According to the General Data Protection Regulation (“GDPR”), personal data means “any information relating to an identified or identifiable natural person (hereinafter: “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

In the following we will show you which data we process on which legal basis within the scope of the functions we offer you, how long we store your data for, and who may receive your data.

a) Provision of the website and storage in log files

You can visit our website without giving any personal information. Each time a website is called up, the web server automatically saves only a so-called server log file, which contains the following data:

• Browser type / browser version
• Operating system used and its interface
• Referrer URL
• IP address
• Host name of the accessing computer
• Date and time of the server request
• Time zone difference between local and Greenwich Mean Time (GMT)
• Content of the request (specific page and/or file)
• Notification of successful retrieval
• Access status/THHTP status code
• Data message transmitted in each case
• Language and version of the browser software
• Requesting provider

These access data are processed exclusively for the purpose of ensuring trouble-free operation of the site and for improving our offer. The legal basis for this data processing is our overriding legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR and § 165 para. 3 TKG [Austrian Telecommunications Act] in the provision of the website and a correct presentation of our offer. To host the website, we use an IT service provider: PROBASE APPLICATIONS LIMITED, 185 Fleet Road, Fleet, Hampshire, GU51 3BL, UK, who processes your data on our behalf. All access data will be deleted no later than seven days after the end of your visit to the site.

b) Contact us via our contact form or our email address

We offer you the option to contact us either by using a contact form or via our contact email. When using the contact form, you must provide us with your email address and your specific message so that we can reply to your request. In addition, you can optionally and voluntarily provide us with your name, telephone number and address. If you contact us at the email address given on our website, you at least provide us with your email address and any other information that you disclose in your email. We need to process this data so that we can process your request. The processing takes place in the context of establishing contact so that we can process and reply to your request. The legal basis for the processing of your data is always the implementation of pre-contractual measures and the fulfilment of our contract in accordance with Art. 6 para. 1 lit. b GDPR. If your request is not related to a contractual relationship, the legal basis for data processing is our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR in processing your request. We save your emails and contacts for as long as is necessary to process your request and then save them for a period of 12 months. This does not apply if you initiate a contractual relationship with us in the email or if your establishment of contact relates to an existing contractual relationship. In this case, the storage period depends on the underlying contract. If that is the case, you will be informed separately about the data processing taking place there.

c) Newsletter

If you want to subscribe to our newsletter, you must register for the newsletter. The registration takes place via the so-called double opt-in process, i.e., after you register for the newsletter, we will send you a confirmation email in which we ask you to give your consent by clicking on the confirmation link contained in the email.

In order to be able to send you our newsletter, we process the email address you provide. The legal basis for this and for the transmission of the email address to Mona is your consent in accordance with Art. 6 para. 1 lit. a GDPR.

You can unsubscribe from the newsletter at any time by sending us a corresponding message (e.g. email, letter) or by clicking the unsubscribe link contained in every newsletter. We save your data for the purpose of sending the newsletter until you revoke your consent.

Newsletter tracking: Our newsletters contain so-called web beacons or tracking pixels, by means of which we can recognize whether and when an email was opened and which links in the email were followed by the personalized recipient. This data is stored by us so that we can optimally tailor our newsletter to the wishes and interests of our subscribers. Accordingly, the data collected in this way is used to send personalized newsletters to the respective recipient. The legal basis for processing your data in connection with newsletter tracking is our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR in optimizing our advertising materials. We save your data for 90 days.

For the newsletter we use the service provider Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, who processes your data on our behalf. For this purpose, the data saved when you subscribed to the newsletter (email address, possibly name, IP address, date and time of your subscription) will be transmitted to Sendinblue GmbH. Further information on data protection at Sendinblue can be found at: https://www.brevo.com/de/datenschutz-uebersicht/. 

We process data of our customers and suppliers as well as of their employees for the purpose of establishing and administering the business relationship and fulfilling the contract as well as complying with related legal obligations. For example, the following categories of data are processed: Master data (such as name, company, registered office, address, contact details, internet address), contract data (such as subject matter, term, conditions), delivery note data (such as order number, date, quantity and description of the individual goods) as well as billing and payment data (such as IBAN, BIC, UID). These data are known to us because they are either disclosed to us by the data subjects themselves or we determine the data from publicly accessible sources (e.g. company register, UID directory of the Federal Ministry of Finance, website of the business partner). Insofar as the data subject is our contractual partner, the data processing is generally based on the necessity for the fulfilment of the concluded contract or the implementation of pre-contractual measures (Art. 6 para. 1 lit. b DSGVO). The legal basis for processing the data of employees of our contractual partners is the necessity to achieve our predominant legitimate interest in managing the business relationship (Art. 6 para. 1 lit. f DSGVO). Insofar as we collect, process and store personal data due to a legal obligation, the data processing is based on the necessity to fulfil this obligation (Art. 6 para. 1 lit. c DSGVO).

We generally store the master and contract data of our customers and suppliers for the duration of the contractual relationship. Insofar as we are obliged to do so according to company and tax law regulations, we keep data of business partners for at least 7 years from the end of the respective calendar year. In addition, we store the personal data necessary for the assertion, defense or defense of legal claims and their enforcement in official or judicial proceedings; in this respect, the data is stored until the expiry of the relevant limitation periods or the legally binding conclusion of the proceedings.

In addition to the transfer of data to third parties described under functions of the website, we use various IT service providers for the provision of individual IT services (e.g. IT service providers, IT security).

In the case of enquiries or complaints concerning products of our group companies, such enquiries are mainly forwarded anonymously to our group companies. However, there are cases in which anonymous processing is not possible, for example when processing warranties. In this case, we forward your personal data on the basis of predominant legitimate interests in the processing of your enquiry by the relevant group company, Mona Naturprodukte GmbH, FN 232453v, Schottengasse 10, 2nd floor, 1010 Vienna, to the extent necessary.

Depending on the situation, we may pass on data relating to our customers and suppliers or their employees to competent authorities (e.g. tax offices), legal representatives (e.g. when examining contracts and enforcing legal claims) and certification bodies.

For hosting our servers we use an IT service provider, PROBASE APPLICATIONS LIMITED, 185 Fleet Road, Fleet, Hampshire, GU51 3BL, UK, which processes your data on our behalf.

We use software services offered by Microsoft, One Microsoft Way 157th Avenue NE, Redmond, WA 98052-7329, US, (so-called, for example, Microsoft Office, Microsoft Teams) for the following purposes: document storage and management, calendar management, e-mail dispatch, spreadsheets and presentations, exchange of documents, as well as chats and participation in audio and video conferences. In principle, these Microsoft services used are operated in the EU data centres of the geographical region Europe as well as in the UK. Insofar as the operation takes place in the UK, we rely on the decision of the EU Commission regarding the adequacy of the level of data protection for the United Kingdom.

We use sproof GmbH (Urstein Süd 19/2 5412 Puch b. Hallein Österreich, https://www.sproof.io/en/ ) to obtain electronic signatures.

Where service providers process personal data for us as processors, this is done on the basis of commissioned data processing contracts. The commissioned data processors process their personal data exclusively on our instructions and are only given access to their personal data to the extent that this is absolutely necessary for the performance of their tasks.

We are aware of the high importance of your data and therefore generally do not transfer it to countries outside the European Economic Area (so-called "Third countries"). If individual data processing is nevertheless associated with the transmission of your data to a third country, we will expressly inform you of this fact in this Privacy Policy and will inform you about the measures we have taken to ensure the required level of protection of your data.

The Hain Celestial Group, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the U.K. Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (collectively “DPF”). Hain has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF.  To learn more please read our Privacy Policy for the EU-U.S. Data Privacy Framework, U.K. Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework for non-HR data. 

The General Data Protection Regulation guarantees you certain rights that you can assert vis-à-vis us - provided that the legal requirements are met.

• Art. 15 GDPR - data subject’s right of access: You have the right to request confirmation from us as to whether personal data relating to you is being processed and, if so, which data this is, as well as the details of the data processing.
• Art. 16 GDPR - right to rectification: You have the right to request of us that we rectify any incorrect personal data concerning you without delay. In doing so, taking into account the purposes of the processing, you also have the right to request the completion of incomplete personal data - including by means of a supplementary statement.
• Art. 17 GDPR - right to erasure: You have the right to demand that we erase personal data relating to you immediately. We will then erase your data insofar as we are legally obliged to do so.
• Art. 18 GDPR - right to restriction of processing: You have the right to request that we restrict processing.
• Art. 20 GDPR - right to data portability: In the event of processing based on consent or for the fulfilment of a contract, you have the right to receive the personal data relating to you that you have provided to us in a structured, common and machine-readable format, and to have this data transmitted to another controller without hindrance on our part, or to have the data transmitted directly to the other controller, insofar as this is technically feasible.
• Art. 21 GDPR - right of objection: You have the right, for reasons that arise from your particular situation, to object at any time to the processing of personal data relating to you, which is necessary on the basis of a legitimate interest on our part or to safeguard a task that is in the public interest.
  
  If you object, we will no longer process your personal data unless we can prove compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
  
  If we process your personal data in order to send direct marketing, you have the right to object to the processing at any time. If you object to the processing for direct marketing purposes, we will no longer process your personal data for these purposes.
• Art. 77 GDPR in conjunction with § 24 Data Protection Act - right to complain to a supervisory authority: You have the right to lodge a complaint with a supervisory authority at any time, in particular in the member state of your place of residence, your place of work, or the place of the alleged violation, if you believe that the processing of your personal data violates applicable law. In Austria, the competent supervisory authority is the Austrian data protection authority.
  
  If you have given us your consent, you have the right to revoke your consent at any time. In such an event, all data processing that we have carried out up to your revocation remains lawful.

In connection with the data processing activities described in this Privacy Policy, you have no contractual or legal obligation to provide us with personal data. However, without the data you have provided, we will not be able to offer you our services.

We do not use automated decision-making, including profiling, within the meaning of Art. 13 para. 2 lit. f and Art. 14 para. 2 lit. g GDPR.

We use so-called “cookies” to expand the functionality of our website and to make it more convenient for you to use it. With the aid of these “cookies”, data can be saved on your computer when you visit our website.

When you use the website, cookies are stored on your computer. Cookies are small text files that are stored on your hard drive and assigned to the browser you are using and through which certain information flows to the party that placed the cookie (in this case us). Cookies cannot run programs or transmit viruses to your computer. They serve to make the Internet offer more user-friendly and effective overall.

The website uses cookies to the following extent: Transient cookies (temporary use), persistent cookies (limited-time use), third-party cookies (from third-party providers)

Transient cookies are automatically deleted when you close the browser. This includes, in particular, session cookies. These store a so-called session ID, with which various requests from your browser can be assigned to the common session. This allows your computer to be recognized when you return to the website. The session cookies are deleted when you log out or close the browser.

Persistent cookies are automatically deleted after a specified period, which can differ depending on the cookie. You can delete the cookies at any time in the your browser’s security settings.

You can configure your browser settings according to your wishes and, for example, reject the acceptance of third-party cookies or all cookies. We would like to point out, however, that our website may not function properly if the cookies that are necessary for it to function cannot be placed. In your browser settings, you can specify that cookies require your consent each time before they are saved and activated on your computer. You can find detailed information on your browser settings for the most common browsers on the providers’ websites or in these instructions.

a) Functional cookies:

When using functionally required cookies, we process your personal data in order to be able to provide basic functions of our website and the services you have requested, as well as to temporarily save your cookie settings. Functional restrictions could arise if these cookies are not used.

The legal basis for the processing of your data when using functionally necessary cookies is our legitimate interest in the provision of a fully functional website and the services you have requested, as well as in the temporary storage of your cookie settings (Art. 6 para. 1 lit. f GDPR, § 165 para. 3 TKG).

The following cookies are used on our website:

b) Non-essential cookies:

With your consent, we use non-functional cookies and similar tracking technologies (collectively: "non-functional cookies") in order to be able to statistically analyze and evaluate the use of our website, to adapt our website to the interests of our website visitors, and to optimally display the content of our website as well as to be able to show you personalized advertising.

The legal basis for the data processing is the consent you have given in accordance with Art. 6 para. 1 lit. a GDPR and § 165 para. 3 TKG. You can revoke your consent at any time with effect for the future or otherwise change your cookie settings subsequently by deleting the cookies in your browser and then reopening the page.

If you withdraw your consent for certain cookies, we will no longer save these cookies on your device when you visit our website in the future. The legality of the data processing carried out before the revocation is not affected by the revocation. Please note, however, that for technical reasons we cannot delete cookies that have already been saved with your consent. However, you can delete these cookies manually using your browser settings.

The following non-functional cookies are used on our website:

Personio
Personio SE & Co. KG Seidlstraße 3 80335 München, Deutschland
https://www.personio.de/datenschutzerklaerung/

Persiono provides the tool to display the open job positions on our career page (only available in German: https://joya.info/de/karriere/offene-stellen/ ).  The cookie determines the preferred language and country-setting of the visitor - This allows the website to show content most relevant to that region and language.

Google Analytics

Google LLC (“Google”), 1600 Amphitheater Parkway, Mountain View, CA 94043 USA

We use Google Analytics on our website. Google Analytics is used for web analysis and optimization of use on the website. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. In the context of the tracking, information is also transmitted about the products ordered.

You can find more information on terms of use and data protection at https://www.google.com/analytics/terms/de.html or at
https://policies.google.com/?hl=de.

You can prevent tracking by Google by using the following plug-in: http://tools.google.com/dlpage/gaoptout?hl=d

You can find more information on terms of use and data protection at https://www.google.com/intl/de_de/help/terms_maps.html or at
https://policies.google.com/?hl=de.

We maintain profiles on several social networks by which you can use to contact us. Currently these are Facebook, Instagram, YouTube, Pinterest and TikTok. As rule, for all processing of personal data that takes place there, for example when you visit the profile or leave a comment, only the respective network operator is the controller under data protection law. We ourselves have no knowledge of the data that the respective operator processes or of the individual data processing carried out by the operator. In particular, these will not be shared with us – at least in personally identifiable form. Like every other user of these social networks, we can only access the information you have published in your profile or otherwise made accessible in this context. At the following URLs, you can find more detailed information on the data processing taking place in the individual networks:

• Pinterest: https://policy.pinterest.com/en-gb/privacy-policy
• YouTube: https://policies.google.com/privacy?hl=en-GB&gl=de
• Instagram: https://de-de.facebook.com/help/instagram/155833707900388
• Facebook: https://www.facebook.com/privacy/policy/
• TikTok: https://www.tiktok.com/legal/page/row/privacy-policy/en

However, you do provide us with personal data when you send us a message or leave a post on our site. We use this personal data to respond to your message. For this purpose, your message from the social network may be imported into our own processing systems, so that we can respond more quickly and efficiently. For this reason, we use the service provider Falcon.io ApS, H.C. Andersens Boulevard 27, 1553 Copenhagen V, Denmark, which processes your data on our behalf, to respond to the messages.. We store your messages for as long as is necessary to process your request, and then we store them for a period of 3 years in case you contact us again with reference to your original inquiry. These purposes also represent our legitimate interest, for which we carry out this data processing (Art. 6 para. 1 lit. f) GDPR).

Special features apply to data processing on our Facebook profile page, which you can find out under the separate Facebook privacy policy https://www.facebook.com/about/privacy/

We take all possible precautions to ensure the protection and security of your data. We welcome your questions and comments concerning data protection. If you have any questions about the collection, processing or use of your personal data, access, rectification, blocking or erasure of data or the revocation of your consent, please contact: dataprivacy@hain-celestial.eu