Privacy Policy

1. Overview

What is personal data?

Personal data means any information relating to an identified or identifiable natural person – for example, your name, IP address, email address, or browsing behaviour. This Privacy Policy explains what data we collect when you visit extragroup.com, how we use it, and what rights you have.

Where does your data come from?

Some data is collected automatically when you access our website (e.g. technical log data). Other data you provide to us directly, for example when filling in a contact form or placing an order. For analytics and marketing tools, we ask for your consent via a cookie banner before these services become active.

Your rights at a glance

You have the right to access, rectify, or erase your stored personal data, to restrict or object to its processing, and to receive your data in a portable format. You may also withdraw any consent you have given at any time. For any questions, please contact our Data Protection Officer or reach us directly.

2. Data Controller

The controller responsible for processing personal data on this website is:

extragroup GmbH
Pottkamp 19
48149 Münster, Germany
Phone: +49 (0) 251 390 89-0
Email: info@extragroup.de

3. Data Protection Officer

We have appointed an external Data Protection Officer:

lexICT GmbH
Kai Korte
Ostfeldstraße 49
30559 Hannover, Germany
Phone: +49 (0511) 165 80 40 9
Email: korte@lexict.de

4. Hosting

This website is hosted on servers operated by Hetzner Online GmbH:

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen, Germany

We use Hetzner to ensure secure, fast, and reliable operation of our website (Art. 6(1)(f) GDPR). We have entered into a data processing agreement (DPA) with Hetzner pursuant to Art. 28 GDPR; Hetzner processes your data exclusively according to our instructions and in compliance with the GDPR.

5. Server Log Files

Our web server automatically records the following technical information each time a page is requested:

  • IP address of the requesting device
  • Date and time of access
  • Requested URL and HTTP method used
  • HTTP status code and amount of data transferred
  • Previously visited page (referrer)
  • Browser identifier (user-agent: browser type, operating system)

This information is essential for the technical delivery of the website and helps us diagnose errors and detect attacks. Log files are automatically deleted after 14 days. No data is merged with other sources or passed on to third parties.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operational security and error analysis).

6. Encrypted Transmission (HTTPS)

This website is accessible exclusively via an encrypted HTTPS connection. Unencrypted HTTP requests are automatically redirected to HTTPS. TLS encryption protects all data exchanged between your browser and our server from unauthorised access.

7. Cookies and Consent Management (CookieYes)

Our website uses cookies – small text files stored locally by your browser. Technically necessary cookies enable core functions (e.g. shopping cart, login state) and may be set without consent. All other cookies – for analytics, marketing, or tracking – are only set after you have given your explicit consent.

Consent management is handled by the CookieYes plugin from WebToffee Solutions Ltd. (Ground Floor, No. 9 Victoria Buildings, Haddington Road, Dublin 4, Ireland). On your first visit, a consent banner appears where you can accept or decline individual cookie categories. You can change or withdraw your choices at any time using the “Cookie Settings” link in the footer.

CookieYes stores your consent decision in a cookie (cookieyes-consent) for up to one year. It also performs an anonymised geolocation check via geoip.cookieyes.com to apply country-specific consent requirements.

Legal basis: Art. 6(1)(a) GDPR for cookies requiring consent; Art. 6(1)(f) GDPR for technically necessary cookies.
CookieYes Privacy Policy: https://www.cookieyes.com/privacy-policy/

8. Google Tag Manager

We use Google Tag Manager (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). The Tag Manager is a container tool that does not itself collect personal data or set cookies. It controls when the analytics and marketing tags described below are loaded – only after you have activated the respective cookie category in the consent banner. Without your consent, these tags are not executed.

Legal basis: Art. 6(1)(f) GDPR for the technical operation of the container.

9. Google Analytics

With your consent, we use Google Analytics (Google Ireland Limited), a web analytics service that statistically evaluates usage behaviour on our website. Google Analytics helps us understand how visitors interact with our content so we can improve it. We have enabled IP anonymisation, which means IP addresses are shortened within the EU before being forwarded to Google’s servers.

Data may be transferred to the USA. Google LLC is certified under the EU-US Data Privacy Framework (DPF), which the European Commission recognised as providing an adequate level of data protection in July 2023 (Art. 45 GDPR).

Legal basis: Art. 6(1)(a) GDPR. Consent may be withdrawn at any time via the Cookie Settings.
Google Privacy Policy: https://policies.google.com/privacy

10. Google Ads and Conversion Tracking

With your consent, we run advertisements via Google Ads (Google Ireland Limited). Google Ads allows us to display adverts in Google Search and on the Google Display Network. Conversion tracking lets us analyse which actions users take after clicking on one of our adverts (e.g. purchases, contact requests). Remarketing features enable us to show relevant adverts to past visitors on other websites. Google sets cookies for this purpose (e.g. _gcl_au, IDE).

Data may be transferred to the USA; Google LLC is DPF-certified.

Legal basis: Art. 6(1)(a) GDPR.

11. Facebook Pixel / Meta

With your consent, we use the Meta Pixel from Meta Platforms Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland). The Meta Pixel transmits certain actions taken on our website (e.g. page views, product views, purchases) to Meta. We use this data to measure the effectiveness of our advertising campaigns on Facebook and Instagram and to build target audiences for future campaigns.

Data may be transferred to the USA. Meta Platforms, Inc. is DPF-certified.

Legal basis: Art. 6(1)(a) GDPR.
Meta Privacy Policy: https://www.facebook.com/privacy/policy/

12. Google Fonts

We use Google Fonts (Google Ireland Limited) to display fonts (Roboto) consistently across our website. When a page loads, your browser retrieves the required font files from Google servers. Your IP address is transmitted to Google in the process. Servers are primarily located in the USA; Google LLC is DPF-certified.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a consistent visual presentation of our website).

13. Leaflet Maps (OpenStreetMap)

We embed interactive maps using Leaflet, an open-source JavaScript library. Map tiles are loaded from OpenStreetMap servers (unpkg.com). When a map is displayed, your IP address is transmitted to the tile server. No personal data is stored permanently by us in connection with map displays.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing location information).
OpenStreetMap Privacy Policy: https://wiki.osmfoundation.org/wiki/Privacy_Policy

14. YouTube Videos

Some pages embed videos from YouTube (Google Ireland Limited). We use YouTube’s enhanced privacy mode, which means no tracking cookies are set until you actively start playing a video. Once you play a video, YouTube and Google may collect data about your usage behaviour.

Data may be transferred to the USA; Google LLC is DPF-certified.

Legal basis: Art. 6(1)(a) GDPR for cookies set on playback; Art. 6(1)(f) GDPR for embedding the video player itself.
Google/YouTube Privacy Policy: https://policies.google.com/privacy

15. WooCommerce / Online Shop

We operate our online shop using WooCommerce, an open-source WordPress plugin. When you place an order, we process the data required to fulfil the contract: name, delivery address, email address, telephone number, and order and payment information. This data is retained for the statutory retention periods (generally 10 years for tax-relevant records) and then deleted.

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (legal retention obligations).

16. Stripe (Payment Processing)

We use Stripe to process credit card payments and other payment methods. The European operator is Stripe Payments Europe, Ltd. (1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland). Your payment data is transmitted directly and exclusively to Stripe; we do not store complete payment details ourselves. Stripe processes data in accordance with PCI-DSS standards.

Data may be transferred to the USA; Stripe, Inc. is DPF-certified.

Legal basis: Art. 6(1)(b) GDPR.
Stripe Privacy Policy: https://stripe.com/privacy

17. Contact Forms and Email Contact

When you contact us via a form on this website or by email, we process the information you submit (name, email address, message, and any other fields) in order to handle your enquiry. This data is not passed on to third parties unless necessary for processing your request. Data is deleted once your enquiry has been fully resolved, provided no statutory retention obligations apply.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in handling enquiries), or Art. 6(1)(b) GDPR if the enquiry relates to a contract.

18. International Data Transfers

Some of the services we use (in particular Google, Meta, and Stripe) process data outside the European Union, primarily in the USA. For such transfers, we rely – where the providers are appropriately certified – on the European Commission’s adequacy decision for the EU-US Data Privacy Framework (DPF) of July 2023 (Art. 45 GDPR). Google LLC, Meta Platforms, Inc., and Stripe, Inc. are each DPF-certified. For third-country recipients not covered by the DPF, we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Art. 46(2)(c) GDPR.

19. Retention Periods

Personal data is not retained longer than necessary for the respective purpose, unless statutory retention obligations require longer storage:

  • Server log files: 14 days
  • Contact enquiries: until fully resolved
  • Order data: 10 years (commercial and tax retention obligations)
  • Cookie consent (CookieYes): 1 year

If you request deletion of your data or withdraw your consent, your data will be erased promptly unless statutory retention obligations apply.

20. Your Rights as a Data Subject

Right of access (Art. 15 GDPR)

You have the right to obtain, free of charge, information about the personal data stored about you, its origin, recipients, and the purposes of processing.

Right to rectification (Art. 16 GDPR)

If data about you is inaccurate or incomplete, you have the right to have it corrected without delay.

Right to erasure (Art. 17 GDPR)

You may request deletion of your data once the purpose for processing has ceased and no statutory retention obligations apply.

Right to restriction of processing (Art. 18 GDPR)

Under certain conditions, you may request that your data be restricted – meaning it may only be stored but not actively processed.

Right to data portability (Art. 20 GDPR)

You have the right to receive data that you have provided to us on the basis of consent or for contract performance in a structured, commonly used, machine-readable format, or to have it transferred to another controller.

Right to object (Art. 21 GDPR)

WHERE DATA IS PROCESSED ON THE BASIS OF ART. 6(1)(E) OR (F) GDPR, YOU MAY OBJECT AT ANY TIME. IF YOU OBJECT TO DIRECT MARKETING, WE WILL IMMEDIATELY CEASE USING YOUR DATA FOR THAT PURPOSE.

Withdrawal of consent (Art. 7(3) GDPR)

You may withdraw any consent to data processing at any time with effect for the future – for example via the “Cookie Settings” link in the footer. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Right to lodge a complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement. In Germany, the competent authority for extragroup GmbH is the Landesbeauftragte für Datenschutz und Informationsfreiheit NRW (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf, www.ldi.nrw.de.

To exercise your rights, please contact our Data Protection Officer (see Section 3) or reach us directly at info@extragroup.de.