Privacy policy

Thank you for your interest in our online portal. It is extremely important to us to make sure that your privacy is protected. Detailed information about how personal data is processed in accordance with Article 13 of the General Data Protection Regulation (GDPR) can be found below. If you have any questions or comments about this data protection information, please contact our data protection officer at or the party responsible for our data processing,

C.Hafner GmbH + Co. KG
Maybachstraße 4
71299 Wimsheim

Tel.: 07044 90333-0
Fax: 07044 90334-0

Personal data is processed in two categories:

1. For contract implementation and advertising purposes, e.g. for sending out newsletters and advertising mail, we process all necessary data. Data is supplied to external service providers who play a part in implementing a contract (e.g. delivery firms, payment processors) to the extent necessary in each individual case.

2. When you visit our website, a range of information is automatically exchanged between your device and our server. This may include personal data. We use the information gathered in this way to optimise our website or to show advertising in your device's browser.

In this section, you can learn more about the purposes for which personal data is processed, the legal basis for this processing, the legitimate interests that we and some third parties have in processing it and the different categories of recipient to whom it may be supplied.

Data collection and use for the purpose of implementing a contract and opening a customer account

We process personal data for the purpose of implementing a contract and opening a customer account if it is supplied voluntarily when placing an order, when contacting us (e.g. by e-mail or using our contact form) or when opening a customer account. The data being collected can be seen from the different input forms used.

The data concerned is principally the following:

  • first name, last name
  • invoice address, delivery address
  • e-mail address
  • invoicing and payment data
  • date of birth, if necessary
  • telephone number, if necessary.

The legal basis for the processing of personal data for the purpose of contract implementation is Article 6 (1) (b) GDPR. Upon subscription to our newsletter using an e-mail address, a confirmation e-mail will be sent in accordance with Article 6 (1) (c) GDPR. Once a purchase has been made, we reserve the right, in accordance with Article 6 (1) (f), to send a newsletter containing offers for similar goods, unless explicitly informed otherwise. If contact details are not used for advertising purposes, we are permitted to store the data collected for contract implementation purposes until the end of the statutory or any contractual warranty/guarantee period. On the expiry of this period, we will continue to store contract information that is required by commercial and tax law for the relevant statutory periods. During this period (generally 10 years from conclusion of the contract), data will only be processed again if the tax authorities conduct an audit.

Opening of a customer account is voluntary. The legal basis for opening such an account is consent within the meaning of Article 6 (1) (a) GDPR. We are happy to inform customers, which data is stored in their account upon request.

In order to fulfil the contract concluded upon making a purchase, the following data processing is also necessary:

Disclosure of data for contract fulfilment and identity and credit checks

We supply e-mail addresses and possibly telephone numbers to the delivery firm we employ if this is necessary for delivery of the goods ordered, and as long as consent has been given either during or after placing an order, so that the firm can contact the customer itself in order to arrange delivery or inform the customer of arrival times.

Consent can be withdrawn at any time by contacting us or the delivery firm. To do this through us, please write to the e-mail or postal address included in our Company Details. If direct contact to our delivery firm is preferred, please write to so that we can provide contact details.

For payment processing purposes, we supply the necessary data to the relevant bank and the payment service provider we employ or the payment service provider selected by the customer upon ordering.

We use a payment service provider based outside of the European Union. Personal data is only supplied to this company to the extent necessary for the fulfilment of a contract.

If necessary, we will conduct identity checks, on the legal basis of Article 6 (1) (b) and (f) GDPR, by obtaining information from service providers. This is to protect a customers identity and prevent attempts to commit fraud at our expense. Our enquiry and the results will be stored together with the corresponding customer account/guest account for the duration of our contractual relationship.

Credit checks and scores
If we supply goods before receiving payment, e.g. purchasing on invoice, we reserve the right to protect our legitimate interests by obtaining identity and credit rating information from providers specialising in this area (commercial credit agencies). For this purpose we supply personal data as required for a credit check to the following company/companies:

Creditreform Pforzheim Müller & Schott KG
Maximilianstraße 46
75172 Pforzheim, Germany.

The credit report obtained may include probability figures (credit scores) calculated using scientifically recognised mathematical/statistical methods and based, for example, on address data. We use the information obtained about the statistical likelihood of a payment default in order to make a balanced decision about whether or not to accept an order. The legitimate interests of customers will be protected as required by law.

The legal basis for these information transfers is Art. 6 (1) (b) and Art. 6 (1) (f) GDPR. Data may only be transferred in accordance with these regulations if this is necessary in order to protect legitimate interests of our company or a third party and provided these interests are not overridden by the basic rights and freedoms of those affected to have their personal data protected.

Cases can be stated to the aforementioned credit agency and decisions can be contested.

Data processing for advertising

In accordance with Art. 6 (1) (f) GDPR, the party responsible for processing data for advertising purposes has a legitimate interest in doing so. On this legal basis, we reserve the right to make use of first name, last name, date of birth, street name, postcode and town for the purpose of personalised customer contact. The length of time for which personal data is stored for advertising purposes is determined by whether the storage is necessary for the purpose of targeted advertising. Our general policy is to delete data when no use has been made of it for advertising purposes for two years at the latest.

Own and third-party advertising

If a contract has been concluded or advertising materials requested, the recipients will be filed details as an existing or potential customer. In such cases names and addresses will be processed in order to send information about new products and services. In pursuit of our legitimate interests, we reserve the right to forward postal addresses to other companies belonging to our group and possibly to selected contract partners so that customer can also be informed about associated products.

Making advertising relevant

To ensure that we only send targeting advertising, we categorise and add additional information to customer profiles. This includes both statistical information and information about an individual (e.g. basic data from the customer profile). As stated, our aim is to only send advertising which is relevant to customer needs.


Processing to send out advertising

We have a service provider who sends out advertising for us, and we supply this provider with data for that purpose.

Right to object

Customers are entitled to object to future data processing for the above-mentioned purposes free of charge at any time, separately for each communication channel. To do this, it is sufficient to e-mail or write to the contact address supplied above.

Upon objection, relevant contact addresses will be blocked for any further data processing for advertising purposes. In exceptional cases, advertising may continue to be sent for a short period after the objection has been received as some advertising would already have been in the system and this should not be seen as an indication that the objection has not been acted upon.

Data use when you subscribe to the e-mail newsletter

When subscribing to our newsletter using the double opt-in procedure, we will use the data necessary or supplied separately in order to send the newsletter regularly. In this double opt-in procedure, enter your e-mail address on the form and we then send a confirmation link. After clicking on the confirmation link, the e-mail address is entered into our e-mail distribution list. E-mail address data will then be processed on the basis of consent as per Art. 6 (1) (a) GDPR. Consent can be withdrawn to any further such processing at any time. Newsletter registration can also be cancelled at any time by contacting us using the contact information supplied in our Company Details or by clicking on the link provided for this purpose at the end of each newsletter.


Data use for e-mail advertising without any newsletter subscription and right to object

If an e-mail adress is provided when purchasing goods or services, and if permission has not been refused, we reserve the right to pursue our legitimate interests by sending regular offers by e-mail which relate to products from our range similar to those already purchased. The e-mail address will then be processed in accordance with Art. 6 (1) (f) GDPR. Customers can object to the use of their e-mail address at any time by sending us a message using the contact information supplied in our Company Details or by clicking on the link provided for this purpose at the end of each newsletter.

Newsletter processing

We have a service provider who sends our newsletter out for us, and whom we supply with a customer's e-mail address for that purpose.

Tracking in newsletters

In our newsletters, anonymised tracking is carried out by a special tool, purely to determine whether the newsletter has been opened and, if so, how often a link in the newsletter has been clicked on. No other data, especially personal data, is collected.


Internet technologies

Use of cookies

In order to ensure a good experience when visiting our website and to enable the use of certain functions, we use so-called "cookies" on some pages. The legal basis for any processing of personal data with these cookies is Art. 6 (1) (f) GDPR. Our interest in optimising our website by this means is legitimate within the meaning of that statutory provision. Cookies are small text files which are installed on a device. Some of the cookies we use are deleted at the end of the browser session, i.e. when a customer browser has been closed (so-called session cookies). Others remain on the device and enable us to recognise the browser when visits our website again (persistent cookies). Browser settings can be set to inform the user when cookies are going to be stored on the device, leaving teh user free to decide whether to accept them on a case-by-case basis, or to exclude cookie installation in specific cases or in general. If cookies are not accepted, some website functions may be restricted.

Analysis tools and advertising

Google Tag Manager

We use the Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

The Google Tag Manager is a tool that allows us to integrate tracking or statistical tools and other technologies on our website. The Google Tag Manager itself does not create any user profiles, does not store cookies, and does not carry out any independent analyses. It only manages and runs the tools integrated via it. However, the Google Tag Manager does collect your IP address, which may also be transferred to Google’s parent company in the United States.

The Google Tag Manager is used on the basis of Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the quick and uncomplicated integration and administration of various tools on his website. If the relevant consent has been requested, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR; the consent can be revoked at any time.


Google Analytics

This website uses functions of the web analysis service Google Analytics. The provider of this service is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics enables the website operator to analyze the behavior patterns of website visitors. To that end, the website operator receives a variety of user data, such as pages accessed, time spent on the page, the utilized operating system and the user’s origin. Google may consolidate these data in a profile that is allocated to the respective user or the user’s device.

Google Analytics uses technologies that make the recognition of the user for the purpose of analyzing the user behavior patterns (e.g., cookies or device fingerprinting). The website use information recorded by Google is, as a rule transferred to a Google server in the United States, where it is stored.

This analysis tool is used on the basis of Art. 6 Sect. 1 lit. f GDPR. The operator of this website has a legitimate interest in the analysis of user patterns to optimize both, the services offered online and the operator’s advertising activities. If a corresponding agreement has been requested (e.g., an agreement to the storage of cookies), the processing takes place exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the agreement can be revoked at any time.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here:


IP anonymization

On this website, we have activated the IP anonymization function. As a result, your IP address will be abbreviated by Google within the member states of the European Union or in other states that have ratified the Convention on the European Economic Area prior to its transmission to the United States. The full IP address will be transmitted to one of Google’s servers in the United States and abbreviated there only in exceptional cases. On behalf of the operator of this website, Google shall use this information to analyze your use of this website to generate reports on website activities and to render other services to the operator of this website that are related to the use of the website and the Internet. The IP address transmitted in conjunction with Google Analytics from your browser shall not be merged with other data in Google’s possession.


Browser plug-in

You can prevent the recording and processing of your data by Google by downloading and installing the browser plugin available under the following link:

For more information about the handling of user data by Google Analytics, please consult Google’s Data Privacy Declaration at:


Contract data processing

We have executed a contract data processing agreement with Google and are implementing the stringent provisions of the German data protection agencies to the fullest when using Google Analytics.


Demographic parameters provided by Google Analytics

This website uses the “demographic characteristics” function of Google Analytics, to be able to display to the website visitor compatible ads within the Google advertising network. This allows reports to be created that contain information about the age, gender, and interests of the website visitors. The sources of this information are interest-related advertising by Google as well as visitor data obtained from third-party providers. This data cannot be allocated to a specific individual. You have the option to deactivate this function at any time by making pertinent settings changes for advertising in your Google account or you can generally prohibit the recording of your data by Google Analytics as explained in section “Objection to the recording of data”.


Google Analytics E-Commerce-Tracking

This website uses the “E-Commerce Tracking” function of Google Analytics. With the assistance of E-Commerce Tracking, the website operator is in a position to analyze the purchasing patterns of website visitors with the aim of improving the operator’s online marketing campaigns. In this context, information, such as the orders placed, the average order values, shipping costs and the time from viewing the product to making the purchasing decision are tracked. These data may be consolidated by Google under a transaction ID, which is allocated to the respective user or the user’s device.


Archiving period

Data on the user or incident level stored by Google linked to cookies, user IDs or advertising IDs (e.g., DoubleClick cookies, Android advertising ID) will be anonymized or deleted after 14 month. For details, please click the following link:


Social media plug-ins

In accordance with Art. 6 (1) (f) GDPR, we use social plug-ins from the social media providers Facebook, Google+, Xing and YouTube in order to raise our company's profile. This is a form of advertising which qualifies as a legitimate interest within the meaning of the GDPR. Each individual provider is responsible for ensuring that operation of the plug-ins complies with data protection regulations. We use the so-called two-click method for these plug-ins to ensure the best-possible protection for visitors to our website.


Our website uses Facebook plug-ins supplied by Facebook Inc. They are marked with a Facebook logo or have "Like" and/or "Share" buttons. A list of Facebook plug-ins, showing what they look like, can be found, by clicking on the following link. When such a plug-in (first click) is activated, the browser will establish a direct connection with Facebook's servers. The content of the plug-in will be sent directly to the browser by Facebook and integrated into the relevant page. By means of this integration, Facebook will learn that the browser has accessed the relevant page on our website, even without a Facebook profile or one that is inactive at the time. This information (including the IP address) will be sent by the browser directly to a Facebook server in the USA and stored there. If  logged into Facebook, Facebook will be able to link the visit to our website directly with the users Facebook profile. If plug-ins have been interacted with, for example by pressing the "Like" button, this information will likewise be sent directly to a Facebook server and stored there. The information will also be published as part of the users Facebook profile and shown to all Facebook friends.

For information about the scope and purpose of this data collection, processing and use by Facebook and related rights and setting options to protect privacy, please see Facebook's data protection information. If the customer does not wish Facebook to link the collected information regarding the customer's website visit directly to their Facebook profile, Facebook must be logged out of prior to accessing website.

YouTube with enhanced data protection

Our website uses plugins from the YouTube website. The website is operated by Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

We use YouTube in advanced privacy mode. According to YouTube, this mode means that YouTube does not store any information about visitors to this website before they view the video. However, YouTube's enhanced privacy mode does not necessarily preclude the sharing of information with YouTube partners. YouTube connects to the Google DoubleClick network whether or not you're watching a video.

When you start a YouTube video on our site, it connects to YouTube's servers. This will tell the YouTube server which of our pages you've visited. If you are logged in to your YouTube account, you can allow YouTube to associate your surfing behaviour directly with your personal profile. You can prevent this by logging out of your YouTube account.

In addition, YouTube may store various cookies on your device after you start a video. YouTube can use these cookies to obtain information about visitors to our website. This information is used, among other things, to collect video statistics, improve usability and prevent fraud. The cookies remain on your device until you delete them.

If necessary, after the start of a YouTube video, further data processing operations may be triggered over which we have no control.

YouTube is used in the interest of an appealing presentation of our online services. This constitutes a legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR.

Further information on data protection at YouTube can be found in its data protection declaration at:


Web Fonts

For the consistent display of fonts, this site uses so-called web fonts provided by Google and Monotype Imaging Inc., 600 Unicorn Park Drive, Woburn, Massachusetts 01801 USA. When you visit a page, your browser loads the required web fonts into your browser cache in order to display texts and fonts correctly.

For this purpose, the browser you are using must connect to the Google and Monotype servers. When this happens, the providers are informed that our website was accessed via your IP address. The use of Google and Monotype web fonts is in the interest of presenting our online offerings in a consistent and aesthetically pleasing way. This constitutes a legitimate interest within the meaning of Art. 6 (1) (f) of the GDPR.

If your browser does not support web fonts, your computer will use a standard font. You can find further information on and in Google's privacy policy:


Recipients outside of the EU

With the exception of the processing described under the headings of Internet technologies and Social media plug-ins, we do not supply your data to recipients registered outside of the European Union or the European Economic Area. The aforementioned processing entails the transmission of data to servers operated by the tracking/targeting technology providers used by us. These servers are located in the USA. Transmission takes place in accordance with the principles of the "privacy shield" and standard contract clauses formulated by the EU Commission.

Your rights

In addition to the right to revoke consents given the following additional rights can be exercised if the relevant statutory conditions are fulfilled:

  • right to receive information about personal data stored by us in accordance with Art. 15 GDPR; in particular, information about the purposes of the data processing, the category of personal data, the categories of recipients to whom data has been or will be disclosed, the planned storage period and the source of data if it was not collected directly can be obtained by the customer,
  • right to amend incorrect data or to complete accurate, but incomplete data in accordance with Art. 16 GDPR,
  • right to have the data we hold about you deleted in accordance with Art. 17 GDPR, as long as this is not contrary to any statutory or contractual retention periods or other legal obligations/rights requiring continued storage,
  • right to restric the processing of data in accordance with Art. 18 GDPR, if the accuracy of the data is disputed, if the processing is illegitimate but the customer do not want the data to be deleted, if the party responsible no longer needs the data but the customer requires it in order to enforce, exercise or defend legal rights/claims, or if the customer have objected to the processing in accordance with Art. 21 GDPR,
  • right to data portability in accordance with Art. 20 GDPR, i.e. the right to have selected stored data sent in a commonly used, machine-readable format, or to demand its transmission to another responsible party,
  • right to complain to a regulatory authority; the regulatory authorities responsible for customary place of residence or place of work, or our registered place of business can, in general, be approached.

Right to object

Subject to the conditions of Art. 21 (1) GDPR, the processing of data may be objected to on grounds arising out of the particular circumstances of the person affected.

The aforementioned general right to object applies to all of the purposes of processing in accordance with Art. 6 (1) (f) GDPR described in this data protection information. In contrast to the special right to object which applies in the case of data processing for advertising purposes, we are only obliged to implement such a general objection if overriding reasons has been supplied (e.g. possible danger to life or health). Another option is to contact the regulatory authority responsible for us or our data protection officer.

Data security

All data personally supplied, including payment details, are transmitted by means of the generally used, safe SSL (Secure Socket Layer) standard. SSL is a secure, tried-and-tested standard which is also used, for example, in online banking. One method by which  the safe SSL connection can be checked is to look for the "s" added to the "http" (thus "https://...") or a padlock symbol in the browser's address bar.

We also implement appropriate technical and organisational security measures to protect your personal data stored by us against manipulation, partial or complete loss and unauthorised third-party access. These security measures are constantly improved in line with technological developments.


Cookie Settings