Data protection
Privacy Policy of hajoona GmbH for Consumers
Translation. In case of discrepances the German version shall prevail.
§ 1 Information on the Collection of Personal Data
In the following, we provide information about the processing of personal data when using our website. Personal data is all data that can be related to you personally, e.g. name, address, e-mail addresses, user behaviour. In this way, we would like to inform you about our processing operations and at the same time comply with legal obligations, in particular from the EU General Data Protection Regulation (GDPR).
The controller according to Art. 4 para. 7 GDPR is:
hajoona GmbH, Heinrich-Fuchs-Straße 94-96, 69126 Heidelberg
Phone: +49 (0) 6221 64702-77, E-mail: office@hajoona.com
We have appointed a data protection officer for our company:
Frank Flader, Heinrich-Fuchs-Straße 94-96, 69126 Heidelberg
Phone: +49 (0) 6221 64702-77E-Mail: datenschutz@hajoona.com
If you have any questions about data protection, please feel free to contact the contact mentioned above.
If we want to use commissioned service providers for individual functions of our offer or use your data for advertising purposes, we will always carefully select and monitor these service providers and inform you in detail about the respective processes below. We also mention the defined criteria for the storage period.
§ 2 Processing of personal data when visiting our website
a) Technical log data (server log files)
When using the website for informational purposes, i.e. merely viewing it without registering and without you otherwise providing us with information, we process the personal data that your browser transmits to our server. The data described below is technically necessary for us to display our website to you and to ensure stability and security and must therefore be processed by us. The legal basis is Art. 6 para. 1 sentence
1 lit. f GDPR:
- Specifically, this data is as follows:
- Browser type and version
- operating system used
- Referrer URL
- Hostname of the accessing computer
- Time of the server request
- IP address
b) Cookies and consent management
Our websites use so-called "cookies". Cookies are small text files that are stored on your device. They do not cause any damage and do not contain viruses. Cookies can be stored temporarily for the duration of a session (session cookies) or permanently (persistent cookies). Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your device until you delete them yourself or your browser automatically removes them.
In some cases, cookies from third-party companies may also be stored on your device when you enter our website (third-party cookies). These enable us or you to use certain services of the third-party company (e.g. payment processing, integration of videos or analysis tools).
Cookies have different functions. Many cookies are technically necessary because certain website functions could not be provided without them (e.g. shopping cart function, secure login, viewing videos). Other cookies are used to evaluate user behavior or fulfill marketing purposes.
For technically necessary cookies, the processing is carried out on the basis of Art. 6 (1)
(f) GDPR (legitimate interest in a technically error-free and optimized provision of our services). All other cookies (e.g. statistics, marketing, external media) are only set after your explicit consent. The legal basis is Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future.
In order to obtain and document consent in a legally compliant manner, we use the consent management tool "Borlabs Cookie" from Borlabs GmbH, Rübenkamp 32, 22305 Hamburg, Germany. When you visit our website, a banner will be displayed that you can use to make your selection. Your settings are stored in a cookie ("borlabs-cookie") on your device. This cookie stores which consents you have given, so that they do not have to be asked again on future visits. The storage period is 1 year.
You can change or revoke your consent at any time by clicking on the "Cookie Settings" link in the footer of our website.
You can also set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general, and activate the automatic deletion of cookies when you close the browser. If you disable cookies, the functionality of this website may be limited.
§ 3 Hosting und Content Delivery Networks (CDN)
This website is hosted by an external service provider (hoster). The personal data collected on this website is stored on the hoster's servers. This can include, but is not limited to, IP addresses, contact requests, meta and communication data, contract data, contact data, names, website accesses and other data generated via a website.
The hoster is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR).
Our host will only process your data to the extent necessary to fulfil its performance obligations and follow our instructions with regard to this data.
In order to ensure data protection-compliant processing, we have concluded a contract for order processing with our hoster.
§ 4 Data security
This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address bar of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.
If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
§ 5 Use of our webshop
a) Contract/order processing
If you want to order in our webshop, it is necessary for you to provide your personal data, which we need for the purpose of processing your order. In the course of contract processing, we process the following personal data in particular: first and last name, delivery and billing address, date of birth, e-mail address, telephone number, bank details, credit card data and – if relevant – tax or VAT identification number. Mandatory information required for the execution of the contracts is marked separately, further information is voluntary. For payment, you can provide your payment details to our payment service providers, whereby these third parties are each independently responsible for payment processing. The legal basis for this is Art. 6 (1) sentence 1 (b) GDPR.
We may also process the data you provide to inform you about other interesting products from our portfolio or to send you emails with technical information.
Due to commercial and tax law requirements, we are obliged to store your address, payment and order data for a period of ten years.
b) Credit check
If we make advance payments, for example in the case of purchase on account, we reserve the right to carry out a credit check to protect our legitimate interests. For this purpose, we transmit the personal data required for a credit check (name, address) to credit agencies, e.g. SCHUFA Holding AG or Creditreform Boniversum GmbH.
The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in the assessment of solvency and the avoidance of payment defaults.
Further information on data processing by Creditreform Boniversum GmbH in accordance with Art. 14 GDPR can be found at: https://www.boniversum.de/eu-dsgvo
§ 6 Data transmission upon conclusion of a contract for services and digital content
We only transmit personal data to third parties if this is necessary in the context of the execution of the contract, for example to the bank commissioned to process the payment.
The data will not be transmitted further or will only take place if you have expressly consented to the transfer. Your data will not be passed on to third parties without explicit consent, for example for advertising purposes.
The basis for data processing is Art. 6 (1) (b) GDPR, which permits the processing of data for the performance of a contract or pre-contractual measures.
§ 7 Contact form
If you send us enquiries via the contact form, your details from the enquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the enquiry and in the event of follow-up questions. We do not pass on this data without your consent.
The processing of this data is carried out on the basis of Art. 6 (1) (b) GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR), if this has been requested.
The data you enter in the contact form will remain with us until you ask us to delete it, revoke your consent to the storage or the purpose for which the data is stored no longer applies (e.g. after your enquiry has been processed). Mandatory statutory provisions – in particular retention periods – remain unaffected.
§ 8 Enquiry by e-mail, telephone or fax
If you contact us by e-mail, telephone or fax, your enquiry, including all personal data resulting from it (name, enquiry), will be stored and processed by us for the purpose of processing your request. We do not pass on this data without your consent.
The processing of this data is carried out on the basis of Art. 6 (1) (b) GDPR if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on your consent (Art. 6 para. 1 lit. a GDPR) and/or on our legitimate interests (Art. 6 para. 1 lit. f GDPR), as we have a legitimate interest in the effective processing of the inquiries addressed to us.
The data you send to us via contact requests will remain with us until you ask us to delete it, revoke your consent to its storage or the purpose for which it was stored no longer applies (e.g. after your request has been processed). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.
§ 9 Handling of Applicant Data
We offer you the opportunity to apply to us (e.g. by e-mail, post or via the online application form). In the following, we inform you about the scope, purpose and use of your personal data collected as part of the application process. We assure you that the collection, processing and use of your data will be carried out in accordance with applicable data protection law and all other legal provisions and that your data will be treated in the strictest confidence.
If you send us an application, we will process your associated personal data (e.g. contact and communication data, application documents, notes in the context of job interviews, etc.) insofar as this is necessary to decide on the establishment of an employment relationship. The legal basis for this is § 26 BDSG-neu under German law (initiation of an employment relationship), Art. 6 (1) (b) GDPR (general contract initiation) and – if you have given consent – Art. 6 (1) (a) GDPR. The consent can be revoked at any time. Your personal data will only be passed on within our company to persons who are involved in processing your application.
If the application is successful, the data you submit will be stored in our data processing systems on the basis of Section 26 of the new Federal Data Protection Act (BDSG) and Article 6 (1) (b) of the GDPR for the purpose of carrying out the employment relationship.
If we are unable to make you a job offer, you reject a job offer or withdraw your application, we reserve the right to store the data you provide on the basis of our legitimate interests (Art. 6 para. 1 lit. f GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application). The data will then be deleted and the physical application documents destroyed. The storage serves in particular for the purpose of providing evidence in the event of a legal dispute. If it is evident that the data will be required after the expiry of the 6-month period (e.g. due to an imminent or pending legal dispute), deletion will only take place if the purpose for further storage no longer applies.
Longer storage may also take place if you have given your consent (Art. 6 para. 1 lit. a GDPR) or if statutory retention obligations preclude deletion.
§ 10 Analysis Tools and Advertising
a) Google Analytics
This website uses the web analysis service Google Analytics of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). The purpose of the assignment is to analyse the use of our website and to compile statistics and reports to improve our offer.
Google Analytics uses cookies that enable an analysis of your interactions with our website. In particular, data on the device/browser, IP addresses (in anonymized form) and website activity are collected. We have activated the IP anonymization ("IP masking") function on this website. This shortens your IP address within the member states of the European Union or other contracting states of the Agreement on the European Economic Area before transmission. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there.
Google processes the collected data on our behalf. To this end, we have concluded a contract processing agreement with Google. If a transfer to the USA takes place, Google is certified according to the EU-U.S. Data Privacy Framework, which ensures an appropriate level of data protection.
The legal basis for the processing is your consent in accordance with Art. 6 (1) sentence 1 (a) GDPR. The storage period of the data stored with Google is a maximum of 14 months. You can revoke your consent at any time with effect for the future. You can revoke your consent via our consent manager or alternatively by installing the browser add-on provided by Google: https://tools.google.com/dlpage/gaoptout?hl=deb.
b) Meta Pixel
This website uses the Meta Pixel service of Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta"). By integrating the Meta Pixel, we can understand how users interact with our website after clicking on one of our ads. The purpose is to evaluate the effectiveness of our meta ads for statistical and market research purposes and to optimize them. The legal basis for the use is your consent in accordance with Art. 6 (1) sentence 1 (a) GDPR; the integration takes place exclusively after your consent.
When you visit our website, your browser automatically establishes a direct connection to Meta's servers. This gives Meta the information that you have accessed our website or clicked on an ad from us. If you are registered with a Meta service, Meta can assign the visit to your account. Even if you are not registered with Meta or have not logged in, it is possible that Meta will collect your IP address and other identifiers and use them for profiling purposes.
The data collected is stored and processed by Meta and may also be transferred to third countries, in particular the USA. For transfers to the United States, Meta relies on the EU-U.S. Data Privacy Framework, to which it is a party, and thus ensures an adequate level of data protection.
The revocation of your consent is possible at any time with effect for the future, without affecting the lawfulness of the processing carried out up to the revocation. The easiest way to revoke your consent is via our Consent Manager. In addition, logged-in users can deactivate the collection by Meta in the area of the advertising settings of the respective network:
https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen
§ 11 Newsletter
If you would like to subscribe to the newsletter offered on the website, we need an email address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter.
We use the so-called double opt-in procedure for registration. After your registration, you will receive an e-mail in which we ask you to confirm that you would like to receive the newsletter. Only after this confirmation will your registration become effective. This procedure serves to prevent abusive registration with foreign e-mail addresses. The registration and confirmation are logged in order to be able to legally prove your consent.
The legal basis for the processing of your data is your consent in accordance with Art. 6 (1) (a) GDPR. You can revoke your consent at any time, for example via the unsubscribe link contained in each newsletter or by sending a message to the contact details provided in the imprint. The lawfulness of the processing carried out up to the revocation remains unaffected.
Your data will only be used to send the newsletter and will not be passed on to third parties. After you unsubscribe from the newsletter, your data will be deleted from the mailing list, unless there are statutory retention obligations to the contrary.
§ 12 Plugins and Tools
a) YouTube with extended data protection
This website embeds videos from YouTube. The operator of the pages is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
We use YouTube in extended privacy mode. According to YouTube, this mode means that YouTube does not store any information about visitors to this website before they watch the video. The disclosure of data to YouTube partners, on the other hand, is not necessarily excluded by the extended data protection mode. Here's how YouTube connects to the Google DoubleClick network whether you're watching a video.
As soon as you start a YouTube video on this website, it connects to YouTube's servers. The YouTube server is informed which of our pages you have visited. If you are logged in to your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.
Furthermore, YouTube can store various cookies on your device after starting a video. With the help of these cookies, YouTube can obtain information about visitors to this website. This information is used, among other things, to collect video statistics, improve the user experience and prevent fraud attempts. The cookies remain on your device until you delete them.
If necessary, further data processing operations may be triggered after the start of a YouTube video, over which we have no influence. YouTube is used in the interest of an appealing presentation of our online offerings. This constitutes a legitimate interest within the meaning of Art. 6 (1) (f) GDPR. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6 (1) (a) GDPR; consent can be revoked at any time.
For more information about privacy at YouTube, please see their privacy policy at:
https://policies.google.com/privacy?hl=de.
b) Google Web Fonts
This site uses so-called web fonts, which are provided by Google, for the uniform display of fonts. When you call up a page, your browser loads the required web fonts into its browser cache in order to display texts and fonts correctly.
For this purpose, the browser you use must connect to Google's servers. This makes Google aware that this website has been accessed via your IP address. The use of Google WebFonts is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the uniform presentation of the typeface on its website. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6 (1) (a) GDPR; consent can be revoked at any time.
If your browser does not support Web Fonts, a default font will be used by your computer.
For more information about Google Web Fonts, see
https://developers.google.com/fonts/faq and Google's privacy policy:
https://policies.google.com/privacy?hl=de.
c) Google Maps
This site uses the Google Maps map service via an API. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
In order to use the functions of Google Maps, it is necessary to store your IP address. This information is usually transmitted to a Google server in the USA and stored there. The provider of this site has no influence on this data transfer.
The use of Google Maps is in the interest of an appealing presentation of our online offers and to make it easy to find the places we indicate on the website. This constitutes a legitimate interest within the meaning of Art. 6 (1) (f) GDPR.
More information on the handling of user data can be found in Google's privacy policy: https://policies.google.com/privacy?hl=de.
d) Social Media Links and Profiles
On our website you will find links to our social media presences (e.g. Instagram, Facebook, LinkedIn). These are only linked buttons. As long as you visit our website, no personal data is automatically transferred to these providers.
Only when you click on the respective button and are thus redirected to the platform, your browser leaves our website and establishes a direct connection to the servers of the respective network. From this point on, your data will be processed by the respective provider under its own responsibility under data protection law.
We would like to point out that user data may be transferred to third countries, in particular the USA, and that we have no influence on the type and scope of data processing carried out by the platforms.
Further information on data processing by the respective providers as well as on your rights and setting options to protect your privacy can be found in the data protection notices of the providers:
Instagram: https://privacycenter.instagram.com/policy/
Facebook: https://www.facebook.com/privacy/policy/
LinkedIn: https://www.linkedin.com/legal/privacy-policy
YouTube: https://policies.google.com/privacy?hl=de
§ 13 Data Processing in Third Countries
(1) A transfer of personal data to a third country (outside the European Union or the European Economic Area) will only take place if this is necessary for the fulfilment of our contractual obligations, on the basis of your express consent or on the basis of a legal permission.
(2) If we use services from providers based in a third country (e.g. Google, Meta/Facebook, YouTube), data will only be transferred if there is an adequacy decision by the European Commission for the third country in question (Art. 45 GDPR), if we have concluded EU standard contractual clauses (Art. 46 (2) (c) GDPR) with the service provider or if other suitable safeguards exist.
(3) For data transfers to the USA, we use providers who are certified according to the EU-U.S. Data Privacy Framework, as far as possible. This recognises an adequate level of data protection. If a provider is not certified according to the Data Privacy Framework, we base the transfer on EU standard contractual clauses and, if necessary, supplementary technical and organizational measures.
§ 14 Rights of data subjects
a) Information, deletion and correction
Within the framework of the applicable legal provisions, you have the right to free information about your stored personal data, its origin and recipients and the purpose of the data processing at any time and, if necessary, a right to rectification or deletion of this data. For this and other questions on the subject of personal data, you can contact us at any time at the address given in the imprint.
b) Right to restriction of processing
You have the right to request the restriction of the processing of your personal data. You can contact us at any time at the address given in the imprint. The right to restriction of processing exists in the following cases:
- If you contest the accuracy of your personal data held by us, we will usually need time to verify this. For the duration of the audit, you have the right to request the restriction of the processing of your personal data.
- If the processing of your personal data was/is unlawful, you can request the restriction of data processing instead of deletion.
- If we no longer need your personal data, but you need it to exercise, defend or assert legal claims, you have the right to request the restriction of the processing of your personal data instead of erasure.
- If you have filed an objection in accordance with Art. 21 (1) GDPR, a balancing of your interests and ours must be carried out. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.
If you have restricted the processing of your personal data, this data may only be processed with your consent or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or of a Member State.
c) Withdrawal of your consent to data processing
Many data processing operations are only possible with your explicit consent. You can revoke any consent you have already given at any time. All you need to do is send us an informal message by e-mail. The lawfulness of the data processing carried out up to the time of revocation remains unaffected by the revocation.
d) Objection to advertising e-mails
The use of contact details published in the context of the imprint obligation for the sending of unsolicited advertising and information material is hereby contradicted. The operators of the pages expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, for example by spam e-mails.
e) Right to object to data collection in special cases as well as to direct marketing (Art. 21 GDPR)
If the data processing is carried out on the basis of Art. 6 (1) (e) or (f) GDPR, you have the right to object to the processing of your personal data at any time on grounds relating to your particular situation; this also applies to profiling based on these provisions. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims (objection pursuant to Art. 21 para. 1 GDPR).
If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct advertising. If you object, your personal data will no longer be used for the purpose of direct marketing (objection pursuant to Art. 21 para. 2 GDPR).
f) Right to lodge a complaint with the competent supervisory authority
In the event of violations of the GDPR, the data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, their place of work or the place of the alleged infringement. The right of appeal exists without prejudice to other administrative or judicial remedies.
g) Right to data portability
You have the right to have data that we process automatically on the basis of your consent or in fulfilment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done to the extent that it is technically feasible.
Status of the data protection declaration: 01.02.2026