Privacy Policy Intershop Service Portal (Service Now)

Thank you for visiting our website. In the privacy policy, we would like to inform you about the handling of your data in accordance with Art. 13 of the General Data Protection Regulation (GDPR).


The controller for the data processing described below is:

Intershop Communications AG
Steinweg 10
07743 Jena
Tel.: +49 3641 50-0

Usage data

When you visit our websites, our web server temporarily evaluates so-called usage data for statistical purposes in order to improve the quality of our website. This data consists of the following data categories:

  • the name and address of the requested content,
  • the date and time of the query,
  • the amount of data transferred,
  • the access status (content transferred, content not found),
  • the description of the used web browser and operating system,
  • the referral link, which indicates from which page you reached ours,
  • the IP address of the requesting computer, which is shortened in such a way that a personal reference can no longer be established.

The aforementioned log data will be evaluated anonymously.

The legal basis for the processing of usage data is Art. 6 (1) (f) GDPR. The processing is based on the legitimate interest of providing the contents of the website and ensuring a device- and browser-optimized display.

Data security

In order to protect your data as comprehensively as possible from unwanted access, we implement technical and organizational measures. These measures include encryption procedures on our websites. Your data is transferred from your computer to our server and vice versa via the internet using TLS encryption. You can usually recognize this by the fact that the lock symbol in the status bar of your browser is closed and the address line begins with https://.

Necessary cookies

We use cookies on our websites, which are necessary for using our websites. Cookies are small text files that can be stored on and extracted from your device. There is a difference between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored for more than the duration of the session.

We do not use these necessary cookies for analysis, tracking or advertising purposes. In some cases, these cookies only contain information on certain settings and are not linked to a person. They may also be necessary to enable user guidance, security and operating of the site. The legal basis for using these cookies is our legitimate interest according to Art. 6 (1) (f) GDPR and § 25 (2) TTDSG.

You can set your browser to inform you about the use of cookies. You can also delete cookies or prevent the setting of new cookies at any time by using the appropriate browser settings. Please note that if you delete certain cookies, our websites may not be displayed correctly and some functions may no longer be available.

In the following you find cookies usually found with the Service Now Platform. Unless otherwise stated, all cookies utilized by the platform are required for correct functionality.

Name Expiration Provider Description Category
BigIP Session Service Now The BigIP cookie is used for load-balancing decisions and absolutely no customer data is disclosed. Third Party
glide_user 15 days Service Now This cookie is relevant when the “remember me” checkbox is enabled. The duration for cookie expiration can be tuned with the ”glide.ui.user_cookie.life_span_in_days” system property.
Third Party
glide_user_activity Session Service Now The glide_user_activity prevents the log-out of an active user who did not opt-in to the 'Remember Me' option. It renews periodically if the user is active during the session. Its presence is to detect if there is any activity being performed on the users' end so that the session won't lock out the user during an active session. It will help the server to refresh the session. Third Party
glide_user_route 231-1 seconds (roughly 24, 855 days) Service Now Please note that some web browsers enforce a maximum limit for the lifespan of a cookie, and the values observed in certain web browsers may be much lower. For example, in the Google Chrome web browser a maximum limit of 400 days is applied. Third Party
glide_session_store 30 minutes Service Now 30 minutes The 'glide_session_store' was added to preserve the session when moving customers from one node to another. Having it enabled will make sure their users are not logged out in case we fail them over from one data center to another. However, it is not recommended but you can disable it by adding the following property:
• Name:
• Type: True|False
• Value: false
The purpose of the glide_session_store cookie is for the user to recover some of the session states when the main session has been lost, e.g. when the user has been redirected to an instance different from the instance on which the session was established. Whenever a new user session is established, the glide_session_store cookie is updated. Whenever the navigation history changes, the data associated with the glide_session_store cookie is updated. The glide_session_store cookie is not used for authentication and cannot be used to authenticate. It is used only for the partial restoration of the state. Other cookies, however, such as the glide_user_activity cookie, do play a role in authentication.
Third Party
glide_sso_id 6004 days Service Now Please see the note for "glide_user_route" above, associated to web browser limits. Third Party
JSESSIONID Session Service Now The 'JSESSIONID' cookie is a session cookie created by the application when the user first logs into the application and is created by the underlying server to maintain the session attributes of the user session. Third Party
glide_user_session Session Service Now This cookie is relevant when the “remember me” checkbox is enabled. Third Party
BAYEUX_BROWSER Session Service Now The cookie is used by the CometD library that we use in the platform. Bayeux protocol and CometD are used for long polling. Bayeux is a protocol for transporting asynchronous messages, primarily over HTTP. CometD is a scalable HTTP-based event routing bus that uses an AJAX push technology pattern known as Comet. It implements the Bayeux protocol.
Long polling, also called Comet programming, allows the emulation of an information push from a server to a client. Similar to a normal poll, the client connects and requests information from the server. However, instead of sending an empty response if the information isn't available, the server holds the request and waits until the information is available (an event occurs). The server then sends a complete response to the client. The client then immediately re-requests information. The client continually maintains a connection to the server, so it's always waiting to receive a response. In the case of server timeouts, the client connects again and starts over.
For transports based on HTTP (long-polling and callback-polling), CometD sends an HTTP cookie with the handshake response, marked as HttpOnly, called BAYEUX_BROWSER (see Configuring the Java Server). The CometD implementation, on the server, maps this cookie to a legit session id during the processing of the handshake request message. For every subsequent message, the browser will send the BAYEUX_BROWSER cookie to the server and the CometD implementation will retrieve the session id from legit sessions that have been mapped to the cookie, rather than from the message (where it could have been altered).
Third Party
__CJ_g_startTime 1 hour Service Now The "__CJ_g_startTime" cookie is set by certain UI pages to mark the loading start time of a page and does not contain any sensitive information. Third Party
__CJ_g_tabs2_list or __CJ_tabs2_section 1 hour Service Now There can be multiple cookies prefixed by __CJ_tabs2_list_* and __CJ__tabs2_section_*. These cookies are set by certain UI pages to mark the loading of various tabs & sections on a page and do not contain any sensitive information. The tabs2 cookies are set by the form's tabs code and read by it to restore the user's preferred section or related list tab on the next form load. Without them, a user will have their section and related list tabs reset to the first one on each form load. Third Party
sn-chatbot-deviceid Session Service Now This is a session management cookie related to chat functionality. It is a JavaScript-based UUID and does not contain any sensitive or user-identifiable information. Third Party
glide_language Session Service Now This cookie is set when the 'com.glide.sys.glide_language_cookie_enabled' property is enabled. The cookie contains a language ID used for the correct localization of guest users and does not contain sensitive information. Third Party
glide_user_edge Session Service Now This cookie contains information related to the user's time zone, date time format, and date format, which is utilized when Edge Encryption Proxy is enabled and does not contain sensitive information. This cookie is destroyed when the session is terminated. Third Party
atf_session_cookie Session Service Now This cookie is utilized by the Automated Testing Framework when the property 'sn_atf.runner.enabled' is set. It is used for rollback recording. Third Party
glide_mfa_remembered_browser 8 hours Service Now The duration for cookie expiration can be tuned with the “glide.authenticate.multifactor.browser.fingerprint.validity” system property.
Third Party

Registration and Service Portal for registered users

If you wish to use our user area, prior registration is necessary. Upon contract closure, Intershop will register the authorized main contact persons of a customer upon request. As a standard user, you can register through the authorized main contact person of your employer. This main contact person will create and enable your account in our service portal for you. For contacts, we only collect the data required for registration and provision of the service. This includes your name, your business e-mail-address and your company registration. In our Service Portal, you can create incident tickets and track their processing. For this purpose, we store your contact details in the portal, manage your authorization to access the system and link your contact details to the incident tickets and reports you create. We can also use the incident tickets for training purposes. Your employer's main contact person can deactivate your account in our portal via the self-service. After deactivation, your contact information will still be available in our system and may be linked to existing incident tickets, but it will no longer be possible to log in. If you wish to permanently unsubscribe from Service Portal (objection), please contact us. The processing is based on Art. 6 (1) (f) GDPR in our legitimate interest to provide you with the services and information you can access after registration and to improve our services.

We store your account data until a deletion is requested or for up to 3 years after your account has been deactivated. We store incident tickets for up to 15 years. If you request deletion or become inactive, we will anonymize the incident tickets you have created after 3 years.

Storage period

Unless we have already informed you in detail about the storage period, we delete personal data when they are no longer required for the aforementioned processing purposes and no legitimate interests or other (legal) reasons for storage prevent deletion.

Data processors

We share your data with service providers that support us in the operation of our websites and the associated processes as part of data processing on behalf of the controller pursuant to Art. 28 GDPR. These are, for example, hosting service providers. Our service providers are strictly bounded by our instructions and are contractually obligated accordingly.

In the following, we will name the processors with whom we work, if we have not already done so in the above text of the data protection declaration. If data may be processed outside the EU or the EEA in this context, we inform you about this in the following table.

Processor Purpose Adequate level of data protection
Service Now, Inc. (USA) Webhosting and Support For transfers to the U.S., an adequate level of data protection is ensured due to the certification of the provider under the adequacy decision (EU-U.S. Data Privacy Framework).

Your rights as a data subject

When processing your personal data, the GDPR grants you certain rights as a data subject:

Right of access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether personal data of you is being processed; if this is the case, you have the right to obtain information about the processed personal data and to receive the information listed in detail in Art. 15 GDPR.

Right to rectification (Art. 16 GDPR)

You have the right to request the rectification of any inaccurate personal data relating to you and, where applicable, the completion of any incomplete data, without delay.

Right to erasure (Art. 17 GDPR)

You have the right to request the erasure of your personal data without delay, provided that one of the reasons listed in detail in Art. 17 GDPR applies.

Right to restriction of processing (Art. 18 GDPR)

You have the right to request the restriction of processing, for the duration of the assessment by the controller, if one of the requirements listed in Art. 18 GDPR is met, e.g. if you have objected to the processing.

Right to data portability (Art. 20 GDPR)

In certain cases, which are listed in detail in Art. 20 GDPR, you have the right to receive your personal data in a structured, commonly used and machine-readable format or to request the transfer of this data to a third party.

Right to withdraw consent (Art. 7 GDPR)

If the processing of data is based on your consent, you are entitled to withdraw your consent to the processing of your personal data at any time in accordance with Art. 7 (3) GDPR. Please note that the withdrawal of the consent only effective for the future. Processing that took place before the withdrawal is not affected.

Right to object (Art. 21 GDPR)

If data is collected on the basis of Art. 6 (1) (f) GDPR (data processing for the protection of legitimate interests) or on the basis of Art. 6 (1) (e) GDPR (data processing for the protection of public interests or in the exercise of official authority), you have the right to object to the processing at any time for reasons arising from your particular situation. We will then no longer process the personal data unless there are demonstrably compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your data violates data protection regulations. The right to lodge a complaint can be asserted in particular witha supervisory authority in the Member State of your habitual residence, your place of work or the place of the suspected infringement.

Asserting your rights

Unless otherwise described above, please contact the controller of the data processing named in the imprint to assert your rights as a data subject.

Contact details of our data protection officer

Our external data protection officer will be happy to provide you with information on the subject of data protection under the following contact details:

datenschutz nord GmbH
Konsul-Smidt-Straße 88
28217 Bremen

If you contact our data protection officer, please also state the controller for the data processing named in the imprint.