Privacy Policy - Cannadusa Marketplace

The following data protection provisions inform you about our handling, collection, use and disclosure of personal data. In particular, the General Data Protection Regulation (GDPR) serves as the legal basis for data protection.

I. Overview

Data processing by cannadusa.com can essentially be divided into three categories: For the purpose of handling the registration process, all data necessary for the registration or registration of a customer account is processed across the websites www.cannadusa.com, www.cannadusa.de. Medusa Engineering GmbH is responsible for the processing. By accessing the websites of the online marketplace and using the services offered there, various data are processed for specific purposes. This may also involve personal data. By accessing the websites of the stationary store and using the services offered there, various data are processed for specific purposes. This may also involve personal data.

II General functionalities

1. login to the customer accounts Purpose of data processing / legal basis: The logins to your customer accounts on the websites of the online marketplace and the stationary store are organized via a common, superordinate login of Medusa Engineering GmbH. The joint login allows you to use all services on the basis of one registration. The following data is processed as part of the registration process:

  • E-mail address

  • Salutation

  • Name

  • Surname

  • Phone number

  • Information about consent

  • password

  • Date of birth (age check)

The legal basis for the processing of your data is Art. 6 para. 1 f) GDPR. The legitimate interest on the part of the Cannadusa company arises from the interest in being able to provide customers with the extended functions of the overarching customer accounts.

2. social login Purpose of data processing/legal basis:

We offer you the option of registering and logging in to the Cannadusa websites or the Cannadusa app using one of your social media accounts (e.g. Facebook, Google or Apple account) ("social login"). An additional registration to one of the Cannadusa customer accounts is not required in this case. Rather, the user account of your social media account (Apple, Google, Facebook account) is "linked" to these, so that you can authenticate yourself with your social media user account to the Cannadusa customer account and log in to the Cannadusa services.

Categories of data Cannadusa receives from your social media account: By linking, we automatically receive the following maximum information from the provider of your social media account (Apple inc., Meta Platforms, Inc. or Google lnc.) depending on the privacy settings you have set on your social media account:

  • Surname, first name

  • Salutation (thus inference of gender)

  • Phone number

  • E-mail address

  • Date of birth

We store this data in your Cannadusa customer accounts created in this way and use this data exclusively for the purposes specified by you in our Cannadusa services.

Categories of data that Cannadusa automatically transmits to the provider of your social media account:

The operator of the social media account with which you authenticate yourself to the Cannadusa services automatically receives the following data from Cannadusa through the linking and each login:

The information that you have logged in to a Cannadusa service for the first time with your social media account and thus have a Cannadusa customer account,

The information when you log in to a Cannadusa service with the social login (time and date)

This data transmission is automated and is mandatory for the use of the social login of the social media provider. No further information is transmitted. In particular, the social media account operator does not receive any usage data or information about how long you have been logged in to Cannadusa services and what activities you carry out in Cannadusa services (e.g. purchases, etc.) or what other data you store in your Cannadusa customer account. A synchronization of data does not take place.

The legal basis for the processing of your data in the context of the use of the optional social login is your consent in accordance with Art. 6 para. 1 a) GDPR as described below. If you use the social login service, you consent to the collection, processing and use of your data as described below under 1) to 3):

1) I agree that the following data may be transmitted by the provider of my social media service (Apple, Twitter, Meta Platforms, Inc. or Google) to Cannadusa as part of the social login procedure:

  • Surname, first name

  • Salutation

  • Phone number

  • E-mail address

  • Date of birth

Cannadusa may store this data in my personal Cannadusa customer account and use it exclusively for registration purposes and for personal salutation in the customer account.

2) In addition, I consent to the following data being automatically transmitted from the Cannadusa servers to the provider of the social media account I use for social login as part of the voluntary optional use of the social login function:

The information that you have logged in to a Cannadusa service for the first time with your social media account and thus have a Cannadusa customer account

The information when you log in to a Cannadusa service with the social login (time and date).

3) I am aware that the provider of my social media account may be based in a country outside the European Union (EU) (e.g. in the USA), where a lower level of data protection applies than in the EU and therefore, for example, investigating authorities or companies there may have access to this data from my social media account provider. In the context of the voluntary use of the social login, I also expressly consent to the transfer of the aforementioned data to the country in which my social media account provider is based in accordance with Art. 49 para. 1 sentence 1 a) GDPR, knowing the lower level of data protection and the associated risks.

You can revoke this consent at any time by sending an e-mail to with effect for the future. In this case, you will no longer be able to use the Social Login function, but will have to register for a Cannadusa customer account in the conventional way. All data stored about you up to that point on the basis of this consent will also be deleted.

Your provider is legally responsible for processing the data transferred to the operator of your social media account. The data protection principles there therefore apply. This data protection information on Apple, Meta Platforms, Inc. and/or Google Login and the privacy settings of your social media account can be found in the data protection notices and terms of use of

  • Apple Facebook

  • Google+

Recipients/categories of recipients:

The data of your Cannadusa customer account is generally only accessible to the departments within Cannadusa that are responsible for maintaining the website of the online marketplace and the Cannadusa customer accounts, or that offer the specific Cannadusa service you use. A transfer to third parties outside, with the exception of the data presented to the provider of your social media account does not take place.

Storage period/criteria for determining the storage period:

The social login data will be stored in your Cannadusa customer account and used as described until you declare a revocation.

III Further information on the use of the websites of the online marketplace

Under "Controller", we first inform you about the controller, the data protection officer and any contact options. Under "General information on the use of the websites of the online marketplace and the app area of the online marketplace", we inform you about the information that applies to all parties.

A. Responsible body B. General information on using the websites of the online marketplace/app area of the online marketplace C. Further information for customers D. Further information for traders

If you have any further questions about the collection, processing and use of your personal data or individual processes, we ourselves or our data protection officer will be happy to answer them using the contact details below.

If there are significant changes to the data protection provisions, the marketplace operator will inform users by e-mail.

A. Responsible body

I. Name and address of the controller The controller within the meaning of the GDPR and other national data protection laws of the Member States as well as other data protection regulations is the:

Medusa Engineering GmbH

Friedrich Wilhelm Street 14

56244 Sessenhausen

HRB 28327, Montabaur Local Court

B. General information on the use of the websites of the online marketplace/app area of the online marketplace

We collect and use the personal data of our users primarily for the purpose for which the data was provided to us, in particular for the provision of contractual services, processing your order, sending newsletters or coupons ordered by you, for notifications in connection with competitions, or insofar as this is necessary for the provision of functional websites and our content and services.

The procedures in detail:

I. Provision of the websites/app area of the online marketplace and creation of log files

1. description and scope of data processing Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected if it is transmitted based on your browser settings:

Information about the browser type and version used

The user's operating system

The IP address of the user

Date and time of access

The last website from which the user's system accesses our website

Country and place of access

The data is stored temporarily in the log files of our system. This data is not stored together with other personal data of the user.

2. legal basis for data processing The legal basis for the storage of data and log files is Art. 6 para. 1 lit. f GDPR.

3. purpose of data processing The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session. The data is stored in log files to ensure the functionality of the online marketplace websites. We also use the data to optimize the websites of the online marketplace and to ensure the security of our information technology systems. These purposes constitute our legitimate interest in data processing in accordance with Art. 6 para. 1 lit. f GDPR.

4. recipients/categories of recipients The data is generally only accessible to the departments within Cannadusa that are responsible for maintaining the websites of the online marketplace. It is not passed on to third parties outside Cannadusa.

5 Duration of storage The log files are stored in the active systems for 14 days and then transferred to archives. The log files are stored there for two years, as they are needed for analysis if necessary in order to effectively combat cybercriminals.

6. right of objection and removal The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. You have the right to object to this data processing under the conditions of Art. 21 GDPR. However, in addition to the declaration of objection, reasons must be given against the processing that arise from your particular situation, as the processing of the data is necessary for the operation of the site.

II. use of cookies in general In addition, we, cannadusa.com, are responsible for data processing in connection with the use of so-called cookies and other technologies for processing usage data on the websites of the online marketplace. Cookies are small text files that your browser automatically creates and that are stored on your end device (laptop, tablet, smartphone, etc.) when you visit our website. The use of cookies and other technologies for processing usage data serves the following purposes, depending on the category of cookie or other technology:

Technically necessary: These are cookies and similar methods without which you cannot use our services (for example, to display our website correctly/functions you have requested, to save your registration in the login area, to fill the shopping cart when shopping online, etc).

Preferences/Convenience: These techniques allow us to take into account your actual or presumed preferences for the comfortable use of our websites. For example, we can use your settings to display the most recently viewed articles on our websites.

Statistics: These techniques enable us to compile pseudonymous statistics on the use of our services for the purpose of tailoring them to your needs. This enables us, for example, to determine how we can adapt our websites even better to the habits of users.

Self-advertising: This allows us to show you advertising content that is suitable for you based on the analysis of your pseudonymous usage behavior. Your usage behavior can also be tracked across different websites, browsers or end devices using a user ID (unique identifier). With your consent to the collection of the pseudonymous user profile and its disclosure together with the pseudonymous user ID for self-promotion, you may be shown advertising content relevant to you on other Cannadusa websites and services and possibly other third-party channels that correspond to your presumed interests resulting from your usage profile. In addition, we analyze your use of our Cannadusa websites (e.g. advertising banners viewed or clicked) on the one hand to optimize our advertisements and offers for you and other customers and on the other hand to provide our advertising partners with pseudonymous data for billing purposes and to optimize their marketing campaigns. Our advertising partners cannot trace this information back to you personally. If you do not give your consent or revoke it with effect for the future, you will only be shown random content on the corresponding banner areas on our services and websites and those of third parties.

Advertising and performance measurement using the IAB TCF:

For some advertising measures, we use a specific standard for obtaining and implementing declarations of consent, including in connection with personalized advertising, the so-called Transparency and Consent Framework ("TCF") of the Interactive Advertising Bureau Europe ("IAB") (see below for more information).

Most browsers have functions with which the acceptance of cookies can generally be rejected or with which the cookies accepted by this website can be deleted after the end of the visit to a website. The help function in the menu bar of most web browsers explains how you can prevent your browser from accepting new cookies, how you can have your browser notify you when you receive a new cookie or how you can delete all cookies you have already received and block your browser from accepting any more.

III. use of technically necessary cookies in the context of the operation of the online marketplace

1. description and scope of data processing

1a. Order processing and account services Technically necessary cookies are used, for example, to save your shopping cart or watch list to make it easier for you to place your next order. After completing the order and when you visit our website again, you will be recognized as a customer with the help of a corresponding cookie, making it easier for you to place another order.

For example, the following data is stored and transmitted in the cookies:

  • Language settings

  • Articles in a shopping cart

  • Login information

1b. Performance measurement and A/B testing We also use technically necessary cookies for performance measurement and A/B testing.

IV. Use of cookies to implement your actual or presumed preferences (preferences/convenience)

1. description and scope of data processing As already described above, cookies are used on our website to enable you to use our website conveniently based on your actual or assumed preferences. For this purpose, we use settings you have selected or information about your interactions to customize the user interface (e.g. to show you your last viewed products or to make suggestions based on your preferences determined by us). This data is not linked to a permanent identifier.

2. legal basis for the processing of personal data The legal basis for the use of cookies and similar technologies in the context of A/B tests and data processing is your consent in accordance with Section 25 (1) TTDSG and Article 6 (1) (a) GDPR.

3. purpose of data processing The processing of users' personal data enables us to improve our website and design it in a customer-oriented manner so that you receive offers that are relevant to you.

4. recipients/categories of recipients The data is generally only accessible to the specialist departments within the Cannadusa Group that are responsible for maintaining the websites of the online marketplace. If service providers receive access to personal data, contracts for order processing in accordance with Art. 28 GDPR have been concluded with these service providers.

5. duration of storage The data will be deleted as soon as it is no longer required for our recording purposes.

6. objection and removal options In this regard, please refer to the explanations under VII. objection and removal options.

V. Use of cookies for statistical web analysis of the online marketplace

1. description and scope of the processing of personal data

We use various analysis tools on our website which, among other things, provide information about the surfing behavior of our users. In detail:

1a. Google Marketing Platform/Analytics 360 Our website uses Google Analytics: a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland , which uses so-called "cookies".

When individual pages of our website are accessed, the following data in particular is stored:

  • Two bytes of the IP address of the user's calling system

  • Information on the operating system of the calling system

  • Information about the browser

  • The website accessed

  • The website from which the user accessed the website (so-called referrer URL)

  • The subpages that are accessed from the accessed website

  • The time spent on the website

  • Date and time of your visit to our website

The information about the use of our website may be transmitted to a Google server in the USA and stored there. Google will use this information for the purpose of evaluating your use of our website, compiling reports on website activity for us and providing other services relating to website activity and internet usage. In this regard, we have concluded a contract with Google for order processing in accordance with Art. 28 GDPR.

If this is required by law or if third parties process this data on behalf of Google, Google will also pass this information on to these third parties. This use is anonymized or pseudonymized. You can find more information about this directly at .

Cross-device tracking

If you log in to the third-party provider with your own user data, the respective recognition features of different browsers and end devices can be linked with each other. If, for example, the third-party provider has created a separate feature for the laptop, desktop PC or smartphone or tablet you are using, these individual features can be assigned to each other as soon as you use a service of the third-party provider with your login data. In this way, the third-party provider can also target our advertising campaigns across different end devices.

Processing in a third country under data protection law If the data is processed outside the EU or the EEA in this context, please note that there is a risk that authorities may be able to access the data for security and monitoring purposes without you being informed or having the right to appeal. If we use providers in unsafe third countries and you give your consent, the transfer to a third country is based on Art. 49 para. 1 lit. a GDPR. You can withdraw your consent to processing at any time (see explanations under point 5). Data processing is lawful until consent is withdrawn. If you do not want Google Analytics to have insight into your usage behavior as described above, you can integrate a deactivation add-on into your browser. You can find more information about this add-on and how to activate it at

Google Consent Mode (Behavioral Modeling): As your privacy is very important to us, you can refuse statistics cookies. In order to be able to determine the utilization of our website even in these cases, Google Consent Mode has developed so-called estimation models. This makes it possible to estimate the behavior of users on our website who refuse to accept cookies. For this purpose, information (these are: The page on which the user is located, device type, browser, time) is collected so that a suitable estimation model can be used. The IP address is completely replaced by a general IP address of a cannadusa.com server. This means that the user's IP address is not visible to Google. This prevents the user from being directly identified or recognized.

1a. Google Optimize We use the Google Optimize tool to test different versions of our website in so-called A/B tests in order to determine the best version. Google Optimize analyzes the use of different variants of the website so that we are able to adapt the user-friendliness to the behavior of the website users. Google Optimize is a tool integrated into Google Analytics and uses cookies.

1. legal basis for the processing of personal data The legal basis for the use of statistics cookies and similar technologies involving the various providers of web analysis services and data processing is your consent in accordance with Section 25 (1) TTDSG and Article 6 (1) (a) GDPR. The legal basis for data processing in the context of Google Consent Mode is Article 6(1)(f) GDPR.

2. purpose of data processing The processing of users' personal data enables us to analyze the surfing behavior of our users. By analyzing the data, it is possible to compile information about the use of the individual components of the website in aggregated form and to ensure and continuously improve the website and its usability. With regard to the use of Google Consent Mode, our aim is to be able to understand how many users visit our website and which parts of our website are frequented to what extent in order to avoid unpleasant user experiences and improve the use of our website.

3. recipients/categories of recipients If the service providers listed above receive access to personal data, contracts for order processing in accordance with Art. 28 GDPR have been concluded with these service providers.

4. duration of storage The data will be deleted as soon as it is no longer required for our recording purposes.

5. revocation, objection and removal options In this regard, please refer to the explanations under VIII. Objection and removal options.

VI Use of self-advertising cookies on the online marketplace

1. description and scope of the processing of personal data

We work together with various targeting service providers for advertising and marketing purposes. For this purpose, we store cookies on our server that enable us to analyze the use of our website by you and others. These cookies are used to record information about the use of our website, transfer it to a server operated by our service providers and store it there.

1a. Google Remarketing Among other things, we use the remarketing technology of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. With this technology, users who have already visited our websites and online services and have shown an interest in what we offer are targeted again by targeted advertising on the pages of the Google Partner Network. Advertising is displayed through the use of cookies. In particular, user behavior when visiting the website is analyzed and then used for targeted product recommendations and interest-based advertising. You can deactivate the use of cookies by Google for interest-based advertising for these purposes by accessing the page or, alternatively, users can deactivate the use of cookies from third-party providers by accessing the URL. By using our services, you consent to the processing of data about you by Google in the manner and for the purposes set out above. We would like to point out that Google has its own data protection guidelines which are independent of ours. We assume no responsibility or liability for these policies and procedures. Please inform yourself before using our website at .

1b. Google Marketing Platform/Display & Video 360 and Campaign Manager With Doubleclick by Google, we use a service from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to show you ads that are relevant to you. Cookies that do not contain any personal information are used for this purpose. The Doubleclick cookies use a pseudonymous identification number assigned to your browser, which is used to check the display and retrieval of advertisements. This allows Google and its partner sites to serve ads based on previous visits to the online marketplace or other websites. Google transfers the information generated by the Doubleclick cookies to a server in the United States of America and stores it there. Data is only transferred to third parties within the framework of statutory regulations or commissioned data processing. By using the websites of the online marketplace, you consent to the use of the above-mentioned data and its processing by Google as described above. You can prevent the storage of cookies in your browser settings. However, we would like to point out that in this case you will not be able to use the functions of our website to their full extent and that incorrect displays may occur. If you generally agree to the storage of cookies but do not wish to use Doubleclick cookies, you can download and install a browser plugin from Google that deactivates the Doubleclick by Google service.

1c. Facebook Custom Audiences As part of usage-based online advertising, we also use communication tools from the social network Facebook, in particular the Website Custom Audiences product. In principle, a non-reversible and non-personal checksum (hash value) is generated from your usage data, which can be transmitted to Facebook for analysis and marketing purposes. For the Website Custom Audiences product, the Facebook cookie is used for this purpose. For more information about the purpose and scope of data collection and the further processing and use of the data by Meta Platforms, Inc. as well as your setting options for protecting your privacy, please refer to Facebook's privacy policy, which you can view at . If you wish to object to the use of Facebook Website Custom Audiences, you can do so at.

1d. Google Ads As an AdWords customer, we also use Google Conversion Tracking, an analysis service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. If you have reached our website via a Google ad, Google AdWords will set a cookie on your computer. These cookies are not used for personal identification and lose their validity after 30 days. If you visit our site within the 30 days and the cookie has not yet expired, we and Google can recognize that someone clicked on the ad and was redirected to our site. There is a different cookie for each AdWords customer. This means that cookies cannot be tracked via the websites of AdWords customers. The information collected by the conversion cookie is used to create conversion statistics for AdWords customers who have opted for conversion tracking. This tells AdWords customers the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, they do not receive any information with which users can be personally identified. You can deactivate the automatic setting of cookies in your browser settings if you do not wish to participate in the tracking process. You can also deactivate cookies for conversion tracking by setting your browser to block cookies from the domain googleadservices.com.

Google Consent Mode (Conversion Modeling): As your privacy is very important to us, you can refuse self-advertising cookies. In order to be able to determine the success of marketing measures in these cases as well, Google Consent Mode has developed so-called estimation models. This makes it possible to estimate the behavior of users on our websites who reject the setting of cookies. For this purpose, information (these are: The page on which the user is located, device type, browser, time and an anonymized IP address) is collected so that a suitable estimation model can be used. The IP address is completely replaced by a general IP address of a server of the online marketplace. This means that the user's IP address is not visible to Google. This prevents the user from being directly identified or recognized. We do not store any of your data when you use Consent Mode. The recipient of the anonymized data is Google. Personal information about you will not be passed on.

1e. Google AdSense We also use Google AdSense, a web advertising service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to place advertisements (text ads, banners, etc.). Your browser may store a cookie sent by Google or a third party. The information stored in the cookie may be recorded, collected and analyzed by Google or third parties. Google AdSense also uses small invisible graphics to collect information, which can be used to record, collect and analyze simple actions such as visitor traffic on the website. The information and/or graphics generated by the cookie are transmitted to a Google server in the USA and stored there. The information obtained in this way is used by Google to evaluate your usage behavior with regard to AdSense ads. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate the IP address of your computer with any other data held by Google. Here too, you can prevent cookies from being stored on your hard disk and the display of the aforementioned graphics. As described above for the other cookies, you must deactivate the acceptance of cookies in your browser settings. By using our services, you consent to the processing of data about you by Google in the manner and for the purposes set out above. We would like to point out that Google has its own data protection guidelines, which are independent of ours. We assume no responsibility or liability for these policies and procedures. Please inform yourself before using our website at .

1f. Microsoft Bing Ads Finally, we use Microsoft Bing Ads. A cookie is placed on your computer if you have reached our websites via a Microsoft Bing ad. In this way, Microsoft Bing and we can recognize that someone has clicked on an ad, has been redirected to our websites and has reached a predetermined target page (conversion page). We only learn the total number of users who clicked on a Bing ad and were then forwarded to the conversion page. No personal information about the identity of the user is disclosed. If you do not wish to participate in the tracking process, you can also reject the setting of a cookie required for this - for example, by changing your browser settings to generally deactivate the automatic setting of cookies. Further information on data protection and the cookies used by Microsoft Bing can be found on the Microsoft website: .

VII Use of cookies for advertising and performance measurement using the IAB TCF

1. description and scope of the processing of personal data In addition, data processing associated with the marketing cookies for advertising and performance measurement is also carried out using the IAB TCF to measure success. For this purpose, we collect the data specified below about your purchasing behavior on the Cannadusa online marketplace available at www.cannadusa.com.

Advertising and performance measurement using the IAB TCF includes the display of personalized advertising on digital media from third parties (i.e. outside our website), such as other websites, apps, smart TVs, etc. ("third-party media") and the measurement of the success of advertising campaigns. If you have consented to this, we may store cookies on your device that enable your browser to be recognized on these third-party media. Depending on the specific scope of your consent, the following types of personal data in particular may be processed:

 

Data about your use of our website and third-party media, e.g.

  • Contents of websites,

  • Click paths,

  • Display of and interactions with advertisements

  • Your IP address

  • The so-called TC string generated for you (a coded character string containing information about the granting and scope of your consent)

  • Your location data

  • Data about the end devices you use

  • Products you have placed in a shopping cart in our online marketplace and, if applicable, purchased

If a member of your household has also given their consent to this, we will also link your data with that of your household member, in particular with data about the devices they use.

Data about your purchasing behavior on the Cannadusa online marketplace available at www.cannadusa.com (in particular so-called EAN numbers, i.e. the product identification, the number of products you have purchased and the time of purchase)

Characteristics derived from this (e.g. age group, product interest);

2. legal basis for the processing of personal data The legal basis for the use of cookies and similar technologies for advertising and performance measurement using the IAB TCF and the associated data processing is your consent in accordance with Section 25 (1) TTDSG and Article 6 (1) a) GDPR.

3. purpose of data processing With your consent, we can create an individual profile about you and/or target groups into which we classify you (so-called segments) in order to enable third parties to play out personalized advertising on third-party media via the end devices assigned to you and your household members. In connection with the display of this advertising, processing is also carried out with your consent for ad measurement (in particular to determine the performance and success of an advertisement), to gain knowledge about target groups (in particular to learn more about the target groups to which the advertising is displayed), for product development and for the technical security and optimization of this advertising display. If a member of your household has also given their consent to this, we will also link your data with that of your household member and process it with their consent for the aforementioned purposes or process your data for the purposes requested by your household member. In some cases, segments that we have formed in accordance with your consent for "advertising and performance measurement using the IAB TCF. The individual purposes and functions and the processing assigned to them are specified in more detail in the consent.

4. recipients/categories of recipients As described, we are jointly responsible with Virtual Minds GmbH for the data processing described here. We will be happy to provide you with the main contents of the underlying agreement on request - please use the options provided under "Contact details", for example. We work together with other advertising partners to display advertising. They are only involved in the processing in connection with the display of advertisements on third-party media and the associated (technical) functions, not in the creation and analysis of your advertising profile as described in the consent. We only provide these advertising partners with identification numbers that only we can assign to a specific usage behavior - divided into specific customer or usage categories (segments). Information about your individual usage behavior is never passed on to the advertising partners. Furthermore, other processors are also involved in the advertising playout, which support us in particular in the planning, control and processing of the respective advertising campaign. If these advertising partners or other processors receive access to personal data, contracts for order processing have been concluded with these service providers in accordance with Art. 28 GDPR.

5. duration of storage The data is deleted as soon as it is no longer required for the stated purposes. Detailed information can be found in the "Expiry" column for the respective cookie. If "persistent" is specified in the "Expiry" column, the cookie is stored permanently until the corresponding consent is revoked.

6. revocation and removal options In this regard, please refer to the explanations under VIII. Objection and removal options.

VIII. Objection and removal options You can withdraw your consent to processing at any time. Data processing is lawful until consent is withdrawn. If you wish to exercise your right to withdraw consent, please click on the following link to withdraw your consent to the use of cookies on our website. This will delete all cookies that were set for the domain www.cannadusa.com and are not technically necessary.

IX. Advertising newsletter by e-mail & direct advertising 1. description and scope of data processing

1.1 Standard newsletter Our website offers the option of subscribing to a free newsletter. When you subscribe to the newsletter, the data from the input screen is transmitted to us.

The following data is processed as mandatory information:

  • E-mail address

  • Date and time of registration for the newsletter

  • Website used for registration

  • Page type used to log in

If you subscribe to the newsletter, you agree that we may regularly inform you by e-mail to the e-mail address provided about current offers, products, promotions, satisfaction surveys on the products, services, events and competitions of the Cannadusa Group.

We proceed as follows: In a first step, we send an e-mail to the e-mail address provided with a confirmation link to verify the e-mail address provided (via double opt-in procedure). If you do not confirm your registration, your data will be deleted after 7 days. If you confirm the link, we store the fact that the e-mail address has been confirmed in a log file as proof of the consent given. Only then will we process the e-mail address to send the subscribed newsletter until you withdraw your consent. If you open our e-mail newsletter, click on links contained in it or submit a website form after clicking on a link, this is recorded but not stored on an individual basis, but only analyzed anonymously in aggregated statistics. We therefore do not create a personalized profile of your newsletter reading behavior without your express further consent.

1.2 Consent to the personalization of the newsletter If you also give the optional further consent to the personalization of the subscribed newsletter, you agree that we may

link the newsletter to your existing Cannadusa customer account in order to customize the content of your newsletter to your presumed interests and shopping preferences based on both past and future transaction data and transaction-related data of your customer account (these are purchased products, returns, support tickets, ratings, shopping cart sizes, purchase frequencies, delivery address, information on name, gender, birthday) to adapt the content of your newsletter to your presumed interests and shopping preferences and, in the case of separate acceptance of cookies for advertising purposes on our websites, we can track your click and surfing behavior on the websites of the online marketplace and in the app (this includes clicks on products, search terms, referrer pages (websites from which the user came to the current page), products viewed, add to cart events (products added to the shopping cart), products added to the wish list, A/B test group memberships and information on the type of device used, device manufacturer, operating system, browser, IP address and resulting localization data) in order to adapt the content of your newsletter to your presumed interests and shopping preferences based on these findings.

1.3 Direct advertising If you have made a purchase via the online marketplace, we will also use the e-mail address you provided in connection with the purchase for service information such as satisfaction surveys and for advertising our own similar offers by e-mail. In such a case, only direct advertising for similar goods or services is sent.

2. legal basis for data processing The legal basis for the processing of data after you have registered for the newsletter is the consent of the subscribers in accordance with Art. 6 para. 1 a) GDPR. For the personalization of the newsletter, Art. 6 para. 1 a) GDPR is also the legal basis for processing. The provision of your data is voluntary. Failure to provide your data would mean that you would not be able to receive the newsletter - and, if you have given your separate consent, the personalized newsletter. The legal basis for direct advertising for similar goods or services as a result of the sale of goods or services is Art. 6 para. 1 sentence 1 lit. f) GDPR i.V.m. § Section 7 para. 3 UWG.

3. purpose of data processing The processing of users' personal data enables us to inform users about current offers and to advertise them.

4. recipients/categories of recipients The data is processed within Medusa Engineering GmbH. In order to process the newsletter dispatch, we use the system of our processor, who receives and processes the data on our behalf on the basis of Art. 28 GDPR to send the e-mails.

5. duration of storage The data will be deleted as soon as it is no longer required for the purpose for which it was collected. The user's e-mail address will therefore be stored for at least as long as the subscription to the newsletter is active. After a revocation by you or the discontinuation of the service, the personal data will be deleted for the purpose of accountability pursuant to Art. 5 para. 2 GDPR and to defend against any claims for damages three years after revocation/ discontinuation of the service (Art. 83 para. 8 GDPR i.V.m. § 41 BDSG and § 31 para. 2 no. 1 OWiG and legitimate interest pursuant to Art. 6 para. 1 f GDPR), unless there are statutory retention obligations.

6. revocation, objection and removal options You can revoke your consent to receive the newsletter at any time. You can also object to the sending of direct advertising at any time. Until you withdraw your consent, data processing based on this consent is lawful. Please note that for technical reasons, it may take 24 hours from the time of revocation until it is noted in the systems. If a newsletter is still being sent during this time, we apologize for this. However, this cannot be avoided in individual cases. Please inform us of your revocation in text form to the following e-mail address: newsletter-info@cannadusa.com (for newsletters) and emails-abbestellen@cannadusa.com (for direct advertising) or use the link provided in every e-mail. This also enables you to withdraw your consent or object to the sending of direct advertising.

With regard to data processing based on Art. 6 para. 1 f) GDPR, you have the right to object pursuant to Art. 21 GDPR. There is no automated decision-making pursuant to Art. 22 (1) and (4) GDPR.

X. Abusive use of the online marketplace

1. description and scope of data processing If it serves to clarify a misuse of the online marketplace, for which legal prosecution is necessary or there is a legal obligation to disclose, personal data will be forwarded to authorities (in particular law enforcement agencies and tax authorities), our legal defense and, if necessary, to injured third parties. Disclosure may also take place if this serves to enforce our GTC or other agreements or is necessary due to a legal or official order or a court order. Furthermore, we use the device information specified under I) 1) No. 1, No. 3, No. 6 to determine possible misuse of a customer account. To protect your customer account, we will send you an e-mail if we detect unusual login activity, such as login attempts from different locations than usual or via a different device.

2. legal basis for data processing The legal basis for processing is Art. 6 para. 1 lit. f GDPR.

3. purpose of data processing Data processing is absolutely necessary to ensure the security of our information technology systems and processes and to comply with legal and regulatory requirements. In addition, the processing also indirectly serves the interests of the data subjects with regard to the integrity of their personal data. These purposes constitute our legitimate interest in data processing in accordance with Art. 6 para. 1 lit. f GDPR.

4. recipients/categories of recipients Authorities (in particular law enforcement authorities and tax authorities), our legal defense and, if applicable, injured third parties.

5. duration of storage The data will be deleted as soon as it is no longer required for the purpose for which it was collected.

6. right of objection and removal You have the right to object to this data processing. However, in addition to the declaration of objection, reasons against the processing arising from your particular situation must be stated, as the processing of the data is necessary in the event of abusive use in order to counteract the misuse of the services provided and to prevent the impairment of your own rights and the rights of third parties.

C. Further information for customers We only store your personal data if you provide it to us. We need this data, in particular your name, address and e-mail address, to process your order on the online marketplace or if you take part in a competition or order a newsletter, for example.

Data is collected when you enter your data in the respective input mask of the order or contact form.

The procedures in detail:

I. Registration

1. description and scope of data processing In order to use the services of our websites to their full extent, you must register by providing personal data. The data is entered into an input mask and transmitted to us and stored. The following data is collected as part of the registration process:

  • First name

  • Surname

  • Date of birth (age check)

  • E-mail address

  • password

  • Consent to the GTC and confirmation of acknowledgement of the privacy policy, including time of consent

  • Optionally, whether a newsletter order has been placed, including time of consent

If you have created an online marketplace customer account, we will use the e-mail address provided there in particular to provide you with important service information or changes to your customer account. In addition, your data will be passed on to third parties as described below.

You can also select the "Stay logged in" checkbox in your customer account and, depending on the account services you have selected, you will be able to access services more quickly the next time you visit the website without having to log in again.

2. legal basis for data processing The legal basis for processing in the context of the registration of a customer account is Art. 6 para. 1 lit. b GDPR. The legal basis for processing in the context of the "Stay logged in" function is Art. 6 para. 1 lit. a GDPR.

3. purpose of data processing User registration is necessary for the provision of certain content and services, such as the processing of orders, on our websites. In contrast to pure online stores, the consolidation of customer data in a customer account on an online marketplace such as ours is of particular relevance. As a customer, you can use our online marketplace to purchase several products from different sellers in one order. The mandatory registration of a customer account guarantees the allocation of orders and ensures proper processing in the event of a complaint. In addition, this circumstance serves to implement the data protection maxim of data economy, as the procedure enables us to reduce the transfer of data to the retailers to the minimum necessary for order processing.

4. recipients/categories of recipients In this regard, reference is made to the explanations under II. order processing.

5 Duration of storage Customer accounts are generally deleted after receipt of the request for deletion, unless there are statutory retention obligations. With regard to the personal data associated with the customer accounts, a distinction is made as to whether or not the fulfillment of a legal obligation precludes deletion. If this is the case, the data will be blocked for further processing.

6. revocation, objection and removal options As a user, you have the option of canceling your registration at any time. You can have the data stored about you changed at any time. To do so, simply log into your customer account or contact customer service with your request. If the data is required to fulfill a contract or to carry out pre-contractual measures, premature deletion of the data is only possible insofar as contractual or legal obligations do not prevent deletion. As a user, you also have the option of revoking your consent to the processing of personal data at any time using the "Stay logged in" function. To do this, simply uncheck the box you have set in the registration box by clicking on it.

II Order processing

1. description and scope of data processing The marketplace operator provides an online marketplace on various domains, which it also uses itself as a direct sales channel. Various natural and legal persons and partnerships ("marketplace traders" or "sellers") can post offers to sell goods on this online marketplace. In addition to the product selection, the customer can also choose between different sellers. In their function as legal sellers, these are named as such in the offer presentation under "Seller" and are listed as part of the order processing.

2. legal basis for data processing The legal basis for the processing of data is Art. 6 para. 1 lit. b GDPR.

3. purpose of data processing The data processing serves the purpose of order processing and thus the fulfillment of a contract with the user or the implementation of pre-contractual measures.

4. recipients/categories of recipients Data is passed on to third parties within the framework described below: Marketplace merchants/sellers In cases where marketplace merchants operate their own store on the online marketplace or they sell you their products via the online marketplace, they do so in their own name. We act solely as an intermediary between seller and buyer. In order to ensure that your order and complaints are processed quickly, it is therefore essential to involve the sellers in the processes. In addition to transferring the data required to fulfill the legal transaction as part of order processing, the retailers therefore also have access to the complaints system and can view the exchange of messages regarding the tickets there (see below for more information).

Suppliers of direct sales In cases where the seller of the goods is the marketplace operator itself, the marketplace operator obtains the goods either from its own warehouses or from the warehouses of suppliers, so-called dropshippers. For the purpose of order processing, it is necessary in these cases to integrate the suppliers into the processes. The shipping data required to fulfill the legal transaction is therefore made available to the supplier exclusively for order processing.

Other service providers Furthermore, it may be necessary, for example, to pass on your data to service providers such as call centers or billing offices and carriers in order to process your request. In particular with regard to the sending of transaction e-mails, this may result in the transfer and storage of individual information to a server in the United States of America. Such a transfer of data to third parties only ever takes place within the framework of statutory regulations or commissioned data processing.

5 Duration of storage The data is deleted as soon as it is no longer required for the purpose for which it was collected. If the data collected is not used to conclude a contract with the user, this is the case for the data collected during the registration process if the registration on our websites is canceled or modified. With regard to data collected during the ordering process to fulfill a contract or to carry out pre-contractual measures, this is the case when the data is no longer required for the execution of the contract. Even after conclusion of the contract, it may be necessary to store personal data of the contractual partner in order to comply with contractual or legal obligations, such as those arising from the limitation periods for warranty claims or tax retention obligations.

6. right of objection and removal As a user, you have the option of canceling your registration at any time. You can have the data stored about you changed at any time. To do so, simply log into your customer account or contact customer service with your request.

If the data is required to fulfill a contract or to carry out pre-contractual measures, premature deletion of the data is only possible insofar as contractual or legal obligations do not prevent deletion.

III Payment services and payment methods, credit check

1. description and scope of data processing The marketplace operator has used Viva Payment Services S.A. - German branch to process payments. The payment service provider is entered in the commercial register of the Berlin Local Court under the number HRB 19294. It is authorized to offer payment services and is licensed by the German Federal Financial Supervisory Authority ("BaFin") as a payment institution within the meaning of Section 1 (1) No. 5 of the German Payment Services Supervision Act ("ZAG"). It is entered in BaFin's public register of payment institutions on its website under ID 155910. The payment service provider offers payment services for the processing of contracts for the purchase and sale of products between customers and marketplace merchants that are concluded on the online marketplace. The payment service provider accepts payments from customers using the various payment methods for the marketplace merchants in its own account at a credit institution and pays out the funds from the sale of products to the marketplace merchants. For the payment itself, customers can choose between the payment options provided on the online marketplace or the payment methods integrated by third-party providers. The data that you enter for the purpose of payment in the check-out is primarily processed as part of your order and the associated payment processing and, in this context, may be passed on to third parties, in particular the payment method providers. At the same time, however, various business and customer-related internal security measures are also carried out as part of the payment procedure - if necessary with the involvement of third parties - in order to control and reduce the risks of money laundering and terrorist financing in accordance with the legal requirements under the Money Laundering Act, fraud prevention measures are taken by the payment service provider or one of the affiliated payment providers and, in individual cases, a SCHUFA and/or Bürgel query may be carried out for individual payment methods where there is a risk of non-payment or an increased risk of fraud. In addition, the processing operations to be mentioned include, in particular, business and customer-related internal security measures such as transaction monitoring or the taking of fraud prevention measures in the context of payment by credit card in order to minimize the risks of money laundering and terrorist financing.

2. legal basis for data processing The legal basis for the processing of data is Art. 6 para. 1 lit. b GDPR and Art. 6 para. 1 lit. c GDPR in conjunction with. § SECTION 6 GWG. At the same time, Art. 6 para. 1 lit. f GDPR is an additional legal basis for the processing of users' personal data.

3. purpose of data processing The processing of data in the context of payment processing is necessary in particular for the provision of order processing on our website. It thus serves to fulfill a contract with the user or to carry out pre-contractual measures. The implementation of business and customer-related internal security measures to minimize and control the risks of money laundering and terrorist financing serves to comply with legal requirements under the Money Laundering Act. The SCHUFA and/or Bürgel queries carried out in individual cases or fraud prevention measures in the case of credit card transactions also serve the purpose of minimizing the risk of payment default and preventing credit card misuse. For these purposes, our legitimate interest lies in the processing of data in accordance with Art. 6 para. 1 lit. f GDPR.

4. recipients/categories of recipients A transfer of data to third parties in the context of payment processing always takes place only within the framework of the statutory provisions or order data processing.

5. duration of storage The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. With regard to data collected to fulfill a contract or to carry out pre-contractual measures, this is the case when the data is no longer required for the execution of the contract. Even after conclusion of the contract, it may be necessary to store personal data of the contractual partner in order to comply with contractual or legal obligations, such as those arising from the limitation periods for warranty claims or tax retention obligations.

6. possibility of objection and removal Until the final collection of the data by sending the order, you can change the data yourself, remove it from the input mask or change the payment method according to your wishes. Subsequently, the processing is mandatory for the processing of the order. Consequently, the user has no option to object. IV. Contact form, e-mail contact and use of the complaints system

1 Description and scope of data processing As a user of our websites, you have the option of contacting us in various ways (e.g. via contact form, email, letter or when using the complaints system). If you take the opportunity to contact us, all data relevant to the conversation will be collected.

These include in particular

  • Name

  • E-mail address

  • Billing/delivery address

  • Transaction data

  • Date of birth and telephone number, if applicable

  • IP address (when contacting us via the contact form)

The user's personal data transmitted as part of the process is stored and used to process the conversation. Data will be passed on to third parties within the framework described below: For example, it may be necessary to pass on your data to service providers such as call centers, billing offices, suppliers or carriers in order to process your request.

2. legal basis for data processing The legal basis for the processing of the data is Art. 6 para. 1 lit. f GDPR in order to be able to answer your request. If it is a contract-related question, data processing may be necessary for the performance of a contract pursuant to Art. 6 para. 1 lit. b) GDPR or for the implementation of pre-contractual measures taken at the request of the data subject. The legal basis for forwarding your request to the correct office is Art. 6 para. 1 f) GDPR. The legitimate interest in this transfer lies in the interest of the group of companies to correctly assign customer inquiries and to be able to process them in the interests of the customer.

3. purpose of data processing The processing of personal data from the input mask serves to process the contact.

4. recipients/categories of recipients Data is passed on to third parties within the framework described below:

Marketplace merchants/sellers In cases where marketplace merchants operate their own store on the online marketplace or sell their products to you via the online marketplace, they do so in their own name. We act solely as an intermediary between seller and buyer. It is therefore essential to involve the sellers in the processes in order to be able to guarantee fast processing of your order and handling of complaints. In addition to transferring the data required to fulfill the legal transaction as part of order processing, the retailers therefore also have access to the complaints system and can view the exchange of messages on the tickets there.

Suppliers of direct sales In cases where the seller of the goods is the marketplace operator itself, the marketplace operator obtains the goods either from its own warehouses or from the warehouses of suppliers, so-called dropshippers. For the purpose of order processing, it is necessary in these cases to integrate the suppliers into the processes. The shipping data required to fulfill the legal transaction is therefore made available to the supplier exclusively for order processing.

Other service providers Furthermore, it may be necessary, for example, to pass on your data to service providers such as call centers or billing offices and carriers in order to process your request. In particular with regard to the sending of transaction e-mails, this may result in the transfer and storage of individual information to a server in the United States of America. However, such a transfer of data to third parties only ever takes place within the framework of statutory regulations or commissioned data processing.

5. duration of storage The data will be deleted as soon as it is no longer required for the purpose for which it was collected.

6. possibility of objection and removal The user has the possibility to object to the processing of personal data at any time. The conversation may then not be able to be continued. Please contact customer service with your request.

V. Age verification

1. description and scope of data processing The marketplace operator verifies the age of the customer by means of various identity checks, depending on the top-level domain. Depending on the method and identification document used, this document is scanned and a facial comparison is made. A signature is created and stored as proof of successful identification. The retention period is necessary as proof in the event of fraud and is limited to 6 months.

2. legal basis for data processing The legal basis for the processing of data is Art. 6 para. 1 lit. b GDPR and Art. 6 para. 1 lit. c GDPR.

3. purpose of data processing The exchange of data with SCHUFA (in Germany) also serves to fulfill legal obligations to carry out identity checks.

4. recipients/categories of recipients The marketplace operator transmits personal data collected within the scope of this contractual relationship to SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany, regarding the application, execution and termination of this business relationship.

5. duration of storage The data will be deleted as soon as it is no longer required for the purpose for which it was collected.

6. possibility of objection and removal The user has the possibility to revoke his consent to the processing of personal data at any time. The provision of certain content and services on our website may then no longer be possible. Please contact customer service with your request.

VI Other services

1. insurances Finally, we offer you as a customer the opportunity to use various services of cooperation partners via our website. As part of these cooperations, the offers of the cooperation partners are integrated into the online marketplace via so-called iFrames. The technology of the so-called iFrames is used to integrate third-party content on the website. We are therefore happy to inform you about corresponding offers and which cooperation partner is responsible for the corresponding offers. However, any personal data is processed exclusively by our cooperation partners. For further information, please contact the respective partners.

2. YouTube/Google Drive On some subpages or partly on the main page of the online marketplace, video files may be temporarily available for playback in a YouTube/Google Drive frame. If you play the video, you access the website , drive.google.com of Google Inc. via the frame itself. We have no influence on the scope of the data and the handling of your data by Google Inc. that results from accessing the YouTube website. Google Inc. itself is legally responsible for this. However, you can find more information on how Google handles your data at the following link:

VII Registration and use of the online marketplace

1. description and scope of data processing On our online marketplace, we offer traders the opportunity to register by providing personal data. The data is entered into an input mask, transmitted to us and stored. By processing the data, traders are then given the opportunity to list products on the online marketplace, to sell them to private customers via the online marketplace, to receive marketing services and to participate in payment processing.

2. legal basis for data processing The legal basis for the processing of the data is Art. 6 para. 1 lit. a GDPR if the user has given consent. If the registration serves the fulfillment of a contract to which the user is a party or the implementation of pre-contractual measures, the additional legal basis for the processing of the data is Art. 6 para. 1 lit. b GDPR. Finally, another legal basis for the processing is Art. 6 para. 1 lit. f GDPR.

3. purpose of data processing The registration of the user is necessary on the one hand for the provision of certain content and services on our websites. In addition, the user's registration is necessary for the fulfillment of a contract with the user or for the implementation of pre-contractual measures. Finally, data processing may also be necessary to ensure the security of our information technology systems and processes and to comply with legal and regulatory requirements. These purposes constitute our legitimate interest in data processing in accordance with Art. 6 para. 1 lit. f GDPR.

4. recipients/categories of recipients Your data will be passed on to third parties in the following cases, among others: For example, it is necessary to pass on your data to service providers, such as the payment service provider, other payment method providers or the bank involved to secure the funds, as part of payment processing in order to carry out payment processing. Data may also be disclosed to the end customer during the ordering process and when marketing services are provided if this serves to investigate misuse of the online marketplace or appears necessary for the marketplace operator's legal prosecution or legal defense. If we have concrete evidence of unlawful or abusive behavior, at the request of certain public authorities or in the case of warnings from industrial property rights, copyright or competition law, the provider may forward personal data to law enforcement authorities, tax authorities or authorities that prosecute administrative offenses subject to fines and, if necessary, to third parties who assert an infringement of their rights. We are not obliged to check beforehand whether the third party's claim is justified. Disclosure may also take place if this serves to enforce the contractual agreement or is necessary due to a statutory or official order or a court order. If the merchant participates in the Sponsored Products Program, the merchant acknowledges that the information provided when registering to use the online marketplace will be passed on to and processed by other service providers for the purpose of providing the services of the Sponsored Products Program, such as for invoicing purposes. Such a transfer of data to third parties only ever takes place within the framework of the statutory provisions or commissioned data processing.

5. duration of storage The data will be deleted as soon as it is no longer required for the purpose for which it was collected. If the data collected is not used to conclude a contract with the user, this is the case for the data collected during the registration process if the registration on our website is canceled or modified. With regard to data collected during the registration process to fulfill a contract or to carry out pre-contractual measures, this is the case when the data is no longer required for the execution of the contract. Even after conclusion of the contract, it may be necessary to store personal data of the contractual partner in order to comply with contractual or legal obligations.

6. right of objection and removal As a user, you have the option of canceling your registration at any time. You can have the data stored about you changed at any time. Simply log in to your customer account or contact Marketplace Support with your request. If the data is required to fulfill a contract or to carry out pre-contractual measures, premature deletion of the data is only possible if there are no contractual or legal obligations to the contrary.

VIII. Identification of business partners/internal security measures

1. description and scope of data processing As part of the registration process, you will find, among other things, a procedure to ensure the identification of the business partner. In addition, business and customer-related security measures are taken to control and minimize the risks of money laundering and terrorist financing. The processing of your data is necessary in this context, as the connected payment service provider is obliged under the Money Laundering Act to identify its contractual partners and to create appropriate security measures to prevent money laundering and terrorist financing.

2. legal basis for data processing The legal basis is Art. 6 para. 1 lit. c GDPR in conjunction with. § 11 ff. GWG.

3. purpose of data processing The purpose of processing personal data is to fulfill a legal obligation to which the marketplace operator or a connected service provider is subject.

4. recipients/categories of recipients Data is only ever exchanged with third parties within the framework of statutory regulations or commissioned data processing.

5. duration of storage The data will be deleted as soon as it is no longer required for the purpose for which it was collected and there is no longer a legal obligation to store it.

6. possibility of objection and removal Premature deletion of the data is only possible insofar as no contractual or legal obligations prevent deletion.