Privacy Policy
Version: May 2026
1. Controller
The Controller within the meaning of Article 4(7) GDPR is:
BMB Rheinland GmbH, Liefergasse 4, 40213 Düsseldorf, Germany · Telephone +49 211 9726 918-0 · E-Mail commercial@bmbrheinlandgmbh.com · Represented by the Managing Director: Dr. Bijan Baharlooei Bardshahi.
2. Categories of personal data
We process in particular the following categories of personal data:
- Master and contact data (name, company name, address, telephone number, e-mail address, function within the company)
- Contract and order data (order content, order number, order history, delivery address, invoice address)
- Payment and credit data, to the extent necessary for the performance of the contract
- Communication data (content of enquiries, correspondence, chat messages)
- Usage and technical data when visiting the website (IP address, date and time, volume of data transferred, browser type, operating system, referrer URL)
3. Purposes of processing and legal bases
(1) Processing for the initiation, conclusion, performance and settlement of contracts, including order processing, invoicing, payment processing, shipping and complaint handling, is carried out on the basis of Article 6 para. 1 lit. b GDPR.
(2) Processing to comply with legal obligations, in particular commercial and tax-law retention obligations, is carried out on the basis of Article 6 para. 1 lit. c GDPR.
(3) Processing to safeguard the Controller's or a third party's legitimate interests, in particular for the response to commercial enquiries, the security of our IT systems, abuse prevention and direct marketing to the extent permitted by law, is carried out on the basis of Article 6 para. 1 lit. f GDPR.
(4) Processing based on consent is carried out on the basis of Article 6 para. 1 lit. a GDPR. Consent may be withdrawn at any time with effect for the future.
4. Shop system and hosting (Shopify)
The online shop is provided on the platform of Shopify International Ltd., Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland. When the shop is accessed and with every order, personal data (in particular the categories referred to in Section 2) are processed on Shopify's servers. A data-processing agreement pursuant to Article 28 GDPR is in place with Shopify. The legal basis is Article 6 para. 1 lit. b GDPR (performance of contract) and Article 6 para. 1 lit. f GDPR (provision of a secure and functional shop).
5. Payment service providers
For the processing of payments, personal data are transmitted to the payment service providers selected by the Customer in the relevant transaction. The providers actually integrated in the order process are identified by name at checkout. The legal basis of transmission is Article 6 para. 1 lit. b GDPR and, to the extent legally required, Article 6 para. 1 lit. c GDPR.
6. Shipping and logistics providers
For the purpose of delivery, delivery and contact data are transmitted to the transport and logistics partners commissioned with shipment and, in the case of deliveries outside the European Union, to the competent customs authorities and customs agents. The legal basis is Article 6 para. 1 lit. b GDPR and Article 6 para. 1 lit. c GDPR.
7. Contact
If the Customer contacts us by e-mail, telephone, contact form or chat, we process the personal data communicated for the purpose of handling the enquiry and any subsequent communication. The legal basis is Article 6 para. 1 lit. b GDPR where the communication serves the initiation or performance of a contract, otherwise Article 6 para. 1 lit. f GDPR (interest in the orderly handling of commercial enquiries).
8. Newsletter
If you subscribe to our newsletter, we process your e-mail address and, where applicable, further voluntarily provided data in order to send you technical information, product information, availability notices, B2B offer information and other business-related communications. The processing is generally based on your consent pursuant to Article 6 para. 1 lit. a GDPR. Where legally permissible, communications to existing B2B customers may also be based on legitimate interests pursuant to Article 6 para. 1 lit. f GDPR. You may unsubscribe or object to the processing at any time.
9. hCaptcha
To protect our contact forms against misuse, spam and automated submissions, we may use hCaptcha. The provider is hCaptcha / Intuition Machines, Inc., 350 Alabama Street, San Francisco, CA 94110, USA. In this context, the following may be processed in particular: IP address, technical device and browser information, interaction data and other information required for abuse prevention. The processing is carried out on the basis of Article 6 para. 1 lit. f GDPR. Our legitimate interest lies in the security of our website, the prevention of misuse and the protection of our IT systems.
10. Cookies and similar technologies
Access to information stored on the user's terminal equipment and the storage of information on such terminal equipment are carried out in accordance with Section 25 TDDDG. Technically necessary cookies may be used without consent where they are strictly necessary to provide a service expressly requested by the user (in particular cart, session and security cookies). Non-essential cookies, in particular for analytics, marketing or external services, are used only after prior consent pursuant to Article 6 para. 1 lit. a GDPR. Consent may be withdrawn at any time via the "Cookie Settings" link in the footer with effect for the future.
11. Recipients of personal data and processors
Within our company, personal data are passed only to those positions which need access to fulfil contractual and legal obligations. Where external service providers act as processors (in particular Shopify International Ltd., payment service providers, shipping and logistics partners, IT service providers and, where applicable, newsletter and chat providers), this takes place on the basis of agreements pursuant to Article 28 GDPR.
12. International transfers
A transfer of personal data to countries outside the European Union and the European Economic Area takes place only where this is necessary for the performance of the contract, is required by law, the Customer has consented, or an adequate level of data protection is ensured. Where no adequacy decision of the European Commission exists, the transfer is carried out on the basis of appropriate safeguards within the meaning of Article 46 GDPR, in particular on the basis of the European Commission's Standard Contractual Clauses.
13. Retention periods
Personal data are erased as soon as they are no longer required for the purposes for which they were collected and no statutory retention obligations preclude erasure. Commercially and fiscally relevant records are retained pursuant to Sections 257 HGB and 147 AO for up to ten years. Contact enquiries without contractual reference are erased as a rule no later than three years after the last activity. Server log data are erased after seven days as a rule, unless longer storage is required to investigate security incidents.
14. Rights of data subjects
You have, under the conditions of the GDPR, in particular the right to information (Article 15 GDPR), rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction of processing (Article 18 GDPR), data portability (Article 20 GDPR) and the right to object (Article 21 GDPR). To exercise these rights, please contact us at the address set out in Section 1.
15. Withdrawal of consent
You have the right to withdraw any consent at any time with effect for the future. The withdrawal does not affect the lawfulness of any processing carried out on the basis of the consent before its withdrawal.
16. Right to object pursuant to Article 21 GDPR
Where processing is based on Article 6 para. 1 lit. f GDPR, you have the right to object at any time, on grounds relating to your particular situation, to such processing. In the case of direct marketing, you have an unconditional right to object at any time.
17. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data-protection supervisory authority, in particular with the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW), Postfach 20 04 44, 40102 Düsseldorf, www.ldi.nrw.de.
18. Automated decision-making
Automated decision-making within the meaning of Article 22 GDPR, including profiling, does not take place.
