**Privacy Policy**

1. Information on the Collection of Personal Data and Contact Details of the Controller  
2. Data Collection When Visiting Our Website  
3. Contacting Us  
4. Cookies  
5. Data Processing for Order Fulfillment  
6. Data Processing for Account Creation and Contract Execution  
7. Contact for Review Reminders  
8. Use of Social Media: Social Plugins  
9. Use of Rating and Certification Graphics  
10. Tools and Miscellaneous  
11. Rights of the Data Subject  
12. Duration of Personal Data Storage  

---

### 1. Information on the Collection of Personal Data and Contact Details of the Controller
1.1 Thank you for visiting our website. The following information provides details on how we handle your personal data during your use of our website. Personal data generally includes all data that can be used to identify you personally.

1.2 The data controller responsible for processing data on our website in accordance with the General Data Protection Regulation (GDPR) is:

   **Willi Weber**  
   Sternstr. 57a  
   53111 Bonn  
   Germany  
   Tel.: 0228-9650317  
   Email: info@bonner-cigarrenhaus.de  

1.3 To protect the security of your data during transmission, we use encryption methods in line with the latest technology (e.g., SSL or TLS) via HTTPS.

---

### 2. Data Collection When Visiting Our Website
Each time our website is accessed, our system automatically collects data and information sent by your browser to our server (known as “server log files”). The following data, which is technically necessary for us, is collected:

- Our website visited
- Date and time of access
- Volume of data sent in bytes
- Source/link from which you arrived at the site
- Operating system used
- Browser used
- IP address used (if applicable, in anonymized form)

The legal basis for processing is Article 6(1)(f) of the GDPR due to our legitimate interest in improving the stability and functionality of our website. This data is not passed on or used in any other way. The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. For this, the user's IP address must remain stored for the duration of the session.

We reserve the right to subsequently check server log files if specific indications of unlawful use arise. The data is deleted as soon as it is no longer required to fulfill the purpose for which it was collected. When data is collected for website provision, this occurs once the respective session has ended. When data is stored in log files, this occurs no later than seven days after storage. Extended storage is possible, but in this case, IP addresses are deleted or anonymized so that the calling client can no longer be identified. The collection of data for website provision and the storage of data in log files are essential for operating the website. Users therefore have no option to object.

---

### 3. Contacting Us
When you contact us using a contact form, the data you enter in the form is transmitted to us and stored. The data collected in each case is shown in the respective entry form. When contacting us by email, only the data provided by you in the email is transferred to us.

The data is used solely to process the conversation and your request. The legal basis for processing is the user's consent in accordance with Article 6(1)(a) GDPR. For data processing required for contract-related emails, the legal basis is Article 6(1)(b) GDPR. The data is deleted once it is no longer needed to achieve the purpose for which it was collected, provided there are no legal storage requirements. For personal data from the contact form and emails, this is the case when the conversation with the user has ended, which is when it can be inferred from the circumstances that the matter in question has been conclusively resolved.

The user can withdraw their consent to the processing of personal data at any time. If the user contacts us by email, they may object to the storage of their personal data at any time. In this case, the conversation cannot continue.

### 4. Cookies

Our website uses cookies.

Cookies are text files stored on the user’s device. When a user accesses a website, a cookie may be stored on their operating system. Some features of our website cannot be provided without the use of cookies, as these are necessary for the browser to be recognized even after switching pages. The user data collected by technically necessary cookies is not used to create user profiles. This processing of personal data serves our legitimate interest under Article 6(1)(f) GDPR.

Additionally, our website may use cookies to analyze user browsing behavior (so-called third-party cookies). Further information on the scope, purpose, legal basis, and options to object can be found in the respective sections of this privacy policy.

As a user, you have full control over the use of cookies. You can disable, restrict, or delete cookies via your internet browser settings. Disabling cookies on our website may limit the full functionality of the website. Flash cookies can be disabled by adjusting the settings in the Flash Player.

Instructions for changing these settings can be found in your browser’s help menu or at the following links:

  • Internet Explorer
  • Firefox
  • Chrome
  • Safari
  • Opera

Some cookies used here are deleted after the browser is closed (session cookies). Others remain on your device and allow us or our partner companies (third-party cookies) to recognize your browser on your next visit (persistent cookies). Persistent cookies are automatically deleted after a specified duration, which can vary by cookie.


### 5. Data Processing for Order Fulfillment

5.1 If you wish to place an order in our online store, you must provide the personal data necessary for the contract's fulfillment. We process the data you provide to complete your order.

In some cases, we collaborate with external service providers to process your order. To do so, we may share the necessary personal data with them.

When we commission shipping companies to deliver your goods, we share the necessary data with the respective shipping company. For payment processing, we share your data with the relevant financial institution as required. If we use payment service providers, you will be informed of this below. The legal basis for sharing your data is Article 6(1)(b) GDPR.

  • SOFORT
    If you choose the "SOFORT" payment method, payment is processed through the payment service provider SOFORT GmbH, Theresienhöhe 12, 80339 Munich, Germany (hereinafter referred to as "SOFORT"). We share your personal data along with your order information with SOFORT solely for payment processing, as required under Article 6(1)(b) GDPR.

SOFORT GmbH is part of the Klarna Group (Klarna Bank AB (publ), Sveavägen 46, 11134 Stockholm, Sweden). SOFORT’s privacy policy can be found here: https://www.klarna.com/sofort/datenschutz


### 6. Data Processing for Customer Account Creation and Contract Execution

When you open a customer account with us, personal data is collected and processed in accordance with Article 6(1)(b) GDPR. The scope of the data is determined by the input form. The data you provide is stored and used by us for contract processing.

You may delete your customer account at any time, either by notifying the controller or, if available, directly in the customer account. In such cases, we will restrict your data in compliance with tax and commercial retention obligations and delete it once these periods expire. Only your consent for continued storage or legally permitted further use may prevent deletion.


### 7. Contact for Review Reminders

Review Reminder by Ausgezeichnet.org

With your express consent under Article 6(1)(a) GDPR, we send your email address to the review platform Ausgezeichnet.org (AUBII GmbH, Alsterufer 34, 20354 Hamburg (www.ausgezeichnet.org)). You will receive a review reminder email from Ausgezeichnet.org.

You can withdraw your consent at any time by notifying the data controller or Ausgezeichnet.org.


### 8. Use of Social Media: Social Plugins

8.1 Facebook Plugins with Shariff Solution

Our website uses social plugins (“plugins”) from the social network Facebook (Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland) (hereinafter “Facebook”).

To protect your data when visiting our website, we use the Shariff solution, which embeds buttons for these plugins using an HTML link. This ensures that a connection with Facebook’s servers is only established when you click the button, which opens the plugin in a new browser window. You may also need to log in separately. Data transfer to Facebook servers in the U.S. is possible.

Meta Platforms, Inc., located in the USA, is certified under the "EU-U.S. Data Privacy Framework" to ensure compliance with EU data protection standards. For more information, see Facebook’s privacy policy: http://www.facebook.com/policy.php and https://www.facebook.com/legal/EU_data_transfer_addendum

8.2 Instagram Plugin with Shariff Solution

We use social plugins from the online service Instagram (operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland) (hereinafter “Instagram”) on our website.

As with Facebook, we employ the Shariff solution for Instagram, only connecting with Instagram servers when you click the button. Interaction with Instagram may lead to data transfer to Meta’s servers in the U.S.

Meta Platforms, Inc. is certified under the "EU-U.S. Data Privacy Framework." For more information, see Instagram's privacy policy: https://instagram.com/about/legal/privacy/

8.3 Pinterest Plugin with Shariff Solution

We use social plugins from Pinterest (Pinterest Inc., 808 Brannan Street, San Francisco, CA, 94103, USA) (hereinafter “Pinterest”) on our website.

The Shariff solution applies here as well. This ensures data is only sent to Pinterest’s servers in the U.S. when you click the button. Data transfer is supported by the EU’s Standard Contractual Clauses. More information: https://policy.pinterest.com/de/privacy-policy#section-residents-of-the-eea

8.4 X (formerly Twitter) Plugin with Shariff Solution

Our website uses social plugins from X (X Corp., 1355 Market St, Suite 900, San Francisco, CA 94103, USA) (formerly Twitter).

The Shariff solution is applied, ensuring that a connection with X servers is only established when you click the button. Data transfer to the U.S. is supported by the EU’s Standard Contractual Clauses. Details can be found here: https://twitter.com/de/privacy


### 9. Use of Rating and Certification Graphics

Rating Seal by Ausgezeichnet.org

We integrate the Ausgezeichnet.org review seal (AUBII GmbH, Alsterufer 34, 20354 Hamburg) on our website to display any reviews collected and to allow users to submit their own reviews. Our legitimate interest is the optimal promotion of our services, with the legal basis under Article 6(1)(f) of the GDPR.

When the review seal is accessed, a technically necessary session cookie is set, which is automatically deleted after the session and serves for server allocation. No personal data is transmitted.

### 10. Tools and Miscellaneous

10.1 Google Maps

We use "Google Maps" (API) provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").

Google Maps is used to display interactive maps and create driving directions. By using Google Maps, information regarding your use of this website, including your IP address and any (starting) address entered for route planning, may be transmitted to Google. When you access a page on our website that includes Google Maps, your browser establishes a direct connection to Google's servers. The map content is transmitted by Google directly to your browser and integrated into the website. Consequently, we have no influence over the extent of data that Google collects in this manner. Based on our current knowledge, this includes at least the following data:

  • Date and time of your visit to the page,
  • Internet address or URL of the accessed page,
  • IP address and any (starting) address entered during route planning.

We have no control over the further processing and use of the data by Google and can therefore assume no responsibility for it. If you are logged into Google, your data will be directly linked to your Google account. If you do not wish this association, you must log out of Google. Google stores your data (even for users who are not logged in) as user profiles and evaluates them. Such an evaluation is conducted based on your explicit consent in accordance with Article 6(1)(a) of the GDPR.

If you do not want Google to collect, process, or use your data via our website, you can disable JavaScript in your browser settings. In this case, however, you will not be able to use the map display. For information on the purpose and scope of data collection and further processing and use of data by Google, as well as your rights in this respect and settings options for protecting your privacy, please refer to Google’s privacy policy: Google Privacy Policy.

Google's terms of service can be found here: Google Terms
The terms of use for Google Maps are available here: Google Maps Terms

Google LLC, based in the USA, is certified under the EU-U.S. Data Privacy Framework, which ensures compliance with EU data protection standards. Further information about Google’s data protection can be found here: Google Privacy
Additional privacy information from Google: Google Business Safety

10.2 Google Web Fonts

We use web fonts provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google") to ensure consistent display of fonts.

When you access our website, your browser loads the required web fonts into your browser cache. For this, your browser must connect to Google's servers, which means Google receives your IP address. This may also lead to the transfer of your personal data to the servers of Google LLC in the USA. The legal basis for this is your explicit consent in accordance with Article 6(1)(a) of the GDPR.

If your browser does not support web fonts or you decline their use, a default font from your computer will be used instead.

Details on Google Web Fonts can be found here: Google Web Fonts FAQ
Google LLC is certified under the EU-U.S. Data Privacy Framework. More information on Google’s privacy policies can be found here: Google Privacy
Further privacy information from Google: Google Business Safety

### 11. Data Subject Rights

11.1 Under applicable data protection law, you have comprehensive rights (rights to information and intervention) with respect to the processing of your personal data, which we inform you about below:

  • Right of Access under Article 15 GDPR: You can request confirmation from the data controller as to whether personal data concerning you is being processed. Additionally, you have the right to information about the purpose, categories of personal data, recipients, planned duration of storage, existence of further rights such as rectification of data, or the existence of a right to lodge a complaint with a supervisory authority, the source of your data if not collected by us, the existence of automated decision-making including profiling, along with meaningful information about the involved logic, significance, and intended impact of such processing, and your right to be informed of any guarantees under Article 46 GDPR for the transfer of your data to third countries.

  • Right to Rectification under Article 16 GDPR: You have the right to obtain immediate rectification of inaccurate data concerning you and/or completion of incomplete data stored with us; the rectification or completion must take place without delay.

  • Right to Restriction of Processing under Article 18 GDPR: You have the right to request restriction of the processing of your personal data for as long as the accuracy of your data, which you have contested, is being verified; if you oppose the deletion of your data due to unlawful data processing and instead request restriction of their processing; if you need your data for asserting, exercising, or defending legal claims after we no longer need them for the original purpose; or if you have objected on grounds related to your particular situation, as long as it is not determined whether our legitimate grounds prevail.

  • Right to Erasure under Article 17 GDPR: You have the right to request the immediate deletion of your personal data if the conditions of Article 17(1) GDPR are met. However, this right to deletion does not apply, particularly if processing is necessary for exercising the right to freedom of expression and information, fulfilling a legal obligation, reasons of public interest, or asserting, exercising, or defending legal claims.

  • Right to Notification under Article 19 GDPR: If you have exercised your right to rectification, erasure, or restriction of processing, the data controller is obliged to communicate any rectification, erasure of data, or restriction of processing to all recipients to whom your personal data has been disclosed, unless this proves impossible or involves disproportionate effort. You also have the right to be informed about these recipients.

  • Right to Data Portability under Article 20 GDPR: You have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, or to request transmission to another controller, where technically feasible.

  • Right to Withdraw Consent under Article 7(3) GDPR: You have the right to object at any time to the processing of your personal data that takes place based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. You also have the right to withdraw your consent at any time with future effect. The lawfulness of processing based on consent before its withdrawal remains unaffected by the withdrawal.

  • Right to Lodge a Complaint under Article 77 GDPR: Without prejudice to other administrative or judicial remedies, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace, or place of the alleged infringement, if you believe that the processing of your personal data infringes the GDPR.

11.2 Right to Object

You have the right to object to the processing of your data at any time with future effect if we process your data based on our overriding legitimate interest after weighing interests.

If you exercise this right to object, we will cease processing your data unless there are demonstrable compelling legitimate grounds for continuing that override your interests or the processing serves the assertion, exercise, or defense of legal claims.