Privacy Policy

We, NEOCHEMA GmbH (hereinafter: ‘NEOCHEMA’, ‘we’ or ‘us’) wish to inform you about data protection in our company.

This privacy policy is divided into different segments. The segments consist of a general part, which is always applicable and provides general information for all our data processing operations.

This is followed by information on data processing that is tailored to specific situations along with the name of the respective service, such as processing on the website.

Below is an overview of the structure of this information, with which you can find the parts that are relevant to you:

Part A: General

This part is always relevant for you and applies to all data processing by us.

Part B: Website

This part is relevant for you if you visit our website.

Part C: Business partners

This part is relevant for you if you maintain or have maintained business relationships with us as a customer, supplier or similar business partner.

A. GENERAL

1. Definitions

In this privacy policy, we use the terminology from Article 4 of the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: ‘GDPR’). The most important and most frequently used terms in this policy are listed below:

  • ‘Personal data’ (GDPR Art 4(1)) means all information relating to an identified or identifiable natural person (‘data subject’). A person is identifiable if he or she can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, online identifier, location data or by means of information about his or her physical, physiological, genetic, psychological, economic, cultural or social identity characteristics. Identifiability may also be achieved by linking such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photos, video or sound recordings may also contain data) (hereinafter only ‘data’).
  • ‘Processing’ (GDPR Art 4(2)) means any operation in which data is handled, whether or not by automated means. This includes, in particular, the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction of data, and changing an objective or purpose on which data processing was originally based.
  • ‘Controller’ (GDPR Art 4(7)) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, decides on the purposes and means of processing data.
  • ‘Third party’ (GDPR Art 4(10)) means a natural or legal person, public authority, agency or other body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data; this includes other legal persons belonging to the group of companies.
  • ‘Processor’ (GDPR Art 4(8)) means a natural or legal person, public authority, agency or other body that processes data on behalf of the controller, in particular in accordance with his or her instructions. For the purposes of data protection law, a processor does not necessarily have to be a third party.
  • ‘Consent’ (GDPR Art 4(11)) of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Responsibility

The party responsible for the processing of your data within the meaning of GDPR Art 4(7) is:

NEOCHEMA GmbH
Uwe-Zeidler-Ring 10
55294 Bodenheim
Germany

Telephone: +49 6135 933199 0
Fax: +49 6135 933199 19
info@neochema.com

Further information about our company can be found in the imprint on our website.

3. Data protection officer

Under the GDPR, there is currently no obligation for us to appoint a data protection officer. As soon as this becomes necessary, we will provide the contact details here.

4. Legal grounds for data processing

The GDPR only allows the processing of data if there are the following grounds for permission (legal grounds):

  • GDPR Art 6(1)(a) (‘consent’): where the data subject has provided a freely given, informed and unambiguous indication, by a statement or other clear affirmative action, that he or she agrees to the processing of the data concerning him or her for one or more specific purposes;
  • GDPR Art 6(1)(b): where the processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;
  • GDPR Art 6(1)(c): if the processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. a statutory retention obligation);
  • GDPR Art 6(1)(d): where the processing is necessary to protect the vital interests of the data subject or another natural person;
  • GDPR Art 6(1)(e): where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • GDPR Art 6(1)(f) (‘legitimate interests’): if the processing is necessary for the purposes of the legitimate interests (especially legal or economic ones) pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.

In the case of the data processing mentioned by us below, we will state the applicable legal grounds from the above list. Processing may also be based on more than one legal ground.

5. Storage duration and retention periods

When we process data, we generally indicate below how long the data will be stored and when it will be deleted or blocked. If no storage period is specified below, your data will be deleted or blocked as soon as the purpose or legal ground for storage ceases to apply. Your data will only be stored on our servers in Bodenheim and Falkenstein, Germany, subject to possible disclosure in accordance with the provisions in subsections A(7) and A(8).

Storage may extend beyond the specified time in the event of an (impending) legal dispute with you or other legal proceedings or if the storage is mandated for us by statutory provisions (e.g. German Fiscal Code s 147, German Commercial Code s 257). After expiry of the legally prescribed storage period, the data will be blocked or deleted unless further storage by us is required and there is a legal ground for it.

6. Data security

We and the contractors engaged by us (who are obliged to comply with data protection law) use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss or destruction, and against unauthorised access by third parties (e.g. TLS encryption for our website), taking into account the state of the art, the implementation costs and the nature, scope, context and purpose of the processing as well as the existing risks of a data breach (including its probability and consequences) for the data subject. Our security measures are constantly being improved in line with technological developments.

7. Collaboration with processors

Like any company, we use external domestic and foreign service providers (e.g. for IT, logistics, telecommunications, sales and marketing) to handle our business transactions. They only act in accordance with our instructions and have been contractually obliged (processing contract) to comply with the provisions of data protection law in accordance with GDPR Art 28.

We also indicate to which other third parties data can or must be transmitted. Unless otherwise described below, or other third parties are described below, the following third parties may be relevant:

  • State bodies/authorities insofar as this is necessary for the fulfilment of a legal obligation. The legal ground for the transfer is GDPR Art 6(1)(c);
  • Persons employed to carry out our business (e.g. auditors, banks, insurance companies, legal advisers, supervisory authorities, parties involved in company acquisitions or the creation of joint ventures). The legal ground for the transfer is GDPR Art 6(1)(b) or (f);
  • Carriers and freight forwarders engaged to deliver our products. The legal ground for the transfer is GDPR Art 6(1)(b) or (f).

8. Requirements for the transfer of data to third countries

As part of our business relationships, your data may be transferred or disclosed to third-party companies. They may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing takes place solely for the fulfilment of contractual and business obligations and for the maintenance of your business relationship with us. We inform you about the respective details of the transfer below at the relevant points.

For some third countries, the European Commission certifies data protection comparable to EEA standards by means of so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be found here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html). However, other third countries to which data may be transferred may not have a consistently high level of data protection due to a lack of legal provisions. Where this is the case, we ensure that data protection is adequately guaranteed. This is possible through binding corporate rules, standard data protection clauses of the European Commission, certificates and recognised codes of conduct. The explanation below indicates, where applicable, which of the above documents is available.

9. No automated decision-making (including profiling)

We do not intend to use your data for any automated decision-making process (including profiling).

10. No obligation to provide data

If you use our services for informational purposes, you are not obliged to provide us with your data. However, we may be able to provide certain services only to a limited extent or not at all if you do not provide the necessary data. If this should exceptionally be the case among the following products offered by us, you will be informed of this separately.

11. Legal obligation to transfer certain data

We may be subject to a special statutory or legal obligation to provide the lawfully processed data to third parties, in particular public bodies (GDPR Art 6(1)(c)).

12. Your rights

As a user of our website, you have various rights under the GDPR, which derive in particular from GDPR Arts. 15 to 18, 20, 21 and 77. You can assert the following rights against us at any time (for contact details see subsection A(2)):

a. Right to access:
You can obtain access to your personal data that is processed by us. In your request for access, you should provide precise details about the information you are enquiring about to make it easier for us to compile the necessary data.

b. Right to rectification:
If the information concerning you is not or no longer accurate, you can obtain its rectification. If your data is incomplete, you can ask for it to be completed.

c. Right to erasure:
You may obtain the erasure of your personal data under the conditions of GDPR Art 17. Your right to erasure depends, among other things, on whether the data concerning you is covered by a right of retention or is still required by us to fulfil our legal obligations and insofar as the processing is not necessary for the exercise of the right to freedom of expression and information, for reasons of public interest or for the establishment, exercise or defence of legal claims.

d. Right to restriction of processing:
Within the scope of the provisions of GDPR Art 18, you have the right to obtain the restriction of processing of data concerning you.

e. Right to object:
You have the right, for reasons relating to your particular situation, to object at any time to the processing of data concerning you if the processing is carried out on the basis of GDPR Art 6(1)(e) or (f). This applies in particular if we process your data out of a legitimate interest that is overriding in the respective situation. Furthermore, we cannot always satisfy an objection, e.g. if we are obliged to archive the data for audit purposes in accordance with the provisions of tax law or because the fulfilment of a contract is pending. Unless it concerns an objection to direct marketing, we ask you to explain the reasons why we should not process your data as we have done. If we receive a justified objection from you, we will examine the situation and will either cease or adapt the data processing or show you our compelling legitimate grounds on the basis of which we continue the processing.

f. Right to withdraw consent:
If you have given us your consent to the processing of your data, you have the right to revoke your consent at any time. This will not affect the lawfulness of the processing carried out on the basis of the consent until the cancellation of the processing.

g. Right to data portability:
You have the right to receive the data concerning you that you have provided to us in a structured, commonly used and machine-readable format. If you have provided the data on the basis of consent or on the basis of a contract, you have the right for us to transfer the data to a controller designated by you insofar as the processing has been carried out using automated methods and this is technically feasible.

h. Right to appeal:
We are always open to your concerns, so you are welcome to contact us using the contact option mentioned in subsection A(2). If you believe that we have not complied with data protection regulations when processing your data, you can also lodge a complaint with a data protection supervisory authority which will investigate your complaint.

The contact details of the data protection authority responsible for us are as follows:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz
Prof. Dr. Dieter Kugelmann
Hintere Bleiche 34
55116 Mainz
Germany

Telephone: +49 (0) 6131 8920-0
Fax: +49 (0) 6131 8920-299
Website: https://www.datenschutz.rlp.de/
Email: poststelle@datenschutz.rlp.de

13. Privacy policy amendments and version

If data protection law develops further or there are technical or organisational changes, we will regularly review our privacy policy to make changes or additions. You will be informed of changes, including in particular on our website at https://www.neochema.com/en/Privacy-Policy/.

This privacy policy is current as of June 2023.

B. Data processing on website

1. Subject matter

Information about our companies and services can be found especially at www.neochema.com and the corresponding sub-pages (hereinafter: ‘website’). When you visit our website and other websites, the data processing specified below is carried out. The following information provides details on how we process the data on our websites.

2. Processed data

When using the website for purely informational purposes, the following categories of data are processed by us:

a. ‘Log data’:
When you visit our website, a server log file is temporarily stored on our server. It consists of:

  • the date and time of the request
  • the IP address of the requesting computer
  • the page from which the file was requested
  • the name of the file being accessed
  • the amount of data transmitted
  • the access status (file transferred, file not found, etc.)
  • the type of access (GET, POST)
  • the browser or operating system used (user agent)

b. ‘Contact form details’:
When using our contact form, the mandatory and voluntarily provided information and data will be processed (in particular, gender, surname and first name, company, email address, content of the message and the time of transmission).

The provision of this data under subsections B(2)(a) and (b) is not contractually or legally required or necessary for the conclusion of a contract. Without this information, however, the desired content on our website will not be provided to you or your contact requests will not be processed.

c. ‘Contractual data’:
When commissioning our services, the mandatory and voluntarily provided information and data (in particular, gender, surname and first name, company, email address and account or payment information) will be processed. The provision of this data is necessary for the conclusion of a contract. Without this information, a contract cannot be concluded between you and us.

3. Purpose and legal ground for data processing

We process the data described above in accordance with the relevant data protection regulations and only to the extent necessary. Insofar as the processing of the data is based on GDPR Art 6(1)(f), the aforementioned purposes also represent our legitimate interests.

a. The processing of the log data is technically necessary and serves statistical purposes and the improvement of the quality of our website, in particular the stability and security of the connection, as well as the prosecution of illegal activities on our website, in particular the detection, elimination and legally admissible documentation of malfunctions (e.g. DDoS attacks) (legal ground is GDPR Art 6(1)(f)).

b. The processing of contact form data is carried out for the purpose of processing customer enquiries voluntarily sent to us by customers (legal ground is GDPR Art 6(1)(b), (a) or (f)).

c. The processing of contractual data takes place for the purpose of concluding, executing and terminating a contract between you and us (legal ground is GDPR Art 6(1)(b), (a) or (f)).

4. Duration of data processing

Your data will only be processed for as long as is necessary to achieve the aforementioned processing purposes; the legal grounds indicated with the processing purposes apply to this correspondingly.

Third parties engaged by us will store your data on their system for as long as is necessary in connection with the provision of services for us in accordance with the respective order.

The server log files mentioned in subsection B(2), above, are stored for 8 weeks and then deleted. The purpose of them is to trace attacks and unlawful use of our website.

For more information on the storage duration, see subsection A(5).

5. Transfer of data to third parties; legal grounds

The following categories of recipients, who are usually processors (see subsection A(7)), may have access to your data:

  • Service providers for the operation of our website and the processing of data stored or transmitted by the systems (e.g. for data centre services, payment processing, IT security). The legal ground for the transfer is GDPR Art 6(1)(b) or (f), insofar as processors are not involved.

It is currently the following hosting service provider (only server location in Falkenstein, Germany) with which a processing contract has been concluded (see subsection A(7) above):

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany

For guarantees of an adequate level of data protection when data is transferred to third countries, see subsection A(8).

In addition, we will only transfer your data to third parties if you have given your express consent to this in accordance with GDPR Art 6(1)(a).

6. Use of plug-ins, other services and links on our website

We do not use social media plug-ins on our website.

If our website contains symbols of social media providers (e.g. Xing or LinkedIn) or other providers, we only use them for passive links to the pages of the respective providers. No data of yours will be processed as long as you do not click on the link. When you click on any link on our website, you will be taken to the external site of the respective third party provider, which processes your data entirely independently. Please do not click on the links on our website if you do not want your data to be processed by the third parties to which we offer a link.

Despite careful checks of their content, NEOCHEMA assumes no liability for the content of external links. Solely the operator of a linked page is responsible for its content. If we set links, it is because we believe that these websites may be of interest to you. We have no control over the content and design of these websites and we cannot control how the providers of linked websites handle your information, so this privacy policy and our responsibility do not extend to these websites. If you have any questions, please contact the providers of these websites directly.

7. Use of cookies

In addition to the aforementioned data, cookies are stored on your computer when you use our website. Cookies are data that is stored on your hard drive and associated with the browser you use. Through them, certain information is provided to the entity that set the cookie (in this case, us). Cookies cannot execute programs or transmit viruses to your computer. They serve to make the website as a whole more user-friendly and effective. This website uses the following types of cookies, the scope and operation of which are explained below:

  • Transient cookies (subsection (a))
  • Persistent cookies (subsection (b))

a. Transient cookies:
Transient cookies are automatically deleted when you close your browser. This includes session cookies in particular. They store a so-called session ID, with which different requests from your browser can be matched to the same session. This allows your computer to be recognised when you return to our website. The session cookies are deleted when you log out or close your browser.

b. Persistent cookies:
Persistent cookies are automatically deleted after a specified period of time, which may vary depending on the cookie. You can delete the cookies at any time in the security settings of your browser.

c. Preventing cookies via your browser settings:
You can configure your browser settings according to your wishes and, for example, refuse to accept third-party cookies or all cookies. Please be aware that in this case you may not be able to use all the functions of the website, or use them in a convenient way.

d. Cookies used:
We use the following cookies on our website:

| Name of the cookie | Description | Duration of storage |
| --- | --- | --- |
| cookie-preference | This cookie is used to recognise whether you have already been shown the cookie notice, whether you have fully accepted or rejected it, and which specific settings you have selected. | 1 month |
| csrf[frontend.account.addressbook], csrf[frontend.account.login], csrf[frontend.account.nc_company.edit.save.billing], csrf[frontend.account.nc_company.edit.save.common], csrf[frontend.account.nc_company.edit.save.deliver_to], csrf[frontend.account.nc_request_mix.create], csrf[frontend.account.newsletter], csrf[frontend.account.payment.save], csrf[frontend.account.profile.email.save], csrf[frontend.account.profile.password.save], csrf[frontend.account.profile.save], csrf[frontend.account.register.save], csrf[frontend.checkout.configure], csrf[frontend.checkout.finish.order], csrf[frontend.checkout.line-item.add], csrf[frontend.checkout.line-item.change-quantity], csrf[frontend.checkout.line-item.delete], csrf[frontend.checkout.product.add-by-number], csrf[frontend.checkout.promotion.add], csrf[frontend.checkout.switch-language], csrf[frontend.form.contact.send], csrf[frontend.store-api.proxy], csrf[frontend.wishlist.product.add], csrf[frontend.wishlist.product.delete], csrf[frontend.wishlist.product.merge.pagelet], csrf[frontend.wishlist.product.merge], csrf[frontend.wishlist.product.remove] | These cookies serve the security of the website and protection of the user against cross-site request forgery (CSRF) attacks by providing each request from the client to the server with a unique ‘token’ that ensures that the request comes from the client. The individual cookies listed here are set during the respective performance of the specific action (e.g. newsletter subscription, profile changes, pressing the buttons in the online shop) and serve as CSRF protection for the respective action. More information on CSRF attacks and this website’s defence against them can be found at https://developers.shopware.com/developers-guide/csrfprotection/. These cookies are set based on a legitimate interest in accordance with GDPR Art 6(1)(f). | Session |
| session- | This cookie is a piece of information that is stored on your device. A session cookie stores a randomly generated sequence of numbers and letters which helps us to distinguish the visitors of the website. Since the setting of the cookie is absolutely necessary for the secure operation of this website, there is a legitimate interest in setting the cookie, GDPR Art 6(1)(f). | Session |
| sw-cache-hash, sw-states | These cookies are required for the functionality and security of the online shop. They store information such as the status of the shopping cart and whether the user is logged in. | Session |
| timezone | This cookie is used to determine the time zone in which the user’s browser is located. | 1 month |
| wishlist-enabled | This cookie makes it possible to remember products. | Session |

8. YouTube (with Google Fonts)

Our website uses services of the YouTube website. YouTube is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, United States. YouTube LLC is a subsidiary of Google Ireland Limited (‘Google’), Gordon House, Barrow Street, Dublin 4, Ireland.

We use YouTube with the ‘two-click solution’. This technology means that YouTube does not store information about visitors to this website before they give their consent to data processing by Google and YouTube by double-clicking on the video.

YouTube is integrated on our website by means of an ‘iframe’. When the integration is loaded after activating the two-click solution, YouTube or Google may collect information (including personal data) and process it for its own purposes, too. It cannot be excluded that YouTube or Google may also transmit the information to a server in a third country or, with requests, to public authorities and other third parties.

Please avoid double-clicking on the two-click solution if you do not want the uncertain data processing by Google and YouTube. The two-click solution does not necessarily exclude the transfer of data to YouTube partners. Whether or not you are watching a video, YouTube connects to the Google DoubleClick network.

As soon as you start a YouTube video on our website, a connection is established to the servers of YouTube and Google. The server is informed of which of our pages you have visited. In particular, your IP address is transmitted. If you are logged in to your YouTube account, you enable YouTube to associate your visit directly with your personal profile. You can prevent this by logging out of your YouTube account.

Furthermore, YouTube may store various cookies on your device after starting a video. With the help of these cookies, YouTube can obtain information about visitors of our website. This information is used, among other things, to collect video statistics, improve user-friendliness and prevent fraud attempts. The cookies remain on your device until you delete them.

The legal ground for the processing of personal data described here is, in accordance with GDPR Art 6(1)(a), your consent previously given by double-clicking on the video.

YouTube also includes Web fonts provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Your browser loads the required Web fonts, that is, a certain font for a consistent appearance across each device, into your browser cache. YouTube and Google also have a legitimate interest in the collected (personal) data in order to improve their own services. For more information about data protection at YouTube, please refer to its privacy policy at https://policies.google.com/privacy.

C. Business Partners

1. Subject matter

We, NEOCHEMA GmbH, are pleased about your interest in getting to know NEOCHEMA products better and in using them. When determining your interest in our products and in possible collaboration, we may process some of your personal data. Below we inform you about the processing of personal data.

2. Processed data

In the context of determining your interest in Neochema’s products or in the context of pre-contractual and contractual cooperation, we process the following categories of personal data of prospective and actual customers of Neochema (collectively ‘Business Partners’):

  • Your basic details voluntarily provided verbally, by phone, by email or via our contact form (including in particular: name, gender, addresses, contact details)
  • Your contact details voluntarily provided verbally, by phone, by email or via our contact form or obtained by us via the internet (e.g. website imprint, social networks) (including in particular: name, sex, address, email address, telephone number)

The provision of this data is not contractually or legally required. However, it is necessary to establish a contract or to provide advice on our products.

3. Purpose and legal ground for data processing

All personal data is processed only for the following purposes:

  • determination of your interest in our products and in collaboration
  • initiation, establishment, implementation and termination of a business relationship
  • management and organisation within the company
  • safeguarding and enforcing our legitimate interests
  • making reports and declarations that are based on a legal obligation or otherwise required by law
  • the fulfilment of our obligations under tax law
  • the investigation of criminal offences if and to the extent necessary

Processing for other purposes does not take place.

The legal grounds for the processing of your data are:

  • GDPR Art 6(1)(a)
  • GDPR Art 6(1)(b)
  • GDPR Art 6(1)(c)
  • GDPR Art 6(1)(f)
  • GDPR Art 6(2b) insofar as special categories of personal data are processed

4. Duration of data processing

Your data will only be processed for as long as is necessary to achieve the aforementioned processing purposes; the legal grounds indicated with the processing purposes apply to this correspondingly.

For the determination of your interest in our products or establishment of a business relationship, this means: Your data will be retained for the duration of the determination of your interest in our products and in collaboration and, if applicable, for the duration of the business relationship and, beyond that, for a maximum period of ten years from the end of the year in which the business relationship was terminated and until there is no longer any possibility for a potential legal consequence that requires us to provide proof for explanatory or evidential reasons. Due to pending litigation and/or statutes of limitation, the period may also extend over a further period of time. Longer storage only takes place if and insofar as we are legally obliged to do so in individual cases, for example through commercial and tax laws. Your data is not processed for other purposes.

Third parties engaged by us will store your data on their system for as long as is necessary in connection with the provision of services for us in accordance with the respective order.

For more information on storage duration, see subsection A(5) above.

5. Transfer of data to third parties; legal grounds

The following categories of recipients, who are usually processors (see subsection A(7)), may have access to your data:

  • Companies that we use for the dispatch of the ordered products receive the postal address. This transfer takes place for the purpose of fulfilling the contract if you are unable to collect the purchased products from our premises. If personal data is used at all, which it often is not as the addressee is often a company, the legal ground for forwarding the postal address is GDPR Art 6(1)(a).
  • Technical service providers that we use to provide our services. These include the office software Microsoft Office 365 as well as file servers from the provider Synology.

In addition, we will only transfer your data to third parties if you have given your express consent to this in accordance with GDPR Art 6(1)(a) or if it is contractually required pursuant to GDPR Art 6(1)(b).