address of the user is abridged by Google within member states of the European Union or in other contracting parties to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and abridged there.
8.6.    The IP address transmitted by the user’s browser is not associated with any other data held by Google. Users can prevent the storage of the cookies by a corresponding setting in their browser software; users can also prevent the transmission of the data generated by the cookie relating to their use of the online offering to Google and the processing of these data by Google by downloading and installing the browser plug-in available under the following link
8.7.    In addition to or as an alternative to the browser add-on, you can prevent tracking by Google Analytics on our websites by clicking this link. This will install an opt-out cookie on your device. This will prevent the collection of data through Google Analytics for this website and for this browser in future as long as the cookie remains installed in your browser.
8.8.    Further information on the use of the data by Google and on setting and objection possibilities can be found on the Google websites: (“Use of data by Google from your use of websites or apps of our partners”), (“Use of data for advertising purposes”), (“Management of information used by Google to display advertising to you”).

9.    Facebook Social Plug-ins

9.1.    On the basis of our legitimate interests (i.e. interest in analysis, optimisation and cost-efficient operation of our online offering as defined in Art. 6 (1) lit. f. GDPR), we use social plug-ins ("plug-ins") of the social network that is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). The plug-ins can represent interaction elements or contents (e.g. videos, graphics or texts) and are recognisable from one of the Facebook logos (white “f” on a blue tile, the words "Like", "Gefällt mir" or a “thumbs up” symbol) or are marked with the "Facebook social plug-in” suffix. The list and the appearance of the Facebook social plug-ins can be viewed here:
9.2.    Facebook is certified under the Privacy Shield Agreement and therefore warrants compliance with European data protection law (
9.3.    If a user calls up a function of this online offering that contains such a plug-in, the user’s device sets up a direct link to the Facebook servers. The content of the plug-in is transmitted by Facebook directly to the user’s device and is integrated into the online offering. Use profiles on the users may thereby be created from the processed data. We therefore have no influence on the scope of the data that Facebook collects using this plug-in and can therefore only inform users in line with our level of knowledge.
9.4.    The incorporation of the plug-ins provides Facebook with the information that a user has called up the corresponding page of the online offering. If the user is logged in to Facebook, Facebook can link the visit to the user’s Facebook account. If users interact with the plug-ins, for example by clicking the “Like” button or entering a comment, the corresponding information is transmitted by your device directly to Facebook and stored there. If a user is not a member of Facebook, it is nevertheless possible that Facebook can discover and store the user’s IP address. According to Facebook, only an anonymised IP address is stored in Germany.
9.5.    The purpose and scope of the data collection and further processing and use of the data by Facebook and the associated rights and setting possibilities for protection of the users’ privacy can be found in the Facebook data privacy notices:
9.6.    If a user is a member of Facebook and does not wish for Facebook to collect data about him/her via this online offering and link these data for his/her member data stored by Facebook, he must log out of Facebook and delete his cookies before using our online offering. Further settings and objections to the use of data for advertising purposes are possible within the Facebook profile settings: or via the US American page or the EU page The settings are platform-independent, i.e. they are used for all devices, such as desktop computer or mobile devices.

10.    Newsletter

10.1.    The following information explains the contents of our newsletter and the registration, dispatch and statistical evaluation procedures and your rights of objection. With your subscription to our newsletter, you declare your consent to the receipt of the newsletter and to the procedures described.
10.2.    Content of the newsletter: We send newsletter, e-mails and other electronic notifications with advertising information (hereinafter referred to as “newsletter”) only with the consent of the recipient or with statutory authorisation. If the contents of the newsletter are described in concrete terms during the subscription to our newsletter, then these are binding for the users’ consent. In general, our newsletters contain information on our products, offers, campaigns, indications of competitions and surveys, on our company and topics associated with cosmetics, organics and sustainability.
10.3.    Double opt-in and logging: Subscription to our newsletter follows the double opt-in procedure. This means that after your subscription, you receive an e-mail from us in which you are requested to confirm your subscription. This confirmation is necessary so that no-one can subscribe using the e-mail addresses of other persons. The subscriptions to the newsletter are logged in order to be able to register the subscription process in accordance with the legal requirements. This includes the storage of the time of subscription and confirmation, and the IP address. The changes to your data stored with the dispatch service provider are also logged.
10.4.    Dispatch service provider: Newsletter2Go is used as newsletter software. Your data are thereby transmitted to Newsletter2Go GmbH. Newsletter2Go is forbidden from selling your data or using them for purposes other than the dispatch of newsletters. Newsletter2Go is a certified German service provider that was selected in accordance with the demands of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act.
Further information can be found here:
You can revoke your consent to the storage of the data, your e-mail address and their use for the dispatch of the newsletter at any time, for example via the “Unsubscribe” link in the newsletter.
The data protection measures are subject to constant technical innovation; for this reason we would ask you to inform yourself about our data protection measures at regular intervals by consulting our data privacy policy.
10.5.    Furthermore, the dispatch service provider can, according to its own information, use these data in pseudonymous form, i.e. without identification of a user, to improve or optimise its own services, e.g. for technical optimisation of the dispatch and the presentation of the newsletters, or for statistical purposes in order to determine from which countries the subscribers come. The dispatch service provider does not, however, use the data on our newsletter subscribers to contact them directly or to pass them on to third parties.
10.6.    Subscription data: The provision of your e-mail address is sufficient for subscription to the newsletter. We ask you to optionally indicate a name to allow us to address you personally in the newsletter.
10.7.    Statistical collection and analyses - The newsletters contain a “web beacon”, i.e. a pixel-sized file, that is called up by the dispatch service provider’s server when the newsletter is opened. During this call, initially technical information is collected, such as information on the browser and your system, together with your IP address and the time of the call. This information is used for technical improvement of the services on the basis of the technical data or the target groups and their reading behaviour according to the location of the call (that can be identified using the IP address) or the access times. The statistical data collected also include information on whether the newsletter was opened, when it was opened and which links are clicked. Although for technical reasons this information can be linked to the individual newsletter subscribers, it is neither our intention nor that of the dispatch service provider to observe individual users. The analyses are used to identify the reading habits of our users and to tailor our contents to them, or to send different contents according to the interests of our users.
10.8.    The employment of the dispatch service provider, the conduct of the statistical data collections and analyses and the logging of the subscription procedure are performed on the basis of our legitimate interests in accordance with Art. 6 (1) lit. f GDPR. Our interest is directed to the use of a user-friendly and secure newsletter system that both serves our business interests and meets the expectations of the users.
10.9.    Unsubscribe/revocation - You can unsubscribe from our newsletter, i.e. revoke your consents, at any time. At the same time, you revoke your consent to the dispatch of the newsletter by the dispatch service provider and the statistical analyses. Separate revocation of the dispatch of the newsletter by the dispatch service provider or the statistical analysis is unfortunately not possible. A link for unsubscribing from the newsletter can be found at the end of every newsletter. If the users have only subscribed to the newsletter and have cancelled this subscription, their personal data will be deleted.

11.    Integration of Third-party Services and Contents

11.1.    Within our online offering and on the basis of our legitimate interests (i.e. interest in analysis, optimisation and cost-efficient operation of our online offering as defined in Art. 6 (1) lit. f. GDPR), we employ content or service offerings from third-party providers in order to incorporate their contents and services, such as videos or fonts (hereinafter collectively referred to as “contents”). This always presupposes that the third-party providers of these contents can perceive the IP address of the users, as without the IP address they could not send the contents to their browsers. The IP address is therefore necessary for the presentation of the contents. We attempt to use only such contents whose respective providers use the IP address only for the delivery of the contents. Third-party providers can furthermore use pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The pixel tags allow information such as the visitor traffic on the pages of this website site to be evaluated. The pseudonymous information can furthermore be stored in cookies on the users’ device and may contain i.a. technical information on the browser and operating system, referring web pages, time of visit and further information on the use of our online offering, and may be linked to such Information from other sources.
11.2.    The following list shows an overview of third-party providers and their contents together with links to their data privacy policies where further information on their processing of data and the objection possibilities (opt-outs) – in some cases already described here – can be found:
- If our clients use third-party payment services (e.g. PayPal), then the general terms and conditions and the data privacy policies of the respective third-party provider apply that can be found within the respective website or transaction applications.
- External fonts of Google, Inc., (“Google fonts”). Google fonts are incorporated through a server call to Google (generally in the USA). Data privacy policy:, opt-out:
- Maps from the “Google Maps” service operated by the third-party provider Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data privacy policy:, opt-out:
- Videos from the “YouTube” platform operated by the third-party provider Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data privacy policy:, opt-out:
- Our online offering incorporates functions of the Instagram service. These functions are offered by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. If you are logged in to your Instagram account, you can link the contents of our pages to your Instagram profile by clicking the Instagram button. As a result, Instagram can link the visit to our pages to your user account. We should point out that as providers of the pages, we receive no knowledge of the content of the transmitted data or of their use by Instagram. Data privacy policy:
- We use social plug-ins of the Pinterest social network that is operated by Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA (“Pinterest”). If you call up a page that contains such a plug-in, your browser sets up a direct link to the Pinterest servers. The plug-in transmits protocol data to the Pinterest server in the USA. These protocol data may contain your IP address, the addresses of visited websites that also contain Pinterest functions, the type and settings of your browser, date and time of the request, your method of use of Pinterest and cookies. Data privacy policy:
- External code of the “jQuery” JavaScript framework provided by the third-party provider, jQuery Foundation,

12.    Rechte der Nutzer

12.1.    Users have the right on demand to receive information free of charge on the personal data that we have saved on them.
12.2.    In addition, the users have to the right to correction of incorrect data, to restrict the processing of their data and to deletion of their personal data, where applicable, to exercise their rights to data portability and, in the case of a suspicion of unlawful data processing, to submit a complaint to the responsible supervisory authority.
12.3.    Users can also revoke consents, always with effect for the future.

13.    Deletion of Data

13.1.    The data stored by us are deleted as soon as they are no longer required for their intended purpose and deletion does not contravene statutory retention obligations. If the data on the users are not deleted because they are required for other legally permitted purposes, their processing will be restricted, i.e. the data will be blocked and not processed for any other purposes. This applies e.g. to user data that have to be retained for commercial and tax law reasons.
13.2.    In accordance with the statutory regulations, they are stored for 6 years in accordance with § 257 (1) German Commercial Code (HGB) (trading books, inventories, opening balance sheets, annual accounts, commercial letters, accounting dockets, etc.) and for 10 years in accordance with § 147 (1) German Fiscal Code (AO) (books, records, status reports, accounting dockets, commercial letters, tax-relevant documents, etc.).

14.    Right of Objection

Users can object to the future processing of their personal data in accordance with the legal requirements at any time. The objection can be made in particular against the processing for purposes of direct advertising.

15.    Amendments to the Data Privacy Policy

15.1.    We reserve the right to amend the data privacy policy in order to adapt them to changes in the legal framework, or in the event of changes to the service and the data processing. This applies only, however, with respect to declarations on data processing. Where the consent of users is necessary or parts of the data privacy policy contain provisions from the contractual relationship with the users, these changes will only be made with the consent of the users.
15.2.    The users are requested to inform themselves about the contents of our data privacy policy at regular intervals.


Cookies make it easier for us to provide you with our services. With the usage of our services you permit us to use cookies.
More information Ok