Privacy Policy

As of November 19, 2025

1. Data protection at a glance

General information

This privacy policy informs you about what personal data we collect when you visit our website or shop in our online store, and for what purposes we use this data.
Personal data is any data that can be used to personally identify you. This privacy policy is regularly reviewed and updated to reflect new legal or technical requirements.

Who is responsible?

The entity responsible for data processing on this website is:

RU21 GmbH

Victor-Goerttler-Straße 2

07745 Jena

Germany

Email: office@ru-21.com

How do we collect your data?

• You provide us with data yourself, e.g. when placing an order, creating a customer account, using the contact form or subscribing to the newsletter.

• Further data is collected automatically or with your consent by our IT systems when you visit the website (e.g. IP address, browser, time of page access, cookies).

What do we use your data for?

• to provide the website and the online shop,

• for processing orders (contract fulfillment),

• for payment and shipping processing via external service providers,

• to answer inquiries,

• for consent management (cookie/consent),

• possibly for analysis and security purposes.

What rights do you have?

You have, among other things, the right to information, rectification, erasure, restriction of processing, data portability, withdrawal of consent, and the right to lodge a complaint with a supervisory authority. Details can be found below under "Rights of Data Subjects".

2. Hosting and shop system

Our website and online shop are hosted by an external service provider and/or provided via a shop system. Our online shop is operated by the service provider Shopify. For users in the European Economic Area (EEA) and Switzerland, the provider is Shopify International Ltd., 2nd Floor, Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland. As part of providing the service, data may also be transferred to the parent company, Shopify Inc., 151 O'Connor Street, Ground Floor, Ottawa, Ontario K2P 2L8, Canada, and to other affiliated companies. This may involve the transfer of data to third countries (in particular Canada and the USA). Shopify processes personal data on the basis of data processing agreements and, where data is transferred to third countries, on the basis of suitable safeguards (e.g. EU Standard Contractual Clauses, Privacy Framework).

The legal basis is Article 6(1)(b) GDPR (performance of a contract) or Article 6(1)(f) GDPR (legitimate interest in the secure and efficient operation of our online service).
Personal data collected on our website is stored on the servers of this service provider. This may include, in particular: IP addresses, contact requests, metadata and communication data, order data, contract data, contact details, names, access times, and newsletter data.

The hosting/shop provider is used for the purpose of fulfilling the contract with our customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of our online service (Art. 6 para. 1 lit. f GDPR).

A data processing agreement pursuant to Art. 28 GDPR exists with the provider.

3. General information and mandatory disclosures

Data protection

We treat your personal data confidentially and in accordance with the statutory data protection regulations (in particular the GDPR) and this privacy policy. Please note that data transmission over the Internet (e.g., email communication) can have security vulnerabilities.

Storage duration

Unless a more specific retention period is stated in this privacy policy, personal data will remain with us until the purpose of processing no longer applies. If data must be retained for a longer period for commercial or tax reasons, it will be deleted after these periods have expired.

Legal basis for processing

• Art. 6 para. 1 lit. b GDPR (contract/initiation) – e.g. in the case of orders.

• Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG – e.g. for non-technically necessary cookies, tracking, marketing, newsletters.

• Article 6 paragraph 1 letter c GDPR – in the case of legal obligations.

• Art. 6 para. 1 lit. f GDPR – in the case of legitimate interests (e.g. IT security, fraud prevention, economic operation).

Recipients of personal data

We only transfer personal data to third parties if:

• this is necessary for the fulfillment of the contract (e.g. shipping by fulfillment/logistics companies),

• this is required for payment processing (e.g., to payment service providers),

• a legal obligation exists, or

• a legitimate interest exists and your interests do not outweigh it.

This can include, in particular:

• IT/Hosting/Shop service providers

• Fulfillment/logistics service provider

• Payment service provider

• Providers of consent management systems

• possibly a newsletter/email service provider

Data processing agreements (DPAs) exist with data processors in accordance with Article 28 GDPR.

Data transfers to third countries

Where service providers we use process data outside the EU/EEA (e.g., the USA or Canada), this only occurs if an adequate level of data protection exists (e.g., the EU-US Data Privacy Framework) or suitable safeguards such as EU Standard Contractual Clauses are in place. Transfers to third countries (especially the USA and Canada) may occur in connection with individual providers (e.g., Shopify, Klaviyo, other service providers). We will gladly provide further details upon request.

4. Your rights

You have the right at any time:

• to information pursuant to Article 15 GDPR,

• to rectification pursuant to Article 16 GDPR,

• to erasure pursuant to Article 17 GDPR,

• to restriction of processing pursuant to Article 18 GDPR,

• to data portability pursuant to Article 20 GDPR,

• to object pursuant to Article 21 GDPR to processing based on Article 6(1)(f) GDPR,

• as well as the right to withdraw consent at any time with effect for the future (Art. 7 para. 3 GDPR).

Furthermore, there is a right to lodge a complaint with a data protection supervisory authority, e.g. the Thuringian State Commissioner for Data Protection and Freedom of Information.

Contact for data subject rights: support@ru-21.com

5. Data collection on our website

5.1 Cookies and consent management

We use cookies and similar technologies.
Technically necessary cookies are set on the basis of Art. 6 para. 1 lit. GDPR. For all other cookies/tracking technologies, we obtain consent in accordance with Art. 6 para. 1 lit. a GDPR in conjunction with Section 25 para. 1 TDDDG.
We recommend using the consent banner to set your cookie preferences on your first visit. You can also change your selection at any time later in the shop.

You can change or withdraw your consent at any time via the consent tool integrated into the shop.

5.2 Server log files

When you access this website, technical data is automatically collected (IP address, date/time, browser, operating system, referrer URL). This data is used to ensure stability and security and is processed on the basis of Article 6(1)(f) GDPR.

5.3 Making contact

When you contact us via contact form or email, we process your information to answer your request.
The legal basis is Art. 6 para. 1 lit. b GDPR (contractual/quasi-contractual) or Art. 6 para. 1 lit. f GDPR (legitimate interest in communication).

6. Orders in the webshop, customer account, shipping and payment processing

6.1 Orders

When you order products from our online shop, we process your order, address, and contact details for contract fulfillment, delivery, and invoicing. The legal basis for this is Article 6(1)(b) GDPR. For sensitive product categories (e.g., dietary supplements), we would like to point out that additional legal requirements may apply, and we will gladly provide further information or explanations regarding data usage upon request.

6.2 Transfer to fulfillment/logistics service providers

To deliver your order, we will forward the necessary data (name, delivery address, and, if applicable, email/phone number for delivery notification) to our fulfillment/logistics company and shipping company (e.g., DHL). The legal basis for this is Article 6(1)(b) GDPR.

6.3 Payment service providers

We use external payment service providers (e.g., credit card, PayPal, Klarna, etc.) to process payments.
Your payment data is processed independently by the respective payment service provider. The legal basis for this processing is Article 6(1)(b) GDPR.

We use payment service providers to process payments in our online shop. Depending on the payment method selected, the necessary payment data is transmitted to the respective payment service provider. The legal basis for this is Article 6(1)(b) GDPR.

Payment service providers used may include, in particular: EC, Apple Pay, Google Pay, VISA, Mastercard, American Express, PayPal, Klarna, Shop, Union Pay, Shopify Payments (operated by Shopify International Ltd., Ireland).

The processing of data is the sole responsibility of the respective payment service provider. Further information can be found in the respective provider's privacy policy.

The specific payment methods and providers will be displayed during the ordering process.

6.4 Customer account

When you create a customer account, we process the necessary data to process future orders more quickly. The legal basis for this is your consent (Art. 6 para. 1 lit. a GDPR) or – if ordering via the account – Art. 6 para. 1 lit. b GDPR. You can have the account deleted at any time.

7. Newsletter / Direct Marketing

If you subscribe to our newsletter, we process your email address (and any other voluntary information you may provide) based on your consent in accordance with Article 6(1)(a) of the GDPR. You can withdraw this consent at any time via the unsubscribe link. You can also object to receiving advertising at any time by email or via the unsubscribe option integrated into the newsletter. In the event of an objection or withdrawal of consent, no further direct marketing will be sent.

If you have already made a purchase from us, we may, within certain limits, send you advertising for our own similar products via email without separate consent (Section 7 Paragraph 3 of the German Unfair Competition Act). You can object to this use at any time by email or via the unsubscribe link integrated into the newsletter. In the event of an objection, no further direct marketing will be sent to you.

8. Use of analysis and marketing tools

We may use a tag manager (e.g., Google Tag Manager) to manage and deploy scripts/tags. The tag manager itself does not create user profiles but may process IP addresses. The legal basis for this is Article 6(1)(f) GDPR or, if consent is given, Article 6(1)(a) GDPR in conjunction with Section 25 of the German Telemedia Act (TMG).

Other analytics/marketing tools (e.g., Google Analytics, Meta Pixel) will only be used if you have given your consent via the consent tool. The specific tools and their functionality will then be described in the consent tool or in a supplementary section of this statement.

Email marketing / marketing automation (Klaviyo):

We use the Klaviyo service, provided by Klaviyo, Inc., 125 Summer St, Floor 7, Boston, MA 02110, USA, for sending newsletters and for certain marketing automations. Klaviyo processes, among other things, your email address, IP address, and usage data (e.g., open and click rates) to send newsletters, personalize content, and optimize our communication. The legal basis for this is your consent pursuant to Art. 6 para. 1 lit. a GDPR (e.g., newsletter registration) or our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in effective customer communication. Data may be transferred to the USA. Klaviyo relies on appropriate safeguards for this (e.g., EU Standard Contractual Clauses / possibly the EU-US Data Privacy Framework). You can find further information in Klaviyo's privacy policy. You can withdraw your consent at any time with effect for the future (unsubscribe link in the newsletter).

Other tracking/marketing tools

Our online shop is technically operated by an external service provider. As part of the technical implementation, this service provider may integrate additional analytics or marketing tools (e.g., for measuring reach or improving shop performance).
Such tools are only used:

  • if they are technically necessary for the operation of the business (Art. 6 para. 1 lit. f GDPR), or
  • if you have previously given your consent via our consent tool (Art. 6 para. 1 lit. a GDPR, § 25 TDDDG).

The specific tools used and their providers are displayed in the consent tool (cookie banner). You can change your selection there at any time.

9. Security of processing

We use SSL/TLS encryption, role-based access control, and contractually bound data processors to protect your data from unauthorized access. Furthermore, technical and organizational measures for detecting and reporting data breaches are implemented.

In the event of a data breach, the necessary steps will be taken to protect the data subjects and cooperation will be maintained with the relevant supervisory authorities.

10. Worldwide accessibility / Delivery restriction

Our website is accessible worldwide. However, we currently only ship to the delivery countries listed in our shop (Germany, Austria, and Switzerland). Different requirements may apply to orders from other countries due to local legal regulations. The information provided at checkout is definitive.