Privacy Policy

The security of your privacy and personal data is important to us. This Privacy Policy ('Policy') provides an overview of how the operator of www.tomshot360.com, including any staff ('we', 'us'), processes your personal data, as well as other important information.

  1. Personal data collected while browsing this website

    1. What we collect

      When you browse this website ('Site') without creating an account or making an order, data is collected and processed, such as:

      1. your IP address,

      2. the webpages and files that you accessed from this Site,

      3. the date and time of access,

      4. the previous website you visited which referred you to this Site if you arrived here through a link and if your device is set up to send this information,

      5. information about your browser and operating system if your device is set up to send this information.

    2. Purpose and legal basis

      This data is usually sent automatically by your device by default and logged by this Site when received. We process this data:

      1. for the purpose of the optimization, maintenance, error logging, and security of this Site,

      2. on the legal basis of our legitimate interests of providing a functional website and ensuring the network and information security of this Site, or on the legal basis of the performance of a contract with you when you search for information about the products that you have previously ordered, or in order to take steps at your request prior to entering into a contract before you place an order.

    3. How long we keep it

      This data:

      1. is automatically deleted after 30 days from the time of your visit,

      2. or in case we experience a problem with this Site, this data is processed until the problem is resolved.

  2. Cookies placed on your device while browsing this website

    1. Strictly necessary cookies

      We use strictly necessary cookies on this Site for it to function properly. These are small files containing settings and data which are stored in your device memory when you browse this Site, for exchange between our Site and your web browser. The cookies that we use are:

      1. 'PHPSESSID' – is a user-input and authentication session cookie which contains a randomly generated, unique string of text assigned to you for the purpose of remembering whether you have added products to the shopping cart, how far you have gone through the checkout process, and remembering if you have logged into your user account.

      2. 'language' – is a user-interface customization session cookie which contains a predefined value, for the purpose of setting the language to display on the Site.

      3. 'currency' – is a user-interface customization session cookie which contains a predefined value, for the purpose of setting the currency to display and to calculate the price of the products in your order.

      4. 'cb_enabled' – is a user-interface customization persistent cookie which contains a predefined value, for the purpose of remembering whether or not you have chosen to close the cookie notification bar. This cookie is only created after you click the "hide" button on the cookie notification bar.

      5. 'google_embedded_content_consent' – is a user-interface customization persistent cookie which contains a predefined value, for the purpose of remembering whether or not you have consented to loading external third party embedded content from external third party Google websites such as YouTube and Street View, and the Google cookies that may come with the content. This cookie is only created after you click the "Load" content button.

    2. Purpose and legal basis

      We process this data:

      1. for the purpose of making this Site functional for you to browse and place orders, on the legal basis of our legitimate interests to present a functional website,

      2. or on the legal basis of the performance of a contract with you or in order to take steps at your request prior to entering into a contract.

    3. How long cookies are kept

      1. Session cookies are erased when you close your web browser.

      2. The persistent cookies that we use expire after 365 days.

    4. How to delete or object to cookies, and the consequences

      1. You may delete cookies, and object to cookies by disabling the acceptance of cookies through your web browser settings. Refer to your browser instruction manual on how to do this. Here are external third party links to some information about how to control cookies with some common browsers:

        Chrome: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=en

        Microsoft Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09

        Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer

        Apple Safari: https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac

      2. However, if you disable cookies then you will not be able to add items to the shopping cart, submit an order, or log into your user account on this Site.

      3. This Site does not have the ability to detect or respond to a no tracking setting from your web browser.

  3. External third party embedded content from external third party websites

    Some of the webpages on this Site may load external third party embedded content from external third party websites, for the purpose of showing you instruction videos of our products and examples of our projects, on the legal basis of our legitimate interests to explain and present information about our products and services, or on the legal basis of your consent. The embedded content is not loaded onto your device until after you indicate your consent by checkmarking the "I Agree" boxes and clicking the "Load" content buttons, which are located over the area where the embedded content is to be loaded. After you choose to load external third party embedded content, it will then automatically load every time you visit a webpage on this Site which has the embedded content. If you delete or block cookies from your device, then you will need to click these buttons every time you want to load this embedded content. You can indicate a separate consent for third party embedded content which has different third party privacy policies; for example, there would be separate consents for loading content from Google and from Vimeo.

    1. How external third party embedded content works

      1. When you choose to load the external third party embedded content on this Site, the embedded content behaves as if you had directly visited the external third party website from which the embedded content originates. The third party website may store and exchange their third party cookies on your device, and they may collect and process your personal data, whether or not you have started to interact with the embedded content.

      2. The data transmissions through the external third party embedded content are directly between your device and the external third party websites, which we have no control of. This Site does not have access to those data transmissions, so we do not know exactly what personal data the third party websites collect from you, for what purpose they would process your data or what legal basis they have to do so, but we guess that some of their purposes could include analytics, advertising, marketing, and automated decision-making and profiling. You have rights regarding your personal data collected by the external third party websites. Therefore, it is very important that you read the privacy policy of the external third party websites before you choose to load the external third party embedded content.

      3. The external third party websites may also open more connections between your device and other external third party websites controlled by other organizations, which may cause the other organizations to store and exchange their cookies on your device and to collect and process your personal data. Those other external third party websites may also connect you to other external third party websites, and so on and so on. We have no control of this.

      4. We do not share your personal data that we have collected from this Site through the embedded content. When you choose to load the external third party embedded content, this Site does not communicate with the external third party websites where the external content originates from, nor do they communicate with this Site. However, if you choose to load the embedded content, and if your device and browser are set up to automatically send referrer header data, then the third party website may know that you have visited our Site. We have included a meta tag on our Site to request your browser to not send referrer header data to external third party websites, but it is up to your device and browser to decide whether or not to honor our request, and this is out of our control. Please refer to your device and browser instruction manuals for how to disable referrer header data.

      5. Third party cookies from the loading of external third party embedded content

        If you choose to load the external third party embedded content, then the external third party websites where the content originates from may store and exchange their third party cookies on your device. We have no control of these third party cookies. Please refer to the third party website's cookie and privacy policies for more information about these third party cookies. You may delete or object to third party cookies by disabling the acceptance of cookies through your web browser settings. Refer to your browser instruction manual on how to do this. The above section 2(4) has some information about how to control cookies with some common browsers and the consequences of doing so. It may be possible to disable the acceptance of third party cookies from certain websites while allowing cookies from this Site, depending on whether your browser offers this functionality.

        If you do not want to accept the third party cookies, you may also choose not to load the external third party embedded content. In such a case, do not press the "Load" content button. If you have already pressed the button, then you may change your choice by clicking the "I Object or Withdraw My Consent" button in the section below.

      6. YouTube videos and Google Maps Street View virtual tours

        Some of the webpages on this Site may load external third party YouTube video and Google Maps Street View virtual tour embedded content, which originate from external third party Google websites. These contents are products operated by Google LLC ('Google'), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and their various subsidiaries.

        1. If you are logged into your Google or YouTube account when you load the embedded content, the data that they have collected may be associated with your Google or YouTube account.

        2. Google may transfer your personal data to third countries outside of the European Economic Area ('EEA'), and those third countries may or may not have an adequacy decision by the European Commission.

        3. Please refer to the Google privacy policy for more information about the Google cookies and how to delete or object to them, the collection and processing of your personal data by Google, who they share it with, their purposes and legal bases, your rights, how to exercise your rights, transfers to third countries and the safeguards, and how to contact Google.

        4. Google privacy policy - https://policies.google.com/privacy?hl=en

        5. You have the right to object to, or to withdraw your consent to the loading of external third party Google embedded content.

          "I Object or Withdraw My Consent" button: Click this button to exercise this right. The external third party Google embedded content will no longer automatically load, until after you indicate your consent again.

  4. Personal data collected when creating an account, placing an order, or requesting a quote or support

    1. What we collect

      When you enter your billing and shipping details on this Site while creating an account or during the checkout steps, or when you contact us directly by e-mail and other types of electronic communications to request a quote, support, or to place an order, data is processed such as:

      1. your name,

      2. business name only if you provide it to us,

      3. European VAT ID number or other tax number only if you provide it to us,

      4. addresses (e.g. street name, street number, additional text line, post code, city, region or state, country),

      5. e-mail addresses,

      6. telephone number only if you provide it to us or contact us by telephone,

      7. IP addresses if you contact us or place an order through the internet,

      8. the account password if you created a user account,

      9. products purchased and their value including any taxes,

      10. shipping options and their value including any taxes,

      11. currency of the values,

      12. bank account details only if you paid by SEPA transfer or requested refund by SEPA transfer,

      13. payment transaction numbers,

      14. invoice and order numbers,

      15. shipping tracking numbers,

      16. date and times of communications, account creation, ordering, payments and refunds, shipment and delivery.

    2. Purpose and legal basis

      We process this data:

      1. for the purpose of shipping and fulfilling your order,

      2. providing a quote,

      3. providing support or warranty service,

      4. collecting payment, and sending refunds,

      5. updating your account,

      6. on the legal basis of the performance of a contract with you or in order to take steps at your request prior to entering into a contract, for the above points (1) to (5),

      7. and for the purpose of accounting and taxation,

      8. on the legal basis of our legal obligations to keep records, to which we are subject.

    3. How long we keep it

      This data:

      1. is kept for 10 years when processing is based on our legal obligations, or as long as we are legally required,

      2. or is kept for 2 years when processing is not based on our legal obligations, or until it is deleted when we purge unnecessary data from our storage at regular intervals.

    4. Which data is required

      The following data is generally required for you to enter a contract with us:

      1. your name and addresses (e.g. street name, street number, additional text line, post code, city, region or state, country). Without it, we will not be able to take your order and deliver your package.

      2. Your business name and European VAT ID number are only necessary if you want to make an intra-community order as a business with zero VAT using the reverse charge method, with delivery within the European Union ('EU') but outside of Germany. Without these data you will be charged German VAT when delivering within the EU.

      3. Your other tax number is only necessary to enter a contract with us for deliveries to countries outside of the EU when your country requires it for customs clearance. If you give it to us, we will share it with the delivery service provider used to deliver your package. They may use it for customs clearance. Without your other tax number the delivery service provider may contact you for further customs clearance and the delivery may become delayed.

      4. Your e-mail address is necessary to enter a contract with us. It is our primary method of contact with you, and the primary identifier of your account. It is also used as an identifier when collecting payment through PayPal.

      5. Your telephone number is only necessary to enter a contract with us when you select an express courier as your method of shipment. When shipping your package by express courier such as FedEx and UPS, there is a contractual obligation to share your telephone number with them, which can be used to facilitate the timely delivery of your package. Your telephone number is also necessary for customs clearance by the express courier when you want the package to be delivered internationally out of the European Union. On the checkout webpage, you must have selected the checkbox to understand and agree to your telephone number being shared with the express courier. If you did not select the checkbox, then it is not possible for you to submit an order through the checkout webpage. The express courier may use your telephone number to contact you in case they encounter problems with delivery.

  5. Children

    We do not knowingly collect personal data from persons under the age of 16. Persons under the age of 16 must not use this Site or our services.

  6. Who we share personal data with

    1. Web hosting and communications

      Data is processed with our internet related service providers for the purpose of hosting our Site and to facilitate our electronic communications with you, on the legal basis of our legitimate interests of providing a functional website and the performance of a contract with you or in order to take steps at your request prior to entering into a contract. We use internet related service providers such as:

      1. the web hosting provider SiteGround Spain S.L. ('Siteground'), Calle de Prim 19, 28004 Madrid, Spain, or the web hosting provider Serverprofis GmbH ('Serverprofis'), Mondstr. 2-4, 85622 Feldkirchen, Germany, to host this Site, to send your account creation and password reset notifications, and to send order confirmations and updates,

      2. the internet software company Google LLC ('Google'), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, for e-mail and electronic communications and storage using the G Suite group of software.

    2. Delivery service providers

      To deliver your packages, we share personal data with the delivery service provider that you request in your order, or an alternative provider of similar service that we select when the service you requested is not available or is less efficient. The data that we share with them may include your name and addresses (e.g. street name, street number, additional text line, post code, city, region or state, country), business name, European VAT ID number or other tax number, products purchased and their value, shipping options and their value, any taxes, currency of values, invoice and order numbers, and shipping tracking numbers. Your telephone number will also be shared when shipping with express courier. We share this data for the purpose of shipping your order to you, on the legal basis of the performance of a contract with you or in order to take steps at your request prior to entering into a contract. Some of the delivery service providers that we use are:

      1. FedEx Express Germany GmbH, Langer Kornweg 34 k, 65451 Kelsterbach, Germany. Its parent company is FedEx Corporation, 942 Shady Grove Rd S, Memphis, TN 38120, USA ('FedEx')

      2. DPD Deutschland GmbH, Wailandtstraße 1, 63741 Aschaffenburg, Germany ('DPD')

      3. Deutsche Post AG, Charles-de-Gaulle-Straße 20, 53113 Bonn, Germany ('Deutsche Post')

      4. DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany ('DHL')

      5. United Parcel Service Deutschland Sarl & Co. OHG, Görlitzer Straße 1, 41460 Neuss, Germany. Its parent company is United Parcel Service, Inc., 55 Glenlake Parkway, N.E., Atlanta, GA 30328, USA ('UPS')

      The delivery and postal service provider may share personal data with their delivery partners, parcel shops, and drivers in order to deliver your package. They may share personal data with customs offices for customs clearance. Your personal data will also be visible on the outside of the package.

    3. Payment collectors

      1. Most of our payments are collected by PayPal (Europe) Sarl et Cie, S.C.A., 22-24 Boulevard Royal, L-2449, Luxembourg. Its parent company is PayPal Holdings, Inc., 2211 North First Street, San Jose, CA 95131, USA ('PayPal'). When you complete the order on the checkout page and if you selected PayPal as your form of payment, or if we send you a payment request or a refund through PayPal, or if you send us a direct payment through PayPal, your personal data is transmitted electronically to PayPal, for the purpose of collecting your payment to us or to send a refund to you. In such cases, the data that we share with PayPal may include your name and addresses (e.g. street name, street number, additional text line, post code, city, region or state, country), business name, European VAT ID number or other tax number, products purchased and their value, shipping options and their value, any taxes, currency of values, invoice and order numbers, shipping tracking numbers, and telephone number.

      2. We use N26 Bank GmbH, Klosterstr 62, 10179, Berlin, Germany ('N26'), for SEPA transfers. If you send us a SEPA transfer, or if we send you a refund by SEPA transfer, then your personal data is transmitted to N26, for the purpose of collecting your payment to us or to send a refund to you. In such cases, the data that we share with N26 may include your name and addresses (e.g. street name, street number, additional text line, post code, city, region or state, country), business name, the value of your order, currency of values, invoice and order numbers. Intermediary banks facilitating the transfer and your bank may also collect and process your personal data.

      3. The legal basis for the transfer of data to PayPal or N26 is for the performance of a contract with you or in order to take steps at your request prior to entering into a contract.

    4. Accounting and taxation

      We may share personal data with accountants and government tax authorities for accounting and taxation purposes, and with other similar agencies when we have legal obligations to do so or on the legal basis of the performance of a contract with you or in order to take steps at your request prior to entering into a contract.

    5. Referrer header data

      1. Your device and browser may be set up to automatically attach referrer header data when you send an HTTP request to load a new webpage. This means that if you click on an external link on our Site or load external third party embedded content with a destination to or an origin from an external third party website, then that third party website may know that you have visited the webpage on our Site where the link you clicked on was located or where the embedded content was loaded.

      2. We have no control of your device and browser behavior with referrer header data. However, we have included a meta tag on our Site to request your browser to only send referrer header data within our Site when you browse our webpages, and not to send referrer header data about our webpages to third party websites. However, it is up to your device and browser to decide whether or not to honor our request. Please refer to your device and browser instruction manuals about how to disable referrer header data.

  7. Security

    1. Encryption

      Your personal data is encrypted with Secure Sockets Layer technology ('SSL') when we transmit it through the internet. Credit card data is not processed by us, but collected and processed directly by PayPal or Stripe. We secure our Site, other systems, and local storage with measures against loss and unauthorized use.

    2. Your responsibilities

      You should keep your user account password confidential, and for best security, close the web browser and clear the browser cache when you have finished communicating with us or using this Site, particularly if you are using a public device. You should ensure that the software you use to communicate with us has encryption and SSL enabled. You should keep your operating system and web browser up to date with the latest security updates, and use a virus scanner and firewall software.

    3. Notification of a breach

      In case of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, and also notify you if you are affected, unless the breach is unlikely to result in a risk to your rights and freedoms within the meaning of Articles 33 and 34 of the General Data Protection Regulation ('GDPR').

      GDPR - https://eur-lex.europa.eu/eli/reg/2016/679/2016-05-04

  8. Third party privacy policies and transfers of personal data to third countries

    Many of the service providers that we use operate internationally, therefore your personal data may be transferred to third countries outside of the European Economic Area ('EEA'), and those third countries may or may not have an adequacy decision by the European Commission. If those countries do not, then the service providers that transfer personal data to third countries will have an appropriate safeguard within the meaning of Articles 44 to 49 GDPR.

    1. Google

      data processing amendment - https://admin.google.com/terms/apps/6/1/en/dpa_terms.html

      model contractual clauses - https://admin.google.com/terms/apps/1/7/en/mcc_terms.html

      privacy policy - https://policies.google.com/privacy?hl=en

      other terms - https://policies.google.com/terms?hl=en

    2. Siteground

      data processing agreement, standard contractual clauses - https://www.siteground.com/viewtos/data_processing_agreement?scid=3&lang=en

      privacy policy - https://www.siteground.com/viewtos/privacy_policy

      other terms - https://www.siteground.com/terms.htm

    3. Serverprofis

      data processing agreement, information - https://www.serverprofis.de/faq/content/12/88/de/auftragsverarbeitungsvertrag.html

      data processing agreement, must be logged into hosting account to view - https://service.serverprofis.net/dl.php?type=d&id=62

      privacy policy - https://www.serverprofis.de/datenschutz/

    4. UPS

      privacy notice, standard contractual clauses - https://www.ups.com/de/en/help-center/legal-terms-conditions/privacy-notice.page?

    5. FedEx

      privacy notice, model contractual clauses - https://www.fedex.com/en-de/privacy-policy.html

    6. Deutsche Post

      data protection, binding data protection regulations or standard contractual clauses - https://www.deutschepost.de/en/f/footer/data-protection-and-cookies.html

    7. DHL

      privacy notice, standard contractual clauses - https://www.dhl.de/en/toolbar/footer/privacy-notice.html

    8. DPD

      privacy policy - https://www.dpd.com/de/de/datenschutz/

    9. PayPal

      binding corporate rules - https://www.paypal.com/de/webapps/mpp/ua/bcr

      privacy policy - https://www.paypal.com/webapps/mpp/ua/privacy-full

    10. If we travel and work outside the EEA, we may access your personal data remotely or carry your personal data with us on encrypted mobile or data storage devices to continue maintaining this Site, communicate with you, or to fulfill your orders, or if we permanently relocate ourselves outside the EEA in the future, then we will take your personal data with us to continue our business from a new location, on the legal basis for the performance of a contract with you or in order to take steps at your request prior to entering into a contract, or when we have legal obligations to keep records, or for our legitimate interests to provide a functional website. We would have an appropriate safeguard within the meaning of Articles 44 to 49 GDPR.

  9. Your rights

    If you are located in a country of the EEA or another country that is covered by the GDPR, or you are a citizen or resident of those countries, or your country has a similar regulation, then you have the following rights regarding your personal data:

    1. Right of access, Article 15 GDPR

      You have the right to obtain confirmation from us as to whether or not we process your personal data, to receive a copy of the personal data, and other information about how and why we process it, how long we store it, and who we share it with, and other information according to Article 15 GDPR.

    2. Right to rectification, Article 16 GDPR

      You have the right to correct your personal data that is inaccurate or incomplete.

    3. Right to erasure, Article 17 GDPR

      You have the right to obtain from us the erasure of your personal data in certain cases, such as when the personal data is no longer necessary for its original purposes, you withdraw your consent and there is no other legal basis for the data that you consented to, you object to the processing of certain data according to Article 21(1,2) GDPR, the data was processed unlawfully or has to be erased for compliance with a legal obligation, and also in other cases, with some exceptions, as described in Article 17 GDPR.

    4. Right to restriction of processing, Article 18 GDPR

      You have the right to restrict processing of your personal data in certain cases, such as when you contest the accuracy of the data, the processing is unlawful and you oppose its erasure and request restriction instead, when we no longer have a purpose for it but it is required for your establishment, exercise or defense of legal claims, or you have objected to processing according to Article 21(1) GDPR and pending its verification.

    5. Right to data portability, Article 20 GDPR

      You have the right to receive a copy of your personal data which you directly provided to us, if the data was processed by automated means and processing was based on your consent (Article 6(1)(a), Article 9(2)(a) GDPR) or for a contract with you (Article 6(1)(b) GDPR), and to receive it in a structured, commonly used and machine-readable format and have it transmitted to another controller.

    6. Right to object, Article 21 GDPR

      You have the right to object to the processing of your personal data which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions, such as when we process it for our legitimate interests, with some exceptions as described in Article 21 GDPR. Where personal data is processed for direct marketing purposes, you have the right to object at any time to such marketing, which includes profiling to the extent that it is related to such direct marketing.

    7. Right to withdraw consent, Article 7(3) GDPR

      You have the right at any time to withdraw your consent to the processing of your personal data which is processed based on that consent.

    8. Right to lodge a complaint, Article 77 GDPR

      You have the right to lodge a complaint with your local supervisory authority and the German supervisory authority.

    9. Automated individual decision-making and profiling, Article 22 GDPR

      We do not perform automated individual decision-making and profiling. However the web hosting service where our Site is located, the e-mail service provider that we use, and the other network providers which your electronic transmissions, including e-mails, go through before reaching us, may have automated decision-making and profiling systems in place to detect possible fraud, cyber attacks, spam, and for other various uses, for the purpose of protecting their systems or other various purposes, by analyzing your IP address and the data attached to your transmissions to decide if your activity is unauthorized or damaging, and in case of such determination they may stop your transmissions from reaching us. You may request human intervention from those service and network providers which your electronic transmissions travel through.

    10. How to make a request to the controller

      1. To make a request regarding your rights free of charge or to ask questions about this Policy, please contact Thomas Huang by e-mail at thomas@tomshot360.com, or by post to Thomas Huang, Öjendorfer Steinkamp 28, 22117, Hamburg, Germany, who is the controller of the personal data that we collect within the meaning of the GDPR.

      2. If we are not certain of your identity, we may request more information from you for verification.

    11. Exemptions

      1. Some personal data may be exempt from your requests in certain circumstances when processing is based on our legal obligations or legitimate interests, in which case we will inform you when responding to your request.

      2. We may refuse to act on your requests if they are manifestly unfounded, excessive, or repetitive within the meaning of Article 12(5) GDPR.