Data protection


1. General

This privacy policy is intended to inform you, as a user of this website, about the nature, scope and purpose of the collection and use of personal data by the person responsible, XOX Gebäck GmbH. XOX Gebäck GmbH takes data protection very seriously and treats your personal data confidentially and in accordance with legal regulations. Personal data is any information that relates to an identified or identifiable person. These include, for example, your name, your telephone number and your postal and e-mail address.

As changes to this Privacy Policy may be made through new technologies and the continued evolution of this Site, we encourage you to review the Privacy Policy periodically.


2 Responsible person

The person responsible within the meaning of the basic data protection regulation and other national data protection laws of the member states as well as other data protection regulations is the:

XOX Gebäck GmbH
Am Hastebach 8
31789 Hameln
Tel.: +49(0)5151 1073350


3 Data Protection Officer

The data protection officer of the responsible person is:

Christian Spin
Lofkampweg 61a
46514 Schermbeck
Tel.: +49(0)2853 60415-0


4 Scope of processing of personal data

In principle, we process your personal data only insofar as this is necessary for the provision of a functional website and our content and services. The processing of your personal data takes place regularly only if you inform us voluntarily, such as when using our e-mail contact form. In doing so, we observe the data protection regulations according to the Telemedia Act (TMG), the Federal Data Protection Act (BDSG) and other data protection regulations such as the General Data Protection Regulation (DS-GVO).


5 Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for processing of personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation (DS-GVO) as legal basis.

In the processing of personal data necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b DS-GMO as legal basis. This also applies to processing operations required to carry out pre-contractual actions.

If the processing is necessary for the protection of a legitimate interest of XOX Gebäck GmbH or a third party and the interests, basic rights and fundamental freedoms of the data subject do not predominate the first mentioned interest, then Art. 6 para. 1 lit. f DSGVO as legal basis for processing.


6 Data deletion and storage duration

We adhere to the principles of data avoidance and data economy. The personal data of the data subject will be deleted or blocked as soon as the purpose of the processing ceases or according to the various periods of storage provided by the legislator.


7 Provision of the website and logfiles

For the use of the website, system security, technical administration and web site optimization, it is necessary that data is collected through the hosting provider’s web server (Hosteurope).

The web server of the hosting provider store for about 8-9 weeks every access to the site in a log file (log file). Then the data is automatically deleted. A reference to your person without additional, unavailable information (for example, information from your Internet provider) can not be produced. Personal user profiles are not created. The web servers of Hosteurope usually record:

(1) Information about the browser type and version used
(2) The operating system of the user
(3) time of access
(4) country of origin
(5) possibly used search engine and search string
(6) The IP address of the user (anonymized for the duration of the website access)


8 Cookies

Some websites use so-called cookies. Cookies do not harm your computer and do not contain viruses. Cookies serve to make our offer more user-friendly, effective and secure. Cookies are small text files that are stored on your computer and stored by your browser.

Most of the cookies we use are so-called “session cookies”. They are automatically deleted after your visit. Other cookies remain stored on your device until you delete them. These cookies allow us to recognize your browser the next time you visit.

You can set your browser so that you are informed about the setting of cookies and allow cookies only in individual cases, the acceptance of cookies for certain cases or generally exclude and enable the automatic deletion of cookies when closing the browser. Disabling cookies may limit the functionality of this website.

Cookies that are required to carry out the electronic communication process or to provide certain functions that you wish to use are based on Art. 6 para. 1 lit. f DSGVO saved. The website operator has a legitimate interest in the storage of cookies for the technically error-free and optimized provision of its services.


9 Competition “product tester”

On our website, we offer users the opportunity to register for a raffle by providing personal information. The data is entered into an input mask and transmitted to us and stored. A transfer of data to third parties does not take place. The following data are required for sending the prize by mail: Salutation, surname, first name, street, postal code and city. The e-mail address is required for the winning notification. The date of birth is required to match if the participant has reached the age of 18, as required in the conditions of participation. At the time of registration, the date and time of registration will also be saved.

The first name, the surname shortened to a letter and the place of the winner will be published in the event of a profit on the website. The publication of the winners is part of the terms and conditions of the competition. If you do not agree, you can not participate in the raffle.

Subject to legal retention periods, your personal data will be deleted immediately after the end of the competition and the winnings have been sent.

Your personal data will also be deleted if you have revoked a consent granted for processing, unless there are compulsory statutory retention periods.

The legal basis for the processing of your personal data is the participation in the raffle (Article 6 paragraph 1 letter b) of the DS-GVO or in the case of the prize and the related publication of your first name, the first letter of your surname and your place of residence voluntarily granted consent in accordance with Art. 6 (1) lit. a) DS-GMO.


10 Contact form

On our website a contact form is available, which can be used by you for the electronic contact. If you make this possible, the data entered by you in the input mask will be transmitted to us and saved. The processing of the personal data from the input mask serves us only to process the contact. The e-mail will be read after receipt on our server exclusively by our employees. A passing on to third does not take place. Please note that the unencrypted data transmission in the Internet can have security gaps. A complete protection of the data from access by third parties, especially when sending unencrypted e-mails, is not possible.

If you want to use the contact form for the complaint of a product, further information is required. In most cases, the required information can be found on the back of the packaging in the white MHD field.

In addition to the information provided in the contact form, the date, time and the IP address of the user are stored at the time of transmission.

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. For the personal data from the input form of the contact form and the IP address, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the relevant facts have been finally clarified.

For the processing of the data in the context of the sending process your consent is obtained and referred to this privacy statement.


11 Application

If you use the specified e-mail to apply for an advertised position or to take an initiative, we will use the personal data you provided, such as name, first name, address, telephone number, your e-mail address and Process your application documents. The collection and processing of your personal application data is exclusively earmarked for the filling of positions within our company. As a matter of principle, your data will only be forwarded to the internal offices and specialist departments of our company responsible for the specific application process. A transfer of the data to third parties does not take place.

If the controller concludes a contract of employment with an applicant, the data transmitted will be stored for the purposes of the employment relationship in accordance with the law. If no employment contract is concluded with the candidate by the controller, the application documents shall be deleted six months after notification of the rejection decision, unless deletion precludes other legitimate interests of the controller. Other legitimate interest in this sense, for example, a burden of proof in a procedure under the General Equal Treatment Act (AGG).


12 Google Maps

The website uses Google Maps API to visually display geographic information. When using Google Maps, Google also collects, processes and uses data about the use of the Maps features by visitors to the Websites. For more information about data processing by Google, please refer to the privacy policy of Google. There you can also change your settings in the privacy center so that you can manage and protect yours.

Here’s more on how to manage your own data related to Google products.


13 Canteen app

You have the possibility to download our canteen app via the website. The “Kantine am Hastebach” in Hameln with its affiliated XOX factory outlet offers a small breakfast and a lunch from Monday to Friday. The menu and the daily changing menus are currently available through the app. If you click on the link of the app, you will be redirected to the download page of your selected operating system (IOS or Android).

As part of the use of the app, the following data (log entries) are stored:

Time of request
IP address hash (The IP address is no longer recognizable or recoverable)
These log entries are created when the app retrieves the menu from the backend. The IP address is used to protect the service from misuse of spam bots or for error analysis. After that we will make you unrecognized and filed. There is no association with an Apple or Google Account, Device Id or Concrete Person. The stored data will be deleted after 7 days.


14 Protection of your data

We secure our website and IT systems by appropriate technical and organizational measures against loss, destruction, unauthorized access, modification or dissemination of your data by unauthorized persons.


15 Your rights

You have a right to free information about the data stored about you. In addition, you may exercise your right to correct inaccurate data, blockage, deletion, opposition, restriction, and data portability. You may revoke your consent to data collection, processing and use at any time with future effect. Please contact us by e-mail at Of course, you can also reach us under the contact details given in the imprint.

You also have the right to contact the Data Protection Supervisory Authority (Landesbeauftragte für Niedersachsen) for complaints.


May 2018