Please check your details in the fields marked in red.

Privacy Notice

This Privacy Notice is to inform you about the nature, scope and purpose of Heinemann Cruise Liner Global GmbH ("Heinemann”, “we”, “us”) processing of personal data.

 

1. Controller and Data Protection Officer Information

The data controller for the processing is Cruise Liner Global GmbH (Koreastraße 3, 20457 Hamburg, Germany).

You can contact our data protection officer at the e-mail address dataprotection@gebr-heinemann.de.

 

2. Processing of your personal data through our online services

2.1 „All for one“ Customer Account

You need a personal account to be identified and to access certain Heinemann services such as HEINEMANN Loyalty Program or the HEINEMANN mobile App. An account also provides a convenient way to use our Click & Collect service, but Click & Collect orders are also possible as a guest without account. For the above purposes, we process first and last name, Salutation, country, E-mail address, and the password you have chosen. Providing your date of birth and telephone number within registration is only optional.

To ensure that no errors occur when entering your email address, we use the double opt-in procedure (DOI procedure): After you have entered your email address in the registration field, we will send you a confirmation link to the email address you provided. Only when you click on this confirmation link will your email address be added to our newsletter distribution list.

You may review and change the information we have stored about you in your account or delete your account at any time.

Legal basis

The processing of account data for access to services such as the HEINEMANN Loyalty Program or App is based on Article 6(1)(b) GDPR (contract performance). Optional data (e.g. date of birth, telephone number) is processed based on consent under Article 6(1)(a) GDPR. For purposes such as fraud prevention, IT security, and improving user experience, processing is based on our legitimate interests pursuant to Article 6(1)(f) GDPR.

Retention period

Your personal data will be stored as long as your account is active. After deletion upon your request or prolonged inactivity, your data will be erased or anonymised unless legal retention obligations or legitimate interests (e.g. fraud prevention or legal defence) require longer storage. 

 

2.2 Pre-order processing

When you submit your cart at checkout, you will receive a pickup ticket with your order ID, your name and your cabine number. For this purpose we process your account data or the information you provided when proceeding as a guest and match this data with booking data (name and cabin number) provided by Otalio GmbH to make sure you are on board to pick up your order.

Legal basis

The legal basis for our processing of your personal data is the initiation and performance of a sales contract (Article 6(1)(b)).

Retention period

Your order history will be kept as long as your account is active, unless legal retention obligations or overriding legitimate interests require longer storage.

If you have ordered as a guest, we will delete your personal data when the purpose for which it was collected no longer applies.

 

2.3 Pre-Order history

If you have created an account, we store your webshop pre-order history to provide you with an excellent customer experience. Pre-Order history offers you a convenient way to reorder your favorite products and enables us to recommend our customers similar products and related promotions (e. g. tastings) based on previous orders. Your pre-order history can be viewed in your account (webshop and APP).

Legal basis

The storage of your pre-order history to enable convenient reordering and display past purchases in your account is based on Art. 6(1)(b) GDPR (performance of contract). The use of this data for personalised recommendations in the webshop and app is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR, which lies in enhancing customer satisfaction and optimising our services. Recommendations via newsletter will only be sent if you have given marketing consent pursuant to Art. 6(1)(a) GDPR, which you may withdraw at any time with effect for the future (see Section 2.8 below).

Retention period

Your order history will be kept as long as your account is active, unless legal retention obligations or overriding legitimate interests require longer storage.

If you have ordered as a guest, we will delete your personal data when the purpose for which it was collected no longer applies.

 

2.4 Abandoned Cart

If you have created an account and have not completed your pre-order, you may receive a reminder email from us, provided you have given us marketing consent.

Legal basis

The legal basis for our processing of your personal data is according to Art. 6 (1) (a) GDPR the marketing consent you have given us. You may revoke your marketing consent at any time with future effect.

Retention period

As long as your account is active and you have not completed your pre-order or removed your products, your abandoned card will be retained.

 

2.5 Processing of Logfiles

When visiting our website, personal data is automatically transmitted by the user's terminal device; this includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.

Legal basis

The processing of this information is based on our legitimate interest according to Art. 6 (1) (f) GDPR in ensuring the proper operation of the website, including the smooth set-up of the connection and in ensuring the security of the processing (e.g. for the prevention and investigation of cyber attacks) pursuant to Art. (5) (f) GDPR.

Retention period

The log files are automatically anonymized at the end of the session. 

 

2.6 Cookie Consent Management

We use the Consent Management Platform (CMP) “Usercentrics” to record, store and document consent of our website visitors to the use of cookies, pixels and similar other technologies (collectively referred to as “cookies”) on our website. The CMP tool also enables us to conduct statistical analysis (e.g. opt-in rates) to optimize the user experience. For these purposes, we may process the following types of information: consent data and timestamp, device and browser information and anonymized IP address.

Usercentrics stores this information in the local storage of your browser so that your individual settings are saved for further visits to our website and the consent field is not displayed again each time.

More information about the cookies used on our website will be provided in Unsercentrics oder the following link:  [add Link to Usercentrics].

Legal basis

The legal basis for our processing of your personal data is according to Art. 6 (1) (c) GDPR our obligation to comply with Telecommunications Digital Services Data Protection Act (TDDDG) and our legitimate interest pursuant to Art. 6 (1) (f) GDPR. Our legitimate interest lies in the efficient management of consent data and optimizing user experience.

Retention period

The consent data (consent given and withdrawal of consent) will be stored for one year. The data will then be deleted immediately.

 

2.7 Operating the HEINEMANN loyalty program 

We collect, process, and store data relating to purchases you have made using your member card (customer transaction data) and coupons you have redeemed within the scope of HEINEMMAN loyalty program Customer transaction data includes information about the type, quantity, and price of items purchased, as well as the date and place of purchase, as shown on the printed receipt.

The purpose of processing is to manage your HEINEMANN X ME account and calculate your loyalty points so that we can offer you the benefits of your membership. As part of the so-called program communication, we will send you contract related information to the email address you have provided.

Legal basis 

The legal basis for our processing of your personal data is the performance of your membership contract  according to Art. 6 (1) (b) GDPR. 

Retention period 

Your personal data will be stored for as long as your loyalty membership is active. 

After deletion upon your request or prolonged inactivity, your data will be erased or anonymised unless legal retention obligations or legitimate interests (e.g. fraud prevention or legal defence) require longer storage.

 

2.8 Newsletter

If you subscribe to our newsletter, we will regularly send you information about promotions, offers, and events tailored to your interests and preferences. For this purpose, we process your customer account data and the information stored in your customer profile, such as newsletter opens and link clicks. 

Legal basis 

The legal basis for processing is your consent in accordance with Art. 6 (1) (a) GDPR. You can revoke your consent at any time with future effect, e.g., by clicking on the “Unsubscribe from newsletter” link in the footer of the newsletter. 

Retention period

We use your data for advertising purposes via email until you revoke your consent.

 

2.9 Customer Service 

If you have any questions or issues regarding our products or services, you can contact our customer service team by phone, email or by using the contact form. In this case, a customer ticket will be created and, depending on the communication channel you have chosen, we will process your contact data such as your email address, name and telephone number together with any other personal data contained in your message in order to clarify your request and respond to your enquiry

Legal basis

If the processing of personal data is related to a purchase (e.g. complaint or return), the legal basis is Art. 6 (1) (b) DSGVO (contract performance). In all other cases, the processing is based on our legitimate interest in accordance with Article 6 (1) (f) DSGVO. Our legitimate interest lies in ensuring customer satisfaction through good service.

Retention period

The personal data relating to your service ticket will be deleted as soon as your enquiry has been resolved, unless  statutory retention obligations or warranty and guarantee claims require longer storage.

 

2.10 Postpaid Payment

Payment for goods purchased on board is made via your cruise operator, Aroya Cruises Limited  (Aroya), as a postpaid payment. For this purpose, Heinemann will check the status of your shopping limit at the beginning of the checkout. Afterwards you will be asked to provide your name and cabin number at checkout. Heinemann will then forward this data together with the digital signed purchase receipt to the cruise operator. Information on data protection at Aroya is available at https://aroya.com/en/documents/privacy-policy

Legal basis

The legal basis for processing is Art. 6 (1) (b) GDPR (contract performance).

Retention period

Your personal data will be deleted from our checkout system as soon as error-free transfer to the Aroya systems has been ensured.

 

3. Sharing personal data with third parties

Besides what is described above, disclosure of personal data to third parties only occurs within the framework of legal requirements. We only disclose personal data of users to third parties, if this is required e.g. for billing purposes or other purposes, if the disclosure is necessary to ensure the fulfilment of contractual obligations towards the users (in accordance with Article 6 (1) (b) of the GDPR). We may also disclose personal data to accountants, lawyers and other external advisors based on our legitimate interests (in accordance with Article 6 (1) (f) of the GDPR).

In the context of Heinemann’s development, the corporate structure may change, e.g., by the total or partial sale of the company. In the case of a partial transfer of assets containing personal data, the processing basis for the related transfer of personal data is, as a rule, Article 6 (1) (f) of the GDPR, as we have an interest in transferring parts of our assets and making commercial/structural changes.

If we engage subcontractors (Group companies and IT service providers), we have made appropriate contractual arrangements as well as adequate technical and organizational measures with these companies.

If we transfer your personal data to recipients whose registered offices are located in a third country, such transfer is based on the EU-US Data Privacy Framework, other adequacy decisions, or the EU Commission’s standard contractual clauses, which you may obtain a copy of by contacting us as stated above.

 

4. Data Subject Rights

You have the following rights with regards to the processing of your personal data:

  1. Right of access to your personal data
  1. Right to rectification of your personal data
  1. Right to erasure (‘right to be forgotten’)
  1. Right to restriction of processing of your personal data
  1. Right to data portability
  1. Right to not be subject to an automated decision, including profiling
  1. The right to lodge a complaint with a competent data protection supervisory authority.
  1. Right to withdraw consent at any time where processing is based on Article (6)(1) GDPR or Article 9(1) GDPR without effecting the lawfulness of processing based on consent before its withdrawal.

 

5. Right to Object

You have at any time the right to object, on the grounds relating to your particular situation, to processing your personal data concerning you which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. In case of objection, we will no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms of you or for the establishment, exercise or defence of legal claims.

 

6. No obligation to provide personal data

Generally, you are not obliged to provide your personal data. However, if the legal basis for the respective processing is performance or conclusion of a contract, the provision of your personal data is necessary for the contractual relationship. Without this data, it is not possible to conclude or fulfil the contract in such cases.

If personal data is not provided in cases of processing based on legitimate interests, the respective services and offers cannot be used.

 

Status: June 2025