Thomann app Privacy Notice

(for Google-Android-compatible devices and iOS devices)

This Privacy Notice describes how Thomann GmbH (hereinafter “Thomann”) processes and protects, in accordance with the General Data Protection Regulation (GDPR) and the relevant German data protection laws, in particular the German Federal Data Protection Act [Bundesdatenschutzgesetz – BDSG], the data you provide us with when using the Thomann app and the data that is required when installing the Thomann app on your Android device (e.g. compatible Android smartphone or Android tablet) or iOS device (e.g. iPhone, iPod or iPad).

1. Controller and Data Protection Officer

The responsible authority within the meaning of the data protection regulations for all data processing and data transmission processes through the Thomann app is:

Thomann GmbH
Hans-Thomann-Strasse 1
96138 Burgebrach
Germany

In the event of any questions, comments, complaints or to exercise your rights as a data subject in connection with our Privacy Notice and the processing of your personal data by Thomann’s apps, you can contact Thomann’s Data Protection Officer directly by email (privacy@thomann.de). They will gladly take care of your data protection concerns.

2. Legal basis for the processing of personal data

If we obtain the consent of the data subject to process their personal data, Article 6(1)(a) GDPR serves as the legal basis for the processing of personal data.

When processing personal data necessary for the performance of a contract to which the data subject is party, Article 6(1)(b) GDPR shall serve as the legal basis. This also applies to any processing required to perform pre-contractual measures.

If processing of personal data is necessary for compliance with a legal obligation to which Thomann is subject, Article 6(1)(c) GDPR shall serve as the legal basis.

In the event that the vital interests of the data subject or of another natural person necessitate the processing of personal data, Article 6(1)(d) GDPR shall serve as the legal basis.

If processing is necessary to safeguard the legitimate interests of our company or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, Article 6(1)(f) GDPR shall serve as the legal basis for processing.

Should we access your device and the information stored there or should we save information on your device as part of our processing, the primary legal basis is § 25(1)(1) TTDSG if we require your consent for this access, or § 25(2)(2) TTDSG if the access concerns processing that is technically absolutely necessary.

3. Data deletion and storage duration

The data subject’s personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. Data may be stored beyond this if provisions have been made for this by the European or national legislator in Union regulations, laws or other rules to which the controller is subject. Data will also be blocked or deleted if a storage period prescribed by the standards mentioned above expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

4. What data do we require from you to run the Thomann app? What data is collected and stored when using the Thomann app?

a. Downloading and installing the Thomann app
(1) From the Google Play Store (Google-Android-compatible devices)

To use the Thomann app on your Android device (e.g. Android smartphone or Android tablet), you will need to download the Thomann app from the Google Play Store and install it on your device. To do this, you must be logged into the Google Play Store with your Android user account by entering your user name (your email address) and password.

Information and data may be collected and processed by Google through the Play Store. For further information regarding the purpose and scope of data collection, and regarding the further processing and use of your data in the Play Store by Google, see Google’s privacy rules. These are available online at http://www.google.co.uk/intl/en-GB/policies/privacy/. There you will find, amongst other things, information regarding settings for the protection of your privacy and regarding your further rights regarding the collecting, processing and use of your data by Google. For further information on using the Google Play Store, please refer to the Play Store Terms of Service, which are available online at https://play.google.com/intl/en-GB/about/play-terms.html.

(2) From the App Store or iTunes

To use the app on your iOS device (e.g. iPhone, iPod or iPad), you will need to download the app from the Apple App Store (from iTunes on a Mac) and install it on your device. To do this, you must be logged into the App Store with your Apple user account by entering your Apple ID (usually your email address) and your password.


Information and data may be collected and processed by Apple through the App Store. For information regarding the purpose and scope of data collection, and regarding the further processing and use of your data by Apple, see Apple’s own privacy rules. These are available online at https://www.apple.com/legal/privacy/en-ww/. There you will find, amongst other things, information regarding settings for the protection of your privacy and regarding your further rights regarding the collecting, processing and use of your data by Apple. For further information on using the App Store and iTunes and other online services from Apple, please refer to the Apple Terms and Conditions, which are available online at http://www.apple.com/legal/internet-services/itunes/uk/terms.html.

b. Permissions for the Thomann app to access data on your device
(1) For Google-Android-compatible devices

When installing the Thomann app in the Google Play Store, you must confirm the following access permissions:

  • Photos/media/files, using at least one of the following elements: files on the device such as images, videos or audio elements, as well as on the device’s external storage

If you do not wish to accept these access permissions, please do not install or use the Thomann app.

The Thomann app has permission to do the following during use:

  • Access your device’s network functions (the Thomann app only works when the device is online) and Wi-Fi connection information
  • Read, modify or delete storage to which access has been allowed
  • Control vibrating alarm
  • Deactivate “Auto screen off”

Information about how to change your app permissions can be found in the Google Play Store under https://support.google.com/googleplay/answer/9431959?p=app_permissions&rd=2&visit_id=637798269818255659-3792285856.

(2) For iOS devices

The Thomann app requires access to the following data/functions of your device during use only, which you can configure in the settings of your iOS device (under Settings/Privacy):

  • Access to location
  • Access to the device’s network functions (the Thomann app only works when the device is online)

If you confirm the access permissions and access during or after installation, you hereby give us your consent to such access to your device. The legal basis for the processing of this data is § 25(1)(1) TTDSG and Article 6(1)(f) GDPR. Data is processed through certain access permissions to your device for the purposes of the technical operation and use of the Thomann app and all its features.

c. Data processing when using the Thomann app, in particular the Shopping function
When using the Thomann app, in particular when viewing various Thomann products, only the product views (e.g. image material, products on shopping lists) are stored in your device’s temporary storage (“caching”).

You can use the Shopping function in the Thomann app either by logging in with the log-in details (email address, password) of your existing Thomann customer account or by entering your personal data without logging in.

If you place an order using your existing Thomann customer details, you will not need to enter any further details in the Thomann app during the order process. The details stored in your customer account (first name and surname, address) will be displayed during the order process. Of course, you can amend and/or correct these details.

If you place an order through the Thomann app without logging in, the form within the Thomann app will ask you for all the details that Thomann requires to complete and process orders: first name and surname, company (optional), postal address, telephone number (only for queries), email address.

In addition, it is possible to simply import these details directly from your device’s contacts on iOS devices. In order to do this, you have to allow the Thomann app to access your contacts in your iOS device’s settings (under Settings/Privacy).

The legal basis for the data processing during product preview and ordering through the Thomann app is Article 6(1)(b) GDPR. The product preview and order functions are used to initiate a purchase contract or to fulfil a concluded purchase contract if you generate an order via the Thomann app.

d. Data stored on the device when using the Thomann app
The following data is stored locally on your device when using the Thomann app:

  • Product details, i.e. images of the items you have viewed in the Thomann app in your device’s non-temporary memory (“cache”);
  • Log-in. Of your log-in details, only your email address is stored locally; your password for accessing your Thomann customer account is not saved, but rather just a “token” that allows you to conveniently log in again. This access token, which is unique to the device you are using, is generated on Thomann’s app server for authentication purposes the first time you log in to the Thomann app. The token will become invalid once the password is changed. If the app is deleted, the access token will also be deleted.

The legal basis for the storage of this data is § 25(2)(2) TTDSG and Article 6(1)(f) GDPR. We store this data for the purpose of making the product range in the Thomann app and the use thereof more appealing. This is also the basis for our legitimate interests in data processing pursuant to Article 6(1)(f) GDPR.

e. Data automatically collected by using the Thomann app (usage data)
We welcome everybody to use the Thomann app free of charge and to look at the products on offer. When you use the Thomann app, we record general usage data in order to evaluate how, to what extent and for how long you have used the Thomann app. We use Google Analytics/Firebase as an analysis tool for this app-tracking. You can find details of the data collection and processing by Google Analytics/Firebase under 8. There you will also find information on your right to prohibit data processing by Google Analytics/Firebase and on the applicable legal basis.

5. How is your data used and passed on to third parties, and for what purpose?

Thomann will transfer your data to third parties that are involved in the processing of your order made through the Thomann app. For example, if you have placed an order via the Thomann app, Thomann will transmit your order information to the Thomann partner companies and contractors that process and deliver your order to you. Data will only be transmitted to the extent required in order to fulfil or deliver your order or to process an enquiry. We will also transmit personal data to third parties where we are required to do so by law.

To complete the order through the Thomann app, depending upon the payment method you select, it will also be necessary to pass on the payment information you have provided (e.g. credit card details), to payment service providers appointed by Thomann in order to process your order.

Data is passed on for order and payment processing purposes; the legal basis for this is Article 6(1)(b) GDPR.

6. What security measures have we taken to protect your data?

Thomann has taken precautions to ensure the security of your personal data. Your data will be diligently protected against loss, destruction, manipulation and unauthorised access or unauthorised disclosure and transmission. Thomann protects data collected when using the Thomann app by saving it on servers protected by passwords and firewalls (not on the device itself), which use encryption technology to prevent unauthorised access. Thomann does its utmost and implements state-of-the-art technology to provide you with a secure environment for the completion of your order through the Thomann app; however, we cannot guarantee absolute security of your data. Thomann asks that you take every available precaution to protect your personal data when using the Thomann app. We encourage you to at least change your passwords on a regular basis and to use a combination of letters and numbers, as well as special characters where appropriate, when setting your password.

Communication between the Thomann app installed on your device and the app server operated by Thomann is always performed via a sufficiently encrypted internet connection (SSL certificate).

In addition, technical error messages and system events in the Thomann app are logged and transmitted to Thomann. No personal data is transmitted in the process, only information that caused the Thomann app to crash. These crash reports are not associated with your device’s personal data.

7. Cookie policy

In the Thomann app, we use diverse cookies and identifiers for various processing purposes to enable you to use the Thomann app and its essential functions and, for example, to enable us to create statistical analyses of the use of the Thomann app. All types of cookies and any processing based upon their use are described in detail on our cookies page. You can access the cookies page here.

For the Thomann app, we make a distinction between mandatory cookies and non-mandatory cookies.

Mandatory cookies are cookies without which we would be unable to provide you with the Thomann app, or without which using the app would not reasonably be possible. These include the shopping basket function, the wish list and the basic shop settings. These cookies can be placed without your consent. The legal basis for placing cookies on your device is § 25(2)(2) TTDSG and for the subsequent processing outside of your device on our systems is Article 6(1)(f) GDPR.

The non-mandatory cookies concern our use of Google Analytics/Firebase (see 8) and provide you with Thomann recommendations. We request your consent to these services via our cookie banner when the Thomann app is opened. The legal basis for placing cookies on your device is your consent in accordance with § 25(1)(1) TTDSG and for the subsequent processing outside of your device on our systems or the systems of our technical service providers is Article 6(1)(a) GDPR.

You can refuse or withdraw your consent to the use of non-mandatory cookies and the subsequent processing based upon these at any time via the cookie settings on our cookie page. To do this, press the button next to the relevant service so that it is no longer green and then confirm your selection by pressing “Allow selected cookies”. Or press “Reject cookies” on the initial cookie banner.

8. We use Google Analytics/Firebase. What does that mean for your data?

If you provide your consent via the cookie banner that is displayed when the app is opened, use of the Thomann app is automatically logged. To do this, Thomann uses the version of Google Analytics/Firebase specially designed for apps. Google Analytics/Firebase is an analytics service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (hereinafter referred to as “Google”). Google Analytics/Firebase sets an “anonymised identifier”, which performs the functions of a cookie on platforms such as mobile devices, on the device you are using. This is a file that enables analysis of how you use the Thomann app. The information about your use of the Thomann app generated by the anonymised identifier is usually also transmitted to and stored on a Google server in the USA. Google will use this information on behalf of Thomann for the purposes of analysing use of the Thomann app, compiling reports on app activity and providing further services related to app and internet use to Thomann, the app provider.

The following usage data is tracked and statistically evaluated using Google Analytics/Firebase:

  1. Information about the device operating system
  2. Date and time of access
  3. The services and functions used within the Thomann app

It cannot be excluded that Google will carry out further processing, in particular if you are logged in to your Google account when using the Thomann app. In this case it is, for example, possible that Google will link the previously mentioned data with the data saved in your Google account and can collect information about your use of the Thomann app to personalise other services. We have no influence upon this processing, which is carried out by Google on its own responsibility. Information about this can be found in the Google Privacy Policy, which can be found under https://policies.google.com/privacy.

We use Firebase to process the following technical information; however, it is not separately transferred to Google:

  1. App crashes (for crash reports)
  2. Unique user recognition (via an anonymised identifier)
  3. Location region/country (not your specific location)
  4. Gender
  5. Most frequently used languages
  6. Devices (manufacturer, model)
  7. Operating system and version
  8. Browser

Statutory right of withdrawal

You can prevent collection and transfer of the data generated by the anonymised identifier and relating to your use of the Thomann app to Google, as well as the processing of such data by Google.

This can be achieved by changing your cookie settings. To do this on Android or iOS, take the following steps:

  • Open the menu in the Thomann app.
  • Select “Cookie Settings” towards the bottom of the menu.
  • Press the button next to “Google Analytics & Firebase”, so that it is no longer green. Google Analytics/Firebase is then deactivated.

Here you can view and change your cookie settings at any time.


The legal basis for the processing of data by Google Analytics/Firebase is § 25(1)(1) TTDSG (concerning the placement of identifiers/cookies on your device) and Article 6(1)(a) GDPR (for subsequent processing outside of your device, including statistical analysis on our systems and Google servers).

9. Rights as a data subject

If your personal data is processed, you are a data subject as defined in the GDPR and you have the following rights with regard to Thomann as the controller:

a. Information, rectification, restriction and deletion

You have the right to access the data stored about you by Thomann and information concerning its origin, recipient and the purpose of data processing by Thomann’s websites free of charge at any time. In addition, you have the right to rectify, delete or restrict the processing of your personal data, provided the legal requirements to do so are met.

Details can be found in the relevant statutory provisions, Articles 15 to 19 GDPR.

b. Right to data portability

You have the right to receive the personal data concerning you that you have provided to Thomann, in a structured, commonly used and machine-readable format. Thomann can comply with this right by providing a csv export of the customer data processed about you.

c. Right to information

If you have exercised your right to rectification, deletion or restriction of processing against the controller, the controller is obliged to notify all recipients to whom your personal data has been disclosed of this rectification or deletion of data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort.

You have the right to be informed about these recipients by Thomann.

d. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you that is based upon point (e) or (f) of Article 6(1) GDPR, including profiling based upon those provisions.

The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing that override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes.

In the context of the use of any information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

e. Revocability of declarations of consent under data protection law

You may also revoke your consent with regard to Thomann at any time with effect for the future using the contact details below.

f. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.

10. Changes to this Privacy Notice

Thomann may update this Privacy Policy from time to time. Such changes will be displayed within the Thomann app. If you have any comments or questions regarding this Privacy Policy or any other guidelines on this website, please contact us in writing.

Last updated: February 2022

This is how you can reach us