Privacy Policy
The protection of your personal data is very important to us. That's why we have assigned the implementation of all related topics to the external partner heyData.
1. Introduction
In the following, we provide information about the collection of personal data when using
- our website www.duplo-frank.de
- our profiles in social media.
Personal data is any data that can be related to a specific natural person, such as their name or IP address.
1.1. Contact Details
The controller within the meaning of art. 4 para. 7 EU General Data Protection Regulation (GDPR) is H. Frank Kunststofftechnik GmbH, Vorderfreundorfer Straße 20, 94143 Grainet, Germany, email: info@duplo-frank.de. We are legally represented by Hubert Frank and Julia Reif.
Our data protection officer is heyData GmbH, Schützenstraße 5, 10117 Berlin, Germany, www.heydata.eu, email: datenschutz@heydata.de.
1.2. Scope of Data Processing, Processing Purposes and Legal Bases
We explain the scope of data processing, processing purposes and legal bases in detail below. In principle, the following legal bases may apply to data processing:
- Art. 6 para. 1 s. 1 lit. a GDPR serves as the legal basis for processing operations for which we obtain consent.
- Art. 6 para. 1 s. 1 lit. b GDPR is the legal basis insofar as the processing of personal data is necessary for the performance of a contract, e.g. if a website visitor purchases a product from us or we provide a service to them. This legal basis also applies to processing that is necessary for pre-contractual measures, for example in the case of inquiries about our products or services.
- Art. 6 para. 1 s. 1 lit. c GDPR applies if we fulfill a legal obligation by processing personal data, as may be the case, for example, under tax law.
- Art. 6 para. 1 s. 1 lit. f GDPR serves as the legal basis if we rely on legitimate interests for processing personal data, for example for cookies that are necessary for the technical operation of our website.
1.3. Data Processing outside the EEA
Insofar as we transfer data to service providers or other third parties outside the EEA, adequacy decisions of the EU Commission pursuant to Art. 45 para. 3 GDPR guarantee the security of the data during the transfer, provided such decisions exist, as is the case, for example, for the United Kingdom, Canada and Israel.
When transferring data to service providers in the USA, the legal basis for the data transfer is an adequacy decision of the EU Commission, provided that the service provider is additionally certified under the EU-US Data Privacy Framework.
If no adequacy decision exists (e.g. for the USA), the legal basis for the data transfer is generally, unless otherwise stated, standard contractual clauses. These are a set of rules adopted by the EU Commission and form part of the contract with the respective third party. Pursuant to Art. 46 para. 2 lit. b GDPR, they ensure the security of the data transfer. Many providers have given contractual guarantees that go beyond the standard contractual clauses and provide additional protection for the data. These include, for example, guarantees regarding the encryption of data or an obligation on the part of the third party to inform data subjects if law enforcement authorities seek access to the data.
1.4. Storage Duration
Unless expressly stated otherwise in this privacy policy, the data stored by us will be deleted as soon as they are no longer necessary for their intended purpose and no statutory retention obligations prevent deletion. If the data are not deleted because they are required for other legally permissible purposes, their processing is restricted, i.e. the data are blocked and not processed for other purposes. This applies, for example, to data that we must retain for commercial or tax law reasons.
1.5. Rights of Data Subjects
Data subjects have the following rights against us regarding their personal data:
- right of access,
- right to rectification or erasure,
- right to restriction of processing,
- right to object to the processing,
- right to data portability,
- right to withdraw consent at any time.
Data subjects also have the right to lodge a complaint with a data protection supervisory authority regarding the processing of their personal data. The contact details of the data protection supervisory authorities are available at https://www.bfdi.bund.de/EN/Service/Anschriften/Laender/Laender-node.html.
1.6. Obligation to Provide Data
Within the scope of a business or other relationship, customers, prospective customers or third parties must provide us only with the personal data that is necessary for the establishment, performance and termination of the business or other relationship or that we are legally obliged to collect. Without this data, we will generally have to refuse to conclude a contract or provide a service or will no longer be able to perform an existing contract or other relationship.
Mandatory information is marked as such.
1.7. No Automated Decision-Making in Individual Cases
As a matter of principle, we do not use automated decision-making pursuant to article 22 GDPR for the establishment and performance of a business or other relationship. Should we use such procedures in individual cases, we will inform you separately if this is required by law.
1.8. Contact
When contacting us, e.g. by e-mail or telephone, the data provided to us (e.g. names and e-mail addresses) will be stored by us in order to answer questions. The legal basis for the processing is our legitimate interest (Art. 6 para. 1 s. 1 lit. f GDPR) in responding to inquiries addressed to us. We delete the data arising in this context once storage is no longer necessary or restrict the processing if statutory retention obligations exist.
1.9. Customer Surveys
From time to time, we conduct customer surveys in order to better understand our customers and their wishes. In doing so, we collect the data requested in each case. It is our legitimate interest to better understand our customers and their wishes, so the legal basis for the associated data processing is Art. 6 para. 1 s. 1 lit. f GDPR. We delete the data once the results of the surveys have been evaluated.
2. Data Processing on our Website
2.1. Notice for Website Visitors from Germany
Our website stores information on the end device of website visitors (e.g. cookies) or accesses information that is already stored on the end device (e.g. IP addresses). Details of the specific information concerned can be found in the following sections.
This storage and access are carried out on the basis of the following provisions:
- Insofar as this storage or access is strictly necessary in order to provide the service on our website expressly requested by website visitors (e.g. to operate a chatbot used by the website visitor or to ensure the IT security of our website), it is carried out on the basis of § 25 para. 2 no. 2 of the Telecommunications Digital Services Data Protection Act (TDDDG).
- Otherwise, this storage or access is carried out on the basis of the consent of the website visitors (§ 25 para. 1 TDDDG).
The subsequent data processing is carried out in accordance with the following sections and on the basis of the provisions of the GDPR.
2.2. Informative Use of the Website
When using the website for information purposes only, i.e. when website visitors do not otherwise provide us with information, we collect the personal data that the browser transmits to our server in order to ensure the stability and security of our website. This constitutes our legitimate interest, so the legal basis is Art. 6 para. 1 s. 1 lit. f GDPR.
These data are:
- IP address
- date and time of the request
- time zone difference to Greenwich Mean Time (GMT)
- content of the request (specific page)
- access status/HTTP status code
- amount of data transferred in each case
- website from which the request originates
- browser
- operating system and its interface
- language and version of the browser software.
These data are also stored in log files. They are deleted when their storage is no longer necessary, at the latest after 14 days.
2.3. Web Hosting and Provision of the Website
Our website www.duplo-frank.de is hosted by IT-CSW, Andreas Wagner, Säumerweg 10, 94556 Neuschönau, Germany. The provider processes the personal data transmitted via the website (e.g. content data, usage data, meta/communication data or contact data) in the EU. Further information can be found in the provider’s privacy policy at https://www.it-csw.com/privatsphaere-und-datenschutz/.
It is our legitimate interest to provide a website, so the legal basis for the data processing is Art. 6 para. 1 s. 1 lit. f GDPR.
We use a content delivery network to support the provision of our website. The provider is IT-CSW, Andreas Wagner, Säumerweg 10, 94556 Neuschönau, Germany. The provider processes the personal data transmitted via the website (e.g. content data, usage data, meta/communication data or contact data) in the USA. Further information can be found in the provider’s privacy policy at https://www.it-csw.com/privatsphaere-und-datenschutz/.
We have a legitimate interest in using sufficient storage and delivery capacities in order to ensure optimal data throughput even during peak loads. The legal basis for the described data processing is therefore Art. 6 para. 1 s. 1 lit. f GDPR.
The legal basis for the transfer to a country outside the EEA is standard contractual clauses. The security of the data transferred to the third country is ensured by standard data protection clauses adopted pursuant to the examination procedure under art. 93 para. 2 GDPR (art. 46 para. 2 lit. c GDPR), which we have agreed with the provider.
2.4. Job Postings
We publish vacant positions in our company on our website, on pages linked to the website or on third-party websites.
The personal data provided as part of the application process are processed for the purpose of carrying out the application procedure. Insofar as these data are necessary for our decision to establish an employment relationship, the legal basis is art. 88 para. 1 GDPR in conjunction with § 26 para. 1 BDSG. We have marked the data required for carrying out the application procedure accordingly or refer to them. If applicants do not provide these data, we cannot process the application. Further data are voluntary and not required for an application. If applicants provide additional information, the legal basis is their consent (art. 6 para. 1 s. 1 lit. a GDPR).
We ask applicants to refrain from providing information on political opinions, religious beliefs and similarly sensitive data in their CV and cover letter. Such information is not required for an application. If applicants nevertheless provide such information, we cannot prevent their processing as part of the processing of the CV or cover letter. Their processing is then also based on the applicants’ consent (art. 9 para. 2 lit. a GDPR).
Finally, we process applicants’ data for further application procedures if they have given us their consent to do so. In this case, the legal basis is art. 6 para. 1 s. 1 lit. a GDPR.
We pass on applicants’ data to the responsible employees in the HR department, to our processors in the area of recruiting and to other employees involved in the application process.
If we enter into an employment relationship with the applicant following the application process, we delete the data only after the employment relationship has ended. Otherwise, we delete the data no later than six months after rejecting an applicant.
If applicants have given us their consent to use their data for further application procedures, we delete their data only one year after receipt of the application.
2.5. Customer Account
Website visitors can open a customer account on our website. We process the data requested in this context on the basis of the website visitor’s consent. The legal basis for the processing is therefore art. 6 para. 1 s. 1 lit. a GDPR.
Consent may be revoked at any time, e.g. by using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of the processing carried out until the revocation. If consent is revoked, we delete the data unless we are obliged or entitled to retain them.
2.6. Reviews
Website visitors may leave reviews on our website regarding our goods, services or our company in general. For this purpose, we process meta data or communication data in addition to the data entered. We have a legitimate interest in receiving feedback from website visitors about our offerings. The legal basis for the data processing is therefore art. 6 para. 1 s. 1 lit. f GDPR. Insofar as we use a third-party tool for this purpose, the relevant information can be found under "Third Parties".
2.7. Offer of Goods
We offer goods via our website. In the course of the ordering process, we process the following data:
- name
- address
- contact details
- payment method
The data are processed for the performance of the contract concluded with the respective website visitor (art. 6 para. 1 s. 1 lit. b GDPR).
We involve DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany, in the ordering process or shipping. The provider receives only the personal data required in each case for shipping.
The legal basis for the processing is art. 6 para. 1 s. 1 lit. b GDPR, as it is necessary for the performance of the contract.
2.8. Payment Service Providers
For the processing of payments, we use payment processors, who are themselves controllers within the meaning of art. 4 no. 7 GDPR. Insofar as they receive the data and payment data entered by us during the ordering process, we thereby fulfill the contract concluded with our customers (art. 6 para. 1 s. 1 lit. b GDPR).
These payment service providers are:
- giropay GmbH (on-site only)
- PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg
2.9. Technically Necessary Cookies
Our website uses cookies. Cookies are small text files that are stored in the web browser on the end device of a website visitor. Cookies help to make the website more user-friendly, effective and secure. Insofar as these cookies are necessary for the operation of our website or its functions (hereinafter "technically necessary cookies"), the legal basis for the associated data processing is art. 6 para. 1 s. 1 lit. f GDPR. We have a legitimate interest in providing customers and other website visitors with a functional website.
Specifically, we use technically necessary cookies for the following purposes:
- cookies that store language and country settings
- cookies that store the shopping cart
- cookies that remember search terms
- cookies that store log-in data
- cookies set by payment providers for payment processing that do not analyze user behavior
2.10. Third Parties
2.10.1. YouTube Videos
We use YouTube videos on our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, D04e5w5, Ireland. The provider processes usage data (e.g. visited websites, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the USA.
The legal basis for the processing is art. 6 para. 1 s. 1 lit. a GDPR. The processing is based on consent. Data subjects may revoke their consent at any time, for example by contacting us using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of the processing carried out until the revocation.
The transfer of personal data to a country outside the EEA is based on consent.
Further information can be found in the provider’s privacy policy at https://policies.google.com/privacy?hl=en.
2.10.2. Google Tag Manager
We use Google Tag Manager for analytics and advertising purposes. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes usage data (e.g. visited websites, interest in content, access times) in the USA.
The legal basis for the processing is art. 6 para. 1 s. 1 lit. a GDPR. The processing is based on consent. Data subjects may revoke their consent at any time, for example by contacting us using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of the processing carried out until the revocation.
The transfer of personal data to a country outside the EEA is based on an adequacy decision. The security of the data transferred to the third country (i.e. a country outside the EEA) is ensured because the European Commission has decided, within the framework of an adequacy decision pursuant to art. 45 para. 3 GDPR, that the third country provides an adequate level of protection.
We delete the data once the purpose of their collection no longer applies. Further information can be found in the provider’s privacy policy at https://policies.google.com/privacy?hl=en.
2.10.3. Google Search Console
We use Google Search Console for search functions in our application. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, D04e5w5, Ireland. The provider processes usage data (e.g. visited websites, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the USA.
The legal basis for the processing is art. 6 para. 1 s. 1 lit. f GDPR. We have a legitimate interest in making our website easy to find.
The legal basis for the transfer to a country outside the EEA is standard contractual clauses. The security of the data transferred to the third country (i.e. a country outside the EEA) is ensured by standard data protection clauses adopted pursuant to the examination procedure under art. 93 para. 2 GDPR (art. 46 para. 2 lit. c GDPR), which we have agreed with the provider.
The data are deleted once the purpose of their collection no longer applies and no statutory retention obligation prevents their deletion. Further information can be found in the provider’s privacy policy at https://policies.google.com/privacy?hl=en.
2.10.4. Google Merchant Center
We use Google Merchant Center to operate an online shop. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, D04e5w5, Ireland. The provider processes meta/communication data (e.g. device information, IP addresses) in the USA.
The legal basis for the processing is art. 6 para. 1 s. 1 lit. a GDPR. The processing is based on consent. Data subjects may revoke their consent at any time, for example by contacting us using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of the processing carried out until the revocation.
The legal basis for the transfer to a country outside the EEA is standard contractual clauses. The security of the data transferred to the third country (i.e. a country outside the EEA) is ensured by standard data protection clauses adopted pursuant to the examination procedure under art. 93 para. 2 GDPR (art. 46 para. 2 lit. c GDPR), which we have agreed with the provider.
The data are deleted once the purpose of their collection no longer applies and no statutory retention obligation prevents their deletion. Further information can be found in the provider’s privacy policy at https://policies.google.com/privacy?hl=en.
2.10.5. xt:Commerce
We use xt:Commerce for customer reviews. The provider is xt:Commerce GmbH, Maximilianstrasse 9, 6020 Innsbruck, Austria. The provider processes usage data (e.g. visited websites, interest in content, access times) in the United Kingdom.
The legal basis for the processing is art. 6 para. 1 s. 1 lit. a GDPR. The processing is based on consent. Data subjects may revoke their consent at any time, for example by contacting us using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of the processing carried out until the revocation.
The data are deleted once the purpose of their collection no longer applies and no statutory retention obligation prevents their deletion. Further information can be found in the provider’s privacy policy at https://www.xt-commerce.com/privatsphaere-datenschutz/.
2.10.6. Google Analytics
We use Google Analytics for analytics purposes. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Dublin, Ireland. The provider processes usage data (e.g. visited websites, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the USA.
The legal basis for the processing is art. 6 para. 1 s. 1 lit. a GDPR. The processing is based on consent. Data subjects may revoke their consent at any time, for example by contacting us using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of the processing carried out until the revocation.
The transfer of personal data to a country outside the EEA is based on an adequacy decision. The security of the data transferred to the third country (i.e. a country outside the EEA) is ensured because the European Commission has decided, within the framework of an adequacy decision pursuant to art. 45 para. 3 GDPR, that the third country provides an adequate level of protection.
The data are deleted once the purpose of their collection no longer applies and no statutory retention obligation prevents their deletion. Further information can be found in the provider’s privacy policy at https://policies.google.com/privacy?hl=en.
2.10.7. WhatsApp Business
We use WhatsApp Business to communicate with customers. The provider is WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The provider processes usage data (e.g. visited websites, interest in content, access times), content data (e.g. entries in online forms), contact data (e.g. e-mail addresses, telephone numbers), meta/communication data (e.g. device information, IP addresses) and master data (e.g. names, addresses) in the EU.
The legal basis for the processing is art. 6 para. 1 s. 1 lit. b GDPR.
The data are deleted once the purpose of their collection no longer applies and no statutory retention obligation prevents their deletion. Further information can be found in the provider’s privacy policy at https://www.whatsapp.com/legal/updates/privacy-policy-eea.
2.11. Data Processing for the Screening of Sanctions Lists
As part of order processing, we process our customers’ first and last names by carrying out an automated sanctions list screening. We do this with the support of our processor IT-CSW. The provider is IT-CSW, Andreas Wagner, Säumerweg 10, 94556 Neuschönau, Germany. Further information can be found in the provider’s privacy policy at https://www.it-csw.com/privatsphaere-und-datenschutz/.
The legal basis for the processing is art. 6 para. 1 lit. f GDPR. We have a legitimate interest in comparing our customer database with sanctions lists in order to enforce them. The data are deleted once the purposes of the processing no longer apply and no further retention obligation exists.
3. Data Processing on Social Media Platforms
We maintain a presence on social media networks in order to present our company and our services there. The operators of these networks regularly process their users’ data for advertising purposes. Among other things, they create user profiles based on users’ online behavior, which are used, for example, to display advertising on the pages of the networks and elsewhere on the internet that corresponds to users’ interests. For this purpose, the network operators store information about user behavior in cookies on users’ computers. It cannot be ruled out that the operators combine this information with other data. Users can find further information as well as instructions on how to object to processing by the network operators in the privacy policies of the respective operators listed below. It is also possible that the operators or their servers are located in non-EU countries and therefore process data there. This may result in risks for users, for example because the enforcement of their rights may be more difficult or government authorities may gain access to the data.
If users of the networks contact us via our profiles, we process the data provided to us in order to respond to the inquiries. This constitutes our legitimate interest, so the legal basis is art. 6 para. 1 s. 1 lit. f GDPR.
Please note that we have not objected to Meta’s possible use of publicly visible content (e.g. comments and posts) for AI training purposes.
3.1. Facebook
We maintain two profiles on Facebook. The operator is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The privacy policy is available here: https://www.facebook.com/policy.php. Users can object to data processing via the advertisement settings: https://www.facebook.com/settings?tab=ads.
On the basis of an agreement pursuant to art. 26 GDPR, we are jointly responsible with Facebook for the processing of the data of visitors to our profile. Facebook explains which data are processed in detail at https://www.facebook.com/legal/terms/information_about_page_insights_data. Data subjects may exercise their rights both against us and against Facebook. However, under our agreement with Facebook, we are obliged to forward requests to Facebook. Data subjects will therefore receive a faster response if they contact Facebook directly.
3.2. Instagram
We maintain two profiles on Instagram. The operator is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The privacy policy is available here: https://help.instagram.com/519522125107875.
3.3. YouTube
We maintain a profile on YouTube. The operator is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, D04e5w5, Ireland. The privacy policy is available here: https://policies.google.com/privacy?hl=en.
3.4. Pinterest
We maintain a profile on Pinterest. The operator is Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA. The privacy policy is available here: https://policy.pinterest.com/de/privacy-policy. Users can object to data processing via the advertisement settings: https://policy.pinterest.com/de/privacy-policy.
4. Changes to this Privacy Policy
We reserve the right to amend this privacy policy with effect for the future. A current version is available here at any time.
5. Questions and Comments
If you have any questions or comments regarding this privacy policy, please feel free to contact us using the contact details provided above.
6. Final Provisions
Should any provision of this privacy policy be invalid, the remaining provisions shall remain unaffected. In place of the invalid provision, the applicable statutory provisions shall apply.
This privacy policy has been translated from our German privacy policy (https://duplo-frank.de/de/datenschutz). If any part of the translation is incorrect, the relevant provision of the German privacy policy applies.