We have noticed that you are shopping from the USWould you like to switch to our US Shopping experience?

Privacy policy

We, the Carrera Toys GmbH ("Carrera/we"), are pleased about your visit to our website. In the following provisions, we inform you about the type, scope and purpose of the collection and use of your personal data on this website and in the context of the services offered by us.

Personal data is any information relating to an identified or identifiable natural person. This includes, in particular, your name, address and e-mail address.

Please read the Privacy Policy carefully before using this website. We reserve the right to adapt parts of this privacy policy at our own discretion and as required by law. Therefore, please check this privacy policy regularly for changes.

1. Data processing to enable the use of the website

Each time content on our website is accessed, connection data is transmitted to our web server. This connection data includes:

IP address (Internet Protocol address) of the respective users,
date and time of the request,
the referrer URL,
such as UDID (Unique Device Identifier) and comparable device numbers, device information (e.g. device type) as well as
the browser type/version.

This connection data is not used to

draw conclusions about the person of the user or merged with data from other data sources, but is used to provide the website. The legal basis for the processing of your data is Art. 6 Para. 1 S. 1 lit. f GDPR. After 7 days at the latest, the data is anonymized by shortening the IP address at domain level.

2. Data processing on request

As a rule, it is possible to use our website without providing personal data. You are neither obliged to access this website nor to provide any personal data. However, the provision of personal data is necessary, for example, for the receipt of newsletters or in the case of registration. If you do not provide us with personal data for the purposes listed below, you may not be able to use the functionalities of this website or individual services.

2.1. Dealer service "B2B Portal"

If you register with us as a dealer and use the dealer service or the B2B portal on our website, your details will be processed by us for this purpose. Details on the B2B portal can be found in the instructions in our portal under https://carrera-toys.com/dealer-portal.

The processing of your personal data is carried out on the basis of Art. 6 para. 1 p. 1 lit. b DSGVO.

2.2. Newsletter

If you have expressly consented, you will receive our newsletter. To receive our newsletter, it is sufficient to provide your e-mail address. The entry of any additional information about you is voluntary, marked accordingly (*) and serves only to personalize the newsletter for you.

To subscribe to our newsletter, we use the so-called double opt-in procedure. This means that after you have registered, we will send you an e-mail to the e-mail address provided, in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month.

The processing of your personal data takes place on the basis of your consent in accordance with Art. 6 para. 1 p. 1 lit. a DSGVO. There is no legal or contractual obligation to provide personal data. The only consequence of non-consent is that you will not receive an e-mail newsletter. You can revoke your consent at any time with effect for the future. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. For the exercise of the revocation there is a link at the end of each newsletter. Alternatively, you can revoke your consent at any time, e.g. by sending an e-mail to shop@carrera-toys.com.

When you register for a newsletter, we also store your IP address and the time of registration in order to be able to fulfil our legal documentation obligation. The legal basis for data processing in this case is Art. 6 Para. 1 S. 1 lit. c GDPR.

2.3. Registration as a customer

If you would like to register with us as a customer, we will collect the necessary mandatory information from you (name, country, e-mail address, password), which are marked accordingly (*). The entry of any additional information about you is voluntary.

Registration is not necessary, but will make the ordering process easier for future orders, as you can reuse the data you have already saved. Alternatively, you can place an order as a guest. In this case, we collect the same data from you, with the exception of a password, as when you registered. However, this data is not stored in a customer account for you, so you do not have access to a customer account.

After registration, you can log in by entering your e-mail address and password. Please always make sure to log out before leaving the website.

When using a password, please take appropriate security measures. For example, a password should be at least 8 characters long and, if possible, always consist of a combination of letters in upper and lower case, numbers and special characters. In this respect, trivial passwords such as "ABC" or keyboard sequences (e.g. "qwert" or "asdfgh"), all kinds of names (e.g. friends, acquaintances, colleagues, family members, pets), city and building names, cartoon characters, car brands, license plates, terms, dates of birth, telephone numbers, common abbreviations, etc. are problematic.

The processing of your personal data is based on your consent in accordance with Art. 6 para. 1 p. 1 lit. a DSGVO. Please note that in the event of a revocation, any bonus points collected will be forfeited without replacement.

In addition, your IP address and the time of registration will be stored by us as part of the registration process. This is necessary to ensure the security of our information technology systems. In this case, the legal basis for the processing of your data is Art. 6 Para. 1 S. 1 lit. f GDPR.

2.4. Login

If you are registered as a customer, you have access to your customer account via the login function on this website. The login is done by entering your e-mail address and password.

Login data must be kept strictly secret. If a transfer has nevertheless taken place, for example to enable access to certain databases by third parties in an emergency, the password must be changed immediately. For your own protection, it is prohibited to reuse passwords that have already been used.

In addition, your IP address and the time of access will be stored by us as part of a login. This is necessary to ensure the security of our information technology systems.

Each time we log in, we also set a session cookie. This session cookie prevents automatic logout during active use of the account or related services. After logging out, the session cookie is automatically deleted within a few minutes.

The legal basis for the processing of your data is Art. 6 para. 1 p. 1 lit. f GDPR and,

if your contractual relationship is concerned, Art. 6 para. 1 p. 1 lit. b and/or f GDPR.

2.5. Wish list

If you, as a customer (see para. 2.4. f.) If you are logged in, you can add individual products from the shop to your wish list. Until the time you unsubscribe, you will be able to access this wishlist and see all the products you have added there. In this case, the legal basis for the processing of your data is Art. 6 Para. 1 S. 1 lit. f GDPR. When you unsubscribe as a customer, the wish list is automatically deleted.

2.6. Ordering in the shop

When you place an order with us, we process the following data from you:

Registration data from the customer account or Your guest data,
Purchase data (order/shopping cart),
Payment data (payment method, account and credit card details, billing addresses)

The processing of your personal data is carried out on the basis of Art. 6 para. 1 p. 1 lit. b DSGVO.

2.7. Competitions

If you would like to participate in a competition offered by us via the website, you must first create an account. The provision of your data is necessary for the purpose of carrying out the competition. After completion of the competition, this data or the account will be deleted, provided that there are no legal obligations to retain it.

The processing of your personal data takes place on the basis of your consent in accordance with Art. 6 para. 1 p. 1 lit. a DSGVO. There is no legal or contractual obligation to provide personal data. The only consequence of non-consent is that you will not be able to participate in the competition. You can revoke your consent at any time with effect for the future. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

3. Carrera Club

For our Carrera Club, we provide a separate club area on our website. The data processing in connection with our Carrera Club is described in the following paragraphs.

3.1. Registration as a Carrera Club member

If you would like to register with us as a club member, you must first order a membership in our online shop. We will then collect the necessary mandatory information (name, address, e-mail address, password) from you to set up your member account so that you can take advantage of the club benefits.

After registration, the login is done by entering your club username and password via the club area on our website. Please always make sure to log out before leaving the website.

The processing of your personal data is carried out for the fulfilment of the contract. The legal basis is Art. 6 Para. 1 S. 1 lit. b GDPR.

3.2 Login

If you are a club member, you have the option of using the login function on this website to access separate information or functionalities in our club area.

In addition, your IP address and the time of access will be stored by us as part of a login. This is necessary to ensure the security of our information technology systems.

The legal basis for the processing of your data is Art. 6 para. 1 p. 1 lit.

f GDPR and, if your contractual relationship is concerned, Art. 6 para. 1 p. 1 lit. b GDPR.

3.3 Member account

If you have purchased a club membership, a member account will be created for you, which can be viewed by other club members. You can use the settings to select which information about you should be visible to other club members.

If you already have a customer account in accordance with Section 2.3 et seq., the data from your previous customer account will be linked to your member account. This allows you to take advantage of the club benefits when ordering in our online shop.

The legal basis for the processing of your personal data is Art. 6 para. 1 p. 1 lit. b GDPR.

3.4 Communication with other club members/club forum

As a club member, you have the opportunity to get in touch with other club members via chat in our club forum. The content of your posts in the forum (text, photos or videos) as well as your username are only visible to other club members and the administrators of Carrera. In this respect, the club forum is a closed area that is moderated and administered by Carrera. The legal basis for the processing of your personal data is Art. 6 Para. 1 S. 1 lit. b GDPR.

If posts within the forum are also of interest to other customers of Carrera, Carrera will ask the club member who published the post and ask for consent to the publication of the post on Carrera's social media pages, among other things. The processing of your personal data is then carried out on the basis of your express consent in accordance with Art. 6 Para. 1 S. 1 lit. a GDPR.

Or is there other data besides the username that can be viewed by the other members?

Since our forum system is not yet finalized, we cannot answer this question 100% yet. However, there will certainly be other information that can be viewed by other users, such as date of accession, number of posts, possibly date of birth, etc. We will provide the final information in the next few weeks.

3.5 Payment for Club Membership

For payment processing, we use the services of the service provider Stripe Payments Europe Limited, an Irish company based at The One Building, Lower Grand Canal St, Dublin 2, Ireland ("Stripe"). The payment data you enter will be transmitted to Stripe. As part of the use of Stripe, personal data may be transmitted to Stripe, Inc., 354 Oyster Point Boulevard, South San Francisco, California, 94080 in the USA. In the event that data is transferred to Stripe Inc., an adequate level of data protection is guaranteed by the conclusion of the new so-called EU standard data protection clauses. Further information on Stripe's data protection can be found on the following website: https://stripe.com/de/privacy.

In addition, please note the separate data protection regulations of the payment methods you have selected.

Klarna: https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_de/privacy

VISA: www.visaeurope.com

MasterCard: https://www.mastercard.de/de-de.html

3.6 Club Newsletter

If you have

expressly consented to receive our club newsletter, you will regularly receive information about news in the club, sales of new products, etc. to the e-mail address you have provided.

To receive it, it is sufficient to provide your e-mail address. The additional voluntary information about you is only used to personalize the newsletter for you.

To register for the newsletter, we use the so-called double opt-in procedure. This means that after you have registered, we will send you an e-mail to the e-mail address provided, in which we ask you to confirm that you wish to receive or receive the newsletter. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month

The processing of your personal data takes place on the basis of your express consent in accordance with Art. 6 para. 1 p. 1 lit. a DSGVO.

You can revoke your consent at any time with effect for the future. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. For the exercise of the revocation there is a link at the end of each newsletter. Alternatively, you can revoke your consent at any time, e.g. by sending an e-mail to shop@carrera-toys.com.

In connection with our newsletter, we use the Evalanche service, operated by SC-Networks GmbH, Würmstraße 4, 82319 Starnberg ("Evalanche"). Evalanche is a service that can be used to organize and analyze the sending of newsletters. The e-mail address you provide for the purpose of subscribing to the newsletter will be stored on Evalanche's servers.

Our newsletters sent with Evalanche enable us to analyze the behavior of newsletter recipients via a tracking pixel. Among other things, it can be analyzed how many recipients have opened the newsletter message or how often which link in the newsletter was clicked. We have activated pseudonymised tracking in Evalanche's settings so that it is not possible for us to assign the information collected to your person. Further information on Evalanche's privacy policy can be found at https://help.evalanche.cloud/hc/de/articles/360038742231-Dokumente-zum-Datenschutz-Datenmanagement and in Evalanche's privacy policy: https://www.sc-networks.de/datenschutz/

The legal basis for data processing in connection with the aforementioned analysis is based on your consent, based on § 25 para. 1 sentence 1 TTDSG for the storage and access to information in terminal equipment and Art. 6 para. 1 sentence 1 lit. a DSGVO for our further processing of your data. You can revoke your consent at any time separately via e-mail to shop@carrera-toys.com.

4. Data processing for the needs-based design of the website and tracking

In order to make the use of our website as pleasant as possible for you, we use so-called web tracking systems. Cookies are usually used for this purpose, i.e. small text files that are sent from a web server to your browser and stored on your computer's hard drive. This enables us to recognize the device you are using when using our shop. In this way, it is possible for us to determine, for example, whether you are logged in, have an active shopping cart and what content the shopping cart has. The session cookies used for the use of the shop are deleted after the end of the browser session. Other cookies remain on your device and enable us to recognize your device on your next visit.

Most browsers are set to automatically accept cookies. You can deactivate the storage of cookies in your browser and have the option of deleting them from your hard drive at any time. However, you can also use your browser to prevent only certain cookies from being set (e.g. third-party cookies), for example if you want to prevent web tracking. You can find more information on this in the help function of your browser.

We would also like to point out that you can also install a plugin in your browser to protect your privacy, which offers the possibility to prevent tracking - e.g. AdBlock, Ghostery or NoScript (please note the privacy policy of the respective plugin provider).

Finally, we would like to point out that if cookies are deactivated, it may not be possible to use all functions of this website to their full extent. Please also note that deactivation may have to be made for each browser and for each device.

Details of the

cookies used on the website can be found in the cookie banner as well as in the following provisions. The legal basis for the processing of your data follows, as far as in the following provisions in para. 4.1. et seq. not deviated from Art. 6 Para. 1 S. 1 lit. f GDPR. Our legitimate interest lies in the needs-based design of the website.

4.1 Cookie consent with Cookiebot

In order to be able to administer your consent to the use of tracking tools, we use the cookie consent technology "Cookiebot". The provider of this technology is Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark, website: https://www.cookiebot.com/de/ ("Usercentrics")). In this context, in addition to the connection data, the granting or refusal of your consent or the revocation of consent will be transferred to Usercentrics. In order to be able to make the corresponding assignment, Usercentrics also sets a cookie in your browser.

Cookiebot is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 Para. 1 S. 1 lit. c GDPR.

4.2. Google Analytics Universal

Our website uses the tracking tool "Google Analytics". This is a service provided by Google Ireland Limited, a company incorporated and operated under the laws of Ireland, whose registered office is at Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). This tracking tool helps us to make the website more interesting for you and to improve the user experience. Data about the use of our website is stored in pseudonymous user profiles. Cookies may also be used for this purpose. In addition, data from different devices, sessions and interactions can be linked to a so-called "User ID". The information generated is usually transmitted to a Google server in the USA and stored there. We would like to point out that on our website Google Analytics has been extended by the "anonymizeIp" function. As a result, your IP address will first be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area and only then transmitted to a Google server in the USA.

The shortening of the IP address represents an additional measure pursuant to Art. 25 (1) GDPR to protect users, but it does not lead to the complete data processing being carried out anonymously. For example, when using Google Analytics, in addition to the IP address, other usage data is also collected, which is to be evaluated as personal data, such as identification features of the individual users, which also allow a link, for example, to an existing Google account.

On our behalf, Google will use the information received to evaluate your use of our website, to compile reports on website activity and to provide us with other services related to website activity and internet usage. The pseudonymised user profiles will not be merged with personal data about the bearer of the pseudonym without separate consent.

For more information about Google Analytics, please visit:

https://support.google.com/analytics/answer/2790010?hl=de

Please note that Google also has independent access to your data collected via Google Analytics and can also use this data for its own purposes. For example, Google can link this data with other data about you, such as your search history, personal account, usage data from other devices and any other data that Google has about you.

The legal basis for the use of Google Analytics is your consent, based on § 25 para. 1 p. 1 TTDSG for the storage and access to information in terminal equipment and Art. 6 para. 1 p. 1 lit. a DSGVO for our further processing of your data. You give your consent via our cookie banner. Please note that Google is a company from the USA. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. The new EU standard data protection clauses have been agreed as appropriate safeguards to ensure an adequate level of protection during data transfers.

4.3 Google Analytics 4

Our website uses the tracking tool "Google Analytics". This is a service provided by Google Ireland Limited, a company incorporated and operated under the laws of Ireland with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter "Google"). This tracking tool helps us to make the website more interesting for you and to improve the user experience. Data about the use of our website is stored in pseudonymous user profiles. Cookies may also be used for this purpose. In addition, data from different devices, sessions and interactions can be linked to a so-called "User ID". The information generated is usually first sent to a Google server within the EU.

By default, Google provides for automatic anonymization of users' IP addresses as early as the collection of user data. In addition, the IP addresses are neither logged nor stored by Google. However, the shortening of the IP addresses does not mean that the complete data processing is carried out anonymously. For example, when Google Analytics is used, usage data is collected that is to be evaluated as personal data, such as identifying features of the individual users, which also allow a link to an existing Google account, for example.

On our behalf, Google will use the information obtained via Google Analytics to evaluate your use of our website, to compile reports on website activity and to provide us with other services related to website activity and internet usage. The pseudonymised user profiles will not be merged with personal data about the bearer of the pseudonym without separate consent.

For more information about Google Analytics, please visit:

https://support.google.com/analytics/answer/12017362

4.4. YouTube

Our website uses plugins from YouTube, which is operated by Google. If you visit one of our websites equipped with a YouTube plugin and actively click on the corresponding field, a connection to YouTube's servers will be established. In doing so, the YouTube server is informed which of our websites you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.

The legal basis for the use of YouTube is your consent, based on § 25 para. 1 p. 1 TTDSG for the storage and access to information in terminal equipment and Art. 6 para. 1 p. 1 lit. a DSGVO for our further processing of your data. You give your consent via our cookie banner. Please note that the provider is a company from the USA. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. If you still wish to consent to the use of this tool, you can choose to do so via the cookie banner.

For more information on how to handle user data, please refer to YouTube's privacy policy at: https://www.google.de/intl/de/policies/privacy.

4.5. Google Tag Manager

We use the Google Tag Manager "GTM". Through this service from Google, website tags can be managed via an interface. However, the GTM only implements tags. In this respect, no cookies are used. The GTM only triggers other tags, which in turn may collect data, but the GTM does not access this data. The data is evaluated exclusively in the respective tool (see in detail the data described in para. 4 listed tools). However, the GTM collects your IP address as well as the online identifiers (including cookie identifiers), which may also be transmitted to Google in the USA. Additional information on GTM can be found under https://support.google.com/tagmanager/answer/6102821?hl=de

The legal basis for the use of GTM is your consent, based on § 25 para. 1 p. 1 TTDSG for the storage and access to information in terminal equipment and Art. 6 para. 1 p. 1 lit. a DSGVO for our further processing of your data. You give your consent via our cookie banner. Please note that the provider is a company from the USA. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. The new EU standard data protection clauses have been agreed as appropriate safeguards to ensure an adequate level of protection during data transfers.

4.6. Address Validation

To reduce delivery errors, we use Google's Address Validation API. The Address Validation API can be used to determine whether an entered address refers to a real location or contains errors. For this purpose, your IP address and the content you enter in the address field will be transmitted to Google. If, for example, the address entered is incomplete, a correction recommendation is made via the Address Validation API, which you can accept. Alternatively, you will be asked to correct the address you entered.

The legal basis for the use of the Address Validation API is your consent, based on § 25 para. 1 p. 1 TTDSG for the storage and access to information in terminal equipment and Art. 6 para. 1 p. 1 lit. a DSGVO for our further processing of your data. You give your consent via our cookie banner. Please note that the provider is a company from the USA. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. The new EU standard data protection clauses have been agreed as appropriate safeguards to ensure an adequate level of protection during data transfers.

4.7. AWIN

We have integrated "AWIN" on our website. AWIN is an affiliate marketing software from AWIN AG, Eichhornstraße 3, 10785 Berlin, Germany. AWIN allows registered providers ("advertisers") to advertise their online goods and services within the framework of programs. For this purpose, the persons registered with AWIN (so-called "publishers") make their advertising space, such as websites, available to the "advertisers". We are registered with AWIN as a "publisher", i.e. we provide the "advertisers" with advertising space (through links) on our website.

As part of its tracking services, AWIN stores cookies on end devices of users who visit or use websites or other online offers of advertisers (e.g. when placing an online order) to document transactions. These cookies serve the sole purpose of correctly assigning the success of an advertising medium and the corresponding billing within the network. In the AWIN tracking cookies, an individual sequence of digits is stored, but cannot be assigned to the individual user, with which the affiliate program of an advertiser, the publishers and the time of the user's action (click or view) are documented. In doing so, AWIN also collects information about the end device from which an action is performed, e.g. the operating system and the browser.

The legal basis for the use of AWIN is your consent, based on § 25 para. 1 p. 1 TTDSG for the storage and access to information in terminal equipment and Art. 6 para. 1 p. 1 lit. a DSGVO for our further processing of your data. You give your consent via our cookie banner.

For more information about AWIN's use of data, please refer to the company's privacy policy: https://www.awin.com/de/rechtliches

4.8. Country.is

In order to be able to redirect the user to the appropriate webshop (e.g. the US webshop) from us, we use the so-called geo-localization of "Country.is". Country.is is an open-source geolocation API that determines a user's country (and nothing else) based on their IP address. IP-based geolocation is the mapping of an IP address or MAC address to the real geographic location of an Internet-connected computer or mobile device. Geolocation is the process of assigning IP addresses to the country, region (city), latitude/longitude, ISP, and domain name, among other things. On this basis, the user is automatically redirected to the webshop that suits him or her locally.

4.9. Azure Content Delivery Network

On our website we use "Azur Content Delivery Network" from Microsoft, a service of Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

With Azur Content Delivery Network, we can reduce load times and improve performance for our high-bandwidth site content by distributing user requests and serving them directly from Microsoft servers. When you access website content, you connect to Microsoft servers, whereby your IP address and, if applicable, browser data such as your user agent, but also the time and date of your visit to the website are transmitted. This data is processed exclusively for the purposes mentioned above and to maintain the security and functionality of Azur Content Delivery Network. The specific storage period of the processed data cannot be influenced by us, but is specified by Microsoft. Additional information can be found at: https://azure.microsoft.com/de-de/support/legal/.

The legal basis for the use of Azur Content Delivery Network is your consent, based on § 25 para. 1 p. 1 TTDSG for the storage and access to information in terminal equipment and Art. 6 para. 1 p. 1 lit. a DSGVO for our further processing of your data. You give your consent via our cookie banner. Please note that the provider is a company from the USA. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. The new EU standard data protection clauses have been agreed as appropriate safeguards to ensure an adequate level of protection during data transfers.

4.10. Findologic

On our website, we use the service of Findologic GmbH, Jakob-Haringer-Str. 5a, 5020 Salzburg ("Findologic") to provide a search function for our articles as well as for navigation. For the aforementioned service, cookies are used and various data are transferred to Findologic. This includes, in particular, the IP address and browser data of the users as well as the associated behavioral data resulting from the search queries. On the one hand, this allows us to optimize the shopping experience for our users and, on the other hand, to better understand which products our users are most interested in. Further information on Findologic's privacy policy can be found at: https://findologic.com/datenschutz/

The legal basis for the use of Findologic is your consent, based on § 25 para. 1 p. 1 TTDSG for the storage and access to information in terminal equipment and Art. 6 para. 1 p. 1 lit. a DSGVO for our further processing of your data. You give your consent via our cookie banner.

4.11. Facebook Pixel

The so-called "meta-pixel" is an invisible meta-pixel integrated on our website, which is used to analyze the online behavior of each website visitor by Meta Platforms Ireland Limited (formerly Facebook Ireland Limited), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta"). The Meta Pixel makes it possible to transmit customer data such as first name, last name, e-mail address, etc. to Facebook and enrich it with existing tracking data. This makes it possible to collect data from non-Facebook users or to record users who are not logged in to Facebook while visiting a website. As a result, website visitors are tracked via Meta, who deliberately prevent the storage of third-party cookies. For example, if you add a vehicle to the shopping cart and cancel the purchase process, Meta will receive this information. We then have the opportunity to address you specifically on Facebook with an advertisement. However, the Meta Pixel also makes it possible to win new customers in a targeted manner and to address new people who resemble website visitors.

In addition to us, Meta itself is also responsible for data processing. The processing of the data by Meta is carried out in accordance with Meta's data usage policy. For details, see Meta's data usage policy. Specific information and details about the Meta pixel and how it works can be found in Meta's help section.

In this respect, we are jointly responsible with Meta within the meaning of Art. 26 GDPR for the processing of your personal data. In this case, you can in principle assert your rights (see section 11) both against us and against Meta. However, Meta serves as the first point of contact. We have entered into an agreement with Meta on joint responsibility for the processing of personal data. You can view them at the following link: https://www.facebook.com/legal/controller_addendum.

The legal basis for the use of the Meta-Pixel is your consent, based on § 25 para. 1 p. 1 TTDSG for the storage and access to information in terminal equipment and Art. 6 para. 1 p. 1 lit. a DSGVO for our further processing of your data. You give your consent via our cookie banner. Please note that Meta is a company from the USA. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. In the event that data is transferred to Meta Platforms Inc. in the USA, the new standard data protection clauses have been agreed between Meta Platforms Ireland Limited and Meta Platforms Inc.

5. Links to other websites

Our website contains links to other websites such as the Carrera Club website or to social networks (Facebook, YouTube, Instagram). These websites are operated partly by us and partly by third parties. If you follow the links, information may be transmitted to these third parties in the latter case. The purpose and scope of the data collection by the websites of third parties as well as the further processing and use of your data there, as well as your rights in this regard and setting options for the protection of your privacy, can be found in the respective data protection notices of the operators.

6. Data transfer

We only pass on your personal data to third parties or other recipients if this is necessary for the provision of services, if you have given your consent, if there is a legal obligation or if the data transfer is permitted on the basis of another legal basis. Data is passed on, for example, to the respective payment or shipping service provider, service providers for the provision of marketing services (e.g. e-mail marketing), technical service providers or - in the case of a corporate transaction - to interested parties/buyers, etc. If necessary, we have concluded agreements with the recipients of your data on order processing in accordance with Art. 28 GDPR.

Please also note the separate data protection regulations of the payment methods.

Klarna: https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_de/privacy

VISA: www.visaeurope.com

MasterCard: https://www.mastercard.de/de-de.html

Stripe: https://stripe.com/de/privacy

7. Social media appearances

7.1. Data processing by Carrera and legal basis

Our social media presences (Facebook, Twitter, YouTube, LinkedIn, Xing and Instagram) serve the purpose of informing you about Carrera as well as about new developments, services and products from us. Depending on the offer of the respective provider, you have the opportunity, for example, for different interactions (comments, recommendations, etc.), e.g. in connection with our social media presence. User interaction is an important criterion for us in order to conduct targeted marketing. For example, we can determine which posts are read preferentially. We therefore also use the statistics determined by the providers in this regard for our own purposes. If we process personal data of the users, the legal basis for this is Art. 6 Para. 1 S. 1 lit. f GDPR. Our legitimate interest then consists in particular in targeted information / advertising. You will be informed separately by the providers about the legal basis on the basis of which the providers process your data for their own purposes.

7.2. Shared responsibility

In individual cases, we are jointly responsible with the social media providers for the processing of your personal data. In this case, you can assert your rights (see section 11) both against us and against .dem social media provider. However, the first point of contact is the social media provider.

We have entered into an agreement with Meta (formerly Facebook) on joint responsibility for the processing of personal data. This applies with regard to the processing of so-called "insights data". These are page statistics, in particular on the interactions of Facebook users. Details of the Insights data can be found here. You can view our agreement with Meta at the following link.

Please note that Meta also processes your data outside the EU/EEA. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes.

With regard to the storage period of the data processed by us for our own purposes, we refer to our explanations under para. 9. In all other respects, please note the data protection regulations of the respective social media provider.

8. Data transfer to countries outside the EU

To the extent necessary for our purposes, we also transfer your data to recipients outside the EU if you have given your consent, there is a legal obligation or the data transfer is permitted on the basis of another legal basis. As part of data processing, your data will also be transmitted to recipients based in the USA. Please note, however, that according to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain conditions, your data may be processed by US authorities for control and monitoring purposes. Incidentally, with regard to the legal basis for the transfer of data, we first refer to Art. 49 GDPR. An adequate level of data protection will be ensured in the future by concluding the new so-called EU standard data protection clauses.

9. Duration for which personal data will be stored / criteria for determining the duration

In principle, your personal data will be stored by us for as long as it is necessary for the aforementioned purposes of processing, in the event of an objection there are no compelling reasons worthy of protection on the part of Carrera to the contrary or in the event of a revocation there is no other legal basis for the data processing.

However, in certain cases, e.g. if there is a legal obligation to retain data, your personal data will not be deleted immediately, but will initially be blocked.

10. Security measures to protect your personal data

We protect your data from unauthorized access, loss or destruction through technical and organizational measures. Our security measures are continuously improved in line with technological developments. Our employees and all persons involved in data processing are obliged to comply with data protection laws and the confidential handling of personal data. Our employees are trained accordingly.

To protect the personal data of our users, we use a secure online transmission method, the so-called "Secure Socket Layer" (SSL) transmission. You can recognize this by the fact that an "s" ("https://") or a green, closed lock symbol is http:// attached to the address component. By clicking on the icon, you will receive information about the SSL certificate used. The display of the symbol depends on the browser version you are using. SSL encryption ensures the encrypted and complete transmission of your data.

11. Your rights

Within the framework of the legal requirements, you are generally entitled to

confirmation as to whether personal data concerning you are being processed by Carrera,
information about this data and the circumstances of the processing,
Correction if this data is incorrect,
Deletion, insofar as there is no justification for the processing and no obligation to store it,
restriction of processing in special cases determined by law,
Objection in the case of data processing on the basis of Art. 6 para. 1 p. 1 lit. f. GDPR and
Transmission of your personal data – if you have provided it – to you or a third party in a structured, common and machine-readable format.

Insofar as the processing of your personal data

is based on your consent, you have the right to revoke your consent at any time, with the consequence that the processing of your personal data becomes inadmissible for the future. However, this does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

Please address your specific request in writing or by e-mail to our data protection officer, clearly identifying yourself:

krupna LEGAL

Dr. Karsten Krupna
Drehbahn 7
20354 Hamburg

E-mail: datenschutz@carrera-toys.com

Insofar as we process your data in joint responsibility with third parties within the meaning of Art. 26 GDPR, the third party is centrally responsible for exercising all data subject rights. However, you are at liberty to assert your rights against us.

Finally, we would like to draw your attention to your right to lodge a complaint with the supervisory authority (Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, dsb@dsb.gv.at).

12. No automated individual decision-making

13. Changes to the privacy policy

New legal requirements, business decisions or technical developments may require changes to our privacy policy. The privacy policy will then be adapted accordingly. You can always find the latest version on our website.

Status: 21.06.2023