Data protection policy for United States of America

tonies GmbH (the operator of the tonies.com website, the domains and subdomains associated with them and the app ‘mytonies’ for iOS and Android (hereinafter ‘app’) takes the protection of your personal data very seriously and ensures that your privacy is maintained. We treat your personal data as confidential and in accordance with statutory data protection regulations (including the EU General Data Protection Regulation (GDPR), German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG)), UK-GDPR and California Consumer Privacy Act (CCPA)) as well as this Data Protection Policy. Please take note of the following information in order to ensure that you are fully informed about the collection, use and purpose-based processing of your personal data on our website and about the rights to which you are entitled.

Note to US residents: our US store located at https://us.tonies.com/ is operated by our United States subsidiary tonies US, Inc., which shares your personal information with tonies GmbH.

At or before the time of collection, California residents may have a right to receive notice of our practices, including the categories of personal information to be collected (see “Supplemental Notice for California Residents” below), the purposes for which such information is collected or used (see “Data Usage in Detail” below), whether such information is sold or shared (see “Supplemental Notice for California Residents” below) and how to opt-out of such uses (see “Supplemental Notice for California Residents” below), and how long such information is retained (see “Duration of storage of your data” below).

See the section “Supplemental notice for US residents” below for more information on our processing of personal data that is subject to US laws.

Note to UK residents: If the subject of processing activity is personal data from individuals inside the United Kingdom, the processing of personal data will be secured by the application of the UK-GDPR. In such cases, references made in this Privacy Policy to the GDPR shall be interpreted as reference to the corresponding regulation in the applicable UK-GDPR.

Controller’s name and address and whom you can contact

The controller (or similar term), within the meaning of the General Data Protection Regulation (GDPR), other applicable data protection laws and other provisions of a data protection nature, is:

tonies GmbH Oststra?e 119 40210 Düsseldorf Germany Contact: Contact form (EN), contact form (DE)

You can contact tonies GmbH′s privacy officer at:

Philipp Herold www.mein-datenschutzbeauftragter.de Hafenstrasse 1 A 23568 Lübeck Germany Contact: Contact form (EN), contact form (DE)

For US inquiries, please contact tonies Inc Inc.:

tonies US, Inc. 3000 El Camino Real Building 4, Suite 200 Palo Alto, CA 94306 USA privacy.us@tonies.com

Purpose and legal basis for processing your data

The use of our website and apps for informational purposes is designed in such a way that as little data as possible is collected from you and is usually possible without providing any personal data. This does not apply if personal data is required as part of an order from our online shops, for the creation of a Tonie-Account, for use of mytonies (my.tonies.com) (hereinafter ‘mytonies’), including orders from the Audio Library; as part of customer care enquiries, as part of a newsletter subscription that you have requested, through our general contact form or for use of our blog or for information about our own similar products and services. As a network-based system with a server (mytonies) and client systems (the Tonieboxes and Tonies with audio content), there are also other data exchange processes without which it is impossible to use the system to its full extent. Further information about the general functionality of our system can also be found on our US website, our UK Website and on our German website.

We only ever collect personal data on a voluntary basis where this is possible for the performance of our service. If there exist no legal grounds for such processing, we generally obtain your consent as required by applicable law. You can at any time withdraw any consent that you have given. Your data is not disclosed to third parties. Excepted from this are our service providers including those who require personal data in order to process any orders of yours from our online shop or Audio Library or as part of customer care enquiries (e.g. delivery companies contracted for delivery, financial and payment institutions contracted to process payment, our service partners for customer care enquiries and our technical support), and companies we work with to tailor and deliver personalized or targeted advertisements to you. However, in these cases the extent of data that is transferred is limited to the minimum necessary for the relevant service; all personal data is of course also treated as strictly confidential by our service providers and processed in accordance with the GDPR (as applicable). In the event of a credit check, address and credit history data may be exchanged with a recognised, external company (Schufa or Creditreform), within a legally permitted framework and incorporating the protection of your legitimate interests. However, we do not assume liability for third parties unless such liability is declared separately.

In addition, if we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, then your personal information may be sold or transferred as part of such a transaction, solely as permitted by law and/or contract.

We may also disclose any information we store associated with you if we, in good faith, believe doing so is required or appropriate: to comply with law enforcement or national security requests and legal process; protect your, our or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.

If we make adjustments to our business processes and these adjustments have consequences for information obligations pursuant to applicable laws, we will update our Data Protection Policy accordingly and notify you as required under applicable law. Likewise, we will incorporate changes of data protection law and case law and update our Data Protection Policy to reflect them. We recommend that you read our Data Protection Policy regularly for this reason.

Purposes of data processing and legal grounds

To the extent applicable, we process your personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and German Federal Data Protection Act (BDSG). More details on our processing of personal data that is subject to the GDPR and/or the BDSG can be found below:

Data entered into the contact form is processed on the basis of your consent (GDPR Article 6(1)(a)). The legal grounds for processing data that is transferred when sending an email are provided in GDPR Article 6(1)(f). If the email contact is for the purpose of entering into a contract, there are additional legal grounds for processing provided in GDPR Article 6(1)(b).

Your personal data is processed primarily for the performance of our contractual services in our online shops and mytonies (GDPR Article 6(1)(b)), that is, as part of the performance of our contracts with our customers and, if relevant, also for the implementation of pre-contractual measures taken pursuant to a request for our products and services.

In order to provide our contractual services, we use processors with whom we have concluded a Data Processing Agreement in accordance with GDPR Article 28. If the processors are located outside the EU or EEA and there is no adequacy decision of the European Commission, the processing is permitted under GDPR Article 46 (2) (c), as we have concluded a contract including the standard contractual clauses of the European Commission (“EU Standard Contractual Clauses”), the wording of which is available here: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=DE.

If you have given us your consent to the processing of your personal data for specific purposes (e.g. a newsletter subscription), this data is processed based on your consent. You can withdraw your consent at any time. Such withdrawal only takes effect for the future and does not affect the lawfulness of data processed before the time of withdrawal. (GDPR Article 6(1)(a))

If we are subject to a legal obligation that requires us to process personal data, for example to fulfil tax obligations, such processing of personal data is based on the grounds provided in GDPR Article 6(1)(c).

In the context of balancing interests: If we process personal data that is not covered by the above legal bases, the processing may also be necessary to respect a legitimate interest of our company or a third party, provided that your interests, fundamental rights and freedoms are not overridden. This is the case, for example, if we use your personal data to inform you about our own similar goods and services, provided that we have informed you of this when collecting the data used for this purpose (such as your e-mail address) and you have not objected to this, or if data is exchanged with a recognized third party company (Schufa or Kreditreform) for the purpose of checking creditworthiness, possibly as part of order processing. (GDPR Article 6 (1) lit. f, § 7 (3) (2) UWG.

The following applies as part of a balancing of interests: if we process personal data that is not included within the aforementioned legal grounds, such processing may also be required if it is necessary to safeguard a legitimate interest of our company or a third party, unless your interests, fundamental rights and fundamental freedoms are overriding. For example, this could be the case if we use your personal data for our own marketing of our products, provided you have not objected to such usage of your data, or if data is exchanged with a recognised external company (Schufa or Creditreform) for a credit check that may form part of an order’s fulfilment. (GDPR Article 6(1)(f), German Unfair Competition Act (UWG) Section 7(3))

Your privacy rights

As required under applicable law and depending on the jurisdiction you reside, you may have the following rights in relation to your personal data:

right to know whether we are processing your personal data

access

rectification

erasure

restriction of processing (on the relevant provider’s website)

objection

data portability (transfer of the household in your account)

opt out of certain processing activities including, as applicable, if we process your personal data for “targeted advertising” (as “targeted advertising” is defined by applicable privacy laws), if we “sell” your personal data (as “sell” is defined by applicable privacy laws), or if we engage in “profiling” in furtherance of certain “decisions that produce legal or similarly significant effects” concerning you (as such terms are defined by applicable privacy laws)

appeal our decision to decline to process your request

To exercise your rights, you may complete this Contact form (EN), make changes directly from directly within your profile, or contact us via the contact listed in the section “Controller’s name and address and whom you can contact” above. In some cases, you may be able to exercise your rights by clicking links on our homepage or by using our cookie preference manager.

The restrictions set out in BDSG Sections 34 and 35 apply with regard to the rights to access and erasure. Moreover, you have the right to lodge a complaint with the relevant supervisory authority for data protection (GDPR Article 77 in connection with BDSG Section 19).

If applicable laws grant you an appeal right and you would like to appeal our decision with respect to your request, you may do so by informing us of this and providing us with information supporting your appeal.

Note to users in California: additional rights information is listed in “Additional Privacy Rights for California Residents” below.

Data usage in detail

The following explains to you in detail how our systems use your data.

Server log files

The provider of this website automatically gathers and saves information in server log files automatically transferred to us by your browser. This information includes:

browser type/version

operating system used

referrer URL

host name of the accessing computer

time of server request

IP address

request authorisation

We do not match this data with a specific person or merge it with other data sources. However, we do reserve the right to review this data at a later date if we gain knowledge of concrete indications of unlawful use. The data is required to provide the contents of our website correctly. We do not infer details about specific persons when using this general data and information. Rather, this data/information is required to (1) present the content of our website correctly, including directing you to the correct version of our site for your region, (2) optimise the content and advertisement of our website, (3) assure ongoing operability of our IT systems and our website’s technology and (4) supply information required for criminal prosecution to prosecution authorities in the event of a cyberattack. This data and information is analysed by us for statistical purposes and, moreover, with the goal of increasing the protection and security of data in our organisation so that an optimal level of protection for the personal data processed by us can ultimately be assured. The data in the server log files is stored separately from all personal data provided by the data subject. The stored customer data of yours is not sold.

Data use with Toniebox, Tonies, mytonies and the Tonie-Account

Every Toniebox by default comes with an individual client certificate that it can use for unique authentication with mytonies. In addition to this client certificate, there is another Toniebox ID stored in mytonies for each Toniebox. This Toniebox ID is also affixed to the bottom of the Toniebox. When setting up the Toniebox for the first time and connecting it to a new Wi-Fi network, you are asked to enter the Toniebox ID for it to be matched with mytonies. This serves to ensure that only authorised Tonieboxes can make contact with mytonies.

The Toniebox is coupled with a Tonie-Account through the Toniebox ID. All you need to create this account in mytonies is a valid email address and a password that you choose. Furthermore, you must provide your Toniebox ID to link your Toniebox with your Tonie-Account. Creating a Tonie-Account is a requirement for using (and also configuring) the Toniebox, using Creative-Tonies and the Audio Library, connecting with other members and using other functions in the Toniebox ecosystem. If a Tonie-Account is deleted after being used to set up the Toniebox, these special functions of mytonies will no longer be able to be used. Further information about deleting Tonie-Accounts and the effects of doing so can be found here.

When you use your Toniebox, the following events will cause it try to establish a connection with mytonies: initial set-up, powering on, putting on a Tonie unknown to the Toniebox and starting a search for new content. If the connection with mytonies is successfully established, the Toniebox sends your individual client certificate, your IP address and a timestamp. When you use Tonies and Tonieboxes, we also receive data about operational events (Tonie put on or removed, including the Tonie’s identifier (e.g. Creative-Tonie or Benjamin the Elephant Tonie); volume changes, fast-forwarding and skipping, connecting or disconnecting headphones or connecting or disconnecting the charging station) and the content that is assigned to your Tonie at a particular time. When setting up the Toniebox or adding another WiFi, the available networks and the connected network (SSID) are also transmitted. In doing this, we seek to improve our service and product for you on an ongoing basis. The transferred data described above is generally collected by us and stored in server log files so that we can analyse it as necessary. If you contact our customer care and state the Toniebox ID as part of a support enquiry (e.g. because your Tonie has a technical problem or because a Toniebox and/or Tonie is/are lost in transit), the Toniebox ID will potentially be linked with the personal data given by you in relation to the enquiry. The customer care staff will actively let you know about this in such cases. Using data in the manner described here makes it possible for us to process your support enquiry, track down Tonieboxes or Tonies that are lost in transit, resolve problems with Audio Library content and uncover instances of misuse or breach of law and defend ourselves against them. The data that is linked in the described manner is deleted as soon as your support enquiry has been brought to a full conclusion. In cases where there has potentially been a breach of the law, we will store the data until the breach of law has been resolved, or until legal proceedings have concluded if such proceedings are opened, and will only erase it when we no longer need the data for evidence and defence purposes or to comply with retention obligations.

After you have set up a Tonie-Account and linked your Toniebox with this account using the Toniebox ID, we can link your customer data with the aforementioned data and will then be able to customise our newsletter (if you have opted in for it) and other marketing activities to you and your personal interests and thus improve our marketing activities and their benefits on an ongoing basis. If you do not wish for this to occur, you of course have the option to deactivate this at any time from within your profile on my.tonies.com.

If you upload audio files for your Creative-Tonies to mytonies (through the app or our website), these files will be converted by our server into the required format and then made available for playback on the Creative-Tonies. The data you originally upload will be automatically deleted after seven days. The converted data will be stored in mytonies. You can upload new files for the desired Creative-Tonie as often as you like. As soon as the maximum run time of 90 minutes has been reached for each Creative-Tonie, you must delete your old files so that they can be replaced by new ones. We do not save old data, though for technical reasons the converted data will be stored for at least seven days following conversion. We reserve the right to sample uploaded data and check if it potentially violates applicable law (including copyrights, personality rights or competition law), applicable case law and/or common decency. If we find such a violation, we reserve the right to delete your data in mytonies and cancel your Tonie-Account.

If you cancel/close your Tonie-Account, your Audio Library content and the files you have uploaded for your Creative-Tonies will be deleted after cancelling. If you cancel your Tonie-Account, your order history and any personal information provided voluntarily or to place orders will also be deleted. It is impossible to transfer this information to another user before cancelling your account.

Data use with app and Toniebox QR code packaging

If you use our app, you require a Tonie-Account and must also log into the app with your email address and password before you can use the app. The apps enable you to record speech and combine it with a selected Creative-Tonie through the app by uploading it from the smartphone or tablet to mytonies.

In order for you to be able to use our app and its functions to their full extent, the app must be able to access various functions and data. You must grant the relevant permissions so that we receive this access (representing a declaration of consent under laws such as GDPR Article 6(1)(a)). We only obtain permissions that are actually required for usage in practice. Please be aware that you cannot use the full extent of our app’s functionality unless all permissions are provided.

All users must ensure they have the proper consent of any individual they record via the app (or, in the case of a child’s voice, the child’s parent or legal guardian) when uploading content to the app. Please see the relevant Terms and Conditions/Terms of Use for your territory for more information.

The app uses the following data:

audio recordings, titles uploaded to mytonies

customer data for verification

Toniebox name

Push token (for sending push notifications)

The app accesses the following items for specific purposes:

identity/accounts on the device and usage of it

photographs/media/files for transfer as part of the app’s defined usage

microphone for recording audio files

network for the display of network connections

stopping the device from entering sleep mode

changing audio settings

Finally, we would also like to point out that every Toniebox package is given a QR code during manufacturing. This primarily serves internal purposes (our ERP system); as a rule, this information is not linked with your Tonie-Account. The contrary only applies if we have sufficient evidence of fraud. In this case, we link the QR code with your Tonie-Account to detect Tonieboxes that have not arrived, which serves to protect us from breaches of the law. We delete the personal data used in this process as soon as the suspicion of fraud proves unsubstantiated and/or the fraud investigation process has been concluded and the data is no longer needed for evidence and legal defence purposes.

We may send you push notifications through our app. You may at any time opt-out from receiving these types of communications by changing the settings on your mobile device by activating or deactivating.

Newsletter, marketing emails, and other promotional activities

If you wish to receive our newsletter by email, we require an email address from you; you may also provide your first and last name and your preferred addressing voluntarily and share the birthday of one or more children you entertain in order to receive personalized advertising and offers tailored to their age group. Additional data is not collected. We use this data exclusively for sending the requested information and pass it on to our instructed service provider in the United States. We have concluded corresponding contracts with our service provider in order to guarantee the data protection requirements for the protection of your personal data.

We obtain statistics through the means described here. They include information about whether the newsletter is opened and the links that are clicked on. While this information can be matched with individual newsletter recipients, it is not the purpose of the processing for our analyses. The analyses serve solely to identify the reading habits of our users and adapt our content to you or send different content in line with the interests of users, including individual ones. You have the opportunity to receive personalized advertising and offers if you give us your consent to determine your preferences by analyzing your purchases and actual usage. We use this data exclusively for the personalization of marketing emails. You can at any time withdraw the consent you give for the storage and usage of data and your email address for delivery of the newsletter fee of charge by clicking on the ‘Unsubscribe’ link in the newsletter.

The data will be retained until you unsubscribe, request modification or deletion, or submit an advertising objection. The usage information collected in the course of the personalized marketing emails and communicated birthdays will then be kept anonymized by removing the link to your account, so that a link between the date and the usage data to your account is no longer possible.

If you choose to do so, you can still receive newsletters. These are then not tailored to you.

If you have consented to us using your profile information to also customize the content of our platforms (website and app) according to your preferences, we can show you recommendations, for example, via push notifications through the app, or banner ads on our platforms.

By providing additional information, your profile will be enriched. If you have ordered personalized advertising, we use the usage data of your mytonies account (e.g. items purchased, Tonies assigned to your household, playtime) together with the birthday (if provided by you) of a child you entertain to provide you with personalized recommendations based on your and the child’s thereby implied interests. If we do not yet have products for your child’s age group, you will only receive recommendations based on your purchasing behavior. In this case, we will add the date of birth to your profile so that we can recommend suitable products to you at the right time (this can also be revoked at any time).

We may offer various tools and functionalities to allow you to share information from third parties. For example, we may allow you to provide information about your friends through our referral services. Our referral services may allow you to forward or share certain content with a friend, such as an email inviting your friend to use our services. If you use these features, we will retain your friend’s email solely to enable the referral. Note that we may also provide surveys, sweepstakes, contests, or other social media content, which may entail the collection of personal information. Contact information you provide may be used to reach you about the sweepstakes or contest and for other promotional, marketing and business purposes, if permitted by law. In some jurisdictions, we are required to publicly share information of winners.

Participation in surveys via the Userlytics platform

We use Userlytics’ user experience testing platform, through which we publish tests from time to time with the goal of improving the customer experience on our platforms. Userlytics provides the ability to generate various types of tests, including single/multiple choice tests and verbal tasks, which are recorded by Userlytics and made available to us for retrieval through the Platform. Participants should have entered into a user agreement with the Userlytics’ terms and conditions referenced therein as part of the registration process. The use of the Userlytics’ service is also subject to the Userlytics’ Privacy Policy, which should have been provided to you as part of the registration process.

We may define tests based on country, gender, age, education, employment and income. If you take a test that we have created, Tonies US INC may ask you to provide personal information (e.g., age, gender, marital status). If you participated in a test via video, Userlytics stores this recording on its platform and makes it available to Tonies US INC for retrieval.

Data Processing as independent data controller

Tonies US INC has entered into a data processing agreement for independent data controllers, with Userlytics Corporation, a Delaware corporation, registered at 1200 Brickell Avenue, Suite 1950, Miami, FL 33131 pursuant applicable Data Protection law. For more information, please see Userlytics’ privacy policy at https://www.userlytics.com/privacy-policy-testers/.

Under the independent controller relationship for the described processing, you may exercise your Personal Data Inquiries and Requests. under the Data Protection law, separately with Tonies US INC and with Userlytics for the personal data each organization processes.

Online shop

We require your personal data in order to process your order from our online shop. To this end, we require your title, first names, surnames, email address, delivery address, billing address and telephone number for queries regarding your order. If you wish to create a Tonie-Account in our online shop, we will store your personal data so that you do not have to re-enter it for every order. This saves you time and stops you from making any mistakes when typing. Furthermore, it gives you personalised access to your order history and you can specify individual user settings if you desire them. You also need a Tonie-Account to set up the Toniebox and use special functions ofmytonies, including the Audio Library. When you create a Tonie-Account in the shop, all you need to begin is your email address and a password chosen by you. Later when you make an order the following personal data of yours is additionally stored: title, forename, surname, delivery address, billing address, payment method (setting the default during the first purchase) and your telephone number (information for queries regarding your order).

Data processing for order fulfilment through Amazon

Orders are fulfilled by the service provider ‘Amazon’ (Amazon EU S.à r.l., 5, Rue Plaetis 2338, Luxembourg) as part of the ‘Fulfilment by Amazon’ program. Your personal data is shared with Amazon exclusively for the purpose of fulfilling your online order. It is transferred in accordance with GDPR Article 6(1)(b) and only to the extent necessary for the order’s fulfilment. Furthermore, we obtain your data when you use Amazon customer service in connection with your order.

Any other data processing that extends beyond the data processing explained above is the responsibility of Amazon. Further information about data protection at Amazon and Amazon’s privacy notice can be viewed here.

Audio Library

If you possess a Tonie-Account and log in with it at my.tonies.com, you can use our Audio Library. When creating a Tonie-Account in mytonies, all you need is your email address and a password that you choose. For orders for Audio Library content, we also require your personal data in order to fulfil your order. To this end, we require your title (voluntary), forename, surname, billing address, the country to which your IP address belongs (but not the IP address itself) and telephone number (voluntary information for queries regarding your order). If you use the Audio Library to assign previously purchased Audio Library content to your Tonies and manage your purchased content, we do not require any personal data for this apart from your Tonie-Account log-in details.

Tonie-Blog

We offer the option of commenting on our Tonie-Blog posts on our website at tonies.com . If you use this option, your comment, information about the time the comment was submitted and the username or pseudonym chosen by you will be stored and published. Additionally, the IP address assigned by your Internet service provider will be logged as well. We will also ask for your email address, and while we will store it, we will not publish it. We store this personal data for security reasons and in case you violate third-party rights through a comment that you leave or in case you post unlawful content. Storing this personal data enables us to clear ourselves of wrongdoing in the event of a breach of law. We do not disclose your personal data to third parties except when such disclosure is legally required or serves as legal defence for us.

Customer care by telephone

If you contact our customer care by telephone, your telephone number and email address, as well as other information that you provide to our customer care staff, are recorded, stored and assessed for the purpose of processing your enquiry. Doing this serves the purpose of answering your enquiry and improving our products and the quality of our service. If you are required to provide your Toniebox ID for an answer to your enquiry as part of such a support request, the data of yours about operational events may possibly be linked with the personal data that you provide in connection with the enquiry. However, our customer care staff will actively let you know about this in such cases before a link is made, and you can, of course, refuse it at any time.

Customer care through the contact form

If you send us enquiries through our contact form, your information from the contact form, including the contact details that you voluntarily provide on it (personal data), your name and your email address, are automatically stored with us for the purpose of processing your enquiry and in case of follow-up questions until the relevant matter has been conclusively resolved. Naturally we do not share this data without your consent except as permitted under this Data Protection Policy.

Customer care by live chat (guuru) (EU, UK, and Swiss customers only)

We provide a chat function operated by guuru-AG on our website; the principal place of business for guuru AG is B?sch 67, 6331 Hünenberg, Switzerland. However, no data for it is collected through our website and no data for it is stored with tonies GmbH. If you ask a question through this chat function, a real person from a selected group of customers of tonies GmbH answers you. tonies GmbH is not responsible for content that is exchanged in chats. The data sent in chats is transferred directly to guuru and stored for analysis purposes. The personal data provided is treated as confidential and regularly erased by guuru after the relevant enquiry is processed. Data is not forwarded to third parties for marketing purposes.

Further information about the processing of data by guuru can be found in the guuru privacy policy. If you have questions, you can also contact the guuru data protection officer directly: dataprotection@guuru.com.

Parts of our website use what are called cookies. Cookies do not cause any harm to your computer and do not contain any viruses. Cookies serve to make our offering more user-friendly, effective and secure. Cookies are small text files that are stored on your computer by your browser. We notify you about the use of cookies, this Data Protection Policy and your options for protection in relation to them through a corresponding banner on our websites when you open them. If you continue to visit our websites, we assume that you agree to the use of cookies on our websites.

Most of the cookies that we use are so-called session cookies. They are automatically deleted after you finish your visit. Other cookies remain stored on your device until you delete them. These cookies enable us to recognise your browser when you next visit so that our websites are made more user-friendly. The following data, in particular, is stored in such cookies and transferred: items in the shopping basket and log-in details.

Furthermore, our websites use cookies that enable an analysis of your surfing patterns. The aim of this is to improve the quality of our websites and the content on them and for us to be able to optimise our offering constantly. The following data, in particular, may be transferred: frequency of page visits, utilisation of website functions. This user data is made pseudonymous through the technical precautions that we have taken, which leaves us unable to match the data with the visiting user. The data is not stored together with other personal data of our users.

You can configure your browser’s settings to inform you when cookies are set and to allow cookies only in certain situations, to prohibit cookies in certain situations or in general or to delete cookies automatically when you close your browser. Furthermore, you can at any time delete cookies that have already been set using your browser or other software programs. If you deactivate cookies, the functionality of our websites may be restricted.

If you want to adjust the cookie settings on my.tonies.com, you can do so here. To change the cookie settings on meine.tonies.de, please click here.

A current list of cookies that are set by us can be found on our website by clicking, the link to “Cookie Preferences” on the footer of our US site: https://us.tonies.com.

“Do Not Track”. Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. Please note that we do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.

Third-party systems on our website and in our apps

Consent with Usercentrics

This website uses the consent technology of Usercentrics to obtain your consent to the storage of certain cookies on your device or for the use of specific technologies, and to document the former in a data protection compliant manner.

The party offering this technology is Usercentrics GmbH, Sendlinger Stra?e 7, 80331 München, Germany, website: https://usercentrics.com/ (hereinafter referred to as “Usercentrics”).

Whenever you visit our website, the following personal data will be transferred to Usercentrics:

Your declaration(s) of consent or your revocation of your declaration(s) of consent Your IP address

Information about your browser

Information about your device

The date and time you visited our website

Moreover, Usercentrics shall store a cookie in your browser to be able to allocate your declaration(s) of consent or any revocations of the former. The data that are recorded in this manner shall be stored until you ask us to eradicate them, delete the Usercentrics cookie or until the purpose for archiving the data no longer exists. This shall be without prejudice to any mandatory legal retention periods.

Usercentrics uses cookies to obtain the declarations of consent mandated by law. The legal basis for the use of specific technologies is Art. 6(1)(c) GDPR.

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

Data protection policy for use of Bing

We place Microsoft Bing for the purposes of personalized online ads based on interests and location. Advertisements are displayed based on search requests on websites in the Microsoft Ad Network. Bing is provided by Microsoft Ireland Operations Limited, Attn: Data Protection Officer, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

When a user clicks on an ad, Bing places a cookie on the user’s device. For more information on the cookie technology used, please see their Microsoft Bing Ads privacy policy.

With the use of this technology, Bing, and we as their customer, receive the information that a user has clicked on an ad and was redirected to our websites. The information acquired this way is solely used for statistical analysis related to ad optimization. We do not receive any information that would allow us to personally identify a visitor. The statistics provided to us by Bing include the total number of users who have clicked on one of our ads and, where applicable, whether they were redirected to a page on our website that has a conversation tag. These statistics allow us to track which search terms most often lead to our ads receiving clicks, and which ads lead to the user contacting us via the contact form.

If you do not want this, you can prevent the storage of the cookies required for this technology by, for example, using the settings in your browser or your App. Should you do so, your visit will not be incorporated into user statistics.

You also have the option to choose the types of Bing Ads or deactivate interest-based ads on Bing through Ad settings. Alternatively, you can deactivate third-party use of cookies by using the Network Advertising Initiative’s opt-out tool.

Data protection policy for the use of Facebook plug-ins (Like button)

Plug-ins for the Facebook social network provided by Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, United States, are integrated into our website. You can identify a Facebook plug-in on our website through the Facebook logo or ‘Like’ button. You can find an overview of Facebook plug-ins here. If you do not live in the United States or Canada, the controller for the processing of personal data is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Central Harbour, Dublin 2, Ireland.

A direct connection between your browser and the Facebook server is established through the plug-in when you visit our website. This provides Facebook with the information that you have visited our website with your IP address. If you click on the Facebook ‘Like’ button while logged in to your Facebook account, you can link to the content on our website from your Facebook profile. Facebook will be able to match your visit of our website with your user account as a result. We would like to point out that we as the website provider have no knowledge of the content of transferred data nor the way in which Facebook uses it. Further information about the collection, processing and use of personal data by Facebook and possible settings for protecting your privacy can be found in Facebook’s privacy policy.

If you do not wish for Facebook to be able to match your visit of our website with your Facebook account, please log out of your Facebook account before visiting our website.

Data protection policy for the use of Facebook Website Custom Audiences

Also used on our website is the ‘Website Custom Audiences’ beacon from the social network Facebook, 1601 South California Avenue, Palo Alto, CA 94304, United States. It involves the use of a Web beacon to identify website visitors.

A direct connection between your browser and the Facebook server is established through this Web beacon when visiting our website. This provides Facebook with the information that you have visited our website with your IP address. Facebook can then match the visit to our website with your user account and will use this information to personalise the display of Facebook advertisements (the legitimate interest here within the meaning of GDPR Article 6(1)(f) is the optimisation of the shopping experience). We as the website provider have no knowledge of the content of transferred data nor the way in which Facebook uses it.

For further information, please look at Facebook’s privacy policy. You can of course opt out from the collection of data through Custom Audiences. To do this, click on this link. If you do not live in the United States or Canada, the controller for the processing of personal data is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Central Harbour, Dublin 2, Ireland.

Data protection policy for the use of TikTok Pixel

Nature of the processing: We use TikTok Pixel from TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland and TikTok Information Technologies UK Limited, WeWork, 125 Kingsway, London, WC2B 6NH, United Kingdom (both jointly responsible parties and hereinafter collectively referred to as “TikTok”).

This processing is done by us and TikTok as joint controllers. The contents of the relevant agreement with TikTok can be found at TikTok: https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms. According to this agreement, we are in particular responsible for providing all information according to Art. 13, 14 of the GDPR about the joint processing of personal data and TikTok is responsible for enabling your rights according to Art. 15 to 20 of the GDPR regarding the personal data stored by TikTok after the joint processing. TikTok is solely responsible for such further processing by TikTok. It also comes to the transfer of data to service providers or other companies of TikTok located in countries without a level of data protection comparable to the GDPR under the conclusion of the EU standard contractual clauses. For more information on how TikTok processes personal data, including the legal basis and how you can exercise your rights against TikTok, please see TikTok’s Privacy Policy at https://www.tiktok.com/legal/privacy-policy.

Purpose and legal basis: The use of TikTok Pixel is for the above purposes based on your consent pursuant to Art. 6 Sec. 1 lit. a. GDPR and § 25(1) TTDSG. You can revoke your consent at any time via our Consent Management Tool.

Storage period: The concrete storage period of the processed data cannot be influenced by us, but is determined by TikTok. Further information can be found in the privacy policy of TikTok: https://www.tiktok.com/legal/privacy-policy.

TikTok Pixel for checkout process via Shopify

We connect our TikTok For Business account to Shopify using a pixel. This allows us to detect various events:

Add payment info: Visitors* add payment information in the “Checkout” flow.

Add to cart: Visitors add an item to the shopping cart.

Complete payment: Visitors make a payment. This is considered a purchase event.

Complete registration: Visitors register for an account or something else.

Initiate checkout: Visitors make a purchase and proceed to checkout.

Search: Visitors perform a search.

View content: Visitors are viewing an important page. We recommend tracking important pages on your website that are relevant to your business. For example, a product comparison page, announcements, new releases, etc.

Via this technology, a direct connection between your browser and the TikTok server is established when you visit our websites in case of consent. Through this, TikTok receives the information that you have visited our website. TikTok can associate the visit to our websites with your user account and will use this information to display TikTok Ads in order to personalize them. We may use the information for targeting our ads and improving ad delivery, as well as for personalized advertising. This processing is done by us and TikTok as joint controllers. The contents of the relevant agreement with TikTok can be found at TikTok: https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms. According to this agreement, we are in particular responsible for providing all information according to Art. 13, 14 of the GDPR about the joint processing of personal data and TikTok is responsible for enabling your rights according to Art. 15 to 20 of the GDPR regarding the personal data stored by TikTok after the joint processing. TikTok is solely responsible for such further processing by TikTok. It also comes to the transfer of data to service providers or other companies of TikTok located in countries without a level of data protection comparable to the GDPR under the conclusion of the EU standard contractual clauses. For more information on how TikTok processes personal data, including the legal basis and how you can exercise your rights against TikTok, please see TikTok’s Privacy Policy at https://www.tiktok.com/legal/privacy-policy.

Data Protection Policy for the use of Google AdWords

We place Google AdWords display advertisements and use Google conversion tracking for the purposes of personalized online ads based on interests and location. Advertisements are displayed based on search requests on websites in the Google ad network. Google AdWords is provided by Google LLC, Gordon House, Barrow Street, Dublin 4, Ireland.

When a user clicks on an ad, Google places a cookie on the user’s device. For more information on the cookie technology used, please see Google’s statements on website statistics and their data privacy policy.

With the use of this technology, Google, and we as their customer, receive the information that a user has clicked on an ad and was redirected to our websites. The information acquired this way is solely used for statistical analysis related to ad optimization. We do not receive any information that would allow us to personally identify a visitor. The statistics provided to us by Google include the total number of users who have clicked on one of our ads and, where applicable, whether they were redirected to a page on our website that has a conversation tag. These statistics allow us to track which search terms most often lead to our ads receiving clicks, and which ads lead to the user contacting us via the contact form.

You also have the option to choose the types of Google ads or deactivate interest-based ads on Google through ad settings. Alternatively, you can deactivate third-party use of cookies by using the Network Advertising Initiative’s opt-out tool.

Data protection policy for use of Google Web analytics services

We use the functions of the Google Analytics service (Google Tag Manager, Firebase, Google Analytics) on our website and in the apps. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States. Google Analytics uses cookies. Cookies are small text files that are stored on your computer to enable an analysis of your use of this website. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the United States and stored there.

However, if IP anonymisation is enabled on this website, Google will truncate your IP address within member states of the European Union or in other countries party to the Agreement on the European Economic Area beforehand. Only in exceptional cases is the full IP address transferred to a Google server in the United States and truncated there. Google uses this information on behalf of the operator of this website to analyse your use of the website, compile reports on website activity and perform other services associated with website activity and Internet usage for the website operator. The IP address transmitted from your browser through Google Analytics will not be merged with other Google data.

You can stop cookies being stored by choosing the relevant settings in your browser, though you should be aware that you may not be able to use all of this website’s functions fully in this case. Furthermore, you can stop Google from storing and processing the cookie-generated data relating to your usage of this website (including your IP address) by downloading and installing the browser plug-in available over the following link.

Further information and Google’s applicable data protection provisions (with information about the collection, processing and use of personal data by Google and your options for protection in relation to it) can be viewed in the privacy policy and terms of service. Google Analytics is explained in more detail here.

Data protection policy for use of Google Optimize

We use Google Optimize from Google LLC, Gordon House, Barrow Street, Dublin 4, Ireland, to carry out so-called A/B tests on our online offering. This involves various versions of our online offering being published and measured simultaneously.

When testing different versions, data such as the operating system used, the browser’s user agent and the time of viewing may be collected to measure the success of a version. Web-tracking technologies are used to connect the aforementioned data with the version of our online offering undergoing testing.

The use of Google Optimize is based on our legitimate interests, i.e. our interest in optimising our online offering pursuant to GDPR Article 6(1)(f).

We cannot influence the actual duration of time for which processed data is stored, as this is determined by Google LLC. More information can be found in the Google Optimize privacy policy.

Data protection policy for use of Amplitude

On our website, we use the Amplitude service provided by Amplitude Inc, 201 Third Street, Suite 200, San Francisco, CA 94103, USA. Amplitude is a product and usage analysis tool that enables us to better understand the behavior of our users and optimize our digital offering. In particular, it collects information about the use of our website, such as pages visited, click behavior, length of stay, technical characteristics of the end device used and the time and frequency of use.

The processed data is analyzed pseudonymously and is not used to identify individual users. The processing takes place exclusively on the basis of your express consent (Art. 6 para. 1 lit. a GDPR), which you can give via our cookie banner. You can withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Since Amplitude is a US provider, data transfer to third countries, in particular the USA, cannot be excluded in the context of processing. In order to ensure an adequate level of data protection, we have concluded the Standard Contractual Clauses (SCCs) approved by the European Commission with Amplitude.

Further information on data protection at Amplitude can be found in the provider’s privacy policy at https://amplitude.com/ privacy

Data protection policy for use of Hotjar

Type and scope of processing

We have integrated Hotjar Behavior Analytics on our website. Hotjar Behavior Analytics is a service of Hotjar Ltd. and provides optimization tools that analyze the behavior and feedback of users of our website through analysis and feedback tools.

We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices. This includes a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.

For further details, please see the ‘about Hotjar’ section of Hotjar’s support site.

Hotjar Behavior Analytics uses cookies and other browser technologies to evaluate user behavior and recognize users. This information is used, among other things, to compile reports on website activity and to statistically analyze visitor data. Furthermore, Hotjar Behavior Analytics records clicks, mouse movements and scroll heights in order to create so-called heat maps and session replays. In this case, your data is passed on to the operator of Hotjar Behavior Analytics, Hotjar Ltd, Hotjar Ltd, Level 2, St Julians Business Centre 3 Elia Zammit Street St Julians STJ 3155 Malta.

Purpose and legal basis

We process your data with the help of Hotjar Behavior Analytics for the purpose of optimizing our website and for marketing purposes based on your consent pursuant to Art. 6 para. 1 lit. a. GDPR.

Storage period

The concrete storage period of the processed data cannot be influenced by us, but is determined by Hotjar Ltd. Further information can be found in the privacy policy for Hotjar Behavior Analytics: Hotjar privacy policy.

Data protection policy for use of Instagram

Our website uses plug-ins from the Instagram social network operated by Instagram LLC, 1 Hacker Way, Building 14 First Floor, Menlo Park, CA, United States. You can recognise the Instagram plug-in on our website through the Instagram button. When you click on the Instagram button while logged in to your Instagram account, links to the content on our website may be published on your Instagram profile. Instagram will be able to match your visit of our website with your user account as a result. We as the website provider have no knowledge of the content of transferred data nor the way in which Instagram uses it. If you do not wish for this information to be transferred to Instagram in the described manner, you can stop it being transferred by logging out of your Instagram account before visiting our website. Further information about this and about the collection, processing and use of personal data by Instagram can be found in the Instagram privacy policy.

Data protection policy for use of Klaviyo

We have integrated components of Klaviyo into our website. Klaviyo is a service provided by Klaviyo, Inc. and offers marketing automation software for marketing services and products, including SEO, content creation, lead management, newsletters, marketing via email and SMS; and Web analytics.

Klaviyo uses cookies and other browser technologies to analyse usage patterns and recognise users. This information is used for purposes including the compilation of reports about activity on the website. Furthermore, Klaviyo is used to store and transfer data entered in forms using cookies and to store and transfer your IP address. In this case, your data is disclosed to the operator of Klaviyo, Klaviyo, Inc., 125 Summer Street, Boston, Massachusetts, 02111, United States.

We process your data with the help of Klaviyo for the purpose of optimising our website and for marketing purposes, based on your consent within the meaning of GDPR Article 6(1)(a).

We cannot influence the actual duration of time for which processed data is stored, as this is determined by Klaviyo, Inc. More information can be found in the Klaviyo privacy policy.

Data Protection Policy for the use of Braze

To use the features of the App, you are required to log in to the App. To log in to the App, you need a user account.

When you register in our App or on my.tonies.com, we store the information you provide, such as your email address, first and last name. For these purposes, we use a CRM service provided by Braze Inc, 330 West 34th Street, New York, NY 10001, USA (“Braze”). In this context, Braze acts for us as a so-called data processor.

The processing of personal data in the context of registration, logging in and the use of the functions is carried out for the performance of our service offered via the mytonies App and is therefore based on GDPR Article 6 (1) lit. b.

We use Braze in our App and on mytonies.com to analyze your usage behavior. This allows us to draw conclusions about your usage behavior in order to improve our notifications and ensure that you only receive information that is of interest to you. When you use the App or services on mytonies.com, the information listed below is collected and analyzed by Braze. Braze uses an identifier (ID) that allows analysis of your use of our services. Braze collects information about your newsletter registration, your user behavior regarding the newsletter, the push notoficatoins (e.g. open rates) as well as the use of our App and website, purchase information as well as campaign information for the purpose of direct targeting (direct marketing) as well as analysis and campaign optimization.

The legal basis for this processing activity is a legitimate interest according to GDPR Article 6 (1) lit. f. The legitimate interest we pursue in processing the data explained above is our interest in a user- and needs-oriented design of our offers. A conflicting interest is not apparent in particular because you can object to the processing at any time. If you no longer wish to be recorded by Braze in the future, you can contact us at any time by contacting us at privacy.us@tonies.com.

When using Braze, there is no transfer of personal data processed by Braze to a third country. Braze is based in a third country, i.e. a country in which there is no level of data protection equivalent to the GDPR. Your data will be stored and processed exclusively on European servers. Nevertheless, we would like to point out that due to the company’s headquarters in the USA, a data transfer to the USA cannot be completely excluded.

The transfer of data to Braze is permissible according to GDPR Article 46 (2) lit. c as we have concluded the standard contractual clauses of the European Commission (“EU Standard Contractual Clauses”), the wording of which is available here https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=DE.

For more information about Braze’s compliance with data protection laws, please visit https://www.braze.com/privacy/.

We use Braze to link advertising campaigns to registration and subsequent use of the tonies services and to measure their success. We also use the functionality provided by Braze to contact you and provide you with news about our products and services and our campaigns in various ways. For these purposes, we use your email address, your first and last name, a pseudonymized user ID automatically generated by Braze, and your advertising IDs automatically generated by your mobile device’s operating system (Identifier for Advertising (“DFA”) for iOS or Google Advertising ID (“AAID”) for Android).

If you have given your consent, you will receive personalized advertising and marketing content via the following communication channels: Email, SMS, push notification, in-app notifications.

The legal basis for this is your consent (GDPR Article 6 (1) lit. a). Your consent is optional and can be revoked at any time. You can unsubscribe from push notifications at any time by changing the settings on your mobile device.

We use your email address, which we have received in the context of the sale of a good or service, for the electronic sending of advertising for our own goods or services that are similar to those that you have already purchased from us, unless you have objected to this use.

The legal basis for the processing is our overriding legitimate interest in direct advertising (GDPR Article 6 (1) lit. f). You can object to this use at any time by notifying us by contacting us at privacy.us@tonies.com You can also use the link provided for this purpose in the advertising medium, e.g. in the e-mail.

Data used for marketing purposes will be stored in pseudonymized form and passed on to Braze. This data will be deleted as soon as you have revoked your consent given for marketing purposes.

We delete data relevant to the contract, such as your e-mail address and name, five years after the termination of the contract for the use of our service. The contract for the use of our service ends, for example, by deleting your mytonies account.

Data protection policy for use of Outbrain

A visitor pixel provided by Outbrain Inc., 39 West 13th Street, 3rd floor, New York, NY 10011, United States, is used on our website to measure conversion rates.

Doing this allows us to track the actions of users after they have been redirected to our website by clicking on an Outbrain advertisement. This process serves to analyse the effectiveness of our Outbrain advertisements for statistical and market research purposes and can contribute to the optimisation of future marketing activities.

Further information about data protection at Outbrain can be found here. You can object at any time to tracking for the purpose of displaying interest-based recommendations; to do this, click on the ‘Opt Out’ field in the Outbrain privacy policy available to read at https://www.outbrain.com/legal/privacy#privacy-policy.

tonies US INC operates a Pinterest page. You can access tonies’ Pinterest page by interacting with a Pinterest feature embedded on us.tonies.com (which is usually a button in the shape of the Pinterest logo). On this Pinterest page, we upload photos and/or videos of our own products to inspire and encourage Pinterest members to buy.

If you have agreed to cookies for marketing purposes, information about the use of this website (e.g. information about viewed items) will be collected by the respective tracking technology (e.g. cookie or pixel) under joint responsibility of Pinterest Europe Limited and tonies and transmitted to Pinterest. If you belong to the target group based on your interests or your activities on our website, Pinterest can show you corresponding interest-based ads from us (so-called retargeting).

Pinterest is a social network operated by Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland (“Pinterest”).

Insofar as the data you submit via our Pinterest page is processed exclusively by Pinterest and Pinterest alone decides on the purposes and means of the processing, Pinterest is the data controller within the meaning of the GDPR. Please note that cookies and tracking technologies are used by Pinterest each time our Pinterest page is visited. This enables Pinterest to track and analyze your user behavior. This happens regardless of whether you are logged into Pinterest or even have a Pinterest user account. If you are logged into your Pinterest user account, you enable Pinterest to assign your user behavior directly to your personal profile across devices. According to Pinterest, you can prevent this by logging out of your Pinterest user account. For more information about Pinterest’s privacy policy, please see Pinterest’s Privacy Policy and Cookie Policy at: https://policy.pinterest.com/en/privacy-policy and https://policy.pinterest.com/en/cookies.

When you interact with an embedded Pinterest feature (the provided button) on our platforms, your browser establishes a direct connection to Pinterest’s servers. Through your interaction, you are usually redirected to our Pinterest page. In the process, log data is transmitted to the Pinterest server. This log data includes, among other things, your email-address, your IP address, the website from which you reached Pinterest, the web address of the visited websites that also contain Pinterest functions, type and settings of the browser, date and time of the request, your use of Pinterest as well as cookies and tracking technologies.

If you have consented that your data may be processed and stored by integrated social media elements, the use of the above-mentioned service is based on Art. 6 para. 1 lit. a DSGVO and § 25 TTDSG. The consent can be revoked at any time.

Insofar as personal data is collected on our website with the help of the embedded Pinterest function and forwarded to Pinterest, we and Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland are jointly responsible for this data processing in the form of data collection and forwarding in accordance with Art. 26 DSGVO by enabling the evaluation of user behavior and the measurement and optimization of advertising by providing our services. The joint responsibility is limited exclusively to the collection of data and its forwarding to Pinterest through tracking technologies. The subsequent processing of activity data by Pinterest after the forwarding is not part of the joint responsibility.

Our joint obligations have been set forth in a Joint Controller Agreement. You can find the text of the agreement at: https://business.pinterest.com/en-gb/pinterest-advertising-services-agreement/united-kingdom/

Under this agreement, we are responsible for providing the privacy information of the embedded Pinterest feature and for the privacy-secure implementation of the on our website. You can find Pinterest’s contact information and that of Pinterest’s data protection officer here: https://policy.pinterest.com/en/privacy-policy. You can also contact Pinterest’s data protection officer via this contact form: https://help.pinterest.com/en/data-protection-officer-contact-form.

Pinterest is responsible for the data security of Pinterest products. You can assert data subject rights (e.g., requests for information) regarding the data processed by Pinterest directly with Pinterest. If you assert your data subject rights with us, we are obliged to forward them to Pinterest.

Data protection policy for use of Twitter

Functions for the Twitter service are integrated into our website. These functions are offered by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, United States. By using Twitter and the ‘retweet’ function, the websites you visit will be linked with your Twitter account and shared with other users. Data will also be transferred to Twitter as part of this. We would like to point out that we as the website provider have no knowledge of the content of transferred data nor the way in which Twitter uses it. Further information about the collection, processing and use of personal data by Twitter can be found in the Twitter privacy policy.

You can change your privacy settings for Twitter in your Twitter account settings. You can also stop information being transferred to Twitter by logging out of your Twitter account before visiting our website.

Data protection policy for use of Yotpo

We use the SMS Bump service provided by Yotpo, Inc. and SMSBump Ltd. to send marketing text/SMS messages to those who opt in. Yotpo may collect your phone number and text communications to provide this service. You can contact Yotpo at Yotpo, Inc., 400 Lafayette Street, 4th Floor, New York, NY 10003. Further information about the processing of data by Yotpo/SMS Bump can be found in the Yotpo privacy policy. If you have questions, you can also contact the SMS Bump data protection officer directly: privacy@yotpo.com.

We value your privacy and the information you consent to share in relation to our SMS marketing service. We use this information to send you text notifications (for your order, including abandoned checkout reminders), text marketing offers, and transactional texts, including requests for reviews from us.Opt-in data and consent for text messaging will not be shared with any third parties except for messaging partners,for the purpose of enabling and operating our text messaging program.

Opt-in data and consent for text messaging will not be shared with any third-parties except for messaging partners, for the purpose of enabling and operating our text messaging program.

Our website uses cookies to keep track of items you put into your shopping cart, including when you have abandoned your checkout. This information is used to determine when to send cart reminder messages via SMS.

Data protection policy for use of Zendesk

To process customer enquiries, we use the Zendesk ticket system, a customer service platform provided by Zendesk Inc., 989 Market Street #300, San Francisco, CA 94102. The required data, such as your name and email address, is collected through our website for this purpose.

Further information about the processing of data by Zendesk can be found in the Zendesk privacy policy. If you have questions, you can also contact the Zendesk data protection officer directly: privacy@zendesk.com.

By sending the form, the data is transferred to our section at Zendesk and serves the sole purpose of processing the relevant enquiry. The collected data is stored on servers located within the EU and treated as confidential in accordance with the GDPR. The data is archived at Zendesk for documentation purposes after the relevant enquiry has been processed. Data is not forwarded to third parties for marketing purposes.

Data protection policy for online marketing and partner programs

Affiliate Programs on this website and app We participate in affiliate partner programs. In conjunction with affiliate partner programs, ads of businesses (advertisers) are placed on websites of other enterprises within the affiliate partner network (publisher). If you click on one of these affiliate ads, you will be transferred to the promoted offer. If you should subsequently engage in a certain transaction (conversion), the publisher will receive a respective commission in exchange for the service. To be able to compute the commission amount, the affiliate network operator must be in a position to track the ad that has resulted in you seeing the offer and in you completing the predefined transaction. To make this possible, cookies or comparable recognition technologies are deployed (e.g., device fingerprinting).

Data is stored and analyzed on the basis of Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the correct computation of its affiliate compensation. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR and § 25 (1) TTDSG, insofar the consent includes the storage of cookies or the access to information in the user’s end device (e.g., device fingerprinting) within the meaning of the TTDSG. This consent can be revoked at any time.

We participate in the following affiliate programs:

Impact Shopify Plugin

Disclosure of personal data to outside of our company when shopping in our online shops or Audio Library

The personal data collected by us is disclosed to the delivery company contracted for delivery as part of the performance of the contract, provided this is necessary for the delivery of the goods. We forward your payment data to the contracted financial institution for the purpose of processing payments.

When paying with PayPal in our DE/UK online shops or Audio Library, we forward your payment data to PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (PayPal), for the purpose of processing payments. By selecting the ‘PayPal’ payment option, you give your consent to the transfer of personal data required to process payment. This personal data usually includes your forename, surname, address, email address, IP address, telephone number, mobile number and other data required to process payment and fulfil the order. The data is transferred for the purpose of processing payment and preventing fraud. Further information related to privacy law, including the credit agencies used by PayPal and your rights as a data subject, can be found in the PayPal privacy policy.

If you have decided to pay in our online shops with credit/debit cards issued by Visa or Mastercard, the payment will be processed by HUELLEMANN & STRAUSS ONLINESERVICES S.à.r.l., 1, Place du Marché, L-6755 Grevenmacher, R.C.S. Luxembourg B 144133. By selecting this payment option, you give your consent to the transfer of personal data required to process payment. The data is transferred for the purpose of processing payment.

Duration of storage of your data

We only process and store your personal data for as long as it is required to fulfil our contractual and legal obligations or to reasonably carry out the purposes for which it was collected. If the reason for storage ceases to apply, your personal data will be erased by us on a regular basis unless it is necessary to keep processing it for a further, limited period of time in order to satisfy retention obligations under commercial and tax laws or to preserve evidence in accordance with statutes of limitation.

Protection of your personal data

We endeavour to implement appropriate protective measures to ensure the security, integrity and confidentiality of the information that you provide. For this reason, we have established technological security strategies that are intended to protect the personal information that we draw from you. Furthermore, we uphold security measures that require compliance with applicable data protection regulations. Your personal data is transferred over the Internet via SSL in an encrypted format during the order process and in mytonies. We secure our website and other systems against loss, destruction, access, modification and dissemination of your data by unauthorised persons using technical and organisational measures.

It is only possible to access your Tonie-Account after entering your personal password. The same applies to the app. You should always treat your log-in details as confidential and close your browser window when you have finished communicating with us, especially if you share your computer, tablet or smartphone with others.

Job applications

You can also apply for a job within our company by electronic means. We have contracted Personio GmbH, Rundfunkplatz 4, 80335 Munich, to support us with IT services for the application and recruitment processes. Detailed information about data protection at Personio can be found here. Your details are of course only ever used to process your application and generally are not shared with third parties. Please note that emails sent without encryption are transferred in a manner that is not protected against unauthorised access. For this reason, you should use the application form provided by us for the purpose at tonies.de and consider the dedicated privacy policy applicable to applications sent to us. This policy contains extensive information about data protection in connection with job applications.

Children’s Information

Although our services are intended to be enjoyed by users of all ages, we only collect personal information from adult users, and do not knowingly collect personal information from children under 16 (or other age as required under applicable law) as part of our services. Users may not upload audio of a child or other personal information that may identify a child without first obtaining the explicit consent of that child’s parent or guardian. Parents or guardians should supervise their children’s use of our services at all times.

If you are a parent or guardian and learn that your child has provided us with personal information without your consent, you may contact us as set forth below. If we learn that we have collected any personal information from a child in violation of applicable law, we will promptly take steps to delete such information, unless we have a legal obligation to retain it, and terminate the child’s account as applicable.

The following section applies to our US customers and supplements our Data Protection Policy.

Your Choices regarding Cookies.

You may stop or restrict the placement of cookies and similar technologies on your device or remove them by adjusting your preferences as your browser or device permits. However, if you adjust your preferences, our services may not work properly. Please note that cookie-based opt-outs are not effective on mobile applications. However, you may opt-out of personalized advertisements on some mobile applications by following the instructions for Android, iOS, and others.

The online advertising industry also provides websites from which you may opt out of receiving targeted ads from companies that participate in self-regulatory programs. You can access these and learn more about targeted advertising and consumer choice and privacy by visiting the Network Advertising Initiative and the Digital Advertising Alliance.

Supplemental Notice for California Residents

This Supplemental Notice for California Residents supplements our Data Protection Policy and only applies to our processing of personal information that is subject to the California Consumer Privacy Act of 2018 (as amended from time to time) (“CCPA”).

The CCPA provides California residents with the right to know what categories of personal information Tonies has collected about them, whether Tonies disclosed that personal information for a business purpose (e.g., to a service provider), whether Tonies “sold” that personal information, and whether Tonies “shared” that personal information for “cross-context behavioral advertising” in the preceding twelve months. California residents can find this information below:

Category of Personal Information Collected Examples Category of Third Parties to Whom We Disclose Information

A. Identifiers. A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers. Service Providers, Data analytics providers, Advertising networks

B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). A name or address. Service Providers

C. Protected classification characteristics under California or federal law. Age (40 years or older) Service Providers, Data analytics providers

D. Commercial information. Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. Service Providers, Data analytics providers, Advertising networks

E. Internet or other electronic network activity. Profile reflecting a consumer’s preferences. Service Providers, Data analytics providers, Advertising networks

F. Inferences drawn from other personal information to create a profile about a consumer. Profile reflecting a consumer’s preferences. Service Providers, Data analytics providers, Advertising networks

The categories of sources from which we collect personal information and our business and commercial purposes for using and disclosing personal information are set forth in “Data usage in detail” and “Purpose and legal basis for processing your data” above, respectively. We will retain personal information in accordance with the time periods set forth in “Duration of storage of your data”.

We “sell” and “share” your personal information to provide you with “cross-context behavioral advertising” about Tonies’ products and services.

Additional Privacy Rights for California Residents

Opting Out of “Sales” of Personal Information and/or “Sharing” for Cross-Context Behavioral Advertising under the CCPA. California residents have the right to opt out of the “sale” of personal information and the “sharing” of personal information for “cross-context behavioral advertising.” California residents may exercise these rights by visiting the following website: https://us.tonies.com/pages/ccpa-compliance, by using our cookie preference configuration tool, or by otherwise contacting us.

Disclosure Regarding Individuals Under the Age of 16. Tonies does not have actual knowledge of any “sale” of personal information of minors under 16 years of age. Tonies does not have actual knowledge of any “sharing” of personal information of minors under 16 years of age for “cross-context behavioral advertising.”

Disclosure Regarding Opt-Out Preference Signals.

Disclosure Regarding Sensitive Personal Information. Tonies only uses and discloses sensitive personal information for the following purposes:

To perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services

To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, and or confidentiality of stored or transmitted personal information.

To resist malicious, deceptive, fraudulent, or illegal actions directed at Tonies and to prosecute those responsible for those actions.

To ensure the physical safety of natural persons.

To verify or maintain the quality or safety of a product, service, or device that is owned, manufactured, manufactured for, or controlled by Tonies, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by Tonies.

For purposes that do not infer characteristics about individuals.

Non-Discrimination. California residents have the right not to receive discriminatory treatment by us for the exercise of their rights conferred by the CCPA.

Authorized Agent. You, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. To designate an authorized agent, please contact us as set forth in the section “Controller’s name and address and whom you can contact” above and provide written authorization signed by you and your designated agent.

Verification. To protect your privacy when you make a request, we will ask you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, which may include asking you to answer questions regarding your use of our services.

Refer-a-Friend and Similar Incentive Programs. We may offer referral programs or other incentivized data collection programs. For example, we may offer incentives to you such as discounts or promotional items or credit in connection with these programs, wherein you provide your personal information in exchange for a reward, or provide personal information regarding your friends or colleagues (such as their email address) and receive rewards when they sign up to use our Services. (The referred party may also receive rewards for signing up via your referral.) These programs are entirely voluntary and allow us to grow our business and provide additional benefits to you. The value of your data to us depends on how you ultimately use our Services, whereas the value of the referred party’s data to us depends on whether the referred party ultimately becomes a User of our Services. Said value will be reflected in the incentive offered in connection with each program.

Exercising Your Rights Under the CCPA. If you are a California resident and would like to exercise any of your rights under the CCPA, please contact us as set forth in the section “Controller’s name and address and whom you can contact” above. We will process such requests in accordance with applicable laws.

Information for residents of Nevada

If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Information to third parties who intend to license or sell that Personal Information. You can exercise this right by contacting us at privacy.us@tonies.com with the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account. Please note that we do not currently sell your Personal Information as sales are defined in Nevada Revised Statutes Chapter 603A

Updated July 2024

Data protection policy for United States of America

About

Info

Shop

Login

Register