Privacy Policy


Privacy policy
Status: 26.09.2022

1) Information about the collection of personal data and contact details of the person responsible.
We are pleased that you are visiting our website and thank you for your interest. In the following, we inform you about the handling of your personal data when using our website. Personal data in this context are all data with which you can be personally identified. Statistical data that we collect, for example, when you visit our website and that cannot be linked to your person do not fall under the term personal data. You can print or save this privacy policy by using the usual functionality of your browser.

The contact person and responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is.

Cannaflos – Gesellschaft für medizinisches Cannabis mbH,
Vogelsanger Straße 348, 50827 Cologne, Germany,
Tel.: 0221/986 574 54,

We maintain up-to-date technical measures to ensure data security, in particular to protect your personal data from risks during data transmissions and from third parties gaining knowledge. These are adapted to the current state of the art in each case. This website uses SSL or TLS encryption for security reasons and to protect the transmission of personal data and other confidential content (e.g. orders or requests to the person responsible). You can recognize an encrypted connection by the string “https://” and the lock symbol in your browser line.

2) Data collection when visiting our website
During the mere informational use of our website, i.e. if you do not register or otherwise transmit information to us, we only collect data that your browser transmits to our server (so-called “server log files”). When you visit our website, we collect the following data, which is technically necessary for us to display the website to you:
– Our visited website
– Date and time at the time of access
– Amount of data sent in bytes
– Source/reference from which you reached the page
– Browser used
– Operating system used
– IP address used (if applicable: in anonymized form)
The processing is carried out in accordance with Art. 6 para. 1 lit. f DSGVO on the basis of our legitimate interest in improving the stability and functionality of our website. The data is not passed on or used in any other way. However, we reserve the right to check the server log files retrospectively should concrete indications point to illegal use.

3) Cookies
In order to make visiting our website more attractive and to enable the use of certain functions, we use so-called cookies on various pages. These are small text files that are stored on your terminal device. Some of the cookies we use are deleted after the end of the browser session, i.e. after you close your browser (so-called session cookies). Other cookies remain on your end device and allow your browser to be recognized on your next visit (so-called persistent cookies). If cookies are set, they collect and process certain user information such as browser and location data as well as IP address values to an individual extent. Persistent cookies are automatically deleted after a specified period of time, which may differ depending on the cookie. The duration of the respective cookie storage can be found in the overview of the cookie settings of your web browser.
In some cases, the cookies are used to simplify the ordering process by storing settings (e.g. remembering the contents of a virtual shopping cart for a later visit to the website). If personal data is also processed by individual cookies used by us, the processing is carried out in accordance with Art. 6 para. 1 lit. b DSGVO for the performance of the contract, in accordance with Art. 6 para. 1 lit. a DSGVO in the case of consent given, or in accordance with Art. 6 para. 1 lit. f DSGVO to protect our legitimate interests in the best possible functionality of the website and a customer-friendly and effective design of the site visit.
Please note that you can set your browser in such a way that you are informed about the setting of cookies and can decide individually about their acceptance or can exclude the acceptance of cookies for certain cases or in general. Each browser differs in the way it manages cookie settings. This is described in the help menu of each browser, which explains how you can change your cookie settings. You can find this for each browser at the following links:
Internet Explorer:
Please note that if you do not accept cookies, the functionality of our website may be limited.

4) Contacting us
In the context of contacting us (e.g. via contact form or e-mail), personal data is collected. Which data is collected in the case of a contact form can be seen from the respective contact form. This data is stored and used exclusively for the purpose of answering your request or for contacting you and the associated technical administration. The legal basis for the processing of this data is our legitimate interest in responding to your request in accordance with Art. 6 (1) lit. f DSGVO. If your contact aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 (1) lit. b DSGVO. Your data will be deleted after final processing of your request. This is the case if it can be inferred from the circumstances that the matter in question has been conclusively clarified and provided that there are no statutory retention obligations to the contrary.

5) Registration in the specialist area via DocChec
Members of the medical profession have the option of registering for our specialist area via the external identification service DocCheck. For this purpose, an input mask from DocCheck is integrated into our website, into which you can enter your DocCheck user data (e-mail and password). The data you enter will be transmitted by us to DocCheck Community GmbH. The processing serves to enable access to the subject area. The legal basis is Art. 6 para. 1 letter b) DSGVO.

6) Newsletter
You have the option of ordering our newsletter, in which we inform you regularly about company and industry news and availabilities. For ordering our newsletters, we use the so-called double opt-in procedure, i.e. we will only send you newsletters by e-mail if you confirm in our notification e-mail by clicking on a link that you would like to receive our newsletters. If you confirm your wish to receive the newsletter, we will store your e-mail address, the time of registration and the IP address used for registration until you unsubscribe. The storage serves the sole purpose of sending you the newsletter and to be able to prove your registration. You can unsubscribe from the newsletter at any time. A corresponding unsubscribe link can be found in every newsletter. A message to the contact details provided above or in the newsletter (e.g. by e-mail or letter) is of course also sufficient for this purpose. The legal basis for the aforementioned data processing is your consent pursuant to Art. 6 (1) a) DSGVO.

This website uses the Sendinblue service of the provider Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, a subsidiary of the French parent company Sendinblue SAS, 55 rue d’Amsterdam, 75008 Paris, France, to send newsletters. Sendinblue is a service for organizing and analyzing newsletter delivery. The data you enter when registering for the newsletter (e.g. e-mail address) is stored on Sendinblue’s servers and on our servers. Newsletter dispatch via Sendinblue enables us to analyze the behavior of newsletter recipients. Among other things, we can analyze how many recipients have opened the newsletter message and how often which link in the newsletter was clicked. All links in the email are so-called tracking links, with which your clicks can be counted.

If you do not want Sendinblue to analyze your data, you must unsubscribe from the newsletter or revoke your consent (see section 15 below).

The data you provide us with for the purpose of receiving the newsletter will be stored by us until you unsubscribe from the newsletter distribution list and will be deleted from our servers as well as from Sendinblue’s servers after you unsubscribe from the newsletter. Data that has been stored by us for other purposes (e.g. existing customer data) remains unaffected by this.

For more information on data protection at Sendinblue, please refer to Sendinblue’s privacy policy at:

We have concluded an order processing agreement with Sendinblue, in which we oblige Sendinblue to protect our customers’ data and not to pass it on to third parties.

Your e-mail address will be used exclusively by us or our service providers and will not be passed on to other third parties.

The legal basis of the processing for the newsletter dispatch is Art. 6 para. 1 lit. a) DSGVO.

7) Use of your data for direct advertising
Advertising by letter mail
On the basis of our legitimate interest in personalized direct advertising, we reserve the right to store your first and last name, your postal address and – insofar as we have received this additional information from you as part of the contractual relationship – your title, academic degree, year of birth and your occupational, industry or business designation in accordance with Art. 6 (1) f DSGVO and to use it to send you interesting offers and information about our products by letter post.
You can object to the storage and use of your data for this purpose at any time by sending a message to the person responsible.

8) Data processing when opening a customer account and for the processing of contracts
On the basis of Art. 6 para. 1 lit. b DSGVO, we collect and process personal data if you provide it to us for the execution of a contract or when opening a customer account. Which data is collected can be seen from the respective input forms. A deletion of your customer account is possible at any time and can be done by sending us a message.

We store and use the data you provide for contract processing using the cloud ERP software weclapp (weclapp GmbH, Frauenbergstraße 31-33, 35039 Marburg, Germany). This transfer takes place in accordance with Art. 6 (1) lit. f DSGVO and serves our legitimate interest of an efficient, secure and user-friendly management of your data. Weclapp performs data processing on behalf only in member states of the European Union or the European Economic Area.

In order to protect your data, we have concluded an order processing agreement with weclapp, in which we oblige weclapp to protect your data and not to pass it on to third parties.

The privacy policy of weclapp can be viewed here:

After complete execution of the contract or deletion of your customer account, your data will be blocked with regard to tax and commercial law retention periods and deleted after expiration of these periods, unless you have expressly consented to a further use of your data or a legally permitted further use of data has been reserved by our side, about which we inform you accordingly below.

9) Data processing in application procedures
If you send us an unsolicited application or apply for an advertised position, we will process your data for the purpose of carrying out the application procedure insofar as this is necessary for the decision on the establishment of an employment relationship with us. The legal basis for this is § 26 para. 1 in conjunction with para. 8 p. 2 BDSG, as well as Art. 6 para.1 b) DSGVO.

Insofar as an employment relationship is established, we may further process the personal data already received from you for the purposes of the employment relationship in accordance with Section 26 (1) BDSG, or Art. 6 (1) b) DSGVO, if this is necessary for the implementation or termination of the employment relationship or for the exercise or fulfillment of rights and obligations arising from a law.

As part of the application process, we process data related to your application. This may be general data about you (such as your name, address and contact details), information about your professional qualifications and school education, or other information that you provide to us in connection with your application. In addition, we may process job-related information that you have made publicly available, such as a profile on professional social media networks.

The data transmitted as part of your application will be transferred via TLS encryption and stored in a database. This database is operated by Personio GmbH, which offers personnel administration and applicant management software ( Personio is our order processor in this context according to Art. 28 DSGVO. The basis for the processing here is an order processing agreement between us as the controller and Personio.

Your applicant data will be processed for the first time from the time of collection and will generally be deleted 6 months after completion of the application process.

In the event that you have agreed to further storage of your personal data, we will delete the data after the agreed period has expired.

10) Data room use
We use the services of Datasite LLC, Baker Center, 733 S Marquette Ave UNIT 600, Minneapolis, MN 55402, USA to operate a virtual data room in which we make various documents available to our customers and interested parties for viewing and/or downloading. These are, for example, contract documents and product information. Access is only granted to activated users after they have registered by e-mail using the double opt-in procedure.

In the context of access control, the following personal data are processed: Email address, user name. We store when the data room is entered and by whom which data is viewed or downloaded. 

The processing of personal data is based on Art. 6 para. 1 lit. b, f DSGVO. The purpose and our legitimate interest are to initiate contracts, to make relevant documents available and to prevent unauthorized access to the uploaded documents.

11) Note on data transfer to the USA
Tools and applications provided by companies based in the USA are linked to our website. When active, these tools or applications may also transfer your personal data to servers of the respective company located in the USA. Please note that the USA is not a safe third country in the sense of EU data protection law. Companies located there may be obliged to hand over personal data to security authorities without you as a data subject being able to take action against this. It can therefore not be ruled out that security authorities in the USA may process, evaluate and permanently store your data located on servers in the USA for monitoring purposes. Unfortunately, we have no influence on these processing activities.

12) Web analysis services
In order to continuously improve our offer, we use the statistical analysis tool “Matomo”, an open source service of InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand.

The software sets a cookie on your computer (for cookies, see already above). When you call up the website, the following data is stored:

– two bytes of the IP address of the user’s calling system,

– the website called up,

– the website from which the user accessed the website (referrer)

– the subpages accessed from the accessed website

– the time spent on the website

– the frequency with which the website is accessed

– browser incl. version

– operating system

– device type

– date and time

The software runs exclusively on the servers of our hosting contract partners in Germany. A storage of the personal data of the users only takes place there. The data is not passed on to third parties.

We use the option “AnonymizeIP” in the Matomo settings. This means that IP addresses are processed in abbreviated form, thus excluding the possibility of direct personal references. The IP address transmitted by your browser via Matomo is not merged with other data collected by us and is anonymized immediately after processing and before storage.

The legal basis for the use of Matomo is Art. 6 para. 1 p. 1 lit. f DSGVO. Our legitimate interest for the use is that we can improve our offer via the statistics obtained by means of Matomo and we can design more interesting for you as a user.

The data is deleted as soon as it is no longer required for our recording purposes, but at the latest after one year. The cookie set is valid for 13 months, after which it is deleted.

Information from the third-party provider on data protection is available at

13) Tools and miscellaneous

13.1 – Google Web Fonts
This site uses so-called web fonts provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”) for the uniform display of fonts. When you call up a page, your browser loads the required web fonts into its browser cache in order to display texts and fonts correctly.
For this purpose, the browser you are using must connect to Google’s servers. This may also result in the transmission of personal data to the servers of Google LLC. in the USA. In this way, Google obtains knowledge that our website was accessed via your IP address. Google Web Fonts are used in the interest of a uniform and appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 (1) lit. f DSGVO. If your browser does not support web fonts, a standard font will be used by your computer.
For more information on Google Web Fonts, please visit and see Google’s privacy policy:

13.2 – Yoast SEO
On our website, we use plugins from Yoast SEO. This is an offer from Yoast BV, Don Emanuelstraat 3, 6602 GX Wijchen, The Netherlands, Tel: +31 (0)24 82 00 337 (Chamber of Commerce / KvK: 55404367, VAT Number: NL851692540B01).
This plugin takes care of the complete technical optimization of our websites for search engines. It also assists with content development. For more information, please refer to Yoast BV’s privacy policy, which you can view at
You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

13.3 – LinkedIn Social Plug-In
On our website, we use the social plug-in of the social network LinkedIn, provided by LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA, on the basis of Art. 6 (1) p. 1 lit. f DSGVO. The underlying promotional purpose is to be considered a legitimate interest within the meaning of the GDPR. In doing so, we use the We would like to point out that we, as the provider of the website, have no knowledge of the content of the transmitted data or its use by LinkedIn.

Further information on the purpose and scope of data collection and its processing by LinkedIn can be found here:

14) Online presences in social media
We maintain online presences on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f. DSGVO, we maintain online presences within social networks and platforms in order to be able to communicate with customers, interested parties and users active there and to inform them about our services there. When calling up the respective networks and platforms, the terms and conditions and data processing policies of their respective operators apply.

Unless otherwise stated in our privacy policy, we process the data of users insofar as they communicate with us within the social networks and platforms, e.g. write posts on our online presences or send us messages.

15) Rights of the data subject
15.1 The applicable data protection law grants you comprehensive data subject rights (rights of information and intervention) vis-à-vis the controller with regard to the processing of your personal data, which we inform you about below:
– Right of access pursuant to Art. 15 DSGVO: In particular, you have the right to obtain information about your personal data processed by us, the processing purposes, the categories of personal data processed, the recipients or categories of recipients to whom your data have been or will be disclosed, the planned storage period or the criteria for determining the storage period, the existence of a right to rectification, erasure, restriction of processing, objection to processing, complaint to a supervisory authority, the origin of your data if it has not been collected from you by us, the existence of automated decision-making, including profiling, and, if applicable, meaningful information about the logic involved and the scope and intended effects of such processing that concern you, as well as your right to be informed about what guarantees exist in accordance with Art. 46 of the GDPR if your data is transferred to third countries;
– Right to rectification pursuant to Art. 16 DSGVO: You have the right to have any inaccurate data relating to you corrected without delay and/or to have any incomplete data stored by us completed;
– Right to deletion pursuant to Art. 17 DSGVO: You have the right to demand the deletion of your personal data if the requirements of Art. 17 (1) DSGVO are met. However, this right does not exist in particular if the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defense of legal claims;
– Right to restriction of processing pursuant to Art. 18 GDPR: You have the right to request the restriction of the processing of your personal data as long as the accuracy of your data, which you dispute, is being verified; if you refuse the erasure of your data due to unlawful data processing and instead request the restriction of the processing of your data; if you require your data for the assertion, exercise or defense of legal claims after we no longer need this data after the purpose has been achieved; or if you have lodged an objection for reasons relating to your particular situation as long as it has not yet been determined whether our legitimate grounds prevail;
– Right to information pursuant to Art. 19 DSGVO: If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed about these recipients.
– Right to data portability pursuant to Art. 20 DSGVO: You have the right to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller, insofar as this is technically feasible;
– Right to revoke consent given in accordance with Art. 7 (3) DSGVO: You have the right to revoke consent to the processing of data once given at any time with effect for the future. In the event of revocation, we will immediately delete the data concerned, unless further processing can be based on a legal basis for processing without consent. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation;
– Right to lodge a complaint pursuant to Art. 77 GDPR: If you consider that the processing of personal data concerning you infringes the GDPR, you have – without prejudice to any other administrative or judicial remedy – the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement.


16) Duration of storage of personal data
The duration of the storage of personal data is measured on the basis of the respective legal basis, the purpose of processing and – if relevant – additionally on the basis of the respective statutory retention period (e.g. retention periods under commercial and tax law).
When processing personal data on the basis of explicit consent pursuant to Art. 6 (1) a DSGVO, this data is stored until the data subject revokes his or her consent.
If there are statutory retention periods for data that is processed within the scope of legal or quasi-legal obligations on the basis of Art. 6 (1) (b) DSGVO, this data will be routinely deleted after the retention periods have expired, provided that it is no longer required for the fulfillment or initiation of a contract and/or there is no legitimate interest on our part to continue storing it.
When processing personal data on the basis of Art. 6(1)(f) DSGVO, this data is stored until the data subject exercises his or her right to object pursuant to Art. 21(1) DSGVO, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.
When processing personal data for the purpose of direct marketing on the basis of Article 6 (1) (f) DSGVO, this data is stored until the data subject exercises his or her right to object pursuant to Article 21 (2) DSGVO.
Unless otherwise stated in the other information in this statement about specific processing situations, stored personal data will otherwise be deleted when it is no longer necessary for the purposes for which it was collected or otherwise processed.

17) Recipients of the data
A transfer of the data collected by us takes place in principle only if:

you have given your express consent to this in accordance with Art. 6 Para. 1 a) DSGVO or in accordance with Art. 9 Para. 2 a) DSGVO,
the disclosure is necessary pursuant to Art. 6 (1) f) DSGVO or Art. 9 (2) f) DSGVO for the assertion, exercise or defense of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not having your data disclosed,
we are legally obliged to disclose your data pursuant to Art. 6 (1) c) DSGVO, or
this is legally permissible and necessary according to Art. 6 para. 1 b) DSGVO for the processing of contractual relationships with you or for the implementation of pre-contractual measures, which are carried out at your request.

In principle, we process your data ourselves. However, in some cases we also use service providers for this purpose. In addition to the service providers mentioned in this privacy policy, this may include, in particular, data centers that store our website and databases, IT service providers that maintain our systems, and consulting companies. If we pass on data to service providers, they may only use the data to perform their tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound to our instructions, have appropriate technical and organizational measures in place to protect the rights of the data subjects, and are regularly monitored by us.

In addition, disclosure may take place in connection with official inquiries, court orders and legal proceedings if it is necessary for legal prosecution or enforcement.

18) External hosting
Our Internet pages are hosted by RAIDBOXES GmbH, Friedrich-Ebert-Straße 7, 48153 Münster, Germany as an external service provider. Personal data that is collected on our Internet pages is stored on the host’s servers. This may include, but is not limited to, IP addresses, contact requests, meta and communication data, contract data, contact data, names, website accesses and other data generated via a website.

We use the services of our hosting service provider for the purpose of fulfilling contracts with potential and existing customers (Art. 6 para. 1 lit. b DSGVO) and in the interest of providing our online service securely, quickly and efficiently (Art. 6 para. 1 lit. f DSGVO).

Our hosting service provider will process your data only to the extent necessary to fulfill its service obligations and will follow our instructions regarding this data. In order to ensure data protection-compliant processing of your data by our hosting service provider, we have concluded an order processing agreement with them.

19) Changes to the data protection declaration
We occasionally update this privacy policy, for example when we adapt our website or when legal requirements change.