The person responsible for data processing is:

Your Cocoa GmbH
Mittelgasse 27
67271 Neuleiningen

info@deinkakao.de

We appreciate your interest in our online shop. Protecting your privacy is important to us. Below, we provide detailed information about how we handle your personal data on our website.

1. Access data and hosting

Every time you visit our website, your IP address, the date and time of access, the amount of data transferred, and the requesting provider (access data) are collected. This connection data is evaluated solely for the purpose of enabling you to visit the website, ensuring smooth operation of the site, and improving our offering. The legal basis for processing is Art. 6 (1) (b) GDPR, provided the page is accessed as part of the initiation or execution of a contract, and otherwise Art. 6 (1) (f) GDPR due to our legitimate interest in enabling you to access the website and ensuring the long-term functionality and security of our systems. All access data is deleted no later than seven days after your visit to the website. We use IONOS to host our website.

2. Data processing for contract processing and contact

2.1 Orders

For the purpose of contract processing in accordance with Art. 6 (1) (b) GDPR, we collect personal data when you voluntarily provide it to us as part of your order. Mandatory fields are marked as such, as in these cases we absolutely need the data to process the contract, and without it we cannot ship the order. The data collected is evident from the respective input forms and includes, in particular, your last name, first name, address, company name, email address, and the time of transmission.

Further information on the processing of your data, in particular on the transfer to our service providers for the purpose of order, payment, and shipping processing, can be found in the following sections of this privacy policy. After the contract has been fully processed, your data will be restricted for further processing and deleted after the expiration of the retention periods under tax and commercial law, unless you have expressly consented to further use of your data in accordance with Art. 6 (1) (a) GDPR or we reserve the right to use your data in any other way that is permitted by law and about which we will inform you in this policy.

We share your personal information with third parties who help us use your personal information as described above. For example, we use Shopify to operate our online store. You can find more information about how Shopify uses your personal information here: 
https://www.shopify.com/legal/privacy
We also use Google Analytics to understand how our customers use the website. For more information about how Google uses your personal data, see: https://policies.google.com/privacy?hl=de. You can deactivate Google Analytics here: https://tools.google.com/dlpage/gaoptout.

2.2 Customer account

If you decide to open a customer account, we will use the data you enter in the input forms in accordance with Art. 6 (1) (b) GDPR for the purpose of opening a customer account and save your data for future orders on our website. You can delete your customer account at any time and can do so either by sending a message to the contact option described in this privacy policy or via a function provided for this purpose in your customer account. After your customer account has been deleted, your data will be deleted unless you have expressly consented to further use of your data in accordance with Art. 6 (1) (a) GDPR or we reserve the right to use the data in any other way that is permitted by law and about which we will inform you in this policy.

2.3 Contact

As part of our customer communication via the contact form on our website, we process the personal data that you provide as part of your inquiry and that is necessary to answer it.

3. Data processing for the purpose of delivery

To process your order and fulfill the contract in accordance with Art. 6 (1) (b) GDPR, we pass on the data required for delivery to the shipping service provider commissioned with the delivery. For parcel delivery, we use the service providers DHL Paket GmbH and United Parcel Service of America, Inc.

4. Payment process

4.1 Data processing for payment processing

For payment processing in our online shop, we offer common payment methods such as credit card, PayPal, SEPA direct debit, or invoice. Depending on the payment method selected, we pass on the data required to process the payment transaction to our technical service providers, the commissioned credit institutions, or the selected payment service provider. The legal basis is the fulfillment of the contract in accordance with Art. 6 (1) (b) GDPR. In some cases, the payment service providers collect the data required for payment processing themselves, e.g., on their own website or via a technical integration in the ordering process. The privacy policy of the respective payment service provider applies in this regard.

If you have any questions about our payment processing partners and the basis of our cooperation with them, please contact us using the contact details provided in this privacy policy.

4.2 Data processing for fraud prevention and optimization of our payment processes

If necessary, we transmit additional data to our service providers, who use this data, along with the data required for payment processing, as our processors for fraud prevention and the optimization of our payment processes (e.g., invoicing, handling payment disputes, accounting support). Pursuant to Art. 6 (1) (f) GDPR, this serves to safeguard our legitimate interests in fraud prevention and efficient payment management, which prevail within the framework of a balancing of interests. We use our service provider Endereco, UG for address validation.

5. Advertising by email and post

5.1 Registration for the email newsletter

If you subscribe to our newsletter, we will use the data required for this purpose or separately provided by you to regularly send you our e-mail newsletter based on your consent in accordance with Art. 6 (1) (a) GDPR. We use the so-called double opt-in procedure for this, i.e. we will only send you newsletters by e-mail if you first confirm that you are the owner of the specified e-mail address by clicking on a link in our notification e-mail. You can unsubscribe from the newsletter at any time and can do so either by sending a message to the contact option described below or via a link provided for this purpose in the newsletter. After unsubscribing, we will delete your e-mail address from our recipient list unless you have expressly consented to further use of your data in accordance with Art. 6 (1) (a) GDPR or we reserve the right to use the data in any other way that is permitted by law and about which we inform you in this declaration.

The email newsletter may also be sent by our service providers as part of a contract processing agreement. For this purpose, we use our service providers Mailgun, Braze, and Paqato. If you have any questions about our service providers and the basis of our collaboration with them, please contact us using the contact details provided in this privacy policy.

5.2 E-mail newsletter without registration and your right of objection

If we receive your email address in connection with the sale of a product or service and you have not objected, we reserve the right, based on Section 7 (3) of the German Unfair Competition Act (UWG) in conjunction with Article 6 (1) (f) of the GDPR, to regularly send you offers for products from our range similar to those you have already purchased. This serves to protect our legitimate interests in advertising to our customers, which prevail in the context of a balancing of interests.

You can object to this use of your e-mail address at any time by sending a message to the contact option described in this privacy policy or via a link provided for this purpose in the advertising e-mail, without incurring any costs other than the transmission costs according to the basic rates.

5.3 Sending evaluation requests by email

If you have given us your consent pursuant to Art. 6 (1) (a) GDPR as part of your order, we will use your email address to request a review of your order via our review system. This consent can be revoked at any time by sending a message to the contact option described in this privacy policy or via a link provided for this purpose in the review request.

For this purpose we use our service provider Shopify.

5.4 Online surveys, video surveys

We occasionally advertise the opportunity to participate in surveys we conduct via our newsletter or social media channels. We use the results of these surveys for market and opinion research and to improve our offerings. The legal basis for data processing when participating in the survey is your consent in accordance with Art. 6 (1) (a) GDPR. You can revoke this consent at any time by sending a message to the contact option described in this privacy policy. We use the service provider Survicate SA for our online surveys.

We conduct surveys either in person or via video conference. The conversations are recorded and automatically transcribed to capture the survey results. We use the service provider Zoom Video Communications, Inc. for video conferences.

6. Cookies and other technologies

6.1 General information

To make visiting our website more attractive and enable the use of certain functions, we use technologies on various pages, including so-called cookies. Cookies are small text files that are automatically stored on your device. Some of the cookies we use are deleted after the end of the browser session, i.e., after you close your browser (so-called session cookies). Other cookies remain on your device and enable us to recognize your browser the next time you visit (persistent cookies). These technologies collect and process your IP address, time of visit, device and browser information, and information about your use of our website (e.g., information about the contents of your shopping cart).

We use technologies necessary for the operation of the website based on our legitimate interest in accordance with Art. 6 (1) (f) GDPR to provide the basic functions of our website (e.g., shopping cart function). In certain cases, these technologies may also be required to fulfill a contract or to take steps prior to entering into a contract; in this case, processing is carried out in accordance with Art. 6 (1) (b) GDPR. Access to and storage of information on the device is mandatory in these cases and is carried out on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany in accordance with Section 25 (2) TDDDG.


We use all other non-essential (optional) technologies that provide additional functions based on your consent in accordance with Art. 6 (1) (a) GDPR. Access to and storage of information on the device is then based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany in accordance with Section 25 (1) of the Telemedia Act (TDDDG). Data processing using these technologies only occurs if we have previously obtained your consent.

6.2 Obtaining your consent

When you visit our website, a banner is generated that informs you about the data processing on our website and gives you the option to consent to all, some, or no data processing using optional technologies. This banner appears the first time you visit our website and each time you access your settings to change them or revoke consent. The banner also appears on subsequent visits to our website if you have deactivated the storage of cookies or the cookies or information in the local storage have been deleted or have expired. During your website visit, your consents or revocations, your IP address, information about your browser, your device, and the time of your visit are stored. In addition, the information necessary to document your granted consents and revocations is stored on your device ("Cookie_Name" (x years)). The data processing is necessary to provide you with the legally required consent management and to fulfill our documentation obligations. The legal basis is Art. 6 (1) (f) GDPR, justified by our interest in fulfilling the legal requirements for consent management. In these cases, access to and storage of information on the end device is mandatory and is carried out on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany in accordance with Section 25 (2) TDDDG.

You can find the cookie settings for your browser at the following links: Microsoft Edge™ / Safari™ / Chrome™ / Firefox™ / Opera™

If you have consented to the use of the technologies in accordance with Art. 6 (1) (a) GDPR, you can revoke your consent at any time by adjusting the cookie settings or by sending a message to the contact option described in the data protection declaration.

6.3 Use of cookies and other technologies for web analysis and advertising purposes

If you have given your consent in accordance with Art. 6 (1) (a) GDPR, we use the following cookies and other third-party technologies on our website. Once the purpose no longer applies and the use of the respective technology is discontinued, the data collected in this context will be deleted. You can revoke your consent at any time with effect for the future. Further information on your options for revoking your consent can be found in the "Cookies and other technologies" section. Further information, including on the basis of our cooperation with the individual providers, can be found under the individual technologies. If you have any questions about the providers and the basis of our cooperation with them, please use the contact options described in this privacy policy.

6.3.1 Use of Google services for web analysis and advertising purposes

We use the technologies of Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) presented below. The information automatically collected by Google technologies about your use of our website is usually transferred to a server of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA and stored there. If your IP address is collected via Google technologies, it will be shortened before being saved on Google’s servers by activating IP anonymization. Only in exceptional cases will the full IP address be transferred to a Google server and shortened there. Unless otherwise stated for the individual technologies, data processing is based on an agreement concluded for the respective technology between joint controllers in accordance with Art. 26 GDPR. Further information about data processing by Google can be found in Google’s privacy policy.

Google Analytics:
For website analysis, Google Analytics automatically collects and stores data (IP address, time of visit, device and browser information, as well as information about your use of our website). Pseudonymized user profiles are created from this data. Cookies may be used for this purpose. Your IP address will not be merged with other Google data. Data processing is based on a contract processing agreement with Google. You can find the most important information here.

To optimize the marketing of our website, we have activated the data sharing settings for "Google Products and Services." This allows Google to access the data collected and processed by Google Analytics and subsequently use it to improve Google services. Data sharing with Google under these data sharing settings is based on an additional agreement between the controllers. We have no influence on the subsequent data processing by Google.

To optimize the marketing of our website, we use the so-called User ID function. This function allows us to assign a unique, permanent ID to your interaction data from one or more sessions on our online presence, thus analyzing your user behavior across devices and sessions.

For web analysis and advertising purposes, the Google Analytics extension uses the so-called DoubleClick cookie to recognize your browser when you visit other websites. Google will use this information to compile reports on website activity and to provide other services related to website activity.

Google Ads
For advertising purposes in Google search results and on third-party websites, a Google remarketing cookie is set when you visit our website. This cookie automatically collects and processes data (IP address, time of visit, device and browser information as well as information about your use of our website) and uses a pseudonymous cookie ID to enable interest-based advertising based on the pages you visit. Further data processing only takes place if you have activated the "personalized advertising" setting in your Google account. If you are logged in to Google while visiting our website, Google will use your data together with Google Analytics data to create and define target group lists for cross-device remarketing.

For website analysis and event tracking, we use Google Ads Conversion Tracking to measure your subsequent usage behavior if you have accessed our website via a Google Ads ad. Cookies may be used for this purpose and data (IP address, time of visit, device and browser information, as well as information about your use of our website based on events specified by us, such as website visits or newsletter registration) may be collected, from which user profiles are created using pseudonyms.

Google Maps:
To visually display geographical information, Google Maps collects data about your use of the Maps features, in particular your IP address and location data, transmits it to Google, and processes it. We have no influence on this further data processing.

Google reCAPTCHA
To protect against misuse of our web forms and spam by automated software (so-called bots), Google reCAPTCHA collects data (IP address, time of visit, browser information, and information about your use of our website) and analyzes your use of our website using JavaScript and cookies. In addition, other cookies stored in your browser by Google services are evaluated. Personal data from the input fields of the respective form is not read or saved.

Google Fonts:
To ensure a consistent presentation of content on our website, the "Google Fonts" script code collects data (IP address, time of visit, device and browser information), transmits it to Google, and processes it there. We have no influence on this further data processing.

YouTube Video Plugin:
When you play a video, data (IP address, time of visit, device and browser information) is collected via the YouTube video plugin in the enhanced privacy mode, which we use to integrate third-party content, and transmitted to Google for processing. This only applies when you play a video.

6.3.2 Use of Meta services for web analysis and advertising purposes
Use of Meta Pixel

As part of the technologies described below, we use the Meta Pixel from Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. The Meta Pixel automatically collects and stores data (IP address, time of visit, device and browser information as well as information about your use of our website based on events specified by us, such as website visits or newsletter registration). Pseudonymized user profiles are created from this data. As part of the so-called extended data comparison, personal data (e.g. names, email addresses and telephone numbers) is also collected and stored in hashed form for comparison purposes. For this purpose, the Meta Pixel automatically sets a cookie when you visit our website. This cookie uses a pseudonymous cookie ID to enable automatic recognition of your browser when you visit other websites. Meta combines this information with other data from your Facebook or Instagram account and uses it to create reports on website activity and to provide other services related to website activity, in particular personalized and group-based advertising.


The information automatically collected by Meta Technologies about your use of our website is generally transferred to and stored on a server of Meta Platforms Inc., 1601 Willow Road, Menlo Park, California 94025, USA. Further information on data processing by Facebook can be found in Meta's privacy policy.

Meta for Business
We promote this website via Meta for Business on Facebook and other platforms. We determine the parameters of each advertising campaign. Meta is responsible for the precise implementation, in particular the decision regarding ad placement for individual users. Unless otherwise stated for the individual technologies, data processing is based on an agreement between joint controllers pursuant to Art. 26 GDPR. Joint controllership is limited to the collection of data and its transmission to Meta Platforms Ireland. Subsequent data processing by Meta Platforms Ireland is not included.

Based on the statistics generated via Meta Pixel regarding visitor activity on our website, we use Custom Audience to place group-based advertising on Facebook by determining the characteristics of the respective target audience. As part of the advanced data matching (see above) used to determine the respective target audience, Meta acts as our processor.

Based on the pseudonymous cookie ID set by the Meta Pixel and the data collected about your usage behavior on our website, we display personalized advertising via Meta Pixel Remarketing.
We use Meta Pixel Conversions for web analytics and event tracking to measure your subsequent usage behavior if you have accessed our website via a Meta for Business ad. Data processing is based on a joint controllership agreement. All essential information can be found here.

8. Social Media

8.1 Social plugins from Facebook, Twitter (X), Instagram, Pinterest

Our website uses social buttons from social networks. These are embedded simply as HTML links, so no connection to the servers of the respective provider is established when you visit our website. Clicking on one of the buttons opens the website of the respective social network in a new browser window. There you can, for example, click "Like" or "Share."

8.2 Our online presence on Facebook, Instagram, YouTube, Pinterest

If you have given the respective social media operator your consent in accordance with Art. 6 (1) (a) GDPR, your data will be automatically collected and stored for market research and advertising purposes when you visit our online presence on the social media platforms mentioned above. User profiles are created from these data using pseudonyms. These profiles can be used, for example, to place advertisements both within and outside the platforms that presumably correspond to your interests. Cookies and other identifiers are generally used for this purpose. Detailed information on the processing and use of data by the respective social media operator, as well as a contact option and your related rights and setting options for protecting your privacy, can be found in the providers' data protection notices linked below. If you still need help in this regard, you can contact us.

Facebook is a service provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. The information automatically collected by Facebook Ireland about your use of our online presence on Facebook is generally transferred to a server of Meta Platforms Inc., 1601 Willow Road, Menlo Park, California 94025, USA, and stored there. Data processing when you visit a Facebook fan page is based on an agreement between joint controllers in accordance with Art. 26 GDPR. Further information (information on Insights data) can be found here.

Instagram is a service of Meta Platforms Ireland Ltd., Merrion Road, Dublin 4, D04 X2K5, Ireland ("Instagram"). The information automatically collected by Instagram about your use of our online presence on Instagram is usually transferred to a server of Meta Platforms Inc., 1601 Willow Road, Menlo Park, California 94025, USA, and stored there. Data processing when you visit an Instagram fan page is based on an agreement between joint controllers in accordance with Art. 26 GDPR. Further information (information on Insights data) can be found here.

YouTube is a service provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). The information automatically collected by Google about your use of our online presence on YouTube is generally transferred to a server of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and stored there.

Pinterest is a service provided by Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland ("Pinterest"). The information automatically collected by Pinterest about your use of our online presence on Pinterest is generally transferred to a server of Pinterest, Inc., 505 Brannan St., San Francisco, CA 94107, USA, and stored there.

9. Storage period

We generally only store personal data for as long as necessary to fulfill the purposes for which we collected it. After that, we delete the data immediately, unless we still need the data until the expiration of the statutory limitation period for evidentiary purposes for civil claims, due to statutory retention periods, or if there is another legal basis under data protection law for the further processing of your data in the individual case.

For evidentiary purposes, we must retain contract data, in particular, for three years after the end of the year in which our business relationship with you ends. Any claims will expire at the earliest at this point in time, in accordance with the statutory limitation period.

Even after this time, we may still need to store your data for accounting purposes. We are obligated to do so due to legal documentation requirements that may arise from the German Commercial Code (HGB), the German Fiscal Code (Abgabenordnung), the German Banking Act (Kreditwesengesetz), the German Money Laundering Act (Geldwäschegesetz), and the German Securities Trading Act (Wertpapierhandelsgesetz). The retention periods specified therein range from two to ten years.

10. Your rights and contact options

10.1 Your rights

As a data subject, you have the following rights:

  • Art. 15 GDPR – The right to request information about your personal data processed by us, to the extent specified therein.
  • Art. 16 GDPR – The right to immediately request the rectification of inaccurate or incomplete personal data stored by us.
  • Art. 17 GDPR – The right to request the deletion of your personal data stored by us, unless further processing is required:
    • to exercise the right to freedom of expression and information
    • to fulfill a legal obligation
    • for reasons of public interest
    • to establish, exercise or defend legal claims
  • Art. 18 GDPR – The right to request the restriction of the processing of your personal data, provided that:
    • you dispute the accuracy of the data
    • the processing is unlawful but you oppose its erasure
    • we no longer need the data, but you require it to assert, exercise or defend legal claims
    • you have objected to the processing pursuant to Art. 21 GDPR
  • Art. 20 GDPR – The right to receive your personal data that you have provided to us in a structured, common and machine-readable format, or to request that it be transmitted to another controller.
  • Art. 77 GDPR – The right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority at your usual place of residence or work, or at our company headquarters.


Right of objection

If we process personal data as described above to protect our legitimate interests, which prevail in the context of a balancing of interests, you can object to this processing with future effect. If the processing is carried out for direct marketing purposes, you can exercise this right at any time as described above. If the processing is carried out for other purposes, you only have the right to object if there are reasons arising from your particular situation.

After exercising your right of objection, we will no longer process your personal data for these purposes unless we can demonstrate compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

This does not apply if the processing is carried out for direct marketing purposes. In this case, we will no longer process your personal data for this purpose.

Your inquiries regarding the assertion of data protection rights and our responses to them will be retained for up to three years for documentation purposes, or longer in individual cases if there is cause to assert, exercise, or defend legal claims. The legal basis is Art. 6 (1) (f) GDPR, based on our interest in defending against any civil law claims under Art. 82 GDPR, avoiding fines under Art. 83 GDPR, and fulfilling our accountability obligations under Art. 5 (2) GDPR.