Privacy policy


1) Information on the Collection of Personal Data and Contact Details of the Controller

1.1
We are pleased that you are visiting our website and thank you for your interest. Below, we provide information about how we handle your personal data when you use our website. Personal data refers to all data that can be used to personally identify you.

1.2
The controller responsible for data processing on this website, as defined by the General Data Protection Regulation (GDPR), is Broke Berlin GmbH, Kastanienallee 19-20, 10435 Berlin, Germany, Tel.: +49 30 837 99533, Email: hello@brokeberlin.de.
The controller for processing personal data is the individual or legal entity that determines, alone or jointly with others, the purposes and means of processing personal data.

1.3
This website uses SSL or TLS encryption for security reasons and to protect the transmission of personal data and other confidential content (e.g., orders or inquiries sent to the controller). You can recognize an encrypted connection by the "https://" prefix and the padlock icon in your browser's address bar.

2) Data Collection When Visiting Our Website

When you use our website purely for informational purposes—meaning you do not register or otherwise transmit information to us—we collect only the data your browser sends to our server (so-called "server log files"). When you access our website, we collect the following data, which is technically necessary for displaying the website:

  • The website visited
  • Date and time of access
  • Amount of data sent in bytes
  • Source/reference from which you arrived at the page
  • Browser used
  • Operating system used
  • IP address used (if applicable: in anonymized form)

This processing is carried out in accordance with Art. 6(1)(f) of the GDPR based on our legitimate interest in improving the stability and functionality of our website.

The data is not shared or used for any other purpose. However, we reserve the right to review server log files subsequently if there are concrete indications of unlawful use.


3) Hosting

Hosting by Shopify
We use the Shopify platform provided by Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland ("Shopify"), for hosting and displaying our online shop, based on a processing arrangement on our behalf. All data collected on our website is processed on Shopify's servers.

As part of Shopify's services, data may also be transmitted for further processing to Shopify Inc., 150 Elgin St, Ottawa, ON K2P 1L4, Canada, Shopify Data Processing (USA) Inc., Shopify Payments (USA) Inc., or Shopify (USA) Inc.

In the case of data transfers to Shopify Inc. in Canada, an adequate level of data protection is ensured by an adequacy decision by the European Commission. Shopify Data Processing (USA) Inc., Shopify Payments (USA) Inc., and Shopify (USA) Inc. in the United States are certified under the EU-US Privacy Shield framework, which guarantees compliance with EU data protection standards.

For more information about Shopify’s privacy practices, please visit the following webpage:
https://www.shopify.de/legal/datenschutz

Further data processing on servers other than those operated by Shopify occurs only within the scope specified below.


4) Cookies

To make your visit to our website more attractive and enable the use of certain features, we use cookies on various pages. Cookies are small text files stored on your device. Some of the cookies we use are deleted after you close your browser (so-called session cookies). Other cookies remain on your device and enable us to recognize your browser upon your next visit (so-called persistent cookies).

When cookies are set, they collect and process certain user information, such as browser and location data or IP address values, to varying extents. Persistent cookies are automatically deleted after a predetermined period, which may vary depending on the cookie. The specific duration of cookie storage can be found in the cookie settings of your web browser.

In some cases, cookies are used to simplify order processes by saving settings (e.g., remembering the contents of a virtual shopping cart for a later visit).

If any personal data is processed using cookies, the processing is carried out in accordance with:

  • Art. 6(1)(b) GDPR, for the execution of a contract,
  • Art. 6(1)(a) GDPR, if consent has been provided, or
  • Art. 6(1)(f) GDPR, to safeguard our legitimate interest in providing optimal website functionality and a user-friendly, effective site experience.

Cookie Management in Your Browser

Please note that you can configure your browser to notify you about the setting of cookies, allowing you to decide whether to accept cookies on a case-by-case basis or to exclude the acceptance of cookies in certain cases or entirely. Each browser handles cookie settings differently, and these settings are described in the help menu of your browser. Below are links to guides for managing cookie settings in major browsers:

Please note that if you choose not to accept cookies, the functionality of our website may be limited.

5) Contacting Us

When you contact us (e.g., via contact form or email), personal data is collected. The specific data collected through a contact form can be seen from the respective form. This data is stored and used exclusively for the purpose of responding to your inquiry or for contacting you and handling the associated technical administration.

The legal basis for processing this data is our legitimate interest in responding to your request, pursuant to Art. 6(1)(f) GDPR. If your inquiry aims to conclude a contract, the additional legal basis for processing is Art. 6(1)(b) GDPR.

Your data will be deleted once your inquiry has been fully processed, provided that the circumstances indicate the matter has been conclusively resolved and no legal retention obligations exist.

6) Data Processing for Account Creation and Contract Execution

In accordance with Art. 6(1)(b) GDPR, personal data is collected and processed when you provide it to us for the purpose of executing a contract or opening a customer account. The specific data collected is evident from the input forms used.

You can delete your customer account at any time by sending a message to the contact address provided above.

We store and use the data you provide for contract execution. Once the contract is fully executed or your customer account is deleted, your data will be restricted from further use and deleted after any applicable tax and commercial retention periods, unless you have expressly consented to further use of your data or we are legally permitted to continue using it.

7) Use of Your Data for Direct Advertising

7.1 Subscription to Our Email Newsletter

When you subscribe to our email newsletter, we send you regular information about our offers. The only mandatory information required for sending the newsletter is your email address. Any additional information is optional and is used to personalize the newsletter.

We use a "double opt-in" procedure for sending the newsletter. This means we will only send you a newsletter if you have expressly confirmed that you consent to receiving newsletters. After subscribing, we will send you a confirmation email with a link to verify your consent to receive future newsletters.

By activating the confirmation link, you consent to the use of your personal data according to Art. 6(1)(a) GDPR. When subscribing to the newsletter, we store your IP address provided by your Internet Service Provider (ISP) and the date and time of subscription to track potential misuse of your email address.

The data collected during the newsletter subscription is used solely for promotional communication through the newsletter. You can unsubscribe from the newsletter at any time by clicking the unsubscribe link provided in the newsletter or by contacting the responsible party mentioned above. After unsubscribing, your email address will be promptly removed from the newsletter distribution list unless you have expressly consented to further use of your data or we are legally permitted to use it for another purpose, as explained in this notice.

7.2 Sending Newsletters to Existing Customers

If you have provided your email address during a purchase, we reserve the right to regularly send you offers for similar goods or services. This does not require separate consent according to § 7(3) UWG (German Law Against Unfair Competition). Data processing in this context is based solely on our legitimate interest in personalized direct advertising per Art. 6(1)(f) GDPR.

You may object to the use of your email address for this purpose at any time by notifying us, at no additional cost beyond standard transmission charges. Once your objection is received, we will cease sending promotional emails.

8) Data Processing for Order Fulfillment

8.1 Collaboration with Service Providers

For fulfilling your order, we work with service providers who may receive certain personal data as necessary for processing the contract.

  • Delivery Services: Personal data required for the delivery of goods (e.g., recipient name and address) is shared with the delivery company.
  • Payment Services: Payment data required for processing payments is shared with financial institutions or payment service providers.

The legal basis for this data transfer is Art. 6(1)(b) GDPR.

8.2 Use of Specialized Service Providers

  • SendCloud: Deliveries are processed via "SendCloud" (SendCloud GmbH, Kanalstr. 10, 80538 Munich). Data required for order processing is shared with SendCloud under Art. 6(1)(b) GDPR. Further details about SendCloud’s privacy policy can be found at www.sendcloud.de/datenschutz.

8.3 Sharing Personal Data with Delivery Providers

  • DHL: If delivery is handled by DHL (DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn), your email address may be shared for scheduling or delivery notifications, provided you consent during the order process (Art. 6(1)(a) GDPR). If consent is not provided, only the recipient's name and address are shared, which is necessary for delivery (Art. 6(1)(b) GDPR). Consent can be revoked at any time.

8.4 Payment Service Providers

Apple Pay

When using Apple Pay, payment data is processed via Apple Distribution International and encrypted for secure transactions. Details can be found in Apple’s privacy policy: Apple Pay Privacy.

Google Pay

Google Pay processes payments via your device's Google Pay application. Data is transmitted securely, and Google processes transaction-specific data as outlined in its privacy policy: Google Pay Privacy.

Klarna

Klarna Bank AB processes payments and may conduct identity and credit checks with your consent under Art. 6(1)(a) GDPR. Further information can be found in Klarna’s privacy policies for Germany and Austria.

PayPal

Payments via PayPal may involve sharing necessary payment data. PayPal may also conduct credit checks under Art. 6(1)(f) GDPR. More details are in PayPal’s privacy policy.

Shopify Payments

Shopify Payments, in collaboration with Stripe, processes payments. For more information, see the privacy policies of Shopify Payments and Stripe.

9) Use of Social Media: Videos

9.1 Use of Vimeo Videos

Our website integrates plugins from the video portal Vimeo, provided by Vimeo, LLC, 555 West 18th Street, New York, New York 10011, USA. When you visit a page on our website containing such a plugin, your browser establishes a direct connection to Vimeo’s servers. The plugin content is directly transmitted by Vimeo to your browser and integrated into the website. This integration allows Vimeo to receive information that your browser has accessed the corresponding page of our website, even if you do not have a Vimeo account or are not logged into Vimeo. This information (including your IP address) is transmitted directly from your browser to a Vimeo server in the USA and stored there. If you are logged into Vimeo, Vimeo can directly associate your visit to our website with your Vimeo account. If you interact with the plugins (e.g., by pressing the play button of a video), this information is also directly transmitted to a Vimeo server and stored there.

These data processing activities are carried out in accordance with Article 6(1)(f) GDPR, based on Vimeo’s legitimate interest in market research and optimizing its services to meet user needs.

To prevent Vimeo from associating data collected via our website with your Vimeo account, you must log out of Vimeo before visiting our website.

For more information about data collection, further processing, and usage by Vimeo, as well as your rights and options to protect your privacy, please see Vimeo’s privacy policy at: https://vimeo.com/privacy.

Vimeo, Inc., based in the USA, is certified under the US-EU Privacy Shield Framework, ensuring compliance with EU data protection standards. A current certificate can be viewed here: https://www.privacyshield.gov/list.

For Vimeo videos embedded on our site, the tracking tool Google Analytics, provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, is automatically integrated. This tracking is proprietary to Vimeo and beyond our control. Google Analytics uses cookies to analyze website usage. Information generated by the cookies may be transmitted to Google servers, potentially in the USA.

Google LLC is certified under the US-EU Privacy Shield Framework, ensuring compliance with EU data protection standards. A current certificate can be viewed here: https://www.privacyshield.gov/list.

This processing is carried out under Article 6(1)(f) GDPR, based on Vimeo’s legitimate interest in analyzing user behavior for optimization and marketing purposes. Where legally required, we have obtained your consent under Article 6(1)(a) GDPR. You can revoke your consent at any time with future effect by following the instructions provided above.

9.2 Use of YouTube Videos

This website uses the YouTube embedding function to display and play videos from YouTube, a service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").

The enhanced privacy mode is used, which, according to YouTube, delays storing user information until the video is played. When embedded YouTube videos are played, YouTube sets cookies to collect user behavior information. This includes recording video statistics, improving user-friendliness, and preventing misuse. If you are logged into Google, your data is directly associated with your Google account when you click on a video. To prevent this association, you must log out before activating the play button. Google stores user data (even for non-logged-in users) as user profiles and analyzes them under Article 6(1)(f) GDPR, based on Google's legitimate interest in personalized advertising, market research, and service optimization. You have the right to object to the creation of these user profiles, which you can exercise by contacting YouTube directly.

When using YouTube, personal data may also be transferred to Google servers in the USA. Regardless of whether videos are played, a connection to the Google network is established each time this website is accessed, potentially triggering additional data processing.

Google LLC is certified under the US-EU Privacy Shield Framework, ensuring compliance with EU data protection standards. A current certificate can be viewed here: https://www.privacyshield.gov/list.

For further details on data protection with YouTube, refer to the provider's privacy policy at: https://www.google.de/intl/de/policies/privacy.

Where legally required, we have obtained your consent under Article 6(1)(a) GDPR. You can revoke your consent at any time with future effect by following the instructions provided above.

10) Online Marketing

Facebook Pixel for Creating Custom Audiences

We use the "Facebook Pixel" within our online offerings. This tool is provided by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Facebook"). If a user clicks on an advertisement we have placed on Facebook, a parameter is appended to the URL of our linked website. If our website allows data sharing via Facebook Pixel, this parameter is written to the user’s browser via a cookie set by our site. Facebook Pixel then reads this cookie to enable data transfer to Facebook.

The Facebook Pixel helps identify visitors to our online offerings as target audiences for ads ("Facebook Ads"). This ensures that our ads are shown only to users likely to be interested in them. The Facebook Pixel also helps us analyze ad effectiveness by tracking actions users take after clicking our ads (e.g., "Conversions").

The data collected is anonymized for us and does not provide information about user identities. However, Facebook stores and processes the data, associating it with individual user profiles. Facebook may use the data for its advertising purposes, in line with its data usage policy (https://www.facebook.com/about/privacy/), allowing Facebook and its partners to serve ads on and off Facebook.

The data processing associated with Facebook Pixel is based on our legitimate interest in analyzing and optimizing our online offerings and marketing strategies under Article 6(1)(f) GDPR. Data generated by Facebook Pixel may be transferred to servers in the USA. Facebook Inc. is certified under the US-EU Privacy Shield Framework, ensuring compliance with EU data protection standards.

To opt out of Facebook Pixel tracking, click the following link to set an opt-out cookie: Deactivate Facebook Pixel. This cookie works only in this browser and for this domain. If you delete your cookies, you must reactivate the link.

Where legally required, we have obtained your consent under Article 6(1)(a) GDPR. You can revoke your consent at any time with future effect by following the instructions provided above.

11) Web Analytics Services

Google (Universal) Analytics

This website uses Google (Universal) Analytics, a web analytics service provided by Google Ireland Limited, located at Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). Google Analytics employs "cookies," text files stored on your computer, which enable analysis of website usage.

The information generated by these cookies, including a truncated IP address, is generally transmitted to and stored on a Google server. Such transmissions may include transfers to Google LLC servers in the USA.

This website employs Google Analytics exclusively with the extension _anonymizeIp(), ensuring anonymization of your IP address by truncation and preventing direct personal identification. Google processes the IP address within EU member states or other contracting states of the European Economic Area before transferring it to the USA. In rare cases, the full IP address may be transmitted to a Google LLC server in the USA and truncated there.

Such data processing is based on Article 6(1)(f) GDPR, reflecting our legitimate interest in analyzing user behavior for optimization and marketing purposes. Google, on our behalf, evaluates your use of the website, compiles activity reports, and provides further services related to website and internet usage. The IP address processed by Google Analytics is not merged with other Google data.

You can prevent cookie storage through your browser settings. However, disabling cookies might limit website functionality. Additionally, you can block Google's collection of data (including your IP address) generated by the cookie by downloading and installing a browser plugin available at:
https://tools.google.com/dlpage/gaoptout?hl=de.

For mobile browsers, click the following link to set an opt-out cookie:
Disable Google Analytics.

Further details about Google Analytics are available here:
https://policies.google.com/privacy?hl=de.

For data transfers to the USA, Google LLC complies with the EU-US Privacy Shield framework. Their certificate is viewable here:
https://www.privacyshield.gov/list.

Where legally required, data processing occurs only with your consent under Article 6(1)(a) GDPR. You may withdraw consent at any time with future effect by using the opt-out methods above.

12) Tools and Miscellaneous

12.1 Cookie Consent Tool by Shopware

This website uses Shopware’s Cookie Consent Tool (shopware AG, Ebbinghoff 10, 48624 Schöppingen, Germany) to obtain valid user consent for cookies and cookie-based applications. A banner displays upon visiting the site, allowing users to opt into cookies through checkbox selections. The tool ensures no cookies requiring consent are activated until the user provides explicit permission.

Data collected (e.g., IP address) is sent to Shopware servers for processing and stored to maintain session-specific consent management. Such processing is conducted per Article 6(1)(f) GDPR, ensuring compliance with legal obligations. Further details on data handling by Shopware can be found here:
https://www.shopware.com/de/datenschutz/.

12.2 Applications via Email

Job openings on our site allow applications via email. Submitting applications requires providing essential personal data (e.g., name, address, contact details, and qualifications). These data are processed per Article 6(1)(b) GDPR for evaluating applications and managing potential employment contracts.

Sensitive information (e.g., health data) is handled under Article 9(2)(b) GDPR to fulfill legal obligations related to social protection. If a candidate is not selected, their data will be deleted after six months unless otherwise required by law.

12.3 Online Applications via Form

For online applications, data submitted through our encrypted form is processed as outlined above. Sensitive categories of data are managed under Article 9(1)(h) GDPR for assessing work-related health conditions. Non-selected applications are deleted within six months unless further retention is legally required.

12.4 Google Maps

This website integrates Google Maps (API) for geographic information visualization. Accessing pages with Google Maps transfers user data (e.g., IP address) to Google servers, potentially including servers in the USA. If logged into Google, this data links to your Google account unless logged out beforehand.

This processing is based on Article 6(1)(f) GDPR, reflecting Google’s interest in personalized advertising. Users may disable Google Maps entirely by turning off JavaScript in their browser. More information is available here:

  1. Rights of the Data Subject

13.1 The applicable data protection laws grant you comprehensive rights regarding the processing of your personal data by the data controller, including rights to information and intervention. We provide you with the following details:

  • Right of Access under Article 15 GDPR: You have the right to request information about your personal data processed by us, including the purposes of processing, the categories of personal data, the recipients or categories of recipients to whom your data has been disclosed, the planned retention period or the criteria used to determine the retention period, the existence of a right to rectification, deletion, restriction of processing, objection to processing, or to lodge a complaint with a supervisory authority, the source of your data if it has not been collected directly from you, the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and consequences of such processing, and your right to be informed about any safeguards pursuant to Article 46 GDPR if your data is transferred to third countries.

  • Right to Rectification under Article 16 GDPR: You have the right to obtain the immediate correction of inaccurate data concerning you or the completion of incomplete data stored by us.

  • Right to Deletion under Article 17 GDPR: You have the right to request the deletion of your personal data if the conditions outlined in Article 17(1) GDPR are met. However, this right does not apply when processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims.

  • Right to Restriction of Processing under Article 18 GDPR: You have the right to request the restriction of the processing of your personal data while the accuracy of the data is verified, if you have objected to the deletion of your data due to unlawful processing and instead request a restriction of processing, if you need the data for the establishment, exercise, or defense of legal claims, after we no longer need the data for its original purpose, or if you have objected to processing on the grounds of your particular situation, while it is still unclear whether our legitimate reasons override yours.

  • Right to Notification under Article 19 GDPR: If you have exercised your rights to rectification, deletion, or restriction of processing, the controller must notify all recipients to whom your personal data has been disclosed about these actions, unless this proves impossible or involves disproportionate effort. You have the right to be informed of such recipients.

  • Right to Data Portability under Article 20 GDPR: You have the right to receive your personal data provided to us in a structured, commonly used, and machine-readable format, or to request the transmission of this data to another controller, as long as this is technically feasible.

  • Right to Withdraw Consent under Article 7(3) GDPR: You have the right to withdraw any consent given for data processing at any time with effect for the future. In the event of withdrawal, we will delete the affected data immediately, unless further processing can be based on a lawful basis for processing without consent. The withdrawal of consent does not affect the legality of the processing carried out prior to the withdrawal.

  • Right to Lodge a Complaint under Article 77 GDPR: If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, particularly in the member state of your residence, place of work, or where the alleged infringement occurred, without prejudice to any other administrative or judicial remedy.

13.2 Right to Object

If we process your personal data based on our legitimate interest, you have the right to object at any time, for reasons related to your particular situation, to this processing with effect for the future. If you exercise your right to object, we will cease processing your data. However, further processing may be retained if we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing is necessary for the establishment, exercise, or defense of legal claims.

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your data for such marketing purposes. You can exercise this right as described above. If you object, we will stop processing your data for direct marketing purposes.


  1. Duration of Storage of Personal Data

The duration of the storage of personal data is determined based on the respective legal basis, the purpose of processing, and, if applicable, any legal retention periods (e.g., commercial and tax retention periods).

  • When processing personal data based on explicit consent under Article 6(1)(a) GDPR, the data will be stored until the data subject withdraws their consent.

  • If there are legal retention periods for data processed under Article 6(1)(b) GDPR (e.g., for contractual or quasi-contractual obligations), such data will be routinely deleted after the expiration of these retention periods, unless it is still necessary for contract fulfillment or contract initiation, or if we have a legitimate interest in retaining the data.

  • When processing personal data under Article 6(1)(f) GDPR, the data will be stored until the data subject exercises their right to object under Article 21(1) GDPR, unless we can demonstrate compelling legitimate reasons for the processing that override the interests, rights, and freedoms of the data subject, or the processing is necessary for the establishment, exercise, or defense of legal claims.

  • For processing personal data for direct marketing purposes under Article 6(1)(f) GDPR, the data will be stored until the data subject exercises their right to object under Article 21(2) GDPR.

Unless otherwise specified in this declaration regarding specific processing situations, personal data will be deleted when it is no longer necessary for the purposes for which it was collected or otherwise processed.