Privacy policy

Privacy notice

This privacy notice describes how Thomann GmbH (hereinafter also referred to as "Musikhaus Thomann") processes the data you provide when using our websites and protects it in accordance with the General Data Protection Regulation (GDPR) and the relevant German data protection laws, in particular the BDSG.

The security of personal data such as name, address, telephone number, or email address is a serious and important business concern for us. Therefore, we conduct our online activities in accordance with the applicable data protection and data security laws. Below you will find information about what data we process.

Responsible party, contact person for questions or exercising your data subject rights, contact

The controller responsible for all data processing activities taking place via the websites of Musikhaus Thomann, in accordance with data protection regulations, is:

Thomann GmbH, Hans-Thomann-Straße 1, 96138 Burgebrach, Germany

For questions, comments, complaints, and to exercise your data subject rights in connection with this privacy notice and the processing of your personal data via the Thomann websites, you can contact the Thomann Data Protection Officer directly by email ( privacy@thomann.de ). They will be happy to address your data protection concerns.

Personal data/Types of use

At Thomann Music House, the protection of your personal data is of utmost importance to us. You decide whether or not you wish to provide us with this data, for example, during registration, surveys, or similar activities. This information is relevant to your inquiry but is provided to us voluntarily. An exception applies in cases where obtaining prior consent is not possible for practical reasons and the processing of the data is permitted by law.

Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6(1)(a) GDPR serves as the legal basis for the processing of personal data.

When processing personal data necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations necessary for carrying out pre-contractual measures.

Insofar as the processing of personal data is necessary for the fulfillment of a legal obligation to which Musikhaus Thomann is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.

In the event that the processing of personal data is necessary to protect the vital interests of the data subject or of another natural person, Article 6(1)(d) GDPR serves as the legal basis.

If processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, and the interests or fundamental rights and freedoms of the data subject do not override those interests, then Article 6(1)(f) GDPR serves as the legal basis for the processing.

If we access your device and the information stored there, or if we ourselves store information on your device through our processing (e.g., by using cookies), the primary legal basis is Section 25 Paragraph 1 Sentence 1 TDDDG, insofar as we need to obtain your consent for this access, or Section 25 Paragraph 2 No. 2 TDDDG, insofar as the access concerns technically essential processing.

Data deletion and storage period

The personal data of the data subject will be erased or blocked as soon as the purpose of storage no longer applies. Storage may also take place if this is provided for by European or national legislation in EU regulations, laws, or other provisions to which the controller is subject. Data will also be blocked or erased when a storage period prescribed by the aforementioned regulations expires, unless further storage of the data is necessary for the conclusion or performance of a contract.

Exchange of data / contractual relationships with partners/third parties

In addition to the uses described above, Thomann Music House shares your data with third parties involved in processing your order or other requests. For example, if you have submitted an order via our website, we will forward your order information to Thomann Music House's partner companies and contractors who process and deliver your order and provide us with operational and technical support in the processes related to the delivery of your order (e.g., delivery, shipment tracking, handling complaints, and improving the efficiency of these processes). Data is only shared to the extent necessary to fulfill your order, deliver it, or process an inquiry. The legal basis for this is the performance and execution of the contract concluded with you (e.g., for orders) or the initiation of a contract (Art. 6 para. 1 lit. b GDPR).

Furthermore, when shipping goods whose value exceeds the insured liability limit of our contracted shipping company, we forward the type and value of the goods, as well as the recipient's name and address, to our supplementary transport insurance company. This is done in our legitimate interest to protect our goods, particularly against accidental loss or damage during transport. Without such supplementary transport insurance, we would be unable to offer you shipping, especially for higher-value goods. We have contractually obligated the insurance company to maintain confidentiality and process the transmitted data solely for the purpose of handling an insurance claim. The legal basis for this is Article 6(1)(f) GDPR.

We will also disclose personal data to third parties if we are legally obligated to do so. In this case, the legal basis is Article 6(1)(c) GDPR.

Data that is automatically collected on our website / Usage data

We welcome everyone to visit and use our site free of charge and to view the products offered there. When you visit our website, we log the following general usage data to assess which parts of our website you visit and how long you stay there:

Information about the browser type and version used

The user's operating system

The user's IP address

Date and time of access

Websites from which the user's system accessed our website

The services and functions used on our websites

This data is combined with the usage data of all visitors to our website to measure the number of visitors, the average time spent on our website, the pages viewed, etc. This data we collect is aggregated and used for internal purposes only.

The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR.

We use this aggregated data to evaluate our products and services, including the news we make available via our website, and to measure website usage and improve its content overall.

The temporary storage of the IP address by the system is necessary to enable the delivery of websites to the user's computer. For this purpose, the user's IP address must be stored for the duration of the session.

The data is stored in log files to ensure the functionality of the websites. We also use the data to optimize the websites and to ensure the security of our IT systems. These purposes constitute our legitimate interest in data processing pursuant to Art. 6 para. 1 lit. f GDPR.

The data will be deleted as soon as it is no longer needed for the purpose for which it was collected. In the case of data stored in log files, this is after a maximum of seven days. Storage beyond this period is possible. In this case, the users' IP addresses will be deleted or anonymized so that it is no longer possible to identify the requesting client.

The collection of data for the provision of the website and the storage of data in log files is essential for the operation of the website. Therefore, there is no possibility for the user to object.

Third-party advertisements or links to other websites displayed on our website may collect user data if you click on them or otherwise follow their instructions. We have no control over the data collected voluntarily or involuntarily through third-party advertisements or websites. We recommend reviewing the privacy policies of the advertised websites if you have concerns about the collection and use of your data.

Cookies

Like many other commercial websites, Musikhaus Thomann may use the common technology known as "cookies" to collect data about how you use the website and to ensure that your visit runs smoothly.

Cookies are text files that are stored in or by the web browser on the user's computer system. When a user visits a website, a cookie can be stored on the user's operating system. This cookie contains a unique string of characters that allows the browser to be uniquely identified when the website is visited again.

Cookies cannot read information from your computer or interact with other cookies on your hard drive. However, cookies allow us to recognize you on a subsequent visit to our website.

You can find information about the data stored in cookies in the cookie settings.

Our websites use so-called transient cookies, persistent cookies, tracking/web bugs and local storage.

Transient and persistent cookies

Transient cookies are automatically deleted when you close your browser. This includes session cookies, which store a session ID that allows different requests from your browser to be associated with the same session. This allows your computer to be recognized when you return to our websites. Session cookies are deleted when you close your browser.

We use transient cookies to make our websites more user-friendly. Some elements of our websites require that the requesting browser can be identified even after a page change.

We also use persistent cookies on our websites , which allow us to analyze the browsing behavior of our users. Persistent cookies are automatically deleted after a predetermined period, which can vary depending on the cookie. This allows us to transmit information such as IP address, search terms entered, or the use of certain website functions.

Most cookies do not store any personal data of a user. However, the user's email address and customer ID may be stored server-side along with the cookie ID.

Tracking/Web Bugs

Some of our services also use so-called tracking or web beacons, or tracking pixels. These are usually small code snippets measuring only 1x1 pixel, which are able to identify and recognize your browser type via the browser ID – your browser's unique fingerprint. This allows the service provider to see when and how many users have accessed the pixel, or whether and when an email was opened or a website was visited.

To block web bugs on our websites, you can use tools such as WebWasher, Bugnosys, or AdBlock. Without your explicit consent, we will not use web bugs to collect personal data about you without your knowledge or to transmit such data to third parties and marketing platforms.

Purposes and legal basis for the use of cookies and other identifiers

The legal basis for the processing of personal data using technically necessary cookies is Section 25 Paragraph 2 No. 2 TDDDG for setting such cookies on your device, as well as Article 6 Paragraph 1 Sentence 1 Letter f GDPR for any subsequent processing required on our systems.

The purpose of using technically essential cookies is to simplify website use for users. Some functions of our websites cannot be offered without the use of cookies. For these functions, it is necessary that the browser is recognized even after a page change.

The right to object is excluded for technically essential cookies, as these are absolutely necessary to display our website and its content to you and to provide you with the website's functionalities.

The user data collected through technically essential cookies will not be used to create user profiles.

The use of analytics and marketing cookies serves the purpose of improving the quality of our websites and their content. Analytics cookies allow us to understand how the website is used and thus continuously optimize our offerings. Processing, particularly on your device, that is based on cookies or other identifiers (e.g., browser fingerprints, pixels) and is not technically necessary for the functioning of our websites, is only carried out with your consent, which you can grant via the cookie banner displayed when you access our websites. The legal basis for this cookie-based processing is Section 25 Paragraph 1 Sentence 1 of the German Telemedia Act (TMG) for setting cookies on your device, and Article 6 Paragraph 1 Letter a of the GDPR for any subsequent processing outside your device on our systems or the systems of our technology partners. Cookies that are not necessary for the functioning of our websites will not be set until you have given your consent.

Revocation of granted consent for the use of cookies and other identifiers/tags

You can revoke your consent to data collection via cookies at any time by disabling cookies here .

You can also disable all or individual cookies using the toggle switches in the cookie settings. You can reject cookies that are not technically necessary directly via our cookie banner when you first visit our website.

If you do not want your browser to accept cookies, you also have the option to disable or restrict them. Cookies that have already been saved can be deleted or disabled at any time via your internet browser. Disabling cookies may prevent this website from functioning properly. You may not be able to access all the features and information on this website. Please also note that you must disable cookies for each browser you use.

For more information on how to delete or manage cookies via your browser settings, please visit the help pages of the respective browser.

Registration, other web forms (e.g. for registering for events or themed days)

On our website, we offer users the opportunity to register by providing personal data or to register for specific events or themed days organized by us or our partners via a separate web form. The data is entered into an input form, transmitted to us, and stored. The data will not be shared with third parties. The following data is collected during the registration process:

First and Last Name

address

E-mail address

Company/Institution/Band (optional)

The following data is regularly collected via our web forms:

Inventory data: First name, last name, postal address, email address

Further data relating to the respective event and evident from the respective form, in particular: interests (e.g. regarding products, training opportunities, jobs), information on school or professional qualifications

Additional data may be requested, the collection of which is necessary for the specific purpose for which the web form was set up. The type of personal data relevant can then be found directly on the web form.

Registration is necessary for the performance of a contract to which the user is a party, or for taking steps prior to entering into a contract, such as initiating a contract. The legal basis for processing the data is Article 6(1)(b) GDPR.

User registration is required to access certain content and services on our website.

Registration is necessary for the performance of a contract with the user or for taking steps prior to entering into a contract.

The data will be deleted as soon as it is no longer required for the purpose for which it was collected.

This applies to data collected during the registration process when the registration on our website is canceled or modified, or when the data is no longer required for the performance of the contract or for initiating a contract. Even after the contract has been concluded, it may be necessary to store the contracting party's personal data in order to comply with contractual or legal obligations.

As a user, you have the option to cancel your registration at any time. You can have your stored data modified at any time via customer support or the customer center.

Data processed via web forms will also be deleted when the purpose for which the data was collected no longer applies or the data is otherwise no longer required for the original purpose of collection. In the case of events or themed days, this is the case at the latest when the event has ended and the processing of the data is no longer necessary for other purposes, e.g., to more concretely initiate a training or employment relationship.

If the data is required for the fulfillment of a contract or for the implementation of pre-contractual measures, premature deletion of the data is only possible insofar as no contractual or legal obligations preclude such deletion.

Applications

Our websites may include forms that allow you to apply online for job openings we have advertised. You can either use the application form, providing your relevant application information and uploading your application documents if this option is provided at the respective point of contact. Alternatively, you can send your application electronically via email or by regular mail if these options are indicated in the job posting.

If you use the "Upload CV" function to help you fill out the application form, automatic recognition will assign your personal data to the correct form fields, thus reducing the amount of data you need to enter. You can also apply using your Finest Jobs profile; the data processing associated with your Finest Jobs profile is governed by Finest Jobs' privacy policy, which you can access at https://www.finest-jobs.com/Datenschutz .

Purpose of processing and type of applicant data

We process the data you submitted with your application to assess your suitability for the position (or, if applicable, other open positions within our company) and to conduct the application process. We only process information that is essential for the specific application process and its execution.

The categories of personal data processed include, firstly, data that you voluntarily provide to us with your application, such as your first name, last name, and contact details (address, telephone number, email address). Special categories of personal data, such as your religious affiliation, may also be relevant for processing if you have included such data, for example, in your CV.

Legal basis for processing

The processing of the aforementioned data categories primarily serves the purpose of handling the application process and initiating an employment relationship, without this necessarily creating an entitlement to such an employment relationship. The primary legal basis for this processing is Article 6(1)(b) GDPR in conjunction with Section 26(1) of the German Federal Data Protection Act (BDSG).

Insofar as special categories of personal data are processed pursuant to Article 9(1) GDPR, this serves solely the purpose of processing your application and the subsequent selection procedure within the application process. The legal basis for this is Article 9(2)(b) GDPR.

Any processing of your personal data for purposes other than those mentioned above requires that we inform you beforehand and, if necessary, obtain your consent.

Recipients of the data

Once you have applied for a job posting, only the HR department and the department that posted the job will have access to your data, unless you have expressly consented to your data being shared with other recipients. If you have submitted a speculative application, your information will be made available to those departments whose vacancies show a clear match with your applicant profile.

For the application process, we use the services of our technology partner, rexx systems GmbH, Süderstraße 75-79, 20097 Hamburg ("rexx systems"), which provides the online form for integration into our websites and supports the internal electronic administration of applications. We have contractually obligated the technology partner to comply with data protection regulations.

For the application process, we use a specialized technology partner who provides the online form for integration into our websites and supports the internal electronic management of applications. We have contractually obligated this technology partner to comply with data protection regulations.

Storage period and deletion

If you are hired, all your data will be transferred to your personnel file or our human resources information system. If your application does not result in employment, your data will be completely deleted six months after the last contact with you, or stored in our applicant pool for two years if you have given your explicit consent.

Job alert (job newsletter via email)

If provided on the relevant website, you can also subscribe to our job alert (email newsletter) to be informed about interesting new job openings. For this purpose, only your email address is processed via the registration form; the other information is voluntary. This data is used to personalize our communications with you.

We use a double opt-in process for job alert registration. This means that after you register, we will send an email to the address you provided, asking you to confirm that you wish to receive job alerts. If you do not confirm your registration, your information will be automatically deleted after seven days. After your confirmation, we will store your email address for the purpose of sending you the newsletter until you unsubscribe. We also store your IP address (current at the time of registration), the date and time of registration, and your confirmation for up to three years. This period begins at the end of the year in which you registered for the job alert (statute of limitations). The purpose of this procedure is to be able to prove your registration if necessary and to investigate any misuse of your personal data. The legal basis for logging the registration is our legal obligation to implement technical and organizational measures, especially in the context of data security, pursuant to Art. 6 para. 1 lit. c, 32 GDPR, and additionally our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in proving previously given consent, see also Art. 7 para. 1 GDPR.

Right of withdrawal

You can withdraw your consent to receive job alerts and unsubscribe at any time. You can declare your withdrawal by clicking on the link provided in every job alert email .

Contact form and email contact

Our website offers the option to provide feedback, use live support, and submit comments/notes regarding your order. If a user takes advantage of this option, the data entered in the input form will be transmitted to us and stored. This data includes:

"Give feedback": Your message (if it contains voluntary information from you including personal data), email address (optional)

Live support and order notes/comments: only data necessary for your individual support request or that you voluntarily provide in your note/comment.

Alternatively, you can contact us via the email addresses provided on our website. In this case, the personal data you transmit with your email will be stored. This

data will not be shared with third parties. It will be used solely for processing your inquiry.

The legal basis for processing data transmitted via email is Article 6(1)(f) GDPR. If the email contact aims at concluding a contract, the additional legal basis for processing is Article 6(1)(b) GDPR.

The processing of personal data from the input form serves solely to process your contact request. In the case of contact via email, this also constitutes the necessary legitimate interest in processing the data.

The other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.

The data will be deleted as soon as it is no longer required for the purpose for which it was collected. For personal data from the contact form and data transmitted by email, this is the case when the respective conversation with the user has ended. A conversation is considered ended when it is clear from the circumstances that the matter in question has been resolved.

Email newsletter – registration, subscription, performance and reach measurement

Newsletter registration and subscription

On our websites, you have the option to subscribe to free promotional emails and, among other things, sign up for our email newsletter. Only your email address will be processed. In addition, the following technical usage data will be collected during registration:

IP address of the requesting computer

Date and time of newsletter registration

Information about the browser used

Information about the operating system used

Country and language settings in the Thomann webshop

We use your data to send you the newsletter by email. This is done for the purpose of sending it to you.

of the regularly published newsletter with interesting information, offers and promotions related to our product range as well as related to products from our partners ;

from voucher, loyalty and prize draw promotions;

Surveys for product and opinion research purposes;

Shopping cart reminders when you have added items to your shopping cart but have not completed your order;

invitations to product or service evaluations;

from feedback requests regarding our newsletter and other promotions;

notifications of changes to your wish list or shopping cart;

To remind you of your customer status and invite you to place a new order ("We miss you!").

During the registration process, your consent for the processing of your data for the aforementioned purposes of email advertising will be obtained, and you will be referred to this section of the privacy policy. The legal basis for this is Article 6(1)(a) and Article 7 of the GDPR, and Section 7(2)(2) of the German Unfair Competition Act (UWG).

The collection of other data during the registration process serves to prevent misuse of the services or the email address provided during registration.

The data will be deleted as soon as it is no longer needed for the purpose for which it was collected. Data collected for sending emails will therefore be stored for as long as your subscription to promotional emails is active, i.e., until you unsubscribe. An exception to this is your email address, which we will add to our blocklist after you unsubscribe from promotional emails. In this case, the processing of your email address is justified under Article 6(1)(f) GDPR, and our legitimate interest in this processing lies in protecting your interest in not receiving any further promotional emails from us. Therefore, your email address will not be deleted, but its processing will be restricted in accordance with Article 18 GDPR.

The sending of advertising emails is carried out on our behalf via the SendGrid service provided by Twilio Germany GmbH, Rosenheimer Str. 143C, 81671 Munich (data processor, hereinafter "Twilio"). We have contractually obligated Twilio to comply with data protection regulations and to implement appropriate technical and organizational measures through a data processing agreement. As part of this data processing, Twilio receives the newsletter data as the recipient in order to deliver the newsletter and to provide us with further services, e.g., for analyzing newsletter click behavior (see section below: Success and Reach Measurement via the Newsletter ).

Right of withdrawal

You can withdraw your consent to receive the email newsletter at any time. Each email contains a corresponding link that allows you to unsubscribe.

This also allows for the revocation of consent to the storage of personal data collected during the registration process.

Success and reach measurement via the newsletter

The promotional emails we send contain a pixel that transmits information to us as soon as you open the newsletter. We then retrieve this information to generate statistical analyses and measure the success of our email campaigns. This information includes:

Your IP address

Information about the browser used

Information about the operating system used

Time of retrieval

This information allows us to determine whether newsletters are opened, when they are opened, and which links within these emails are clicked. Technically, it is possible to link this data to individual email recipients; however, this is not used to track or monitor individual users. The analyses serve solely to tailor the email content to the wishes and interests of our newsletter subscribers based on their reading habits and to personalize it within the legal framework.

For the aforementioned evaluation and analysis, we use both Sendgrid and Google Analytics (see section Google Analytics).

The legal basis for data processing for the aforementioned analysis purposes is also consent pursuant to Section 25 Paragraph 1 Sentence 1 TDDDG for access to your device and pursuant to Article 6 Paragraph 1 Sentence 1 Letter a, Article 7 GDPR for any subsequent processing outside your device on our systems or systems of our technology partners Twilio and Google.

Right of withdrawal

By withdrawing your consent to receive the email newsletter, you can also withdraw your consent to the processing of your data for the purposes of performance and reach measurement.

Userlike Chat

On our websites, we use Userlike, a service provided by Userlike UG (limited liability), Probsteigasse 44-46, 50670 Cologne (hereinafter "Userlike"). We have contractually obligated Userlike UG, as our technology partner, to comply with data protection regulations when processing personal data on our behalf, through a corresponding data protection agreement.

Using Userlike, you can start a live chat and contact us via the widget embedded on our websites. In this case, we process the following data:

Communication content of the chat

Date and time of the chat

Name of our employee with whom the chat is being conducted

Chat language

Length of time

Starting URL where the chat was initiated

Target URL where the chat ended

IP address

The data will be processed exclusively for the purpose of chat communication.

The legal basis for processing your data, if you have given your consent, is Article 6(1)(a) of the GDPR. You can grant and withdraw your consent via our cookie banner. If you withdraw your consent during an ongoing chat conversation, we will be unable to continue it and it will be terminated.

The technical usage data we process during a live chat serves to prevent misuse of the chat and to ensure the security of our IT systems. This constitutes our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

Further information can be found in Userlike's privacy policy: https://www.userlike.com/de/terms#privacy-policy .

The data will be deleted as soon as it is no longer required for the purpose for which it was collected. Data processed by us during the use of the live chat will be deleted no later than one month after collection.

Contact and customer support via WhatsApp

You can contact us via WhatsApp at any time, for example, with questions about order processing, our products, or other customer support inquiries. This is facilitated by including a click-to-chat link to WhatsApp in the chat area of ​​our website and by providing our WhatsApp contact number in the appropriate place in customer communications or on our website. We will only contact you via WhatsApp at your explicit request, i.e., only if you initiate communication with us via WhatsApp.

By initiating communication via WhatsApp and sending us a WhatsApp message with your inquiry to our WhatsApp contact number, you agree to these data protection provisions and simultaneously consent, in accordance with Article 6 Paragraph 1 Letter a of the GDPR, to the processing of your personal data (first and last name, telephone number, Messenger ID, profile picture if applicable, and message history) within the context of using WhatsApp in order to send you messages. Messages sent via WhatsApp are end-to-end encrypted. This means that the content of the sent message is only visible to the sender and the recipient. WhatsApp has no access to the sent messages. An active WhatsApp account is required to use WhatsApp.

Communication takes place via the WhatsApp messaging service provided by WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. WhatsApp cannot view the content of sent messages, but can determine at any time that and when you communicated with us and retrieve technical information about the device you are using. Further information on how WhatsApp handles your data and the security measures WhatsApp has implemented to protect communication can be found in the detailed information for our WhatsApp contact and at https://faq.whatsapp.com/general/security-and-privacy/end-to-end-encryption-for-business-messages .

Our WhatsApp for Business account is provided by 360dialog GmbH, Torstraße 61, 10119 Berlin, and connected to our chat environment and the communication dashboard used internally by our customer support via a technical interface. We have contractually obligated 360dialog GmbH, as our technology partner, to comply with data protection regulations when processing personal data on our behalf, through a corresponding data processing agreement. Even though the processing of personal data on our behalf is not part of the contract, the possibility of 360dialog GmbH technically accessing personal data when providing our WhatsApp for Business account cannot be ruled out.

You can withdraw your consent to the processing of your personal data at any time; simply notify us, for example by sending an email to privacy@thomann.de . Generally, we delete the data we receive from you via WhatsApp as soon as we have answered your questions and no further inquiries or messages are expected from you. Longer retention periods may apply if the content of the messages necessitates legal retention obligations. Further information can be found in the respective privacy policies of WhatsApp and Userlike .

WhatsApp's privacy policy also states that WhatsApp may process your data outside the EU. However, this does not apply to the content of your communications, but rather to technical metadata generated during communication. This data includes, among other things, your phone number, your device, the type and time of use, your location, and your IP address. Please be aware that you have already consented to this processing by accepting WhatsApp's privacy policy when setting up your WhatsApp account and using WhatsApp for the first time.

Use of services for marketing and analysis purposes

Microsoft Clarity

On our websites, we use Microsoft Clarity (“Clarity”), a service provided by Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland (“Microsoft”). Clarity is a comprehensive analytics and evaluation tool that allows us to record and analyze user activity on our websites. For example, Clarity enables us to create heat maps of the websites and view and analyze them via dashboards, particularly to identify and optimize content and product offerings in less frequently visited areas. Furthermore, by recording user actions, especially during the checkout process, we can determine where users may have difficulty progressing to the next step of the order process or performing specific actions to successfully complete checkout. Additional purposes are listed in the table below. Your personal account data is neither processed nor linked to the data processed via Clarity. Any other potentially relevant personal information is masked through appropriate settings. Clarity uses an ID (Clarity ID) to target users of our websites, but no personal data is processed through this ID.

The following data is processed via this service:

IP address

Time information (e.g., event time)

Location information (country and region only)

Behavioral data (e.g., browsing, clicking, and scrolling behavior)

Browser information (e.g. browser version)

Device information (e.g., operating system)

Product data on webshop sites

Further information about the processed data can be found at https://learn.microsoft.com/en-us/clarity/setup-and-installation/clarity-data .

The processing is carried out for the following purposes, assigned to the respective processes:

Purpose of processing process

Tracking using Clarity ID ID-related analysis of user behavior based on the aforementioned usage data

analysis Analysis of user behavior and user interaction, especially with content on our websites and product offerings in the online shop, using predominantly technical user data and interaction data (e.g., device, browser, OS, IP addresses).

Heat Mapping Aggregation of usage data to determine which areas of our websites are used particularly frequently or particularly infrequently and are frequented by users.

Recordings of user behavior on thomann.de, especially the checkout process Recording of user behavior on our websites (e.g. clicks, scrolls, mouse movements) in pseudonymized sessions while masking numerical shop data (such as prices) and personal form fields

The legal basis for processing the data is the user's consent pursuant to Section 25 Paragraph 1 of the German Telemedia Act (TDDG) and Article 6 Paragraph 1 Letter a of the GDPR. You can grant and withdraw your consent via our cookie banner.

Right of withdrawal

You can find information on how to revoke the consent you have given via our cookie layer in the section "Revocation of consent given for the use of cookies and other identifiers/tags" .

The data will be deleted as soon as it is no longer required for the purpose for which it was collected.

We routinely delete collected dashboard data after 13 months.

It is possible that Microsoft, as our technology partner, also operates servers in the USA to provide its cloud services for Clarity. Microsoft Ireland Operations Limited is also a subsidiary of Microsoft Corporation, which is based in the USA. Therefore, it is also possible that your data collected by Microsoft may be transferred to the USA. Data transfers to the USA are secured under Article 45 of the GDPR via the EU-US Data Privacy Framework (DPF). Further information about Clarity can be found at https://learn.microsoft.com/en-us/clarity/setup-and-installation/about-clarity . Microsoft's privacy policy is available at https://privacy.microsoft.com/de-de/privacystatement .

Kevel

On our websites, we use services from Adzerk, Inc., 505 South Duke Street, Ste. 500, Durham, NC 27701 USA (“Kevel”), for conversion tracking purposes.

With the Ad Serving service, we can display advertising messages related to our online shop, such as interesting product offers on our website. Furthermore, the integrated Conversion Tracking function allows us to identify which ads you have seen and clicked, which other pages you subsequently visited, and which products you may have purchased. Including product purchases in the conversion analysis is only possible if you are logged into your customer account and other technical requirements are met (see below in this section).

For this purpose, we have implemented Kevel pixels as identifiers on our websites. These are code snippets that are able to identify and recognize the following information:

HTTP header information (e.g., IP address, web browser, website URL, date and time)

Measurement pixel-specific data (e.g., pixel ID and cookie ID)

additional information about browsing behavior and activities on our website (e.g. orders placed and products clicked on, as well as products added to the shopping cart and wish list)

When you visit our website, a direct connection to Kevel's servers is established via the pixel. Kevel processes the data collected via the pixel in order to provide us with the aforementioned services.

We ourselves are not able to personally identify you via Kevel's pixels, as no further personal data other than your browser ID is stored with us via Kevel's pixels.

We also use Kevel to analyze product purchases made by users of our websites and, based on these analysis results, to display relevant advertisements and enrich the conversion data available through the Ad Serving service. However, this only occurs if you are logged into your customer account and have given us your consent via the cookie banner. Technically, a so-called userKey is generated for this purpose, which is permanently stored either in local storage or as a cookie in your browser. The userKey contains your consent for this processing, which is necessary for this processing and is referred to as the CookieSession ID (if you have given it), the Thomann UserID (if you are logged into your customer account, referred to as the CMUID), and a purchaseID assigned to each product you purchased. The userKey allows us to display advertisements tailored to your purchasing behavior. Further information on the technical process can be found in the Kevel technical documentation at https://dev.kevel.com/reference/purchase-event .

The legal basis for processing the data is the user's consent pursuant to Section 25 Paragraph 1 of the German Telemedia Act (TDDG) and Article 6 Paragraph 1 Letter a of the GDPR. You can grant and withdraw your consent via our cookie banner.

Right of withdrawal

You can find information on how to revoke the consent you have given via our cookie layer in the section "Revocation of consent given for the use of cookies and other identifiers/tags" .

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected.

We routinely delete collected conversion data after 1 month.

We have contractually obligated Kevel, our technology partner, to comply with data protection regulations when processing personal data on our behalf, through a corresponding data processing agreement. Kevel has assured us that we will use a data center in Frankfurt am Main as the data processing location. Data transfers to the USA are secured by standard contractual clauses with Kevel, which are part of the aforementioned data processing agreement; you can access these at https://dev.kevel.com/docs/kevel-data-processing-agreement . Further information on Kevel's compliance with general data protection requirements can be found at https://dev.kevel.com/docs/gdpr-kevel and in Kevel's privacy policy, available at https://dev.kevel.com/docs/privacy-policy-customers .

Braze

On our websites, we use Braze, a service provided by Braze, Inc., 318 West 39th Street, 5th Floor, New York, NY 10018 (hereinafter "Braze"). Braze is a comprehensive communication and customer engagement platform. Through Braze, we have access to data on the use of our mobile applications and newsletter subscribers to enable the targeting and delivery of newsletters, push notifications, in-app messages, web push notifications, and content cards. We use the Braze platform for our direct marketing communications. The following data is processed via this service:

Customer data such as first name, last name, address

E-mail address

IP address

Marketing information (e.g. campaign ID)

App data (e.g., app installation date)

Purchase information (e.g., shopping cart value, order history in customer account)

Time information (e.g., event time)

Location information (e.g., city)

Behavioral data (e.g., browsing behavior)

Browser information (e.g. browser version)

Device information (e.g., advertising ID)

The processing is carried out for the following purposes, assigned to the respective processes:

Purpose of processing

process

Marketing and Communication

Sending newsletters, push notifications, and displaying content cards

analysis

Analysis of user behavior and user interaction with communication content using the processing of predominantly technical user data, such as email address, tokens, interaction data (e.g. device and browser, IP addresses)

Targeting

Segmentation into marketing-relevant interest and behavioral groups

API

Collection and processing of additional information from the customer account about a customer's purchasing behavior

The legal basis for processing the data is the user's consent pursuant to Section 25 Paragraph 1 of the German Telemedia Act (TDDG) and Article 6 Paragraph 1 Letter a of the GDPR. You can grant and withdraw your consent via our cookie banner.

Right of withdrawal

You can find information on how to revoke the consent you have given via our cookie layer in the section "Revocation of consent given for the use of cookies and other identifiers/tags" .

The data is deleted as soon as it is no longer needed to fulfill the purpose for which it was collected. Braze itself conducts a weekly review process, according to which, for certain actions, inactive or non-interacting customers and their associated data are deleted from the Braze platform for more than 6 or 12 months.

We have contractually obligated Braze, our technology partner, to comply with data protection regulations when processing personal data on our behalf, through a corresponding data processing agreement. Braze has assured us of a data processing location in Frankfurt am Main. Additional data transfers to the USA are secured by a standard contractual clause agreement with Braze; these can be accessed at https://www.braze.com/company/legal/scc or directly at https://marketing-assets.braze.com/production/legacy/documents/2021-EU-Standard-Contractual-Clauses-Oct-2022.pdf?v=1665677603 . Further information regarding our data processing agreement with Braze can be found at https://www.braze.com/company/legal/dpa and in Braze's privacy policy, available at https://www.braze.com/company/legal/privacy .

SearchHub Analytics

On our websites, we use SearchHub Analytics, a service provided by CXP Commerce Experts GmbH, Am Schoßgatter 3, 75172 Pforzheim, Germany (“CXP Commerce Experts”). The SearchHub Analytics script allows us to record and analyze user activity on our websites originating from website searches, specifically analyzing search queries and subsequent behavior on our websites based on these queries. This enables us to better understand how our website's search function is used and, based on the analytical data obtained, to optimize our search function and its search results, thereby enhancing the user experience, particularly by delivering improved search results.

For the aforementioned purposes, we analyze the path from a search term to the shopping cart, including the products that are viewed, clicked, and added to the cart after a search. Our partner, CXP Commerce Experts, uses this information on our behalf to provide you with more relevant search results and suggestions. To enable this, the script uses a temporary, anonymous session ID stored in a cookie, as well as browser storage (local storage). No directly identifiable personal data is collected, and your IP address is removed before any information is sent to our partner. The data is also not used for advertising purposes. Furthermore, your personal account data is neither processed nor linked to data processed via SearchHub Analytics.

The following data is processed via this service:

Time information (e.g., event time)

Behavioral data (e.g. search query text, click and scroll behavior)

Browser information (e.g. browser version)

Device information (e.g., operating system)

Product data on webshop sites

Further information about SearchHub Analytics can be found at https://www.searchhub.io/how-it-works/ and in detailed documentation from our partner at https://docs.searchhub.io/integration-guide.html .

The processing is carried out for the following purposes, assigned to the respective processes:

Purpose of processing

process

Tracking based on session ID

ID-related analysis of user behavior based on the aforementioned usage data (pseudonymized)

analysis

Analysis of user behavior and user interaction, especially with the search function, the content accessed by the user based on the search results on our websites and product offerings in the online shop, using the processing of predominantly technical user data and interaction data (e.g., device, browser, OS).

The legal basis for processing the data is the user's consent pursuant to Section 25 Paragraph 1 of the German Telemedia Act (TDDG) and Article 6 Paragraph 1 Letter a of the GDPR. You can grant and withdraw your consent via our cookie banner.

Right of withdrawal

You can find information on how to revoke the consent you have given via our cookie layer in the section "Revocation of consent given for the use of cookies and other identifiers/tags" .

The data is deleted as soon as it is no longer needed for the purpose for which it was collected. We routinely delete collected analytics data after 24 months. The session ID is deleted after the user ends a browser session, or at the latest after 48 hours.

We have also contractually obligated our partner CXP Commerce Experts to comply with data protection regulations through a data processing agreement (Art. 28 GDPR).

Google Analytics

On our websites, we use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Analytics uses "cookies," which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website will generally be transmitted to and stored by Google on servers in the United States. On our behalf, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity, and providing us, as the website operator, with other services relating to website activity and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be associated with any other data held by Google. We would also like to point out that on our websites, Google Analytics is used with the extension anonymizeIP, meaning that IP addresses are processed in truncated form only, thus preventing them from being linked to a specific individual. You can prevent the storage of cookies by selecting the appropriate settings in your browser software. However, please note that in this case you may not be able to fully utilize all the functions of this website. Furthermore, you can prevent the collection and transmission of data generated by the cookie at www.thomann.de and related to your use of the website to Google, as well as the processing of this data by Google, by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout/eula.html?hl=de .

Right of withdrawal

You can find information on how to revoke the consent you have given via our cookie layer in the section "Revocation of consent given for the use of cookies and other identifiers/tags" .

Further information on how Google Analytics works and on the terms of use and privacy policy applicable to this service can be found at http://www.google.com/analytics/terms/de.html and http://www.google.de/intl/de/policies/privacy/ .

Google Ireland Ltd. is a subsidiary of Google LLC, which is based in the USA. It is possible that your data collected by Google may also be transferred to the USA.

Google Tag Manager

We use Google Tag Manager to manage website tags. Tags are small code elements on our websites that are executed during certain interactions with the website and send measured data to the third-party programs we use (e.g., Google Analytics). The Tag Manager itself does not use cookies and does not collect any personal data. The Tag Manager triggers other tags, which may in turn collect data and set cookies (e.g., the third-party programs we use). The Tag Manager does not access this data.

Facebook Remarketing

On our websites, we use the "Vanilla Custom Audiences Pixel," a service provided by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). This service allows us to directly target our customers via the Facebook network by displaying so-called Facebook ads to visitors of our websites when they visit the Facebook social network.

For this purpose, we have implemented so-called remarketing pixels from Facebook on our websites. These are code snippets that can identify your browser type via the browser ID – your browser's unique fingerprint – and recognize that you have visited our websites and what exactly you viewed. When you visit our websites, the pixel establishes a direct connection to Facebook's servers. Facebook is able to identify you using the browser ID because it is linked to other data stored about you in your Facebook user account. Facebook then delivers personalized advertisements from us, tailored to your needs, in your Facebook timeline or elsewhere on Facebook.

We ourselves are not able to personally identify you via the Facebook pixel, as no further personal data other than your browser ID is stored by us via the Facebook remarketing pixel.

Further information about Facebook's Custom Audiences, the details of data processing via this service, and Facebook's privacy policy can be found at https://www.facebook.com/about/privacy/ .

Right of withdrawal

You can find information on how to revoke the consent you have given via our cookie layer in the section "Revocation of consent given for the use of cookies and other identifiers/tags" .

Meta Platforms Ireland Ltd. is a subsidiary of Meta Platforms, Inc., based in the USA. It is possible that your data collected by Facebook may also be transferred to the USA.

Google Ads Conversion Tracking

On our websites, we use the Google Ads Conversion Tracking function, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). When you click on an ad placed by Google, a so-called conversion tracking cookie is stored on your computer. This cookie is valid for 30 days and does not contain any personal data, so we cannot personally identify you.

Conversion tracking allows us and Google to identify which Google Ads ads you clicked on and whether you were redirected to our websites via those ads, provided you visit our websites and the cookie is still valid. We receive a unique cookie from Google, distinct from those of other Google Ads customers, so we can only measure reach with respect to our own cookie and not across all websites of Google Ads customers. This cookie is used to generate our own conversion statistics for customers who visit our websites via Google Ads ads.

Right of withdrawal

You can find information on how to revoke the consent you have given via our cookie layer in the section "Revocation of consent given for the use of cookies and other identifiers/tags" .

Google Ireland Ltd. is a subsidiary of Google LLC, which is based in the USA. It is possible that your data collected by Google may also be transferred to the USA.

Further information on how Google uses your data, how the various Google technologies work, and Google's privacy policy can be found at https://business.safety.google/intl/de/privacy/ .

Google reCAPTCHA

To protect input forms (e.g., newsletter subscription, registration, login) on our websites, we use the "reCAPTCHA" service provided by Google Ireland Ltd, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). This service helps distinguish whether the input is from a human or is being processed automatically, especially for malicious purposes.

By interacting with reCAPTCHA, the referrer URL, IP address, website visitor behavior, information about the operating system, browser and session duration, cookies, display instructions and scripts, user input behavior, and mouse movements within the "reCAPTCHA" checkbox area are transmitted to Google. The IP address transmitted as part of "reCAPTCHA" is not combined with other Google data unless you are logged into your Google account at the time of using the "reCAPTCHA" plugin. If you wish to prevent this transmission and storage of data about you and your behavior on our website by Google, you must log out of your Google account before visiting any of our websites that use the reCAPTCHA plugin.

The use of the "reCAPTCHA" service and the information obtained through it is subject to Google's privacy policy, which you can access at https://www.google.com/intl/de/policies/privacy/ .

The legal basis for data processing is Article 6(1)(c) in conjunction with Article 32 GDPR on the one hand, and Article 6(1)(f) GDPR on the other. Securing our websites against misuse and spam using the reCAPTCHA plugin constitutes a technically necessary security measure and simultaneously our legitimate interest within the meaning of Article 6(1)(f) GDPR. In this context, the collection and transmission of the IP address to Google also serves to verify the source of the request to the respective website and to make an automated decision regarding further authentication requirements to defend against automated, especially abusive, website requests and distributed denial-of-service attacks.

If cookies are placed on your device when the reCAPTCHA plugin is integrated, this is done on the basis of Section 25 Paragraph 2 No. 2 of the German Telemedia Act (TMG). Our aforementioned legitimate security interests in protecting against misuse of input forms are safeguarded in a user-oriented manner. Users of our websites expect to find a secure online system free from malicious code.

Google Marketing Platform and Google Ads Remarketing

On our websites, we use remarketing services from the Google Marketing Platform and Google Ads, both services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). These services allow us to display advertising messages related to our online shop, such as interesting product offers, on the websites of other providers who also use these Google services ("Partners" in the Google Display Network). Furthermore, Google Ads Remarketing allows us to remind you to complete your order via messages on other providers' websites in the Google Display Network if you recently abandoned an order in our online shop. This is done using cookie technology.

Google stores a small file containing a string of numbers (a so-called cookie ID) in your browser to remember you as a visitor to our websites and to collect further anonymous data about your website usage. We store the cookie ID, and it serves solely to uniquely identify your browser and not to identify you personally. No personal data about you is collected or stored through these services.

We also use Google Remarketing across devices. This means that if, for example, you start shopping in our online store on your smartphone and complete your purchase on your laptop, we can reach you with the aforementioned personalized advertising messages on the other device you use. However, this only happens if you have consented to Google linking your web and app browsing history to your Google account and using information from your Google account to personalize ads you see on the web. In this case, Google uses the data of these logged-in users together with Google Analytics data to create and define target audience lists for cross-device remarketing. To support this function, Google Analytics collects Google-authenticated IDs of these users. This data from Google is temporarily linked with our Google Analytics data to create our target audiences.

Please check your Google account privacy settings to prevent Google from linking your web and app browsing history to your Google account.

In order to remind you of an abandoned order in our online shop via message, no personal data is transmitted to Google, but only the fact that you wanted to place an order in our online shop under the recorded cookie ID and cancelled it, as well as the total price of the intended order ("shopping cart transfer").

Right of withdrawal

You can find information on how to revoke the consent you have given via our cookie layer in the section "Revocation of consent given for the use of cookies and other identifiers/tags" .

Google Ireland Ltd. is a subsidiary of Google LLC, which is based in the USA. It is possible that your data collected by Google may also be transferred to the USA.

Further information on Google's remarketing services, details of data processing via these services and Google's corresponding privacy policy can be found at http://www.google.com/policies/technologies/ads/ and at https://business.safety.google/intl/de/privacy/ .

Bing Ads

On our websites, we use the remarketing technology "Bing Ads" from Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland ("Microsoft"). Microsoft places a cookie on your computer ("conversion cookie") when you access our websites via a Microsoft Bing ad. This allows Microsoft and "Bing Ads" customers to recognize that you clicked on the ad and were redirected to our websites. In this way, you can be re-engaged with targeted product recommendations and interest-based advertising on the websites of Microsoft and other "Bing Ads" customers.

The information collected using the conversion cookie is also used to generate conversion statistics. We learn the total number of users who clicked on a Microsoft Bing ad and were thus redirected to our websites. Additional anonymous data (e.g., the number of page views and the time spent on the websites) is also collected. We do not receive any personally identifiable information.

Right of withdrawal

You can find information on how to revoke the consent you have given via our cookie layer in the section "Revocation of consent given for the use of cookies and other identifiers/tags" .

Microsoft Ireland Operations Limited is a subsidiary of Microsoft Corporation, which is based in the USA. It is possible that your data collected by Microsoft may also be transferred to the USA.

Further information about Microsoft's ad services, details of data processing via these services, and Microsoft's privacy policy can be found at https://privacy.microsoft.com/de-de/ .

TikTok Pixel

On our websites, we use the remarketing technology of TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (“TikTok”). For this purpose, we have implemented so-called TikTok remarketing pixels (“TikTok Pixel”) on our websites. When you visit our websites, the TikTok Pixel establishes a direct connection to TikTok's servers. TikTok is able to identify you using your browser ID, as this is linked to other data stored about you in TikTok for your user account. TikTok then delivers personalized advertisements from us, tailored to your needs, on your TikTok page or elsewhere on TikTok.

As part of the TikTok pixel process, in addition to the aforementioned technical data, your email address will also be transmitted to TikTok, provided you have given us this information and your consent to this processing. The email address is initially transmitted to TikTok in plain text, but immediately afterwards, it is hashed to make it unreadable to third parties. The hashed email address is then implemented in the pixel to improve the recognition of your device. This transmission allows TikTok to generate statistics about user behavior on our website after being redirected from an advertisement, which we use to optimize our offerings. All processing described above, in particular the use of the pixel and your hashed email address, will only take place if you have given us your consent via our cookie banner.

We ourselves are unable to personally identify you via the TikTok Pixel, as no personal data other than your browser ID is stored by us via the TikTok Pixel. The information collected using the TikTok Pixel allows us to create conversion statistics. We learn the total number of users who clicked on a TikTok ad and were thus redirected to our websites. Additional anonymous data (e.g., the number of page views and the time spent on the websites) is also collected. We do not receive any information that could personally identify users.

Further information about TikTok Pixel, details of data processing via this service, and TikTok's privacy policy can be found at https://www.tiktok.com/legal/privacy-policy-eea?lang=de and https://ads.tiktok.com/i18n/official/policy/controller-to-controller .

TikTok also processes your data in the USA. Please also note that the transfer of your data to TikTok's Chinese parent company, based in China, and other TikTok partners, which are also not based in the EU, cannot be ruled out.

Right of withdrawal

You can find information on how to revoke the consent you have given via our cookie layer in the section " Revocation of consent given for the use of cookies and other identifiers/tags" .

Pinterest Pixel (Pinterest Tag)

For remarketing purposes, we use the Pinterest Pixel or Pinterest Tag on our websites, a service provided by Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland ("Pinterest"). This service allows us to target you with advertising by displaying so-called Pinterest ads to visitors of our websites when they visit the Pinterest social network.

For this purpose, we have implemented so-called Pinterest tags, or Pinterest Pixels, on our websites. When you visit our websites, the pixel establishes a direct connection to Pinterest's servers. Pinterest is able to identify you using your browser ID, as this is linked to other data stored about you in your Pinterest user account. Pinterest then delivers personalized advertisements from us, tailored to your needs, on your Pinterest profile page or elsewhere on Pinterest.

As part of the Pinterest pixel process, in addition to the aforementioned technical data, your email address will also be processed, provided you have given us your consent for this processing. We will anonymize your email address using a hashing process and then transmit it to Pinterest in this hashed form, i.e., not in plain text. The hashed email address will then be implemented in the pixel to improve the recognition of your device. This transmission allows Pinterest to generate statistics about user behavior on our website after being redirected from an advertisement, which we use to optimize our offerings. All processing described above, in particular the use of the pixel and your hashed email address, will only take place if you have given us your consent via our cookie banner.

We ourselves are unable to personally identify you via the Pinterest Pixel, as no personal data other than your browser ID is stored by us via the Pinterest Pixel. The information collected using the Pinterest Pixel allows us to generate conversion statistics. We learn the total number of users who clicked on a Pinterest ad and were thus redirected to our websites. Additional anonymous data (e.g., the number of page views and the time spent on the websites) is also collected. We do not receive any information that could personally identify users.

We also use remarketing via the Pinterest Pixel across devices. This means that if, for example, you start your purchase in our online shop on your smartphone and complete it on your laptop, we can reach you with the aforementioned personalized advertising messages on the other device you are using.

Further information about Pinterest Pixel, details of data processing via this service and Pinterest's privacy policy can be found at https://policy.pinterest.com/de/privacy-policy .

Right of withdrawal

You can find information on how to revoke the consent you have given via our cookie layer in the section "Revocation of consent given for the use of cookies and other identifiers/tags" .

Snap Pixel

On our websites, we use the remarketing technology of Snap Inc., 772 Donald Douglas Loop North, Santa Monica, CA 90405, USA (“Snap”). For this purpose, we have implemented so-called remarketing pixels from Snap (“Snap Pixel”) on our websites. When you visit our websites, the Snap Pixel establishes a direct connection to Snap's servers. Snap is able to identify you using your browser ID, as this is linked to other data stored about you in Snap's user account. Snap then delivers personalized advertisements from us on the Snap social network, tailored to your needs.

As part of the Snap pixel process, in addition to the aforementioned technical data, your email address will also be processed, provided you have given us your consent for this processing. We will anonymize your email address using a hashing process and then transmit it to Snap in this hashed form, i.e., not in plain text. The hashed email address will then be implemented in the pixel to improve the recognition of your device. This transmission allows Snap to generate statistics about user behavior on our website after being redirected from an advertisement, which we use to optimize our offerings. All processing described above, in particular the use of the pixel and your hashed email address, will only take place if you have given us your consent via our cookie banner.

We ourselves are unable to personally identify you via the Snap Pixel, as no personal data other than your browser ID is stored by us via the Snap Pixel. The information collected via the Snap Pixel allows us to generate conversion statistics. We learn the total number of users who clicked on a Snap ad and were thus redirected to our websites. Additional anonymous data (e.g., the number of page views and the time spent on the websites) is also collected. We do not receive any information that could personally identify users.

Further information about Snap Pixel, the details of data processing via this service and Snap's privacy policy can be found at https://www.snap.com/de-DE/privacy/privacy-center and https://businesshelp.snapchat.com/s/article/snap-pixel-faq?language=en_US .

Snap Inc. is a company based in the USA, so your data will be transferred to and processed by a recipient outside the EU/EEA. To secure this data transfer, we have entered into a data processing agreement with Snap Inc., based on the EU Commission's Standard Contractual Clauses. These serve as the legal basis for securing the data transfer to the USA, Art. 46 para. 2 lit. c GDPR. The data processing agreement can be accessed at https://www.snap.com/en-US/terms/data-processing-agreement .

Right of withdrawal

You can find information on how to revoke the consent you have given via our cookie layer in the section "Revocation of consent given for the use of cookies and other identifiers/tags" .

Adform

On our websites, we use services from Adform A/S, Wildersgade 10B, 1st floor, 1408 Copenhagen, Denmark ("Adform"), for retargeting and conversion tracking purposes. With the Ad Serving service, we can, firstly, display advertising messages related to our online shop, such as interesting product offers, on the websites of other providers who also use Adform. Secondly, Ad Serving and the integrated Conversion Tracking function allow us and Adform to identify which ads you have clicked on and whether you were redirected to our websites via these ads, provided you visit our websites.

For this purpose, we have implemented Adform pixels as identifiers on our websites. These are code snippets that can identify your browser type via the browser ID – your browser's unique fingerprint – and recognize that you have visited our websites and what exactly you viewed. When you visit our websites, a direct connection to Adform's servers is established via the pixels. Adform processes the data collected via the pixels to provide us with the aforementioned services.

We ourselves are not able to personally identify you via Adform's pixels, as no personal data other than your browser ID is stored with us via Adform's pixels.

Right of withdrawal

You can find information on how to revoke the consent you have given via our cookie layer in the section "Revocation of consent given for the use of cookies and other identifiers/tags" .

Further information about the services offered by Adform, the details of data processing via these services and Adform's privacy policy can be found at https://site.adform.com/privacy-center/platform-privacy/product-and-services-privacy-policy/ .

Embedding YouTube videos

By visiting a website that embeds YouTube videos, Google receives information that you have accessed this website. In addition, the data mentioned in the "Usage Data" section above is transmitted. This occurs regardless of whether Google provides a user account that you are logged into, or whether no user account exists. If you are logged into your Google account, this data will be directly associated with your account. If you do not want this data to be associated with your Google profile, you must log out before visiting websites that embed YouTube videos.

Google stores this data as user profiles and uses it for advertising, market research, and/or to tailor its websites to user needs. This analysis is carried out in particular (even for users who are not logged in) to provide targeted advertising. Further information can be found in Google's privacy policy: https://policies.google.com/privacy .

The legal basis for the use of YouTube videos on our websites is our legitimate interest (Art. 6 para. 1 sentence 1 lit. f GDPR) in a needs-based and visually optimized presentation of our websites, primarily through videos.

Right to object

You have the right to object to the creation of these user profiles, and to exercise this right, you must contact Google. You can also configure how Google may use your data for advertising or other purposes in the privacy settings of your Google account. This includes settings for the delivery of advertisements (so-called ads).

Classified ads

On our websites, you can place classified ads free of charge. For this purpose, we collect your name, address, and email address via a registration form. This information is then stored in our system and used to generate the classified ad. The classified ad will publish your name or, optionally, a pseudonym, as well as your country, city, postal code, and email address. Additionally, details describing the equipment, any images you upload, and your telephone number (optional) will be included in the published classified ad.

The legal basis for processing this data is Article 6(1)(f) of the GDPR.

This is done for the purpose of contacting interested parties and for fraud prevention. Furthermore, we compare the data you provide when placing the classified ad with our customer database. This is done to correct any incorrect customer data and to assign the classified ad to your customer account, provided you are already a Thomann Music House customer. This allows you to conveniently manage your classified ad via your regular customer center login.

The data will be deleted as soon as it is no longer required for the purpose for which it was collected. This applies to data collected during the registration process when the registration on our website is cancelled or modified.

As a user, you have the option to cancel your registration at any time. You can have your stored data modified at any time via customer support. You must request the deletion of your customer account from us. To do so, please contact our customer support (e.g., using the contact details of your personal contact person displayed on the left side of your customer account). In individual cases, your personal data will only be blocked before deletion if legal retention obligations or official orders prevent its deletion.

Data subject rights

If your personal data is being processed, you are a data subject within the meaning of the GDPR and you have the following rights against the controller:

1. Information, correction, restriction and deletion

You have the right to request information, free of charge, about the data stored about you at Thomann Music House, its origin and recipients, and the purpose of data processing via Thomann's websites. Furthermore, you have the right to rectification, erasure, and restriction of the processing of your personal data, provided the legal requirements for this are met.

Details can be found in the relevant legal provisions, Articles 15 to 19 of the GDPR.

2. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to Musikhaus Thomann as the data controller, in a structured, commonly used and machine-readable format. Musikhaus Thomann can fulfill this right by providing a CSV export of the customer data processed about you.

3. Right to information

If you have asserted your right to rectification, erasure or restriction of processing against the controller, the controller is obliged to communicate this rectification or erasure of data or restriction of processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.

They have the right to be informed about these recipients by the data controller.

4. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions.

The controller will no longer process your personal data unless they can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of establishing, exercising or defending legal claims.

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing; this also applies to profiling insofar as it is related to such direct marketing.

If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

You have the option, in connection with the use of information society services – notwithstanding Directive 2002/58/EC – to exercise your right to object by means of automated procedures using technical specifications.

5. Revocability of data protection consent declarations

Furthermore, you can revoke your consent at any time with effect for the future by contacting Musikhaus Thomann using the contact details provided below.

6. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint was lodged shall inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 GDPR.

Update to the privacy notice

Thomann Music House may update this privacy notice from time to time. Such changes will be displayed on the website. If you have any comments or questions about this privacy notice or other policies of this website, please contact us in writing.

10/2025