Data Privacy Statement

Welcome to Tchibo GmbH’s Qbo Website. Protecting your privacy is a top priority for us. We collect and use your personal data solely within the scope of the valid data protection regulations.
Our employees and contractors are obliged to comply with the provisions of data protection regulations in accordance with the law.

In the following, we would like to tell you about how, why and to what extent we collect and use personal data. You can call up this information at any time on our website. This information relates to the use of the service using a PC, smartphone, tablet and all other internet-capable terminal devices, the associated processing of your personal data and your rights. The statements can be accessed at any time online at

Provision of website 

The following data is processed when you call up our website.


Legal foundation for processing

Purpose of processing

Browser data (date and time of access, URL (address) of referring website, file accessed, volume of data sent, browser type and version, operating system, IP address)

Art. 6 Para. 1 lit. f GDPR

Creation of connection to website (= justified interest)

Web analysis data*

Art. 6 Para. 1 lit. f GDPR

Range measurement, website optimization, interest-based advertising (justified interest)

Google reCAPTCHA data

Art. 6 Para. 1 lit. f GDPR

Protection of internet forms (= justified interest)


Web analysis*

To allow us to constantly improve and optimize the contents and user-friendliness of our website, we use analysis technologies provided by Matomo (formerly Piwik), [Innocraft Ltd., 150 Willis St, 6011 Wellington, New Zealand], as well as New Relic [New Relic, Inc., 188 Spear St., Suite 1200, San Francisco, CA USA 94105]. In this, the session and interaction data is collected and statistically evaluated. Cookies are used for this purpose. At no point is the session and interaction data processed in personal form; this is always done anonymously.


The length of function of the cookies used is limited to max. 1 year, unless otherwise stated in the following. A cookie is a tiny text file that allows a website to recognize a browser again. Cookies are placed in a text file on the computer and called up and read again the next time the web server is called up. As a user, you can decide for yourself, via your browser settings, if you want to allow, block or delete cookies, and if so, which ones.  


If you do not agree to the storage and evaluation of your data from your visit, using Matomo and NewRelic, you can cancel storage and use at any time just by clicking with the mouse afterwards.



Warning:  If you delete your cookies, this means that the opt-out cookie is also deleted and may thus need to be reactivated by you. Independently of traffic analysis, the website processes the following system information:

•    Anonymized IP address

•    Opt-In/Opt-Out status (local)

However, you can also cancel data collection and storage for the purposes of website optimization at any time with effect for the future using the following opt-out link . Using this link, you can manage your preferences relating to use-based online advertising. If you submit an objection to a particular provider to use-based online advertising using the preference manager, this only applies for the particular business data collection via the web browser just used. Preference management is cookie-based. Deleting all your browser cookies means that the preferences that you set up using the preference manager will also be deleted.  


Cookies & range measurementg 

1. Like many other websites, we also use so-called "cookies". This standard technology uses small text files that are transmitted from our web server or third-party web servers to the user's web browser and stored there for later retrieval. Cookies can be small files or other types of information storage. Cookies make it possible to make visiting a website more comfortable or safer. Cookies can also be used to better tailor the offer on a website to the interests of visitors or to improve it in general based on statistical evaluations. Processing takes place in accordance with Art. 6 Para. 1 lit. f GDPR based on our legitimate interest in a user-friendly design of our website.


2. We use "session cookies" that are only stored on our online presence for the duration of the current visit (e.g. to enable the use of our online offer at all). A randomly generated unique identification number, a so-called session ID, is stored in a session cookie. A cookie also contains information about its origin and the storage period. These cookies cannot save any other data. Session cookies are deleted when the use of our online offer has ended, and you e.g. log out or close the browser.


3. In addition to "session cookies", this site also uses other types of cookies. Some cookies are set by third parties that appear on our pages. When the user visits our website for the first time, the user is asked to check our cookie consent and then either accept or reject our cookies. Consent can be changed and revoked at any time using the link below:



We collect this consent and input through our cookie consent management tool ("OneTrust"), provided by OneTrust, LLC (UK headquarters: Cannon Green, 27 Bush Lane, London EC4R 0AA, UK and US headquarters: 1350 Spring Street NW, Suite 500, Atlanta, Georgia 30309, USA). OneTrust is used to save the cookie settings for the entire website. OneTrust stores information about the categories of cookies used by the website and whether the users have given or have withdrawn their consent to the use of the individual categories. This enables us to prevent cookies from being set in each category in the user's browser if no consent is given. OneTrust uses cookies for information storage that have a normal lifespan of one year, so that the preferences of returning visitors are saved. OneTrust is also certified under the Privacy Shield Agreement and thereby offers a guarantee to comply with European data protection law (



5. Users are informed about the use of cookies in the context of pseudonymous range measurement in the context of this data protection declaration. The use is based on the consent of the recipient in accordance with Art. 6 para. 1 lit. a, in conjunction with § 7 Para. 2 No. 3 UWG or on the basis of the legal permission acc. 7 para. 3 UWG. Consent is recorded by the cookie consent management tool ("OneTrust").


6. If the users do not want cookies to be stored on their computer, they can deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.


7. You can also use online advertising based on usage by many companies via the deactivation page of the network advertising initiative ( and additionally via the US website ( or the contradict European website (


8. The provision of the aforementioned personal data is neither required by law nor by contract. Without this data, however, the service and functionality of our website cannot be guaranteed. In addition, individual services and services may not be available or restricted.


New Relic
We are using a plugin of the analytics service “New Relic” by New Relic Inc., 188 Spear Street, Suite 1200 San Francisco, CA 94105, USA.

The system is hosted in a secure data centre in Germany. All data submitted to New Relic Inc. only contains anonymous information apart from a user id and machine ids.

New Relic collects and saves this data for us to analyse user behaviour for optimization and marketing purposes. For this matter user profiles are being generated anonymously that cannot be traced back to real users. We are using this data for error analyses and technical improvements only.

New Relic collects the following in-app performance data and only when the Qbo App is active:

•    Frequency of the usage and interactions

•    Display time of individual components

•    Order of actions

•    Type of network connection

Legal grounds for processing data are to ensure the network and information security of our IT systems.

Countries outside of the European Union (and the European Economic Area (EEA)) may deal with personal data differently from countries within the European Union. To ensure the same level of protection special measures have to be taken care of. New Relic Inc. complies with the EU-US and Swiss-US Privacy Shield Frameworks as set forth by the US Department of Commerce regarding the collection, use and retention of personal data transferred from the EU, the United Kingdom and Switzerland to the United States in reliance on Privacy Shield. New Relic, Inc. has certified to the Department of Commerce that it adheres to the Privacy Shield Principles in respect of all personal data received from the EEA, the United Kingdom and Switzerland in reliance on the Shield.

The certification can be found here:

The collected data is being deleted latest after 90 days.

For more information about the extend of data collection through New Relic and the resulting rights and settings to protect the privacy of users head over to:

Use of Google Maps
To display map material, this website uses "Google Maps API" provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland (Google). When Google Maps is used, Google also collects, processes and uses data about the use of the Maps functions by users of the web pages. The conditions of use for Google Maps can be accessed at Conditions of use for Google Maps. You will find further information about Google’s data protection guidelines at:

Our website uses the Vimeo interface, which is operated by Vimeo, Inc., 555 West 18th Street, New York, New York 10011 (“Vimeo”). We try to protect our users by measures on the website so that your browser does not automatically call up a direct connection with the Vimeo servers. Only actively clicking on the video button installed by us creates a connection to Vimeo and loads the video. We have no influence on the extent of the data that Vimeo collects with the button, but we assume that your IP address is captured. We do not actively forward any data to Vimeo. You can find out the purpose and extent of data collection by Vimeo and how Vimeo further processes and uses the data, along with your rights in this respect and settings options for protecting your privacy from Vimeo’s data protection statements:

Google reCAPTCHA
On our contact forms, we use the reCaptcha service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland (Google) to protect ourselves against spam and misuse. This service allows us to distinguish whether an entry has been made by a person or improperly through automated machine processing.

To determine this, Goggle places a cookie in your browser when you use the reCaptcha service and collects and processes the following data:

Referrer URL (address of the page on which Captcha is used)

Browser, browser size and resolution, browser plug-ins, date, language setting

Mouse or touch events within the reCaptcha box

Allocation to a Google account (if you are logged in with Google when you use the reCaptcha service, this is recognized and allocated)

Your input behavior (e.g. Answering the reCAPTCHA question, speed of entry in the form boxes, sequence of selection of input fields by the user) is processes in order to improve sample recognition at Google.

In addition, Google reads out the cookies from other Google services such as Gmail, Search and Analytics. All the data listed is encrypted and sent to Google. Google’s subsequent appraisal decides in which form the Captcha is shown on the page – in the form of a checkbox or as a text entry. No personal data from the input fields of the form in question is read or saved. Further information about Google’s privacy policy is available at


Qbo Newsletter

Our site offers you the chance to register for our Newsletter free of charge. The following data is processed within the Newsletter registration:


Legal foundation for processing

Purpose of processing

Newsletter data (e-mail address, consent data)

Art. 6 Para. 1 lit. a GDPR

Sending of an e-mail newsletter*, prevention of abuse of the service and the e-mail address


*Data is only used for this purpose if you have given your consent for this. In this case, we also log the consent granted by you.


You can register to take part in competitions on our website. The following data is processed when you register to take part in competitions:


Legal foundation for processing

Purpose of processing

Competition data (e-mail address, consent data)

Art. 6 Para. 1 lit. a GDPR

Information about the competition according to the Conditions of Entry


*Data is only used for this purpose if you have given your consent for this. In this case, we also log the consent granted by you.

Contact form and e-mail contact

Our website provides a contact form which can be used to make contact electronically. Alternatively, you can contact us using the e-mail address provided. If you make use of this possibility to contact us, the following data is processed.  


Legal foundation for processing

Purpose of processing

Contact form data (first name, surname, e-mail address)

Art. 6 Para. 1 lit. a GDPR

Communication relating to contact


*Data is only used for this purpose if you have given your consent for this. In this case, we also log the consent granted by you.


Forwarding personal data

Our agreements on contact center services are concluded on the basis of the EU General Data Protection Regulation (EU Regulation 2016/679), effective since May 25, 2018. All partners are obliged to implement and comply with the requirements of Art. 28 GDPR (order processing) The provision of the contractually agreed data processing takes place exclusively in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area. Any relocation to a third country requires the prior consent of the client and may only take place if the special requirements of Art. 44 ff. GDPR are met.

The following contractual partners are responsible for handling:


  • CareByPhone GmbH, Am Pferdewasser 10, 24937 Flensburg
  • Teleperformance Germany S.ä.r.l. & CO. KQ, Martin-Schmeißer-Weg 18, 44227 Dortmund
  • CCC Competence Call Center GmbH Stralauer Allee 2 10245 Berlin
  • BPO BPO Nextdoor, V. Velykoho Str. 2 , 79026, Lviv, Ukrajne

Within the scope of our website services, we forward personal data to the following recipients or categories of recipients:

Recipient or categories of recipients:

Non-EU country

Forwarding to public offices or upon instruction by the courts

Upon instruction by the competent office we must provide information in individual cases about personal data (inventory data) if this is necessary for the purpose of criminal prosecution, protection against danger, to comply with the statutory provisions of the constitution protection authorities or the military counter-intelligence services or to enforce rights to intellectual property.



Social plug-ins

We do not integrate social plug-ins into our website so that we can protect your privacy when you visit our website. We have only included graphic links to social network providers (e.g. in our website. This means that it is not possible for your browser initially to create a direct connection with the server of the social network provider. Tchibo GmbH does not accept any liability for the data protection guidelines and procedures on linked websites.



Google reCAPTCHA
To protect our internet forms, we also use the reCAPTCHA service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland (Google). This service includes providing Google with your IP address and if applicable further data need for the reCAPTCHA service. Such data is covered by Google’s various privacy policies. You will find further information about Google Captcha privacy policies here: Google is covered by the EU-US Privacy Shield.

A transmission of your data in the USA can not be excluded

Tchibo (Schweiz) AG, Birkenweg 4, 8304 Wallisellen



Eduscho (Austria) GmbH, Wien, Austria


Atlassian Jira / Confluence, 1098 Harrison St, San Francisco, CA 94103, USA


Vimeo Inc., 555 West 18th Street, New York, New York 10011


Bornholdt Lee GmbH, Ludwig-Erhard-Strasse 18, 20459 Hamburg


Atlantis media GmbH, Haferweg 26, 22769 Hamburg


Episerver GmbH, Wallstrasse 16, 10179 Berlin


Plusserver, Hohenzollernring 72, 50672 Köln


Amazon Web Services, 410 Terry Avenue North, Seattle WA 98109, USA


Amazon Europe Core S.à r.l. (Société à responsabilité limitée), 5 Rue Plaetis, L-2338 Luxemburg


CareByPhone GmbH, Am Pferdewasser 10, 24937 Flensburg


Teleperformance Germany S.ä.r.l. & CO. KQ, Martin-Schmeißer-Weg 18, 44227 Dortmund


CCC Competence Call Center GmbH, Stralauer Allee 2 10245 Berlin


BPO BPO Nextdoor, V. Velykoho Str. 2 , 79026, Lviv, Ukrajne


LogMeIn Ireland Limited, Bloodstone Building Block C, 70 Sir John Rogerson`s Quay, Dublin 2, Ireland


Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA


New Relic Inc., 188 Spear St., Suite 1200, San Francisco, CA USA 94105


Uptime Informations-Technologie GmbH, Süderstraße 282-288, 20537 Hamburg


Apple Distribution International, Internet Software & Services, Hollyhill Industrial Estate, Hollyhill, Cork, Republic of Ireland


Crashlytics & Google Play Developer, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA



Your data will only be forwarded to associated companies and service partners if they are operating on our behalf and supporting Tchibo GmbH in the provision of its services. The above-mentioned service-providers are only given access to such personal information as is necessary for the fulfillment of the activity in question, such as providing advice on the Service Hotline to do with your machine or your Qbo Profile that you can set up using the Qbo App. These service-providers are not allowed to use your personal information for any other purposes, particularly for their own advertising purposes. If necessary under the law, contractual agreements have been concluded with these service-providers to protect your personal information. Unless otherwise expressly stated, these are mainly service-providers within the European Economic Area (EEA).


Forwarding personal data to non-EU countries

In this context, we forward personal data to the following non-EU countries:

  • Switzerland
  • USA

To ensure an appropriate level of data protection in these non-EU countries, adequacy decisions have been granted by the EU Commission or appropriate, suitable guarantees have been given in the form of:

  • EU standard contract clauses (we can provide a copy on request);
  • EU-US Privacy Shield certifications (with Implementing Decision (EU) 2016/1250 of the EU Commission of 12 July 2016, the level of protection of the EU-US Privacy Shield is recognized as the equivalent of the level of protection of the EU in this respect);

The adequacy of the data protection level provided in Switzerland was determined with the Adequacy Decision of the EU Commission (2000/518/EC). You can find further information about the recognition of secure non-EU countries on the EU Commission website. 


Obligation to provide personal data and automated decision-making

You are not obliged by law or contract to provide personal data. The provision of personal data is not necessary in order to conclude a contract.
There is no automated decision-making including checking accord to Art. 22 GDPR. 



Storage duration


We process and save your personal data where necessary for the duration of our business relationship, which also includes, for example, setting up and processing a contract and the regular expiration period of three years to defend against or to submit any legal claims.

In addition, we are governed by various retention and documentation obligations arising, for example, from the German Commercial Code (HGB) or the German Tax Code (AO). The periods given there for the retention of data are between six and ten years. During this time, the processing of data is limited. The retention period starts with the end of the calendar year in which the offer was given or the contract fulfilled. For example, accounting records required under commercial or tax legislation must be kept for ten years, and documents relevant for contracts and taxation must be kept for at least six years.

In legal matters being handled by lawyers, the associated data is kept for at least six years, and with enforcement orders, the storage duration may be up to thirty years because of the expiration regulations.

IP addresses are generally stored temporarily to make the connection; if we use these beyond this for website optimization or for advertising purposes, these are made anonymous immediately and only further processed anonymously. The length of function of cookies is limited to one year.

If you have given us consent for data processing, the data associated with the granting of the consent will be kept for the duration of the processing and, after this has been completed, for a further three years within the expiration term.


Your rights

You have the following rights:

  • Under Art. 15 GDPR, to request information about your personal data processed by us;
  • Under Art. 16 GDPR, to request immediately the correction or completion of any incorrect or incomplete personal data about you held by us;
  • Under Art. 17 GDPR, to request the deletion of personal data about you held by us;
  • Under Art. 18 GDPR, to request the restriction of the processing of personal data about you held by us;
  • Under Art. 20 GDPR, to be sent your personal data which you have provided to us, in a structured, standard, machine-readable format or to request that they are forwarded to another responsible party;
  • Under Art. 21, to submit an objection (i) under certain conditions to the processing of your personal data which is being carried out on the basis of Art. 6 Para. 1 lit. e GDPR (in the public interest) or on the basis of Art. 6 Para. 1 lit. f GDPR (to safeguard a justified interest), or (ii) against the processing of data for the purposes of direct marketing;

  • Under Art. 7 Para. 3 GDPR, to cancel the consent given to us at any time. This also applies for the cancellation of declarations of consent given to us before the introduction of the General Data Protection Regulation, i.e. before 25 May 2018. The consequence of this is that we are no longer allowed to continue data processing on the basis of this consent for the future, without affecting the legal validity of the processing carried out on the basis of this consent until its cancellation;
  • ​Under Art. 77 GDPR, to complain to a supervisory authority.


Contact data of responsible party and data protection officer

If you have any further questions about data protection, please contact us. If you have any questions about the processing of your personal data or about applying your statutory rights as a party affected, please contact:

Responsible party:

Tchibo GmbH 
Überseering 18
22297 Hamburg 
Telefon: +49 40 6387 0

Statutory representative:

Thomas Linemayr (Chair), 
Ulf Brettschneider, 
Dr. Jens Köppen

Chair of the Supervisory Board: 
Michael Herz 

Data protection officer:

Tchibo Data Protection Team 




The website provides links to other websites which might be of interest to you. With links to other websites, no personal information is forwarded to the third-party providers of the website. Tchibo GmbH is not responsible for the privacy practices of other websites or their content. It may be, therefore, that the privacy statements on the Tchibo GmbH website differ from the privacy policies of other websites. We recommend that you also read the other privacy policies.

Google Webfonts

To display fonts in the integrated services Google Maps and Google ReCaptcha this page uses script libraries and font libraries known as webfonts. These are provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland (Google)( For this, when you access the services in question, your browser downloads the required webfonts to your browser cache to avoid multiple downloads. This is also necessary in order for your browser to be able to display a visually optimized representation of these texts. If your browser does not support this function, your computer will use a standard front for the display.
Calling up these script libraries or font libraries automatically triggers a connection between the user's computer and the Google server, with the consequence that the IP address is also transmitted. You will find further information about Google webfonts at You will find general information about data protection at Google at



Changes to the Privacy Policy


We reserve the right to change or adapt this Privacy Policy at any time in consideration of the valid data protection regulations.

If you have any queries, please contact