Privacy policy

Thank you for your interest in our online portal. It is extremely important to us to make sure that your privacy is protected. Detailed information about how personal data is processed in accordance with Article 13 of the General Data Protection Regulation (GDPR) can be found below. If you have any questions or comments about this data protection information, please contact our data protection officer at or the party responsible for our data processing,

C.Hafner GmbH + Co. KG
Maybachstraße 4
71299 Wimsheim

Tel.: 07044 90333-0
Fax: 07044 90334-0

Personal data is processed in two categories:

1. For contract implementation and advertising purposes, e.g. for sending out newsletters and advertising mail, we process all necessary data. Data is supplied to external service providers who play a part in implementing a contract (e.g. delivery firms, payment processors) to the extent necessary in each individual case.

2. When you visit our website, a range of information is automatically exchanged between your device and our server. This may include personal data. We use the information gathered in this way to optimise our website or to show advertising in your device's browser.

In this section, you can learn more about the purposes for which personal data is processed, the legal basis for this processing, the legitimate interests that we and some third parties have in processing it and the different categories of recipient to whom it may be supplied.

Data collection and use for the purpose of implementing a contract and opening a customer account

We process personal data for the purpose of implementing a contract and opening a customer account if it is supplied voluntarily when placing an order, when contacting us (e.g. by e-mail or using our contact form) or when opening a customer account. The data being collected can be seen from the different input forms used.

The data concerned is principally the following:

  • first name, last name
  • invoice address, delivery address
  • e-mail address
  • invoicing and payment data
  • date of birth, if necessary
  • telephone number, if necessary.

The legal basis for the processing of personal data for the purpose of contract implementation is Article 6 (1) (b) GDPR. Upon subscription to our newsletter using an e-mail address, a confirmation e-mail will be sent in accordance with Article 6 (1) (c) GDPR. Once a purchase has been made, we reserve the right, in accordance with Article 6 (1) (f), to send a newsletter containing offers for similar goods, unless explicitly informed otherwise. If contact details are not used for advertising purposes, we are permitted to store the data collected for contract implementation purposes until the end of the statutory or any contractual warranty/guarantee period. On the expiry of this period, we will continue to store contract information that is required by commercial and tax law for the relevant statutory periods. During this period (generally 10 years from conclusion of the contract), data will only be processed again if the tax authorities conduct an audit.

Opening of a customer account is voluntary. The legal basis for opening such an account is consent within the meaning of Article 6 (1) (a) GDPR. We are happy to inform customers, which data is stored in their account upon request.

In order to fulfil the contract concluded upon making a purchase, the following data processing is also necessary:

Disclosure of data for contract fulfilment and identity and credit checks

We supply e-mail addresses and possibly telephone numbers to the delivery firm we employ if this is necessary for delivery of the goods ordered, and as long as consent has been given either during or after placing an order, so that the firm can contact the customer itself in order to arrange delivery or inform the customer of arrival times.

Consent can be withdrawn at any time by contacting us or the delivery firm. To do this through us, please write to the e-mail or postal address included in our Company Details. If direct contact to our delivery firm is preferred, please write to so that we can provide contact details.

For payment processing purposes, we supply the necessary data to the relevant bank and the payment service provider we employ or the payment service provider selected by the customer upon ordering.

We use a payment service provider based outside of the European Union. Personal data is only supplied to this company to the extent necessary for the fulfilment of a contract.

If necessary, we will conduct identity checks, on the legal basis of Article 6 (1) (b) and (f) GDPR, by obtaining information from service providers. This is to protect a customers identity and prevent attempts to commit fraud at our expense. Our enquiry and the results will be stored together with the corresponding customer account/guest account for the duration of our contractual relationship.

Credit checks and scores
If we supply goods before receiving payment, e.g. purchasing on invoice, we reserve the right to protect our legitimate interests by obtaining identity and credit rating information from providers specialising in this area (commercial credit agencies). For this purpose we supply personal data as required for a credit check to the following company/companies:

Creditreform Pforzheim Müller & Schott KG
Maximilianstraße 46
75172 Pforzheim, Germany.

The credit report obtained may include probability figures (credit scores) calculated using scientifically recognised mathematical/statistical methods and based, for example, on address data. We use the information obtained about the statistical likelihood of a payment default in order to make a balanced decision about whether or not to accept an order. The legitimate interests of customers will be protected as required by law.

The legal basis for these information transfers is Art. 6 (1) (b) and Art. 6 (1) (f) GDPR. Data may only be transferred in accordance with these regulations if this is necessary in order to protect legitimate interests of our company or a third party and provided these interests are not overridden by the basic rights and freedoms of those affected to have their personal data protected.

Cases can be stated to the aforementioned credit agency and decisions can be contested.

Data processing for advertising

In accordance with Art. 6 (1) (f) GDPR, the party responsible for processing data for advertising purposes has a legitimate interest in doing so. On this legal basis, we reserve the right to make use of first name, last name, date of birth, street name, postcode and town for the purpose of personalised customer contact. The length of time for which personal data is stored for advertising purposes is determined by whether the storage is necessary for the purpose of targeted advertising. Our general policy is to delete data when no use has been made of it for advertising purposes for two years at the latest.

Own and third-party advertising

If a contract has been concluded or advertising materials requested, the recipients will be filed details as an existing or potential customer. In such cases names and addresses will be processed in order to send information about new products and services. In pursuit of our legitimate interests, we reserve the right to forward postal addresses to other companies belonging to our group and possibly to selected contract partners so that customer can also be informed about associated products.

Making advertising relevant

To ensure that we only send targeting advertising, we categorise and add additional information to customer profiles. This includes both statistical information and information about an individual (e.g. basic data from the customer profile). As stated, our aim is to only send advertising which is relevant to customer needs.


Processing to send out advertising

We have a service provider who sends out advertising for us, and we supply this provider with data for that purpose.

Right to object

Customers are entitled to object to future data processing for the above-mentioned purposes free of charge at any time, separately for each communication channel. To do this, it is sufficient to e-mail or write to the contact address supplied above.

Upon objection, relevant contact addresses will be blocked for any further data processing for advertising purposes. In exceptional cases, advertising may continue to be sent for a short period after the objection has been received as some advertising would already have been in the system and this should not be seen as an indication that the objection has not been acted upon.

Data use when you subscribe to the e-mail newsletter

When subscribing to our newsletter using the double opt-in procedure, we will use the data necessary or supplied separately in order to send the newsletter regularly. In this double opt-in procedure, enter your e-mail address on the form and we then send a confirmation link. After clicking on the confirmation link, the e-mail address is entered into our e-mail distribution list. E-mail address data will then be processed on the basis of consent as per Art. 6 (1) (a) GDPR. Consent can be withdrawn to any further such processing at any time. Newsletter registration can also be cancelled at any time by contacting us using the contact information supplied in our Company Details or by clicking on the link provided for this purpose at the end of each newsletter.


Data use for e-mail advertising without any newsletter subscription and right to object

If an e-mail adress is provided when purchasing goods or services, and if permission has not been refused, we reserve the right to pursue our legitimate interests by sending regular offers by e-mail which relate to products from our range similar to those already purchased. The e-mail address will then be processed in accordance with Art. 6 (1) (f) GDPR. Customers can object to the use of their e-mail address at any time by sending us a message using the contact information supplied in our Company Details or by clicking on the link provided for this purpose at the end of each newsletter.

Newsletter processing

We have a service provider who sends our newsletter out for us, and whom we supply with a customer's e-mail address for that purpose.

Tracking in newsletters

In our newsletters, anonymised tracking is carried out by a special tool, purely to determine whether the newsletter has been opened and, if so, how often a link in the newsletter has been clicked on. No other data, especially personal data, is collected.


Internet technologies

Use of cookies

In order to ensure a good experience when visiting our website and to enable the use of certain functions, we use so-called "cookies" on some pages. The legal basis for any processing of personal data with these cookies is Art. 6 (1) (f) GDPR. Our interest in optimising our website by this means is legitimate within the meaning of that statutory provision. Cookies are small text files which are installed on a device. Some of the cookies we use are deleted at the end of the browser session, i.e. when a customer browser has been closed (so-called session cookies). Others remain on the device and enable us to recognise the browser when visits our website again (persistent cookies). Browser settings can be set to inform the user when cookies are going to be stored on the device, leaving teh user free to decide whether to accept them on a case-by-case basis, or to exclude cookie installation in specific cases or in general. If cookies are not accepted, some website functions may be restricted.

Google Analytics

In accordance with Art. 6 (1) (f) GDPR, we use Google Analytics – a web analysis service provided by Google Inc. ("Google") – to help us design and constantly optimise our web pages so as to best meet your needs. For this purpose, pseudonymised usage profiles are created and cookies are used. The information produced by the cookie about the customers use of this website, e.g.

  • browser type/version,
  • operating system in use,
  • referrer URL (last page/site visited),
  • IP address of computer used for access,
  • time of server request,

is sent to a Google server in the USA and stored there. The information is used to analyse the use of the website, to produce reports on website activity and to provide other services relating to website and Internet use in order to carry out market research and make sure that our web pages meet our customers' needs. The data may also be supplied to third parties if this is required by law or if the third parties concerned process the data on our behalf. IP addresses will under no circumstances be linked to other Google data. The IP addresses collected are anonymised so that it is impossible to link them to individual users (IP masking).

The installation of cookies can be prevented at any time by changing the settings on the browser software. However, in that case it may not be possible to fully utilise all of this website's functions. In addition, by downloading and installing this browser add-on, the data collection produced by the cookie regarding website use (including your IP address) and processing by Google can be blocked. As an alternative to the browser add-on, in particular for browsers on mobile devices, data collection by Google Analytics can also be prevented by clicking on this link. This will install an opt-out cookie which will prevent any future collection of data when visiting this website. The opt-out cookie, which is installed on the device, will only work on this browser and for our website. If cookies are deleted on this browser, the opt-out cookie will need to be reinstalled. Further information about Google Analytics and data protection can be found on the Google Analytics website.


We use the targeting measures listed below in accordance with Art. 6 (1) (f) GDPR. Our purpose in doing this is to ensure that only relevant advertising appears on devices. The distibution of unnecessary or irrelevant advertising material is not intended to cause aggravation.

On-site targeting
Use of web analysis technologies

For the purpose of website analysis, data from this website is collected and stored automatically and then used to create pseudonymised usage profiles. This is done in pursuit of our, on balance, overriding legitimate interest in optimising the presentation of our offering, and cookies may be installed for the purpose. The pseudonymised usage profiles created will never be linked to personal data about the bearer of the pseudonym without the relevant party's separate, express consent. Future data collection and storage can be objected to at any time by clicking on this link. Following an objection, an opt-out cookie will be stored on the device. If cookies are deleted, the user will need to click on the link again. The cookie will be deleted automatically after 30 days.


We also use Google AdWords re-targeting technologies, and this enables us to tailor our online offering to make it more interesting. For this purpose a cookie will be installed to collect pseudonymised interest data. Using this information, adverts for products/services from our range which are relevant to customers interests will be displayed on our partners' websites. No direct personal data will be stored, and no usage profiles will be linked to personal data. The relevant cookie will be stored for 30 days and then deleted automatically.


In addition to the aforementioned deactivation methods, the use of the described targeting technologies can be blocked by changing your browser's cookie setting. You can also deactivate preference-based advertising using the preference manager, which can be accessed here.

Social media plug-ins

In accordance with Art. 6 (1) (f) GDPR, we use social plug-ins from the social media providers Facebook, Google+, Xing and YouTube in order to raise our company's profile. This is a form of advertising which qualifies as a legitimate interest within the meaning of the GDPR. Each individual provider is responsible for ensuring that operation of the plug-ins complies with data protection regulations. We use the so-called two-click method for these plug-ins to ensure the best-possible protection for visitors to our website.


Our website uses Facebook plug-ins supplied by Facebook Inc. They are marked with a Facebook logo or have "Like" and/or "Share" buttons. A list of Facebook plug-ins, showing what they look like, can be found, by clicking on the following link. When such a plug-in (first click) is activated, the browser will establish a direct connection with Facebook's servers. The content of the plug-in will be sent directly to the browser by Facebook and integrated into the relevant page. By means of this integration, Facebook will learn that the browser has accessed the relevant page on our website, even without a Facebook profile or one that is inactive at the time. This information (including the IP address) will be sent by the browser directly to a Facebook server in the USA and stored there. If  logged into Facebook, Facebook will be able to link the visit to our website directly with the users Facebook profile. If plug-ins have been interacted with, for example by pressing the "Like" button, this information will likewise be sent directly to a Facebook server and stored there. The information will also be published as part of the users Facebook profile and shown to all Facebook friends.

For information about the scope and purpose of this data collection, processing and use by Facebook and related rights and setting options to protect privacy, please see Facebook's data protection information. If the customer does not wish Facebook to link the collected information regarding the customer's website visit directly to their Facebook profile, Facebook must be logged out of prior to accessing website.


The Google Plus plug-ins used on our website are supplied by Google Inc. These plug-ins can be identified by buttons marked "+1" on a white or coloured background, for example. A list of Google plug-ins, showing what they look like, can be found here.

If such a plug-in (first click) is activated, the browser will establish a direct connection with Google's servers. The content of the plug-in will be sent directly to the browser by Google and integrated into the relevant page. By means of this integration, Google will learn that the browser has accessed the relevant page on our website, even without Google Plus profile or are not logged into Google Plus at that time. This information (including the IP address) will be sent by the browser directly to a Google server in the USA and stored there. If logged into Google Plus, Google can link the visit to our website directly with the user's Google Plus profile. If plug-ins have been interacted, for example by pressing the "+1" button, this information will likewise be sent directly to a Google server and stored there. The information will also be published on Google Plus and shown to all contacts.

For information about the scope and purpose of this data collection, processing and use by Google and your related rights and setting options to protect your privacy, please see the Google data protection information, which can be accessed. If you do not want Google to link the information collected about your visit to our website directly to your Google Plus profile, you need to log out of Google Plus before accessing our website. Google plug-ins can also be prevented from loading altogether by using add-ons for the browser, e.g. the script-blocker "NoScript".

YouTube video plug-ins

Content from third-party providers is integrated into this website. This content is made available by Google Inc. ("providers"). YouTube is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").
When YouTube videos are integrated into our website, the data protection setting is higher. This means that no website visitor data can be collected or stored in YouTube unless visitors play the video.
For information about the scope and purpose of this data collection, processing and use by providers and your related rights and setting options to protect your privacy, please see
Google's data protection information.


Web Fonts

For the consistent display of fonts, this site uses so-called web fonts provided by Google and Monotype Imaging Inc., 600 Unicorn Park Drive, Woburn, Massachusetts 01801 USA. When you visit a page, your browser loads the required web fonts into your browser cache in order to display texts and fonts correctly.

For this purpose, the browser you are using must connect to the Google and Monotype servers. When this happens, the providers are informed that our website was accessed via your IP address. The use of Google and Monotype web fonts is in the interest of presenting our online offerings in a consistent and aesthetically pleasing way. This constitutes a legitimate interest within the meaning of Art. 6 (1) (f) of the GDPR.

If your browser does not support web fonts, your computer will use a standard font. You can find further information on and in Google's privacy policy:


Recipients outside of the EU

With the exception of the processing described under the headings of Internet technologies and Social media plug-ins, we do not supply your data to recipients registered outside of the European Union or the European Economic Area. The aforementioned processing entails the transmission of data to servers operated by the tracking/targeting technology providers used by us. These servers are located in the USA. Transmission takes place in accordance with the principles of the "privacy shield" and standard contract clauses formulated by the EU Commission.

Your rights

In addition to the right to revoke consents given the following additional rights can be exercised if the relevant statutory conditions are fulfilled:

  • right to receive information about personal data stored by us in accordance with Art. 15 GDPR; in particular, information about the purposes of the data processing, the category of personal data, the categories of recipients to whom data has been or will be disclosed, the planned storage period and the source of data if it was not collected directly can be obtained by the customer,
  • right to amend incorrect data or to complete accurate, but incomplete data in accordance with Art. 16 GDPR,
  • right to have the data we hold about you deleted in accordance with Art. 17 GDPR, as long as this is not contrary to any statutory or contractual retention periods or other legal obligations/rights requiring continued storage,
  • right to restric the processing of data in accordance with Art. 18 GDPR, if the accuracy of the data is disputed, if the processing is illegitimate but the customer do not want the data to be deleted, if the party responsible no longer needs the data but the customer requires it in order to enforce, exercise or defend legal rights/claims, or if the customer have objected to the processing in accordance with Art. 21 GDPR,
  • right to data portability in accordance with Art. 20 GDPR, i.e. the right to have selected stored data sent in a commonly used, machine-readable format, or to demand its transmission to another responsible party,
  • right to complain to a regulatory authority; the regulatory authorities responsible for customary place of residence or place of work, or our registered place of business can, in general, be approached.

Right to object

Subject to the conditions of Art. 21 (1) GDPR, the processing of data may be objected to on grounds arising out of the particular circumstances of the person affected.

The aforementioned general right to object applies to all of the purposes of processing in accordance with Art. 6 (1) (f) GDPR described in this data protection information. In contrast to the special right to object which applies in the case of data processing for advertising purposes, we are only obliged to implement such a general objection if overriding reasons has been supplied (e.g. possible danger to life or health). Another option is to contact the regulatory authority responsible for us or our data protection officer.

Data security

All data personally supplied, including payment details, are transmitted by means of the generally used, safe SSL (Secure Socket Layer) standard. SSL is a secure, tried-and-tested standard which is also used, for example, in online banking. One method by which  the safe SSL connection can be checked is to look for the "s" added to the "http" (thus "https://...") or a padlock symbol in the browser's address bar.

We also implement appropriate technical and organisational security measures to protect your personal data stored by us against manipulation, partial or complete loss and unauthorised third-party access. These security measures are constantly improved in line with technological developments.