Buffalo | Dataprotection

Privacy Notice Buffalo, as of May 2025 We are pleased that you are interested in our website. Protecting your privacy is very important to us. Below, we provide you with detailed information about how we handle your personal data.

Your personal data is collected, processed, and used by Buffalo only in accordance with the applicable data protection laws. Our data protection practices comply with the European General Data Protection Regulation ("GDPR") and the German Federal Data Protection Act ("BDSG").

Personal data refers to all information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Art. 4 No. 1 GDPR). This includes, for example, your name, phone number, address, and all account data you provide when registering or creating your customer account. Statistical or anonymized data that we collect when you visit our web shop and which cannot be directly linked to you as a person are not considered personal data.

1. General Information

In this privacy notice, we (Buffalo Boots GmbH, hereinafter also referred to as "Buffalo") would like to inform you about the type, scope, and purpose of processing your personal data ("data") when using our website and its associated features, as well as our social media presences.

Buffalo only processes your data when permitted under data protection law – for example, when you provide your consent for specific use cases such as subscribing to a newsletter, participating in surveys or contests, or where another legal basis allows us to use your data (e.g., for processing your orders or responding to your contact inquiries). Further details on the specific data processing activities are provided below in this privacy notice.

2. Controller and Contact

Buffalo Boots GmbH Schanzenstraße 41 51063 Cologne, Germany Email: [email protected]

3. Data Protection Officer

Buffalo has appointed a Data Protection Officer. You can contact the Data Protection Officer via email at: [email protected]

4. Subject of Data Protection

The subject of data protection is personal data. According to Art. 4 No. 1 GDPR, this refers to all information relating to an identified or identifiable natural person. A person is considered identifiable if they can be identified, directly or indirectly, particularly by reference to identifiers such as a name, identification number, location data, online identifier, or one or more specific characteristics that express the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. This includes, for example, your name, telephone number, address, and all data you provide to us when registering or creating a customer account. Statistical or anonymized data that we collect, for instance, when visiting our webshop and which cannot be directly linked to your identity, is not considered personal data.

5. Automated Data Collection

When you access this website, your device automatically transmits the following data for technical reasons:

Browser type and version
Operating system used
Referrer URL
Hostname of the accessing device
Time of the server request
IP address
When JavaScript is enabled, the browser also transmits the screen resolution and color depth of the browser window.

These data are stored for the following purposes:

Ensuring the security of our IT systems
Defending against attacks on our online offering and IT systems
Ensuring the proper operation of our online services

The IP address is stored only for a period of 7 days. Processing is based on our legitimate interests as outlined above, in accordance with Art. 6 (1) lit. f) GDPR.

6. Contact

If you contact us via our contact form or by other means (telephone, email), we process your information and contact details (in particular your name, email address, and, where applicable, your telephone number) to handle your inquiry and any follow-up questions. The processing is based on Art. 6 (1) lit. f) GDPR. We have a legitimate interest in responding to your request efficiently, and, if your request concerns a contract, to initiate or execute that contractual relationship.

If you are (or may become) a contractual partner, the data processing in connection with your inquiry is based on Art. 6 (1) lit. b) GDPR. The data you provide during contact remains with us until the purpose of the data storage/processing no longer applies (e.g., once your inquiry has been fully resolved). Mandatory legal requirements – in particular statutory retention periods – remain unaffected. We store contract-related or potentially legally relevant inquiries for the duration of the general statutory limitation period, i.e., three years from the end of the year in which we received your inquiry. This storage is based on our legitimate interest in proper business documentation and in securing our legal position (Art. 6 (1) lit. f) GDPR). In the case of contract-related inquiries, the storage also serves the purpose of contract initiation and execution (Art. 6 (1) lit. b) GDPR) and/or our corresponding legitimate interests (Art. 6 (1) lit. f) GDPR).

7. Advertising and Market Research Purposes

We offer you, among other things, the following services:

Delivery of a newsletter with current offers and product promotions
“White mail” (postal mailings)
Participation in prize draws

Where applicable, we use your data in connection with these services to create and maintain a user profile so that we can send you individualized advertising that we believe will be of special interest to you, provided that the prerequisites set out in Sections 7.1 and 7.2 below are met. To perform the services listed above, we engage service providers/processors (see Section 28.3).

7.1 Newsletter

Before you subscribe to our Buffalo newsletter, you consent to our use of the data you provide in order to send you information by email about the content and products in our range. We employ a “double opt‑in” procedure: we will only send you the newsletter after you have expressly confirmed your subscription in response to our confirmation email. For statistical purposes, we evaluate anonymously which links in the newsletter are clicked (without identifying any individual). Based on your consent, we also carry out a personalized analysis of which links you click in order to optimize our offering.

We will send you a confirmation email and ask you to click a link in that email to confirm your newsletter subscription. If third parties are commissioned to handle and send out the newsletter, they are likewise bound to protect your data in accordance with data protection law and to use it only for the expressly specified purpose.

The following data may be processed:

Data you provide when subscribing to the Buffalo newsletter (email address; salutation, first name, last name, address, postal code, shoe size, preferred brands, interests, date of birth)
Data required to verify your consent to receive the Buffalo newsletter and for processing your data (IP address and timestamp of the subscription and of the click on the confirmation link, your declarations of consent)
Data collected when you read the Buffalo newsletter (newsletter opens, clicks on links contained therein, data on the device used, location data based on IP address, deliverability of the email address, purchases made on buffalo‑boots.com or actions on the website following a click on an offer)
Data collected when you participate in one of our prize draws (information provided for the prize draw, your responses)
Data collected when you register a user account on our website buffalo‑boots.com (salutation, first name, last name, email address, postal code, registration date, last login date)
Data on your purchases made online or in store at Buffalo (goods/services, total amount, currency, location, cashier or terminal ID, transaction date and number, store ID, discount amount)
Data collected when you redeem vouchers or coupons or activate credit (vouchers and coupons redeemed, date and place of redemption)
Data generated through your use of our website buffalo‑boots.com (pages viewed, services used, wishlist, preferences)
Data collected in customer surveys (survey responses)
Data generated by evaluating the data listed above (customer segments, inferred product preferences)

We process only those data that actually arise in each case—for example, through use of our website features, placing an order on buffalo‑boots.com, or taking part in one of our prize draws. Processing is based on your consent (Art. 6 (1) lit. a GDPR). You may withdraw your consent at any time with future effect (e.g. by email, letter, or via the unsubscribe link in every newsletter). We also retain information to demonstrate your consent (in particular, the time of consent). This processing is based on Art. 6 (1) lit. c in conjunction with Art. 7 (1) GDPR. Upon withdrawal, we will delete your data immediately. Any consent‑evidence data we have stored will be deleted one month later. Further storage of such evidence is based on our legitimate interest in proper business documentation and in asserting, securing, or defending legal claims (Art. 6 (1) lit. f GDPR).

7.2 Prize Draws

If you wish to participate in any of our prize draws, we will inform you in separate privacy notices in advance of the personal data processing involved.

7.3 WhatsApp

WhatsApp News You have the option to join our WhatsApp community and receive news, deals, and updates from Buffalo via WhatsApp (“WhatsApp Conversations”). WhatsApp is operated by WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“WhatsApp Ireland”), which acts as a data controller for the transmission of messages and your responses. Further information on WhatsApp Ireland’s data processing can be found here: [WhatsApp Ireland Privacy Policy].

For sending messages via WhatsApp, we process your telephone number and WhatsApp profile name on the basis of your consent, which you grant by clicking “Sounds great” or “Sign up” in the WhatsApp chat. The legal basis is Art. 6 (1) lit. a GDPR; we are the data controller in this respect.

To provide and operate WhatsApp Conversations, we use the software solution of Charles GmbH, Gartenstr. 86‑87, 10115 Berlin (“Charles”), which processes your data solely on our behalf as a processor and for no other purposes. The legal basis is Art. 6 (1) lit. a GDPR.

Right of Withdrawal: You may withdraw your consent at any time by sending “STOP” in our WhatsApp chat.

8. Cookies & Similar Technologies

To make your visit to our website attractive and to enable the use of certain functions, we use cookies and similar technologies (e.g. browser storage objects) on various pages. These small text files are stored on your device to make our online presence more user-friendly, effective, and secure, and to speed up navigation. Some cookies are deleted at the end of your browser session (session cookies); others remain on your device to recognize your browser on your next visit (persistent cookies).

For example, session and persistent cookies are required to use our shopping cart. You can configure your browser to notify you about cookie usage and to decide on a case‑by‑case basis whether to accept cookies or to block them entirely. If you do not accept cookies, website functionality may be limited.

We use the following cookie categories:

Technically Necessary Cookies: Essential for the operation and functionality of the website (e.g. navigation, proper page display, consent management). Without these cookies, the website cannot function correctly. – Legal basis: § 25 (2) TDDDG or Art. 6 (1) lit. f GDPR (legitimate interest in a technically optimized and user‑friendly website and in system security).
Functional / Analytics Cookies: Used to measure online traffic and analyze user behavior to improve our services. – Legal basis: your consent (Art. 6 (1) lit. a GDPR).
Marketing Cookies: Enable us to draw your attention to relevant Buffalo marketing campaigns and to display personalized Buffalo content on third‑party websites. We can also limit the frequency of ads shown to you. – Legal basis: your consent (Art. 6 (1) lit. a GDPR).

Where cookies require your consent, you may withdraw it at any time via the “Cookie Settings” link in the website footer or by adjusting your browser settings. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

9. Personalized Product Recommendations – Tracking Pixels

Tracking pixels serve functions similar to cookies but are not visible to the user. With your consent, we use tracking pixels within our shop functionality to measure your behavior, in the newsletter, and for remarketing. These data are anonymous and not linked to personal data on your device or in any database. For personalized product recommendations on buffalo‑boots.com, your shopping history is used (e.g. items and categories you have viewed, searched for, or purchased). All collected information is stored anonymously, and no inference can be made about your identity. The legal basis is Art. 6 (1) lit. a GDPR. You may withdraw your consent as described in Section 8; please note that we will then be unable to provide you with tailored recommendations in that browser.

10. Google Tag Manager

This website uses Google Tag Manager, which allows website tags to be managed in a single interface. Google Tag Manager merely implements tags—it does not itself set cookies or collect personal data. It triggers other tags that may collect data, but Google Tag Manager does not access this data. If you have disabled tracking at the domain or cookie level, this deactivation remains in effect for all tracking tags implemented via Google Tag Manager.

11. Analytics Software, Marketing Pixels and Retargeting

11.1 Google Analytics

If you give us your consent, we use the web analytics service Google Analytics by Google Ireland Limited ("Google"). This service allows us to analyze user behavior on our website and generate reports to improve our services. The processing of personal data complies with the EU-US Data Privacy Framework, which ensures an adequate level of data protection for transfers to the USA. Google has adhered to this framework, ensuring your data is handled securely. The legal basis for using Google Analytics is your consent in accordance with Art. 6 (1) lit. a) GDPR. Google Analytics uses cookies to collect information about your use of our website, including your IP address, which is anonymized (IP masking) before being transmitted. This information is transferred to Google servers in the USA or other locations compliant with the EU-US Data Privacy Framework and stored there. Google uses the collected data to compile reports on website activity and to provide further services related to website and internet usage. Furthermore, Google may link this data with other data from your Google account if you are logged in to Google while using our website. Data collected through Google Analytics is stored for a maximum of 14 months. After this period, only aggregated statistics are retained. You can withdraw your consent to the use of Google Analytics at any time with future effect by adjusting your cookie settings. For more information on how Google uses personal data, visit policies.google.com/privacy and for the EU-US Data Privacy Framework, see policies.google.com/privacy/frameworks. Please consider the above when giving your consent.

11.2 Google Ads Remarketing

If you give us your consent, we use Google Ads Remarketing features provided by Google. This allows us to advertise our website in Google search results and on third-party websites. Google places a cookie in your browser, which enables interest-based advertising using a pseudonymous cookie ID based on the pages you have visited. Furthermore, your browser history may be linked with your Google account, and information from your Google account may be used to personalize ads that you see on the web. If you are logged into Google during your visit to our website, Google uses your data together with Google Analytics data to create and define target audience lists for cross-device remarketing. To do this, Google temporarily links your personal data with Google Analytics data. As described in section 11.1, using Google Ads Remarketing may involve the transfer of personal data to third countries (especially to Google LLC servers in the USA). Please consider the above when giving your consent. Details on the processing triggered by Google Ads Remarketing and how Google handles data from websites can be found here: policies.google.com/technologies/partner-sites. The data stored by Google is retained for 14 months. After this period, only aggregated statistics are stored in Google Analytics. The use of Google Analytics is based on your consent (Art. 6 (1) lit. a) GDPR). You can withdraw your consent as described in section 8.

11.3 Microsoft Bing Ads

If you give us your consent, we use the conversion tracking of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, on our website. When you access our website via a Microsoft Bing ad, a cookie is stored on your device by Microsoft Bing Ads. This allows Microsoft Bing and us to recognize that someone clicked on an ad, was redirected to our website, and reached a predefined target page (conversion page). We only learn the total number of users who clicked on a Bing ad and were redirected to the conversion page. The processing of personal data under Microsoft Bing Ads now takes place in accordance with the EU-US Data Privacy Framework, which the European Commission has recognized as providing an adequate level of protection. Microsoft has committed to complying with the EU-US Data Privacy Framework to ensure your data is handled securely and lawfully. If your personal data is transferred to a third country, this is done based on standard contractual clauses in accordance with Art. 46 (2) lit. c) GDPR and supplementary technical and organizational measures. Please consider the above when giving your consent. The use of Microsoft Bing Ads is based on your consent (Art. 6 (1) lit. a) GDPR). You can withdraw your consent at any time as described in section 8. For more information on Microsoft and Bing Ads privacy and cookies, see: privacy.microsoft.com/de-de/privacystatement.

11.4 Facebook Custom Audiences

If you give us your consent, we use "Facebook Custom Audiences" features on this website, provided by Meta Platforms Ireland Limited. By using the Facebook Pixel, we can define visitors of our website as a target audience for the display of ads ("Facebook Ads"). This enables us to show Facebook Ads only to users who have shown interest in our website or specific topics/products. These target groups are created based on certain characteristics that we transmit to Meta ("Custom Audiences"). The Facebook Pixel also helps ensure that our Facebook Ads are relevant to you and allows us to measure their effectiveness for statistical and market research purposes through conversion tracking. This enables us to determine whether a user was redirected to our website after clicking on an ad. Meta Platforms Ireland processes various data, including:

Usage data (e.g., visited websites, interest in content, access times)
Meta/communication data (e.g., device information, IP addresses)
Event data (e.g., interactions with content, purchases, app installations) The processing of personal data is also carried out in accordance with the EU-US Data Privacy Framework, recognized by the European Commission. Meta has committed to complying with this framework. If data is transferred to non-secure third countries, this is done based on standard contractual clauses under Art. 46 (2) lit. c) GDPR and supplementary technical and organizational measures. We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt of event data. You can view the joint controller agreement here: www.facebook.com/legal/terms/page_controller_addendum. Metrics and analyses are provided to us by Meta in anonymized form and are not subject to joint responsibility. Please consider the above when giving your consent. The use of Facebook Custom Audiences is based on your consent (Art. 6 (1) lit. a) GDPR), which you can withdraw at any time. Further information can be found in Meta’s privacy policy: www.facebook.com/privacy/explanation.

11.5 TikTok Ads & Pixel

If you give us your consent, we use the so-called "TikTok Pixel" on this website, provided by TikTok (for users in the EEA and Switzerland: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland – "TikTok Ireland"). The TikTok Pixel is a code implemented on our website. With your consent, a connection to TikTok servers is established when you visit our website to track your activity. For example, if you purchase a product on our website, the TikTok Pixel is triggered and stores your actions in one or more cookies. This may include personal data such as your IP address, email address, device ID, device type, and operating system, which may be transferred to TikTok. TikTok uses email or other login/device information to identify users and associate their actions with TikTok accounts. TikTok uses this data to deliver targeted and personalized advertising and to create interest-based user profiles. The collected data is anonymous to us and only used to measure the effectiveness of advertising campaigns. If personal data is processed in an insecure third country, this is done in accordance with section 11.1. Please consider the above when giving your consent. The use of TikTok Ads / Pixel is based on your consent (Art. 6 (1) lit. a) GDPR). You can withdraw your consent at any time as described in section 8. TikTok's privacy policy is available here: www.tiktok.com/legal/page/eea/privacy-policy/de-DE.

11.6 Snap Pixel and Website Custom Audiences

We use the "Snap Pixel" from Snapchat, operated by Snap Inc., Market Street, Venice, CA 90291, USA, to analyze and optimize our website and services. The Snap Pixel allows Snapchat to identify visitors of our website as a target audience for showing ads ("Snapchat Ads"). Accordingly, we use the Snap Pixel to display Snapchat Ads only to users who have shown interest in our website or match certain characteristics we provide to Snapchat ("Custom Audiences"). With the Snap Pixel, we can also ensure that our Snapchat Ads match users’ potential interests and do not appear annoying. Furthermore, we can track conversions—whether users were redirected to our website after clicking on an ad. Snapchat processes data according to its privacy policy, available here: Privacy Center - You Control Your Info | Snapchat Privacy. The legal basis for data processing is Art. 6 (1) lit. a) GDPR. The required cookies (so-called marketing cookies) are only used with your consent. You can withdraw your consent at any time via our preference center.

11.7 Use of Pinterest Social Plugins

Our website uses social plugins from Pinterest, operated by Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA ("Pinterest"). When you visit a page containing such a plugin, your browser establishes a direct connection to Pinterest’s servers. The plugin sends log data to Pinterest’s servers in the USA. All collected data is anonymous and does not identify you. Data collected includes device information (e.g., type, brand), operating system, IP address, time of access, campaign type and content, campaign response (e.g., purchase, newsletter registration), and device identifiers. We use Pinterest to optimize our online offering and Pinterest campaigns. We use a “Pinterest Tag” (a snippet of code) in our ad campaigns. If a Pinterest user views or clicks the ad, further actions and audiences are tracked. This helps ensure that Pinterest ads are only shown to users already interested in our offer and allows us to measure campaign conversions. This data is used for statistical and market research purposes and helps optimize campaigns. The legal basis is Art. 6 (1) lit. f) GDPR. Personal data such as your IP address, email address, device ID, device type, and operating system may be transmitted to Pinterest. Pinterest uses email or device information to identify users and associate actions with their Pinterest accounts. Data is stored according to legal retention periods and then automatically deleted. If you log into your Pinterest account after visiting our site, or visit while logged in, Pinterest may store and process this data and possibly associate it with your Pinterest account for its own advertising purposes. More information can be found in Pinterest’s privacy policy: https://policy.pinterest.com/de/privacy-policy. You can object to this data processing at any time in your Pinterest account settings: https://help.pinterest.com/en/article/personalization-and-data, or by clicking “opt-out”. We also note that the transfer of personal data to Pinterest in the USA is carried out in accordance with the EU-US Data Privacy Framework. This framework ensures an adequate level of data protection in compliance with EU standards. Further details on the framework and Pinterest’s privacy measures can be found in Pinterest’s privacy policy.

11.8 Criteo

If you give us your consent, our website uses cookies/advertising IDs for advertising purposes by Criteo, 32 Rue Blanche, 75009 Paris, France. This allows us to display advertising to visitors who are interested in our products on partner websites, apps, and in emails. Retargeting technologies use cookies or advertising IDs to show ads based on your previous browsing behavior.

We may exchange information such as technical identifiers from your login information on our website or CRM system with trusted advertising partners. This enables your devices and/or environments to be linked, providing you with a seamless experience across the devices and environments you use. The use of Criteo is based on your consent (Art. 6 para. 1 lit. a) GDPR). You can withdraw your consent at any time as described in section 8.

For more information on data protection and details about Criteo's linking capabilities, please refer to the privacy policy at www.criteo.com/privacy.

11.9 ContentSquare

If you give us your consent, this website uses technologies from contentsquare S.A.S. to collect interaction data of website visitors in pseudonymized form for marketing purposes and to improve the user-friendliness of the website through the use of cookies.

The information generated by the cookie about your use of the website is usually transmitted to and stored on a server operated by contentsquare. The IP address transmitted by your browser is not merged with other data from contentsquare. Contentsquare shortens your IP address so that your data is processed in anonymized form. The following cookies are used by contentsquare:

_cs_id: to recognize returning website users (stored for up to 13 months)
_cs_s: a session cookie created at the beginning of a website visit and deleted 30 minutes after the last page view

The use of contentsquare is based on your consent (Art. 6 para. 1 lit. a) GDPR). You can withdraw your consent at any time as described in section 8.

11.10 Zenloop

In various places in our online shop, we optionally ask for feedback about your shopping experience. For this, we use the services of zenloop GmbH, Brunnenstraße 196, 10119 Berlin, to collect and evaluate your feedback. The following data may be processed: your public IP address, email address, device and browser data, statistical data about your purchase, the website from which you access the feedback platform, and any additional information you provide in your message. The legal basis is Art. 6 para. 1 lit. f) GDPR. We offer this service to make the shopping experience on our website more appealing, which constitutes our legitimate interest.

If you request contact from Buffalo based on your feedback after your purchase, this will occur if you leave a message in the comment field and confirm the process. In this case, we may contact you via email to handle your request. Further information on zenloop's data protection can be found at www.zenloop.com/en/legal/privacy/.

11.11 Emarsys

If you give us your consent, we use technologies from Emarsys eMarketing Systems AG, Märzstraße 1, 1150 Vienna, Austria to personalize our website, the Buffalo app, and newsletter content by creating user profiles via the Emarsys Marketing Cloud. All data collected through the Emarsys Web Extend database is captured using JavaScript commands and cookies.

For visitors with a newsletter subscription or Buffalo online shop account, our website uses JavaScript commands to capture browsing and purchase data. These data enrich your customer profile and provide a personalized experience across all our touchpoints. We also store the following personal data in our Emarsys CRM suite and use them for targeting and profiling within the website, SCAYLE, possibly WhatsApp, newsletters, and – if permission is granted – push notifications in the app:

Mobile number
Email address
Salutation
First and last name
Date of birth
IP address
Order data
Loyalty ID
Shoe size
Preferred brands
Interests

Using the Emarsys Marketing Cloud may result in data matching through Google and Facebook, which can involve data processing outside Europe. Given the potential risks (see the sections on Google and Facebook in this privacy notice), we only use Emarsys if you also consent to possible data transfers to insecure third countries.

Such third countries may not offer an adequate level of data protection according to the European Commission (see: ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions). For instance, the U.S. is currently not considered a secure third country. Data transfers to such countries pose risks, including potential access by U.S. authorities. While standard contractual clauses offer some protection, they do not eliminate all risks. However, Google and Facebook implement security measures to protect your personal data.

We only process your data automatically to assess personal characteristics (profiling), using mathematical and statistical methods to personalize advertising to your interests.

After unsubscribing from the newsletter, we will stop sending it and delete your data unless you also have a customer account on our website, in which case we will retain your data as long as the account exists – unless we are legally required or entitled to store data for specific purposes, including legal defense. The legal basis for data processing is Art. 6 para. 1 lit. a) GDPR.

You can withdraw your consent at any time as described in section 8.

11.12 ChannelPilot

If you give us your consent, we use ChannelPilot – an online marketing tool from Channel Pilot Solutions GmbH, Lilienstraße 5–9, Semperhaus C, 20095 Hamburg. ChannelPilot uses cookies to analyze the performance of linked online marketing channels such as Google. Your IP address is also processed for click fraud detection (bot detection), usually for a maximum of 24 hours.

The legal basis for data processing is Art. 6 para. 1 lit. a) GDPR. You can withdraw your consent at any time as described in section 8.

For more information on ChannelPilot’s data protection, visit www.channelpilot.com/privacy.

11.13 Conversion Linker

If you give us your consent, we use the following Google technology: Google Ads Conversion Tracking via the Google Tag Manager and the Conversion Linker. We use the Conversion Linker to ensure more reliable measurement of click data and better conversion tracking. When you click on our ads, the URL of the conversion page on our website contains information about the click. If you perform an action we’ve tagged as a conversion (e.g., triggering a Google Ads conversion tracking tag), this conversion is linked to the click that brought you to our site. The Conversion Linker automatically captures click information from the URLs and stores it in cookies on our site.

If personal data is transferred to an insecure third country, this is done in accordance with the provisions under section 11.1.

Please consider these circumstances when giving your consent.

Cookies used by Google:

_gcl_au: Contains a randomly generated user ID (stored for up to 90 days)
_gcl_aw: Set when a user arrives at the website via a Google ad click. It stores information about the clicked ad so that conversions (e.g. purchases or contact requests) can be attributed to the ad (stored for up to 90 days)

The legal basis for data processing is Art. 6 para. 1 lit. a) GDPR. You can withdraw your consent at any time as described in section 8.

11.14 Google Enhanced Conversions

If you give us your consent, we use the Enhanced Conversions feature from Google, which allows us to advertise our website more precisely and effectively using higher-quality data.

Enhanced Conversions is an extension of Google Ads Remarketing. Encrypted customer data is transmitted as hash values to a Google interface via the Google Tag Manager. These include input data from form fields on our website. Google links these with potential usage data from your Google account if you were logged in during interaction with an ad. We never see this Google account data; we only receive aggregated conversion reports from Google, which are more accurate thanks to Enhanced Conversions.

Data collection occurs only after your explicit consent and completion of data entry on our website. If you are logged into your Google account while interacting with ads, the conversion may be linked to your account. To prevent this, you can either log out of your Google account or withhold consent for this service.

According to our knowledge, Google uses the data confidentially and ensures data protection. You can find Google’s Enhanced Conversions policies here, and how Google uses your data is explained here.

As with section 11.1, using Google Enhanced Conversions may result in data transfers to third countries (especially to Google LLC servers in the U.S.).

The legal basis for processing your personal data is your consent under Art. 6 para. 1 sentence 1 lit. a) GDPR and, if data stored on your device is accessed or processed, § 25 para. 1 TDDDG.

You can withdraw your consent at any time as described in section 8.

12. Use and Application of Livereach

Users of social media platforms ("users"), especially Instagram, regularly interact with us through their own photo and video posts ("content"). This occurs, for example, by tagging our Instagram profile @buffalo in a photo or comment, or by using one of our campaign hashtags.

Tagged content includes products distributed by us. In order to identify and utilize such relevant content, we use the software solution “Livereach,” operated by Gorilla GmbH, Geisbergweg 8, 48143 Münster, Germany. If Livereach identifies publicly accessible content relevant to us, we contact the user who published it. The user then has the option to grant us usage rights by accepting the terms of participation.

Content for which usage rights have been granted may then be shared by us online (e.g., in our own webshop) and in print in accordance with the usage terms. Along with the content, personal data associated with the original post, such as the username/alias, may also be shared.

The use of Livereach is based on our legitimate interest in promoting our brand and products. The legal basis for the processing of personal data in this context is Art. 6 (1) lit. b) or f) GDPR, unless you enter into or intend to enter into a contract with us.

The privacy policy of the third-party provider Livereach can be found here.

13. DigitalGenius

Customer service automation is supported by the third-party provider DigitalGenius, 110 Clifton Street, London EC2A 4HT, United Kingdom. Messages are retrieved from the Scayle operating system, processed via the DigitalGenius platform, and automatically returned to the customer through Scayle. As part of this process, DigitalGenius processes personal data to handle the request. All data is stored on the platform for a maximum of 30 days.

This service is used to respond to customer inquiries more quickly and accurately. The legal basis for this data processing is Art. 6 (1) lit. b) or f) GDPR, unless you enter into or intend to enter into a contract with us. In this case, our overriding legitimate interest lies in providing appropriate communication channels.

14. Reviews

You have the option to review the products and services offered by us on our website. After placing an order, you will receive an email requesting a review of the purchased product or service. If you do not wish to receive review request emails, you can object to receiving them at any time. For more details, please refer to the section on your right to object in this privacy policy. Each review email also contains a link allowing you to unsubscribe from such emails with future effect.

The email includes a link to a review form where you can rate the purchased product or service.

Reviews can also be submitted directly via a form on the website.

As part of the review process, we process your email address, the content entered in the review form, and a so-called device fingerprint (IP address, device identifier, and geolocation). This data is processed to collect and publish the review and to verify its authenticity. Additionally, cookies that are strictly necessary for the operation of the review system are stored. The review system is provided by Bazaarvoice, Inc. in the USA. Bazaarvoice acts as a processor on our behalf on the basis of a data processing agreement pursuant to Art. 28 GDPR.

Personal data may be transferred to a third country without an adequate level of data protection. In such cases, we ensure that appropriate safeguards pursuant to Art. 46 GDPR are in place. Proof of such safeguards (EU Standard Contractual Clauses) can be provided upon request at any time.

The legal basis for this data processing is our legitimate interest pursuant to Art. 6 (1) lit. f) GDPR in supporting users in selecting products and services by providing authentic reviews from other users. If you have expressly consented to certain data processing activities, the legal basis is your consent pursuant to Art. 6 (1) lit. a) GDPR. You may request deletion of your submitted review at any time. Please contact us using the contact details provided above.

15. Use of Tracking Tools by trbo GmbH

Our website uses technologies provided by trbo GmbH, Leopoldstr. 41, 80802 Munich, Germany (Home | trbo) to optimize our online offerings, measure the effectiveness of our online advertising, and deliver personalized content.

If you have given us your consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR, we use tracking tools in this context (particularly “cookies” and “web beacons”). The data collected and used is always stored under a pseudonym (e.g., a randomly generated identification number) and is not combined with other personal data (e.g., name, address).

The data is deleted as soon as it is no longer necessary for the purposes for which it was collected. Deletion at the user and event level occurs no later than 14 months after collection.

You can revoke your consent for the use of trbo tracking for the purposes mentioned above at any time with future effect or adjust your preferences. To do so, simply reopen the cookie settings via the following link: [Cookie Settings].

We have entered into a data processing agreement with trbo, in which the provider is obliged to protect our customers’ data and not to disclose it to third parties. Further information on data protection at trbo can be found here: www.trbo.com/datenschutz.

16. Our Social Media Presences

If our websites contain icons of the following social media providers, we use these as passive links to the respective providers’ pages.

16.1 Facebook Fan Page

You can find us on Facebook at: www.facebook.com/buffalo.com

For users outside the USA and Canada, Facebook is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook Ireland"). For users in the USA and Canada, Facebook Inc., 1601 South California Avenue, Palo Alto, CA 94304, USA, is the operator.

Even if you are not registered with Facebook and visit our Facebook fan page, Facebook may collect pseudonymous usage data. Further information is available in Facebook’s Data Policy: https://www.facebook.com/about/privacy, including information about your account settings.

Facebook Ireland may share your data within the Facebook corporate group and with third parties. This may involve the transfer of personal data to the USA or other third countries without an EU adequacy decision. In such cases, Facebook Ireland will rely on the EU Commission’s Standard Contractual Clauses pursuant to Art. 46 (2) lit. c GDPR. More information can be found in Facebook’s Data Policy.

We are also joint controllers with Facebook regarding the processing of so-called Insights Data when visiting our Facebook fan page. Facebook Ireland uses Insights Data to analyze behavior on our page and provides us with aggregated, anonymized statistics. We have concluded a joint controllership agreement with Facebook Ireland, which can be found here: Facebook Page Insights Joint Controller Addendum. Facebook Ireland assumes primary responsibility under the GDPR for processing Insights Data and fulfilling all GDPR obligations with regard to it.

The processing is based on our legitimate economic interests in optimizing and tailoring our Facebook fan page, Art. 6 (1) lit. f) GDPR.

We also draw your attention to the following: If you visit or “like” our Facebook fan page while logged into Facebook, Facebook Ireland processes personal data. Even if you are not a registered Facebook user and visit the page, Facebook Ireland may still collect pseudonymous usage data.

Specifically, Facebook Ireland collects the following information:

Viewing a page, post, or video
Subscribing or unsubscribing to/from a page
Liking or unliking a page or post
Recommending a page in a post or comment
Commenting on, sharing, or reacting to a post (including the type of reaction)
Hiding a post or reporting it as spam
Clicking on links to the page from elsewhere (Facebook or external websites)
Hovering over a page name or profile picture to see a preview
Clicking on page buttons such as website, phone number, or “Get Directions”
Information on whether you're logged in from a desktop or mobile device while interacting with the page

More information is available in Facebook’s policy on Page Insights data: https://de-de.facebook.com/legal/terms/information_about_page_insights_data

16.5 Community Features

When you visit our social media presences (e.g., our Facebook fan page), we process certain data from you, such as when you interact with our page or account, like or comment on a post, reply, or provide other content. These data processing activities are generally based on our legitimate interest in providing you with the relevant functions on our social media presences (Art. 6 para. 1 lit. f) GDPR), as well as your consent given to the respective platform operators (e.g., Facebook Ireland, LinkedIn Ireland), Art. 6 para. 1 lit. a) GDPR, or your contractual relationship with the platform operators (Art. 6 para. 1 lit. b) GDPR).

Please note that these areas are publicly accessible and any personal information you share there or provide upon registration may be viewed by others. We have no control over how other users use this information. In particular, we cannot prevent third parties from sending you unsolicited messages.

Content posted in community areas may be stored indefinitely. If you would like us to remove content you have posted, please send us an email to the address listed above in section 2.

17. Payment Methods

We process your payment information for the purpose of handling payments, for example, when you purchase a product from our online shop. Depending on the payment method chosen, we may forward your payment details to third parties (e.g., to your credit card provider in the case of credit card payments).

The legal basis for this data processing is Art. 6 para. 1 lit. b) GDPR, where processing is necessary for the execution of the payment, as well as Art. 6 para. 1 lit. f) GDPR, with our overriding legitimate interest being the proper handling of payments. In our online shop, we primarily offer the following payment methods:

17.1 Credit Cards

We accept Visa and MasterCard. If you choose this payment method, you will be redirected to an external website (Saferpay) provided by Six Payment Services AG. Your card data will be collected there. If two-factor authentication is required, it will be handled by Saferpay.

Further information on the Saferpay service is available here: www.six-payment-services.com/de/site/e-commerce/solutions/paymentsolution.html

Important Security Information: If your credit card is misused by unauthorized persons, you may file a chargeback with your credit card provider. Maximum security: With state-of-the-art SSL encryption, we ensure optimal protection of your personal data in the checkout area of our online shop. Additionally, for credit card payments, the entire transaction is further secured by requiring the card verification number (CVC2 or CVV2). Good to know: These numbers are not stored on your credit card’s magnetic strip and therefore do not appear on payment receipts.

17.2 PayPal

If you select PayPal as your payment method, your payment data will be transferred to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal") for payment processing. You will be identified through your PayPal account login.

For further information on data protection at PayPal, please refer to PayPal’s Privacy Policy: www.paypal.com/de/webapps/mpp/ua/privacy-full

17.3 Klarna

In order to offer you Klarna’s payment options, we will share personal data such as contact and order details with Klarna Bank AB (publ), Sweden. Klarna uses this information to assess whether you qualify for the payment options offered through Klarna and to tailor those options to your needs. General information about Klarna can be found here. Your personal data will be handled by Klarna in accordance with applicable data protection laws and as described in Klarna’s privacy policy.

18. Order Process

The following personal data will be collected from you during the order process:

First name, last name, address, email address, phone number (optional), as well as the data collected through the applications mentioned above and by processors/service providers.

This data processing is carried out for the purpose of fulfilling your purchase. The legal basis for this processing is Art. 6 para. 1 lit. b) GDPR. In the case of purchasing goods in our online shop (contract conclusion), the provision of your personal data is required. If you do not provide the aforementioned data, a purchase in our online shop cannot be completed. The data will be made available to employees responsible for sales and logistics, as well as to commissioned service providers/data processors in this context (see section 28.3). Your data will be stored until the respective purchase contract has been completed and thereafter in an anonymized and restricted form for as long as statutory retention periods apply to the transactions carried out.

19. Customer Account

On our website, we offer you the opportunity to register by providing personal data ("My Account"). Registration is necessary in order for us to create your customer account. Buffalo uses your personal data to manage your Buffalo account ("My Account"), including obtaining consents, verifying and confirming the identity of the account user, preventing unauthorized access and use, restricting use by minors, sending communications and notifications, taking measures against account misuse, investigating violations of the terms of use, and processing the withdrawal of consents. We also use your personal data to provide you with a personalized online experience and to give you immediate access to information regarding your purchases.

The processing of your personal data for your account is based on your consent when you create a customer account. The legal basis for this processing is Art. 6 para. 1 lit. a) GDPR. We store your personal data for as long as necessary to provide the account. Personal data collected and used solely for the purpose of providing you with a customer account will be deleted once the account is closed. You may withdraw your consent at any time as described in section 8.

21. Use of Data

When you register in our online shop, we use your login credentials (email address and password) to grant you access to and manage your user account ("Required Information"). Required fields during registration are marked with an asterisk and are necessary for the conclusion of the user agreement. If you do not provide this information, you will not be able to create a user account. Required information also includes: title, first name, last name, and country. In addition, you may voluntarily provide the following details during registration: mobile phone number and date of birth.

We use the required information to authenticate you during login and to process password reset requests. The data you provide during registration or login is processed and used by us to (1) verify your authorization to manage the user account, (2) enforce the online shop’s terms and conditions and all related rights and obligations, and (3) contact you to send technical or legal notices, updates, security alerts, or other messages related to the management of your user account. Voluntary information is used to send you personalized communication.

This data processing is justified because (1) it is necessary for the performance of the contract between you as the data subject and us pursuant to Art. 6 para. 1 lit. b) GDPR, or (2) we have a legitimate interest in ensuring the functionality and smooth operation of our services, which outweighs your rights and interests in protecting your personal data in accordance with Art. 6 para. 1 lit. f) GDPR.

We use the information available to us (mobile number, date of birth, transaction data) to personalize features and content and to provide you with tailored suggestions. In order to create personalized products that are individual and relevant to you, we use your connections, preferences, interests, and activities. This is based on the data we collect and learn from you, on how you use and interact with our products, and on the people, places, or things you are connected to or interested in both on and off our platforms.

We also use the information available to us to develop, test, and improve our products – including by conducting surveys and studies, as well as testing and troubleshooting for new products and features. Furthermore, we use information we have about you – including data about your interests, actions, and connections – to select and personalize the advertisements, offers, and other sponsored content that we show you.

22. Data Security

We have implemented technical and organizational security measures to protect your personal data against loss, destruction, manipulation, and unauthorized access. All of our employees are bound to data confidentiality, i.e., the confidential handling of personal data. Our security measures are continuously reviewed and updated according to technological developments.

23. Automated Individual Decisions or Profiling Measures

We do not use automated processing procedures to make decisions or carry out profiling.

24. Data Disclosure

As a general rule, your personal data will only be disclosed without your explicit prior consent in the following cases:

If it is necessary to clarify unlawful use of our services or for law enforcement purposes, personal data will be forwarded to law enforcement authorities and, if applicable, to injured third parties. However, this only takes place if there are concrete indications of illegal or abusive behavior. Disclosure may also occur if it serves the enforcement of contracts or other agreements. Furthermore, we are legally obliged to provide information to certain public authorities upon request. These include law enforcement agencies, authorities responsible for prosecuting administrative offenses subject to fines, and tax authorities. The disclosure of this data is based on our legitimate interest in combating abuse, prosecuting crimes, and securing, asserting, and enforcing claims (Art. 6(1)(f) GDPR), or on a legal obligation (Art. 6(1)(c) GDPR).

Your data will be passed on to the shipping company commissioned with delivery insofar as this is necessary for delivering the goods. The shipping company uses your personal data exclusively for processing the delivery. To process payments, we pass your payment data to the credit institution or PayPal or other payment service providers commissioned with the payment. Your data will not be passed on to any other third parties or used for advertising purposes. The legal basis for data processing is Art. 6(1)(b) GDPR. After full completion of the contract and full payment of the purchase price, your data will be blocked for further use and deleted after expiry of the tax and commercial retention periods.

We rely on contractually linked third-party companies and external service providers (“processors”) to provide our services. In such cases, personal data is passed on to these processors to enable further processing. These processors are carefully selected and regularly reviewed by us to ensure that your rights and freedoms are protected. The processors are only permitted to use the data for the purposes we specify and are contractually obliged by us to handle your data exclusively in accordance with these privacy notices and applicable data protection laws.

The transfer of data to processors is based on Art. 28(1) GDPR. In addition to the processors mentioned in these privacy notices, we also engage the following categories of processors:

IT service providers
Cloud service providers
Software service providers

Within the framework of administrative processes and the organization of our operations, financial accounting, and compliance with legal obligations, such as archiving, we disclose or transmit the same data that we have received in connection with the provision of our contractual services, if applicable, to tax authorities, advisors such as tax consultants or auditors, as well as other fee offices and payment service providers. The disclosure of this data is based on our legitimate interest in maintaining our business activities, performing our tasks, and providing our services (Art. 6(1)(f) GDPR) or on a legal obligation (Art. 6(1)(c) GDPR).

As part of the further development of our business, it may happen that the structure of Buffalo Boots GmbH changes, for example by changing the legal form or by founding, buying, or selling subsidiaries, business units, or components. In such transactions, data relating to our customers and contacts will be passed on together with the part of the company being transferred. We ensure that any transfer of personal data to third parties in this scope is carried out in accordance with these privacy notices and applicable data protection laws. Any such data disclosure is justified by our legitimate interest in adapting our corporate structure to economic and legal conditions as needed (Art. 6(1)(f) GDPR).

25. Provision of Your Data

You are neither legally nor contractually obligated to provide your data.

However, providing your data is necessary to some extent so that we can offer you the functions on our website and our services. In particular, the provision of your data is required so that we can receive and process your inquiries, enable the initiation and execution of contracts, and allow you to use the community functions related to our social media presences. Furthermore, providing your data is necessary for receiving and processing your job application.

Where the provision of your data is required, we will indicate this as a mandatory field during input. Providing additional data beyond that is voluntary. If you do not provide the required data, we will not be able to provide the corresponding functions and services. Specifically, we will not be able to receive and process your inquiries or enable contract initiation or execution. Additionally, you will not be able to use the community functions of our social media presences. If you do not provide the required data in connection with your application, we will not be able to consider your application. In the case of voluntary data, not providing it means that we may not be able to provide the corresponding functions and services or may only provide them to a limited extent.

26. Transfer to Third Countries

We also process data in countries outside the European Economic Area (“EEA”), so-called third countries, or transfer data to recipients in these third countries. This includes the United States. For data transfers to the USA, the EU-US Data Privacy Framework serves as the legal basis, provided that the receiving company is certified under this framework. Please note that for some of these third countries, there is currently no adequacy decision by the EU Commission confirming that these third countries generally provide an adequate level of data protection. Therefore, when structuring contractual relationships with recipients in third countries, we rely on the standard contractual clauses approved by the EU Commission pursuant to Art. 46(2)(c) GDPR or, alternatively, on your consent according to Art. 49(1)(a) GDPR.

For our service providers who process your data on our behalf (“processors”), we conclude the standard contractual clauses for transfers to processors in third countries. For transfers to third parties in third countries, we use the standard contractual clauses for transfers to third parties acting as controllers. You can request a copy of these standard contractual clauses at the contact details provided under section 2.

27. Change of Purpose

Processing your data for purposes other than those described will only take place if permitted by law or if you have consented to the changed purpose of data processing. In the event of further processing for purposes other than those for which the data was originally collected, we will inform you about these other purposes before the further processing and provide you with all relevant additional information.

28. Deletion of Your Data

Unless otherwise stated in these privacy notices, we delete or anonymize your data as soon as it is no longer necessary for the purposes for which we collected or used it according to the above sections. Further storage only occurs insofar as it is required for legal reasons, in particular for asserting, securing, or defending claims. This storage is based on our legitimate interest in the proper documentation of our business operations and the safeguarding of our legal positions (Art. 6(1)(f) GDPR).

If your data is relevant for contract initiation or performance, the storage is for the purpose of initiating and executing the respective contractual relationship (Art. 6(1)(b) GDPR). Furthermore, if we are legally obliged to retain data, we store your data beyond this period for the legally prescribed duration (Art. 6(1)(c) GDPR). Legal retention obligations may arise, in particular, from the retention periods set forth in the German Commercial Code (HGB) or the Fiscal Code (AO). The retention period under these regulations generally ranges between 6 and 10 years from the end of the year in which the respective process was completed—for example, when we have conclusively processed your inquiry or when the contract has ended.

29. Your Rights as a Data Subject

You have the following rights regarding the processing of your personal data. To exercise your rights, you can submit a request by post or email to the address provided above under section 2.

29.1 Right of Access

You have the right to obtain from us at any time, upon request, information about the personal data concerning you that we process, in accordance with Article 15 GDPR and Section 34 of the German Federal Data Protection Act (BDSG).

29.2 Right to Rectification of Incorrect Data

You have the right to demand from us the immediate correction of any inaccurate personal data concerning you, in accordance with Article 16 GDPR.

29.3 Right to Deletion

You have the right to request the deletion of personal data concerning you under the conditions described in Article 17 GDPR and Section 35 BDSG. These conditions include, in particular, the right to deletion if the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, as well as in cases of unlawful processing, objection, or when there is a legal obligation under Union law or the law of the member state to which we are subject.

29.4 Right to Restrict Processing

You have the right to request the restriction of processing from us in accordance with Article 18 GDPR. This right applies, in particular, if the accuracy of the personal data is disputed between you and us, for the duration of the verification of accuracy; if you have requested restriction instead of deletion in the case of an existing right to deletion; if the data is no longer necessary for the purposes pursued by us, but you require it for the establishment, exercise, or defense of legal claims; and if the successful exercise of an objection between you and us is still disputed.

29.5 Right to Data Portability

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format in accordance with Article 20 GDPR.

29.6 Right to Object

You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR, pursuant to Article 21 GDPR. We will cease processing your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing serves the establishment, exercise, or defense of legal claims.

Where we process your personal data for direct marketing purposes, including profiling, you have the right to object to this processing. After your objection, we will cease processing.

29.7 Right to Complain

You have the right to lodge a complaint with a supervisory authority of your choice. The supervisory authority responsible for North Rhine-Westphalia is:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia Kavalleriestr. 2-4 40213 Düsseldorf Phone: +49 211 38424-0 Fax: +49 211 38424-10 Email: [email protected]

30. Data Processing When Exercising Your Rights

Finally, please note that if you exercise your rights under Articles 15 to 22 GDPR, we process the personal data you provide in this context for the purpose of implementing these rights and to be able to provide proof thereof. These processing activities are based on the legal basis of Art. 6(1)(c) GDPR in conjunction with Articles 15 to 22 GDPR and Section 34(2) BDSG.

31. Updates and Changes

We reserve the right to amend and update the privacy notice in accordance with current legal requirements or adjustments in data processing. Please review the privacy notice regularly before using our services to stay informed of any changes or updates.

32. Scayle

Scayle is a headless eCommerce system of About You SE & Co. KG (Domstraße 10, 20095 Hamburg). Buffalo uses the Scayle system to provide the online shop.

Information on the privacy policy can be found at this link: Datenschutz | SCAYLE

32.1 Akamai Technologies, Inc.

Buffalo uses the service "Akamai" to optimize the delivery of the website and to secure our web servers with a Web Application Firewall. The entity responsible for processing your personal data is: Akamai Technologies GmbH, Parkring 20-22, 85748 Garching, Germany.

The following list includes all (personal) data collected through or during the use of this service:

Browser information
Visited pages
Date and time of visit
Operating system
IP address

The legal basis for processing your personal data is Article 6(1)(f) GDPR, balancing of interests, based on our legitimate interest in ensuring the constant availability of our website.

The location of processing is the European Union and the United States of America (Currently, there is no statement from the European Commission confirming that the USA generally provides an adequate level of data protection. If the level of protection for personal data is not ensured at a level equivalent to the European standard, the transfer of personal data is carried out through appropriate safeguards and based on EU standard contractual clauses for the protection of personal data; an additional safeguard is that personal data processed in connection with Akamai is pseudonymized and therefore especially protected).

The lifespan of the cookies used lasts until the end of the respective session. Personal data collected using these cookies is deleted when it is no longer required for processing.

To read the data processor’s privacy policy, click here: Legal | Akamai.

32.2 Amazon Web Services Inc.

Amazon Web Services (AWS) is a cloud computing service offered by Amazon.com. This service enables companies and organizations to operate IT infrastructure and applications in the cloud.

The provider is Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg (hereinafter referred to as "AWS").

More detailed information can be found here: AWS GDPR Data Processing Addendum – now part of the Service Terms | Amazon Web Services.

Further information about the processing of personal data is available in the AWS Privacy Notice: (Privacy Notice).

The use of the AWS service is subject to your consent (Article 6(1)(a) GDPR). The legal basis for the use of the AWS service is Article 6(1)(f) GDPR. We have a legitimate interest in the reliable presentation of our website. If we have obtained your consent to the processing of personal data, processing takes place exclusively on the basis of Article 6(1)(a) GDPR and Section 25(1) TCDDG (Telecommunications and Telemedia Data Protection Act), if the consent includes the storage of cookies or access to information on the user's device (e.g., scanning fingerprints on the device) under the TCDDG. This consent can be revoked at any time.

32.3 Datadog Inc.

Datadog is a service focused on monitoring real user activity and performance. The data processing serves to analyze these websites and their visitors. On behalf of the operator of this website, Datadog uses the collected information to evaluate website usage, monitor the performance of this website, application screens, user actions, network requests, and the performance of our front-end code, track ongoing errors and issues, and generate reports on website activity.

The data controller is Datadog, Inc. (620 8th Avenue, Floor 45, New York, NY 10018, USA).

Among other things, the following information may be collected:

IP address
Date and time of page visit
User navigation (click path)
Information about the browser and device you use
Visited pages
Referrer URL (website from which you accessed our website)
Location data
Shopping activities

Datadog uses technologies such as cookies, browser web storage, and tracking pixels to analyze your use of the website. The processing of personal data, in particular the setting of cookies, only takes place with your consent. More information about the terms of use and protection of personal data can be found here: Privacy Policy | Datadog.

32.4 New Relic Inc.

New Relic (New Relic, Inc., 188 Spear St. Suite 1200, 94105 San Francisco, USA) is a web service for analyzing website usage. The cookie transfers information, including your IP address, to a New Relic server in the USA. The processing of personal data is based on Art. 6(1)(f) GDPR for the purpose of optimal presentation of our online offering. New Relic uses the stored information to evaluate website usage, compile reports for the website operators, and provide other services related to website and internet usage.

Further information on data protection can be found here: General Privacy Notice.

32.5 Functional Software, Inc.

Functional Software, Inc. (132 Hawthorne Street, San Francisco, California 94107) provides a platform for reporting software errors and failures so that we can retrospectively analyze and improve our website. Please note that this involves the transfer of personal data to the USA, which is considered a transfer of personal data to a third country. The processing of personal data is carried out in accordance with the provisions of Article 6(1)(f) GDPR.

Information about the protection of personal data can be found at the following link: Privacy Policy 3.3.1 (May 31, 2024).

32.6 Cloudflare, Inc.

Use of Cloudflare

This website uses a so-called Content Delivery Network (“CDN”) provided by the technology service provider Cloudflare Inc., 101 Townsend St. San Francisco, CA 94107, USA (“Cloudflare”). A Content Delivery Network is an online service that helps deliver large media files (such as graphics, page content, or scripts) via a network of regionally distributed and internet-connected servers. The use of Cloudflare’s CDN helps optimize the loading speeds of this website and contributes to improving performance and stability.

For this purpose, personal data may be processed in Cloudflare’s server log files. Cloudflare also collects statistical data about visits to this website. The data collected includes:

Name of the requested website, requested file and URL
Date and time of the request
Amount of data transferred
HTTP status code (e.g., 200, 404)
Browser type, version, and language settings
Operating system and its version
Referrer URL
IP address of the requesting device
Requesting provider
Geographical location data
Information about security risks (e.g., suspicious activities or bot detection)
TLS/SSL information for secure connection

The data processing agreement is based on the Standard Contractual Clauses, which can be found here: https://www.cloudflare.com/cloudflare-customer-scc/

Further information about Cloudflare’s privacy policies is available here: Privacy Policy | Cloudflare.

The company is certified under the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA to ensure compliance with European data protection standards when processing data in the USA. Every company certified under the DPF commits to adhere to these data protection standards. More information is available from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnZKAA0&status=Active

Additional information regarding the use of Cloudflare Turnstile:

Cloudflare Turnstile is used to verify whether data entry on this website is performed by a human or by an automated program. To do this, Turnstile analyzes the behavior of the website visitor based on various characteristics.

This analysis begins automatically as soon as the visitor enters a website with Turnstile enabled. Turnstile evaluates various information for the analysis (e.g., IP address, duration of the visitor’s stay on the website, or mouse movements made by the user).

The data collected during this analysis is transmitted to Cloudflare.

The data transfer between your browser and our servers is analyzed on Cloudflare’s servers to prevent attacks. Cloudflare uses cookies to enable your access to our website. The use of Cloudflare Turnstile is in the interest of the secure use of our online presence and the defense against harmful external attacks. The storage and analysis of the data is based on Art. 6(1)(f) GDPR and § 25(2) no. 2 TDDDG.

This site uses the map service Google Maps. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

To use the functions of Google Maps, it is necessary to store your IP address. This information is usually transmitted to a Google server in the USA and stored there. The provider of this site has no influence over this data transmission. When Google Maps is activated, Google may use Google Web Fonts for the uniform presentation of fonts. When accessing Google Maps, your browser loads the required web fonts into your browser cache to display texts and fonts correctly.

The use of Google Maps is in the interest of an appealing presentation of our physical stores and easy findability of the locations we list on the website. This constitutes a legitimate interest within the meaning of Art. 6(1)(f) GDPR. If an appropriate consent has been requested, the processing takes place exclusively on the basis of Art. 6(1)(a) GDPR; consent can be revoked at any time.

The data transfer to the USA is based on the Standard Contractual Clauses of the EU Commission. Details can be found here:

Google Maps/Earth Additional Terms of Service – Google

More information on handling user data can be found in Google’s privacy policy: Privacy Policy – Privacy & Terms – Google

34. RTB House

Below you will find a notice that is published in the customer’s privacy policy regarding the processing of personal data by RTB House for the purpose of conducting online advertising campaigns on your behalf.

“For the execution of personalized advertising campaigns, Buffalo Boots GmbH processes certain data about users’ online activities on this website. This data may include: online identifiers (e.g., cookie ID / mobile advertising ID), information about specific pages visited, products viewed or added to the cart along with timestamps, and purchased products, as well as technical device and browser details. Buffalo Boots GmbH commissions RTB House GmbH, an advertising technology company, as a third-party processor to carry out advertising campaigns based on this data and to display personalized ads to users. Insofar as this data constitutes ‘personal data’ under the GDPR, Buffalo Boots GmbH acts as the controller and RTB House GmbH as the processor. Further information about RTB House retargeting technology can be found here: https://www.rtbhouse.com/privacy-center/.”

Please note that in addition to including the above information in your privacy policy, you must also comply with all obligations arising from applicable laws to ensure the legality of the collection, processing, and sharing of user data. These include in particular:

Obtaining valid user consent for storing and accessing information on the user’s device using cookie-based or other tracking technologies (in accordance with the ePrivacy Directive);
Securing a valid legal basis for processing the personal data collected through such tracking technologies on the website for the purpose of later personalizing advertising, including the creation of a personalized advertising profile, as well as for sharing this data with RTB House as a processor for the aforementioned purposes (in accordance with Article 6 GDPR);
Properly informing the users of your website about the specific aspects of the processing of their data (in accordance with Article 13 GDPR).

In view of the above obligations, we strongly recommend that you consult a professional law firm to create or review your website notices and privacy policies, and to closely monitor the application of data protection laws to online advertising in your jurisdiction, especially through your local supervisory authorities.4. Please also note that your company can be integrated into the IAB Transparency & Consent Framework (TCF) via a registered Consent Management Platform (CMP) to facilitate obtaining a valid legal basis for processing personal data for the purpose of ad personalization. More information about the IAB TCF initiative and its benefits for website operators can be found at: https://advertisingconsent.eu/publishers/

The legal basis for this data processing is your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR and § 25 para. 1 sentence 1 TDDDG, which you can revoke at any time 35. Use of AWIN Buffalo Boots GmbH processes your personal data to conduct affiliate marketing campaigns. This allows us to track which third-party operators of websites, apps, and other technologies have referred potential customers to our websites and apps, and we can pay them a commission in return for these referrals. We do this based on our legitimate interest in conducting a performance-based online advertising campaign. We work with Awin, which supports us in carrying out these affiliate marketing campaigns. You can find Awin’s privacy policies here, which contain information about your rights regarding data processing by Awin. In some cases, Awin may create a limited profile related to you, but that does not allow conclusions about your identity, online behavior, or other personal characteristics. This profile is only used to understand whether a referral was started on one device and completed on another. In some cases, Awin and the referrers of potential customers receive and process your personal data for the purpose of conducting affiliate marketing campaigns with us. We also receive from Awin and the referrers personal data which can be categorized as follows: cookie data, data related to the website, app, or other technology from which a potential customer was referred, and technical information relating to your device or an individually assigned ID for your transaction that Awin can assign to the aforementioned data in its system. You may revoke your consent in accordance with the information under section 8.

36. Use of Clarity

The tool Clarity is used on this website to gain insights into user behavior and to optimize the user experience. Clarity is an analysis and diagnostic tool from Microsoft that provides detailed information about user behavior by collecting data on interactions on the website. This includes, among other things, clicks, scroll behavior, and duration of stay.

Clarity does not collect personal data but anonymizes it before processing. The collected information is used solely for analysis and optimization purposes. The processing of the data is based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR to improve the functionality and user-friendliness of our website.

Further information about data usage by Clarity and the privacy policy can be found on the official Microsoft Clarity website. You also have the option to disable the processing of your data by Clarity via appropriate settings in your browser or by withdrawing your consent.