1) Introduction and Controller Contact Details
1.1 We are pleased that you are visiting our website and thank you for your interest. Below, we explain how we handle your personal data when you use our website. “Personal data” means any information that can identify you personally.
1.2 The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:
Comstex GmbH & Co. KG
Am Wall 22, 14979 Großbeeren, Germany
Tel.: +49 302 325 8230
Fax: +49 302 325 82313
Email: onlineshop@comstex.com
The “controller” is the natural or legal person who determines, alone or jointly with others, the purposes and means of processing personal data.
2) Data Collection When Visiting Our Website
2.1 Server log files (informational use only).
If you use our website for information only (i.e., you do not register or otherwise submit information), we collect only the data that your browser transmits to our server (“server log files”). When you access our website, we collect the following technically necessary data to display the site:
- The page visited on our website
- Date and time of access
- Amount of data transferred (bytes)
- Referrer URL (the page from which you came)
- Browser used
- Operating system used
- IP address used (possibly in an anonymized form)
Processing is based on Art. 6(1)(f) GDPR, on our legitimate interest in improving the stability and functionality of our website. We do not share these data with third parties or use them for other purposes. However, we reserve the right to review server log files retrospectively if there are concrete indications of unlawful use.
2.2 TLS encryption.
For security reasons and to protect the transmission of personal data and other confidential content (e.g., orders or inquiries), this website uses SSL/TLS encryption. You can recognize an encrypted connection by “https://” and the lock symbol in your browser bar.
3) Hosting & Content Delivery Network
We use a provider for hosting and content delivery who performs services itself or via selected sub-processors exclusively on servers within the European Union.
All data collected on our website are processed on these servers.
We have concluded a data processing agreement with the provider to ensure the protection of our visitors’ data and to prevent unauthorized disclosure to third parties.
4) Cookies
To make our website attractive and to enable certain functions, we use cookies—small text files stored on your device. Some cookies are deleted after you close your browser (session cookies); others remain on your device for a longer period and store site settings (persistent cookies). The storage duration for persistent cookies can be found in your browser’s cookie settings.
Where cookies process personal data, the processing is based on:
- Art. 6(1)(b) GDPR (performance of a contract), or
- Art. 6(1)(a) GDPR (consent), or
- Art. 6(1)(f) GDPR (our legitimate interest in optimal website functionality and a user-friendly, effective site experience).
You can set your browser to inform you about the setting of cookies and allow you to decide individually, to accept cookies in certain cases, or to refuse them altogether. Please note that disabling cookies may limit website functionality.
5) Contact
5.1 Live chat – Zammad
This website uses a live chat system provided by: Zammad GmbH, Marienstraße 11, 10117 Berlin, Germany.
Personal data transmitted via chat are processed either under Art. 6(1)(b) GDPR (required for contract initiation or performance) or Art. 6(1)(f) GDPR (our legitimate interest in effectively supporting site visitors). Data transmitted in this way are deleted—subject to statutory retention periods—once the matter is conclusively resolved.
In addition, for the purpose of creating pseudonymized usage profiles, further information may be collected and analyzed using cookies. These data are not used to personally identify you and are not combined with other data sets. Where the information relates to a person, processing is based on Art. 6(1)(f) GDPR (legitimate interest in statistical analysis for optimization). You can prevent cookies via your browser settings (which may limit functionality). You may object to the creation of pseudonymized profiles at any time with effect for the future.
We have a data processing agreement with the provider to protect visitor data and prevent unauthorized disclosure.
5.2 Ticketing – Zammad
For handling customer inquiries, we use the email ticketing system of Zammad GmbH, Marienstraße 11, 10117 Berlin, Germany.
Inquiries submitted via our website by email are stored and organized in the ticket system to enable chronological processing and improve service. You can track the status of your request via your individual ticket number.
Depending on your submission, personal data—at least first name, last name, and email address—are collected, transmitted to Zammad, stored there, and made available to us. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in efficient customer service, fastest possible responses, and optimization of our support).
We have concluded a data processing agreement with Zammad.
5.3 “Make an Offer” (Buraleo Limited)
Via the “Make an Offer” service by Buraleo Limited, Suite 2, Ground Floor Orchard Brae House, Edinburgh, EH4 2HS, United Kingdom, you can submit price proposals for items offered for sale.
Your name, email, and, where applicable, phone number and delivery address are requested and, upon submission, transmitted first to Make an Offer and then to the controller named above so that we can accept, reject, or counter your offer.
Processing is based on Art. 6(1)(b) GDPR (contract initiation/handling). Data are deleted after your request has been conclusively processed unless statutory retention obligations apply. For transfers to the UK, an adequacy decision by the European Commission ensures an appropriate level of data protection.
5.4 General contact (form or email)
When you contact us (e.g., via contact form or email), we process your personal data solely to handle and answer your inquiry to the extent necessary.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries). If your contact aims at concluding a contract, Art. 6(1)(b) GDPR additionally applies. Data are deleted when it is evident the matter has been conclusively resolved and there are no legal retention obligations.
6) Data Processing for Customer Accounts
Under Art. 6(1)(b) GDPR, we collect and process personal data to the extent necessary if you provide them when opening a customer account. Required data are shown in the account registration form.
You may delete your account at any time by notifying the controller at the address above. After deletion, your data are erased if all related contracts have been fully executed, no statutory retention periods apply, and we have no legitimate interest in further storage.
7) Use of Customer Data for Direct Marketing
7.1 Email newsletter sign-up (double opt-in)
If you subscribe to our email newsletter, we will regularly send you information about our offers. Only your email address is required; additional details are voluntary and help us personalize messages. We use the double opt-in procedure: you will receive emails only after you confirm your subscription via a verification link sent to your email.
By activating the confirmation link, you consent under Art. 6(1)(a) GDPR. We store the IP address assigned by your ISP as well as the date and time of subscription to document your consent and prevent misuse. Data collected for the newsletter are used strictly for this purpose.
You can unsubscribe at any time via the link in each newsletter or by contacting the controller above. After unsubscribing, your email address will be promptly removed from our mailing list unless you have expressly consented to further use or we are permitted by law to continue processing as explained in this policy.
7.2 Newsletter to existing customers
If you provided your email address when purchasing goods/services, we may email you offers for similar goods/services from our range. This does not require separate consent under § 7(3) UWG (German Unfair Competition Act). Processing is based solely on our legitimate interest in personalized direct advertising (Art. 6(1)(f) GDPR). If you initially objected, we will not send such emails. You can object at any time without incurring any costs other than transmission costs at basic rates; after your objection, we will stop using your email for advertising.
7.3 MailChimp
We send newsletters via The Rocket Science Group, LLC d/b/a MailChimp, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA.
On the basis of our legitimate interest in effective, user-friendly newsletter marketing (Art. 6(1)(f) GDPR), we transfer your subscription data to the provider for dispatch on our behalf. With your explicit consent (Art. 6(1)(a) GDPR), the provider performs statistical performance analysis of campaigns via web beacons/pixels (e.g., open rates and interactions). Device information (e.g., access time, IP address, browser type, OS) may be collected and analyzed but not combined with other datasets. You may revoke tracking consent at any time with future effect.
We have a data processing agreement with MailChimp. For data transfers to the USA, the provider participates in the EU–US Data Privacy Framework (DPF) based on the European Commission’s adequacy decision.
7.4 “Back-in-stock” email alerts
You can subscribe to one-time availability notifications for temporarily unavailable items. Required: your email address (other data optional for personalization). We use double opt-in. By confirming, you consent under Art. 6(1)(a) GDPR. We store your IP, date, and time of subscription to prevent misuse. You can unsubscribe at any time; your email will be promptly deleted from the relevant list unless further use is permitted by law or consented to.
7.5 Cart reminders by email
If you abandon your purchase before completing the order, you can opt to receive a one-time email reminding you of the contents of your cart. Required: your email (other data optional). We use double opt-in. By confirming, you consent under Art. 6(1)(a) GDPR. We store your IP, date, and time of subscription to prevent misuse. You can unsubscribe at any time; your email will be promptly deleted from the relevant list unless further use is permitted by law or consented to.
8) Data Processing for Order Handling
8.1 Delivery and payment.
To fulfill the contract, we transfer personal data to the transport company and the credit institution commissioned, as necessary for delivery and payment (Art. 6(1)(b) GDPR).
If, under contract, we owe updates for goods with digital elements or for digital products, we process the contact data you provided in your order to personally inform you within our statutory information duties (Art. 6(1)(c) GDPR). We use your contact details strictly for communications about required updates.
We also work with service providers who assist us in performing contracts; certain personal data are transferred to them as described below.
8.2 External shipping partners.
To fulfill our contractual obligations, we work with external shipping partners. We provide your name, delivery address, and—if necessary—your telephone number solely for delivery purposes to the selected partner (Art. 6(1)(b) GDPR).
8.3 Transfer of personal data to carriers.
Depending on your consent during checkout (Art. 6(1)(a) GDPR), we may provide your email and/or phone number to the carrier for delivery scheduling/notifications; otherwise, we provide only the recipient name and address (Art. 6(1)(b) GDPR). You can withdraw consent at any time with future effect from us or the carrier.
- DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany
- DHL Express Germany GmbH, Heinrich-Brüning-Str. 5, 53113 Bonn, Germany
- DHL Freight GmbH, Godesberger Allee 102–104, 53175 Bonn, Germany
- DPD Deutschland GmbH, Wailandtstraße 1, 63741 Aschaffenburg, Germany
- FedEx Express Germany GmbH, Langer Kornweg 34k, 65451 Kelsterbach, Germany
- Hermes Logistik Gruppe Deutschland GmbH, Essener Straße 89, 22419 Hamburg, Germany
- Schenker Deutschland AG, Lyoner Straße 15, 60528 Frankfurt am Main, Germany
- TNT Express GmbH, Haberstraße 2, 53842 Troisdorf, Germany
- trans-o-flex Express GmbH & Co. KGaA, Hertzstraße 10, 69469 Weinheim, Germany
- United Parcel Service Deutschland Inc. & Co. OHG, Görlitzer Straße 1, 41460 Neuss, Germany
8.4 Payment service providers
- Google Pay (Google Ireland Limited, Dublin, Ireland)
Payments are processed via the Google Pay app using a stored card or verified payment system (e.g., PayPal). For payments over €25, device unlocking (e.g., face, password, fingerprint) is required. Order information is shared with Google; Google transmits a one-time transaction number (token) back to verify payment; no real card data are shared. Legal basis: Art. 6(1)(b) GDPR. Google may collect and evaluate certain transaction-specific information under Art. 6(1)(f) GDPR (legitimate interest). Terms/privacy: see Google’s legal pages.
- Klarna (Klarna Bank AB, Stockholm, Sweden)
If you choose a prepayment method (e.g., card), we share your payment data and order details under Art. 6(1)(b) GDPR. For methods where Klarna pays in advance (invoice/installments/direct debit), you will provide additional personal data; to assess creditworthiness we may transmit data to Klarna under Art. 6(1)(f) GDPR. Klarna may consult credit agencies; see: https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_de/credit_rating_agencies. You can object at any time; processing necessary for payment may continue.
- PayPal (PayPal Europe S.à r.l. et Cie, S.C.A., Luxembourg)
For prepayment methods, we share payment/order data under Art. 6(1)(b) GDPR. Where we pay in advance, we may transmit personal data to PayPal for credit checks under Art. 6(1)(f) GDPR; score values may be used.
- PayPal Checkout
For payments via PayPal, credit card via PayPal, direct debit via PayPal, or “Pay Later,” data are shared with PayPal under Art. 6(1)(b) GDPR. PayPal may conduct credit checks (Art. 6(1)(f) GDPR). For “invoice purchase,” PayPal forwards data to Ratepay GmbH, which may itself perform credit checks; list of agencies: https://www.ratepay.com/legal-payment-creditagencies/. For local third-party methods, PayPal forwards your data to the respective provider (e.g., Apple Pay, Google Pay, iDEAL, Bancontact, BLIK, eps, MyBank, Przelewy24). Full PayPal privacy info: https://www.paypal.com/de/legalhub/paypal/privacy-full
- Stripe (Stripe Payments Europe Ltd., Dublin, Ireland)
For prepayment methods, we share payment/order data under Art. 6(1)(b) GDPR. For methods where Stripe pays in advance (e.g., invoice/installments/direct debit), additional personal data may be requested and used for credit checks under Art. 6(1)(f) GDPR; score values may be used. You may object at any time; processing necessary for payment may continue.
- WooCommerce Payments (Automattic Inc., San Francisco, USA)
For prepayment methods, we share payment/order data under Art. 6(1)(b) GDPR. For transfers to the USA, the provider participates in the EU–US Data Privacy Framework.
9) Web Analytics
9.1 Google Analytics 4
We use Google Analytics 4 (Google Ireland Limited, Dublin, Ireland) to analyze website usage. By default, cookies are set. Your IP address is shortened by Google to prevent direct identification. Data may be transmitted to Google LLC (USA).
Google processes data on our behalf to evaluate website usage, compile reports, and provide related services. The IP shortened by Google Analytics will not be merged with other Google data. Data collected via GA4 are stored for two months and then deleted.
All processing described above—especially setting cookies—takes place only with your explicit consent (Art. 6(1)(a) GDPR). Without consent, GA4 is not used during your visit. You can withdraw consent at any time via the cookie consent tool.
We have a data processing agreement with Google. Further legal notes:
https://business.safety.google/intl/de/privacy/
https://policies.google.com/privacy?hl=de&gl=de
https://policies.google.com/technologies/partner-sites
Demographics. GA4 uses “demographic features” to compile statistics about age, gender, and interests (not attributable to individuals) and deletes such data after two months.
Google Signals. With consent (Art. 6(1)(a) GDPR), GA4 may use Google Signals for cross-device reports if you have personalized ads enabled and devices linked to your Google account. We receive only statistics. You can disable “Personalized ads” in your Google account settings. More info: https://support.google.com/analytics/answer/7532985?hl=de
User IDs. If you consent to GA4, have an account on our site, and log in across devices, activities (including conversions) can be analyzed cross-device.
For US transfers, Google participates in the EU–US Data Privacy Framework.
9.2 Google Tag Manager
We use Google Tag Manager (Google Ireland Limited). GTM provides a technical interface to manage various web applications (including analytics) via a unified UI. GTM itself does not store or read information on devices nor perform independent analysis. However, your IP address is transmitted to Google and may be stored; transfers to Google LLC (USA) are possible.
Processing occurs only with your consent (Art. 6(1)(a) GDPR) via the cookie tool. You can withdraw consent at any time. We have a DPA with Google. Google participates in the EU–US DPF. Further info: https://business.safety.google/intl/de/privacy/ and https://policies.google.com/privacy?hl=de&gl=de
9.3 Jetpack (Automattic)
We use Jetpack (Automattic Inc., San Francisco, USA). Using cookies and/or similar technologies (tracking pixels, web beacons, device/browser fingerprinting), the service collects and stores pseudonymized visitor data (including IP and browser info) to analyze usage and create pseudonymized profiles (e.g., heatmaps, time on page, interactions such as typing, scrolling, clicks, mouseovers). Pseudonymization prevents direct identification, and the data are not merged with clear data from other sources.
All processing—especially reading/storing info on your device—occurs only with your explicit consent (Art. 6(1)(a) GDPR), which you can withdraw at any time in the cookie tool. We have a DPA with Automattic. For US transfers, the provider participates in the EU–US DPF.
10) Site Functionality
10.1 Trusted Shops Trustbadge
We embed graphical elements from Trusted Shops AG, Subbelrather Str. 15C, 50823 Cologne, Germany to display external customer reviews and/or a quality label. When a page with such elements loads, your browser connects directly to Trusted Shops’ servers to load them; certain browser information, including your IP address, is transmitted. Processing is based on Art. 6(1)(f) GDPR (legitimate interest in optimal marketing and appealing website design).
For online orders, further processing may occur. With your explicit consent (Art. 6(1)(a) GDPR), after checkout, your order information (order amount, number, purchased product) and email may be transmitted (encrypted) to Trusted Shops to check for an existing registration for services (especially “Buyer Protection”) and, if applicable, enable a new registration. If a registration exists or is created, your order info and email are processed under Art. 6(1)(b) GDPR to provide the services.
We are joint controllers with Trusted Shops for the above processing (Art. 26 GDPR). The joint controllership agreement is available here: https://help.etrusted.com/hc/de/articles/23970817960082
10.2 Trustpilot
We embed elements from Trustpilot A/S, Pilestræde 58, 1112 Copenhagen, Denmark to display external customer reviews/quality labels. Loading these elements transmits certain browser information, including IP address, to Trustpilot. Processing is based on Art. 6(1)(f) GDPR (legitimate interest in marketing and appealing website design).
10.3 Google Maps
We use Google Maps (API) (Google Ireland Limited). Maps display our location and facilitate travel. When accessing subpages with embedded maps, usage information (e.g., IP address) is transmitted to Google servers and may be transferred to Google LLC (USA). If you are logged into Google, data may be associated with your account. You can prevent association by logging out before activation. Google may create usage profiles based on Art. 6(1)(f) GDPR (advertising/market research/needs-based design). You may object directly to Google. If you do not agree to data transfer, you can disable Google Maps by turning off JavaScript in your browser (maps will not function). Where legally required, we obtain your consent via the cookie tool (Art. 6(1)(a) GDPR), which you can withdraw at any time. Google participates in the EU–US DPF. Further privacy info: https://business.safety.google/intl/de/privacy/
10.4 Google Web Fonts
We use web fonts from Google Ireland Limited for consistent typography. Your browser connects directly to Google’s servers to load the fonts; certain browser information, including IP, is transmitted (data may also be transferred to Google LLC, USA). Processing occurs only with your consent via the cookie tool (Art. 6(1)(a) GDPR), which you can withdraw at any time. If your browser does not support web fonts, a default font is used. Google participates in the EU–US DPF. More info: https://business.safety.google/intl/de/privacy/
10.5 Google reCAPTCHA
We use Google reCAPTCHA (Google Ireland Limited; data may also be transferred to Google LLC, USA) to verify that inputs are made by a human and to block spam/DDoS/abuse. The service collects IP address, browser/OS identifiers, date and duration of visit, and may set cookies.
If cookies are involved, they are set only with your consent (Art. 6(1)(a) GDPR) via the cookie tool, which you can withdraw at any time. Where performed without cookies, processing is based on our legitimate interest (Art. 6(1)(f) GDPR) in ensuring individual responsibility online and preventing abuse/spam. We have a DPA with Google. Google participates in the EU–US DPF. More info: https://business.safety.google/intl/de/privacy/
Note: For the visual styling of the CAPTCHA window, Google Fonts are used; no additional data are processed beyond those described for reCAPTCHA.
11) Tools and Other Services
11.1 Cookie-consent tool
We use a cookie-consent tool to obtain valid user consents for cookies and cookie-based applications. The tool presents an interactive interface where users can grant consent by ticking boxes. Consent-requiring cookies/services are loaded only after the user grants consent, ensuring that such cookies are set on the user’s device only if consent is given.
The tool sets technically necessary cookies to store your preferences. Personal data are generally not processed. If, in individual cases, personal data (e.g., IP address) are processed to store/assign/log cookie settings, this is based on Art. 6(1)(f) GDPR (our legitimate interest in lawful, user-specific consent management) and Art. 6(1)(c) GDPR (our legal obligation to make non-essential cookies subject to consent). Where needed, we have a DPA with the provider. Further information is available directly in the tool’s interface on our website.
11.2 Wordfence (security)
We use Wordfence (Defiant Inc., 800 5th Ave Ste 4100, Seattle, WA 98104, USA) to protect the website and IT infrastructure from unauthorized access, cyberattacks, viruses, and malware. The provider collects IP addresses and, where applicable, other behavioral data (visited URLs, headers) to detect and block illegitimate access; IPs are compared against known attacker lists and may be blocked. Information is transmitted to and stored on the provider’s servers.
Processing is based on Art. 6(1)(f) GDPR (legitimate interest in cybersecurity and data integrity). For users with login rights, cookies may be set to evaluate device/location info, validate administrator access, and notify of irregular logins. These cookies are set only for users with login rights; if personal data are processed via cookies, the legal basis is Art. 6(1)(f) GDPR (preventing unauthorized admin access). We have a DPA with the provider. For US transfers, the provider relies on the Standard Contractual Clauses.
11.3 Elasticsearch (site search)
We use Elastic (ELASTIC, 800 West El Camino Real, Suite 350, Mountain View, CA 94040, USA) to provide a tolerant search function across articles and filters. Certain user information (e.g., user/session ID) may be collected in anonymized form. Where personal data are processed, the basis is Art. 6(1)(f) GDPR (legitimate interest in providing robust search and optimal marketing). For US transfers, the provider relies on Standard Contractual Clauses.
12) Your Rights as a Data Subject
Under applicable data protection law, you have the following rights vis-à-vis the controller with respect to your personal data (for conditions, see the cited legal bases):
- Right of access, Art. 15 GDPR
- Right to rectification, Art. 16 GDPR
- Right to erasure, Art. 17 GDPR
- Right to restriction of processing, Art. 18 GDPR
- Right to notification, Art. 19 GDPR
- Right to data portability, Art. 20 GDPR
- Right to withdraw consent, Art. 7(3) GDPR
- Right to lodge a complaint, Art. 77 GDPR
12.2 Right to Object
IF WE PROCESS YOUR PERSONAL DATA ON THE BASIS OF OUR LEGITIMATE INTERESTS FOLLOWING A BALANCING OF INTERESTS, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, WITH EFFECT FOR THE FUTURE.
IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE RELEVANT DATA.
HOWEVER, WE MAY CONTINUE PROCESSING IF WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS THAT OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS, OR IF THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE, OR DEFENSE OF LEGAL CLAIMS.
IF WE PROCESS YOUR PERSONAL DATA FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO PROCESSING FOR SUCH MARKETING.
IF YOU OBJECT, WE WILL NO LONGER USE YOUR PERSONAL DATA FOR DIRECT MARKETING PURPOSES.
13) Storage Duration
Storage duration depends on the legal basis, processing purpose, and—where applicable—statutory retention periods (e.g., commercial and tax law).
- Where processing is based on your consent (Art. 6(1)(a) GDPR), data are stored until you withdraw consent.
- Where statutory retention periods apply to data processed under Art. 6(1)(b) GDPR (contractual/contract-like obligations), data are routinely deleted when retention periods expire, provided they are no longer necessary for contract performance or initiation and/or we no longer have a legitimate interest in further storage.
- Where processing is based on Art. 6(1)(f) GDPR, data are stored until you exercise your right to object under Art. 21(1) GDPR, unless we can demonstrate compelling legitimate grounds outweighing your interests, rights, and freedoms or processing serves legal claims.
- For direct marketing under Art. 6(1)(f) GDPR, data are stored until you exercise your right to object under Art. 21(2) GDPR.
- Unless otherwise stated in this policy for specific situations, personal data are deleted when they are no longer necessary for the purposes for which they were collected or otherwise processed.