Privacy policy

Online order

If you wish to place an order for our products, we will only request the data from you that is necessary for the order and payment processing. This data is treated confidentially and is only processed by us, the payment provider and the shipping service provider. At least the following data is required for this:

• First name/last name
• Address
• Contact details
• Payment data

Insofar as this is necessary for the delivery of your order, we will pass on your data to a shipping company. Depending on your selection, we will pass on the necessary payment data to the respective credit institution or a payment service provider to process your payment. In some cases, you can create an account with the payment service provider yourself or register with an existing account. In the aforementioned cases, the data protection declarations of the service providers apply in each case.

As a protective measure , the transmission of the data you enter - just like the visit to the rest of the website - takes place via an encrypted connection. In addition, we apply the principle of data minimisation and only collect the data that is actually required. Your data will be stored for as long as is necessary to process your order or until you request the deletion of the data. However, invoice-relevant data is subject to legal retention periods and can be stored for up to ten years. The purpose of the requested data is order and payment processing in order to provide you with the desired product. The legal basis is the mutual fulfilment of the contract in accordance with the European data protection requirements from Art. 6 para. 1 lit. b DSGVO.

Registration

You also have the option of registering on our website and then logging in with a user account at any time. To register with us, the following data is required:

• First name/last name
• Address
• Contact details
• Password

As a protective measure , the transmission of the data you enter - just like the visit to the rest of the website - takes place via an encrypted connection. In addition, we apply the principle of data minimisation and only collect the data that is actually required. Your data will be stored for as long as is necessary to process your order or until you request the deletion of the data. However, invoice-relevant data is subject to legal retention periods and can be stored for up to ten years. The purpose of the requested data is order and payment processing in order to provide you with the desired product. The legal basis is the mutual fulfilment of the contract in accordance with the European data protection requirements from Art. 6 para. 1 lit. b DSGVO.

As a protective measure, the transmission of the data you enter - just like the visit to the rest of the website - takes place via an encrypted connection. After successful confirmation, your data will be stored until you decide to delete individual data or the entire user account. The purpose of the requested data is to create a user account for the use of extended functions on the website. Registration is voluntary and can be revoked or the user data deleted at any time. The legal basis is your consent in accordance with the European data protection requirements from Art. 6 para. 1 lit. a DSGVO.

Newsletter

If you are interested in news about our company or our products, you can subscribe to our newsletter. You will then receive an e-mail in which you must click on a link to confirm that you wish to receive the newsletter. We will then store your e-mail address until you unsubscribe from the newsletter. You will find a link to unsubscribe in every newsletter e-mail. The newsletter is delivered by a specialized service provider.

As a protective measure, we request the so-called "double opt-in" to ensure that the e-mail address entered actually belongs to you. Furthermore, we have concluded a data protection contract (order processing) with the commissioned service provider. You also have the option of unsubscribing from the newsletter at any time and thus deleting your e-mail address from the service provider's database. The purpose of data collection is to send the newsletter to your personal e-mail address in order to comply with your request for news about our company or our products. The legal basis is your consent in accordance with the European data protection requirements of Art. 6 para. 1 lit. a GDPR.

BRLO App

Wenn Sie unsere BRLO App verwenden, verarbeiten wir nur solche Daten, die für die Bereitstellung der App und der angebotenen Funktionen erforderlich sind. Es gelten unsere Nutzungsbedingungen. Die App ist im Apple App Store und im Google Play Store verfügbar. Nachfolgend informieren wir Sie darüber, welche Daten wir in der App erheben, warum wir dies tun und wie lange wir diese speichern.

Bei der Installation der App verarbeiten die jeweiligen Store Anbieter eigene Daten. Auf diese Verarbeitung haben wir keinen Einfluss. Weitere Informationen finden Sie in den Datenschutzhinweisen des Apple App Store und des Google Play Store. Um die App nutzen zu können, können Sie ein Benutzerkonto anlegen. Hierfür werden Ihre Kontaktdaten und ein Passwort abgefragt. Wenn Sie die Funktion Location Finder nutzen möchten, fragt die App auf Ihren Wunsch hin den Standort Ihres Endgeräts ab. Sie können dies erlauben oder verweigern. Der Standort wird ausschließlich verwendet, um Ihnen den nächstgelegenen BRLO-Standort anzuzeigen. Um Treuepunkte zu sammeln und Prämien einzulösen, verarbeiten wir Angaben zu Ihren Besuchen und Transaktionen, erfasste Punkte und eingelöste Prämien. Diese Daten werden nur für die Durchführung des Treueprogramms verwendet und gelöscht, sobald sie hierfür nicht mehr erforderlich sind oder Sie Ihr Benutzerkonto löschen. Wenn Sie Kassenbons einscannen möchten, fragt die App bei Bedarf die Berechtigung für die Kameranutzung ab. Die Kamera wird nur verwendet, um den Kassenbon zu erfassen. Die Bilddaten werden nicht dauerhaft gespeichert, sondern nur verarbeitet, um Ihre Punkte korrekt zuzuordnen. Sie können bei Bedarf Push Nachrichten aktivieren, um Informationen über Aktionen, News oder Events zu erhalten. Die hierfür erforderlichen technischen Daten werden ausschließlich zur Zustellung der Nachrichten verwendet. Sie können Push Nachrichten und andere Freigaben jederzeit in den Geräteeinstellungen deaktivieren.

Für den technischen Betrieb der App und einzelner Funktionen setzen wir Dienstleister zur App-Entwicklung und App-Bereitstellung ein. Mit allen Dienstleistern bestehen Auftragsverarbeitungsverträge, um die Einhaltung der europäischen Datenschutzvorgaben sicherzustellen. Eine Übermittlung in Drittstaaten wie die USA, z. B. durch die Verwendung der App-Stores, findet nur statt, wenn geeignete Garantien vorhanden sind, etwa Standardvertragsklauseln und zusätzliche Sicherheitsmaßnahmen.

Als Schutzmaßnahme erfolgt die Übermittlung der von Ihnen eingegebenen Daten über eine verschlüsselte Verbindung. Zudem wenden wir den Grundsatz der Datenminimierung an und erfassen nur solche Daten, die für die Bereitstellung der App Funktionen erforderlich sind. Standortdaten und Kamerazugriffe werden ausschließlich auf Ihren Wunsch hin abgefragt und nur für den jeweiligen, angegebenen Zweck verwendet. Ihre Daten werden nur solange gespeichert, wie dies zur Bereitstellung Ihres Benutzerkontos, zur Durchführung des Treueprogramms oder zur Nutzung einzelner Funktionen erforderlich ist oder bis Sie die Löschung der Daten veranlassen. Zweck der Verarbeitung ist die Bereitstellung der App, die Erstellung und Verwaltung Ihres Benutzerkontos, die Nutzung des Location Finders, die Erfassung und Einlösung von Treuepunkten sowie die Kommunikation über Push Nachrichten. Die Nutzung optionaler Funktionen erfolgt freiwillig und kann jederzeit widerrufen werden. Rechtsgrundlagen sind je nach Vorgang Ihre Einwilligung nach Art. 6 Abs. 1 lit. a DSGVO, etwa bei freiwilligen Abfragen, oder die gegenseitige Vertragserfüllung nach Art. 6 Abs. 1 lit. b DSGVO, etwa betreffend unser Treueprogramm.

Applications

If you apply to us online or otherwise respond to one of our job advertisements, we collect and process the personal applicant data for the purpose of processing the application procedure. The processing is primarily carried out electronically. This is particularly the case if an applicant submits relevant application documents to us electronically, for example by e-mail or via a web form located on the website. If we conclude an employment contract with an applicant, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If we do not conclude an employment contract with the applicant, the application documents will be deleted six months after notification of the rejection decision - this retention period is justified by any obligation to provide evidence in proceedings under the General Equal Treatment Act (AGG). If an applicant has given his/her consent, applications may also be kept for longer than six months.

We also use a recruiting and applicant management software called "d.vinci", which is provided by the service provider d.vinci HR-Systems GmbH, Nagelsweg 37-39, 20097 Hamburg, Germany. This software helps us to place job advertisements and manage applications centrally. We have concluded an order processing agreement to ensure that d.vinci only processes the personal data of our applicants in accordance with our instructions. Further information on data protection at d.vinci can be found in the service provider's privacy policy: https://www.dvinci.de/datenschutz/.

The legal basis is the establishment and implementation of the employment relationship in accordance with § 26 BDSG. If the employment relationship does not materialise, the data will be deleted as stated above.

Cookies

Our website partly uses so-called cookies and a cookie banner in which you can freely choose whether you accept these cookies and third-party providers. Cookies are small text files that are usually stored in a folder of your browser. Cookies contain information about the current or last visit to the website:

• Website name
• Expiry date of the cookie
• Any value

If cookies do not contain a precise expiry date, they are only temporarily stored and automatically deleted as soon as you close your browser or restart the terminal device. Cookies with an expiry date remain stored even if you close your browser or restart the terminal device. Such cookies are only removed on the specified date or when you delete them manually.

We use the following three types of cookies on our website:

• Required cookies (we need these, e.g. to display the website correctly for you and to temporarily store certain settings).
• Function and performance-related cookies (these help us to evaluate e.g. technical data of your visit and thus avoid error messages).
• Advertising and analytics cookies (these ensure that, for example, advertisements for shoes are displayed if you have previously searched for shoes).

You can configure, block and delete cookies in your browser settings. If you delete all cookies from our website, some functions of the website may not be displayed correctly.Helpful information and instructions for the most common browsers are provided by the Federal Office for Information Security:
https://www.bsi-fuer-buerger.de/BSIFB/DE/Empfehlungen/EinrichtungSoftware/EinrichtungBrowser/Sicherheitsmassnahmen/Cookies/cookies_node.html

Recipients of data

Depending on how you use our website, we share your information with the following recipients who are essential to providing our service and communicating with you:

• Webflow, provided by Webflow, Inc, 398 11th Street, 2nd Floor, San Francisco, CA 94103. This is a web service for the creation of forms & web pages, which is necessary for the provision of our offer. Depending on your location, the data is stored either in the European Union or the USA. For more information, please see Webflows' privacy policy.
• Oracle NetSuite, provided by Oracle Corporation, 10 Van de Graaff Drive Burlington, MA 01803, USA. This is our central application for controlling business processes and customer management. Depending on your location, data is stored either in the European Union or the USA. For more information, please see Oracle's privacy policy.
• Shopify, provided by Shopify International Ltd, c/o Intertrust Ireland, 2nd Floor 1-2, Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland. Shopify provides our online shop and makes it possible for you to order online from us in the first place. The data is stored in Canada and the USA. For more information, please see Shopify's privacy policy.
• Fareharbor, provided by FareHarbor B.V., Herengracht 597, 1017CE Amsterdam, The Netherlands. Fareharbor is an integration we use to offer brewery tours and create vouchers for them. For more information, please see Fareharbor's privacy policy.
• Open Table, provided by OpenTable, Inc. 1 Montgomery St Ste 700, San Francisco CA 94104. Open Table is a booking platform that we use to facilitate reservations. For more information, please see Open Table's Privacy Policy.
• Mailchimp, provided by The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA. We use Mailchimp to send our newsletter, for which you can register voluntarily. The data is stored in the USA. For more information, please see Mailchimp's privacy policy.
• Google Analytics, provided by Google Ireland Limited, Gordon House, Barrow Street Dublin 4 Ireland. We use Google Analytics to analyse user behaviour and to serve personalised advertising. You can voluntarily agree to these functions within our cookie banner and also de-select them. Depending on your location, the data is stored either in the European Union or the USA. You can find more information in Google's privacy policy.
• Gastronovi, provided by Gastronovi GmbH, Buschhöhe 2, 28357 Bremen, Germany, is an integration that we use to provide vouchers. Further information can be found in Gastronovi's privacy policy.

We only share data that is necessary for the performance of the mutual contract or if you have given us your consent, for example in the context of our newsletter or cookie banner. If no contract exists yet, we share the data in certain cases in the context of legitimate interests. This is the case, for example, if you only want to visit our website or contact us. When you visit our website, it is in the interest of both parties to provide access to the offer and to communicate with each other.

We have also entered into contract processing agreements with all external recipients to comply with European law requirements. Depending on your location, some of the above service providers - if specified - will also transfer your data to the United States. The European Court of Justice has ruled that the United States does not have an equivalent level of data protection to the EU and authorities may be able to access data without due process. Additional safeguards are therefore required to ensure a sufficient level of data protection. To meet this requirement, we have concluded additional contracts for commissioned processing called standard contractual clauses. In addition, we check each service provider together with our data protection officer and ensure that additional security measures are available, such as strong encryption of the data.

Status of the data protection declaration: November 2021