Privacy Policy

Welcome to our website and thank you very much for your interest in our company. Protection of your personal data is of the highest priority in our company. We process your data in accordance with applicable personal data protection legislation, in particular the GDPR and the German Federal Data Protection Act (BDSG) which provide comprehensive information about the processing of your personal data executed by PhytoLab GmbH & Co. KG and your rights as a data subject.

Personal data is any information that makes it possible to identify a natural person. This includes, in particular, name, date of birth, address, telephone number, email address and IP address. Anonymous data is present if no personal reference to the individual/user can be made.

Responsible body and data protection officer

Address
PhytoLab GmbH & Co. KG
Dutendorfer Str. 5-7
91487 Vestenbergsgreuth
Contact information
Tel: +49 9163 88-216
Fax: +49 9163 88-349
Contact data protection

Your rights as a data subject

We would first like to inform you of your rights as a data subject. These rights are set out in Articles 15 - 22 GDPR and consist of:

To exercise these rights, please contact: The same applies if you have any questions on data processing in our company or to withdraw your consent. You also have a right of appeal to a data protection supervisory authority.

Right to object

Please note the following with respect to your right to object:

When we process your personal data for the purpose of direct marketing, you have the right to object to this data processing at any time without providing the reasons for such objection. This also applies to profiling insofar as it is associated with direct marketing.

If you object to the processing for direct marketing, we will no longer process your personal data for such purposes. The objection is free of charge and can be made informally, preferably but not exclusively to:

Should we process your data to protect legitimate interests, you may object to such processing at any time for reasons from your specific situation; this also applies to profiling based on these provisions.

We will then stop processing your personal information unless we can demonstrate compelling legitimate grounds for processing such information that prevail over your interests, rights and freedoms, or the processing is intended to assert, exercise or defend legal claims.

Purposes and legal bases of data processing

The processing of your personal data complies with the provisions of the GDPR and all other applicable data protection sources of law. Legal bases for data processing arise in particular from Art. 6 GDPR.

We use your data to initiate business, to fulfil contractual and legal obligations, for the contractual relationship, to offer products and services and to consolidate customer relationships, which may include marketing and direct marketing.

Your consent may also constitute a legal basis for data processing. In this regard, we will inform you of the purposes of data processing and the right to withdraw your consent. If the consent also relates to the processing of special categories of personal data, we will explicitly notify you in the consent process.

Processing of special categories of personal data within the meaning of Art. 9 (1) GDPR may only take place where required on the grounds of legal regulations and if there is no reason to assume that your legitimate interests should prevail over our interest in processing such data.

Data transfers / Disclosure to third parties

We will transmit your data to third parties solely within the scope of the applicable statutory provisions or based on consent. In any further case, information will not be transferred to third parties unless we are obliged to do so by mandatory legal regulations (disclosure to external controllers, including the supervisory authorities or law enforcement authorities).

Data recipients / categories of recipients

In our organisation, we ensure that only individuals who are required to process the relevant data to fulfil their contractual and legal obligations are authorised to handle personal data.

Where service providers assist our corporate departments to fulfil their tasks, the required data protection contract has been concluded.

Transfers of personal data to third countries

A transfer of data to third countries (outside the European Union or the European Economic Area) shall only take place if required by law or if you have provided your consent for such a transfer.

We currently do not transfer your personal data to service providers or group companies outside the European Economic Area.

Period of data storage

We store your data for as long as is required for the relevant processing purposes. Please note that numerous retention periods require data to be stored for a specified period of time. This relates in particular to retention obligations for commercial or fiscal purposes (e.g. commercial code, tax code, etc.). The data will be routinely deleted after use unless further retention is mandatory.

Should you create a personal user account in our web shop, we will automatically delete it if the account has been inactive for a period of three years beforehand. Applicable legal obligations to store your data beyond that period (e.g. storage to comply with tax regulations) remain unaffected.

We may also retain data if you have given us your permission to do so, or in the event of any legal disputes and we use the evidence within the statutory limitation period, which may be up to 30 years; the standard limitation period is 3 years.

Secure transfer of data

We implement the appropriate technical and organisational security measures to ensure the optimal protection of the data stored by us against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. The security levels are continuously reviewed in collaboration with security experts and adapted to new security standards.

The data exchange to and from our website is encrypted. We provide https as a transfer protocol for our website, and always use the latest encryption protocol. In addition, we offer our users content encryption in our contact forms and applications.

Obligation to provide data

A range of personal data is required to establish, implement and terminate the obligation and the fulfilment of the relevant contractual and legal obligations. The same applies to the use of our website and the various functions we provide.

In some cases, legal regulations require data to be collected or made available. Please note that it will not be possible to process your request or execute the underlying contractual obligation without this information.

Data categories, sources and origin of data

The data we process is defined by the relevant context:

We may process the following data when you visit our website:

We may process the following data if you create a user account or place an order:

Automated decisions in individual cases

We do not use completely automated processing to make decisions.

Web shop (Article 6 (1) lit b GDPR)

We process the data provided by you within the scope of the order form solely to execute and fulfil the underlying contractual relationship, unless you agree to a further use.

The principle of data minimization is observed here, as we only request data that is required to execute the contract or to fulfil our contractual obligations (i.e. your name, address, email address, a billing address or a shipping address). In addition, you may provide further information like an academic degree to correctly address our delivery to you in person.

Your IP-address will also be processed for technical reasons and legal protection. If this data is not provided, we will have to decline the conclusion of the contract, as we cannot then perform the contract or will be obliged to terminate an existing contract, where appropriate.

Registration / Customer account (Article 6 (1) lit a, b GDPR)

Users can provide personal data to enable them to register on our website. This enables you to view your order history and save your data for your next order, without having to repeatedly submit the data.

Your registration is therefore either required or offered to execute a contract (via our web shop) or to execute pre-contractual measures. Data may also be provided for the sole purpose of placing an order, where there is no requirement to create a user account for that purpose. If you decide not to create a user account, you may order as a guest (where providing the mandatory data is required), without a user account being created as a consequence. In the latter case, you are required to enter your data again when placing a subsequent order.

The principle of data minimization is also observed where user accounts are created, as only data marked with an asterisk (*) must be filled on a mandatory basis.

When registering with us, your IP address and the date and time of registration are stored (technical background data). By clicking the “Register now” button you can declare your consent to the processing.

Please note: We will store your password under encryption. As this measure prevents our staff from accessing your password, they may not assist you in case you have lost or forgotten your password.

In such an event, please use the “Forgotten password” function, which will result in the automated creation and provision of a new password via e-mail. Furthermore, no employee is authorised to request your password. Please never disclose your password upon request.

Upon completion of the registration process, your data will be stored with us for use in the protected customer area. When you log in to our website with your email address as your username and your password, this data will be made available to you on our website (e.g. for orders in our online shop). Completed orders can be tracked in the order history. You can specify changes to the billing or delivery address here.

Registered persons are entitled to adjust the information provided on the billing or delivery address. You can also contact our customer service team to execute any changes / corrections. You can of course cancel or delete the registration or your customer account. For this purpose please contact our customer service team.

Online offers to children

Persons under the age of 16 years may not submit personal data to us or give a declaration of consent without the authorisation of their legal representative. We encourage parents and further legal representatives to actively participate in the online activities and interests of their children.

Marketing purposes (Article 6 (1) lit f GDPR)

PhytoLab GmbH & Co. KG is interested in nurturing the customer relationship with you and in sending you information and offers about our products and services. We therefore may process your data to send you the relevant information and offers via email.

You may object to the use of your personal data for the purpose of direct marketing at any time; this also applies to profiling insofar as it is associated with direct marketing. If you object, we will cease processing your personal information for this purpose.

You can withdraw your consent at any time free of charge and informally without stating the reasons via any communication channel.