H&M System Software > Privacy Policy

3.2 Access Data
We collect information about you when you use our website. We automatically collect information about your usage behaviour and interaction with us and record data about your computer or mobile device. We collect, store and use data about every access to our website (so-called server log files). Access data includes:

·	URL of the requested file, including protocol, host and file name
·	Date and time of request
·	Transmitted data volume and response time
·	Request type (HTTP method)
·	Result of the request (HTTP and operating system response codes of the server)
·	Browser identification, including type, version and operating system
·	Referrer URL (i.e. the previously visited page)
·	Websites accessed by the user's system via our website
·	IP address and port number

We use this log data without allocation to your personal identity or other profiling for statistical evaluations for the purpose of operation, security and optimisation of our website, but also for anonymous recording of the number of visitors to our website (traffic) and the extent and type of use of our website and services. Based on this information, we can provide personalised and location-based content, analyse data traffic, troubleshoot and correct errors and improve our services.

This also involves our legitimate interest pursuant to Article 6, paragraph 1, sentence 1 f) of the GDPR.

We reserve the right to check the log data subsequently if there is a justified suspicion of illegal use based on concrete evidence. We store IP addresses as a part of the server logs. We also store IP addresses if we have a concrete suspicion of a criminal offence in connection with the use of our website. In addition, we store the date of your last visit as a part of your account (e.g. at the time of registration, logging in, clicking on links, etc.).

1. General Information
This data protection declaration is applicable for using our entire website that we have provided at www.hm-software.com (hereinafter referred to as "the website")

We ensure adherence to statutory data protection including all legal data protection regulations, especially the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) as well as the Telemedia Act (TMG). We will process personal data pursuant to Article 4, paragraph 1, no. 1 of the GDPR exclusively for our own purposes and only to the extent necessary for the execution of the contract. Profiling does not take place explicitly.

With this data protection declaration, we comply with our duty to inform according to Article 13 of the GDPR and will explain how, which and for what purpose personal data is collected and processed by us and which rights you can assert in this conjunction.

By using our website, you agree to the processing of your personal data in accordance with this data protection declaration.

2. Responsible Entity as per Article 4, Paragraph 1, No. 7 of the GDPR
The responsible entity for the processing of your personal data is

H&M System Software GmbH i.L.
Senefelderstraße 16
63322 Rödermark
Germany

Mailbox@HM-Software.com
+49 (0) 6074 913-0
Fax: +49 (0) 6074 913-101

If you wish to object to the processing of your personal data by us in accordance with this data protection declaration as a whole or for individual measures, you can send your objection to the responsible entity.

You can save and print out this data protection declaration at any time.

3.3 Cookies
We use so-called session cookies to optimise our website. A session cookie is a small text block that is sent by the respective servers when you visit a website and stored temporarily on your end device. This text block as such contains a so-called session ID, with which different requests of your browser can be assigned to the common session. As a result, your browser is recognised as long as you remain on our website. They are used to enable you to use the shopping basket function across several pages. These cookies are deleted from your browser when you close it.

We also use persistent cookies (small text files that are stored on your end device) to a small extent, which enable us to recognise your browser the next time you visit. These cookies remain on your end device and are deleted from your browser after the specified time. Their life span is 1 month to 10 years. This enables us to present our services in a more user-friendly, effective and secured manner and, for example, to display information that is specifically tailored to your interests on the website.

Our legitimate interest in the use of cookies pursuant to Article 6, paragraph 1, sentence 1 f) of the GDPR is to make our website more user-friendly, effective and secure.

The following data and information are stored in the cookies:

·	Customer identification
·	Language settings, presentation selections and similar control features
·	Search terms entered
·	Information on the number of visits to our website and use of individual functions of our website.

When the cookie is activated, a session identification number is assigned to it; your personal data is not assigned to this session identification number. Your name, IP address or similar data that would allow the cookie to be assigned to you will not be stored in the cookie. Based on the cookie technology, we only receive pseudonymous information, e.g. about which pages of our shop have been visited, which products have been viewed, etc.

You can set your browser so that you are informed in advance about the setting of cookies and can decide whether you want to exclude the acceptance of cookies for certain cases or in general, or that cookies are completely prevented. This may restrict the functionality of the website.

3.1 Hosting
The hosting services we use help in providing the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services that we use to operate the website.

We or our hosting providers process inventory data, contact data, content data, contract data, usage data, meta- and communication data of customers, interested parties and visitors of this website on the basis of our legitimate interests in an efficient and secure provision of this website according to Article 6, paragraph 1, sentence 1 f) of the GDPR in conjunction with Article 28 of the GDPR.

4.1 Online Shop
For an order in our online shop, we need your master, communication and payment data so that we can confirm your order receipt, communicate with you and process your order. For this purpose, you can register on our website by entering your personal data. For the new registration, we collect master data (e.g. name, address), communication data (e.g. email address) and payment data (bank details) as well as access data (user name and password).

To ensure your proper registration and to prevent unauthorised registrations by third parties, you will receive an activation link by email after registration to activate your account. We store the data transmitted by you permanently in our system only after successful registration.

Once a customer account has been created, you can ask us to delete it at any time without incurring any costs other than the transmission costs according to the basic tariffs. A message in text form to the contact data (e.g. email, fax, letter) mentioned under point 1 is sufficient for this purpose. We will then delete your stored personal data, provided we do not have to store it for the processing of orders or due to legal storage obligations.

4.2 Newsletter
We use the so-called double opt-in procedure to be able to send our newsletter to you. Only if you have expressly confirmed beforehand that you wish to receive the newsletter, we will send you an activation email and ask you to confirm that you wish to receive our newsletter by clicking on a link contained in this email.

You can always revoke your registration without incurring any costs other than the transmission costs according to the basic tariffs. A message in text form to the contact data (e.g. email, fax, letter) mentioned under point 1 is sufficient for this purpose. You will obviously find a unsubscribe link in every newsletter.

4.3 Legal Bases anf Storage Period
Article 6, paragraph 1, sentences 1 a), b) and f) of the GDPR form the legal basis for data processing in accordance with the above paragraphs. Our interests in data processing are in particular the initiation, conclusion and fulfilment of contracts as well as direct advertising and product information.

Unless specifically stated, we store personal data only until it is necessary to fulfil the desired purposes or if it legally prescribed.

5.1 Right to Confirmation and Information
You have the right to receive confirmation from us at any time as to whether we are processing personal data relating to you. If this is the case, you have the right to request information about your personal data stored together with a copy of this data from us free of charge. Furthermore, you have a right to obtain the following information:

·	The processing purposes;
·	The categories of personal data that is processed;
·	The recipients or categories of recipients to whom the personal data has been or is still being disclosed; especially the recipients in

third countries or international organisations;

·	If possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this

duration;

·	Existence of a right to rectify or delete your personal data or to ask the responsible entity to restrict or object to such processing;
·	Existence of a right to lodge a complaint with a supervisory authority;
·	If the personal data is not collected from you, all available information about the origin of this data;
·	Existence of automated decision making, including profiling in accordance with Article 22, paragraphs 1 and 4 of the GDPR, and - at

least in these cases - meaningful information about the logic used as well as the scope and intended effects of such processing for you.

If personal data is transferred to a third country or an international organisation, you have the right to be informed of the appropriate guarantees in accordance with Article 46 of the GDPR in connection with such data transfer.

5.3 Right for Deletion (Right for Being Forgotten)
In accordance with Article 17, paragraph 1 of the GDPR, you have the right to demand immediate deletion of your personal data; we are obliged to delete personal data without delay if one of the following reasons applies:

·	The personal data is no longer required for the purposes for which it was collected or processed otherwise.
·	You revoke your consent on which the processing was based pursuant to Article 6, paragraph 1, sentence 1 a) of the GDPR or Article

9, paragraph 2 a) of GDPR and there is no other legal basis for the processing.

·	You object to processing pursuant to Article 21, paragraph 1 of the GDPR and there are no overriding legitimate grounds for

processing, or you object to processing pursuant to Article 21, paragraph 2 of the GDPR.

·	The personal data has been processed unlawfully.
·	The deletion of personal data is necessary to fulfil a legal obligation under Union Law or the law of the member states that govern us.
·	The personal data was collected in relation to information society services offered in accordance with Article 8, paragraph 1 of DS-

GVO.

If we have made the personal data public and we are obliged to delete it pursuant to Article 17, paragraph 1 of the GDPR, we will take appropriate measures, including technical measures by taking into account the available technology and the implementation costs, to inform data processors who process the personal data that you have requested to delete all links to your personal data or copies or replications of your personal data.

5.4 Right to Limitation of Processing
You have the right to request us to restrict processing if one of the following prerequisites is met:

·	The accuracy of the personal data is disputed by you for a period of time that enables us to verify the accuracy of the personal data,
·	The processing is unlawful and you have refused the deletion of personal data and have instead requested the restriction of the use of

personal data;

·	We no longer need the personal data for the purposes of processing, but you need the data to assert, exercise or defend legal claims,

·	You have lodged an objection to the processing pursuant to Article 21, paragraph 1 of the GDPR as long as it is not yet clear whether

the justified reasons of our company outweigh yours.

5.5 Right to Data Transferability
You have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format; you also have the right to send this data to another data controller without our interference, provided

·	The processing is based on a consent as per Article 6, paragraph 1, sentence 1 a) of the GDPR or Article 9, paragraph 2 a) of the

GDPR or a contract as per Article 6, paragraph 1, sentence 1 b) of GDPR and

·	The processing is done using an automated method.

When exercising your right to data transferability in accordance with paragraph 1, you have the right to request that the personal data is directly transferred by us to another data controller, provided this is technically feasible.

5.6 Right of Objection
You have the right to object to the processing of your personal data at any time on the basis of Article 6, paragraph 1, sentence 1 e) or f) of the GDPR for reasons arising from your particular situation. We no longer process personal data unless we can prove compelling grounds for processing that outweigh your interests, rights and freedoms, or the processing is essential to assert, exercise or defend legal claims.

If we process personal data for direct marketing purposes, you always have the right to object to the processing of your personal data for the purpose of such advertising.

7. Forwarding the Data to Third Parties
In principle, we use your personal data only within our company.
If we involve third parties in the execution of contracts (e.g. logistics service providers), they receive personal data only to the extent to which such a data transfer is essential for the corresponding service.

If we outsource certain parts of data processing ("order processing"), we contractually oblige the contractors to use the personal data only in accordance with the requirements of data protection laws and to ensure the protection of the rights of the affected persons.