Privacy policy for GROHE website
We would like to thank you for your interest in our company and in our products and services. The protection of your privacy when using our website is of particular importance to us at GROHE. This privacy policy therefore provides you with information about how we, GROHE (“provider”, “we”, “us”) process your personal data in the context of using our website and about the rights you have under data protection regulations.
1. Who is responsible for processing your personal data and who can you contact?
The company named in the legal information is responsible for processing your personal data in connection with the use of the website. We can be contacted, as the controller, using the contact details provided in the legal information. You can also contact our Group Data Protection Officer at any time. They can be contacted using the following email: DataProtection_UK@grohe.com
2. For what purpose do we process your data and on what legal basis?
We process your personal data in accordance with the relevant data protection regulations, in particular the General Data Protection Regulation (GDPR) and the national data protection laws which apply in each case.
The legal basis for the processing essentially comprises the following: Processing based on your consent (Article 6(1) point (a) GDPR), for the performance of contractual obligations (Article 6(1) point (b) GDPR), for compliance with a legal obligation (Article 6(1) point (c) GDPR) and/or for the purpose of legitimate interests (Article 6(1) point (f) GDPR). Other legal bases may also be relevant.
When using our website, the personal data or data categories we process, the purposes for which we do this and on which legal basis this occurs depend largely on the respective services and features you use on the website. Below you will find information on the individual personal data or data categories, processing purposes and the respective legal bases in connection with this website.
2.1. Technical provision of the website
2.1.1. Hosting, content delivery and web security
To ensure the smooth running of the website and of the functions, services and content provided, as well as to guarantee the security of the website, we use services from providers in the areas of web hosting, content delivery and web security in connection with the provision of our website.
As part of hosting, the data processed in connection with the operation and use of the website as well as all of the content and applications provided on the website are stored on the servers of the web hosting provider. Where the services of content delivery network (CDN) providers are used, these allow us to process – at all times and in a highly effective manner – the data used in connection with the use of the website and the content and applications provided on the website and to make this available to users. As part of our use of services from web security providers, we draw on the web security and performance services they provide in order to monitor the security and performance of the website. This involves, in particular, the processing of technical protocol data (see below).
When using the providers referred to above, the data you provide in connection with use of the website is transmitted to these providers or collected by them and processed by these providers for the purposes referred to above. Personal data is processed for the purpose of protecting our legitimate interests, in particular for ensuring both the smooth and secure use of the website and of the functions, services and content provided on the website. The legal basis in this case is Article 6(1) point (f) GDPR.
2.1.2. Automated collection of protocol data and server log files
We process technical protocol data when you visit the website. We process this technical protocol data to ensure a smooth connection to the website. We also store technical protocol data in the form of log files to ensure the security and stability of the website.
The protocol data or log files include the following data: IP address of the requesting computer, date and time of access, name and URL of the file retrieved, website from which the access was made (referrer URL), browser used and, if applicable, the operating system of your computer and the name of your access provider. In general, log files are stored for seven days and then automatically deleted.
Your data is processed for the purposes referred to above in order to protect our legitimate interests, in particular for ensuring the security and functionality of the website and of the functions provided on the website. In this case, the legal basis for the processing of your data for the purposes listed is Article 6(1) point (f) GDPR.
2.1.3. Use of cookies and similar technologies
Cookies and similar technologies are used to provide the website and specific services and functions available on the website.
Cookies are small text files which are stored on your end device when you visit the website. They enable specific information to be stored on the end device as well as access to information already stored on the device (e.g. language settings or login information). Depending on the information which is stored or retrievable, cookies make it possible to identify the user of the platform.
Certain cookies we use for the website are automatically deleted at the end of the browser session, i.e. after you close your browser (these are referred to as session cookies). Other cookies remain on your end device and enable us to recognise your browser on your next visit (these are referred to as persistent cookies). A distinction must also be made between first-party cookies and third-party cookies. First-party cookies are managed and read directly by us. In contrast, the specific feature of third-party cookies is that they are controlled and managed by a third-party provider.
Besides cookies, we also use similar technologies which also store and/or read information in your browser or device and use local shared objects or local memory. These include JavaScripts, web storage objects, plugins and web beacons or counting pixels. Other technologies include the use of fingerprinting technologies as well as the use of devices or user IDs and entity tags (eTags). Counting pixels involve an electronic graphic embedded in a website for collecting information about your visit to a website (e.g. type of device and browser used, IP address, access to the website, clicking on certain links or objects). In the case of web storage objects, data is stored and read in a user's browser using JavaScripts (either session-related as session storage or across sessions as local storage). In the case of fingerprint tracking, data is not collected via cookies set in the browser and instead is captured via specific hardware and software features. An eTag (entity tag) is a reference file which is assigned to an object – such as an image, text or other file. The eTag shows which of these files are already in the cache and which are not. In each case, the eTag is unique and can therefore be assigned to a specific user.
In some cases, we also use cookies and similar technologies in connection with the provision of the website and its services and features without accessing information in your browser or device or storing information there. Instead, in this case the relevant data is collected in each instance directly on servers operated by us (server-side tracking). Your data is then forwarded to third-party providers depending on the purpose of the respective service or function.
Please note that the use and the scope of use of cookies and similar technologies are always subject to your consent. This does not apply to cookies and similar technologies which are essential, in particular, for the operation, functions and services of the website. Such cookies and similar technologies are used without your explicit consent.
Consent can be granted and revoked at any time via the consent management software integrated on the website (“Consent Management Platform”). The Consent Management Platform can be accessed via the “cookie banner” when the website is accessed for the first time. You can also access the Consent Management Platform at any time during a visit to the website via the “cookie settings” and change your selection by activating or deactivating cookies and similar technologies which require consent. Cookie settings can be found at the bottom of the website.
You can also configure your browser so that the acceptance of cookies is prevented in specific cases or in all cases. You can delete cookies which have already been stored via your browser. Please note that the functions of our website may be restricted if you delete or do not accept certain cookies.
Further information about the cookies we use and about activating or deactivating specific cookies can be found in the Consent Management Platform (see the link labelled “Cookie settings” or similar at the bottom of the website).
2.1.4. Consent Management Platform (OneTrust)
We use the Consent Management Platform from the provider OneTrust to ensure that the use of cookies and similar technologies is legally compliant (see also the previous section about cookies and similar technologies).
The Consent Management Platform is consent management software integrated in our website which gives you the opportunity to control the use of cookies and similar technologies requiring consent in a legally compliant way by granting or refusing your consent. You can also revoke your consent relating to this at any time. The consent is also documented for the purposes of providing legal proof.
In connection with this, your IP address and device-related data (pseudonymised browser ID, browser type, country, device type) are processed. Cookies are also used by the Consent Management Platform. These cookies store your cookie settings on our website. This means your cookie settings can be retained when you visit our website again as long as you do not delete the cookies beforehand. You can change your settings at any time.
The processing of personal data is for the purpose of protecting our legitimate interests, in particular for ensuring legally compliant use of cookies and similar technologies. The legal basis in this case is Article 6(1) point (f) GDPR.
2.1.5. User verification (Google reCAPTCHA)
We use Google reCAPTCHA on our website. Google reCAPTCHA is an identification service from Google. Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, is responsible for providing Google reCAPTCHA in the European region.
We use Google reCAPTCHA in online forms and application processes to check whether our website is being used by a human or by an automated programme. This enables us to protect our website from abusive automated spying and spam and to ensure the availability of our services.
When using Google reCAPTCHA, your IP address and other device-related data (web request, browser type, browser language, date and time of the request) are processed and sent to Google. A range of different cookies are also set when using Google reCAPTCHA.
The legal basis for the processing of personal data is your consent in accordance with Article 6(1) point (a) GDPR. You can revoke your consent at any time with effect for the future by accessing "Cookie settings" and changing your selection. Please note that this does not affect the legality of processing carried out on the basis of the consent up until the point of revocation.
Further information on the use of Google reCAPTCHA is available here:
2.1.6. Webfonts from Fonts.com
This website uses webfonts provided by Fonts.com to display fonts. Monotype Imaging Inc. is responsible for providing Fonts.com.
When you view a page, your browser loads the required webfonts into your browser cache in order to display texts and fonts correctly. For this, the browser you are using must connect to the fonts.com servers in the US. This provides Fonts.com with the information that our website has been accessed via your IP address. Fonts.com also collects other usage data (including URL accessed, referrer URL, font type, date and time of the page impression).
The service is used based on your consent. The legal basis for the processing of personal data in connection with the use of Fonts.com is Article 6(1) point (a) GDPR. You can revoke your consent at any time by deactivating the use of the service in the “Cookie settings”.
Further information regarding data processing by Fonts.com is available here:
2.1.7. Webfonts from Google Fonts
We use Google Fonts on our website. Google Fonts is a webfont hosting service from Google. Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland is responsible for providing Google Fonts in the European region.
In order to display the required fonts correctly, the fonts used on our website are downloaded from Google servers each time our website is visited. In this context, your browser sends HTTP requests to the Google Fonts Web API, which provides users with the Google Fonts Cascading Style Sheets (CSS) and subsequently the font files specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the internet, (2) the requested URL on the Google server, and (3) the user agent, which describes the version of the browser and operating system you are using, as well as the referrer (i.e. the webpage on which the Google font is to be displayed). Since the Google servers are located in the US and are operated by Google LLC, your data will also be stored on Google servers in the US.
The service is used based on your consent. The legal basis for the processing of personal data in connection with the use of Google Fonts is Article 6(1) point (a) GDPR. You can revoke your consent at any time by deactivating the use of the service in the “Cookie settings”.
Further information regarding data processing by Google is available here:
2.2. Website-specific services and functions
2.2.1. Cross-user services and functions
You have the option of accessing the functions, services and content provided on the website.
2.2.1.1. Creating and managing a personal user account (GROHE user account)
The website has various services and functions, the use of which without restrictions is only possible with a personal GROHE user account (e.g. use of the GROHE web shops and creating personal notepads containing GROHE products).
To create a GROHE user account, you must complete the registration process provided for this purpose. As part of the registration process, we process the data required to create the personal user account (title, name, email address, password). A separate GROHE ID is also created for the GROHE user account. The GROHE ID is an individual identification number assigned to the GROHE user account. This enables you to use our services across platforms (e.g. on this website and the GROHE webshops).
Once you have successfully created your user account, you can use it to log into the website and access the relevant functions and services. A secure login is used to log into the personal user account. Your login data (email address, password, time of login, GROHE ID) will be processed. You also have the option to view and edit your personal details in your user account (e.g. email address or password).
The processing is for the purpose of protecting our legitimate interests, in particular to provide you with the above features on the website in a proper manner and without interruption. In this case, the legal basis for the processing of your personal data is Article 6(1) point (f) GDPR. If you also use the GROHE user account for accessing services and functions which result in concluding a contract with us, this processing supports the contract initiation and implementation process. In this case, the legal basis for the processing of your data is Article 6(1) point (b) GDPR.
2.2.1.2. Logging in via single sign-on services
With your GROHE user account, you are able to log into a range of services offered by us on this website or on other websites run by us or by our group companies. Depending on the service, you can also log in via the single sign-on procedure.
A single sign-on procedure gives you the option of logging into the respective service on the website via a user account of another provider. This requires that you are already registered with the respective provider and that you confirm the login via the single sign-on procedure on our website using the relevant button. Authentication then occurs directly in each case with the provider of the single sign-on procedure.
We offer the following single sign-on procedures in our app:
Facebook Connect: The service provider for the Facebook Connect service in Europe is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (previously: Facebook Ireland Limited).
- Privacy policy: https://www.facebook.com/about/privacy
- Opt-out option: https://www.facebook.com/settings?tab=ads
Google single sign-on: The service provider for the Google Single Sign-On service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
- Privacy policy: https://policies.google.com/privacy
- Settings for displaying ads: https://adssettings.google.com/authenticated
A range of data is processed and exchanged between us and the provider in connection with use of the above single sign-on procedures. The data includes a user ID with the information that the user is logged in to the respective single sign-on provider under this user ID. Whether or not additional data is transferred to us depends on the single sign-on procedure used, on the data disclosures selected as part of authentication and also on which data you have shared in the privacy settings or other settings of the user account with the single sign-on provider. This may include: Email address, profile data (profile name, profile photo). The password entered as part of the single sign-on procedure is stored by the operator of the procedure only and cannot be viewed by us.
The processing is for the purpose of protecting our legitimate interests, in particular to provide you with the above features on the website in a proper manner and without interruption. In this case, the legal basis for the processing of your personal data is Article 6(1) point (f) GDPR. If you use the single sign-on procedure to log into the GROHE user account in order to use services and functions which result in concluding a contract with us, the processing supports the contract initiation and implementation process. In this case, the legal basis for the processing of your data is Article 6(1) point (b) GDPR.
2.2.1.3. Product registration for extending the GROHE manufacturer's guarantee (product registration portal)
We offer our customers the option of extending the manufacturer's guarantee on their GROHE products. This requires that you register your product via the website by completing the registration process provided in the product registration portal on the website.
To register, you must have a user account in the product registration portal. We collect your personal user data (title, first name, surname, email address) in the process of creating the user account. After creating your user account, you can log into the product registration portal using the email address and the password you provided and register the approved GROHE products in the portal. We process the relevant product data (name of the product, item number, serial number) as well as data relating to the purchase of the product (date of purchase). Following successful product registration, the guarantee period will be extended and other benefits granted in accordance with the applicable conditions of the guarantee.
The processing of the above data is needed for product registration and for extending the guarantee period. Without this data it is not possible for us to register the product and to extend the guarantee period. The basis for the processing of your data described is the initiation and implementation of the guarantee contract concluded with you. The above data is processed accordingly on the basis of Article 6(1) point (b) GDPR.
2.2.1.4. Search function
You can search for products and content using the search function available on the website. The search terms you enter are stored during your visit to the website. The search terms are automatically deleted at the end of the visit.
The processing is for the purpose of protecting our legitimate interests, in particular to provide you with the above features on the website in a proper manner and without interruption. The legal basis for the processing of your personal data is Article 6(1) point (f) GDPR.
2.2.1.5. Rating and sharing content
We regularly publish new content about our GROHE products on the website (e.g. articles with impressions). You can rate this content using the features provided with a “Like” by clicking on the corresponding heart symbol. You can also share the content on social media and via email. We store your “Likes” together with the “Likes” of other users in order to show the popularity of the content to others.
In connection with sharing content on social media, the content to be shared is transferred to the provider of the respective social media network.
The legal basis for the processing of your personal data is Article 6(1) point (f) GDPR. The processing is for the purpose of protecting our legitimate interests, in particular to provide you with the above features on the website in a proper manner and without interruption and in order to show the popularity of the content on the website.
2.2.1.6. Retailer and showroom finder (Store Locator)
The website allows you to use the Store Locator to search specifically for retailers, installers and showrooms which sell, install and/or showcase our GROHE products.
We use Google Maps to display the map. Google Maps is a service from Google. The provider of the service in the European region is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
You must first specify a location to display the cooperating retailers in your area. The location can either be entered manually or determined automatically using the internet browser's localisation function. Your IP address needs to be processed in order to automatically determine your location using the internet browser’s localisation function. In this case, the processing is subject to your consent which the internet browser requests when you access the map. The IP address is also processed by Google.
The legal basis for the processing of your personal data is Article 6(1) point (f) GDPR. The processing is for the purpose of protecting our legitimate interests, in particular to provide you with the above features on the website in a proper manner and without interruption.
Further information about Google’s privacy terms is available here:
2.2.1.7. Notepad function (notebook)
You can create and manage one or multiple notepads on the website. You can save the GROHE products available on the website in a notepad and access them again the next time you visit the website. This involves storing your personal selection in the notepad you have selected.
The notepad also has a range of other functions which you can only use if you have a personal user account. For example, you can store your notepad as an individual project and supplement each project with additional project data (e.g. project title, project number, location, object type). You can also create an individual PDF list showing the GROHE products you have saved in your notepad or project. You can also create additional details for the PDF list (e.g. list title, description). You can also enter individual specifications for the GROHE products saved in your notepad, for example by specifying product information and adding personal details (e.g. list title, specification description, addresses and notes).
The legal basis for the processing of your personal data is Article 6(1) point (f) GDPR. The processing is for the purpose of protecting our legitimate interests, in particular to provide you with the above features on the website in a proper manner and without interruption.
2.2.1.8. Use of the GROHE Help Center
We have the GROHE Sense Help Centre (https://helpdesk.senseguard.com/) available for our end customers and professionals as part of the customer support for our GROHE Smart Home products (including Sense and Senseguard). A specific Water Help Center is also available for professionals (https://grohesense.atlassian.net). The Water Help Centre is run by SURU.
Further information regarding the processing of your personal data in connection with the use of the GROHE Sense Help Center and the Water Help Center can be found in the respective privacy policies.
2.2.1.9. Integration of video content (YouTube Player plugin)
We have integrated various YouTube videos on our website. YouTube is a video portal of YouTube LLC., 901 Cherry Ave., 94066 San Bruno, CA, USA. YouTube is part of the Google Group and the responsible authority for processing personal data in connection with the use of YouTube in the European region is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
If you would like to view a YouTube video embedded on our website, you must first activate this video. When activating a video, your browser automatically connects with the YouTube servers in the US and (depending on the settings) a range of data is transferred using cookies. This includes your IP address and the URL of our website as well as session duration, bounce rate, approximate location, technical information such as browser type, screen resolution and your internet provider.
The YouTube videos embedded on our website have the “Privacy Enhanced Mode” enabled. This means that viewing a video displayed in the privacy-enhanced mode of the embedded player will not be used to personalise the YouTube browsing experience, neither within the player embedded in privacy-enhanced mode nor in the viewer's subsequent YouTube experience. If advertising is shown for a video displayed in the privacy-enhanced mode of the embedded player, this advertising is also not personalised. In addition, the viewing of a video displayed in the privacy-enhanced mode of the embedded player is not used to personalise advertising displayed to the viewer outside of our website.
The legal basis for the processing of personal data is your consent in accordance with Article 6(1) point (a) GDPR. You can revoke your consent at any time with effect for the future by accessing "Cookie settings" and changing your selection. Please note that this does not affect the legality of processing carried out on the basis of the consent up until the point of revocation.
2.2.1.10. Newsletter
You can register for our newsletter on the website in order to receive regular information about our offers, products, promotions and services.
When you register for the newsletter, we process the data you enter during the registration process (name, address, email address, areas of interest, target group, company, country). In addition, we use “web beacons” (small graphics in HTML emails) to collect information about whether our newsletter has been delivered, whether it has been opened and whether links have been clicked. This provides us with statistical analyses and allows us to see, in detail, exactly how well our newsletter has been received by you. This enables us to adapt and improve our newsletter.
The double opt-in procedure is used to register for the newsletter. This means that following your registration we will send you an email asking you to confirm your registration. Your registration is logged in order to be able to provide evidence of the registration process in line with statutory requirements. This concerns the time of registration for the newsletter, the time of confirmation as well as your IP address.
The legal basis for providing the newsletter service and for the data processing associated with this is your consent in accordance with Article 6(1) point (a) GDPR. You can revoke your consent at any time, for example via the unsubscribe link contained in every newsletter email. Please note that this does not affect the legality of processing carried out on the basis of the consent up until the point of revocation.
2.2.1.11. Requesting customer service
You can request our customer service team to support you on site via the website. Customer service can be requested using the online form provided for this purpose on the website.
We process the data provided by you in the online form. This includes your personal details as the client (e.g. name, address, email address, telephone, fax, client group). Data on the job location is also recorded if this differs from your address as the client. In this case, we record the contact details of the respective contact person at the specific job location (e.g. name, address, telephone number, email address). Data is also processed relating to the specified installer or reference partner and additional contact persons (e.g. name, address, email address, telephone, fax), information on the product concerned (e.g. type and quantity of the defective item, item number, product description, product photos) and any other information provided (e.g. additional comments and descriptions).
The legal basis for the processing is Article 6(1) point (b) GDPR. The processing is necessary for the initiation and implementation of the contract on which the customer service assignment in question is based.
2.2.1.12. WhatsApp channels
We offer you the opportunity to access and respond to the latest information on our products and offers via our WhatsApp channels. WhatsApp Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland is responsible for the WhatsApp channels service in Europe.
If you access one of our WhatsApp channels, we process information about how you interact with our channel content (including your reaction to our content) and your profile picture. If you are also stored as a contact, we also process your full telephone number and your name. Beyond this, we do not process any of your data in connection with our WhatsApp channels.
The legal basis for the use of our WhatsApp channels is Article 6(1) point (f) GDPR. The purpose of data processing and our legitimate interest in this case is to make information about our products and offers available to a wide audience and to record user interaction with this information.
Please note that when using WhatsApp channels, your data will be transmitted to WhatsApp Ireland Limited. WhatsApp Ireland Limited may process this data in accordance with its own privacy policy. Further information is available in WhatsApp's privacy policy:
2.2.1.13. WhatsApp Business
We provide you with the option of contacting us via WhatsApp. For this we use the WhatsApp Business service. WhatsApp Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland is responsible for the WhatsApp Business service in Europe.
WhatsApp Business is used for the following purposes: Responding to enquiries, providing information and offers, customer service and support.
We process the following personal data when you use WhatsApp Business: Telephone number, name, chat history and other information and content provided by you (e.g. transmitted images).
Provided the contact concerns the initiation and/or implementation of an existing contractual relationship with you, the legal basis for this processing is Article 6(1) point (b) GDPR. Otherwise, the legal basis for this is Article 6(1) point (f) GDPR. The purpose of data processing and our legitimate interest in this case is to be able to respond to requests sent to us in the proper manner.
Please note that when using WhatsApp channels, your data will be transmitted to WhatsApp Ireland Limited. We have concluded a processing agreement with WhatsApp Ireland Limited for this purpose.
2.2.1.14. Making contact
The website contains various options for contacting us. If you contact us using the contact options provided in this privacy policy or via the other contact options provided on the website (e.g. by email, online contact form, support hotline), we shall process your data in order to address the enquiry and in the event of follow-up questions (e.g. in the event of product queries or press enquiries).
The data processed includes your contact details. This may include the following information, depending on which contact option you use: name, address, area of activity, company, email address, telephone number and fax number. We also process the other information you provide when you contact us (e.g. message content, uploaded or attached files).
Provided the response to the request sent to us concerns the initiation and/or implementation of an existing contractual relationship with you, the legal basis for this processing is Article 6(1) point (b) GDPR. Otherwise, the legal basis for this is Article 6(1) point (f) GDPR. The purpose of data processing and our legitimate interest in this case is to be able to respond to requests sent to us in the proper manner.
2.2.2. Use of the GROHE webshops
You can use our webshops on the website to order products and accessories. In connection with the use of the GROHE webshops, we process your personal data for the purposes described below:
2.2.2.1. Shopping basket, order process
You must have a personal GROHE user account and login (see above) to place an order in the GROHE webshops.
We also process the following categories of data as part of the fulfilment of your order: contact details (e.g. name, address, telephone number, email address), invoice data (e.g. name and address of the invoice recipient) and transaction data (e.g. selected products, price, delivery costs, discounts). Depending on the payment method selected, the required payment details are also processed and forwarded to the payment service provider involved (see below).
In order to fulfil the order, we forward your contact details to the company instructed to make the delivery. Should it be necessary for the purposes of fulfilling the order, we will also transmit your email address or your telephone number to the company instructed to make the delivery (e.g. to agree a delivery date).
When using the webshop, cookies are stored in your browser to ensure the basic functions of the webshop are implemented. The basic functions include storing the contents of the shopping basket and storing login data while you browse the individual pages of the webshop.
The processing of your data is necessary for the initiation and fulfilment of your order on the basis of the underlying contractual relationship. The legal basis for the processing of your data for the purposes listed is Article 6(1) point (b) GDPR.
2.2.2.2. Optimisation of our product and service information
In order to be able to provide you with customised offers and information via email about the products you have purchased or services you have booked, we compile specific information from various internal sources such as the online shop and product registration. However, this only occurs subject to the requirement (existing customer advertising or consent) that we are already authorised to provide information in this way and subject to the requirement that you have already verified your email address via a so-called double opt-in procedure.
We process the following categories of data as part of this data processing:
contact details (surname, first name, address), contract data, transaction journals, consumption data, order data and shopping baskets, product data (SKU, date of purchase, serial number), user ID, country, device and consumption data.
For this we use the Salesforce Data Cloud, which is operated on our behalf by Salesforce UK Limited, Village 9, Floor 26 Salesforce Tower, 110 Bishopsgate, London, UK.
A relevant adequacy decision from the European Commission is in place in the event of third-country data transmission to the United Kingdom. In the event of data transmission to the US, Salesforce has certification under the “EU-US Data Privacy Framework” (DPF).
Data is processed in the context of these measures on the basis of Article 6(1) point (f) GDPR (legitimate interest) as the data processing is necessary for optimising marketing strategies and for improved customer relations.
2.2.2.3. Payment processing, payment services
During the ordering process in our online shop, you have the option of selecting a payment method. The payment is then processed directly via the payment service provider used for processing the relevant payment method. The necessary contact, payment and transaction data is forwarded to the respective payment service provider for this purpose. Depending on the payment service provider you use, further data will be processed (e.g. login data for using the user account with the respective payment service provider).
The transfer of your data to the payment service providers and the subsequent processing of your data by these companies is necessary for the initiation and processing of your order and for the underlying contractual relationship. The legal basis for the processing of your data for the purposes listed is Article 6(1) point (b) GDPR.
2.2.2.3.1. Adyen
Credit card payments are processed by the payment service provider Adyen N.V., Simon Carmiggeltstraat 6-50, 1011 DJ Amsterdam, Netherlands. This involves processing the necessary credit card data and forwarding it to Adyen (cardholder's name, card number, check digit, expiry date and credit card type).
Further information regarding data processing by Adyen is available here:
2.2.2.3.2. Klarna
When selecting the payment method “Klarna Rechnungskauf” [Klarna Pay Later] and “Klarna Sofort” [Klarna Pay Now], personal data is automatically transmitted to Klarna. Klarna is a payment service provided by Klarna Bank AB, Sveavägen 46, 111 34 Stockholm, Sweden. If you decide to process the payment using Klarna, Klarna will process the following personal data: contact details, payment data, transaction data and Klarna account data. Klarna uses this data for payment processing. Klarna can also process the data for credit checks and identity verification.
Further information regarding data processing by Klarna is available here:
2.2.2.3.3. PayPal
When selecting “PayPal” as the payment method, personal data is automatically transmitted to PayPal. PayPal is a payment service from PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. The following data is transferred to PayPal and processed by PayPal in connection with the use of PayPal: contact details, payment data, transaction data and PayPal account data (name, address, email address, telephone number). In addition to payment processing, PayPal also uses this data for identity verification and credit checks.
Further information regarding data processing by PayPal is available here:
2.2.2.4. Use of Zoovu as an online assistant
We use the online assistant from Zoovu on the website. The provider of the service is Zoovu (Germany) GmbH, Skalitzer Straße 104, 10997 Berlin.
We use the service to support the product search function on the website. This enables users to access appropriate product results on the website. The user's click and usage behaviour is evaluated as part of the product search function (e.g. time spent on a product page). This is so that we can further optimise our product pages. When using the product search, the following data is therefore processed with the aid of cookies: content of your search query, IP address, device data (browser, operating system, device), session ID, query ID, click behaviour.
The service is used on the basis of Article 6(1) point (f) GDPR. As a website operator, we have a legitimate interest in enabling our customers to optimise their product search and thereby improving the reach and sales of our products.
2.2.3. Services and functions for professionals
On the website we also provide specific functions, services and content for professionals, i.e. in particular installers, architects and designers as well as showroom operators.
2.2.3.1. Use of the GROHE Training Companion platform
On the website, we provide the GROHE Training Companion platform for GROHE Group employees and professionals. The platform can be accessed at https://training.grohe.com/. The platform gives users access to a range of training offers (e.g. in the form of online tutorials and quizzes) and learning content on GROHE products (e.g. information on product ranges and features).
Further information regarding the processing of your personal data in connection with the use of the platform can be found in the specific privacy policy on the platform.
2.2.3.2. Participation in GROHE seminars
We provide the opportunity for professionals to take part in GROHE seminars (e.g. on the installation and maintenance of GROHE specialist taps). As a professional, you can register for the respective GROHE seminars via the website. The registration portal is hosted by an external provider.
When you register, we collect the relevant participant data (title, name, address, email address, role) as well as data about your company (company name, address, country). If catering is included in a seminar, you can also enter further information about your dietary requirements (e.g. food intolerances). At the end, you can also add additional comments in the free text field provided.
If the seminars are online events, we use the services of relevant technical providers who offer the necessary services and infrastructure (including web conferencing and webinar services). Personal data is also processed when using these services. Further information can be found in the privacy policies of the relevant technical provider, which can be accessed on the service's website.
The legal basis for the processing is Article 6(1) point (b) GDPR. The processing is necessary for the initiation and implementation of the contract on which participation in the relevant GROHE seminar is based.
2.2.3.3. Request for BIM data
Professionals can request BIM files for GROHE products via the website. For this, in your role as a professional, you must use the online form provided and enter the necessary request information (e.g. article number, job title, title, name, address, telephone number, email address).
The legal basis for the processing of your personal data is Article 6(1) point (f) GDPR. The processing is for the purpose of protecting our legitimate interests, in particular to provide you with the above features on the website in a proper manner and without interruption.
2.2.3.4. Order tracking
In your role as a professional, you can manage your orders on our website. We have provided an order tracking portal on our website for this purpose. Here you can search for and view both current orders and orders which have already been archived. The relevant order data is processed for each order (e.g. GROHE order number, order date, delivery date, items and status). You can also be notified by email by registering using the corresponding function in the portal.
The legal basis for this processing is Article 6(1) point (b) GDPR. The processing is necessary for the implementation of the existing contractual relationship with you. The legal basis for this is otherwise Article 6(1) point (f) GDPR. The processing is for the purpose of protecting our legitimate interests, in particular to provide you with the above features on the website in a proper manner and without interruption.
2.3. Use of analytics and marketing tools
We use the following analytics and marketing tools from third-party providers on our website in order to better understand and analyse the behaviour of our users and to improve the marketing of our products and range.
2.3.1. Google Tag Manager
We use Google Tag Manager on the website. Google Tag Manager is a tag management system (TMS) that allows us to manage and update tracking codes and associated code snippets (“website tags”) on our website. The provider of Google Tag Manager in the European region is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
Website tags are small pieces of code which are inserted into a website and can come from a range of different providers (e.g. providers of analytics and marketing services). These website tags make it possible to track actions performed by users (e.g. clicking on a button or advert, accessing a specific page).
Google Tag Manager enables us to integrate these website tags on our website and to define the actions to be recorded. If a tag is triggered by an action, the data recorded by the tag is sent to the analytics or marketing services which have been integrated via Google Tag Manager. Google Tag Manager itself does not create any user profiles and does not undertake any independent analyses.
The Google Tag Manager records data in the standard HTTP request logs. These will all be deleted within 14 days of receipt. Google also collects aggregated data relating to tag triggering in order to monitor the stability, performance and installation quality of the system. This aggregated data contains no addresses or measurement IDs linked to a specific person.
We have also activated the conversion linker in Google Tag Manager. This is a specific website tag which helps to measure click data so that conversions can be recorded effectively. Specifically, information on click behaviour in relation to advertising is recorded and stored.
The legal basis for the use of Google Tag Manager is Article 6(1) point (f) GDPR. As the website operator, we have a legitimate interest in the fast and straightforward integration and management of different tools on our website. If the relevant consent is requested, the processing is carried out solely on the basis of Article 6(1) point (a) GDPR. Consent can be revoked at any time.
2.3.2. Google Analytics
We use Google Analytics on our website. We use Google Analytics to track the use of our website and the functions and services provided and, from this, to identify which functions and services are of particular interest to users and how we can improve the website. The provider responsible for the operation of Google Analytics in the European region is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
During your visit to the website, your user behaviour is recorded in the form of “events”. Events can be: page views, first visit to the website, start of the session, your “click path”, interaction with the website, scrolls (whenever a user scrolls to the bottom of the page (90%)), clicks on external links, internal search queries, interaction with videos, file downloads, adverts viewed/clicked, language setting. The following data is also recorded: your approximate location (region), your IP address (in abbreviated form), technical information about your browser and the end devices you use (e.g. language setting, screen resolution, device model), your internet service provider, the referrer URL (via which website/promotional tool did you come to this website). An individual ID for the end device is also recorded. This is the Android Advertising ID or Advertising Identifier for iOS (if activated) or another individual ID (Vendor Identifier).
Google Analytics uses cookies which enable your use of our website to be analysed. Information collected by the cookie about your use of this website is usually transmitted to a Google server in the US and stored there. These servers are operated by Google LLC. Google Analytics has activated IP address anonymisation by default. Using IP address anonymisation, your IP address is shortened by Google within member states of the EU or in other contracting states of the Agreement on the European Economic Area (EEA). Only in exceptional circumstances will the full IP address be transferred to a Google server in the US and shortened there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.
Google processes the above information in order to analyse your use of the website and to compile reports on website activity on our behalf. The reports provided to us by Google Analytics are used to analyse the performance of the website. On this basis, we are able to continuously improve individual functions and services and adapt them to the needs of our users. The data collected and linked to the cookies set by Google Analytics is automatically deleted after the specified retention period has expired. Data for which the retention period has expired will be automatically deleted once per month.
The use of the service is based on your consent. The legal basis for the processing of personal data in connection with the use of Google Analytics is Article 6(1) point (a) GDPR. You can revoke your consent at any time by deactivating the use of the service in the “Cookie settings”. In addition, you may prevent the collection by Google of data generated by the cookie relating to your use of the website (including your IP address), and the processing of this data by Google, by downloading and installing the browser add-on provided by Google for deactivating Google Analytics:
Further information about Google’s privacy terms is available here:
2.3.3. New Relic
We use New Relic performance analytics on the website. The provider of the service is New Relic Inc, 188 Spear Street, Suite 1000 San Francisco, CA 94105, USA.
The service enables the technical performance of our services to be evaluated statistically (e.g. the duration of a specific database query, the stability and accessibility of our servers, or the response time of our servers). For this purpose, application and browser data (e.g. IP address, time of access, browser type) are collected using cookies and stored on the New Relic servers.
The use of the service is based on your consent. The legal basis for the processing of personal data in connection with the use of New Relic is Article 6(1) point (a) GDPR. You can revoke your consent at any time by deactivating the use of the service in the “Cookie settings”.
Further information about New Relic’s privacy terms is available here:
2.3.4. TikTok Pixel
We use the TikTok Pixel analytics on our website. The TikTok Pixel is a service operated by the two providers in the European region: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, WeWork, 125 Kingsway, London, WC2B 6NH, United Kingdom (jointly referred to as "TikTok").
The TikTok Pixel is a JavaScript code snippet which is integrated into our website and enables us to understand and track the activities of visitors to our website. For this purpose, the TikTok Pixel collects and processes information about visitors to our website and the devices they use. The data collected using the TikTok Pixel is processed by TikTok and provided to us in aggregated form. This allows us to measure traffic to our website, measure ad campaign performance, personalise and optimise our ad campaigns and find new customers.
The information collected includes information on the actions triggered by the visitor on the website (e.g. clicking on an advert), time of the action, IP address, device data (device model, operating system, browser information) and metadata. The metadata includes page titles and product information, page performance data (e.g. page load times) and button clicks (e.g. button name, descriptive text and attributes).
TikTok users are able to manage the data collected via the TikTok pixel in their pixel settings on the TikTok platform.
The use of the service is based on your consent. The legal basis for the processing of personal data in connection with the use of TikTok is Article 6(1) point (a) GDPR. You can revoke your consent at any time by deactivating the use of the service in the “Cookie settings”.
The event data is collected and transmitted by us and TikTok as joint controllers. There is an agreement in place with TikTok regarding processing as joint controllers. This agreement determines the distribution of data privacy obligations between us, as the provider of the website, and TikTok. In this agreement, both parties have agreed, among other things,
- that we, as the provider of the website, are responsible for providing visitors with information in accordance with Articles 13 and 14 GDPR on the joint processing of personal data;
- that TikTok is responsible for enabling data subjects to exercise their rights in accordance with Articles 15 to 20 GDPR with regard to the personal data stored by TikTok after joint processing.
The existing agreement with TikTok on joint controllership containing the provision agreed as well as information on data processing by TikTok can be accessed here:
- https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms
- https://www.tiktok.com/legal/page/eea/privacy-policy/
2.3.5. Visual Website Optimizer
We use the Visual Website Optimizer service. The provider of the service is Wingify Software Pvt. Ltd., 14th Floor, KLJ Tower North, Netaji Subhash Place, Pitam Pura, New Delhi-110034, Delhi, India.
The purpose of the Visual Website Optimizer is to carry out A/B testing and multivariate testing to improve the user-friendliness of websites. This includes processing personal data to analyse user interactions. A/B testing, also known as split testing, involves a randomised experimental procedure. Different segments of website visitors see two or more versions of a variable (web page, page element, etc.) at the same time. The reactions show which version achieves the maximum effect and improves the KPIs.
We also use Visual Website Optimizer for conversion rate optimisation (CRO). This refers to the systematic improvement of a website or landing page based on user behaviour. The aim is to increase the probability that visitors will carry out the desired actions (conversions) on the page in question.
The following categories of data are processed in connection with Visual Website Optimizer: information on the user's interaction, device and browser data, IP address, geolocation data, tracking data, conversion data.
The use of the service is based on your consent. The legal basis for the processing of personal data in connection with the use of Visual Website Optimizer is Article 6(1) point (a) GDPR. You can revoke your consent at any time by deactivating the use of the service in the “Cookie settings”.
2.3.6. YouTube Analytics
We use the YouTube Analytics service on our website. The provider of the service in the European region is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
YouTube Analytics allows us to obtain aggregated statistical evaluations on the reach of our YouTube channel, users’ interaction with our content (viewing, commenting, subscribing) and on the target groups (e.g. age, gender, location) of visitors and the number of views of our videos. This enables us to make our YouTube channel more attractive to viewers.
YouTube Analytics uses specific events to create the statistical evaluations – e.g. viewing or commenting on one of our videos or subscribing to our channel – and also uses the data collected when interacting with our YouTube channel. This data is logged by Google servers. The data collected by YouTube Analytics includes data which you provide to Google yourself (e.g. user name or comments written by the user with, or on, Google services), data on apps, browsers and devices used by the visitor when accessing Google services, data on the visitor's activities on YouTube (e.g. which videos you view and like) and the visitor's location data (e.g. IP address).
YouTube Analytics creates the statistical evaluations on the basis of the above data. In terms of YouTube Analytics, we obtain no personal data from you, nor can we link the information from YouTube Analytics to you or to other individual viewers.
The use of the service is based on your consent. The legal basis for the processing of personal data in connection with the use of YouTube Analytics is Article 6(1) point (a) GDPR. You can revoke your consent at any time by deactivating the use of the service in the “Cookie settings”.
2.3.7. Webtrekk (Mapp)
We use the Webtrekk (Mapp) analytics from the provider Webtrekk GmbH, Boxhagener Str. 76-78, 10245 Berlin on our website. Webtrekk has been part of the Mapp Digital group of companies since 2020. Since then, the Webtrekk software has been continued under the Mapp brand. The data hosting location is in Germany (unchanged).
Webtrekk is an analytics service which carries out statistical analyses of our website and the offers provided on the website. Based on the statistical evaluations, we are able to constantly optimise our website and the offers provided. For this purpose, the service collects and analyses information transmitted by your browser when you use the website. This is achieved using cookies and pixels, which are integrated into every website.
The information processed is device data (request – i.e. file name of the requested file, browser type/version, browser language, operating system used, internal resolution of the browser window, screen resolution), referrer URL, IP address (collected only in anonymised form and deleted immediately after use), time of access, clicks, anonymised form content (e.g. whether or not a telephone number was entered).
It is not possible at any time to trace the data back to a specific person. The data collected in this way is used to create anonymous user profiles, which form the basis for statistical analyses.
The use of the service is based on your consent. The legal basis for the processing of personal data in connection with the use of Webtrekk is Article 6(1) point (a) GDPR. You can revoke your consent at any time by deactivating the use of the service in the “Cookie settings”.
2.3.8. Meta Pixel
We use the "Meta Pixel" service (originally Facebook Pixel) on our website for marketing and targeting purposes. Meta Platforms Ireland Limited (formerly Facebook Ireland Limited), 4 Grand Canal Square, Dublin 2, Ireland is responsible for the Meta Pixel service in Europe.
The Meta Pixel is a JavaScript code snippet integrated in our website which allows users’ actions on our website to be tracked via cookies. In connection with this, user interactions on our website and interactions with ads placed by us on other websites are recorded and stored on Meta's servers (e.g. whether a user clicks on an ad and subsequently registers on our website). These servers are located in the US and are operated by Meta Platforms, Inc. The information collected also includes the IP address and other data from the device used (e.g. device ID, operating system). The respective information and interactions are generally recorded by storing cookies on the user's end device and analysing tags embedded on our website.
Using the information and interactions collected, we are able to improve the targeting of our advertising and optimise the offers and functions on our website. We can also draw users' attention to our offers and products again, e.g. by placing customised advertising tailored to the interests of the respective user on other websites of the respective third-party providers and the advertising networks operated by them.
In addition, Meta is able to match the information collected with your Facebook account data. This means that if you are a Facebook user and logged into your Facebook account, your visit to our website will be automatically associated with your Facebook user account. Meta uses the data collected for analysis purposes and for its own adverts. Users can adjust their settings and objections to the use of data for advertising purposes in the Facebook profile settings. The profile settings can be accessed here:
The use of the service is based on your consent. The legal basis for the processing of personal data in connection with the use of Meta Pixel is Article 6(1) point (a) GDPR. You can revoke your consent at any time by deactivating the use of the service in the “Cookie settings”.
Further information on the processing of your data by Meta and on exercising your rights as a data subject with respect to Meta can be found here:
2.3.9. Amazon Advertising (AdSystem)
We use the Amazon Advertising (AdSystem) analytics on the website. The provider of the service in the European region is Amazon Europe Core S.à r.l., 38 Avenue John F. Kennedy, L-1855, Luxembourg.
Amazon Advertising is an advertising network which specialises in providing targeted advertising. We use the Amazon Advertising tag in connection with Amazon Advertising. This is a tool which uses cookies or similar technologies to collect information on how users interact with adverts.
The tool collects the following specified information: HTTP header (e.g. information on the browser, device type, website location, referrer website), tag ID and information specified by us as the website operator (name and ID of the website operator, timestamp of the last website activity, event name, attribute name and values).
Amazon processes the information collected to create campaign reports for us about the website target group, conversion tracking, click events and targeted advertising outside our website (retargeting). This enables us to optimise our advertisements and ad campaigns as a whole, and to design them in line with user interests.
The use of the service is based on your consent. The legal basis for the processing of personal data in connection with the use of Amazon Advertising is Article 6(1) point (a) GDPR. You can revoke your consent at any time by deactivating the use of the service in the “Cookie settings”.
2.3.10. Akamai mPulse
We use mPulse on our website. The provider responsible for the operation of mPulse in the European region is Akamai Technologies GmbH, Parkring 22, 85748 Garching, Germany.
mPulse is a solution from Akamai for measuring the actual web traffic on our website. The solution enables us to obtain a precise overview of the performance of our website and to identify any causes of latencies and lost revenue. For this, mPulse collects a range of information using a web beacon, analyses this information and makes it available to us in a prepared form.
The information processed includes information about the domain (e.g. domain URL, timestamp and IP address), session data (e.g. session ID and session start time), user agent (e.g. browser family, major version and device type), geographic data (e.g. country and region), bandwidth (e.g. in kbit/s and bandwidth block), timers (e.g. website response time), user-defined metrics (e.g. conversion and revenue) and, depending on the configuration, also analytics data from third party providers (e.g. Google).
The use of the service is based on your consent. The legal basis for the processing of personal data in connection with the use of mPulse is Article 6(1) point (a) GDPR. You can revoke your consent at any time by deactivating the use of the service in the “Cookie settings”.
Further information regarding data processing by Akamai is available here:
2.3.11. Hotjar
We use Hotjar on the website. The service provider is Hotjar Ltd, Business Centre 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141 Malta.
Hotjar is a service for analysing user behaviour on our website. This service allows us to better understand the needs of our users and to optimise the offer on this website. Using Hotjar's technology, we obtain an improved understanding of our users' experience based on aggregated information (e.g. how much time users spend on which pages, which links they click on, what they like and dislike, etc.) and this helps us to tailor our offer based on our users' feedback.
Hotjar works with cookies and other technologies to collect information about the behaviour of our users and about their end devices (in particular, IP address of the device (collected and stored only in anonymised form), screen size, device type (unique device identifiers), information about the browser used, location (country only) and information on usage in the context of clicks and scrolls on the individual pages). Hotjar stores this information in a pseudonymised user profile. The information is used neither by Hotjar nor us to identify individual users nor is it merged with other data about individual users.
Hotjar uses this information to create aggregated heat maps which can be used to determine which areas of the website individual users prefer to view. We also receive aggregated information on how long users stayed on a page and when they left it. We can also determine at which point users break away from their entries in the forms provided (so-called conversion funnels).
The use of the service is based on your consent. The legal basis for the processing of personal data in connection with the use of Hotjar is Article 6(1) point (a) GDPR. You can revoke your consent at any time by deactivating the use of the service in the “Cookie settings”.
For more information, please see Hotjar's privacy policy:
2.3.12. Pinterest Tag
We use the Pinterest Tag analytics service on the website. The provider of the service in the European region is Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.
The Pinterest tag is a code snippet integrated in the pages of our website. The Pinterest tag allows information on website visitors’ browsing habits to be collected, stored and analysed in pseudonymised form. The information can be assigned to a user as a specific person with the help of additional information that Pinterest has stored about the user, e.g. based on ownership of an account on the “Pinterest” social network.
Pinterest uses an algorithm to analyse surfing behaviour and can then display specific product recommendations to visitors as personalised ad campaigns. Pinterest can also combine the information collected via the Pinterest tag with other information which Pinterest has collected via other websites or in connection with the use of the social network "Pinterest" and in this way create pseudonymised user profiles.
The use of the service is based on your consent. The legal basis for the processing of personal data in connection with the use of the Pinterest Tag is Article 6(1) point (a) GDPR. You can revoke your consent at any time by deactivating the use of the service in the “Cookie settings”.
Further information on the processing of your data by Pinterest and on exercising your rights as a data subject with respect to Pinterest can be found here:
2.3.13. LinkedIn Insight Tag
Our website uses the “LinkedIn Insight Tag” service from LinkedIn. The provider of this service in the European region is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.
The LinkedIn Insight Tag enables information about visitors to our website to be collected. This information enables user behaviour of visitors to our website to be measured (e.g. whether visitors to our website take a specific action – conversion measurement). Conversion measurement can also take place across all devices. We can use the data obtained in this way to improve the relevance of our ads. The LinkedIn Insight Tag also offers a retargeting function which allows us to display targeted advertising to visitors to our website outside of the website. According to LinkedIn, this does not involve identification of the advertising recipient.
In connection with the use of LinkedIn Insight Tag, a unique LinkedIn browser cookie is created in a user's browser and allows collection of the following data: URL, referrer URL, IP address, device and browser properties (user agent) and timestamp. The IP addresses are shortened or (if they are used to reach members across devices) hashed. The direct identifiers of LinkedIn members are deleted by LinkedIn within seven days in order to pseudonymise the data. The remaining pseudonymised data is then deleted within 180 days. If a website visitor is registered with LinkedIn, LinkedIn can link the key professional data stored (e.g. career level, company size, country, location, industry and job title) with the above data and analyse it.
LinkedIn does not share the personal data of members with us and provides reports and communications (in which members are not identified) about the website audience and ad performance. LinkedIn members can control the use of their personal data for advertising purposes in their account settings. To deactivate the Insight Tag on our website ("opt-out") click here.
The use of the service is based on your consent. The legal basis for the processing of personal data in connection with the use of the LinkedIn Insight Tag is Article 6(1) point (a) GDPR. You can revoke your consent at any time by deactivating the use of the service in the “Cookie settings”.
Further information on the processing of your data by LinkedIn and on exercising your rights as a data subject with respect to LinkedIn can be found here:
2.3.14. Bazaarvoice Analytics
We work with Bazaarvoice to provide customers with rating options for our products. Bazaarvoice uses cookies to process information from users and to monitor user behaviour on multiple websites. The provider of the service is Bazaarvoice, Inc, 10901 Stonelake Blvd Austin, TX 78759, USA.
The data you provide each time you submit a product review (e.g. name, email address, rating) is recorded. Your IP address is also stored temporarily to prevent fraud (for 18 months; if fraud is suspected, indefinitely). The data provided will be processed for the purpose of using the product review and is displayed on the website.
We also use Bazaarvoice for analysis purposes. This is to understand how submitted product reviews are used by users, how the content and offers offered on our website are used after the product reviews have been accessed and which sub-pages on the website are opened. Cookies and similar technologies are used for this purpose on our website. Information is also collected on the browser used by you. Identification with you occurs via a randomly generated numerical value only. The information is not combined indirectly with personal data such as your name or email address.
The legal basis for the processing of personal data in connection with submitting product reviews is Article 6(1) point (f) GDPR. The purpose of data processing and our legitimate interest in this case is to facilitate a review of our products. If personal data is processed for analysis purposes and cookies are used for this, then the processing is based on your consent. The legal basis for the processing in this case is Article 6(1) point (a) GDPR. You can revoke your consent at any time by deactivating the use of the service in the “Cookie settings”.
2.3.15. Conversion Tracking
On our website, we use a range of services from providers for the purpose of conversion tracking. These services enable us to statistically record and improve the effectiveness of our offers and adverts.
Conversion tracking involves recording information and user interactions in connection with the use of the offers and functions provided on our website and with the use of the functions and advertising placed by us on other websites (example: If you click on one of our adverts on another website and then register for our newsletter on our website).
The information collected as part of this includes the IP address and data on the device used (e.g. device ID, operating system, browser type), the nature and time of interaction, the content of the respective function or advert and the user's reaction (e.g. registration for newsletters, accessing a product website, entering certain search queries, clicking on individual adverts).
The respective information and interactions are usually recorded by the respective third-party providers storing cookies on the user's end device and analysing tags integrated on our website. When an interaction is carried out, your browser sends a request from the cookie via the respective implemented tag to the advertising network or the server of the respective third-party provider. The request is used to transmit specific information about the action.
Based on the information and interactions collected, we receive statistics from the third-party providers about user behaviour on our website. This enables us to improve the targeting of our advertisements and to optimise the offers and functions provided on our website. We are also able to draw users' attention to our offers and products again, e.g. by placing customised advertising tailored to the interests of the respective user on other websites of the respective third-party providers and the advertising networks operated by them.
Conversion tracking services are used on the basis of your consent. The legal basis for the processing of your personal data is Article 6(1) point (a) GDPR. You can revoke your consent at any time by deactivating the use of the service in the “Cookie settings”.
Further information is available below on the conversion tracking services we use:
2.3.15.1. Google Conversion Tracking
Google Conversion Tracking is a tracking and analysis tool that links data from the Google Ads advertising network to actions on our website. The provider in Europe is Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
Further information regarding data processing by Google is available here:
- https://support.google.com/google-ads/answer/1722022
- https://policies.google.com/privacy?hl=de
- https://policies.google.com/technologies/ads
2.3.15.2. DoubleClick Floodlights
DoubleClick Floodlights is a conversion tracking and analysis tool for the Google Marketing Platform. This involves the recording of conversions from the individual functional areas of the Google Marketing Platform (e.g. Campaign Manager 360, Display & Video 360 and Search Ads 360) and from other tracking systems (e.g. Google Ads and Google Analytics) and linking them to actions on our website. The provider in Europe is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
Further information regarding data processing by Google is available here:
- https://support.google.com/searchads/answer/7298761?hl=de
- https://policies.google.com/privacy?hl=de
- https://policies.google.com/technologies/ads
2.3.15.3. Meta Conversion Tracking
Meta Conversion Tracking is a conversion tracking and analysis tool that links data from the Meta advertising network to actions on our website. The provider in Europe is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (previously: Facebook Ireland Limited).
Further information on data processing by Meta is available here:
- https://www.facebook.com/about/privacy/
2.3.15.4. Pinterest Conversion Tracking
Pinterest Conversion Tracking is a conversion tracking and analysis tool that links referrals from a pin on the Pinterest platform to our website and the actions taken there. The provider in Europe is Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.
Further information on data processing by Pinterest is available here:
- https://help.pinterest.com/en/business/article/track-conversions-with-pinterest-tag
- https://policy.pinterest.com/de/privacy-policy
2.3.16. Use of social media plugins
Social media plugins from various social network providers are integrated on this website. These plugins allow you to interact with the content on this website by sharing or saving the content, for example, in the social networks you are a member of. The plugins are identified by a logo of the provider or an addition (e.g. “Like” or “Share”).
When you visit our website, a direct connection is established via the plugin between your browser and the provider's server. In this way, the provider is informed that you have visited this website with your IP address. Further data is typically also sent to the provider's servers, such as browser type and version, date and time of the visit, user ID, websites visited, HTTP headers and interaction (clicking on the plugin). If you have a profile on the respective social network, the social network provider can link this information to your profile. If you do not want the provider to be able to match your visit to this website with your profile, please log out of your user account on the social network.
Please note that certain plugins are only supported if you are logged into your account on the respective social network and have given your consent to the use of cookies. Certain plugins are otherwise not supported.
The legal basis for the use of these plugins and the data processing this entails is your consent. The legal basis for the processing in this case is Article 6(1) point (a) GDPR.
We use social media plugins from the following providers on the website:
2.3.16.1. Meta
We use social media plugins from Meta, such as the Meta Share Button or Meta Sharer (previously Facebook Like Button). The provider of this service in the European region is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
In connection with the use of Meta's social media plugins, your data will be transmitted to servers of Meta Platforms, Inc. in the USA. Meta Platforms, Inc. has certification under the “EU-US Data Privacy Framework” (DPF).
Further information on the processing of your data by Meta and on exercising your rights as a data subject with respect to Meta can be found here:
2.3.16.2. Pinterest
We use social media plugins from Pinterest, such as the Pinterest “Save” button. The provider of this service in the European region is Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.
In connection with the use of Pinterest's social media plugins, your data will be transferred to servers of Pinterest, Inc. in the US. Data between Pinterest Europe Ltd. and Pinterest, Inc. is transferred based on the EU Standard Contractual Clauses.
Further information on the processing of your data by Pinterest and on exercising your rights as a data subject with respect to Pinterest can be found here:
2.3.16.3. LinkedIn
We use social media plugins from LinkedIn. The provider of this service in the European region is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.
In connection with the use of LinkedIn's social media plugins, your data will be transferred to servers of the LinkedIn Corporation in the US. The LinkedIn Corporation has certification under the “EU-US Data Privacy Framework” (DPF).
Further information on the processing of your data by LinkedIn and on exercising your rights as a data subject with respect to LinkedIn can be found here:
2.3.17. Remarketing
We use remarketing technologies to display targeted advertising based on your previous interactions with our website. Third-party providers such as Google, Meta, Amazon, TikTok, LinkedIn, YouTube and DoubleClick may use cookies or similar technologies to track which pages you have visited in order to show you personalised advertising on other websites or platforms. You can object to remarketing cookies at any time using the opt-out functions of the respective providers:
- Google & YouTube: https://adssettings.google.com/
- Meta (Facebook): https://www.facebook.com/settings/?tab=ads
- Amazon: https://www.amazon.com/adprefs
- TikTok: https://support.tiktok.com/en/account-and-privacy/personalized-ads-and-data/personalization-and-data
- LinkedIn: https://www.linkedin.com/psettings/advertising
Please refer to the respective data privacy policies for further information on how our remarketing partners process data, as well as the sections above in chapter 2.3.
The legal basis for the processing of your personal data is Article 6(1) point (a) GDPR. You can revoke your consent at any time by deactivating the use of the services in the “Cookie settings”.
2.4. Other processing purposes
In addition to the above processing purposes, we also process your personal data for the following reasons:
- To fulfil our statutory retention obligations, our statutory accountability obligations, our statutory monitoring obligations or our obligations under data protection law. The legal basis for this processing is Article 6(1) point (c) GDPR.
- To exercise any legal rights or to defend ourselves against claims. The legal basis for this processing is Article 6(1) point (f) GDPR and Section 24 of the Federal Data Protection Act, BDSG.
- To respond to and comply with official requests. The legal basis for this processing is Article 6(1) points (c) and (e) GDPR.
- In the context of transactions or reorganisations. The legal basis for this processing is Article 6(1) points (b) and (f) GDPR.
2.5. To what extent do we process your data under joint controllership?
As a basic principle, we process your data under our own responsibility. We also process your data for the purpose of specific processing activities with other companies under joint controllership in accordance with Article 26 GDPR. Further information is provided below regarding those processing activities for which this is the case and the consequences in terms of data protection associated with this.
2.5.1. Joint controllership with Meta Platforms
We are joint controllers with Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland in relation to the use of the Meta Pixel, Meta Conversion Tracking and Meta Social Media Plugins (Meta Sharer) services.
If personal data is collected on our website in connection with the use of this service and transferred to Meta, then we and Meta Platforms Ireland Limited are jointly responsible for this data processing (Article 26 GDPR). The joint controllership is limited exclusively to the collection of data and its transfer to Meta Platforms Ireland Limited. The processing by Meta Platforms Ireland Limited following the transfer is not part of the joint responsibility. The obligations for which we are jointly responsible are set out in a joint controllership agreement.
According to this arrangement, we are responsible for issuing data protection information when using social media plugins and for the correct technical implementation on our website. Meta Platforms Ireland Limited is responsible for safeguarding the rights of data subjects insofar as this concerns data processed within the scope of joint controllership. For this purpose, you are able to contact Meta Platforms Ireland Limited directly to exercise your rights as a data subject. If you contact us to exercise your rights as a data subject, we will forward this to Meta Platforms Ireland Limited.
Further information on the joint controllership agreement, the processing of your data by Meta Platforms and the exercising of your data subject rights with respect to Meta Platforms can be found here:
2.5.2. Joint controllership with Pinterest
We are joint controllers with Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland in connection with the Pinterest Tag, Pinterest Conversion Tracking service and Pinterest social media plugins.
Insofar as personal data is collected on our website using these services and transferred to Pinterest, we and Pinterest Europe Ltd. are jointly responsible for this data processing (Article 26 GDPR). The joint controllership is limited exclusively to the collection of data and its transfer to Pinterest Europe Ltd. The processing carried out by Pinterest Europe Ltd. following the referral is not part of the joint controllership. The obligations for which we are jointly responsible are set out in a joint controllership agreement.
According to this arrangement, we are responsible for issuing data protection information when using social media plugins and for the correct technical implementation on our website. Pinterest Europe Ltd is responsible for safeguarding the rights of data subjects insofar as this concerns data processed within the scope of joint controllership. For this purpose, you are able to contact Pinterest Europe Ltd. directly to exercise your rights as a data subject. If you contact us to exercise your rights as a data subject, we will forward this to Pinterest Europe Ltd.
Further information on the joint controllership agreement, the processing of your data by Pinterest and the exercising of your data subject rights with respect to Pinterest can be found here:
- https://business.pinterest.com/de/pinterest-advertising-services-agreement
- https://policy.pinterest.com/privacy-policy
2.5.3. Joint controllership with TikTok
We are joint controllers with TikTok Information Technologies UK Limited, 6th Floor, One London Wall, London, EC2Y 5EB, United Kingdom ("TikTok UK") and TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland ("TikTok Ireland") in relation to the TikTok Pixel service.
The joint controllership encompasses the collection and transfer of event data processed in connection with the service. There is an agreement in place with TikTok regarding processing as joint controllers. This agreement determines the distribution of data privacy obligations between us, as the provider of the website, and TikTok. In this agreement, both parties have agreed, among other things,
- that we, as the provider of the website, are responsible for providing visitors with information in accordance with Articles 13 and 14 GDPR on the joint processing of personal data;
- that TikTok is responsible for enabling persons concerned to exercise their rights as data subjects in accordance with Articles 15 to 20 GDPR with regard to the personal data stored by TikTok after joint processing.
The existing agreement with TikTok on joint controllership containing the determinations made as well as information on data processing by TikTok and the possibility of asserting the rights of data subjects can be accessed here:
- https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms
- https://www.dataprivacyframework.gov/list
3. For how long do we store your data?
We generally process your personal data in connection with the use of our website for the duration of the respective user session, unless storage beyond this time is necessary for the fulfilment of the respective processing purposes. In this case, we process your personal data provided this is necessary for the fulfilment of the respective processing purpose. This is determined, in particular, by the nature and functionality of the respective service or function which you use on the website.
We are also subject to various statutory retention and documentation obligations. The retention and documentation periods specified in these cases are up to ten years.
Finally, the storage period is also determined by the statutory limitation periods, which, for example, can be up to thirty years in accordance with Sections 195 et seqq. of the German Civil Code (BGB), although the regular limitation period is three years.
4. Who do we transfer your data to?
We transfer your personal data to a range of recipients outside our company.
This includes external service providers who support us in connection with the provision of the app and its content. Your personal data is processed by external service providers exclusively on our behalf and in accordance with our instructions. These recipients are so-called processors (see Article 4(8) GDPR). Your personal data is also transmitted to recipients who process your personal data under their own responsibility (see Article 4(7) GDPR).
These recipients or categories of recipients are listed below:
Recipient: Nature of the services
- Adyen N.V., Simon Carmiggeltstraat 6-50, 1011 DJ Amsterdam, Netherlands: Payment service provider
- Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Park, Dublin 24, Ireland: Online platform provider for webinars (Adobe Connect)
- Akamai Technologies GmbH, Parkring 22, 85748 Garching, Germany; Akamai Technologies, Inc., 145 Broadway, Cambridge, MA 02142 USA: Provider of content delivery (Akamai Edge) and analytics services (Akamai mPulse)
- Amazon Europe Core S.à r.l., 38 Avenue John F. Kennedy, L-1855, Luxembourg: Provider of Amazon Advertising
- Amazon Web Services EMEA SARL, 38, avenue John F. Kennedy, L-1855 Luxembourg: Hosting services provider
- Bazaarvoice, Inc., 10901 Stonelake Blvd Austin, TX 78759, USA: Provider of online services for product reviews
- Cloudflare, Inc., 101 Townsend Street San Francisco, CA 94107, USA: Provider of web performance and security services
- Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland: Provider of Google reCAPTCHA, Google Analytics, Google Tag Manager, Google Conversion Tracking, DoubleClick Floodlights, Google Maps, YouTube Analytics, Google Fonts
- Hotjar Ltd, Business Centre 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141 Malta: Analytics provider (Hotjar)
- IBM Deutschland GmbH, IBM-Allee 1 71139 Ehningen, Germany: Hosting services provider
- Klarna Bank AB, Sveavägen 46, 111 34 Stockholm, Sweden: Payment service provider
- LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland: Provider of LinkedIn Insight Tag, social media plugins
- Mastercard International Incorporated, 2000 Purchase Street in the hamlet of Purchase, New York, USA: Providers of credit card services, payment service providers
- Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland: Provider of Meta Pixel, Meta Conversion Tracking
- Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland: Provider of Azure AD (identity and access management service)
- Monotype Imaging Inc., 600 Unicorn Park Drive, Woburn, Massachusetts 01801, USA: Provider of online service for fonts
- New Relic Inc., 188 Spear Street, Suite 1000 San Francisco, CA 94105, USA: Provider of New Relic Analytics
- F5, Inc., 801 5th Avenue, Seattle, WA 98104, USA (formerly: Nginx, Inc.): Provider of web server management and traffic processing services
- OneTrust GmbH, Friedentraße 22B, 81671 Munich, Germany: Provider of Consent Management Platform
- PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg: Payment service provider
- Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland: Provider of Pinterest Tag, Conversion Tracking
- salesforce.com Germany GmbH, Erika-Mann-Strasse 31-37, 80636 Munich, Germany: Provider of online customer management platform (CRM system)
- Salesforce UK Limited, village 9, floor 26 Salesforce Tower, 110 Bishopsgate, London, United Kingdom: Provider of online customer management platform (CRM system)
- STR8 GmbH & Co. KG, Callinstraße 43, 30167 Hanover, Germany: Provider of the online portal for seminar portal hosting
- SAP Deutschland SE & Co. KG, Hasso-Plattner-Ring 7 69190 Walldorf, Germany: Webshop software provider
- Stripe, Inc., 354 Oyster Point Boulevard, San Francisco, California, 94103, USA: Payment services provider
- TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland; TikTok Information Technologies UK Limited, WeWork, 125 Kingsway, London, WC2B 6NH, United Kingdom: TikTok Pixel provider
- Webtrekk GmbH, Schönhauser Allee 148, 10435 Berlin, Germany: Provider of the Webtrekk analytics
- Webex Communications Deutschland GmbH, Hansaallee 249 c/o Cisco Systems GmbH, 40549 Düsseldorf, Germany: Provider of online web communication platform
- Wingify Software Pvt. Ltd., 1104, KLJ TOWER, North, Netaji Subhash Place, Pitampura, Delhi, 110034, India: Visual Website Optimiser provider
- United Parcel Service Deutschland S.à r.l. & Co. OHG, Görlitzer Straße 1, 41460 Neuss, Germany: Transport company (transport of orders)
- WhatsApp Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland: Provider of WhatsApp Channels and Business
- Zoovu (Germany) GmbH, Skalitzer Straße 104, 10997 Berlin: Provider of online assistance services
- Group companies of the Lixil Group, of which GROHE is a part: Support in the operation of the website (technical support, hosting, support with processing requests), provision of services relating to logistics, IT security, administration, sales and customer care, communication
5. Is data transferred to a third country?
In connection with the use of the website, your personal data will also be transferred to recipients in third countries, i.e. countries outside the EU and the European Economic Area (EEA).
Data will only be transferred to third countries if there is a relevant legal basis for this. This means that we will only transfer your data provided the EU Commission has decided there is an adequate level of data protection for the respective third country (a so-called EU adequacy decision, see Article 45 GDPR), appropriate guarantees are provided for the protection of your personal data (see Article 46 GDPR) or there is a statutory derogation (see Article 49 GDPR). Appropriate guarantees within the meaning of Article 46 GDPR include the EU standard data protection clauses published by the EU Commission.
There is currently a Data Privacy Framework (DPF) agreement for the transfer of data into the US. This is an agreement between the European Union and the US, the purpose of which is to ensure compliance with European data protection standards for data processing in the US in accordance with Article 45 GDPR. Every DPF-certified company undertakes to comply with these data protection standards. Further information about this can be found under the following link:
In connection with your use of the website, your data will be transferred to the following recipients, who process your data in a third country.
Recipient: Legal basis
- Akamai Technologies, Inc., 145 Broadway, Cambridge, MA 02142 USA: EU-U.S. Data Privacy Framework (EU adequacy decision)
- Bazaarvoice, Inc., 10901 Stonelake Blvd Austin, TX 78759, USA: EU-U.S. Data Privacy Framework (EU adequacy decision)
- Cloudflare, Inc., 101 Townsend Street San Francisco, CA 94107, USA: EU-U.S. Data Privacy Framework (EU adequacy decision)
- F5, Inc., 801 5th Avenue, Seattle, WA 98104, USA: EU-U.S. Data Privacy Framework (EU adequacy decision)
- Monotype Imaging Inc., 600 Unicorn Park Drive, Woburn, Massachusetts 01801, USA: EU-U.S. Data Privacy Framework (EU adequacy decision)
- New Relic Inc., 188 Spear Street, Suite 1000 San Francisco, CA 94105, USA: EU-U.S. Data Privacy Framework (EU adequacy decision)
- Salesforce, Inc., Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA: EU-U.S. Data Privacy Framework (EU adequacy decision)
- Stripe, Inc., 354 Oyster Point Boulevard, San Francisco, California, 94103, USA: EU-U.S. Data Privacy Framework (EU adequacy decision)
- Salesforce UK Limited, village 9, floor 26 Salesforce Tower, 110 Bishopsgate, London, United Kingdom: EU adequacy decision for the UK
- TikTok Information Technologies UK Limited, WeWork, 125 Kingsway, London, WC2B 6NH, United Kingdom: EU adequacy decision for the UK
- Wingify Software Pvt. Ltd., 1104, KLJ TOWER, North, Netaji Subhash Place, Pitampura, Delhi, 110034, India: EU standard data protection clauses (Module 2)
- Group companies of the Lixil Group, of which GROHE is a part: EU standard data protection clauses (Module 2)
If you would like further information on the transfer to third countries, please contact the office named in section 1.
Please note that the respective recipients who process your data may also transfer your data to recipients in third countries. Further information regarding this can be found in the corresponding data protection information for these recipients. Where possible, links are provided for these recipients in this data privacy policy.
6. Which sources does your data come from?
We process personal data which you provide to us directly or which we receive from third parties. These third parties include the respective providers and service providers we use in connection with the operation of the website and the functionalities and services provided on the website (see the above information in section 4).
7. Do you have an obligation to provide your data?
You are neither legally nor contractually obliged to provide us with personal data. This does not apply to data required for registration and logging into the GROHE user account or for services for which binding registration is required (product registration, registration for GROHE seminars). Without this data, we cannot provide you with these services or functions.
When you use the website, protocol data is also automatically transmitted by your browser (see section 2.1.2). The website cannot be viewed without this technical data.
You will otherwise only be asked to provide the data required for the provision of our functions and services on the website. Please note that without this personal data, we may not be able to provide you with the full range of functions on the website and our functions and services may be limited.
8. Does automated decision-making including profiling take place in line with Article 22 GDPR?
Automated decision-making including profiling in accordance with Article 22 GDPR does not take place.
9. What rights do you have?
You have the right of access under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR and the right to data portability under Article 20 GDPR. If we process your personal data on the basis of your consent, you can revoke this consent at any time. There are no formal requirements relating to how consent is revoked.
If your personal data is processed for the purpose of our legitimate interests in accordance with Article 6(1) point (f) GDPR, you can object to this processing in accordance with the legal requirements in Article 21 GDPR.
To exercise the above rights, you can contact the office named in section 1.
10. Information about your right to object pursuant to Article 21 and your right to lodge a complaint pursuant to Article 77 GDPR
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1) point (f) GDPR; this also applies to any profiling based on this provision within the meaning of Article 4(4) GDPR.
Where you object to the processing, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the data is being processed for the establishment, exercise or defence of legal claims.
There are no formal requirements relating to how the objection is made and, where possible, it should be submitted to the office named under section 1 of the privacy policy.
There is also the right to lodge a complaint with a data protection supervisory authority in accordance with Article 77 GDPR if you believe that your personal data is being processed unlawfully. The right to lodge a complaint exists without prejudice to any other administrative or judicial remedy.
An overview of the European data protection supervisory authorities is available here:
An overview of the data protection supervisory authorities operating in Germany is available here:
11. Data security
We use 128-bit TLS encryption to ensure the security of the data transferred to us. You can recognise encrypted connections such as these by the prefix “https://” in the page link in the address bar of your browser. Unencrypted pages are identified by “http://”. This encryption means that none of the data you transmit to our website can be read by third parties.
12. Changes to the privacy policy
In order to ensure our privacy policy complies with the current legal requirements and reflects the technical setup of our websites at all times, we reserve the right to make changes at any time.
Status 11.7.2025