Privacy Policy & Data Protection

Privacy Policy & Data Protection

Dear SmallStore customers,

dear visitors to the SmallStore website, protecting your personal data is very important to us. The following information explains which data we collect and process in connection with your use of our website.


1. Who is responsible for data protection on this website?

SmallStore, Sonnenstrasse 15, D-80331 Munich, Germany is responsible for the processing of personal data on this website.

You can get in touch with our Data Protection Officer via email: [email protected]

2. Which data is processed on our website?

When you visit the SmallStore website your web browser sends various data to our servers. This serves only to optimise the technology, configuration and stability of our website as well as the system security. We gather log file data, including IP addresses.

3. Do we use cookies on the website?

Yes, various cookies are also used. For details about how cookies used on the website, their specific purpose and how to delete them or stop them from being stored, please see Information on the Right to Object to the Processing of Data and Cooking and Opt-Out Settings.

4. Do we use web analytics tools on our website?

Yes, we work with various service providers to design and optimise our website, in line with our requirements. Detailed information about these service providers, the functionality of the analysis tools and how you can deactivate these tools can also be found under Cookie and Opt Out Settings.

5. Is there user-targeted advertising?

Yes. We work with service providers who can use cookies and advertising IDs to display user and interest-based advertising for us or our advertising partners. Detailed information on these service providers, the functionality of the advertising tools and the ways in which you can deactivate these tools can also be found in the section Information on the Right to Object to the Processing of Data and Cooking and Opt-Out Settings.

6. Do we pass your data on to third parties?

No. We will never pass your data on to unauthorised third parties. Furthermore, we guarantee that we have contractual agreements with all external providers. Some of these service providers are based in other countries (USA). They have the necessary certification for the US-European data protection convention "Privacy Shield" and therefore ensure compliance with data protection levels applicable in the EU.

7. Who do I contact if I have a query?

If you have any questions about data protection, please get in touch with us or contact our data protection officer.

Data Protection Information

A. General information about data protection at SmallStore

1. Scope and Definition

1.1 This Privacy Statement includes information referred to in the General Data Protection Regulation (GDPR) Article 13 about data processing in the context of visiting our website and using the shop accessible via this website.

1.2 Information on the type and purpose of data processing in connection with the use of our app, the contact functions on the website (customer care), as well as Community Services (zooblog!, zooforum, zooClub), job application platform, our social media appearances, can be found separately in the corresponding portal, or when using them the respective application.

1.3 In as much as we link to other pages, we have neither influence nor control over the linked content nor the respective data protection regulations. We recommend that you check the privacy policies on the linked web pages to determine whether and to what extent personal data is collected, processed, used and made accessible to third parties.

1.4 The full text of the General Data Protection Regulation (GDPR) along with further definitions and terms can be found here.


2. Location of Data Storage

2.1 All personal data that we collect and process via the website and our shop are stored and secured both on local servers in Germany and at Amazon Web Services EMEA SARL (AWS), a specialised cloud provider. Based on the technical and organisational measures, AWS is able to guarantee the greatest possible protection of your customer and user data against loss and unauthorised access. The data storage takes place exclusively in the Amazon Web Services data centres located in Europe (Dublin).

2.2 The purpose of this data processing is the hosting of our web servers and databases, as well as the data backup based of a comprehensive order processing contract.


3. Common Data Processing

3.1 SmallStore has many branches and subsidiaries in Europe. SmallStore AG, headquartered in Munich, Germany is solely responsible for data protection as well as complying and guaranteeing the technical and organisational measures necessary to protect your personal data.

3.2 In order to ensure group-wide process control and customer service, the data will also be made available to other branches and subsidiaries, whereby this will done based on the corresponding contract for order process (GDPR Article 28) and these companies are obliged to process the personal data only in accordance with the instructions and under the responsibility of SmallStore. These companies do not store this data locally.

3.3 SmallStore also processes data in so-called joint responsibility with bitiba GmbH. The basis for this is a comprehensive contact in accordance with GDPR Article 26, which regulates the respective accountabilities and responsibilities of the two companies. Further details may be obtained from our Customer Care team or from our Data Protection Officer.


4. General IT Services

We work together with various IT service providers who maintain our IT infrastructure and continually develop it further (in terms of security). If and insofar as these service providers have access to personal data in the course of these activities, this is always done under the supervision of SmallStore and it is guaranteed that no personal data is stored outside of SmallStore.

B. Data Processing on the SmallStore website

1. Logfiles

When you call up the SmallStore website, SmallStore gathers so-called access data, which includes the IP address, and stores it in a log file. This log file also stores the name of the web page you requested, the retrieved file, the date and time of retrieval, the amount of data transferred, a notification of successful retrieval, the browser type and version, the operating system, the so-called referrer URL (the previously visited page) as well as the requesting provider.

We do not pass this data onto third parties. The log files are automatically deleted tow (2) months after collection. Prior to that the IP is anonymised and stored only for administrative / technical and security-related purposes. The collect of data is only necessary for the technical operation of the website.


2. Cookies & Pixels

In addition to the log files, so-called cookies and similar technologies (e.g. pixels) are used when you visit our website and use the services that can be accessed via it. Details on the cookies and technologies used when using our website, length of storage and information on how you can delete the data collected can be found in the Cookie and Opt-out settings. Please note that a general deactivation of cookies can lead to functional restrictions of our website.

We differentiate between the following types of cookies:

2.1 Necessary (technical) Cookies

Certain cookies are necessary for the functioning of the website and cannot be deactivated in your system. Please refer to the Cookie and Opt-out settings for more information.

2.2 Functional Cookies

With these cookies we are able to provide extended functionalities and personalisation options. They can be set by us or by third parties whose services we use on our pages. You can also find further information here in the cookie and opt-out settings.

2.3 Targeting Marketing

These cookies can be set via our website by our advertising partners. They may be used by these companies to profile your interests and show you relevant ads on other websites. They do not store personal information directly, but are based on a unique identification of your browser and Internet device. Please refer to the cookie and opt-out settings for more information.


3. Plugins

Plugins are used on our websites. They are normally used to interact with other services or websites (plugin providers). We use the so-called “Shariff” solution (Shariff Wrapper), with which you yourself can determine whether and when data is transmitted to the operators of the respective networks. Only when you click on the relevant consent button will your browser establish a connection to the servers of the respective network.

Please note that SmallStore is only responsible for collecting the IP address using the plugin. The provider is responsible for subsequent processing including data protection and duration of data storage.

In addition to the IP address collected by us, the plug-in provider may use available personal data for advertising purposes (also for third parties), market research and / or the needs-based design of its own website and to inform other users of the respective network about your activities on our website. The provider also acts as the controller for data protection. We have no knowledge of the extent to which the provider uses the data obtained once you have clicked on the relevant consent button. Further information about the purpose and scope of data processing by the plugin provider and information about exercising your rights (e.g. disclosure and objection) can be found in the data protection statements links below.

C. Data Processing when using online shops

1. Registration and use of the "my SmallStore account"

When you create a user (customer) account with your first order we collect the following data:

Registration data (e.g. first and last name, address, email address); login data (email address, password; customer data (invoice address, delivery address); connection data (IP address).

This data is processed in order to provide you with access to your user account. The login details verify your customer account so that you can check your orders, manage your data settings, including delivery, payment and newsletter preferences and view your order history. You can also access your Points loyalty account.

This data is never passed on to unauthorised third parties. We store this data for the duration of the existence of your customer account, unless you request that we delete it beforehand and that there are no other legal storage obligations. The provision of the above-mentioned personal data is a contractual obligation otherwise you would not be able to use or manage your account. 

2. Order Process & Delivery

We process payment, processing and delivery data in connection with an order:

Customer data (e.g. first and last name, email address, invoice address, delivery address, phone number, customer ID); connection data (IP address); payment data (e.g. payment information).

We process the data within the framework of an order in order to be able to record and process your order with the help of the data provided, to adapt the product selection according to your preferences and preferences and to make appropriate recommendations

Your data will not be passed on to unauthorised third parties. We share details of your delivery address to the logistics and shipping companies commissioned by us (see Logistics & Shipping) solely on the basis of contracts relating to order processing and only insofar as it is necessary for the contractual provision of the services. We store the data collected while executing the contract only for the duration of the contractual relationship, unless you request that we delete it beforehand, but at least until the statutory warranty claim expires. After expiry of these deadlines we retain the information of contractual relationship required by commercial and tax law for the legally determined period.

a) Logistics & Shipping

In order for the customer to receive information about the shipping status, SmallStore sends the respective delivery company the email address and - if specified - the customer's phone number (only for freight forwarding deliveries), which you can use to find out about the delivery status of your order. SmallStore respects the interest of its customers as well as its own. Delivery companies are obliged to protect your personal data and can use this data solely for shipping and dispatch purposes. You can find details about our logistics and shipping partners here.

b) Payment

Depending on your selected payment method, your payment data is transferred to the corresponding payment service provider. SmallStore does not store any credit card information apart from in connection with your payment.

Details of the providers with whom we work and who act as so-called contract processors and in some cases as companies responsible for data protection can be obtained at any time by contacting our Customer Care Team or from our Data Protection Officer.

We store this data for the duration of the existence of your customer account, unless you request that we delete it beforehand and that there are no other legal storage obligations. The provision of the above-mentioned personal data is a contractual obligation otherwise you would not be able to use or manage your account.

Please contact the relevant provider in regard to the duration of the respective data storage.

c) Credit Checks

SmallStore permits its customers to pay for goods by bank transfer. When the customer uses this payment method, SmallStore reserves the right to check the customer's creditworthiness in advance. In order to do this we process the following data:

Customer data (first and last name, email address, address, invoice address, delivery address, customer ID).

SmallStore is entitled to use the information given in the order to calculate the payment default probability (internal scoring). The data used for internal scoring is taken from a combination of the following data categories:

Address data (invoice address, delivery address), age, desired payment terms, ordering method and product groups.

When the customer selects this payment method (purchase on account), SmallStore is also entitled to obtain credit information about the customer from an external credit agency. For details of these providers please contact our Customer Care Team or from our Data Protection Officer.

d) Fraud Prevention

SmallStore uses information about atypical ordering processes (e.g. simultaneous ordering of large amounts of goods using different customer accounts registered at the same address), to help avoid payment defaults and to protect our customers from misuse of their accounts or their identities. The risk assessment of the likelihood of attempted fraud also takes into account whether the end device has dialled in via different service providers, whether the end device has a frequently changing geo-reference, how many transactions have been made via the end device and whether a proxy connection is used.

The following data is processed:

Customer data (first and last name, email address); Invoice data (invoice address, delivery address, payment information, customer ID); connection data (IP address, browser information)

SmallStore is legally obliged to secure customer authentication (3DS2) as part of the payment process, which also includes the encrypted transmission of the payment information to the banks concerned.

SmallStore works with various credit agencies and providers within the framework of fraud prevention. Details of the providers responsible for the extent and duration of data storage can be obtained from our Customer Care Team or from our Data Protection Officer. 

e) Sanctions List Check

Under European Union legislation, SmallStore is obliged to prevent the supply of goods to persons on so-called sanctions lists (terrorist groups, organisations and individuals). For this purpose, the names and invoice addresses are compared with the sanctions lists. No data processing beyond the initial query is carried out.

3. Points Loyalty Programme

The Points programme is a loyalty programme where registered customers can earn loyalty points based on their purchases. The Points programme is an integral part of the contractual relationship between the customer and SmallStore. Points can be redeemed in the Points reward shop. We only process the following data:

Customer data (email address; customer number, order history)

We process this data exclusively to give you access to the Points loyalty programme. The data is not linked to any other data or stored in a separate profile. After registering, the customer receives information about the Points programme and is subsequently informed by email about the status and expiry of their Points.

This data is not shared with third parties. We store this data for the duration of the existence of your customer account. If you do not wish to receive email notifications about the status of your Points please let us know via the above-mentioned contact details. 

4. Product Preferences and Favourites

We collect information in connection with the use of the "my SmallStore" and your orders so that we can learn about your product favourites and preferences. This is to make your shopping experience more pleasant and enjoyable. You can adjust the data processing settings yourself via "my SmallStore account". We only process the following data:

Customer number, order history, preferred delivery service, preferred payment method

This data is never passed on to third parties. We store this data for the duration of the existence of your customer account, unless you request that we delete it beforehand. The provision of the above-mentioned personal data is not a contractual or legal obligation.

5. Buying Behaviour and Profile Building

We want to provide our customers with an optimal shopping experience when using our online shop and show them personalised offers including special offers, based on previous purchases and product research. For this purpose, we internally process the customer number, product searched for or purchased, each shopping cart and the order history to analyse the buying and user behaviour. The results of this analysis have no legal consequences or negative effects for the customer. The customer has the right to object to associated profile formation at any time.

5.1 SmallStore Savings Plan

As part of the SmallStore Savings Plan, we evaluate your purchase history and product preferences in our online shop. Depending on the number and volume of your orders, you may be offered the purchase of the so-called SmallStore savings plan which permits you to receive special discounts.

5.2 SmallStore Product Recommendation

By evaluating data gathered from your "my SmallStore account" and the purchases you make, we are able to prioritise which products are shown to you according to your preferences, favourites, and them make appropriate recommendations. This information is used only to improve our range of services to enhance the customer's shopping experience.

6. Customer Survey

We use Google customer review software on our websites for the purposes of customer reviews and internal quality management. We want to provide our customers with the opportunity to evaluate their purchases once they have received them. Google does not get any customer data from our database. Only order numbers, customer number and email address are transmitted.

D. Customer Communication Data Processing

1. Newsletter

When you register for our email newsletter, we only process your email address. The data will only be used to send you information about SmallStore products and promotions at regular intervals, depending on your selected areas of interest.

When you receive the newsletter, we use so-called web beacons or tracking pixels, which can help us to determine whether you have received or opened the newsletter and if you have clicked on links within the newsletter. With the data obtained, we create a user profile to tailor the newsletter to your individual interests. We may use tracking to link this data to actions you have taken on our website.

We do not pass on the personal data you provide when registering for the newsletter to unauthorised third parties. However, the newsletter tool is provided by an external provider, which is why we have concluded a contract for the processing of data with this provider.

Details of the providers can be obtained from our Customer Care Team or from our Data Protection Officer.

You can object to the receipt of newsletters, at any time, including the processing of your aforementioned data. The legality of the processing based on the consent until your revocation remains unaffected. Furthermore, if you do not wish an automated evaluation and analysis of your user behaviour in connection with the newsletter, you must unsubscribe from the newsletter service. Until then, the data will be stored for as long as you have subscribed to the newsletter. After cancellation we store the data anonymously, only for statistical purposes only. The provision of personal data is not required by law or contract. However, it is not possible to send or receive the newsletter without providing the email address.

2. Facebook and Google Custom Audience

On some websites and as part of our newsletter registration, you will be given the opportunity to participate in the Custom Audience or Audience Match marketing programme. This allows us to connect with you through social media and networks, better understand your product preferences and display interest-based advertising where appropriate. However, this requires a separate consent and is not automatically done when you register for our newsletter. Your email address collected in the process is "hashed" in advance and forwarded to the following recipients as independent responsible parties. If you do not maintain a user account with these providers, your email address will be automatically deleted.

Go to the following providers for details about their data protection:

You can object to the data processing at any time by contacting us. The legality of the processing based on your consent until revocation remains unaffected.

3. Product Availability Reminder

You have the possibility to be informed by email about the availability of certain products. For this purpose, we will send you a one-time information if the product you are interested in is back in our assortment.

We do not pass on the data to third parties. We delete your email address for this purpose of data processing automatically after 95 days. The provision of the above-mentioned personal data is contractually stipulated, otherwise you would not receive a reminder. 

4. Marketing (email)

In as much as it is permitted by law and provided that the customer has concluded a contract with SmallStore and provided an email address, SmallStore has the right to use the customer's email address for direct advertising for its own similar goods or services. The customer has the right to object to the use of this email address at any time, without incurring any costs other than the basic rate transmission costs.

5. Marketing (postal)

In as much as it is permitted by law and unless the recipient has objected to receipt, SmallStore may send postal advertising to customers. For the purpose of printing and sending these advertising materials, we work together with service providers as contract processors. The right of the customer to object at any time to the use of the address for advertising purposes at any time shall remain unaffected.

E. Your Rights

You have the right to request confirmation from SmallStore at any time as to whether we are processing your personal data and the right to receive information about this personal data. You also have the right to correct, delete and restrict data processing, as well as the right to object to the processing of personal data at any time, or to revoke your consent for data processing at any time or to request the transfer of data.

For any information needs or requests, revocations or objections to the processing of data, please contact us or send an email to our Data Protection Officer. In addition, you have the right to complain to a supervisory authority if violations of privacy should occur.

F. Notes on specific rights of objection

You have the right to object at any time, for reasons arising from a specific situation, to the processing of your personal data. We will cease processing of your personal data unless we can provide compelling protection reasons for processing which outweigh your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims. If you wish to exercise your right to objection, please contact us.