Data controller and general information
Data are processed by the Bonial International GmbH (“we” or “us”)
represented by CEO Maximilian Biller
as service provider in the sense of the German Telemedia Act (TMG) and data controller in terms of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (Data Protection Regulation, “GDPR”). The term "OOM" in this document means www.outofmilk.com and the various apps OOM, each including all available services, contents and functionalities. Specific parts of OOM are hereinafter referred to as "online services".
Our services are intended for adult consumers and not for children. We do not knowingly collect personal data of users that are children in accordance with the national legislation.
Collection and processing of personal data
In general, you can use online services for which no payment or registration is required without providing personal information. In certain cases, we process the personal data listed below. This is done in principle only to the extent necessary to provide a functioning website or app and our content and services. In addition, we process personal data related to the use of OOM if you provide it voluntarily, e.g. as part of a registration, a request to us, a job application or the completion of a subscription, or because a different legal basis exists (see paragraph 4). If you do not want your data processed as described, you cannot use our services or cannot take full advantage of them.
Categories of data processed
Once you use OOM, our system automatically collects information from the computer system of the calling computer. The following data are collected among others:
- user's browser type, language and version
- user's operating system
- the IP address of the user’s device
- date and time (time zone)
- access status / http status code
- websites from which the user's system reaches our website
- websites and events that are requested by the user's system via our website (e.g. certain offers, supermarkets, regions)
- search requests by the user and search results
- location region of the user (to the extent enabled by user)
- login of the user (if used)
- volume data transmitted
- web analytics data and pseudonymous user profiles (IDs)
- errors, technical malfunctions
Furthermore, we process the following personal data in case of a contractual relationship between you and us or if you have otherwise transmitted the data to us, e.g. via login, newsletter or contact form.
We store the data in our log files. If an error occurs at an interface query, we also log the ID (pseudonymous identification), the IP address and the relevant HTTP request and, if used, the email of requesting user to enable subsequent error analysis and correction.
Legal reasons and purpose of processing
We process your data solely on the basis of one or more of the possible legal bases.
According to GDPR personal data may be processed in particular because of a contract or the implementation of pre-contractual measures, if there is an agreement, due to a legitimate interest or a law, and to protect the vital or public interests.
Users can register at OOM using login services as mentioned below. The collection and processing of this data is for the fulfillment of the usage agreement between us and the user, art. 6 para. 1 lit. b GDPR.
Your e-mail address collected during registration or during the performance of the contract is also used to generally notify you by e-mail about our own similar goods or services, as well as existing subscriptions or OOM. The processing of the e-mail address in this case is based on our legitimate interest in the application of our goods and services (art. 6 para. 1 lit. f GDPR).
We also use your e-mail address to send you our newsletter if you have given us your prior express consent to receive a newsletter or advertising. In this case, we use your email address to send you the newsletter as desired (art. 6 para. 1 lit. b GDPR). You can withdraw your consent to the use of your e-mail address for such purposes at any time in writing or in text form at the above contact details with effect for the future.
On the internet, each device needs to transfer data with a unique address, called an IP address. The at least temporary storage of the IP address is technically required to enable delivery of the site to the computer of the user. Our servers store your IP address for up to 8 weeks for our own security and billing purposes before pseudonymization by servers, because the repeated automated reading of websites (so-called scraping) is made more difficult by recording the IP address. Moreover, we record (without passing this on to our advertisers) whether users repeatedly click certain advertisements.
The purpose of our services is to show users regionally relevant information. This so-called geo-localization, that is the assignment of a visit of a website to the place of such visit, is provided on the basis of the anonymous IP address and within the geographical level of regions. Moreover, the user can give consent for detecting the actual location of the device and withdraw such consent by means of the device.
Data processing operations that are not covered by one or more of the aforementioned legal bases are carried out when necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (art. 6 lit. f GDPR). A legitimate interest is deemed to exist if the data subject is a client of OOM (usage agreement). If processing of personal data is based on this, our legitimate interest is in particular the implementation of our business towards the welfare of all our employees and our shareholders.
Our legitimate interest in being able to offer tailor-made products, to inform you of our products, innovations and quality characteristics, and to constantly improve our services and products, thereby also increasing our revenue, is the legal basis for processing data for the purposes of big data, direct marketing (own advertising and advertising of third parties), usage-based online advertising, web analytics and advertising scoring (merging of different selection criteria for the appropriate advertising). Through cookies (including those that are not technically necessary), we learn how the website is used and how we can constantly improve our services. We recognize which advertising prompted a visit to our website (so-called conversion tracking). In relation to the data of the advertising campaigns, we can identify how successful the individual advertising measures are. By doing so, we are pursuing the interest to show you ads that are of interest to you, to make our website more interesting and easier for you to use, and to achieve a fair calculation of advertising costs. For details on advertising and analysis services, see below.
Another legitimate interest is the functionality of the business processes, due to which data are processed for internal management purposes (e.g. accounting).
The processing of personal data within our company group is necessary and appropriate according to art. 6 para. 1 lit. f GDPR (cf. recital 49).
You have the right to object to processing of personal data based on a legitimate interest at any time (see below).
In the event that the data are processed for a purpose other than the one specified at data collection, we will conduct a compatibility check pursuant to art. 6 para. 4 GDPR. Further processing is then only permissible when the new purpose is compatible with the original purpose or is allowed due to a separate legal basis. Recognized compatible purposes include, among others, the establishment, exercise or defense of civil claims unless there is an overriding interest of the person concerned. In this case, we will inform you of the change in purpose. If the new purpose is incompatible with the purpose specified at collection, the data are collected anew on a new legal basis. Again, we will inform you of the change in purpose.
Place of processing
We do not transfer your personal data to countries outside the European Economic Area except in cases where it is permitted by the GDPR. Whether third parties with whom you have your own contractual relationship (such as with Facebook, if you have a Facebook account) transfer data to countries outside the European Economic Area, is neither under our control nor in our knowledge.
We process data in states outside the European Economic Area ("EEA"). In order to ensure the protection of your personal information in the context of data transfers, we agree in contractual relationships with the recipients in third countries to standard contractual clauses of the European Commission in accordance with art. 46 para. 2 lit. c GDPR. By decision of 12 July 2016, the European Commission determined that an adequate level of protection exists under the provisions of the EU-US Privacy Shield (adequacy decision, art. 45 GDPR). More information, including the certification of service providers used by us, is available at https://www.privacyshield.gov.
Transfer of your data to third parties
We transmit your personal information to third parties only if (i) the transfer is necessary to fulfill our contractual obligations to you, (ii) we are entitled to by law, or (iii) you have given us your consent.
We process personal data within our corporate group, including by OOM International GmbH, Berlin, Germany.
In certain cases, we also use external service providers who are engaged by us, as data processors. Such service providers are contractually obliged by us to the strict specifications of GDPR as data processors and may not use your data for any other purpose.
The transfer of data to processors is made on the basis of art. 28 para. 1 GDPR, or based on our legitimate interests in using specialized processors and technical advantages, art. 6 para. 1 lit. f GDPR.
To the extent we are required by law or it is permitted by data protection laws, we will transmit personal data to authorities, such as the police or public prosecutor (art. 6 para. 1 lit. c GDPR). Sharing this data is based on our legitimate interest in combating abuse, the prosecution of criminal offenses and the assurance, assertion and enforcement of claims, provided that your rights and interests in the protection of your personal data do not prevail, art. 6 para. 1 lit. f GDPR.
Cookies and similar technologies
We use two types of cookies: on the one hand technically necessary cookies, without whose use the functionality of our site would be restricted, and on the other hand optional cookies to make our website more user-friendly. By analyzing cookies we learn how the site is used and can constantly improve our services. For more information on the individual analysis services see below.
You can turn off or limit the processing of cookies by the service providers we use via the links above. The objection is valid as long as the associated “opt out cookie” is not deleted. This cookie is set for the domain, the browser and device. If you access our website from multiple devices and browsers, you must therefore object to data collection separately on each of these devices and in each browser.
When using apps a comparable function is implemented instead of the cookie.
Advertising and analytics services
We use some services that collect data on our website or in the app and analyze it for us. This is implemented to improve our content and adapt our services to the interests of our users, as well as to remunerate our services.
Some of these service providers are themselves responsible for the data protection. Others process the pseudonymous user data based on a data processing agreement with us. You can always disable the individual analysis services for the future. Below you can find out details about the analytical services we use:
We use Sentry for tracking errors and crashes. This service is operated by Functional Software, Inc., 132 Hawthorne Street, San Francisco, California 94107, USA. Sentry adheres to the Privacy Shield. Sentry tracks based on cookie technology and reports to us in case of technical malfunctions. This is used for error aggregation and finding problems in the production code. Sentry sends out summary reports for new error types. Each error carries the information needed to reproduce it, including user IDs and request details (e.g. IP address and email if required).
For further information see https://sentry.io/privacy/
OOM own analysis technology
OOM stores pseudonymous data for user profiles and uses this to recognize users with comparable services from OOM. This is based on cookies.
You may object to the analysis technology by opting out from your user profile.
Social Networks and Google Maps
You can also find us on social networks. A social network is a social meeting place operated on the Internet, an online community that usually allows users to communicate with each other and interact in virtual space. A social network can serve as a platform for exchanging views and experiences or allow the Internet community to provide personal or business-related information.
We have integrated social network services of Facebook on this website.
Facebook is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. If a data subject lives outside the US or Canada, the controller for the processing of personal data is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland.
With our website, we provide users the ability to register by providing personal information.
Logging in and creating an account is necessary in order to save a shopping list to Out of Milk’s back-end so a user can access the list from any device, and share the list with others.
You can register via login service providers that connect the profile of the logged-in user with our service. The data listed below are processed by the service providers listed below and transmitted to us. Specifically:
Facebook Connect may be used by registered Facebook users.
Google User Login
Amazon Cognito of Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, USA, is used to manage the log-in accounts. This is part of a data processing agreement and appropriate level of data protection (see above regarding the EU-US Privacy Shield). For more information: https://aws.amazon.com/de/cognito/. The processing by the Amazon Cognito service takes place in our legitimate interest.
Contact by form and email
We provide a contact form. In case of a message, its content, the IP address of the device and the date are sent to us and saved. Alternatively, contact via the provided email address is possible. The data will (only) be used for the processing of the conversation.
We store personal data only as long as we are entitled to and as long as it is necessary for the processing purpose. The relevant legal retention period applies for the duration of the storage of personal data. After the deadline, the relevant data is routinely deleted, provided it is no longer required to fulfill the contract or contract negotiations.
Contact information and your rights as a data subject
For any questions or suggestions concerning data protection, and to enforce your rights, please contact our data protection officer:
Bonial International GmbH
Data Protection Officer
Right of access (art. 15 GDPR) and right to rectification (art. 16 GDPR)
You can obtain from us at any time free of charge confirmation as to whether or not personal data concerning you are being processed. Where that is the case, you get access to the personal data. You may request a copy of the stored data. You can also rectify inaccurate data and complete it.
Right to erasure (‘right to be forgotten’) (art. 17 GDPR)
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay if one of the grounds according to art. 17 (i) GDPR applies. Please note that the erasure shall not apply to the extent that processing is necessary. In case your data is still required for legal purposes, it will be marked with the aim of limiting their processing in future.
Right to data portability (art. 20 GDPR)
If applicable, you also have the right to have the personal data concerning you transmitted in a structured, consistent and machine-readable format to you or to another controller if the processing is based on consent or a contract and is carried out through automated procedures. However, this does not apply if the processing is not necessary for the performance of a task carried out in the public interest or done in the exercise of official authority, which has been transferred to the person responsible. You also have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Right to withdraw consent and to object (art. 21 GDPR)
You may withdraw your consent to process your data at any time with effect for the future. Specifically, you can opt out of the use of your email address for the purpose of newsletter mailings at any time by writing to email@example.com or Bonial International GmbH, Hussitenstraße 32-33, 13355 Berlin (without incurring other costs than the transmission costs for the base rates).
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on art. 6 (1) point (e) or (f) GDPR (legitimate interest), including profiling based on those provisions. In this case the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Please use our contact details mentioned above.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Please use our contact details mentioned above.
Right to lodge a complaint with a supervisory authority (art. 77 GDPR)
You may lodge a complaint with the supervisory authority. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to art. 78 GDPR.
Automated individual decision-making, including profiling (art. 22 GDPR)
There is no automated individual decision-making, including profiling, used by OOM according to art. 22 GDPR.
Validity of this data protection declaration
Date: May 25, 2018