Privacy

Responsible for data processing in accordance with the provisions of the General Data Protection Regulation (DSGVO) is: Auto-Leebmann GmbH Traminer Str. 1 D-94036 Passau Tel: 0851 96 60 90 60 Web: www.leebmann24.com E-Mail: [email protected]

CSBK Data Protection GmbH E-Mail: [email protected]

In the course of our business and website operations, we process data. This also includes disclosure by transmission to third parties and, if applicable, to so-called third countries outside the European Union ("EU") and the European Economic Area ("EEA"). Where we transfer data outside the EU or EEA, we have marked this accordingly below.

The individual data concerned, processing purposes, legal bases, recipients and, where applicable, transfers to third countries are listed below:

We log your website visit. In doing so, we process: • name(s) of our accessed website(s), • date and time of access, • the amount of data transferred, • the browser type and version, • the operating system used by you • the referrer URL (the previously visited website), • your IP address, • the requesting provider The legal basis for data processing is our overriding legitimate interest in the ongoing provision and security of our website in accordance with Art. 6 (1) f) DSGVO. The log file is deleted after seven days, unless it is needed to prove or clarify specific legal violations that have become known within the retention period.

To provide our online presence, we use the services of web hosting providers who process the above-mentioned data and all data to be processed in connection with the operation of this website (log file when visiting the website) on our behalf. The legal basis for data processing is our overriding legitimate interest in providing our website in accordance with Art. 6 (1) f) DSGVO.

If you contact us, we process the following data from you for the purpose of processing and handling your request: name, contact details -if provided by you- and your message. The legal basis for the data processing is our obligation to fulfill the contract and/or to fulfill our pre-contractual obligations pursuant to Art. 6 para. 1 b) DSGVO and/or our overriding legitimate interest in processing your request pursuant to Art. 6 para. 1 f) DSGVO.

We process your order data to handle the contractual relationship between you and us. The legal basis for the data processing is the fulfillment of our contractual obligations pursuant to Art. 6 (1) b) DSGVO and, in individual cases, the fulfillment of our legal obligations pursuant to Art. 6 (1) c) DSGVO. We transmit your address data to the company commissioned with the delivery. If necessary for the execution of the contract, we additionally transmit your e-mail address or your telephone number to the company commissioned with the delivery in order to coordinate a delivery date (notification). Your transaction data (name, date of order, method of payment, date of dispatch and/or receipt, amount and payee, bank details or credit card details, if applicable) are transmitted to the payment service provider commissioned with processing the payment.

In order to provide you with regular information about our company and offers, we offer to send you an e-mail newsletter. With your newsletter registration, we process the data you entered during registration (e-mail address as well as other voluntary information). To prevent misuse, we will send you an e-mail after your registration in which we ask you to confirm your registration (double opt-in procedure). In order to be able to prove the registration process in a legally compliant manner, your registration is logged. This concerns the time of registration and confirmation as well as your IP address. The legal basis for sending the newsletter is your consent in accordance with Art. 6 (1) a) DSGVO. The data processing in connection with the sending of the confirmation email for your registration and the associated data logging is carried out in accordance with Art. 6 para.1 f) DSGVO due to our legitimate interest in proving your proper registration. If you give us consent, we also evaluate in the newsletters whether you have opened the newsletter as well as the scrolling and clicking behavior in the newsletter. This is done for the purpose of optimally tailoring our newsletter to your interests and improving the content of our newsletter. The legal basis for the analysis of the newsletter is your consent in accordance with Art. 6 (1) a) DSGVO.

In connection with the opening and use of a customer account, we process your inventory data (name, address, e-mail address, bank details) and your usage data (user name, password). This allows you to manage your orders and orders and we can identify you as a customer. The legal basis for this data processing is your consent in accordance with Art. 6 (1) a) DSGVO.

On our website we use so-called cookies. Cookies are small text files that are stored on your respective end device (PC, smartphone, tablet, etc.) and saved by your browser. Information about the specific cookies we use, their providers and purposes can be found in our Consent banner. There you give your consent to the respective services, can revoke it or adjust your settings subsequently. Our Consent Banner In order to fulfill our data protection obligations, we use the consent management tool Usercentrics of Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany ("Usercentrics"). By using Usercentrics, data of website visitors regarding granted or revoked consents (opt-in ,opt-out data, consent ID, consent number, date and time of consent, implicit or explicit consent, banner language, customer preference, template version) and device data (device information, browser information (http agent, http referrer), anonymized IP address) are processed. This data is transmitted to Usercentrics. The data processing is carried out in order to fulfill our legal obligations according to Art 6 (1) c) DSGVO. For more information on data processing at Usercentrics, please visit https://usercentrics.com/privacy-policy/.

We offer you the possibility on our website to upload your vehicle to a digital vehicle garage: Here, your name and the so-called VIN, vehicle identification number, are assigned to a fixed user ID. The service offers you the possibility to get exactly matching parts for your vehicle displayed. Furthermore, individual features of the vehicle can be stored, which are useful for service appointments, improvements or maintenance of the vehicle. The legal basis for the processing is Art. 6 para. 1 lit f DSGVO, as well as Art. 6 I lit.b DSGVO, as far as the digital garage is used in the context of a contract initiation or a contract conclusion. Our legitimate interest lies in being able to offer you a functional service that can also improve the safety of the vehicle. The data is stored as long as you park your vehicle in the digital garage. If you remove a vehicle, all personal data, the assignment to the VIN and your ID are automatically deleted. We will also be happy to help you individually if you want to object to the processing or need help with the deletion. You can contact our data protection officer named above at any time. If you have any technical questions or suggestions, please contact our IT department at [email protected].

We use Atlas from MongoDB, Inc. as a database service. The databases are located in the "eu-central-1" data center in Frankfurt on virtual servers. The data processing is based on our legitimate interests in the technically error-free and optimized provision of our services according to Art. 6 I f) DSGVO and will be deleted immediately after the purpose ceases to exist. Further information on MongoDB's data protection can be found at https://www.mongodb.com/de-de/cloud/trust.

We use a service provided by Commercetools GmbH, Adams-Lehmann-Str. 44, 80797 Munich, Germany (hereinafter: commercetools) to process orders and to process data relevant in the context of ordering processes, such as names, addresses or delivery addresses. Art. 6 para. 1 lit. b DSGVO serves as the legal basis. In order to fulfill our retention obligations under commercial law, the data is stored for up to ten years in accordance with § 147 AO, §256 HGB, insofar as it is part of an invoice, for example.

We use Algolia, a web hosting and backend service of the American company Algolia lnc, 301 Howard Street, Suite 300, San Francisco, CA 941 05, USA, as the basis for our website. The legal basis is Art. 6 para. 1 lit. b, as well as lit. f DSGVO. Since, in the opinion of the European Court of Justice, there is currently no sufficient data protection for a transfer of data to the USA, Algolia uses standard contractual clauses approved by the EU Commission (= Art. 46. para. 2 and 3 DSGVO) in order to comply with the EU level of data protection even when processing data in third countries (such as the USA in particular). There is a data security risk in the United States. The clauses are based on an implementing decision of the EU Commission, which you can view at https://germany.representation.ec.europa.eu/index de. The data will only be stored as long as it is necessary for the functionality and presentation of the website.

Vercel lnc, an American company located at 340 S Lemon Ave #4133, Walnut, CA 91789, provides our website with a cloud deployment platform. The legal basis for this is Art. 6 (1) lit. b, as well as lit. f DSGVO. Since, according to the European Court of Justice, there is currently no adequate level of protection for data transfers to the United States of America, this may pose various risks to the security of data processing. For this reason, Vercel undertakes, through the application of standard contractual clauses (= Art. 46. para. 2 and 3 DSGVO), to comply with the European level of data protection even if data is transferred to the USA and stored there. The data will only be stored as long as this is necessary for the use of our services.

Our website uses Google Cloud as an online storage service. Google lnc, an American company, and Google lreland Limited (Gordon House, Barrow Street Dublin 4, Ireland) are responsible for all Google services in Europe. Data that is transferred from you to Google may also be processed in the USA, although according to the European Court of Justice there is currently no adequate level of protection for the transfer of data to the USA. For this reason, Google undertakes to comply with the EU standard contractual clauses in order to maintain a European level of data protection even when processing data in the USA. After the end of the purpose, the data will be deleted again.

We use Mailjet on our website, a service for our email marketing. The service provider is the German company Mailjet GmbH, Alt-Moabit 2, 10557 Berlin, Germany. In order to use our email marketing, you must provide us with some personal data. We process this data to send you our newsletter and other information. These data are: • your e-mail address • your name • your IP address We use your personal data for the sole purpose of sending you our newsletter and other information. We will not pass on your data to third parties. The data will be deleted immediately after the purpose ceases to exist, e.g. if you no longer wish to receive advertising. The legal basis for the newsletter is your consent according to Art. 6 I lit.a) DSGVO. You can find out more about the data processed through the use of Mailjet in the Privacy Policy at www.mailjet.com/de/rechtliches/datenschutzerklaerung/.

We have commissioned Payone GmbH, Lyoner Straße 9, 60528 Frankfurt am Main, to assist us with online payments as part of our payment processing. To make this possible, Payone GmbH requires information such as name and address, bank or credit card details as well as invoice amount and transaction number. This information may be used by Payone for payment processing purposes and passed on to us, in compliance with German data protection laws. Payone's privacy policy can be viewed at https://www.payone.de/datenschutz/. The data will only be processed as long as it is necessary for the payment processing or until the expiry of the statutory retention period. The legal basis is the processing of the contract according to Art. 6 I lit.b) DSGVO.

We offer you the option of processing the payment transaction via the payment service provider Amazon Pay (Amazon Payments Europe s.c.a., 38 avenue J.F. Kennedy, L-1855 Luxembourg). This corresponds to our legitimate interest in offering an efficient and secure payment method (Art. 6 para. 1 lit. f DSGVO). In connection with this, we transmit the following data to Amazon Payments, insofar as it is necessary for the performance of the contract (Art. 6 para. 1 lit b. DSGVO): • first name • last name • address • e-mail address • telephone number The transmission of your personal data is necessary for the processing of a payment with Amazon Pay. Without this information, we cannot process a payment via Amazon Pay. However, it is possible to choose an alternative payment method. The data will only be processed as long as it is necessary for the payment processing or until the expiry of the statutory retention period.

We offer our customers the option to process payments via PayPal. This is in the interest of an efficient and secure payment method (pursuant to Art. 6 para. 1 lit. f DSGVO). In connection with this, we pass on the following personal data to PayPal, which is necessary for the execution of the contract (pursuant to Art. 6 para. 1 lit. b. DSGVO): • first name • last name • your address • e-mail address • telephone number The transmission of this data is neither legally required nor contractually obligatory. Without this information, we can not make a payment via PayPal. However, it is possible to choose an alternative payment method. PayPal performs a credit check for various services, such as direct debit payments, to ensure the customer's willingness and ability to pay. This is in the legitimate interest of PayPal (according to Art. 6 para. 1 lit. f DSGVO) and serves the execution of the contract (according to Art. 6 para. 1 lit. b DSGVO). In this process, data such as name, address, date of birth and bank account details are passed on to credit agencies. We have no influence on this process and only receive the result of whether the payment was successfully made, rejected or is still being reviewed. For more information about PayPal's objection and removal options, please visit: https://www.paypal.com/de/webapps/mpp/ua/privacy-full. The data will be stored until the completion of the payment processing, including the period necessary for the processing of refunds, claims management and fraud prevention.

In order to provide you with an optimal service on our website and in the integrated online store, we rely on the Klarna payment system. This allows us to guarantee you a fast, easy and secure payment processing of your orders. If you select the Klarna payment method, personal data will also be transmitted to the company. Klarna collects technical data, such as your browser type, operating system, our Internet address, date and time, language settings, time zone settings and your IP address. When you order a product or service through our store, you must enter personal data such as your name and address. This data is used by Klarna for payment processing. In addition, data for creditworthiness and identity checks, as well as general product information, may be stored and processed by Klarna. Our payment solution Klarna requires the transmission of certain personal data from you. This includes: Contact information such as your name, date of birth, national ID number, title, billing and shipping address, email address, telephone number and nationality or salary. Payment information, such as your credit card information or bank account number. Information about your orders, such as shipment number, type of item and price. Klarna endeavors to store your data within the EU or the European Economic Area (EEA). However, there may be individual cases where data is transferred outside the EU/EEA. In this case, Klarna ensures that the data protection complies with the requirements of the GDPR and that the third country in question has been assessed as adequate by the European Union. The data will be stored for as long as Klarna needs it for its processing purpose. You may withdraw your consent to the processing of personal data by Klarna at any time. You also have the right to access, correct and delete your personal data. To exercise these rights, you can simply contact Leebmann or contact Klarna's data protection team at [email protected]. We offer Klarna as a payment service provider for the processing of contractual and legal relationships (Art. 6 para. 1 lit. b DSGVO). If you would like to learn more about how we handle your data, the Klarna privacy policy is available at https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_at/privacy.

We use various services of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter "Google") on our website. It is possible that this will also result in data transfers to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 in the USA. There is no EU Commission adequacy decision for data transfers to the USA. Google ensures an adequate level of data protection via the EU standard contractual clauses. You can access a copy of the contractual clauses here: https://policies.google.com/privacy/frameworks?hl=de&gl=de Please also note the information on the use of data by Google in the Google Partner Network at: www.google.com/intl/de/policies/privacy/partners/ Google Analytics We use the Google Analytics tracking tool from Google on our website. We use Google Analytics to evaluate your use of the website, to compile reports on the activities within this website and to provide other services related to the use of the website and thus to improve the user experience. When Google Analytics is used, interactions of website visitors are primarily recorded and systematically evaluated with the help of cookies. We use Google Analytics with the extension "anonymizeIp()". This shortens IP addresses within the member states of the EU or EEA. If a transmission to Google's servers in the USA takes place, the full IP address is only transmitted in exceptional cases and shortened there. A direct reference to a person is therefore generally excluded. In particular, an assignment to the called computer or terminal of the website visitor is no longer possible. The following data is processed through the use of Google Analytics: • 3 bytes of the IP address of the called system of the website visitor (anonymized IP address), • the web page accessed, • the website from which the user reached the accessed page of our website (referrer), • the subpages accessed from the website, • the time spent on the website • the frequency with which the website is accessed Google states that it will not associate your IP address with any other data held by Google. Google Remarketing/Retargeting We use so-called tracking cookies from Google on our website. When you visit our site, information is stored in permanent cookies about which products you have viewed on our site and through which third-party ads and pages users reach our site. If you subsequently visit a partner website, we can display personalized advertising for you based on the items you have viewed on our site. Google Ads We use Google Ads, an online advertising program from Google, on our website. This involves so-called conversion tracking. If you click on an ad placed by Google, a cookie is set. This cookie loses its validity after 30 days and is not used to personally identify the user. If the user visits certain pages of this website and the cookie has not yet expired, Google and we can recognize that the user clicked on the ad and was redirected to this page. The data collected using the conversion cookie is used to generate statistics for Ads customers who have opted in to conversion tracking. Legal basis and revocation The legal basis for data processing within the scope of the aforementioned Google services is your prior consent pursuant to Art. 6 (1) a) DSGVO. You can revoke your consent at any time with effect for the future by adjusting your preferences in our Consent Banner.

We use the analysis and remarketing service "Bing Ads" of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Microsoft stores a cookie on your computer if you have reached our website via a Microsoft Bing ad. In this way, it can be traced that the ad was clicked on and that this led to a redirect to our website. This allows us to target you with targeted product recommendations and interest-based advertising on the pages of Microsoft and other "Bing Ads" customers. The information collected using the conversion cookie is also used to generate conversion statistics. The cookie does not store any information that can be used to identify users personally. The legal basis for the data processing is your consent pursuant to Art. 6 (1) a) DSGVO. The data may be transferred to Microsoft servers in the USA. There is no adequacy decision of the EU Commission for data transfers to the USA. Microsoft ensures an adequate level of data protection via the EU standard contractual clauses. A copy of Microsoft's standard contractual clauses can be found in the Microsoft Terms of Use for Online Services ("MicrosoftOnlineServicesTerms"), the current version of which is available in your language at the following link: www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31.

We use dynamic content ("Content") from third parties to optimize the presentation and the offer of our website. When you visit the website, a request is automatically made to the server of the respective content provider via an interface, during which certain log data (e.g. the user's IP address) is transmitted. The dynamic content is then transmitted to our website and displayed there. We use external content in connection with the following functionalities:

We have included videos from the YouTube portal of YouTube LLC, 901 Cherry Ave. San Bruno, CA 94066, USA ("YouTube"). Responsible for data processing at YouTube is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter "Google"). However, when playing the videos, log data is transmitted to YouTube's servers in the USA. The legal basis for the data processing is our overriding legitimate interest in the optimal marketing of our online offer according to Art. 6 para. 1 f) DSGVO. There is no adequacy decision of the EU Commission for data transfers to the USA. Google ensures an adequate level of data protection via the EU standard contractual clauses. You can access a copy of the contractual clauses here: https://policies.google.com/privacy/frameworks?hl=de&gl=de Further information at: https://policies.google.com/privacy?hl=de&gl=de

To display our Trusted Shops seal of approval and the Trusted Shops products for buyers after an order, the Trusted Shops trust badge is integrated on this website. The Trustbadge and the services advertised with it are an offer of Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany. When the Trustbadge is called up, your IP address, the date and time of the call-up, the volume of data transferred and the requesting provider (access data) are transmitted to the Trusted Shops servers. This access data is not evaluated and is automatically overwritten no later than seven days after the end of your visit to the site. The legal basis for the data processing is our overriding legitimate interest in the optimal marketing of our online offer according to Art. 6 para. 1 f) DSGVO. Further data will only be transferred to Trusted Shops if you decide to use Trusted Shops products after completing an order or have already registered to use them. In this case, the contractual agreement made between you and Trusted Shops applies.

We use seals of the payment services "Sofort-Überweisung", "Klarna", "Amazon Pay" and "Paypal" on our website. These are loaded from servers of PayPal (Europe) S.à r.l. et Cie, S.C.A., Amazon Payments Europe s.c.a., 5 Rue Plaetis - 2338 Luxembourg, Klarna Bank AB (publ), Stockholm, Sweden and Sofort GmbH when you visit the website. In the process, the name of the website accessed, the date and time of access, the amount of data transferred, the browser type and version, the operating system you are using, the referrer URL (the website previously visited), your IP address and the requesting provider are transmitted to the servers of the respective provider. The legal basis for data processing is our overriding legitimate interest in the optimal marketing of our online offering pursuant to Art. 6 (1) f) DSGVO. Further information on data protection can be found at: • Paypal: https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE • Immediate bank transfer: https://www.sofort.de/datenschutz.html • Klarna: https://www.klarna.com/de/datenschutz/ • Amazon Pay: https://pay.amazon.de/help/82974

If you would like to apply for a job with us, we require information regarding your qualifications and your contact details. The data provided will be processed for the purpose of carrying out the application procedure. The legal basis for the processing is Article 88 DSGVO in conjunction with Section 26 BDSG (n.F). Insofar as the processing is necessary for the defense of possibly asserted legal claims against us arising from the application procedure, the processing is based on Art. 6 (1) f) DSGVO. The legitimate interest here is to enable us to provide evidence in such a lawsuit. The storage period for data from unsuccessful applications is 6 months or as long as we need the data for the defense of legal claims. In the case of written or electronic consent, we store the application for up to 2 years. The personal data in the application process is provided by you voluntarily. We do not use automated decision-making pursuant to Art 22 EU-DSGVO within the application process.

We process personal data, such as your contact data in this case, for the purposes of promotional communication, which may be via e-mail, telephone, post or fax. In the present case, on the basis of the consent granted by you in accordance with Art. 6 para. 1 p.1 lit. a) DSGVO. You can revoke the consent given at any time with effect for the future. Your data will then be deleted immediately and you removed from the advertising mailing list. After revocation, we may store the data required to prove consent for up to three years on the basis of our legitimate interests pursuant to Art. 6 para.1 p.1 lit. f) DSGVO. The processing of this data is limited to the purpose of a possible defense against claims.

We process your customer data, in the event that you have not given consent to advertising, exclusively for the purpose of fulfilling the contract on the basis of the contract concluded with you in accordance with Art. 6 para.1 p.1 lit. b) 1st Alt DSGVO. Your data will only be stored for as long as is necessary for the fulfillment of the contract and will not be passed on to third parties outside the BMW Group. In some cases, a comparison is made with databases of the BMW Group in order to be able to guarantee the execution of necessary services and security updates. In addition, we are required by the provisions of the German Commercial Code and the German Fiscal Code to retain invoices and similar business documents for between six and a maximum of ten years before they are also destroyed.

We store personal data only as long as it is necessary for the purposes for which it is processed or as long as any consent you have given us has been revoked by you. Insofar as statutory retention obligations must be observed, the storage period for certain data may be up to 10 years, regardless of the processing purposes.

Upon request, we will provide you at any time and free of charge with information about all personal data that we have stored about you.

If you no longer agree with the storage of your personal data or if this data has become incorrect, we will arrange for the deletion or blocking of your data or make the necessary corrections (insofar as this is possible according to the applicable law) on the basis of a corresponding instruction. The same applies if we are only to process data in a restrictive manner in the future. You have the right to object in particular in cases where your data is required due to the performance of a task that is in the public interest or in our legitimate interest, as well as profiling based on this. You also have such a right of objection in the event of data processing for the purpose of direct advertising.

You may revoke any consent you have given at any time with effect for the future. Your revocation will not affect the lawfulness of the processing until the time of revocation.

If data processing takes place on the basis of a contract, pre-contractual negotiations, consent or with the help of automated processes, you have the right to data portability. Upon request, we will provide you with your data in a common, structured and machine-readable format so that you can transfer the data to another responsible party upon request.

Data for which we are not able to identify the data subject, for example if it has been anonymized for analysis purposes, is not covered by the above rights. Information, deletion, blocking, correction or transfer to another company may be possible in relation to this data if you provide us with additional information that allows us to identify you.

If you have any questions regarding the processing of your personal data, if you wish to obtain information, correct, block, object to or delete data, or if you wish to have your data transferred to another company, please contact [email protected]. You also have the possibility to complain about your data protection rights to a supervisory authority: https://www.bfdi.bund.de/DE/Service/Anschriften/anschriften_node.html