PRIVACY PROTECTION

General Information

The following information is intended to provide you with an overview of how we process your personal data and of your data protection rights when you visit the Bionella.info brand website. Information regarding data processing when visiting the general corporate website of Rapunzel Naturkost GmbH & Co. KG can be found there.

In general, you can use Bionella.info without providing any personal data. However, if you wish to use specific services on our website or take advantage of other options, the processing of personal data may be necessary. If the processing of personal data is necessary and there is no legal basis for such processing, we will generally seek your consent.

As the data controller, we always strive to ensure the most comprehensive protection possible of the personal data processed via this website using up-to-date technical and organizational measures, just as we place great emphasis on security and data protection in our other processing activities.

However, internet-based data transmissions may inherently involve security risks, meaning that absolute protection—such as against unauthorized access by third parties—cannot be guaranteed. For this reason, you are free to contact us by phone or mail and to provide us with personal data through these channels as well.

Data Controller

RAPUNZEL Naturkost GmbH & Co. KG
Rapunzelstr. 1
D-87764 Legau
Phone: +49 (0) 8330 - 529 - 0
Fax: +49 (0) 8330 - 529 1139
Web: rapunzel.de | bionella.info
Email: info@rapunzel.de
For further information, please refer to our Legal Notice.

Data Protection Officer

If you have any questions regarding data processing or data protection at our company, you can contact our Data Protection Officer at DAISECO GmbH at any time.

You can reach them by mail at the address above (please mark the envelope “Attn: Data Protection Officer”), by email at datenschutzbeauftragter@rapunzel.de, or confidentially via our data protection portal.

Disclosure of Data to Third Parties

We do not disclose your personal data to third parties for purposes other than those listed below when you visit our website. We will only disclose your personal data to third parties if:
1. you have given us your explicit consent to do so pursuant to Article 6(1)(a) of the GDPR,
2. the disclosure is permissible to safeguard our legitimate interests pursuant to Article 6(1)(f) of the GDPR and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data,
3. in the event that there is a legal obligation to disclose pursuant to Article 6(1)(c) of the GDPR, and
4. this is legally permissible and necessary for the performance of contractual relationships with you pursuant to Article 6(1)(b) of the GDPR.

As part of the processing activities described in this Privacy Policy, personal data may be transferred to the United States. The United States does not have an adequate level of data protection (ECJ: Schrems II ruling). In particular, U.S. law enforcement agencies may compel U.S. companies to hand over or disclose personal data without the data subjects having an effective legal remedy against such actions. Consequently, there is a possibility that your personal data may be processed by U.S. investigative authorities. We have no influence over these processing activities. To protect your data, we have entered into data processing agreements based on the European Commission’s Standard Contractual Clauses. If the Standard Contractual Clauses are insufficient to ensure an adequate level of security, your consent pursuant to Art. 49(1)(a) GDPR may serve as the legal basis for the transfer to third countries. This does not apply, however, to data transfers to third countries for which the European Commission has issued an adequacy decision pursuant to Art. 45 GDPR.

SSL/TLS Encryption

This site uses SSL or TLS encryption to ensure the security of data processing and to protect the transmission of confidential information—such as orders, login credentials, or contact requests—that you send to us as the site operator. You can recognize an encrypted connection by the fact that “https://” appears in the browser’s address bar instead of “http://,” and by the lock icon in your browser bar. We use this technology to protect the data you transmit.

Data Collection When Visiting the Website

When you use our website for informational purposes only—that is, without registering or otherwise transmitting information to us—we collect only the data that your browser transmits to our server (in so-called “server log files”). Our website collects a range of general data and information each time you or an automated system accesses a page. This general data and information is stored in the server’s log files. The following may be collected:

1. the types and versions of browsers used,
2. the operating system used by the accessing system,
3. the website from which an accessing system reaches our website (known as a referrer),
4. the subpages accessed on our website via an accessing system,
5. the date and time of access to the website,
6. an Internet Protocol address (anonymized IP address), and
7. the Internet service provider of the accessing system.

We do not draw any conclusions about your identity when using this general data and information. Rather, this information is required to

1. correctly deliver the content of our website,
2. optimize the content of our website as well as the advertising on it,
3. ensure the continued functionality of our IT systems and the technology of our website, and
4. provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyberattack.

We therefore evaluate this collected data and information both for statistical purposes and with the aim of enhancing data protection and data security within our company, ultimately to ensure an optimal level of protection for the personal data we process. The anonymous data from the server log files is stored separately from any personal data provided by a data subject.

The legal basis for data processing is Article 6(1)(f) of the GDPR. Our legitimate interest arises from the purposes of data collection listed above.

Plugins and other services

a) Google Tag Manager
We use the Google Tag Manager service on this website. The operator of Google Tag Manager is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is part of the Google group of companies, headquartered at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

This tool allows “website tags” (i.e., keywords embedded in HTML elements) to be implemented and managed via an interface. By using Google Tag Manager, we can automatically track which button, link, or personalized image you have actively clicked on and can then determine which content on our website is of particular interest to you. The tool also triggers other tags, which may in turn collect data. Google Tag Manager does not access this data. If you have disabled tracking at the domain or cookie level, this setting will apply to all tracking tags implemented using Google Tag Manager. These processing operations are carried out exclusively upon the granting of explicit consent in accordance with Art. 6(1)(a) GDPR. Google’s Privacy Policy: https://www.google.com/intl/de/policies/privacy/.

b) YouTube (Videos)
We have integrated YouTube components into this website. YouTube is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. YouTube is an online video portal that allows video publishers to upload video clips free of charge and enables other users to view, rate, and comment on them, also free of charge. YouTube permits the publication of all types of videos, which is why complete films and television programs, as well as music videos, trailers, or user-generated videos, are available via the portal. Each time you visit a page on this website operated by us that includes a YouTube component (YouTube video), the web browser on your computer is automatically prompted by the respective YouTube component to download a display of that YouTube component from YouTube.

Further information about YouTube is available at https://www.youtube.com/yt/about/de/. As part of this technical process, YouTube and Google receive information about which specific page of our website you are visiting.

If you are logged into YouTube at the same time, YouTube will recognize which specific page of our website you are visiting when you access a page that contains a YouTube video. This information is collected by YouTube and Google and associated with your YouTube account.

YouTube and Google receive information via the YouTube component that you have visited our website whenever you are logged into YouTube at the time of visiting our website; this occurs regardless of whether you click on a YouTube video or not. If you do not wish for this information to be transmitted to YouTube and Google, you can prevent the transmission by logging out of your YouTube account before visiting our website. These processing operations take place exclusively upon the granting of explicit consent in accordance with Art. 6(1)(a) GDPR. YouTube’s privacy policy: https://www.google.de/intl/de/policies/privacy/.

c) Font Awesome (locally hosted)
Our website uses Font Awesome to ensure consistent font display. The fonts are provided by Fonticons Inc., 307 S Main St Ste 202 Bentonville, AR, USA. Font Awesome is installed locally. No connection is established with Fonticons Inc.’s servers. For more information about Font Awesome, please refer to the Font Awesome Privacy Policy at: https://fontawesome.com/privacy.

d) Google Web Fonts (locally hosted)
Our website uses so-called web fonts to ensure a consistent font display. Google Web Fonts are provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is part of the Google group of companies, headquartered at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
The Google Fonts are installed locally. No connection to Google’s servers is established. For more information about Google Web Fonts, please visit https://developers.google.com/fonts/faq and Google’s Privacy Policy: https://policies.google.com/privacy?hl=de.

Content and Contact

Here, we provide information about our Bionella Nut Nougat Cream—from production to where to buy it—as well as recipes, our Rapunzel HAND IN HAND Fair Trade Program, and links to other websites within our corporate family. We offer various ways to contact us via our corporate website at Rapunzel.de, such as for product inquiries and complaints, distribution inquiries, and similar matters. You can find the relevant privacy policy information in the privacy policy section there.
For detailed information, feedback, praise, and similar matters, please feel free to contact us via our general contact form on the Rapunzel corporate website. For product complaints or issues regarding our products, please contact us via our complaint form on Rapunzel.de. By doing so, you will leave this website and be redirected to our corporate website, where your data will then be processed to address your inquiry. You can find the privacy policy information in the privacy policy on that site.

Our Social Media Activities

a) Links to Social Media Profiles
Our website does not include any social media plugins or other interfaces, nor does it use analytics from these services. We simply provide links to our profiles on Instagram, Facebook, Pinterest, YouTube, and LinkedIn, which are marked with an icon. When you click on these links, you will be redirected to the respective provider’s website; that is, user information is only transferred to the respective provider at that point. For information on how your personal data is handled when using these websites, please refer to the respective providers’ privacy policies.

b) Presence on Social Media
We use the social media platforms listed to inform users about our products and informational offerings, engage in discussions with interested parties, and provide our audience with insights into our business, environmental, economic, social, and political activities, as well as to share recipes and news.
You may contact us directly via the respective platform at your own request and initiative. The social media channels listed above complement our website and offer an additional, supplementary means of information and communication.
As soon as you access Rapunzel’s respective social media profile on the relevant network, the terms of service and privacy policies of the respective operators apply there. We process visitor data on our social media profiles only if you contact and communicate with us, for example through comments or direct messages.
The controllers of the respective platforms process data for their own purposes in accordance with their own privacy policies, over which we have no influence. Furthermore, we are not aware of the full scope of data processing, its purposes, or retention periods. In certain cases, we process your data jointly with the social network provider based on joint controllership within the meaning of Article 26 of the GDPR.

The processing of your personal data is necessary for you to use the social media platform.

We are not the original provider of these sites, but merely use them within the scope of the options offered to us by the respective providers. Therefore, as a precaution, we would like to point out that your data may also be processed outside the European Union or the European Economic Area. Use of these platforms may therefore involve data protection risks for you, as it may be difficult to exercise your rights—such as the right to access, erasure, or objection—and processing on social networks is often carried out directly by the providers for advertising purposes or to analyze user behavior, without us being able to influence this. If the provider creates usage profiles, cookies are often used, or your usage behavior is linked to the social media profile you have created.
The processing of personal data described above is carried out in accordance with Article 6(1)(f) of the GDPR on the basis of our legitimate interest and the legitimate interest of the respective provider in communicating with you in a modern manner and informing you about our services.

If you are required to provide consent to data processing as a user with the respective providers, the legal basis is Article 6(1)(a) of the GDPR in conjunction with Article 7 of the GDPR.

Since we do not have access to the providers’ data, we would like to point out that, despite possible joint responsibility with the social media portal operators, it is best to exercise your rights (e.g., to access, rectification, erasure, etc.) directly with the respective provider.

Further information regarding the processing of your data on social networks and the possibility of exercising your right to object or withdraw consent (so-called “opt-out”) is provided below for each social media provider we use.

c) Social Media Services
Facebook
(Joint) Data Controller in Europe:
Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Privacy Policy: https://www.facebook.com/about/privacy
Opt-out and ad settings: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen

Instagram
(Joint) controller for data processing in Germany:
Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Privacy Policy (Data Policy): https://instagram.com/legal/privacy/

Matomo QR Code Tracking

We use Matomo—a service provided by InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand—to track campaigns using QR codes. Matomo is a web analytics software tool designed to collect, gather, and analyze data on the behavior of website visitors. We only evaluate how often specific QR codes were scanned by visitors and what interactions with our pages occur as a result. We use this information to understand user behavior on our site, evaluate the use of our subpages, and subsequently make potential improvements to our campaigns.
To ensure the privacy of our users, IP addresses are anonymized. We do not collect any personal data from QR code users and do not track individual users. Our analyses are used exclusively for feedback analysis, optimizing our offerings, and assessing the success of our campaigns. We are not interested in the identities of our visitors or any other data.

We have therefore configured Matomo so that it does not use cookies. We also do not engage in so-called “device fingerprinting.” No profiling or retargeting takes place.

Matomo is hosted on our own servers, ensuring that data remains within the EU and is not shared with third parties.

When tracking QR codes, Matomo processes visitors’ anonymized IP addresses.
The legal basis for our processing is Art. 6(1)(f) of the GDPR. We have a legitimate interest in the security and technically appropriate design of our website’s functionality, as well as in the non-personal analysis of our campaigns.
Further information and Matomo’s applicable privacy policy can be found here: https://matomo.org/privacy-policy.

Web Analytics with Google Analytics 4

On our websites, we use Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). In this context, pseudonymized user profiles are created and cookies are used (see the “Cookies” section). The information generated by the cookie regarding your use of this website may include, among other things:

• Temporary recording of the IP address without permanent storage
• Location data
• Browser type/version
• Screen resolution
• Browser language
• Browser information
• Device information
• Operating system used
• Referrer URL (previously visited page)
• Date and time of the visit
• Click path
• Interaction data
• User behavior
• Visited URL
• Cookie ID
• Hostname

The pseudonymized data may be transferred by Google to a server in the United States and stored there. The information is used to evaluate the use of the website, to compile reports on website activity, and to provide other services related to website and internet usage for the purposes of market research and to tailor the design of these web pages to user needs. This information may also be transferred to third parties where required by law or where such third parties process the data on Google’s behalf.

These processing operations take place exclusively upon the granting of explicit consent in accordance with Art. 6(1)(a) of the GDPR. Google’s default data retention period is 14 months. Otherwise, personal data is retained for as long as necessary to fulfill the purpose of processing. The data is deleted as soon as it is no longer necessary to achieve the purpose. The parent company, Google LLC, is a U.S. company certified under the EU-U.S. Data Privacy Framework. An adequacy decision pursuant to Art. 45 GDPR is in place, meaning that personal data may be transferred even without further guarantees or additional measures.
Further information on data protection when using GA4 can be found at: https://support.google.com/analytics/answer/12017362?hl=de.

IP Anonymization
We have enabled the IP anonymization feature on this website. This means that Google will truncate your IP address within member states of the European Union or in other signatory states to the Agreement on the European Economic Area before transmitting it to the United States. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity, and to provide other services related to website and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

Browser Plugin
You can prevent the storage of cookies by adjusting your browser settings accordingly; however, we would like to point out that in this case, you may not be able to use all functions of this website to their full extent. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) by Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link:
Download page for the browser add-on to disable Google Analytics:
https://tools.google.com/dlpage/gaoptout?hl=de

a) Additional information on Consent Mode, simple implementation
Under the Digital Markets Act, Google is required to obtain users’ consent before processing user data for personalized advertising. Google complies with this requirement through “Consent Mode.” Website operators are required to implement this feature and thereby demonstrate that they have obtained consent from website visitors. Google offers two implementation modes: simple and advanced.

We use the simple implementation method of Google Consent Mode. Only if you give your consent to the use of Google Analytics (see above) will a connection to Google be established, a Google code be executed, and the processing described above take place. If you refuse to give consent, Google merely receives a notification that consent has not been granted. The Google code is not executed, and no Google Analytics cookies are set.

Advertising

Under the Digital Markets Act, Google is required to obtain users’ consent before processing user data for personalized advertising. Google complies with this requirement through “Consent Mode.” Website operators are required to implement this feature and thereby demonstrate that they have obtained consent from website visitors. Google offers two implementation modes: simple and advanced. We use the simple implementation method of Google Consent Mode. Only if you give your consent to the use of Google Analytics (see above) will a connection to Google be established, a Google code be executed, and the processing described above take place. If you refuse to give consent, Google merely receives a notification that consent has not been granted. The Google code is not executed, and no Google Analytics cookies are set.

Cookies

a) General Information About Cookies
We use cookies on our website. These are data records containing information that your browser automatically creates and that are stored on your IT system or device (laptop, tablet, smartphone, etc.) when you visit our site. The cookie stores information that is specific to the device you are using. However, this does not mean that we thereby gain direct knowledge of your identity. The use of cookies serves, on the one hand, to make your experience of our website more pleasant. For example, we use so-called session cookies to recognize that you have already visited individual pages of our website. These are automatically deleted when you leave our site.

In addition, to optimize user-friendliness, we also use temporary cookies that are stored on your device for a specific, predetermined period of time. If you visit our site again to use our services, the system automatically recognizes that you have previously visited us and recalls the entries and settings you made, so you do not have to re-enter them.

In addition, we use cookies to collect statistical data on the use of our website and to analyze this data in order to optimize our services for you. These cookies allow us to automatically recognize that you have visited our site before when you return. These cookies are automatically deleted after a specified period of time. The specific retention periods for these cookies can be found in the settings of our consent tool.

b) Instructions for blocking cookies in common browsers
You can use your browser’s settings to delete cookies, allow only certain cookies, or disable cookies entirely at any time. For more information, please visit the support pages of the respective providers:
Chrome: https://support.google.com/chrome/answer/95647
Safari: https://support.apple.com/de-at/guide/safari/sfri11471/mac
Firefox: https://support.mozilla.org/de/kb/cookies-und-website-daten-in-firefox-loschen
Microsoft Edge: https://support.microsoft.com/de-de/microsoft-edge/cookies-in-microsoft-edge-l%C3%B6schen-63947406-40ac-c3b8-57b9-2a946a29ae09

c) Usercentrics (Consent Management Platform / CMP)
We use the “Usercentrics” consent management platform provided by Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany. This service enables us to obtain and manage website users’ consent for data processing. Usercentrics collects data generated by end users who use our website. When an end user gives consent, Usercentrics automatically logs the following data:

• Browser information.
• Date and time of access.
• Device information.
• The URL of the page visited.
• Geographic location.
• Page path of the website.

The end user’s consent status, which serves as proof of consent.
The consent status is also stored in the end user’s browser so that the website can automatically read and honor the end user’s consent for all subsequent page requests and future end user sessions for up to 12 months. The consent data (consent and withdrawal of consent) is stored for three years. The retention period corresponds to the standard statute of limitations pursuant to Section 195 of the German Civil Code (BGB). The data is then immediately deleted or, upon request, provided to the data subject in the form of a data export.

The website cannot function properly without the processing described above. Users have no right to object as long as there is a legal obligation to obtain their consent for certain data processing operations (Art. 7(1) and Art. 6(1)(c) of the GDPR). Usercentrics is the recipient of your personal data and acts as a processor on our behalf. Detailed information on the use of Usercentrics can be found at: https://usercentrics.com/privacy-policy/.
Change your privacy settings

Your Rights as a Data Subject

Right to Confirmation - You have the right to request confirmation from us as to whether personal data concerning you is being processed.
Right of access under Article 15 of the GDPR – You have the right to obtain from us, at any time and free of charge, information regarding the personal data stored about you, as well as a copy of such data, in accordance with the provisions of the law.

Right to rectification under Article 16 of the GDPR – You have the right to request the rectification of inaccurate personal data concerning you. Furthermore, you have the right to request the completion of incomplete personal data, taking into account the purposes of the processing.

Right to erasure under Article 17 of the GDPR – You have the right to request that we erase personal data concerning you without undue delay, provided that one of the grounds provided for by law applies and insofar as processing or storage is not necessary.

Right to restriction of processing under Article 18 of the GDPR – You have the right to request that we restrict processing if one of the legal requirements is met.
Right to data portability under Article 20 of the GDPR – You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller to whom the personal data has been provided, without hindrance from us, provided that the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) of the GDPR, and the processing is carried out by automated means, provided that the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Furthermore, when exercising your right to data portability under Article 20(1) of the GDPR, you have the right to have the personal data transmitted directly from one controller to another, provided this is technically feasible and does not infringe upon the rights and freedoms of others.

Right to object under Article 21 of the GDPR – You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out on the basis of Article 6(1)(e) (data processing in the public interest) or (f) (data processing based on a balancing of interests) of the GDPR. This also applies to profiling based on these provisions within the meaning of Article 4(4) of the GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing is necessary for the establishment, exercise, or defense of legal claims.

In certain cases, we process personal data for the purpose of direct marketing. You may object at any time to the processing of your personal data for such marketing purposes. This also applies to profiling to the extent that it is related to such direct marketing. If you object to the processing of your personal data for direct marketing purposes, we will no longer process your personal data for these purposes.

In addition, you have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you that we carry out for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) of the GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.
You are free to exercise your right to object in connection with the use of information society services, notwithstanding Directive 2002/58/EC, by means of automated procedures using technical specifications.
Right to withdraw consent under data protection law - You have the right to withdraw your consent to the processing of personal data at any time with future effect.

Right to lodge a complaint with a supervisory authority - You have the right to lodge a complaint with a supervisory authority responsible for data protection regarding our processing of personal data. A list of contact information for data protection officers in the federal states and supervisory authorities for the non-public sector, as well as in other countries, can be found on the website of the Federal Commissioner for Data Protection and Freedom of Information (BfDI) under Addresses and Links.

Automated Decision-Making & Profiling
We do not use profiling within the meaning of Article 22 of the GDPR in connection with the use of our websites.

Storage, Deletion, and Blocking
We process and store your personal data only for the period necessary to achieve the purpose of storage or to the extent required by the legal provisions to which our company is subject. If the purpose of storage no longer applies or a prescribed retention period expires, the personal data is routinely blocked or deleted in accordance with legal requirements.

Retention Period

The criterion for the duration of the storage of personal data is the respective statutory retention period. Upon expiration of the retention period, the relevant data is routinely deleted, provided it is no longer required for the performance of a contract or for entering into a contract.

Additional Privacy Questions

On our website, you will find further information about our products, our company, and our privacy practices. If you have any additional questions, comments, or other inquiries regarding your personal data that are not addressed here, please feel free to contact us using the contact information provided or by emailing us at: datenschutzbeauftragter@rapunzel.de.