Last updated: September 2023
I. Name and contact details
The controller within the meaning of the GDPR (General Data Protection Regulation), the national data protection laws of the member states and other data protection provisions is:
Waterdrop Microdrink GmbH
Erika-Krenn Promenade 15
II. Data Protection Officer
For enquiries relating to data protection and the exercise of your rights (see point XIX), please contact our data protection officer at email@example.com or by post at the above address with the addition of "attn. data protection officer".
General Information on data processing
III. What is personal data?
Personal data is any information relating to an identified or identifiable natural person ("data subject"). This includes individual details about personal or factual circumstances such as your name, address, telephone number, date of birth, e-mail address or health data (e.g. information about current or chronic illnesses, intolerances, allergies, blood sugar levels). On the other hand, information for which we cannot establish a link to your person (or can only do so with a disproportionate effort) is not personal data.
IV. Scope of the processing of personal data
As a matter of principle, we only collect and use personal data of our users to the extent necessary to provide a functional waterdrop® Hydration App and to provide our services with its contents. We use your personal data to provide our services, to inform you about news and offers, to answer your questions and to operate and improve our waterdrop® Hydration App.
Your personal data will not be used for any other purpose. Without your consent, your personal data will not be transferred to third parties or used for advertising purposes, except in the cases described below, unless we are legally obliged to disclose data.
V. Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for processing operations of personal data, Art 6 (1) lit a GDPR serves as the legal basis. For the processing of health data, explicit consent is obtained in accordance with Art 9 (2) lit a GDPR (e.g. by ticking a box or selecting technical settings).
For the processing of personal data that is necessary for the performance of a contract to which the data subject is a party (e.g. ordering our products), Art 6 (1) lit b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.
Insofar as the processing of personal data is necessary for the fulfillment of a legal obligation to which our company is subject (e.g. accounting obligation), Art 6 (1) lit c GDPR serves as the legal basis.
If the processing is necessary to protect a legitimate interest of our company or a third party (e.g. fraud prevention, direct advertising, IT security) and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art 6 (1) f GDPR serves as the legal basis for the processing.
VI. Data deletion and storage period
The personal data of the data subject shall be deleted or blocked as soon as the purpose of the storage no longer applies. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need to continue storing the data for the conclusion or performance of a contract, or for the assertion, exercise or defence of legal claims.
Collection and use of your personal data when using the waterdrop® Hydration App
If you wish to make use of content and services offered by us on the waterdrop® Hydration App, it is necessary to provide personal data for this purpose. Details can be found below in the description of the specific data processing procedures.
When registering in the waterdrop® Hydration App, you will be asked to provide your first and last name, email address, password and to select your waterdrop® Club. When you create your account, this required data is entered by you in an input mask, transmitted to us and stored.
We use this data to enable you to use the waterdrop® Hydration App and to provide the associated benefits and content. The personal data you disclose as part of the registration process is processed for the purposes of user verification, user profile management, data creation, management and updating.
The data processed for the purposes of creating, managing and updating master data from the current membership in the waterdrop® Club will generally be stored for the duration of the current membership in the waterdrop® Club. After termination of membership, only data that is absolutely necessary due to the applicable legal provisions or retention obligations shall be stored.
VIII. Waterdrop® Club
Members of the waterdrop® Club not only get to use the waterdrop® Hydration App, but also receive exclusive offers and benefits such as club-only vouchers, collect points that can be redeemed for rewards such as unique and high-quality accessories when ordering products, and participate in exclusive competitions and challenges. The account also allows you to manage your addresses and view your purchase and order history. For more information, please refer to our General Terms and Conditions, waterdrop® CLUB, available at https://en.waterdrop.com/pages/terms-conditions.
During the course of your membership in the waterdrop® Club, we collect additional data when you use your account either through our website or through the waterdrop® Hydration App (regardless of whether you have registered for the waterdrop® Club through the waterdrop® Hydration App or through our website). The following personal data is processed:
- First name, Last name
- Birthday (optional)
- Email Address
- Delivery address
- Billing address
- Telephone number
- Purchase and order history, including merchandise exchange data and other order data (e.g., transaction data)
- Your personal hydration goal in the waterdrop® Hydration App
- Your hydration tracker data (drink type and quantity) in the waterdrop® Hydration App
- Loyalty points
- Payment method
- IP address of the requesting computer
- Date and time of registration (login and respective access) and password
- Usage behavior (e.g. opening and click-through rates of newsletters, responses to campaigns, use of our website)
We use this data to enable you to participate in waterdrop® Club and to provide you with the associated benefits and content. We process your date of birth in order to check the minimum age required for participation in waterdrop® Club in individual cases, as well as to be able to offer you further benefits from waterdrop® Club if necessary. In addition, you will receive information that is necessary for participation in waterdrop® Club, for example a registration confirmation, updated terms and conditions of participation as well as information on the benefits granted via waterdrop® Club.
If you have given us your consent, we will send you information about interesting offers, current promotions, products, services, quizzes, challenges and competitions at regular intervals by e-mail, SMS, MMS, push messages, messages via apps and messengers and post tailored to your interests. In addition, we may contact you for customer surveys (e.g. post-purchase surveys and customer satisfaction enquiries) and as part of customer care (e.g. reminders, messages about product re-availability), invite you to submit reviews and wish you a happy birthday. Furthermore, this data is processed for the purpose of handling the customer loyalty programme as well as competitions and challenges (participation, contacting and, if applicable, notification and transmission of the prize).
We optimise and personalise our information about offers, products and services as well as customer surveys and other messages as part of customer care, customer loyalty measures, competitions and challenges. For the purpose of personalisation, we analyse your usage behaviour with automated data processing procedures in order to gain new insights. This procedure is data profiling according to Art 4 No. 4 GDPR. By creating a personal user profile, we want to tailor our advertising approach to your interests and make our offers more relevant to you. This means that you will only receive information compiled specifically for you. Thus, we will not send you content that is unlikely to be of interest to you. For the creation of personalised information, the aforementioned personal data will be merged with the data already provided and stored in your customer profile.
In order to improve our website and advertising campaigns and to inform you about interesting offers, current promotions, products, services, quizzes, challenges and competitions, we work together with selected marketing partners (see point XIV.).
The processing of personal data takes place voluntarily on the basis of your consent in accordance with Art 6 (1) lit a GDPR. The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. They will therefore be stored for as long as your membership of the waterdrop® Club remains valid.
Membership in the waterdrop® Club and consent to the processing of personal data can be revoked at any time free of charge without giving reasons by sending an e-mail to firstname.lastname@example.org. In this case, your account will be deleted and you will no longer be able to enjoy the benefits. A (further) membership in the waterdrop® Club is not (any longer) possible if you do not give or revoke your consent. In addition, your consent to be contacted for the purposes outlined above can be revoked separately via the unsubscribe link in the respective message. In this case, your membership in the waterdrop® Club will remain valid and your account will continue to exist. You can continue to collect points when shopping and for selected other activities and redeem them when placing orders, as well as manage your addresses and view your purchase and order history. However, you will no longer receive promotional messages from us. In both cases, the revocation does not affect the lawfulness of the processing until the revocation. After revocation of consent, the personal data will still be stored for 6 months for the purpose of legal defence. The legal basis for this is Art 6 (1) lit f GDPR.
Furthermore, we can detect errors in the log-in process by means of specific error codes (e.g. an account already exists where the e-mail address entered is stored, the password is incorrect or there is a technical error). Based on this, we will show you the corresponding error messages. The legal basis for the associated data processing is our overriding legitimate interest (Art 6 (1) lit f GDPR) in the security of our IT systems and customer support.
IX. Login verification
If you already have a waterdrop® Club Account, no further registration in the waterdrop® Hydration App is required. Instead, you can log in directly in the waterdrop® Hydration App using your waterdrop® Club Account login data. For this purpose, the data you enter (email address and password) will be matched with our customer database and stored.
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. It will therefore only be stored as long as your membership in the waterdrop® Club is valid.
After termination of membership, only data that is absolutely necessary due to the applicable legal provisions or retention obligations will be stored.
X. Individual Hydration Target/ Logging and measurement of individual drinking behavior
- a) Individual Hydration Target
We customize your app experience and personal hydration target to you individually. After registration/login, you will therefore be asked to provide the following personal data:
- Your weight
- Your date of birth
- Your gender
The data entered will be used to provide you with an accurate calculation of your personal daily hydration needs. Providing this data is optional. The more of this data you disclose, the better the individual hydration target can be set. The processing of the disclosed data described here is required for the use of the waterdrop® Hydration App.
The following additional information (lifestyle options) is voluntary and helps to make the individual hydration target in the waterdrop® Hydration App even more precise.
- Pregnancy (Yes/No)
- Sport unit (Duration)
- Breastfeeding (Yes/No)
- Intake of dehydrating drinks
Providing this data is optional. If you provide us with this information, it will be used to adjust your personal hydration target based on the information provided to create an even more accurate, individualised goal for you. The data processing of the disclosed data described above is required for the use of the waterdrop® Hydration App.
If the data disclosed consists of health data and thus sensitive personal data, the legal basis for the processing of this information is your express consent (Art 9 (2) lit a GDPR), which you give separately in the course of registering in the waterdrop® Hydration App. You can withdraw your consent or delete your contribution at any time free of charge by sending an e-mail to email@example.com without stating a reason. This does not affect the lawfulness of the processing that took place until the point of consent withdrawal. Please note that further use of the waterdrop® Hydration App is no longer possible after a withdrawal. The aforementioned processing operations of health data are necessary for us to provide the function of the waterdrop® Hydration App (in particular, the calculation of the personal hydration target and the hydration tracker).
The data processed for the purposes of determining the individual hydration target and recording the amounts of liquids are deleted as soon as they are no longer required to achieve the purpose for which they were collected. Accordingly, they are stored for as long as your membership of the waterdrop® Club remains valid. After termination of membership, only data that is absolutely necessary due to the applicable legal provisions or retention obligations will be stored.
- b) Hydration Tracker
The waterdrop® Hydration App provides a hydration tracker. In this hydration tracker, you can enter your hydration data, have an overview of your current hydration status at any time and of the amounts of fluid consumed, as well as lifestyle options that influence the fluid requirement.
Furthermore, the waterdrop® Hydration App provides user-specific evaluations of hydration data broken down by week, month and year. You can also collect so-called "levels" and "badges" based on your drinking behaviour, which in turn earns you waterdrop® Club points.
For this purpose, we store and process the data recorded by you or transmitted via LUCY® Smart Cap on the liquids drunk and the type of drinks (type, quantity and time). The hydration tracker is one of the basic functions of the app. When processing personal data necessary for the performance of a contract to which the data subject is a party, Art 6 (1) lit b GDPR serves as the legal basis.
The data processed for these purposes will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. They will therefore be stored for as long as your membership of the waterdrop® Club remains valid. After termination of membership, only data that is absolutely necessary due to the applicable legal provisions or retention obligations will be stored.
XI. LUCY® Smart Cap
The Lucy® Smart Cap purifies water using innovative UV-C light technology, automatically tracks water consumption with a special sensor and gently flashes to remind you to drink.
The Lucy® Smart Cap only works in combination with the waterdrop® Hydration App.
If the Lucy® Smart Cap is used to track water consumption, the data on the amounts drunk (quantity, time) is transferred directly to the waterdrop® Hydration App via a Bluetooth connection and processed there in the same way as hydration data entered directly in the App (see point X.b).
XII. Apple Health
You can voluntarily activate a link to Apple Health in the waterdrop® Hydration App in the App settings. If you activate the link, we will analyze the duration of your training sessions recorded in Apple Health in order to automatically adjust the sport mode (lifestyle data) in the waterdrop® Hydration App and subsequently, your personal hydration target. Similarly, data from the waterdrop® Hydration App (amounts drunk) is also shared with Apple Health.
When activating the link, you will be redirected to the Apple Health page and asked for your consent to share and read the mentioned data. If data (training sessions completed) is received through linking with Apple Health, it will be processed in the same way as the lifestyle data entered directly in the waterdrop® Hydration App (see point X.a).
The processing of personal data is voluntary and based on your consent in accordance with Art 6 (1) lit a GDPR. You can withdraw your consent at any time by removing the link between the waterdrop® Hydration App and the Apple Health App in your app.
XIII. Monitoring and Analysis
In order to detect, analyze and fix bugs in the App, we use Firebase Crashlytics, a service provided by Google Ireland Limited, Gordon House, 4 Barrow Street, D04 E5W5 Dublin, Ireland ("Google").
Firebase Crashlytics receives real-time crash reports detailing the state of the app, code locations, device information and recent log file messages. This information helps us to facilitate app maintenance and improve stability. If the app crashes, certain information about the crash such as time of crash, device type, operating system, and other technical data from your mobile device is sent to Firebase Crashlytics. These crash reports do not contain IP addresses or other personal data.
These services and technologies are necessary to ensure central functions of the waterdrop® Hydration App, as well as the fulfillment of contracts with users. Furthermore, we have a legitimate interest in the use of these technologies for the technically error-free and optimised provision of our service. The use is based on the legal grounds of Art 6 (1) (b) (fulfillment of contract) and Art 6 (1) (f) GDPR (overriding legitimate interests).
Google acts as an order processor and we have concluded a corresponding contract with Google. The user ID generated by Firebase Crashlytics is usually transferred to a Google server in the USA and processed there. For these cases, Google has, according to its own statements, imposed a standard on itself that corresponds to the former EU-US Privacy Shield and has promised to comply with applicable data protection laws in the international transfer of data. Google has also voluntarily joined the EU-U.S. Data Privacy Framework, a data protection agreement between the EU and the U.S. for which the European Commission has issued an adequacy decision. We have also agreed on so-called standard contractual clauses with Google, the purpose of which is to ensure compliance with an adequate level of data protection in the third country (see point XV).
Your personal data may be transferred to third parties in the following situations
When passing on your personal data, we always ensure the highest possible level of security and therefore only work with carefully selected and contractually obligated service providers and contractual and cooperation partners.
XIV. Recipient categories
IT service provider
We work with technical service providers and IT tool providers to deliver our services to you. These service providers include, for example, external IT service providers that enable the technical provision of our website and customer management (e.g. Shopify), as well as providers of various IT tools and software as a service (e.g. Klaviyo). The main service providers or suppliers are:
Web presence and customer management:
- Shopify: Our web presence, including provision of the website and web shop, as well as customer management is operated through Shopify. Shopify offers a complete e-commerce platform that allows merchants to create an online shop and unify their commercial activities. Shopify (platform and apps) is also used for marketing activities (e.g. personalised messages, waterdrop® Club) and customer management and support (e.g. back in stock email, reactivation emails, web push notifications). More information on the provider and apps can be found at https://www.shopify.com/de and https://apps.shopify.com/.
Service Provider for Europe is Shopify International Limited, 2nd Floor Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland, with VAT identification number IE 3347697KH (see item 13 of Shopify's Terms and Conditions, https://www.shopify.de/legal/agb).
Your personal data (e.g. name, billing address, shipping address, email address, phone number and payment information, and information about how you access our websites, account and platform) is processed by Shopify International Limited, the Shopify company in Ireland. In the course of providing the Services, this personal data may be transferred to other regions, including Canada and the United States. Your personal data is protected by Canadian law when sent to Canada. The EU Commission has determined that this provides adequate protection for your data. If we then send that personal data to a country outside Canada (e.g. to sub-processors), that data is protected by contractual obligations similar to those in EU Commission standard contractual clauses (https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de).
Customer Management and Support:
- Klaviyo: for customer management, sending messages by email and user analysis we use the services of Klaviyo, Inc, 125 Summer Street, Boston MA, 02111, USA ("Klaviyo"). More information about the provider can be found at https://www.klaviyo.com/legal.
Klaviyo helps us analyze the use of our waterdrop® Hydration App. Certain usage data, such as information about individual hydration goals, usage patterns, records of quantities drunk and types of drinks, purchase and order history in the web shop, as well as details about how individuals interact with our emails (e.g. whether the email is opened and which links in the email are clicked on), are linked to you (e.g. after entry in a registration form) and stored in our customer database ("CRM"). This enables us to send you information and offers tailored to your interests. This transfer is carried out in accordance with Art 6 (1) f GDPR and serves our legitimate interest in the use of an effective, secure and user-friendly customer management and newsletter system.
In the process, your personal data may also be forwarded to Klaviyo servers in the United States (USA). In order to ensure an appropriate level of protection for your data in the USA, we have concluded a data processing agreement with Klaviyo, in which Klaviyo undertakes to protect the data of our users, to process it only on our behalf and, in particular, not pass it on to third parties. The standard contractual clauses of the EU Commission are part of the data processing agreement (see point XV.). In addition, Klaviyo undertakes to implement supplementary measures. Klaviyo has also voluntarily joined the "EU-U.S. Data Privacy Framework", a data protection agreement between the EU and the USA, for which the European Commission has issued an adequacy decision.
- Firebase Cloud Firestore: For the transfer of data into the Klaviyo customer management tool, we use Firebase Cloud Firestore, a web hosting and backend service provided by Google Ireland Limited, Gordon House, 4 Barrow Street, D04 E5W5 Dublin, Ireland ("Google").
Google acts as a processor and we have entered into a contract with Google to this effect. Your personal data may be transmitted to a Google server in the USA and processed there. For these cases, Google has, according to its own statements, imposed a standard on itself that corresponds to the former EU-US Privacy Shield and has promised to comply with applicable data protection laws when transferring data internationally. Google has also voluntarily joined the EU-U.S. Data Privacy Framework, a data protection agreement between the EU and the U.S. for which the European Commission has issued an adequacy decision. We have also agreed on so-called standard contractual clauses with Google, the purpose of which is to ensure compliance with an adequate level of data protection in the third country (see point XV).
The data processing and security provisions of Firebase Cloud Firestore can be found here: https://firebase.google.com/terms/data-processing-terms.
- LoyaltyLion: to enable you to join the loyalty programme, which is part of the waterdrop® Club, we use a service provided by LoyaltyLion Ltd, a UK provider with registered offices at 165 Fleet Street London, UK ("LoyaltyLion"). LoyaltyLion is a tool through which we provide loyalty points and give our customers the opportunity to receive rewards. For more information, please visit https://loyaltylion.com/terms-of-service.
For this purpose, the data provided by you and other data required to manage your loyalty points will be passed on to LoyaltyLion so that LoyaltyLion can operate the service. The legal basis for the processing of your data is your consent to membership of the waterdrop® Club (Art 6 para 1 lit a GDPR). You can revoke your consent at any time (see point XVII).
The European Commission has decided that the UK offers an adequate level of protection compared to the GDPR. The transfer of data takes place on the basis of this adequacy decision.
Further information on data processing by LoyaltyLion and an "opt-out" option are available here: https://loyaltylion.com/privacy.
Authorities and other third parties
If we are obliged to do so by an official or court decision or if we are entitled to do so, e.g. because this is necessary for the prosecution of criminal offences or for the exercise and enforcement of our rights and claims, we will pass on your data to law enforcement agencies or other third parties if necessary.
XV. Legal basis for the transmission
- you have given your express consent in accordance with Art 6 (1) lit a GDPR (e.g. social media networks),
- this is legally permissible and necessary for the processing of contractual relationships with you (e.g. shipping companies, payment service providers) in accordance with Art 6 (1) lit b GDPR,
- in the event that there is a legal obligation for the disclosure pursuant to Art 6 (1) lit c GDPR (e.g. authorities),
- the disclosure is necessary in accordance with Art 6 (1) lit f GDPR to protect legitimate interests and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data (e.g. notification service from shipping companies; exercising and enforcing our rights and claims) or
- this is carried out by a service provider (e.g. technical service provider) acting on our behalf and on our exclusive instructions, which we have carefully selected (Art 28 (1) of the GDPR) and with whom we have concluded a corresponding contract on commissioned processing (Art 28 (3) of the GDPR), which obliges our contractor, among other things, to implement appropriate security measures and grants us comprehensive control powers.
Service providers and other contractual and cooperation partners may transfer your personal data to other countries. If your data is processed outside the European Economic Area (EEA), this may result in your data being transferred to a country with a lower data protection standard than in the European Union. This may result, for example, in your data being processed by public authorities, for control and monitoring purposes, possibly also without the possibility of legal redress.
We implement appropriate safeguards, including the conclusion of EU standard data protection clauses (see the text of the contract at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de), in the event that personal data is processed outside the EU and no adequacy decision has been taken by the European Commission.
Adequacy decisions of the European Commission are available e.g. for Canada, UK and Switzerland (see a list at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).
XVI. Who can you contact?
If you have any questions, please feel free to contact us at any time (see point I). You are welcome to contact us by e-mail: firstname.lastname@example.org
XVII. Right of withdrawal in the case of processing on the basis of consent
If your personal data is collected on the basis of consent pursuant to Art 6 (1) lit a GDPR (see point V) (e.g. personalised news), you have the right to revoke your consent at any time without giving reasons. This has the consequence that we may no longer continue the data processing based on this consent for the future. However, the revocation of your consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. If you wish to exercise your right of revocation, simply send an e-mail to email@example.com.
XVIII. Right of objection
Insofar as your personal data is collected on the basis of legitimate interests pursuant to Art 6 (1) lit f GDPR (see point V), you have the right to object to the processing of your personal data in accordance with Art 21 GDPR, provided that there are grounds for doing so which arise from your particular situation. If your objection is directed against direct advertising, you have a general right of objection; a statement of reasons is not required for these cases. If you wish to exercise your right of objection, simply send an e-mail to firstname.lastname@example.org.
XIX. Your data subject rights
As a data subject of a processing of personal data, you have the right,
- to request information about your personal data processed by us in accordance with Art 15 GDPR. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
- to demand the correction of incorrect or incomplete personal data stored by us without delay in accordance with Art 16 GDPR;
- pursuant to Art 17 GDPR to request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims;
- to request the restriction of the processing of your personal data in accordance with Art 18 of the GDPR, insofar as you dispute the accuracy of the data, the processing is unlawful, we no longer require the data and you object to their deletion because you require them for the assertion, exercise or defence of legal claims. You also have the right under Article 18 of the GDPR if you have objected to the processing in accordance with Article 21 of the GDPR;
- in accordance with Art 20 GDPR, to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller; and
- to complain to a supervisory authority in accordance with Art 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our registered office.
To exercise your data protection rights, with the exception of the right to lodge a complaint with the supervisory authority, simply send an e-mail to email@example.com.
XX. Data protection for children
Our services are not directed to persons under the age of 14. We do not knowingly collect personal information from anyone under the age of 14. If you are a parent or guardian and you know that your child has provided us with personal information, please contact us. If we become aware that we have collected personal information from anyone under the age of 14 without verifying parental consent, we will take steps to remove that information from our servers.
If we have to rely on consent as the legal basis for processing your data and your country requires the consent of a parent, we may obtain your parent's consent before collecting and using that data.