Privacy Policy of Out of Milk (“OOM”)

We are very pleased about your interest in OOM. In order to offer OOM, we need some information about you. We take the protection of personal data very seriously and handle these cases in compliance with applicable data protection regulations, in particular the EU Data Protection Regulation. This privacy policy provides you with full information about the nature, scope and purpose of we process personal data and your rights as a data subject.

• Data controller and general information

  Data are processed by the Bonial International GmbH (“we” or “us”)
  represented by CEO Maximilian Biller
  Hussitenstraße 32-33
  13355 Berlin
  Email: dataprotection@outofmilk.com

  as service provider in the sense of the German Telemedia Act (TMG) and data controller in terms of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (Data Protection Regulation, “GDPR”). The term "OOM" in this document means www.outofmilk.com and the various apps OOM, each including all available services, contents and functionalities. Specific parts of OOM are hereinafter referred to as "online services".

  Our services are intended for adult consumers and not for children. We do not knowingly collect personal data of users that are children in accordance with the national legislation.

• Collection and processing of personal data

  In general, you can use online services for which no payment or registration is required, without providing personal information. In certain cases, we process the below listed personal data. This is done in principle only to the extent necessary to provide a functioning website or app and our content and services. In addition, we process personal data related to the use of OOM if you provide it voluntarily, e.g. as part of a registration, a request to us, a job application or in the completion of a subscription, or because a different legal basis exists (see paragraph 4). If you do not want your data processed as described, you can not use our services or do not take full advantage of.

• Categories of data processed

  Once you use OOM, our system automatically collects information from the computer system of the calling computer. The following data are collected among others:

  • user's browser type, language and version
  • user's operating system
  • the IP address of the user’s device
  • date and time (time zone)
  • access status / http status code
  • websites from which the system of the user on our website reaches
  • websites and events that are requested by the user's system via our website (e.g. certain offers, supermarkets, regions)
  • search requests by the user and search results
  • location region of the user (to the extend enabled by user)
  • login of the user (if used)
  • volume data transmitted
  • web analytics data and pseudonymous user profiles (IDs)
  • errors, technical malfunctions

  Furthermore, we process the following personal data in case of a contractual relationship between you and us or you have the data transmitted to us otherwise e. g. login, newsletter or contact form.

  We store the data in our log files. If an error occurs at an interface query, we also log the ID (pseudonymous identification), the IP address and the relevant HTTP request and, if used, the email of requesting user to enable subsequent error analysis and correction.

• Legal reasons and purpose of processing

  We process your data solely on the basis of one or more of the possible legal basis.

  According to GDPR personal data may be processed in particular because of a contract or the implementation of pre-contractual measures, if there is an agreement, due to a legitimate interest or a law, and to protect the vital or public interests.

  Users can register at OOM using login services as mentioned below. The collection and processing of this data is for the fulfillment of the usage agreement between us and the user, art. 6 para. 1 lit. b GDPR.

  Your e-mail address collected during registration or during the performance of the contract is used also to generally notify you by e-mail about own similar goods or services, as well as existing subscriptions or OOM. The processing of the e-mail address in this case is based on our legitimate interest in the application of our goods and services (art. 6 para. 1 lit. f GDPR).

  We also use your e-mail address to send you our newsletter if you have given us your prior express consent to receive a newsletter or advertising. In this case, we use your email address to send you the newsletter as desired (art. 6 para. 1 lit. b GDPR). You can withdraw your consent to the use of your e-mail address for such purposes at any time in writing or in text form at the above contact details with effect for the future.

  On the internet, each device needs to transfer data with a unique address, called an IP address. The at least temporary storage of the IP address is technically required to enable delivery of the site to the computer of the user. Our server store your IP address for up to 8 weeks for our own security and billing purposes before pseudonymization by servers. Because the repeated automated reading of Web sites (so-called. Scraping) is complicated by acquiring the IP address. Moreover, we collect (without passing on to our advertisers) if users repeatedly click certain advertisements.

  Purpose of our services is to show users regionally relevant information. This so-called geo-localization, that is the assignment of a visit of a website to the place of such visit, is provided on the basis of the anonymous IP address and within the geographical level of regions. Moreover, the user can give the consent for detecting the actual location of the device and withdraw such consent by means of the device.

  Data processing operations that are not covered by one or more of the aforementioned legal bass, are carried out when it is necessary for the purposes of the legitimate interests pursued by the us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (art. 6 lit. f GDPR). A legitimate interest is deemed to exist if the data subject is a client of OOM (usage agreement). If processing of personal data is based on this, our legitimate interest is in particular the implementation of our business towards the welfare of all our employees and our shareholders.

  Our legitimate interest to be able to offer tailor-made products, to inform you of our products, innovations and quality characteristics, and constantly improve our services and products, thereby also increase our revenue, is the legal basis for processing data for the purposes of big data, direct marketing (own Advertising and advertising of third parties), usage-based online advertising, web analytics and advertising scoring (merging of different selection criteria for the appropriate advertising). By (also not technically necessary) cookies, we learn how the website is used and how we can improve our services constantly. We recognize that advertising prompted to visit our website (so-called. Conversion tracking). We can identify in relation to the data of the advertising campaigns, how successful the individual advertising measures are. By doing so, we are pursuing the interest to show you ads that are of interest to you, to make our website more interesting and easier for you and to achieve a fair calculation of advertising costs. For advertising and analysis services in detail see below.

  Another legitimate interest is the functionality of the business processes, due to which data are processed for internal management purposes (e.g. accounting).

  The processing of personal data within our company group is necessary and appropriate according to art. 6 para. 1 lit. f GDPR (see FIG. recital 49).

  You have the right to object to processing of personal data based on a legitimate interest at any time (see below).

  In the event that the data are processed for another purpose as specified in the data collection purposes, we will conduct a compatibility check pursuant to art. 6 para. 4 GDPR. Further processing is then only casually when the original purpose of the new purpose is compatible or allowed due to a separate legal basis. Recognized compatible purposes include among others the establishment, exercise or defense of civil claims unless there is an overriding interest of the person concerned. In this case, we will inform you of the change in purpose. Is the new purpose incompatible with the specified collection for the purpose, a new survey is due to a new legal basis. Again, we will inform you of the change in purpose.

• Place of processing

  We do not transfer your personal data to countries outside the European Economic Area except in cases where it is permitted by the GDPR. Whether third parties with whom you have your own contractual relationship (such as with Facebook, if you have a Facebook account) transfer data to countries outside the European Economic Area, is neither under our control nor in our knowledge.

  We process data in states outside the European Economic Area ("EEA"). In order to ensure the protection of your personal information in the context of data transfers, we agree in contractual relationships with the recipients in third countries to standard contractual clauses of the European Commission in accordance with art. 46 para. 2 lit. c GDPR. The European Commission has made by order of 12. July 2016 the decision that under the provisions of the EU-US Privacy Shields an adequate level of protection exists (adequacy decision, art. 45 GDPR). More information - including the certification of service providers used by us - get you under https://www.privacyshield.gov.

• Transfer of your data to third parties

  We transmit your personal information to third parties only if (i) the transfer is necessary to fulfill our contractual obligations to you, (ii) we are entitled by law to, (iii) or you have given us your consent.

  We process personal data within our corporate group, including by OOM International GmbH, Berlin, Germany.

  In certain cases, we also use external service providers who are engaged by us, as data processors. Such service providers are contractually obliged by us to the strict specifications of GDPR as data processors and may not use your data for any other purpose.

  The transfer of data to processors are made on the basis of art. 28 para. 1 GDPR, or based on our legitimate interests using specialized processors and technical advantages, art. 6 para. 1 lit. f GDPR.

  To the extent we are required by law or it is permitted by data protection laws, we will transmit personal data to authorities, such as the police or public prosecutor (art. 6 para. 1 lit. c GDPR). Sharing this data is based on our legitimate interest in combating abuse, the prosecution of criminal offenses and the assurance, assertion and enforcement of claims provided that your rights and interests in the protection of your personal data are not predominate, art. 6 para. 1 lit f GDPR.

• Cookies and similar technologies

  We use cookies. Cookies are small files stored by your browser on your device in a designated directory. By cookies can be determined if you visited a site before. If you agree, login information for an online service can be saved in cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string by which websites and servers can be assigned to specific internet browser, in which the cookie is saved. This enables the visited websites and servers to distinguish the individual browser of the person affected from other internet browsers containing other cookies. A specific internet browser can be recognized through the unique cookie ID and identified.

  We use two types of cookies. On the one hand technical necessary cookies, without there use the functionality of our site would be restricted, and optional cookies to make our website more user-friendly. By analyzing cookies we learn how the site is used and can improve our services constantly. For more information on the individual analysis services see below.

  Advertisements are usually provided by third party. This may and to the extent permitted by your device settings use information about your visits so that ads can appear on products and services that you may be interested. Specific contact information such as your name, address, or phone number won’t be transferred unless stated otherwise in this privacy policy.

  You can always prevent the use of cookies by us by the settings of the internet browser used and thus contradict permanently the use of cookies. Furthermore, already set cookies can be deleted within the browser or by other software every time. If you disable the use of cookies in the browser, not all features of our website are fully usable with.

  You can turn off or limit the processing of cookies in we use service providers using the links above. The objection is valid as long as the associated “opt out cookie” is not deleted. This cookie is set for the domain, the browser and device. If you access our website from multiple devices and browsers, you must therefore contradict separately and again on each of these devices and in any browser data collection.

  When using apps a comparable function is implemented instead of the cookie.

  You cannot identify a person by cookies. The use of cookies is justified on the basis of our legitimate interest in a customized design and statistical analysis of OOM (art. 6 para. 1 lit. f GDPR).

• Advertising and analytics services

  We use some services that collect data on our website or in the app and analyze it for us. This is implemented to improve our content and adapt our services to the interests of our users, as well as remunerate our services.

  Some of these service providers are themselves responsible for the data protection. Others process the pseudonymous user data based on an data processing agreement with us. You can always disable the individual analysis services for the future. Below you can find out details about the analytical services we use:

  Below you can find out details about the analytical services we use:

  Adjust

  We use the analysis technology adjust of the adjust GmbH, Saarbrücker Str. 36, 10405 Berlin. The adjust service has been tested according to the ePrivacy seal (European Seal for your privacy) and certified (see http://www.eprivacy.eu/vergebene-siegel/). Adjust collects installation and event data. It creates anonymous evaluations and graphics on the number of visits, number of pages viewed per user or open app so on. We use this information solely for our own market research and the optimization and the customized design of the website or app uses. For such an analysis Adjust uses your anonymous IDFA or Android ID as well as your anonymous IP and MAC address. It is not possible to identify you individually. You opt-out here: https://www.adjust.com/opt-out/.

  Google Analytics

  We use Google Analytics, a web analytics service provided by Google. Google Analytics also uses cookies, which enable the analysis of the user's navigation through and use of the website. The data generated by the cookie about your use of this website (including your IP address) is generally transferred and stored on a Google server in the USA. OOM has activated IP anonymisation on the websites via the supplemental code “ga('set', 'anonymizeIp', true)” so that Google will truncate your IP address (known as IP masking) within Member States of the European Union or other parties to the Agreement on the European Economic Area. In exceptional cases only, the full IP address will first be transferred to a Google server in the USA and then truncated there. Google will use this information on behalf of OOM for the purpose of analysing your use of the website, compiling reports on website activity for OOM and providing other services relating to website and Internet use. Google may also transfer this data to third parties where required to do so by law or insofar as third parties have been commissioned by Google to process this data. Any information that Google receives within the scope of Internet-based advertising and from third party providers (e.g. demographic characteristics, gender and interests) could also be included in the cookie information. Google offers a Google Analytics Opt-Out Browser Add-on, which prevents data from being collected by Google Analytics and processed by Google. This add-on can be downloaded and installed here: https://tools.google.com/dlpage/gaoptout?hl=en.

  OOM own analysis technology

  OOM stores pseudonymous data for user profiles and uses this to recognize users with comparable services from OOM. This is based on cookies.

  You may object from the analysis technology by opt-out link below. In this case for each visit a new cookie is placed thus no tracking possible anymore.

• Social Networks and Google Maps

  You can also find us on social networks. A social network is a social meeting place operated on the Internet, an online community that allows users usually communicate with each other and interact in virtual space. A social network can serve as a platform for exchanging views and experiences or allows the Internet community to provide personal or business-related information.

  We have integrated individual functions of these networks into our online services. Both can however only be used if you are registered with the respective social network and logged-in. Please note that in case of your log-in you confirm the respective social network usage and privacy policy, to which we have no control. But we can explain how the data process in this context works:

  Facebook

  We have integrated on this website social network services of Facebook.

  Operator of Facebook is the Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. For the processing of personal data is in charge if an affected person outside the US or Canada lives that Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland.

  When you visit one of our pages the plugin establishes a direct connection between your browser and the Facebook server. Thus, Facebook receives the information that you (your IP address) visited our website. If you click the Facebook “Like” button while logged in to your facebook account you can link content from our pages to your Facebook profile. This enables Facebook to associate your visit to our pages with your user account. Please note that we as provider of the pages have no knowledge as to the contents of the submitted data or its use by Facebook. For further information please see Facebook’s privacy policy at http://de-de.facebook.com/policy.php. If you do not want Facebook to associate the data concerning your visit to our website with your member data, please log off Facebook before entering our website.

• Login

  With our website, we provide users the ability to register by personal information.

  Logging in and creating an account is necessary in order to save a shopping list to Out of Milk’s back-end so a user can access the list from any device, and share the list with others.

  You can register with by login service providers connecting the profile of the logged in user with our service. The data listed below are processed by service providers listed below and transmitted to us. Specifically:

  Facebook Connect

  Facebook Connect may be used by registered Facebook users.

  Facebook Connect is operated by Facebook Ireland Limited, 5-7 Hanover Quay, Dublin 2, Ireland. The use of Facebook Connect is subject to the privacy policy and terms of use of Facebook. If you decide to register with your Facebook account, you will be routed directly to Facebook. There, Facebook asks to specify the credentials and log in to Facebook or register. If you are already connected with Facebook, this query is skipped for registration. Important: We will not get a login information. When logging in using Facebook Connect Facebook profile data, according to Facebook’s definition of "public information" https://www.facebook.com/about/privacy/your-info/) will be transmitted from your Facebook profile to us. "Public" means in the context of Facebook is that everyone can see this data outside of Facebook. This includes your name, your profile and cover picture, gender, networks, user name (Facebook URL) and user identification number (Facebook ID). Conversely, data from us can be transferred to your Facebook profile. By signing up through Facebook Connect with us, we store and process your data transmitted to us for the purpose of registration.

  The following data of Facebook is sent to us: email address, gender, age range and any information that identifies the user on Facebook as "public". The use of Facebook Connect is subject to the privacy policies of Facebook. Facebook processes the data on your behalf. This is done in the appropriate level of data protection (see above to EU-US Privacy Shield). For more information about Facebook Connect and the privacy settings, read the privacy policy of Facebook: https://de-de.facebook.com/about/privacy/.

  Google User Login

  From Google The following data is transmitted to us: E-mail address, gender, age range. Google processes the data on your behalf. This is done in the appropriate level of data protection (see above to EU-US Privacy Shield). Using Google sign-in is subject to the privacy policy of Google, which is available here: https://www.google.com/intl/de/policies/privacy/.

  Amazon Cognito

  Amazon Cognito of Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, USA, is used to manage the log-in accounts. This is part of an data processing agreement and appropriate level of data protection (see above to EU-US Privacy Shield). For more information: https://aws.amazon.com/de/cognito/. The processing by service Amazon Cognito takes place in our legitimate interest.

• Contact by form and email

  We provide a contact form. In case of a message its content, the IP address of the device and the date is sent to us and saved. Alternatively, a contact via the provided email address is possible. The data will (only) be used for the processing of the conversation.

  We use the software as a service of Zendesk Inc. Software, 1019 Market St San Francisco, CA 94103 ( "Zendesk") to handle customer inquiries. Emails from customers are processed by Zendesk based on an data processing agreement and appropriate level of data protection (see to EU-US Privacy Shield above). For more information on data processing by Zendesk, see the privacy policy of Zendesk under http://www.zendesk.com/company/privacy.

• Storage limitation

  We store personal data only as long as we are entitled to and the processing purpose is necessary. The relevant legal retention period applies for the duration of the storage of personal data. After the deadline, the relevant data is routinely deleted, provided it is no longer required to fulfill the contract or contract negotiations.

• Contact information and your rights as a data subject

  Please contact for any questions or suggestions concerning data protection and to enforce your rights our data protection officer:

  Bonial International GmbH
  Data Protection Officer
  Hussitenstraße 32-33
  13355 Berlin
  Email: dataprotectionofficer@outofmilk.com

  1. Right of access (art. 15 GDPR) and right to rectification (art. 16 GDPR)

     You can obtain from us at any time free of charge confirmation as to whether or not personal data concerning you are being processed. Where that is the case, you get access to the personal data. You may request a copy of the stored data. You can also rectify inaccurate data and complete it.

  2. Right to erasure (‘right to be forgotten’) (art. 17 GDPR)

     You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay if one of the grounds according to art. 17 (i) GDPR applies. Please note that the erasure shall not apply to the extent that processing is necessary. In case your data is still required for legal purposes, it will be marked with the aim of limiting their processing in future.

  3. Right to data portability (art. 20 GDPR)

     If applicable, you also have the right that the personal data concerning you shall be transmitted in a structured, consistent and machine-readable format to you or another responsible if the processing on the consent or a contract is based and is carried out through automated procedures. However, this does not apply if the processing is not necessary for the performance of a task carried out in the public interest or done in the exercise of official authority, which has been transferred to the person responsible. You also have the right to obtain, that the personal data transmitted directly from one controller to another, where technically feasible.

  4. Right to withdraw consent and to object (art. 21 GDPR)

     Your may withdraw your consent to process your data at any time with effect for the future. Specifically, you can opt-out the usage of your email address for the purpose of newsletter mailings at any time to datenschutz@bonial.de or Bonial International GmbH, Hussitenstraße 32-33, 13355 Berlin (without incurring other costs than the transmission costs for the base rates).

     You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning your which is based on art. 6 (1) point (e) or (f) GDPR (legitimate interest), including profiling based on those provisions. In this case the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Please use our contact details mentioned above.

     Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Please use our contact details mentioned above.

  5. Right to lodge a complaint with a supervisory authority (art. 77 GDPR)

     You lodge a complaint with the supervisory authority. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to art. 78 GDPR.

  6. Automated individual decision-making, including profiling (art. 22 GDPR)

     There is no automated individual decision-making, including profiling, used by OOM according to art. 22 GDPR.

  7. Validity of this data protection declaration

     We reserve the right to change this privacy policy from time to time. The current version is available on our website. If a change significantly restricts the rights of registered users, we will notify them. Furthermore, the current privacy policy is valid for our users.

Date: May 25, 2018