blu medical supply Ltd. (hereinafter “blu medical” or “we”) takes the security and protection of your data very seriously. We operate our website in accordance with applicable data protection law, in particular the provisions of the EU General Data Protection Regulation (GDPR).
By means of this Data Privacy Statement, we would like to inform you of the nature, scope, and purpose of the personal data we collect, use and process in connection with the use of our website and our web-shop, the legal basis for the processing as well as of the rights to which you are entitled in this respect.
- Applicability, Name and Address of the Controller, Hosting Provider
Operator and controller for the purposes of the GDPR and other applicable data protection regulations of the Website
Our WebSite is operated on servers of Mittwald CM Service GmbH & Co. KG, Königsberger Straße 4-6, 32339 Espelkamp, Germany (“Hosting Provider”), with whom we have entered into an agreement on commissioned processing of personal data in accordance with article 28 of the GDPR.
- General Information on Data Processing
Generally, we only collect and use your personal data to the extent necessary to provide our services. Apart from that, we only process the personal data which you actively provide to us, e.g. by filling in forms, by sending e-mails or other inquiries to us, by subscribing to newsletters or by ordering products and services. We solely use the personal information provided by you for the performance of a contract or the processing of your inquiries. For other purposes, such as advertising and market analysis, we only use your personal data after having obtained your prior consent or if we are entitled or obliged to do so pursuant to applicable law.
- Provision of the WebSite and Creation of Logfiles
When using the WebSite, we only collect the personal data that your browser transmits to the servers operated by our Hosting Provider. When you visit the WebSite, we collect the following information that is technically necessary for us to enable you to visit the WebSite and to ensure stability and security (the legal basis is Art. 6 para. 1 sent. 1 lit. f GDPR):
- The website you last visited (referrer)
- Date and time of retrieval
- Name of the Internet access provider (ISP)
- Browser type/version and language
- Access status/http status code
- The amount of data transferred in each case
- Pages visited by you incl. length of stay
- Directory protection user
- IP address (anonymized, i.e. the last three digits are removed)
We evaluate this data for statistical purposes only. A person-related evaluation does not take place. Temporary storage of your IP address is necessary to enable delivery of the WebSite to your end device. For this, the IP address of the user must remain stored for the duration of the session. The IP addresses are stored anonymously. The last three digits are removed, i.e. 127.0.0.1 becomes 127.0.0.*. IPv6 addresses are also anonymized. The anonymized IP addresses are kept for 60 days. Information on the directory protection user is anonymized after one day. The data is stored in log files to ensure the functionality of the WebSite. In addition, the data serves us to optimize the WebSite and to ensure the security of our information technology systems. These purposes also constitute our legitimate interests for the data processing pursuant to Art. 6 para. 1 lit. f GDPR.
The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of the collection for the provision of the WebSite, this is the case when the respective session has ended. The anonymized IP addresses will be deleted after 60 days at the latest. Error logs containing the accessing IP address and, depending on the error code, the retrieved webpage will be deleted after 7 days. Information on the directory protection user used is anonymized after one day.
The mail logs for sending e-mails from the web environment are anonymized after one day and then kept for 60 days. Anonymization removes all data about the sender/receiver, etc. Only the data at the time of sending and the information on how the e-mail was processed are retained (queue ID or not sent). Mail logs for sending via our mail server are deleted after four weeks. The longer retention time is necessary to ensure the functionality of the mail services and for spam protection purposes. An individual determination of the storage period is not possible.
If you visit our web-shop, we store the following information in order to fulfil the contract between you and blu medical or to carry out pre-contractual measures in accordance with Article 6 para. 1 lit. b) of the GDPR:
Order without setting up a customer account
When placing an order via the web-shop, all data necessary for the implementation and processing is requested through the mandatory fields: Your full name, your e-mail address, your address (billing address and, if applicable, different delivery address). Your data will only be used to process your order.
Customer account / Registration
Registration is not required in order to use the WebSite and the web-shop. However, we offer you, free of charge, the option to register on the Website and create a personal customer account which will make it easier for you to log in later without having to re-enter your data and to use certain additional benefits and services.
In particular, registered users will have access to their complete order information and order history as well as to their personal wish list with saved items, can manage and change their personal customer information and subscribe to and unsubscribe from our newsletter.
To register, the following personal data has to be provided via the relevant submission form:
- customer type (commercial or private)
- title/company name
- first and last name
- e-mail address
- self-selected password
- date of birth
- postal address (delivery address(es) if different)
- phone (optional)
The legal basis for the processing of that personal data is Art. 6 para. 1 lit. b) GDPR. The data collected during the registration process is solely used for providing the customer account.
For the registration we use the so-called double opt-in procedure. This means that after registering successfully, you will receive a confirmation e-mail from us which will include a link to activate your customer account. In order to use your customer account after registration, you must activate it by clicking on the link provided in the confirmation e-mail.
You can delete your customer account at any time by sending an email to our customer support: email@example.com
Storage of order data
If you transfer data to blu medical for an order, your data will be stored for as long as necessary to complete the purchase and in accordance with statutory retention periods. Extended storage to fulfil the retention obligations is carried out in accordance with Article 6 para. 1 lit. c) GDPR.
We store the data entered by you to set up a customer account, via which your orders are recorded, implemented and processed. We will keep your data for further orders as long as you maintain your registration. You have the right to access, correct and/or have your registration data deleted by us at any time.
Product recommendations
Only anonymized data which cannot be linked to an individual user is collected and processed for the features "Customers also bought" and "Customers also viewed". This non-person related data is solely used for the provision of these features.
If you do not want us to recognize your device, please set your browser so that it deletes cookies from your device, blocks all cookies or warns you before a cookie is stored. However, you may not be able to use the full functionality of the WebSite in this case.
We use the following types of cookies for our WebSite (the legal basis for the processing of personal data by using cookies in each case is Art. 6 para. 1 lit. f GDPR):
Session cookies or functional cookies
(e.g. to keep navigation elements open, to save the content of the user’s shopping cart as well as the visited products, watch list, comparison list and other information on the usage of the WebSite). Session cookies store a so-called session ID, with which different requests of your browser can be assigned to the common session. This will allow your device to be recognized when you visit the WebSite again. No other data is stored apart from the session-ID.
Language or regional settings cookies. This allows us to save the country, currency or language settings with which the WebSite is to be accessed. Some functions of the WebSite cannot be offered without the use of these cookies. For these functions it is necessary that the browser is recognized. The user data collected by technically necessary cookies is not used to create user profiles. This purpose also constitutes our legitimate interests for the processing of personal data pursuant to Art. 6 para. 1 lit. f GDPR.
Shopware cookies (see below under section 6 “Shopware”)
Session Cookies are automatically deleted when you leave the WebSite or due to expiry of the session after 15 minutes. The remaining cookies are automatically deleted after a specified period, which can vary in length depending on the cookies. You can delete the cookies we have set in the security settings of your browser at any time.
We use Shopware on our WebSite, an open source software developed and provided by Shopware AG, Schöppingen, Germany, in order to improve and optimize the use of our web-shop.
Shopware stores cookies in your browser software to guarantee the basic functions of the web-shop. Using cookies makes it possible, for example, to keep track of your login status and the contents of your shopping cart, and even to provide CSRF (cross-site request forgery) protection. If cookies are not allowed by your browser, Shopware cannot be used. Shopware only stores IDs in your browser; the association with the respective information occurs within the domain of the application.
Based on session cookies, Shopware determines whether you have an active shopping cart and whether you are logged in. Thus, it serves as the identification between your browser and the server. Except for the session ID, no other information is stored on your device. The handling of session cookies is managed on the server side via PHP and is to be viewed as independent from Shopware.
Moreover, Shopware produces an individual CSRF cookie when the web-shop is visited so that the user can navigate through the individual areas of the web-shop.
In addition, a so-called SLT (Shopware Login Token) cookie is placed that enables the web-shop to recognise customers when they return to the web-shop, even if the session has already expired. It just offers a simplified login. The SLT cookie can be deactivated in the basic settings of your browser.
If you place a product on the shopping list, a cookie with the name "sUniqueID" is placed to store the content of the shopping list. The browser's local cache history is also where information on "recently viewed items" is stored.
IP addresses are stored anonymously (i.e. the last 3 digits are shortened) via Shopware
- in orders to prevent abuse
- in internal shop statistics for the evaluation of visitors / day and temporarily for the calculation of the display of current "visitors online" - this data is deleted every 3 minutes.
- Transfer of Personal Data / Third-party Providers
No payment data will be stored in our web-shop or transferred to third parties. The payment data provided by the user is directly collected (via an encrypted and secured https connection) by our payment provider PayPal after the user has been forwarded to the site of the payment provider. If a customer account is registered, address data, name, e-mail address as well as shopping cart contents are transferred to PayPal.
The order data (address, name, ordered products etc.) are transferred to our logistics & warehouse service provider who carries out the picking and dispatch.
- Contact Forms
If you contact us via a contact form on the WebSite, the data you provide will be stored so that your message can be forwarded via e-mail to the correct contact person at blu medical. This is done in accordance with Article 6 para. 1 lit. b) GDPR for processing your request. Which data is collected can be seen from the respective input forms (e.g. contact, returns, complaints etc.). Your data provided via a contact form will not be used for any other purposes, especially not for advertising. After answering your inquiry we will delete your inquiry and the related personal data, unless we are required by applicable law to further store it, in which case the data is deleted after expiry of any retention periods under tax and commercial law.
- Product Evaluation
If you decide to write a product review after placing an order through our web-shop, the following personal data is required and stored:
- Name (freely selectable, no real name required) (shown),
- E-mail address (not shown),
- Title / summary (shown),
- Assigned points 1-10 (shown),
- Free text field for description (shown), and
- Date (shown).
The evaluation / product review is only published after activation by an administrator. The rating cannot be changed by the administrator, however, the activation can be withdrawn or the post deleted.
If you have given us your express consent to this during or after your order in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR, we will use your e-mail address to send you a reminder to submit an evaluation of your order via the evaluation system used by us 14 days after placing an order through our web-shop. This consent can be revoked at any time by sending an e-mail to the contact address given below.
You can subscribe to our free newsletter on our WebSite. In this case the data entered by you into the subscription form (e-mail address, first and last name and postal address) will be transferred to us. The subscription does not require a registered user account.
For the subscription to our newsletters we use the so-called double opt-in procedure. This means that immediately after the subscription to our newsletter you will receive a verification e-mail by means of which we will ask you to confirm your subscription. If the confirmation is granted, we will store your e-mail address as well as any other data provided by you in addition, if any, until you unsubscribe from the newsletter.
Legal basis for the processing of data after subscription to the newsletter is Art. 6 para. 1 lit. a) GDPR.
You may revoke your consent to receiving the newsletter at any time with effect for the future and automatically unsubscribe from the newsletter by clicking on the relevant link provided in each newsletter or via the input form provided on the WebSite.
- Data Security
We deploy technical and organizational security measures to protect your personal data from being manipulated unintentionally or intentionally, lost, destroyed or accessed by unauthorized persons. Our technical and organizational measures are continuously reviewed and revised in line with the latest state of technology.
The WebSite is completely SSL encrypted.
Credit card information or other payment data provided by you is not stored at blu medical, but collected via encrypted hypertext transfer protocol secure ("https") directly by the payment service provider.
Our WebSite may contain hyperlinks to the web pages of third parties. We shall have no liability for the contents of such web pages and do not make representations about or endorse such web pages or their contents as its own. The respective provider or operator of these external websites is always responsible for their content. The linked websites were checked at the time of linking for possible violations of law. Illegal contents were not recognizable. A permanent control of the linked pages is unreasonable without concrete evidence of a violation. Upon notification of violations, we will remove such links immediately.
- Your Rights
To the extent we process any personal data related to you, you are entitled to the following rights:
Right to Information
You have the right to request a confirmation from us whether we process personal data related to you.
If this is the case, you are entitled to request the following information from us:
- the purposes of the processing;
- the categories of personal data that are processed;
- the recipients or categories of recipients to whom the personal data has been disclosed or is still being disclosed;
- where possible, the intended period for which the personal data is stored or, if not possible, the criteria for the establishment of this period;
- the existence of the right to rectify or delete personal data of the data subject or the right to limit the processing by the controller or a right of objection against this processing;
- the existence of a right of appeal with a regulatory authority;
- where the personal data are not collected from the data subject, any available information as to their source.
Furthermore, you are entitled to a right of access to information about whether your personal data have been sent to a third country or an international organisation. Insofar as this is the case, you also have the right to receive information about the appropriate guarantees in connection to the transfer of the data pursuant to Art. 46 GDPR.
Right to Rectify
You have the right to request from us the immediate rectification of any inaccurate personal data as well as the completion of any incomplete personal data relating to you. In this case, we will immediately rectify your personal data.
Right to Object
If and to the extent we rely on our legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR when processing your personal data, you have the right to object to the processing of your personal data on grounds relating to your particular situation. In this case we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests or the processing is necessary for the establishment or defence of legal claims.
Right to Limit the Processing
You have the right to request from us the limitation of your personal data if one of the following requirements is given:
- You have challenged the accuracy of your personal data, and this is for a period that enables us to verify the accuracy of your personal data.
- The processing is illegal and you decline the deletion of your personal data and instead request limiting its use.
- We no longer require your personal data for the purposes of the processing, you, however, require the data for the assertion, exercise or defence of legal claims, or
- You have filed an objection to the processing in accordance with article 21 para. 1 GDPR, and it is still undetermined whether our legitimate reasons as controller outweigh yours as the data subject.
- Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
- If the processing of your personal data has been restricted in accordance with the above requirements, we will immediately notify you before the restriction is lifted.
Right to Deletion
You have the right to request from us that your personal data is promptly deleted provided one of the following reasons pertains and if the processing is not necessary:
- Your personal data is recorded for such purposes or processed in another manner for which it is no longer necessary.
- In case the processing of the personal data is based on Art. 6 para. 1 lit. a GDPR, you revoke your consent on which the processing is based.
- You file an objection against the processing in accordance with article 21 section 1 of the GDPR, and there are no predominant legitimate reasons for the processing, or you file an objection against the processing in accordance with article 21 section 2 of the GDPR.
- Your personal data was unlawfully processed.
- The deletion of your personal data is necessary for the fulfilment of a legal obligation.
A right to deletion does not exist, if the processing is necessary
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by law or for the performance of a task carried out in the public interest or in the exercise ;
- for the establishment, exercise or defence of legal claims.
Right of appeal to a supervisory authority
Without prejudice to any other remedy, you have the right of appeal to a competent supervisory authority if you believe that the processing of your personal data violates applicable data protection law.
Right to Revocation of consent
If and to the extent the processing of your personal data is based on your consent pursuant to Art. 6 para. 1 lit. a of the GDPR, you may revoke your granted consent at any time with effect for the future by sending an email to firstname.lastname@example.org.
All inquiries, requests and declarations as to the use of personal data can be sent via e-mail to
or by post to
blu medical supply Ltd.