Privacy policy

 

Who are we and what is the scope of this Privacy Policy?

As the data controller, OpenELAB (“we”, “us” or “our”) processes certain personal data to enable you to make use of our e-commerce shop situated on our website as well as enjoy our products. This Privacy Policy describes our data processing operations and provides you with information on your rights related to your data.

This Privacy Policy applies to all websites operated under our domain (openelab.io), including our e-commerce store and related activities such as organizing delivery and carrying out marketing operations. Kindly observe that in some events our websites may include links to external third-party websites that are not operated By us. This Privacy Policy applies to all websites operated under our domain (openelab.io), including our e-commerce store and related activities such as organizing delivery and carrying out marketing operations. Kindly observe that in some events our websites may include links to external third-party websites that are neither operated By this This Privacy Policy applies to all websites operated under our domain (www.openelab.io), including our e-commerce store and related activities such as organizing delivery and carrying out marketing operations. Kindly observe that in some events our websites may include links to external third-party websites that are neither operated By these third parties we advise you to review their privacy policies.

Furthermore, if you order our products through a third-party website (e.g., Amazon) such third parties may process your data for their purposes and act as the data controller. For further information regarding their data processing operations please see their applicable privacy policies.

If you wish to learn more about which cookies and similar technologies, we use kindly see our Cookie Policy.

 

What personal data do we process, for what purposes, and based on which lawful bases?

Provision of services

It is necessary for OpenELAB to process your contact information including name, phone number, email address, and delivery address data, as well as your payment and order information (e.g., payment method, product information, order date, and shipping method) to:

  • Execute the purchase agreements including dispatch, delivery, and payment processing;
  • Respond to inquiries, manage your account, and provide other customer service;
  • Manage claims and process returns, complaints, and warranty claims;
  • Provide non-promotional service communications to you relating to e.g., technical, security-related topics and contractual matters (e.g., fraud warnings, account blocking, or contractual changes);
  • Provide further services requested By you.

     Furthermore, we may process your social security number or birth date for credit check purposes, if required. The lawful basis for processing this data for the listed purposes is our contract as per Art. 6(1)(b) GDPR in the form of our Terms of Service.

    Marketing

    We also process your contact information, including your email address and phone number, for marketing purposes. To the extent content of the marketing communications is personalized, we may also process your order history (i.e., products bought before) as well as your interests as indicated By the cookies that you have accepted (for further information see Cookie Policy). The marketing operations include:

    • sending newsletters, reminders, product updates, recommendations, promotional offers, and other promotional communications to your email address or By post to your delivery address;
    • communicating promotional messages to you via text messages and WhatsApp or Facebook Messenger applications;
    • targeting promotional content to you and third parties on social media platforms including Facebook, Instagram, and TikTok;
    • Sending push notifications, including marketing communications, to you.

      The applicable lawful basis for marketing communications and social media targeting is either consent (Art. 6(1)(a) GDPR) or legitimate interests of OpenELAB to provide direct marketing (Art. 6(1)(f) GDPR). The applicable lawful basis depends on whether you are an existing client or a new client, on the approach we have chosen as well as on the content of the promotions. Kindly observe that push notifications require your consent which is also the lawful basis for processing any personal data collected to provide such notifications.

      When you first sign up for the services, OpenELAB wishes to process your data for marketing communications and social media targeting operations to provide you with information relating to similar products or services in which you have shown interest. OpenELAB gives you the option to object to our use of your data for marketing operations, upon sign-up or at any time thereafter through the unsubscribe links or By changing the marketing settings in your profile. In the event, we instead ask for you to opt-in to our marketing operations or you do so later in your profile or through functions of our website (e.g., to receive a notification once an out-of-stock product is back), the lawful basis for processing is your consent. 

      To enhance your experience, provide you with tailored communications and promotions as well as enable you to collect loyalty points and receive personalized discounts, we collect certain information to assign you to a customer segment and create a client profile. In addition to the personal data defined above, including your name and address information, the assigned segment and created profile are based on:

      • your purchase history;
      • your device and network information;
      • your actions on our website and third-party websites, provided you have accepted cookies;
      • your interaction with our communications, including social media pages via pixels and personalized URLs;
      • your birthday if you have provided it.

        The lawful basis for creating these segments and profiles as well as using them to personalize the services and marketing communications is our legitimate interest to carry out personalized marketing and your legitimate interest to receive personalized discounts and recommendations based on your interests by Art. 6(1)(f) GDPR).

        Blog

        We operate a blog on our website and enable you to interact with our blog and other readers By submitting We operate a blog on our website and enable you to interact with our blog and other readers By subscribing to notifications when new comments or blog articles are posted. If you choose to leave a comment the personal data processed is your name or your chosen username (pseudonym) that is publicly available on the website as well as your email address and IP address which are processed in a non-public manner. The lawful basis for processing such data is our legitimate interests by Art. 6(1)(f) GDPR to enable you to interact with our bloggers and other commentators and your legitimate interests to do so. Where you decide to subscribe to comment notifications the lawful basis is consent as per Art. 6(1)(a) GDPR.

        Community

        We hope you are happy with our products and welcome your feedback and suggestions for improvements or new products. For this purpose, we may operate a client community on Facebook. We process group insights metrics about the group, including member activity and engagement within the group to e.g., understand how you engage within the group, see who the most active group members are, and learn which posts have the most engagement. The lawful basis for processing such group information is our legitimate interests by Art. 6(1)(f) GDPR to interact with our clients to create better products and your legitimate interests to engage with us and provide feedback.

        We have created a referral program where you recommend us and our products to your friends. To do so you can either share your code with your friends or submit your friends’ contact details, and they will be notified through the given channel (e.g., via email). The lawful basis for such processing is our legitimate interest in getting in touch with potential new clients, your legitimate interest in sending your friend recommendations, and your friends’ legitimate interest in receiving recommendations that might interest them. We will inform your friend of your referral and provide adequate information about our privacy practices in the first communication. In the event your friend does not become a client, we will not store their contact details. If you choose the share your code and your friend uses it or if you are the friend using the code, we will maintain this information in your customer profile to provide you with discounts or other benefits related to the use of the code.

        Other purposes

        We may also use the categories of personal data mentioned from over as well as further data, that can be defined as personal data, collected By our essential cookies or otherwise for the following purposes:

        • maintenance of security of our website and services, including preventing data breaches;
        • fraud prevention;
        • research and development of our website and services provided that the data is in summarized, pseudonymized, or anonymized form;
        • compliance with laws or court orders (e.g., to carry out applicable anti-money laundering or know your customer checks);
        • establishment, exercise, or defense of legal claims.

          For these operations, we rely on our legitimate interests to detect and prevent fraud, maintain the security of our services, and improve the same as well as to pursue or defend legal claims by Art. 6(1)(f) GDPR). Where we need to process your data to comply with legal obligations e.g., applicable laws and regulations or court order the applicable lawful basis for processing is legal obligation as per Art. 6(1)(c) GDPR.

           

          From where do we get your data and with whom do we share it?

          In general, we process personal data that is directly provided By you to us or that is derived from your use of our services. Our business operations, also require us to engage service providers who assist us in providing our services and products to you, and who may, subject to appropriate agreements and security measures, disclose your data to us or with whom we may share your data. Such service providers may include:

          • e-commerce platforms;
          • payment service providers;
          • credit check agencies;
          • customer service and relationship management platforms;
          • customer support services (e.g., chat providers);
          • marketing platforms and services, including social media platforms and conversion tracking services;
          • delivery companies;
          • collection service providers;
          • loyalty, reward, and referral program providers;
          • companies belonging to the same group as us;
          • third parties upon a business transaction (e.g., a merger and acquisition, or a liquidation).

            Furthermore, in the event we are obliged By law Furthermore, in the event we are obliged By court decision to disclose your data or where we need to do so to establish, exercise, or defend legal claims, we may forward your data to prosecution authorities or other relevant third parties.

             

            Do third parties act as joint controllers?

            Where personal event data is processed via Facebook’s social plugins, pixels, or Software Development Kits (SDKs) in the course of OpenELAB’s use of the Facebook Business Tools services, Facebook Ireland acts as a joint controller. This is also the case for processing personal data in events for Facebook Page Insights, the aggregation of such events as well as provision of such information to the Facebook page admins. For further information on how Facebook processes your data, including the lawful bases for such processing, and how you can exercise your rights please see the applicable privacy policy.

             

            Where is your data processed?

            OpenELAB is a European company located in Germany. However, we may transfer your data to other countries within the EU/EEA as well as to third countries. Where personal data is transferred to third countries that are not covered By a relevant adequacy decisionwe ensure that a relevant transfer mechanism (e.g., Standard Contractual Clauses) and any required additional technical and organizational security measures are in place.

             

            How is your data protected?

            OpenELAB has in place comprehensive technical and organizational security measures to ensure your data is secured. These are reviewed and updated regularly to ensure they comply with the state of the art.

            We also review our vendors and sign appropriate agreements with them to ensure that they comply with our defined security measures.

             

            When will we delete your data?

            Your data is only stored for as long as it is necessary for the purposes defined in this policy including to comply with our legal obligations e.g., to provide product warranty or to store financial documentation.

             

            What are your rights regarding our data processing operations and how to contact us?

            In addition to your right to receive information in the form of this privacy policy, you have the following rights under the relevant legal conditions:

            • right to access your data;
            • right to rectify your incorrect or incomplete data;
            • right to be forgotten (data deletion/anonymization);
            • right to restrict processing;
            • right to data portability;
            • right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you; and
            • right to complain to a supervisory authority.

              Furthermore, in the event we process your data relying on legitimate interests, you have the right to object to this processing with effect for the future. If you exercise your right to object, we will stop the processing of the relevant data. However, further processing may occur provided that we can prove comprehensive reasons for processing that override your interests, fundamental rights, and fundamental freedoms, or if the processing is for the certification, exercise, or defense of legal claims. If we process your data for direct advertising purposes, you have the right to object at any time to such processing and we will stop processing your data for direct marketing purposes.

              Kindly observe that we do not sell your data. However, in the event of a business transaction, your data may be transferred to a new controller entity.

              To exercise your rights, please send us an email to info@openelab.io. Please note that the group has appointed a Data Protection Officer (DPO) who monitors our privacy compliance officers and can answer any further questions you may have regarding our data processing operations.

              You can also reach us via post:

              OpenELAB GmbH i.G.

              Attn: Data Protection Officer

              Zeppelinstraße 33, 85748 Garching bei München

              Kindly note that as an e-commerce operator, we process your data in electronic form and therefore, upon a request to access your data, we provide such data in a commonly used machine-readable format (e.g., PDF).

               

              Who is our group data protection officer?

              Ping Chen

              c/o OpenELAB GmbH i.G.

              Zeppelinstraße 33

              85748

              Garching bei München

               

              When was this Privacy Policy last reviewed?

              This Privacy Policy was last reviewed and updated on 03/2024. Upon material changes to this Privacy Policy, we will notify you via your given email address.