AWORIS – an online shop operated by SIROWA Biotechnologies GmbH
Effective date: 21.05.2026
1. Data Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other applicable data protection legislation is:
SIROWA Biotechnologies GmbH
trading under the brand AWORIS
In der Stelzbach 1
65618 Selters
Germany
Email: support@aworis.com
Website: aworis.com
The appointment of a Data Protection Officer is not legally required and none has been appointed. For any data protection enquiries, please contact us using the details above.
The online shop is operated under the brand AWORIS. All references to “AWORIS”, “we”, “us” or “our” in this Privacy Policy refer to SIROWA Biotechnologies GmbH as the data controller.
2. General Information on Data Processing
We process personal data of our users only to the extent necessary to provide a functioning online shop, our content and services.
The AWORIS online shop is directed exclusively at business customers and professionally qualified purchasers. It does not offer or sell products to consumers through this website.
Use of our online shop requires full legal capacity. Persons under 18 years of age are excluded from using the shop. We do not knowingly process personal data of minors.
The processing of personal data takes place only with the consent of the user or where processing is permitted by statutory provisions.
3. Legal Bases for Processing
The processing of your personal data is based on the following legal grounds:
- Art. 6(1)(a) GDPR — consent: where you have given us consent, for example for our newsletter or analytics cookies;
- Art. 6(1)(b) GDPR — performance of a contract: where processing is necessary for contract performance or pre-contractual measures, in particular order processing;
- Art. 6(1)(c) GDPR — legal obligation: where we are subject to a legal obligation, for example retention of business records or verification of tax exemptions for intra-community supplies;
- Art. 6(1)(f) GDPR — legitimate interest: where processing is necessary to protect legitimate interests, for example IT security, fraud prevention, or verification of entitlement to purchase certain products.
Where processing is based on your consent, you may withdraw it at any time with effect for the future.
4. Purposes of Data Processing
We process your personal data for the following purposes:
- processing and fulfilling your orders;
- managing your customer account and customer relationship;
- communicating with you regarding orders, enquiries or services;
- providing customer support;
- improving our website, products and services;
- sending marketing communications, where permitted by law or with your consent;
- complying with legal obligations, in particular tax and commercial record retention obligations;
- preventing fraud and ensuring security;
- verifying purchase entitlement for business customers, including proof of trade, medical or practitioner licence where applicable.
The specific legal basis for each processing purpose is set out in Section 3 and in the sections below.
5. Provision of the Online Shop and Hosting
Our online shop AWORIS is operated via the Shopify platform.
Provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland.
When you visit our shop, Shopify automatically collects server log data, including:
- IP address;
- date and time of access;
- page name and URL;
- data volume transferred;
- success notification;
- browser type and version;
- operating system;
- referrer URL.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest.
Shopify sub-processors include Cloudflare, Inc. in the USA and Google Cloud in Canada/EU.
We have entered into a Data Processing Addendum (DPA) with Shopify pursuant to Art. 28 GDPR.
6. Customer Account and Order Processing
6.1 Customer Account
During registration, we may collect the following data:
- company name;
- first and last name of the contact person;
- business address, including delivery and billing address;
- email address;
- phone number, which may be required for order enquiries and delivery;
- VAT ID, where applicable;
- additional registration data, where required.
Use of the online shop requires full legal capacity and a minimum age of 18 years.
Legal basis: Art. 6(1)(b) GDPR.
6.2 Business Customer Verification
For business customers and professionally qualified purchasers, we may collect one or more of the following proofs of qualification:
- proof of trade registration, such as a trade licence or commercial register extract, to verify commercial activity and entitlement to purchase products;
- medical licence, such as a certificate of approbation, to verify medical qualification where certain products may only be supplied to licensed physicians;
- proof of entitlement to practise a healing profession, such as a Heilpraktiker licence, to verify entitlement where certain products may only be supplied to licensed practitioners.
Legal basis: Art. 6(1)(b) GDPR — pre-contractual measures and contract performance, Art. 6(1)(c) GDPR — legal obligations, and Art. 6(1)(f) GDPR — legitimate interest in verifying purchase entitlement.
Documents are retained for the duration of the business relationship and thereafter in accordance with statutory retention periods.
6.3 Order Processing
When placing an order, we process the following data pursuant to Art. 6(1)(b) GDPR:
- name or company name and contact person;
- delivery and billing address;
- email address;
- phone number for enquiries and shipping communication;
- order data, including items, quantities and prices;
- payment information, depending on the selected payment method;
- VAT ID, where applicable for business customers and intra-community supplies.
Data is deleted after completion of the contract, subject to statutory retention periods. Commercial correspondence may be retained for six years pursuant to Section 257 HGB. Tax-relevant documents may be retained for ten years pursuant to Section 147 AO.
7. Payment Providers
We use payment providers to process payments. Legal basis: Art. 6(1)(b) GDPR.
7.1 PayPal
Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg.
7.2 Klarna
Provider: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden.
Klarna may carry out identity and credit checks.
7.3 Stripe
Provider: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin, D02 H210, Ireland.
7.4 Credit Card Payment
Credit card payments are processed via [specify provider, e.g. Stripe / Shopify Payments].
Depending on the provider, processed data may include card number, expiry date, CVC and billing address. Payment data is transmitted in encrypted form and processed in accordance with PCI-DSS standards.
8. Shipping Providers
We share your delivery address, email address and phone number with shipping providers where necessary for delivery.
The phone number may be required for delivery coordination.
9. Cookies
9.1 Strictly Necessary Cookies
Shopify sets strictly necessary cookies that are required for the operation of the online shop. These cookies may be used without consent on the basis of Art. 6(1)(f) GDPR and Section 25(2) TDDDG.
Such cookies may include:
- _shopify_sa_t and _shopify_sa_p;
- cart and cart_ts;
- secure_customer_sig;
- checkout and checkout_token;
- localization.
9.2 Analytics and Marketing Cookies
Analytics and marketing cookies are set only after express consent.
Legal basis: Art. 6(1)(a) GDPR and Section 25(1) TDDDG.
10. Web Analytics
We use Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics 4 no longer uses full IP addresses by default.
Legal basis: Art. 6(1)(a) GDPR — consent.
Transfers to the USA may take place on the basis of the EU-U.S. Data Privacy Framework pursuant to Art. 45 GDPR.
11. Newsletter
Subscription to the newsletter requires a separate sign-up and is not linked to registration or orders.
For newsletter registration, we may collect:
- email address, mandatory;
- name and company, optional;
- date and time of registration;
- IP address.
We use a double opt-in procedure.
Legal basis: Art. 6(1)(a) GDPR — consent.
You may withdraw your consent at any time via the unsubscribe link included in each newsletter.
12. Social Media Plugins
[Include this section only if social media plugins are embedded on the website.]
If social media plugins are embedded, personal data may be transferred to the respective provider only after your consent.
Possible providers may include Facebook/Meta, Instagram or LinkedIn.
Legal basis: Art. 6(1)(a) GDPR — consent.
[If a two-click or Shariff solution is used, describe it here.]
13. Customer Reviews
[Include this section only if a customer review tool is used.]
If a customer review tool is used, personal data may be processed for the purpose of collecting, displaying or verifying customer reviews.
Provider: [specify review tool, e.g. Trustpilot, Trusted Shops or Judge.me].
Legal basis: [specify legal basis, usually Art. 6(1)(a) GDPR or Art. 6(1)(f) GDPR depending on implementation].
If no customer review tool is used, this section should be removed before publication.
14. Contact
When you contact us by email, phone or contact form, your data is processed to handle your enquiry.
Legal basis: Art. 6(1)(b) GDPR, where your enquiry relates to a contract or pre-contractual measures, or Art. 6(1)(f) GDPR, based on our legitimate interest in responding to enquiries.
Data is deleted once the enquiry has been resolved, unless statutory retention obligations apply.
15. Data Transfers to Third Countries
Personal data may be transferred to countries outside the European Union or the European Economic Area, including the USA, where service providers are used that process data outside the EU/EEA.
This may apply in particular to:
- Google Analytics, where consent has been given;
- Shopify;
- PayPal;
- Stripe;
- [newsletter tool, if applicable];
- [additional tools, if applicable].
Such transfers are based, where applicable, on adequacy decisions pursuant to Art. 45 GDPR, including the EU-U.S. Data Privacy Framework, Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR, and supplementary technical and organisational measures.
16. Recipients and Disclosure of Personal Data
We only share your personal data where this is necessary.
16.1 Processors and Service Providers
Recipients may include:
- Shopify for hosting and shop operation;
- PayPal, Klarna and Stripe for payment processing;
- UPS, DHL and other shipping providers for delivery;
- Google Ireland for analytics, where consent has been given;
- [newsletter provider] for marketing communications, where consent has been given.
Where required, we have concluded data processing agreements with processors pursuant to Art. 28 GDPR.
All service providers are contractually bound to process personal data only for specified purposes and to implement appropriate security measures.
16.2 Disclosure Due to Legal Obligation
We may disclose personal data where required by law or where necessary to protect our legitimate rights, enforce our terms, or protect the rights, property or safety of our users or third parties.
This may include disclosure to tax authorities, law enforcement authorities or courts.
Legal basis: Art. 6(1)(c) GDPR — legal obligation, or Art. 6(1)(f) GDPR — legitimate interest.
16.3 Data Transfer in Business Transactions
In the event of a merger, acquisition, restructuring, sale of business assets or insolvency proceedings, personal data may be transferred as part of the business transaction.
We will ensure that the recipient is bound by equivalent data protection obligations and will inform you of the transfer where legally required.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in carrying out the business transaction.
17. Retention Periods
We retain personal data only for as long as necessary for the respective processing purpose or as required by statutory retention obligations.
The following retention periods may apply:
- order data and invoices: ten years;
- business correspondence: six years;
- customer account data: until account deletion, plus applicable statutory retention periods;
- trade, medical or practitioner proofs: for the duration of the business relationship, plus applicable statutory retention periods;
- newsletter data: until withdrawal of consent;
- server logs: [insert retention period, e.g. 14 or 30 days];
- cookie consent records: at least one year.
18. Your Rights as a Data Subject
You have the following rights under the GDPR:
- right of access pursuant to Art. 15 GDPR;
- right to rectification pursuant to Art. 16 GDPR;
- right to erasure pursuant to Art. 17 GDPR;
- right to restriction of processing pursuant to Art. 18 GDPR;
- right to data portability pursuant to Art. 20 GDPR;
- right to object pursuant to Art. 21 GDPR;
- right to withdraw consent pursuant to Art. 7(3) GDPR.
To exercise your rights, please contact us using the contact details in Section 1.
We will respond to your request within the statutory period, generally within one month.
19. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority.
The competent authority for SIROWA Biotechnologies GmbH is:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Gustav-Stresemann-Ring 1
65189 Wiesbaden
Germany
Phone: +49 611 1408-0
Email: poststelle@datenschutz.hessen.de
20. SSL/TLS Encryption
Our shop uses SSL/TLS encryption.
You can identify an encrypted connection by the “https://” prefix in the browser address bar and the lock icon.
21. Automated Decision-Making / Profiling
We do not use automated decision-making within the meaning of Art. 22(1) and Art. 22(4) GDPR.
Exception: Klarna may perform automated identity and credit checks. Please see Section 7.2 for further information.
22. Changes to This Privacy Policy
We reserve the right to amend this Privacy Policy to ensure ongoing legal compliance or to reflect changes in our services.
The version published on this website at the time of your visit applies.
