Privacy Policy

The controller responsible for data processing is:

Merlin Cycles GmbH
Robert-Bosch-Str. 17
73760 Ostfildern-Nellingen
datenschutz@merlincycles.de

We appreciate your interest in our online shop. Protecting your privacy is very important to us. Below, we provide detailed information about how we handle your data.

1. Access data and hosting

You can visit our websites without providing any personal information. Each time a webpage is accessed, the web server automatically stores so-called server log data, which includes, for example, the name of the requested file, your IP address, the date and time of access, the amount of data transferred, and the requesting provider (access data), and documents the access.

This access data is evaluated solely for the purpose of ensuring the smooth operation of the website and improving our services. This serves to protect our legitimate interests in the correct presentation of our services, which override any conflicting interests in accordance with Article 6, Paragraph 1, Sentence 1, Letter f of the GDPR. All access data is deleted no later than seven days after the end of your visit to the website.

Hosting services provided by a third-party provider

As part of processing on our behalf, a third-party provider hosts and displays our website. This serves our legitimate interest in the correct presentation of our offerings, which outweighs any conflicting interests. All data collected through the use of this website or via forms provided in the online shop, as described below, is processed on their servers. Processing on other servers only takes place within the scope described herein.

This service provider is located within a country of the European Union or the European Economic Area.

Content Delivery Network

To ensure faster loading times, we use a Content Delivery Network (CDN). With this service, content, such as large media files, is delivered via regionally distributed servers of our CDN provider. Therefore, access data is processed on the provider’s servers. Our provider acts as a data processor on our behalf. Our provider is located and/or uses servers in countries outside the EU and the EEA. There is no adequacy decision from the European Commission for these countries. Our cooperation with them is based on standard contractual clauses for data protection issued by the European Commission. If you have any questions about our provider and the basis of our cooperation with them, please contact us using the contact details provided in this privacy policy.

2. Data collection and use for contract processing and when opening a customer account

For the purpose of contract processing in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR, we collect personal data when you voluntarily provide it to us as part of your order. Required fields are marked as such, as we absolutely need this data for contract processing and cannot ship the order without it. The specific data collected is evident from the respective input forms.

We also collect personal data when you voluntarily provide it to us when contacting us (e.g., via contact form or email). Required fields are marked as such, as we absolutely need this data to process your inquiry. The specific data collected is evident from the respective input forms.

We use the data you provide in accordance with Article 6, Paragraph 1, Sentence 1, Letter b of the GDPR for contract processing and handling your inquiries. After complete contract fulfillment or deletion of your customer account, your data will be restricted from further processing and deleted after the statutory retention periods under tax and commercial law have expired, unless you have expressly consented to further use of your data or we reserve the right to use your data beyond this scope, which is permitted by law and about which we inform you in this statement. You can delete your customer account at any time by contacting us using the contact details provided below.

3. Data sharing

For the purpose of fulfilling the contract in accordance with Article 6, paragraph 1, sentence 1, letter b GDPR, we will pass on your data to the shipping company commissioned with the delivery, so that it can contact you before delivery for the purpose of delivery notification or coordination.

You can withdraw your consent at any time by sending a message to the contact details provided below or directly to the shipping provider at the contact address listed below. After withdrawal, we will delete the data you provided for this purpose, unless you have expressly consented to further use of your data or we reserve the right to use your data beyond this scope, which is permitted by law and about which we inform you in this statement.

DHL Parcel GmbH
Sträßchensweg 10
D-53113 Bonn

General Logistics Systems Germany GmbH & Co. OHG
GLS Germany-Straße 1 – 7
D-36286 Neuenstein

Depending on which payment service provider you select during the ordering process, we will forward the payment data collected for this purpose to the bank commissioned with processing the payment and, if applicable, to payment service providers commissioned by us, or to the selected payment service. This serves the purpose of fulfilling the contract in accordance with Art. 6 Para. 1 Sentence 1 lit. b GDPR. In some cases, the selected payment service providers also collect this data themselves if you create an account with them. In this case, you will need to log in to the payment service provider with your access data during the ordering process. The data privacy policy of the respective payment service provider applies in this respect.

We use payment service providers located in a country outside the European Union. Personal data is only transferred to this company to the extent necessary for the performance of the contract.

If you have any questions about our payment processing partners and the basis of our cooperation with them, please contact us using the contact details provided in this privacy policy.

4. Email newsletter and postal advertising

Email advertising with newsletter registration
When you subscribe to our newsletter, we use the data required for this purpose or data you have separately provided to send you our email newsletter regularly based on your consent in accordance with Article 6, paragraph 1, sentence 1, letter a GDPR.

You can unsubscribe from the newsletter at any time, either by sending a message to the contact address provided below or by using the unsubscribe link in the newsletter. After unsubscribing, we will delete your email address unless you have expressly consented to further use of your data or we reserve the right to use your data for other purposes permitted by law, which we will inform you about in this privacy policy.

Email advertising without newsletter registration and your right to object
If we receive your email address in connection with the sale of goods or services and you have not objected, we reserve the right, based on Section 7 Paragraph 3 of the German Unfair Competition Act (UWG), to regularly send you offers for similar products from our range by email. This serves our legitimate interest in marketing to our customers, which outweighs your interests in this context.

You can object to this use of your email address at any time by sending a message to the contact details provided below or via a link provided in the advertising email, without incurring any costs other than the transmission costs according to the basic rates.

Direct mail advertising and your right to object
Furthermore, we reserve the right to use your first and last name as well as your postal address for our own advertising purposes, e.g., to send you interesting offers and information about our products by mail. This serves our legitimate interest in contacting our customers for advertising purposes, which outweighs your interests in accordance with Article 6, paragraph 1, sentence 1, letter f GDPR.

5. Data usage during payment processing

Installment purchase

When selecting the payment method “Financing” and granting the necessary data protection consent in accordance with Article 6, Paragraph 1, Sentence 1, Letter a GDPR, personal data (first name, last name, address, email, telephone number, date of birth, IP address, gender) together with data required for processing the transaction (item, invoice amount, due dates, total amount, invoice number, taxes, currency, order date and order time) will be transmitted to our partner Santander Consumer Bank AG, Santander-Platz 1, 41061 Mönchengladbach for the purpose of processing this payment method.

To verify your identity and/or creditworthiness, our partner conducts inquiries and obtains information from publicly accessible databases and credit bureaus. For details on the providers from whom information and, where applicable, creditworthiness information based on mathematical-statistical methods is obtained, as well as further details on the processing of your data after transmission to our partner Santander Consumer Bank AG, please refer to their privacy policy, which you can find here: https://www.santander.de/privatkunden/service-kontakt/datenschutz/

Our partner, Santander Consumer Bank AG, uses the information obtained regarding the statistical probability of a payment default to make a balanced decision about establishing, executing, or terminating the contractual relationship. You have the option to contact our partner, Santander Consumer Bank AG, to explain your position and contest the decision.

The consent to data transfer given during the ordering process can be revoked at any time, even without giving reasons, with effect for the future.

Credit card purchase

When selecting the payment method “credit card” and granting the necessary data protection consent in accordance with Article 6, paragraph 1, sentence 1, letter a GDPR, personal data (email address, delivery country of the order) together with data required for the transaction processing (total amount, invoice number, taxes, currency, order date and order time) will be transmitted to our partner SIX Payment Services (Europe) SA (10, Rue Gabriel Lippmann, L-5365 Munsbach, Luxembourg) for the purpose of processing this payment method.

For statistical risk assessment, your email address and delivery country will be forwarded by our partner to Fraugster Ltd. (Engeldamm 64b, 10179 Berlin, Germany). Based on the results of this risk assessment, SIX Payment Services will decide whether you need to complete the 3D Secure process, which reverses liability for credit card payments to protect us from the risk of payment default. This risk assessment does not otherwise affect the availability of the “credit card” payment method; it simply serves to simplify the payment process for you.

6. Integration of the Trusted Shops Trustbadge

To display our Trusted Shops seal of approval and the collected reviews, as well as to offer Trusted Shops products to buyers after an order, the Trusted Shops Trustbadge is integrated on this website.

This serves to protect our overriding legitimate interests in the optimal marketing of our services, as defined in Article 6, Paragraph 1, Sentence 1, Letter f of the GDPR. The Trustbadge and the services advertised with it are offered by Trusted Shops GmbH, Subbelrather Str. 15c, D-50823 Cologne, with whom we are jointly responsible for data protection under Article 26 of the GDPR. In the following, we inform you about the essential contractual content pursuant to Article 26, Paragraph 2 of the GDPR within the framework of this privacy notice.

The Trustbadge is provided by a US-based CDN (Content Delivery Network) provider under joint controllership. An adequate level of data protection is ensured through standard data protection clauses and other contractual measures. Further information on data protection at Trusted Shops GmbH can be found here [https://www.trustedshops.de/impressum/#datenschutz].

When the Trustbadge is accessed, the web server automatically saves a server log file, which also contains your IP address, the date and time of access, the amount of data transferred, and the requesting provider (access data), and documents the access. The IP address is anonymized immediately after collection, so the stored data cannot be associated with you personally. The server log file is stored in a security database for the analysis of security incidents and is automatically deleted or anonymized no later than 90 days after creation. This serves the legitimate interests of us and Trusted Shops, in accordance with Article 6 Paragraph 1 Sentence 1 Letter f GDPR, for the prevention of misuse and fraud, for the optimization of our offerings and website, and for ensuring the smooth operation of the website, the Trustbadge, or other Trusted Shops widgets.

Further personal data will be transferred to Trusted Shops GmbH if you decide to use Trusted Shops products after completing an order or if you have already registered to use them. For this purpose, personal data is automatically collected from the order data. Whether you, as a buyer, are already registered to use a product is automatically checked using a neutral parameter: your email address hashed via a cryptographic one-way function. Before transmission, the email address is converted into this hash value, which is undecipherable for Trusted Shops. After checking for a match, the parameter is automatically deleted.

This serves to verify whether you are already registered for services with Trusted Shops GmbH and is therefore necessary for the fulfillment of our and Trusted Shops’ overriding legitimate interests in providing buyer protection and transactional review services linked to the specific order, in accordance with Art. 6 Para. 1 Sentence 1 lit. f GDPR. If this is the case, further processing will take place in accordance with the contractual agreement between you and Trusted Shops. If you are not yet registered for the services, you will then have the opportunity to do so for the first time. Further processing after successful registration is also governed by the contractual agreement with Trusted Shops. If you do not register, all transmitted data will be automatically deleted by Trusted Shops, and personal identification will then no longer be possible.

Due to the joint responsibility between us and Trusted Shops GmbH, please direct any data protection questions and the assertion of your rights primarily to Trusted Shops GmbH, whose contact details can be found here [https://www.trustedshops.de/impressum/#datenschutz]. Further information on data protection can be found at the following link [https://www.trustedshops.com/tsdocument/CONSUMER_MEMBERSHIP_TERMS_de.pdf]. You can find this information elsewhere. Regardless, you can always contact us using the contact details provided in this privacy policy. If necessary, your inquiry will be forwarded to the relevant data controller for processing.

7. Cookies and web analytics

To make your visit to our website more attractive and to enable the use of certain functions, to display suitable products, or for market research, we use so-called cookies on various pages. This serves to protect our legitimate interests, which outweigh your interests, in an optimized presentation of our offerings in accordance with Article 6, paragraph 1, sentence 1, letter f GDPR.

Cookies are small text files that are automatically stored on your device. Some of the cookies we use are deleted after the end of your browser session, i.e., after you close your browser (session cookies). Other cookies remain on your device and allow us to recognize your browser on your next visit (persistent cookies). You can find information about the storage duration in the cookie settings of your web browser.

You can configure your browser to notify you when cookies are being set, allowing you to decide whether to accept them individually, or to block cookies in certain cases or entirely. Each browser manages cookie settings differently. This is described in the help menu of each browser, which explains how to change your cookie settings. You can find this information for the respective browsers at the following links:

  • Internet Explorer™: http://windows.microsoft.com/de-DE/windows-vista/Block-or-allow-cookies
  • Safari™: https://support.apple.com/kb/ph21411?locale=en_DE
  • Chrome™: http://support.google.com/chrome/bin/answer.py?hl=en&hlrm=en&answer=95647
  • Opera™: http://help.opera.com/Windows/10.20/de/cookies.html
  • Firefox™: https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen

If you do not accept cookies, the functionality of our website may be limited.

Use of Google (Universal) Analytics for web analytics

This website uses Google (Universal) Analytics, a web analytics service provided by Google LLC (www.google.de), for website analysis. This serves our legitimate interests in an optimized presentation of our website, which outweigh any conflicting interests, in accordance with Article 6, paragraph 1, sentence 1, letter f GDPR.

Google (Universal) Analytics uses methods that allow us to analyze your use of the website, such as cookies. The information automatically collected about your use of this website is generally transmitted to and stored on a Google server in the USA. By activating IP anonymization on this website, your IP address is shortened before transmission within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The anonymized IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. The data collected in this context will be deleted once the purpose for its collection has been fulfilled and we have ceased using Google Analytics.

US-based providers are required to share their data with US authorities. Therefore, the US is considered a country with an inadequate level of data protection according to EU standards (third-country consent).

As an alternative to the browser plugin, you can click this link to prevent Google Analytics from collecting data on this website in the future. This will place an opt-out cookie on your device. If you delete your cookies, you will need to click the link again.

Our online presence on Facebook, Google, Instagram

Our presence on social networks and platforms serves to improve active communication with our customers and prospective customers. We use these platforms to provide information about our products and current special offers. When you visit our online presence on social media, your data may be automatically collected and stored for market research and advertising purposes. This data is used to create so-called usage profiles using pseudonyms. These profiles can be used, for example, to display advertisements both on and off the platforms that are likely to match your interests.

For this purpose, cookies are generally used on your device. These cookies store visitor behavior and user interests. This serves our legitimate interests, which, in accordance with Article 6(1)(f) GDPR, override your interests, in optimizing the presentation of our offerings and communicating effectively with customers and prospective customers. If you are asked by the respective social media platform operators for your consent to data processing, e.g., via a checkbox, the legal basis for data processing is Article 6(1)(a) GDPR.

Insofar as the aforementioned social media platforms are headquartered in the USA, the following applies: US-based providers are required to transfer data to US authorities. Therefore, the USA is considered a country with a level of data protection that is inadequate according to EU standards (third-country consent). Detailed information on the processing and use of data by the providers on their websites, as well as contact options and your related rights and settings for protecting your privacy, in particular your right to object (opt-out), can be found in the providers’ privacy policies linked below. Should you still require assistance, please feel free to contact us.

  • Facebook: https://www.facebook.com/about/privacy/ is a service provided by Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (“Facebook Ireland”)
    The information about your use of our online presence on Facebook, automatically collected by Facebook Ireland, is generally transferred to and stored on a server of Facebook, Inc., 1601 Willow Road, Menlo Park, California 94025, USA. The European Commission has not issued an adequacy decision for the USA. Our cooperation with them is based on standard data protection clauses issued by the European Commission. Data processing in connection with visits to a Facebook fan page is based on a joint controllership agreement pursuant to Article 26 GDPR. You can find further information (information on Insights data) here [https://www.facebook.com/legal/terms/information_about_page_insights_data].
  • Google/YouTube: https://policies.google.com/privacy?hl=de is a service provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). The information automatically collected by Google about your use of our online presence on YouTube is generally transmitted to and stored on a server of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The European Commission has not issued an adequacy decision for the USA. Our cooperation with them is based on standard data protection clauses issued by the European Commission.
  • Instagram: https://help.instagram.com/519522125107875 is a service provided by Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (“Facebook Ireland”)
    The information about your use of our online presence on Instagram, automatically collected by Facebook Ireland, is generally transferred to and stored on a server of Facebook, Inc., 1601 Willow Road, Menlo Park, California 94025, USA. The European Commission has not issued an adequacy decision for the USA. Our cooperation with them is based on standard data protection clauses issued by the European Commission. Data processing in connection with visiting an Instagram fan page is based on a joint controllership agreement pursuant to Article 26 GDPR. You can find further information (information on Insights data) here [https://www.facebook.com/legal/terms/information_about_page_insights_data].

Sending review reminders via email

HIBIKE may contact you by email to invite you to rate the service and/or products you received from us in order to gather your feedback and improve our service and products. Since we work with an external company, Trustpilot A/S (“Trustpilot”), to collect customer feedback, we will share your name, email address, and reference number with Trustpilot for this purpose. If you would like to learn more about how Trustpilot processes your data, you can view the company’s privacy policy here.

9. Voucher offers from Sovendus GmbH

To select a voucher offer that is currently of interest to you, we transmit the pseudonymized and encrypted hash value of your email address and your IP address to Sovendus GmbH, Moltkestr. 11, 76133 Karlsruhe (Sovendus) (Article 6, paragraph 1, letter f GDPR). The pseudonymized hash value of the email address is used to take into account any objection you may have to receiving advertising from Sovendus (Article 21, paragraph 3 and Article 6, paragraph 1, letter c GDPR).

Sovendus uses the IP address exclusively for data security purposes and, as a rule, anonymizes it after seven days (Article 6, paragraph 1, letter f GDPR). We also transmit the pseudonymized order number, order value with currency, session ID, coupon code, and timestamp to Sovendus for billing purposes (Article 6, paragraph 1, letter f GDPR).

If you are interested in a voucher offer from Sovendus, no objection to advertising is registered for your email address, and you click on the voucher banner displayed only in this case, we will transmit your title, name and email address to Sovendus in encrypted form for the purpose of preparing the voucher (Article 6, paragraph 1, letters b, f GDPR).

For further information on how Sovendus processes your data, please refer to the online privacy policy at http://www.sovendus.de/datenschutz

10. Your rights and contact options

As a data subject, you have the following rights:

  • In accordance with Article 15 GDPR, you have the right to request information about your personal data processed by us to the extent specified therein;
  • In accordance with Article 16 GDPR, you have the right to request the immediate rectification of inaccurate or incomplete personal data concerning you that we hold;
  • In accordance with Article 17 GDPR, you have the right to request the erasure of your personal data stored by us, unless further processing is required
    • to exercise the right to freedom of expression and information;
    • to fulfill a legal obligation;
    • for reasons of public interest or
    • for the establishment, exercise or defense of legal claims;
  • According to Article 18 GDPR, you have the right to request the restriction of the processing of your personal data, insofar as
    • the accuracy of the data is disputed by you;
    • the processing is unlawful, but you refuse its deletion;
    • we no longer need the data, but you require it for the establishment, exercise or defense of legal claims or
    • you have objected to the processing pursuant to Article 21 GDPR;
  • According to Article 20 GDPR, you have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request its transmission to another controller;
  • According to Article 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority. Generally, you can contact the supervisory authority in your place of habitual residence, your place of work, or the location of our company headquarters.

If you have any questions about the collection, processing or use of your personal data, for information, correction, blocking or deletion of data, as well as for the revocation of granted consent or objection to a specific use of data, please contact us directly using the contact details in our legal notice.

Data Protection Officer

Merlin Cycles GmbH
Data Protection Officer
Westerbachstraße 9
61476 Kronberg

datenschutz@merlincycles.de

Right to object

To the extent that we process personal data as explained above to protect our overriding legitimate interests within the framework of a balancing of interests, you can object to this processing with effect for the future. If the processing is for direct marketing purposes, you can exercise this right at any time as described above. If the processing is for other purposes, you only have a right to object if there are grounds relating to your particular situation.

After you exercise your right to object, we will no longer process your personal data for these purposes unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

This does not apply if the processing is for direct marketing purposes. In that case, we will no longer process your personal data for this purpose.

As of March 1, 2025