Privacy Policy

We take the protection of your personal data very seriously and treat your personal data confidentially and in accordance with statutory data protection regulations and this privacy policy. 

Important structural note – separate data controllers: DR. KURT WOLFF GMBH & CO. KG, incorporated and registered in Germany with the commercial register of the local court in Bielefeld, Germany under HRA 11533 and its registered office at Johanneswerkstrasse 34-36, 33611 Bielefeld, Germany (“Dr. Wolff”) operates and provides this website and its content. 

For all processing activities described in this Privacy Policy (other than the checkout described in Part B), Dr. Wolff UK Limited, registered in England and Wales, Carpenter Court, 1 Maple Road, Bramhall, Cheshire, Stockport SK7 2DH, United Kingdom (“Dr. Wolff UK”), acts as a wholly-owned subsidiary and sub-processor (on Dr. Wolff’s behalf) for all website operation, marketing, analytics, customer service, and related services as described herein. 

The checkout of the webshop (including conclusion of the purchase contract, payment, fulfillment and related customer service) is operated by THE HUT.COM LIMITED incorporated and registered in England and Wales with company number 05016010 whose registered office is at Icon 1, 7-9 Sunbank Lane, Altrincham, WA15 0AF (“THG”), which acts as the seller to customers and as a separate controller for the processing at checkout. Dr. Wolff and THG act as separate data controllers unless expressly stated otherwise. 

Last updated: April, 2026 

A. Data processing by Dr. Wolff

I. Information about the collection of personal data 

  1. When you use our website, we inform you below about the collection of personal data. Personal data means all data that relates to you personally, e.g., name, address, email addresses, user behavior. 
  2. Controller within the meaning of Art. 4(7) (UK) GDPR for this website (excluding the checkout described in Part B) is: 
    • DR. KURT WOLFF GMBH & CO. KG, Johanneswerkstraße 34–36, 33611 Bielefeld, Germany 
    • Data Protection Officer: dpo@drwolffgroup.com or at our postal address with the addition “Data Protection Officer”. 
  3. When you contact us by email or via a contact form, the data you provide (your email address and, if provided, your name, telephone number, and any other personal data contained in your message) will be stored by us to answer your questions. We delete the data arising in this context when storage is no longer necessary, or restrict processing if there are statutory retention obligations. Legal bases: Art. 6(1)(a) (UK) GDPR (consent when using a contact form), Art. 6(1)(b) (UK) GDPR (performance of a contract or pre‑contractual measures), and/or Art. 6(1)(c) (UK) GDPR (legal obligations). 
  4. If we use commissioned service providers for individual functions of our offering or wish to use your data for advertising purposes, we inform you below about the respective processes, including criteria for the storage period. 
  5. For all website operation, analytics, marketing and customer service activities described in this Privacy Policy (apart from checkout/fulfillment by THG), Dr. Wolff UK acts as sub-processor (“processor”/“data processor” in UK law) on behalf of Dr. Wolff. 

II. Your rights 

Subject to statutory conditions, you have the following rights. To exercise them, please contact the addresses known to you; preferably use: dpo@drwolffgroup.com

  • Art. 15 (UK) GDPR – Right of access 
  • Art. 16 (UK) GDPR – Right to rectification 
  • Art. 17 (UK) GDPR – Right to erasure 
  • Art. 18 (UK) GDPR – Right to restriction of processing 
  • Art. 20 (UK) GDPR – Right to data portability (where processing is based on consent or contract) 
  • Art. 21 (UK) GDPR – Right to object: 
    • You can object at any time, on grounds relating to your particular situation, to processing based on legitimate interests, performance of a task in the public interest, or the exercise of official authority. 
    • Where we process your personal data for direct marketing, you can object at any time; in that case we will no longer process your personal data for these purposes. 
  • Art. 77 (UK) GDPR – Right to lodge a complaint with a supervisory authority 
  • Withdrawal of consent: You can withdraw consent at any time with effect for the future using any of the contact addresses known to you. 

III. Collection of personal data when visiting our website 

  1. When you merely use the website for informational purposes, we collect only the personal data that your browser transmits to our server. These data are technically necessary to display our website and to ensure stability and security (Art. 6(1)(f) (UK) GDPR): 
    • IP address 
    • Date and time of the request 
    • Time zone difference to GMT 
    • Content of the request (specific page) 
    • Access status/HTTP status code 
    • Amount of data transferred 
    • Website from which the request originates (referrer) 
    • Browser 
    • Operating system and its interface 
    • Language and version of the browser software 
  2. Cookies: In addition to the data mentioned above, cookies are stored on your computer when you use our website. Cookies are small text files stored on your hard drive assigned to the browser you use, and they provide certain information to the party that sets the cookie (here, Dr. Wolff). They serve to make our offering more user‑friendly and effective. 
  3. Types of cookies 
    • Transient cookies (session cookies) are automatically deleted when you close the browser. They store a session ID that assigns various requests from your browser to a single session. They are deleted when you log out or close the browser. 
    • Persistent cookies are automatically deleted after a specified period, which may differ depending on the cookie. You can delete cookies at any time in your browser’s security settings. 
    • You can configure your browser to refuse third‑party or all cookies. Please note that you may then not be able to use all functions of this website. 
    • We use cookies to recognize you on subsequent visits. 
  4. Consent management 
    • We use a consent management platform (OneTrust, 82 St John Street, Farringdon, London EC1M 4JN, United Kingdom) to obtain and manage your consent in a legally compliant manner and to enable withdrawals. Your consent is documented and technically controls the setting of cookies. 
    • Categories of data: IP address, date/time of consent, a pseudonymous ID, and your selected settings. 
    • International transfers: Transfers to sub‑processors in third countries may occur; appropriate safeguards (e.g., adequacy decisions or Standard Contractual Clauses) are implemented where required. 
    • Legal basis: Art. 6(1)(f) (UK) GDPR (legitimate interests in ensuring compliant consent capture and cookie management). 
    • Storage period for consent records: 365 days. 

IV. Other functions and offers on our website

  1. In addition to purely informational use, we offer various services which you can use if interested. For this, you generally need to provide additional personal data which we use to provide the respective service and to which the above principles apply. 
  2. We sometimes use external service providers to process your data. They have been carefully selected and commissioned by us, are bound by our instructions, and are regularly monitored. 
  3. We may also pass your personal data to third parties if promotions, competitions, contract conclusions, or similar services are offered by us together with partners. You will receive more information when you provide your personal data or in the description of the offer. 
  4. If our service providers or partners are based outside the EEA or the UK, we will inform you about the consequences in the description of the offer. 

V. Web analytics, monitoring, and optimization 

We use services in the area of web analytics, monitoring, and optimization. 

  • Purposes: Evaluating visitors to our online offering (including behavior, interests, and demographic information in pseudonymous form), identifying technical errors, and optimizing design/content; A/B testing may be used. 
  • Categories of data: interests; pseudonymous usage data and interactions (e.g., pages visited, clicks, scrolls); technical data (device, OS, browser type/version, screen resolution, language); meta/communication data (IP address, referrer URL, date/time); where possible we use IP masking. 
  • Service providers used: 
    1. Google services (Google Analytics, Google Ads, DoubleClick) 
      • Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland 
      • International transfers may occur; appropriate safeguards are used where required. 
      • Legal basis: Typically consent (Art. 6(1)(a) (UK) GDPR) via our consent tool; where only essential measurement is performed without non‑essential cookies, Art. 6(1)(f) (UK) GDPR may apply. 
    2. Sentry 
      • Provider: Functional Software Inc., 132 Hawthorne Street, San Francisco, CA 94107, USA 
      • International transfers may occur; appropriate safeguards are used where required. 
      • Legal basis: Art. 6(1)(f) (UK) GDPR (legitimate interests in error monitoring and application stability). 
    3. Microsoft Clarity 
      • Provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA 
      • Purpose: Heatmaps and session replays to understand user behavior, identify technical errors, and optimize our website. 
      • International transfers may occur; appropriate safeguards are used where required. 
      • Legal basis: Consent (Art. 6(1)(a) (UK) GDPR) via our consent tool. 
      • Storage period at provider: up to 13 months. 

VI. Remarketing and conversion tracking 

We use services for remarketing and conversion tracking. 

  • Purposes: Presenting interest‑based advertising; analyzing user interactions to display targeted advertising on other websites/platforms; measuring campaign performance to optimize advertising. 
  • Categories of data: pseudonymous usage data and meta/communication data (e.g., device info); interests; demographic information; location data where users have consented. 
  • Service providers used: 
    1. Google services (Google Analytics, Google Ads, Google Remarketing, DoubleClick) – Provider: Google Ireland Limited, Dublin, Ireland; international transfers with safeguards; legal basis: consent (Art. 6(1)(a) (UK) GDPR). 
    2. TikTok Analytics – Provider: TikTok Technology Limited, Dublin, Ireland; international transfers with safeguards; legal basis: consent (Art. 6(1)(a) (UK) GDPR). 
    3. Adform – Provider: Adform A/S, Silkegade 3B, 1113 Copenhagen K, Denmark; international transfers with safeguards; legal basis: consent (Art. 6(1)(a) (UK) GDPR). 
    4. Outbrain Amplify – Provider: Outbrain UK Limited, First Floor, Craven House, 121 Kingsway, London WC2B 6PA, United Kingdom; international transfers with safeguards; legal basis: consent (Art. 6(1)(a) (UK) GDPR).
    5. Taboola – Provider: Taboola Germany GmbH, Alt‑Moabit 2, 10557 Berlin, Germany (group locations worldwide); international transfers with safeguards; legal basis: consent (Art. 6(1)(a) (UK) GDPR). 
    6. Facebook Custom Audiences – Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland; international transfers with safeguards; legal basis: consent (Art. 6(1)(a) (UK) GDPR). Users can adjust ad preferences in their account settings. 
    7. Pinterest Conversion Insights – Provider: Pinterest Europe Ltd., Palmerston House, Fenian Street, Dublin 2, Ireland; international transfers with safeguards; legal basis: consent (Art. 6(1)(a) (UK) GDPR). 

VII. Other services 

  1. Playing videos via bunny.net 
    • Provider: BunnyWay d.o.o., Dunajska cesta 165, 1000 Ljubljana, Slovenia 
    • Purpose: Embedding videos via iFrame; server log files may record activity (pages visited), device/browser information (including IP address, operating system), and interactions with the embedded video. 
    • Legal basis: Art. 6(1)(f) (UK) GDPR (legitimate interests in secure and efficient provision and improved stability/functionality). 
  2. Embedding reviews via Judge.me
    • Provider: Judge.me Ltd, c/o Buckworths, 1–3 Worship Street, London EC2A 2AB, United Kingdom 
    • Purpose: Enable users to write and publish product reviews on product detail pages. 
    • International transfers may occur; appropriate safeguards are used where required. 
    • Legal basis: Depending on use, Art. 6(1)(b) (UK) GDPR (performance of contract for submission/publishing of your review) and/or Art. 6(1)(f) (UK) GDPR (legitimate interests in providing user reviews). 

VIII. Advertising and newsletters 

  1. With your consent, you can subscribe to our newsletter to receive information about current offers. The advertised goods and services are described in the consent declaration. 
  2. We use a double opt‑in procedure (confirmation email). We also store IP addresses and timestamps of registration and confirmation to document your consent and investigate possible misuse. 
  3. Mandatory information for sending the newsletter is your email address; further data marked as optional helps us address you personally. After confirmation, we store your email address to send the newsletter. Legal basis: Art. 6(1)(a) (UK) GDPR (consent). 
  4. You can withdraw your consent and unsubscribe at any time via the link in each newsletter or via the contact details in our imprint. 
  5. Newsletter analytics: We evaluate user behavior (web beacons/tracking pixels; individual IDs linked with your email address; links contain this ID). If images are blocked by default in your email program, tracking is not possible; if you load images, tracking occurs. Legal basis: Art. 6(1)(a) (UK) GDPR (consent to newsletter and associated tracking). 

IX. Data access from THG (separate controller) for Dr. Wolff’s direct marketing and market analysis 

  1. Dr. Wolff may be granted access to customer data relating to purchases with THG for the purpose of direct advertising and customer relationship management, insofar as legally permitted and you have consented or, where no express consent is necessary, not objected. This may include your contact details and limited purchase metadata to send you direct marketing about our products. Legal basis: Art. 6(1)(f) (UK) GDPR (legitimate interests) or Art. 6(1)(a) (UK) GDPR (consent), as applicable under UK/EEA law. You can opt out at any time by clicking the unsubscribe link in our emails or by contacting us at alpecinsupport@thgingenuity.com. We will stop sending you marketing emails if you opt out.
  2. Dr. Wolff may, to the extent permitted by law, access and evaluate customer data from purchases at THG for market analysis. Legal basis: Art. 6(1)(f) (UK) GDPR (legitimate interests).  
  3. Separation of responsibilities 
    • Checkout, payment, fulfillment, and associated processing are performed by THG as separate data controller (see Part B). Dr. Wolff does not process payment details or other data necessary for contract execution/fulfillment. 
  4. Categories of data accessed 
    • Identification and contact details (e.g., name, email address, postal address) 
    • Purchase‑related data to the extent necessary (e.g., product categories purchased, date of purchase, order value) 
    • In each case limited to what is required for the purposes above. 

X. Security of processing 

To prevent unauthorized access to your personal data, transmissions are encrypted using TLS/SSL where applicable. Further technical and organizational measures are implemented pursuant to Art. 32 (UK) GDPR.

B. THG Ingenuity – Checkout and sales (separate controller)

THG acts as the seller to customers and as a separate controller for all processing of personal data in connection with the checkout, payment, order fulfillment, returns, and customer service for purchases.  

I. Controller and contact 

II. Scope and purposes of processing at checkout 

  • We collect personal data from you when you provide it to us directly and through your use of the Site.  We also automatically collect personal data related to your use of the Site and interactions with us and others, e.g. using cookies and pixel tags, as well as information we derive about you and your use of the Site. The personal data we process includes the following categories of data: Identification and contact data; delivery/billing address; order details; payment method and transaction data; communication history; returns/warranty data; device and network information collected during checkout; fraud/risk signals. 
  • Depending on how you use the Site, your interactions with us, and the permissions you give us, the purposes for which we use your personal data include: Contract execution (performance of a contract); payment processing and delivery (performance of a contract); fraud prevention and security (legitimate interests); and compliance with legal obligations such as tax and record-keeping requirements. 

III. Legal bases 

We rely on the following legal bases under data protection law to process your personal data: 

  • Art. 6(1)(b) GDPR – performance of a contract or pre‑contractual measures. Where the processing is necessary to perform a contract with you, or take steps prior to entering into a contract with you (e.g. where you express an interest in purchasing products or services from us). 
  • Art. 6(1)(c) GDPR – compliance with legal obligations. In very limited cases, where it is necessary to comply with a legal obligation which we are subject to. 
  • Art. 6(1)(f) GDPR – legitimate interests (e.g., fraud prevention, IT and payment security), if applicable.  Where it is in our legitimate interests as an e-commerce provider to maintain, promote and protect our business and services. We are always seeking to understand more about our customers in order to offer the best products and customer experience. We use information about you to tailor your view of the Site, to make it more interesting and relevant in respect of the products, services and offers on view. 
  • Art. 6(1)(a) GDPR – consent (e.g., marketing by THG or optional features), if applicable.  Where we have obtained your consent (e.g. if you consent to receive marketing from us or agree to the use of non-essential cookies).  If you have consented to a processing activity, you can withdraw your consent at any time.   

IV. Recipients and categories of recipients 

We may share your personal data with third parties, for the purposes described above, in the following circumstances: 

  • With other companies in our group of companies. 
  • With our suppliers and service providers who process the data on our behalf, e.g., payment processors. 
  • With our professional and legal advisors. 
  • With third parties engaged in fraud prevention and detection. 
  • With third party platforms, providers and networks.  We may disclose or make available personal data to third party platforms and providers that we use to provide the Site and its features. We may also make personal data available to third parties in support of our marketing, analytics, advertising and campaign management.  
  • With law enforcement or other governmental authorities, e.g., to report a fraud or in response to a lawful request. 
  • To comply with legal obligations. We may share personal data with third parties to comply with our legal and compliance obligations and to respond to legal process e.g. in response to subpoenas, court orders, and other lawful requests by regulators and law enforcement and government bodies.  This may include responding to national security or law enforcement disclosure requirements and disclosures that we are required to make under applicable laws, such as the names of sweepstakes and contest winners. 
  • Otherwise, where we have your consent or are legally permitted to do so. 

V. International data transfers 

  • We use service providers, and have group companies, in countries around the world. Your personal data may therefore be processed in countries outside of Europe, including in countries where you may have fewer legal rights in respect of your data than you do under local law. If we transfer personal data outside your territory we will ensure that your privacy rights are adequately protected by appropriate safeguards. Please contact us if you would like more information about these safeguards.  

VI. Retention 

  • We will keep your personal data in line with our data retention policy, for as long as we need it for the purposes set out above, so this period will vary depending on your interactions with us.  

VII. Security 

  • We implement appropriate technical and organisational security safeguards to protect your data from loss, misuse, and unauthorised access, disclosure, alteration and destruction. We also maintain ISO 27001 and PCI DSS (Payment Card Industry - Data Security Standard) security certifications. 
  • However, please be aware that it is impossible for any company to guarantee the absolute security and integrity of the information that has been transmitted to its website.  

VIII. Children  

  • The Site is not intended for, and should not be used by, children under the age of 18. We do not knowingly collect personal data from children under 18. 

IX. Data subject rights vis-à-vis THG 

  • You have choices regarding our processing of your personal data as described in this section.
  • Your rights under GDPR include the rights of access, rectification, erasure, restriction, portability, objection.  Common rights include the right to: 
    • Ask for a copy of your personal data, make corrections to your personal data, and in some cases e.g. where our purposes for processing have come to an end, ask us to delete it. 
    • Object to our use of your personal data in certain situations, including where we use your personal data for direct marketing.  
    • Transfer your personal data, in certain circumstances, to another provider, in a commonly used format. 
    • Complain to the data protection regulator in your country.    
  • We will comply with any requests to exercise your rights in accordance with applicable law.  
  • You can exercise your rights by contacting customer.experience@thehutgroup.com. 

X. Cookies and Personalisation 

  • Cookies and tracking technologies. We and our third party service providers use cookies, pixels, local storage objects, log files, APIs, and similar technologies to automatically collect browsing activity, device and similar information within the Site. 
  • We use this information to provide functionality on the Site, to understand and measure Site performance, to understand how users access, use and interact with others, and to deliver targeted advertising and content on our Site and third party sites.   
  • We also use it to identify and resolve bugs and errors in the Site and to assess, secure, protect, optimise and improve the performance of the Site.  
  • Manage your preferences.  You can manage your preferences for cookies and personalisation used by us as explained below. 
  • Cookie preference tool. You can review and update your cookie preferences for the Site and opt out of most cookies and trackers on the Site (other than those that are strictly necessary) within the Cookie Preference Tool.  Your preferences are browser and device specific so you need to set the preference for each browser and device you use to access the Site.  If you delete or block cookies, you may need to reapply these preferences.   
  • Please note that opting out of cookies and trackers on the Site does not mean that you will no longer see ads from us. You may continue to see generic or “contextual” ads.   

XI. Changes to this Notice 

  • This Notice is current as of the Effective Date stated above. We may change this Notice from time to time, so please be sure to check back periodically. If we make material changes we will alert you e.g. by posting a prominent notice on the Site or via email. 

XII. Contact Us