Privacy Policy

We, the Hemro International AG, Thurgauerstrasse 80, 8050 Zürich, Switzerland (Hemro/we), thank you for visiting our website and for your interest in Hemro. In the following, we provide information about the type, scope, and purpose of the collection and use of your personal data on this website. Personal data is any information relating to an identified or identifiable natural person. This includes in particular your name, address, and email address. If provisions of the General Data Protection Regulation (GDPR) are named in this Privacy Policy, these shall apply in accordance with Art. 3 GDPR. In all other respects, the applicable statutory provisions on data protection shall apply.

1. Data processing to enable the use of the website

Every time you access content on our website, connection data is transferred to our web server. This connection data includes:

  • the IP address (Internet Protocol address) of the respective users
  • the date and time of the query 
  • the referrer URL
  • device numbers such as your unique device identifier (UDID) and comparable device numbers, device information (e.g., device type)
  • the browser type/version

    This connection data is neither used to determine a user’s identity nor is it combined with data from other sources. Rather, it serves to make the website available. The legal basis for processing your data is Art. 6 (1) (1) (f) GDPR. After no more than seven days, the connection data is anonymized by truncating the IP address at the domain level. 

    2. Data processing on request

    The use of our website is generally possible without providing personal data. You are neither obliged to visit this website nor to provide any personal data. Personal data, except for orders, also does not have to be provided in order for a contract to be concluded. If you do not provide us with the personal data listed below, you may not be able to use certain functions or services of this website. Other than that there will be no consequences for you. 

    We process your personal data when you use our following services:

    2.1. Order in the shop

    When you place an order with us, we process the following data from you:
    • registration data from the customer account (see Section 2.2 or Section 2.3) or your guest data
    • purchase data (order/shopping cart)
    • payment data (payment method, account data, and credit card data, billing addresses)
    Your personal data is processed based on Art. 6 (1) (1) (b) GDPR.

    2.2. Dealer area

    If you register with us as a dealer and use the dealer area on our website, we will process your data for this purpose.

    When using a password, please take appropriate security measures. For example, a password should contain a minimum of 8 characters and should always consist of a combination of upper- and lowercase letters, numbers, and special characters. Trivial words such as “ABC” or keyboard sequences (e.g., “qwert” or “asdfgh”), all kinds of names (e.g., of friends, acquaintances, colleagues, family members, pets), city and building names, cartoon characters, car brands, license plates, terms, dates of birth, telephone numbers, common abbreviations, etc. are thus problematic.

    Your personal data is processed based on Art. 6 (1) (1) (b) GDPR.

    2.3. Registration as customer

    If you would like to register as a customer, we will collect the required mandatory information from you (first name, last name, e-mail address, password).

    Registration is not necessary, but it will make the ordering process easier for you for future orders, as you can reuse the data you have already saved. Alternatively, you ca

    If you wish to register as our customer, we collect the mandatory information required from you (first name, last name, email address, password). 

    Registration is not necessary, but it will make the ordering process easier for you for future orders, as you can reuse the data you have already saved. Alternatively, you can place an order as a guest. In this case, we collect the same data from you as during the registration, with the exception of a password. This data, however, is not stored in a customer account for you, meaning you do not have access to a customer account. 

    After registration has been completed, you can log in by providing your email address and password. Please always make sure to log out before leaving the website.

    When using a password, please take appropriate security measures. For example, a password should contain a minimum of 8 characters and should always consist of a combination of upper- and lowercase letters, numbers, and special characters. Trivial words such as “ABC” or keyboard sequences (e.g., “qwert” or “asdfgh”), all kinds of names (e.g., of friends, acquaintances, colleagues, family members, pets), city and building names, cartoon characters, car brands, license plates, terms, dates of birth, telephone numbers, common abbreviations, etc. are thus problematic.

    The processing of your personal data is based on your consent pursuant to Art. 6 (1) (1) (a) GDPR. 

    We also store your IP address and the time of registration during the registration process. This is necessary to ensure the security of our information technology systems. The legal basis for processing your data in this case is Art. 6 (1) (1) (f) GDPR.

    2.4. Login

    If you are a Hemro customer, you may be able to access separate information or updates about the product you are using through this website’s login feature.

    Login data must be kept strictly confidential. If a password has nevertheless been shared, for example, to enable third parties to access certain databases in an emergency, the password must be changed immediately. For your own protection, passwords that have already been used before may not be used again.

    We also store your IP address and the time of access during the login process. This is necessary to ensure the security of our information technology systems.

    We also set a session cookie each time you log in. This session cookie prevents automatic logout during active use of the account or related services. After the respective logout, the session cookie is automatically deleted within a few minutes.

    The legal basis for processing your data is Art. 6 (1) (1) (f) GDPR and, if your contractual relationship is affected, Art. 6 (1) (1) (b) and/or (f) GDPR.

    2.5 Contact form

    If you use the contact form we provide to contact us, your details will be stored so that they can be used to process your query. Provision of your email address is sufficient for us to contact you. The additional voluntary information about your person serves only to personalize the address for you.

    The legal basis for processing your data is Art. 6 (1) (1) (f) GDPR. Our legitimate interest then lies in responding to your query. 

    In the event that (pre)contractual measures are implemented, the legal basis is Art. 6 (1) (1) (b) GDPR. 

    2.6 Newsletter

    If you expressly consented to receiving our newsletter, information about company news, current events, and the latest coffee grinding product highlights will be sent regularly to the email address you provided. Provision of your email address is sufficient for us to send you the newsletter. The additional voluntary information about you is only used to personalize the newsletter for you. 

    In order to subscribe to our newsletter, we use the so-called double-opt-in procedure. This means that once you have subscribed, we will send you an email to the email address you provided, asking you to confirm that you want us to send you the newsletter. If you do not complete your subscription within 3 months, your information will be automatically deleted. In the context of registration and the double opt-in process, we use the services of the service provider Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland (Shopify).

    If you have confirmed receipt of the newsletter, we use the online marketing platform Mailchimp ("Mailchimp"), which is operated by Intuit Inc, 2700 Coast Ave, Mountain View, CA 94043, 650-944-6000, USA, in connection with our newsletter. Mailchimp is a service that can be used to organize the sending of newsletters, among other things. Our newsletters sent with Mailchimp enable us to analyze the behavior of newsletter recipients via a tracking pixel (so-called web beacons). Here, among other things, it can be analyzed how many recipients have opened the newsletter message and how often which link in the newsletter was clicked. For more information about Mailchimp's data protection, please visit: https://mailchimp.com/legal/cookies/#Cookies_served_through_the_Service and https://www.intuit.com/privacy/statement/

    The processing of your personal data is based on your consent pursuant to Section 25 (1) sentence 1 TTDSG for the storage and access to information in terminal equipment and Art. 6 (1) sentence 1 lit. a DSGVO for our further processing of your data. You may withdraw your consent at any time with effect for the future. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. A link is provided at the end of each newsletter for you to exercise your right to withdraw. Alternatively, you can also withdraw your consent at any time, for example, by sending an email to marketing@hemrogroup.com. 

    Please note that Intuit Inc. is a company from the USA. According to a recent ruling by the European Court of Justice (ECJ), no adequate level of data protection exists in the USA, meaning that there is a risk to the protection of your data. For example, under certain conditions, US authorities may therefore process your data for control and monitoring purposes. For further information regarding the legal basis for the transfer of data, please refer to Art. 49 GDPR for now. After EU standard data protection clauses have been implemented, this shall provide the legal basis for the transfer of data to third countries.

    When you subscribe to a newsletter, we also store your IP address and the time of registration in order to fulfill our legal duty to document. The legal basis for data processing in this case is Art. 6 (1) (1) (c) GDPR.

    3. Data processing for the demand-oriented design of the website

    In order to make your user experience of our website as pleasant as possible, we use so-called “web tracking systems.” Cookies are generally used for this purpose. These are small text files, which are sent from a web server to your browser and stored on your computer’s hard drive. This enables us to recognize the end device you are using when you access our website. We are thus able to determine, for example, whether you are logged in, have an active shopping cart, and what the contents of your shopping cart are. The session cookies deployed for using the shop are deleted at the end of the browser session. Other cookies remain on your end device and allow us to recognize your device on your next visit

    A list of the tracking tools and other services that we use and that use cookies is provided in Section 3.1 et seq.

    Most browsers are set to accept cookies by default. You can deactivate the storage of cookies in your browser and delete them from your hard drive at any time. However, you can also use your browser to prevent certain cookies (e.g., from third parties) from being set – to prevent web tracking, for example. Further information about your browser’s help function is available here.  

    We would like to point out that you can also install a plug-in in your browser to protect your privacy. Plug-ins such as AdBlock, Ghostery, or NoScript can prevent tracking (please refer to the privacy policy of the respective plug-in provider).  

    Finally, we would like to point out that if cookies are deactivated, it may not be possible to use all functions of this website to their full extent. Please also note that deactivation may have to be carried out for each browser and each end device.

    Details of the cookies used on the website can be found in the cookie banner and in the following terms and conditions. Unless otherwise stated in the following provisions in Section 3.1 ff., the legal basis for processing your data is Art. 6 (1) (1) (f) GDPR. Our legitimate interest lies in the needs-oriented design of the website. 

    3.1. Cookie consent with the cookie consent tool

    In order to be able to manage your consent to the use of tracking tools, we use the cookie consent tool "GDPR Legal Cookie" from the provider beeclever GmbH, Friedrich-Mohr-Straße 1, 56070 Koblenz. In addition to the connection data, the granting or refusal of your consent or the withdrawal of consent is processed in this context. In order to be able to make the corresponding assignment, the cookie consent tool also sets a cookie in your browser. If you wish to undo these settings, simply delete the cookies in your browser (also see Section 3) or configure your individual cookie settings via the cookie banner. For more information on data protection, please visit: https://gdpr-legal-cookie.com/pages/terms-conditions.

    We use the cookie consent tool to obtain the declarations of consent mandated by law for the use of cookies. The legal basis in this case is Art. 6 (1) (1) (c) GDPR.

    In addition to the information in the cookie banner, please also note the following information in sections 3.2 ff.

    3.2. YouTube

    Our website uses plug-ins from YouTube, which is operated by Google. If you visit one of our websites featuring a YouTube plug-in and actively click on the corresponding field, a connection to YouTube servers is established. Here the YouTube server is informed about which of our pages you have visited. If you’re logged in to your YouTube account, you allow YouTube to associate your browsing behavior directly with your personal profile. You can prevent this by logging out of your YouTube account. 

    The legal basis for the use of YouTube is based on your consent pursuant to Section 25 (1) (1) of the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) for the storage and access to information in end devices, as well as pursuant to Art. 6 (1) (1) (a) GDPR for the further processing of your data. You give your corresponding consent via our cookie banner. Please note that Google is a company from the USA. According to a recent ruling by the European Court of Justice (ECJ), no adequate level of data protection exists in the USA, meaning that there is a risk to the protection of your data. For example, under certain conditions, US authorities may therefore process your data for control and monitoring purposes. If you nevertheless wish to consent to the use of this tool, you can select this via the cookie banner. After EU standard data protection clauses have been implemented, this shall provide the legal basis for the transfer of data to third countries.

    Further information on how user data is handled is available in see YouTube’s Privacy Policy at: https://www.google.de/intl/de/policies/privacy. 

    3.3. Google Analytics

    Our website uses the “Google Analytics” tracking tool. This is a service provided by Google Ireland Limited, a company registered and operated in accordance with Irish law, headquartered at Gordon House, 4 Barrow Street, Dublin, Ireland (“Google”). This tracking tool helps us to make our online offers more interesting for you and to improve the user experience. Data on the use of our website is stored in pseudonymized user profiles. Cookies can also be used for this purpose. Data from different devices, sessions, and interactions can additionally be linked to a user ID. This information is generally transferred to a Google server in the USA and stored there.

    By default, Google already automatically anonymizes user IP addresses when collecting user data. Google also does not log or store the IP addresses. The truncating of IP addresses does not mean that data is processed entirely in anonymized form. Thus, when Google Analytics is used, usage data is collected that is to be evaluated as personal data, such as identification features of the individual users, which also allow a link to an existing Google account, for example.

    On our behalf, Google will use this information to evaluate your usage of our website, to compile reports on website activity, and to provide other services related to website and Internet usage to us. The pseudonymized user profiles are not combined with personal data about the bearer of the pseudonym unless separate consent has been obtained for this.

    For more information on Google Analytics, see:
    https://support.google.com/analytics/answer/12017362

    Please note that Google also has independent access to your data collected via Google Analytics and may also use this data for its own purposes. Google may, for example, link this data to other information about you, such as search history, personal account, usage data from other devices, and all other data that Google has about you.

    The legal basis for the use of Google Analytics is based on your consent pursuant to Section 25 (1) (1) of the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) for the storage and access to information in end devices, as well as pursuant to Art. 6 (1) (1) (a) GDPR for the further processing of your data. You give your corresponding consent via our cookie banner. Please note that Google is a company from the USA. According to a recent ruling by the European Court of Justice (ECJ), no adequate level of data protection exists in the USA, meaning that there is a risk to the protection of your data. For example, under certain conditions, US authorities may therefore process your data for control and monitoring purposes. The new EU standard data protection clauses were agreed as appropriate safeguards to ensure an adequate level of protection for the transfer of data.

    3.4 Google Maps

    We use Google Maps via an API on our website. This is a service provided by Google. Your IP address must be stored to use the Google Maps functions. This information is generally transferred to a Google server in the USA and stored there. We have no control over this data transfer. We have also concluded an agreement with Google on mutual responsibility for the processing of personal data. You can view our agreement with Google by clicking the following Link. The legal basis for the use of Google Maps is based on your consent pursuant to Section 25 (1) (1) of the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) for the storage and access to information in end devices, as well as pursuant to Art. 6 (1) (1) (a) GDPR for the further processing of your data. You give your corresponding consent via our cookie banner. Please note that Google is a company from the USA. According to a recent ruling by the European Court of Justice (ECJ), no adequate level of data protection exists in the USA, meaning that there is a risk to the protection of your data. For example, under certain conditions, US authorities may therefore process your data for control and monitoring purposes. The new EU standard data protection clauses were agreed as appropriate safeguards to ensure an adequate level of protection for the transfer of data.

    Further information on how user data is handled is available in Google’s Privacy Policy at: https://www.google.de/intl/de/policies/privacy/.

    3.5 Google Tag Manager

    We use Google Tag Manager. This Google service allows website tags to be managed via an interface. Google Tag Manager only implements tags, however. This means that no cookies are set and no personal data is recorded. Google Tag Manager may instead trigger tags, which may record data. Google Tag Manager, however, does not access this data. The data is evaluated exclusively in the respective tool (for more details, see the aforementioned explanations in Section 3).

    3.6 Privy

    For our online marketing activities, we use the Privy service provided by Privy, LLC, 201 South St, 2nd Floor, Boston, MA 02111, USA (“Privy”). This service allows us to set up marketing campaigns in the form of pop-ups on our website and analyze the success of these campaigns. Privy collects the data you enter in the pop-up window, as well as your IP address and device and browser information. Cookies are used for this purpose.

    The legal basis for the use of Privy is based on your consent pursuant to Section 25 (1) (1) of the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) for the storage and access to information in end devices, as well as pursuant to Art. 6 (1) (1) (a) GDPR for the further processing of your data. You give your corresponding consent via our cookie banner. Please note that Privy is a company from the USA. According to a recent ruling by the European Court of Justice (ECJ), no adequate level of data protection exists in the USA, meaning that there is a risk to the protection of your data. For example, under certain conditions, US authorities may therefore process your data for control and monitoring purposes. If you nevertheless wish to consent to the use of this tool, you can select this via the cookie banner. After EU standard data protection clauses have been implemented, this shall provide the legal basis for the transfer of data to third countries.

    Further information on how user data is handled is available at: https://www.privy.com/privacy-policy and https://www.privy.com/data-processing-addendum

    4. Social media presence

    4.1. Links to social networks

    Our website contains links to social networks (Facebook/Meta, Twitter, LinkedIn, Pinterest, Instagram, and YouTube). These websites are operated exclusively by third parties. If you click the links, the respective provider may process your personal data. Please refer to the providers’ privacy policies for further information in this regard.

    4.2. Data processing by Hemro and legal basis

    Our social media presences (Facebook/Meta, Twitter, LinkedIn, Pinterest, Instagram, and YouTube) are intended to provide you with information about Hemro as well as about our new developments, services, and products. Depending on the respective provider’s offer, you have the option to interact in different ways (comments, recommendations, etc.), for example, in connection with our social media presence. The interaction of users is an important criterion for us in order to carry out targeted marketing. For example, we can determine which posts users prefer to read. We therefore also use the statistics determined by the providers in this regard for our own purposes. If we process the users’ personal data, the legal basis for this is Art. 6 (1) (1) (f) GDPR. Our legitimate interest thus lies in particular in targeted information/advertising. The providers will inform you separately about the legal basis on which they process your data for their own purposes.

    4.3. Joint responsibility

    In some cases, we may share responsibility for the processing of your personal data with social media providers. In this case, you may assert your rights both against us and against the social media provider (see Section 9). However, the first point of contact is always the social media provider.

    We have concluded an agreement with Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Facebook or Meta) on joint responsibility for the processing of personal data. This applies to the processing of so-called “insights data” – page statistics, in particular on the interactions of Facebook users. Further information on page insights is available here: https://www.facebook.com/business/pages/manage#page_insights. Our agreement with Facebook can be viewed by clicking the following link: https://www.facebook.com/legal/controller_addendum 

    In relation to “page insights,” we have also concluded an agreement with LinkedIn Ireland on joint responsibility. With Page Insights, LinkedIn does not provide us with any personal data about you. We only have access to your aggregated data. It is not possible for us to draw conclusions about individual users by means of page insights information. Detailed information about page insights and our agreement with LinkedIn Ireland can be viewed by clicking the following link:
    https://legal.linkedin.com/pages-joint-controller-addendum.

    Please note that social media providers also process your data outside the EU/EEA. According to a recent ruling by the European Court of Justice (ECJ), no adequate level of data protection exists in the USA, meaning that there is a risk to the protection of your data. For example, under certain conditions, US authorities may therefore process your data for control and monitoring purposes.

    With regard to the storage period for your data processed by us for our own purposes, please refer to our explanations provided under Section 7. Otherwise, please observe the respective social media provider’s privacy policy.

    5. Data transfer

    We will only transfer personal data to third parties or other recipients if this is necessary for the provision of services, if you have given your consent, if there is a legal obligation to do so, or if the transfer of data is permitted on another legal basis. For example, data is transferred to the Hemro Group’s technical service providers (e.g., in connection with orders) – or in the case of a company transaction – to interested parties/buyers, etc. We also use the services of the service provider Shopify International Limited, Victoria Buildings, 2. Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland (Shopify), for the purposes of hosting our website and in connection with the cookie consent tool. Where necessary, we have concluded data processing agreements with the recipients of your data in accordance with Art. 28 GDPR.

    Payments made through our website are processed by the payment service provider Wallee Group AG, headquartered at Neuwiesenstrasse 15, CH-8400 Winterthur, Switzerland (“Wallee”). When you make a payment, Wallee processes the following personal data as well as other types of personal data: Payment data, IP address, Internet browser, and device type. If data is transferred to Wallee in Switzerland, the adequacy decision of the European Commission guarantees the appropriate level of data protection. Please click the following link for more information on how Wallee processes data: https://app-wallee.com/s/1/resource/order-processing-contract.pdf

    Please also note the separate data protection provisions of the payment methods you have selected.

    PayPal: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

    VISA: https://www.visa.co.uk/legal/privacy-policy.html

    MasterCard: https://www.mastercard.de/de-de/datenschutz.html  

    6. Data transfer to countries outside the EU

    As far as necessary for our purposes, we will only transfer personal data to recipients outside the EU if you have given your consent, if there is a legal obligation to do so, or if the transfer of data is permitted on another legal basis. Your data will also be transferred to recipients based in the USA within the scope of processing data. Please note: According to a recent ruling by the European Court of Justice (ECJ), no adequate level of data protection exists in the USA, meaning that there is a risk to the protection of your data. For example, under certain conditions, US authorities may therefore process your data for control and monitoring purposes. For further information regarding the legal basis for the transfer of data, please refer to Art. 49 GDPR for now. An appropriate level of data protection will be ensured in the future by concluding the new so-called EU standard contractual clauses.

    By using Shopify (see Section 5), personal data may be transmitted to Shopify Inc. in Canada or the USA. If data is transferred to Shopify Inc. in Canada, the adequacy decision of the European Commission guarantees the appropriate level of data protection. For more information about Shopify’s Privacy Policy, please visit the website below: https://www.shopify.de/legal/datenschutz. 

    7. Storage period for personal data / criteria for determining the duration

    We will store your personal data for as long as this is necessary for the aforementioned processing purposes or in case of an objection that no compelling reasons worthy of protection exist for Hemro or in case of a withdrawal of consent if no other legal basis for data processing exists. In certain cases (e.g., if there is a legal obligation to store data), your personal data will not be deleted immediately, but rather blocked initially. For example, the storage period for messages sent via the contact form with business-related content can be ten years. 

    8. Security measures to protect your personal data

    We use technical and organisational measures to protect your data from unauthorized access, loss, or destruction. Our security measures are continuously adapted in line with technical developments. Our employees and all persons involved in data processing are obliged to comply with data protection laws and to treat personal data confidentially. Our employees are trained accordingly.

    To protect your personal data on this website, we use a secure online transmission procedure known as “Secure Socket Layer” (SSL) transmission. This can be recognized by the closed lock symbol displayed on the https:// address. Click on this symbol for details of the SSL certificate used. Display of this symbol depends on the browser version used.  SSL encryption guarantees the encrypted and complete transmission of your data. 

    9. Your rights

    Within the framework of the legal requirements, you are in principle entitled to request from Hemro:

    • confirmation of whether Hemro is processing your personal data
    • information about this data and the circumstances of processing
    • correction if this data is incorrect
    • deletion if there is no justification for processing and no obligation to store your personal data (any longer)
    • restriction of processing in certain cases specified by law
    • objection in case of data processing based on Art. 6 (1) (1) (f) GDPR
    • transfer of your personal data – insofar as you have provided it – to you or a third party in a structured, common and machine-readable format

    If you have given your consent to the processing of your personal data, you have the right to withdraw your consent again at any time. Processing of your personal data will then not be allowed in the future. However, this will not affect the lawfulness of the processing carried out with your consent before you withdrew your consent. 

    Please address your specific request to our data protection officer in writing or via email, clearly identifying your person:

    krupna LEGAL
    Data Protection Officer
    Rotating track 7
    20354 Hamburg

    Email: office@krupna.legal

    Insofar as we use your data in joint responsibility with third parties in the sense of Art. 26 GDPR, the third party is primarily responsible for the exercise of all data subject rights. However, you are also free to assert your rights against us.

    Finally, we would like to draw your attention to your right to lodge a complaint with a supervisory authority.

    10. No automated individual decision

    We do not use your personal data for automated individual decisions.

    11. Amendment of the privacy policy

    New legal requirements, business decisions or technical developments may require changes to our privacy policy. The privacy policy will then be adjusted accordingly. The latest version can always be found on our website.