This privacy notice explains which personal data (Art. 4 No. 1 GDPR) we process when you use our website, mobile applications, and services, for what purposes, and on what legal basis, as well as what rights you have.

Controller (Art. 4 No. 7 GDPR):
Coral Club Distribution LTD
Agapinoros 52, 2nd floor, Flat/Office 1,
8049 Paphos, Cyprus
Registered in the Commercial Register of the Republic of Cyprus, Reg. No.: HE343977

E-mail: datenschutz@coral-club.com

Data Protection Officer (DPO): datenschutz@coral-club.com

Local contact office (no independent controller):
Coral Club Deutschland GmbH
Siegener Str. 12, 35066 Frankenberg (Eder), Germany
Tel.: +49 611 36007328

A Data Protection Help Center with answers to frequently asked questions, guidance on exercising your rights, and account settings is available via the link in the footer of our website.

This privacy notice applies to all websites and online services operated by Coral Club Distribution LTD, unless expressly stated otherwise.

We collect personal data only to the extent necessary to provide our services, fulfill contractual or legal obligations, based on your consent, or to protect our legitimate interests (Art. 6 para. 1 lit. a, b, c, f GDPR). When storing or accessing information on end devices, the requirements of § 25 TTDDG (formerly TTDSG) also apply.

Web Hosting (Art. 6 para. 1 lit. f GDPR): We use a European hosting provider to operate this website. The IP address and server log files are processed on our behalf. A Data Processing Agreement (Art. 28 GDPR) is in place with the provider. Server locations: EU/EEA; for data transfers to third countries, we apply Art. 45/46 GDPR (DPF/SCC).

When Visiting the Website (Server Log Files) (Art. 6 para. 1 lit. f GDPR): Your browser transmits technically necessary information (e.g., IP address, date/time, browser/OS, referrer URL). The IP address is stored in log files for a maximum of 30 days and then automatically deleted (for IT security, stability, and error analysis purposes).

Contact Form / Email (Art. 6 para. 1 lit. b for contract-related inquiries; otherwise lit. f GDPR): We collect only necessary information (Art. 5 para. 1 lit. c GDPR). Required fields: Club number, name, email, message. Optional: phone number (for faster response). Alternatively, you may contact us directly by email; data will be deleted after completion unless legal retention requirements apply.

User Account (Club Membership) (Art. 6 para. 1 lit. b GDPR): For the optional account, we collect your email address, first and last name, and address. Optional: phone number, gender. Date of birth is collected only if necessary for age or identity verification (e.g., for certain payment methods). Account deletion can be requested via datenschutz@coral-club.com; legal retention obligations remain unaffected (Art. 6 para. 1 lit. c GDPR).

Order Without Registration (Guest Order) (Art. 6 para. 1 lit. b GDPR): Required information: first and last name, address, email, and payment details (depending on payment method). Date of birth — only for invoice purchases (fraud/credit check; Art. 6 para. 1 lit. f GDPR). Retention follows commercial and tax law (Art. 6 para. 1 lit. c GDPR).

“Extended Information” Option (Art. 6 para. 1 lit. a GDPR): This community feature is disabled by default. You can selectively share: (i) contact info (email/phone), (ii) messenger IDs, (iii) event participation, (iv) purchase history up to 3 months. Only information you actively enable in your member/partner account becomes visible. Withdrawal of consent is possible at any time in account settings (Art. 7 para. 3 GDPR). Note: We remain the controller responsible for the lawful provision and access control of this feature.

Newsletter (§ 7 UWG in conjunction with Art. 6 para. 1 lit. a GDPR): Sent after Double-Opt-In confirmation. Required field: email. Tracking of openings/clicks only with consent. Unsubscribe via the “unsubscribe” link in the email or by contacting us directly. The legal basis for logging the Double-Opt-In process is Art. 6 para. 1 lit. f GDPR (proof of consent).

Contests / Surveys (Art. 6 para. 1 lit. b GDPR; optional marketing Art. 6 para. 1 lit. a GDPR): Data collected depends on the specific form.

Contact Channels – Overview:

• Phone: name, number, inquiry (Art. 6 para. 1 lit. b/f GDPR); deleted after processing.
• Email: sender address, content (Art. 6 para. 1 lit. b/f GDPR); deleted after processing.
• WhatsApp (Business Platform): see below.
• Telegram: see below.

WhatsApp (Business Platform) (Art. 6 para. 1 lit. b/f GDPR): Contact via Click-to-Chat or saved number. Processed data: phone number, account name, sent content (text/image), metadata (timestamp, device info, IP). Message content is end-to-end encrypted; metadata may still be processed by the provider. Cross-border transfers via Meta/WhatsApp are based on DPF/SCC; details: Business Data Transfer Addendum and whatsapp.com/legal/privacy-policy. Use is voluntary; alternatives include phone/email.

Telegram (Art. 6 para. 1 lit. b/f GDPR): Contact via our official account/channel. Processed data: username, phone number (if available), message content, metadata. Cloud chats are not end-to-end encrypted; Secret chats are. Provider: Telegram FZ-LLC (UAE). More info: telegram.org/privacy.

Social Media Presence (Facebook, Instagram, X/Twitter, etc.): When visiting our social media pages, data may be processed for marketing and analytics purposes. Where we jointly determine purposes and means of processing with the platform (e.g., “Page Insights”), we act under joint controllership (Art. 26 para. 1–2 GDPR). Information about joint processing can be found in each platform’s “Page Insights Addendum.”

Further details on retention periods and data recipients are provided in Section 3 of this Privacy Notice.

We process personal data for the purposes listed below, based on the relevant legal grounds of the General Data Protection Regulation (GDPR) and the Telecommunications-Telemedia Data Protection Act (TTDDG):

• Service Provision / IT Security (log files): Art. 6 para. 1 lit. f GDPR.
• Contract Performance (account / orders / support): Art. 6 para. 1 lit. b GDPR; retention: Art. 6 para. 1 lit. c GDPR.
• Newsletter: Double-Opt-In, Art. 6 para. 1 lit. a GDPR, § 7 UWG; withdrawal possible at any time (Art. 7 para. 3).
• Contests / Surveys: participation / implementation Art. 6 para. 1 lit. b; optional marketing lit. a.
• Analytics / Marketing (cookies / pixels): only with consent § 25 para. 1 TTDDG, Art. 6 para. 1 lit. a; necessary cookies § 25 para. 2 TTDDG, Art. 6 para. 1 lit. f.
• Payments / Shipping: transfer to payment and logistics providers Art. 6 para. 1 lit. b, where applicable lit. c.
• Existing Customer Advertising (similar own products): Art. 6 para. 1 lit. f in conjunction with § 7 para. 3 UWG; objection possible at any time.
• Regulatory Requirements: disclosure where legally required Art. 6 para. 1 lit. c.

Recipients / Data Processors (Art. 13 para. 1 lit. e, Art. 28 GDPR): hosting / cloud, IT maintenance, payment, shipping, CRM / support, newsletter, web analytics / tag management, consent management.

Advertising Objection Lists (Robinson List) (Art. 6 para. 1 lit. f GDPR): To ensure that no unwanted advertising is sent, your contact details are shared with authorized service providers solely for comparison against internal suppression lists.

Intra-Group Recipients (Art. 6 para. 1 lit. b/f GDPR): Transfers within the corporate group are made for contract fulfillment as well as for centralized support, IT, compliance, and reporting purposes, in accordance with data protection laws and internal data protection agreements (Intra-Group Agreements pursuant to Art. 46 para. 2 lit. c GDPR).

Data Transfers to Third Countries (Art. 44 et seq. GDPR): Transfers occur only on the basis of an adequacy decision (Art. 45) or appropriate safeguards (Art. 46, especially EU Standard Contractual Clauses). For U.S. recipients certified under the EU–U.S. Data Privacy Framework (DPF), we rely on the adequacy decision of July 10, 2023 (Art. 45); otherwise, transfers follow Art. 46 GDPR.

IMPORTANT – Right to Object (Art. 21 GDPR): You may object to the processing of your data at any time for reasons arising from your particular situation; for direct marketing purposes, you may object at any time without giving reasons. Please send objections to: datenschutz@coral-club.com.

• Art. 6 para. 1 lit. c GDPR – fulfillment of legal obligations (e.g., disclosure requirements, record-keeping obligations under commercial and tax law);
• Art. 6 para. 1 lit. f GDPR – protection of legitimate interests (e.g., safeguarding our systems, rights, and security);
• §§ 24, 26 BDSG – where applicable, in particular for law enforcement, prevention of threats, or the establishment or defense of legal claims;
• Art. 32 GDPR – ensuring the security of processing (technical and organizational measures, IT security concepts, access controls).

We provide information about mandatory disclosures in accordance with Art. 14 para. 4 GDPR to the extent legally permissible, unless such disclosure is restricted by statutory confidentiality obligations or the protection of public interests.

Analytics Functions and Technical Security (Art. 6 para. 1 lit. f GDPR): When technically necessary analytics or security functions are used, data (e.g., IP address, browser information, visited pages) are processed to ensure the stability, security, and usability of our website. Information collected by these tools may be transmitted to servers located in third countries (e.g., the USA). If no adequacy decision pursuant to Art. 45 GDPR exists, the transfer is carried out based on appropriate safeguards under Art. 46 GDPR (e.g., EU Standard Contractual Clauses). Further details can be found in the privacy policies of the respective providers.

Our website may contain links to websites operated by third parties to which this Privacy Policy does not apply. When you click on a link to a third-party website, please note that we have no control over the content or privacy practices of these providers. We recommend that you review the applicable privacy policies of those websites.

If third-party content is embedded on our website (e.g., Google Maps maps, YouTube videos, social media plugins, or other tools), this is done based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR in conjunction with § 25 TTDDG, or to protect our legitimate interests in providing an attractive and user-friendly online offering in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. In this context, it may be necessary for the respective third-party provider to process your IP address to correctly deliver the content. We have no influence over this data processing.

If you do not want third-party providers to collect, process, or use data about you, you can disable JavaScript in your browser or block the execution of such content using a suitable browser add-on. Please note, however, that some features of our website may no longer function properly if you do so.

If data is transferred to third countries (e.g., the USA), such transfer takes place exclusively in compliance with the provisions of Art. 44 et seq. GDPR (adequacy decision or appropriate safeguards, in particular DPF/SCC).

As a data subject within the meaning of Art. 4 No. 1 GDPR, you have the following rights with respect to us:

• Right of Access (Art. 15 GDPR): You have the right to obtain confirmation as to whether we process personal data concerning you and, if so, to access such data and receive additional information as required by law.
• Right to Rectification (Art. 16 GDPR): You have the right to request the immediate correction of inaccurate personal data or completion of incomplete personal data stored by us.
• Right to Erasure (“Right to be Forgotten”) (Art. 17 GDPR): You have the right to request the deletion of your personal data, unless statutory retention obligations or other legal reasons prevent it.
• Right to Restrict Processing (Art. 18 GDPR): You have the right to request the restriction of the processing of your data under certain circumstances.
• Right to Data Portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format or to have it transmitted to another controller.
• Right to Object (Art. 21 GDPR): You have the right to object, at any time and for reasons arising from your particular situation, to the processing of your personal data based on Art. 6(1)(e) or (f) GDPR.
• Right to Withdraw Consent (Art. 7(3) GDPR): You have the right to withdraw your consent at any time with effect for the future.
• Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR. In Germany, § 19 BDSG also applies.

To view, update, or delete your personal data, please log into your personal account and open the “Settings” section (Art. 12(2) GDPR — facilitating the exercise of rights).

Alternatively, you can contact us at datenschutz@coral-club.com to obtain more information and instructions on how to exercise your rights. We will respond to your request without undue delay, but no later than within one month (Art. 12(3) GDPR).

Please note that to protect your data from unauthorized access, we are required to verify your identity before disclosing information or making any changes (Art. 12(6) GDPR).

The exercise of your rights is generally free of charge (Art. 12(5) GDPR). However, in the case of manifestly unfounded or excessive requests within the meaning of Art. 12(5) sentence 2 GDPR, we reserve the right to charge a reasonable fee or refuse to act on the request.

We process and store personal data in compliance with the principles of data minimization, integrity, and confidentiality in accordance with Art. 5(1)(c) and (f) GDPR. To ensure an appropriate level of protection, we apply technical and organizational measures pursuant to Art. 24 and Art. 32 GDPR. These measures include, in particular:

• Encryption of data transmission (e.g., TLS / SSL);
• Firewalls, access control systems, and role-based permission management;
• Regular security and penetration testing;
• Training and awareness programs for our employees on data protection and IT security.

We store personal data only for as long as necessary to provide the services you have requested or as required by law (Art. 5(1)(e) GDPR). The specific retention period is determined according to the following criteria:

• Contract fulfillment – until the full completion of the contractual relationship and expiration of statutory or contractual warranty periods (Art. 6(1)(b) GDPR);
• Commercial and tax obligations in Germany – retention period of 6 years for business correspondence (§ 257 HGB) and 10 years for tax-relevant documents (§ 147 AO) (Art. 6(1)(c) GDPR);
• Legal claims – retention until the expiry of statutory limitation periods (§§ 195 et seq. BGB) to assert or defend legal claims (Art. 6(1)(f) GDPR).

After the expiration of the respective retention periods, personal data will be deleted or anonymized, unless other statutory retention obligations or legitimate interests prevent deletion (Art. 17 GDPR).

If you have any questions about data security or our retention periods, please contact us at datenschutz@coral-club.com.

Our services are intended exclusively for individuals aged 18 and above. This age restriction is implemented to protect minors and ensure compliance with legal requirements, in particular with Section 4(2) of the German Interstate Treaty on the Protection of Minors in the Media (JMStV), as well as the protection principle set out in Art. 5(1)(a) GDPR (lawfulness and transparency) in conjunction with Art. 6(1)(f) GDPR (legitimate interest in the protection of minors).

We do not knowingly collect personal data from individuals under the age of 18. If you become aware of or have reason to believe that someone under 18 has provided us with personal data, please contact us immediately at datenschutz@coral-club.com. We will promptly delete such data in accordance with Art. 17 GDPR.

Do Not Track Signals: Our websites currently do not respond to so-called “Do Not Track” browser signals. However, we process all personal data in accordance with this Privacy Notice and the provisions of Art. 5 and 6 GDPR, as well as — where applicable — § 25 TTDDG when accessing user devices.

Compliance with this age restriction and the data protection principles forms part of our organizational and technical measures under Art. 24 and Art. 32 GDPR.

We reserve the right to adjust these provisions as necessary in response to changes in legal or technical requirements.

We reserve the right to update or amend this Privacy Policy at any time to reflect changes in legal requirements, technical developments, or modifications to our services. When making such changes, we comply with the transparency and information obligations set out in Art. 12 and Art. 13(3) GDPR.

Significant changes that affect the purpose of processing or the categories of personal data processed will be communicated to you in advance — for example, by email or via a prominent notice on our homepage — at least 30 days before the changes take effect (Art. 13(3) GDPR).

If the changes concern processing activities based on consent (Art. 6(1)(a) GDPR), we will seek your renewed consent if the modifications are material and not covered by your original consent (Art. 7(3) GDPR).

The most recent version of this Privacy Policy is always available on our website via the dedicated link. Previous versions can be provided upon request in accordance with Art. 15 GDPR.

Effective date of this Privacy Policy: October 2025

You have the right to lodge a complaint with any data protection supervisory authority (Art. 77 GDPR), in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement.

Lead Supervisory Authority at the Controller’s Registered Office (Cyprus):
Office of the Commissioner for Personal Data Protection
1 Iasonos Str., 1082 Nicosia, Cyprus
Website: www.dataprotection.gov.cy

Local Supervisory Authority for Germany (Contact Office in Frankenberg, Hesse):
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)
Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
Phone: +49 611 1408-0
E-Mail: poststelle@datenschutz.hessen.de
Website: datenschutz.hessen.de

If you have any questions, concerns, or complaints regarding this Privacy Policy or the processing of your personal data, you may contact us at any time. We ensure that all requests are handled in accordance with the transparency and information obligations set out in Art. 12, Art. 13(1)(a–b), and Art. 15 GDPR.

Main Contact (Controller):
Coral Club Distribution LTD
Agapinoros 52, 2nd floor, Flat/Office 1
8049 Paphos, Cyprus
Registered in the Commercial Register of the Republic of Cyprus, Reg. No. HE343977

Local Contact in Germany (Contact Point, Not an Independent Controller):
Coral Club Deutschland GmbH
Nikolaj Josko
Siegener Str. 12
35066 Frankenberg, Germany
E-Mail: datenschutz@coral-club.com
Phone: +49 611 36007328

We recommend that sensitive information be transmitted only in encrypted form (Art. 32 GDPR – Security of Processing).

We generally respond to inquiries without undue delay and no later than one month after receipt (Art. 12(3) GDPR). If a request is complex or if a large number of requests are received, this period may be extended by a further two months. You will be informed of any such extension in due time (Art. 12(3), Sentence 2 GDPR).

We use cookies and similar technologies (e.g. web beacons, pixels, local storage) to provide functionality, ensure security, personalize content, and analyze the use of our services.

The storage of information on your device and access to it are governed by § 25 TDDDG (formerly TTDSG):

• Technically necessary technologies – required for the operation of our website; legal basis: § 25(2) TDDDG in conjunction with Art. 6(1)(f) GDPR (legitimate interest in maintaining a functional and secure website).
• Analytics, marketing, and personalization technologies – used only with your consent; legal basis: § 25(1) TDDDG and Art. 6(1)(a) GDPR (voluntary consent that can be withdrawn at any time pursuant to Art. 7(3) GDPR).

You can withdraw or adjust your consent at any time with future effect via the “Cookie Settings” link in the footer (Art. 7(3) GDPR). You may also disable the use of certain technologies in your browser settings; however, some website functions may then be unavailable.

Types of Technologies Used

• Session cookies – automatically deleted after the session ends; legal basis: § 25(2) TDDDG, Art. 6(1)(f) GDPR.
• Persistent cookies / local storage – stored for a defined period (e.g., preferences / logins); legal basis depending on purpose: Art. 6(1)(a) or (f) GDPR.
• Pixels / web beacons – used to measure interactions and performance; legal basis: Art. 6(1)(a) GDPR.

Examples of Tools Used

• Google Analytics 4 (GA4) – web analytics for reach and usage measurement; IP addresses are not permanently stored (geo-based processing without permanent storage). The retention period for user and event data is typically up to 14 months (depending on configuration). Legal basis: § 25(1) TDDDG, Art. 6(1)(a) GDPR. Contract / DPA: in place. Data transfers to third countries: to recipients in the U.S. based on the EU–US Data Privacy Framework (Art. 45 GDPR) or appropriate safeguards under Art. 46 GDPR (Standard Contractual Clauses).
• Mixpanel – product and event analytics; used only with consent; privacy policy: mixpanel.com/legal/privacy-policy/.
• Singular – campaign attribution; used only with consent; privacy policy: singular.net/privacy-policy/.

Data transfers to countries outside the EU / EEA occur only where there is an adequacy decision (Art. 45 GDPR) — e.g., for recipients certified under the EU–US DPF — or under appropriate safeguards (Art. 46 GDPR) such as EU Standard Contractual Clauses. For more information, please refer to the respective provider’s privacy policy.

When external content or functions are integrated, the respective providers process data under their own responsibility (Art. 4(7) GDPR). In the case of data transfers to third countries, we ensure compliance with the requirements of Art. 45/46 GDPR (DPF/SCC). Further details can be found in the privacy policies of the respective providers.

Google Maps
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Purpose: Display of maps and location information.
Privacy Policy: policies.google.com/privacy
Data transfer to third countries: USA – based on the EU–US Data Privacy Framework or appropriate safeguards pursuant to Art. 46 GDPR.

Meta (Facebook / Instagram)
Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.
Privacy Policies: facebook.com/privacy/policy, privacycenter.instagram.com/policy
Joint controllership for “Page Insights” in accordance with Art. 26 GDPR.

X (Twitter)
Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland.
Privacy Policy: twitter.com/privacy
Data transfer to third countries: USA – based on appropriate safeguards pursuant to Art. 46 GDPR.

YouTube
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Purpose: Embedding of video content.
Privacy Policy: policies.google.com/privacy
Data transfer to third countries: USA – based on the EU–US Data Privacy Framework or appropriate safeguards pursuant to Art. 46 GDPR.