PRIVACY POLICY

Last Update: 2.5.2024

SCOPE

This data protection declaration applies to all personal data processed by us in the company and to all personal data processed by companies commissioned by us (order processors). By personal data, we mean information within the meaning of Art. 4 No. 1 DSGVO, such as a person's name and e-mail address. The processing of personal data ensures that we can offer and invoice our services and products, whether online or offline. The scope of this privacy policy includes:

  • all online presences (websites, online stores) that we operate

  • Social media appearances and e-mail communication

LEGAL BASIS

In the following privacy statement, we provide you with transparent information on the legal principles and regulations, i.e. the legal bases of the General Data Protection Regulation, which enable us to process personal data.
As far as EU law is concerned, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016. You can of course read this EU General Data Protection Regulation online on EUR-Lex, the access to EU law, at https://eur-lex.europa.eu/legal-content/DE/ALL/?uri=celex%3A32016R0679.

We only process your data if at least one of the following conditions applies:

  1. Consent (Article 6(1) lit. a DSGVO): You have given us your consent to process data for a specific purpose. An example would be the storage of the data you enter in a contact form.

  2. Contract (Article 6(1)(b) DSGVO): In order to fulfill a contract or pre-contractual obligations with you, we process your data. For example, if we conclude a purchase contract with you, we need personal information in advance.

  3. Legal obligation (Article 6(1)(c) DSGVO): If we are subject to a legal obligation, we process your data. For example, we are legally obliged to keep invoices for accounting purposes. These usually contain personal data.

  4. Legitimate interests (Article 6(1)(f) DSGVO): In the case of legitimate interests that do not restrict your fundamental rights, we reserve the right to process personal data. For example, we need to process certain data in order to operate our website securely and economically efficiently. This processing is therefore a legitimate interest.

Further conditions such as the performance of recordings in the public interest and the exercise of official authority as well as the protection of vital interests do not generally occur with us. If such a legal basis should be relevant, it will be indicated at the appropriate place.

In addition to the EU regulation, national laws also apply:

  • In Austria, this is the Federal Act on the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act), or DSG for short.

  • In Germany, the Federal Data Protection Act, or BDSG for short, applies.

If other regional or national laws apply, we will inform you about them in the following sections.

CONTACT DETAILS OF THE RESPONSIBLE PERSON

If you have any questions regarding data protection or the processing of personal data, please find below the contact details of the responsible person or body:

Karoline Strobl
Windmühlgasse 22 1060 Vienna, Austria
E-mail: hello@foolproofskin.org
Phone: +4369915072220

RIGHTS UNDER THE GENERAL DATA PROTECTION REGULATION

In accordance with Articles 13, 14 of the GDPR, we inform you about the following rights you have to ensure that data processing is fair and transparent:

  • According to Article 15 of the GDPR, you have the right to know whether we are processing data about you. If this is the case, you have the right to receive a copy of the data and the following information:

    • the purpose for which we carry out the processing;

    • the categories, i.e. the types of data that are processed;

    • who receives this data and, if the data is transferred to third countries, how security can be guaranteed;

    • how long the data will be stored;

    • the existence of the right to rectification, erasure or restriction of processing and the right to object to processing;

    • that you can complain to a supervisory authority (links to these authorities can be found below);

    • the origin of the data if we have not collected it from you;

    • whether profiling is carried out, i.e. whether data is automatically evaluated in order to arrive at a personal profile of you.

  • You have a right to rectify data according to Article 16 of the GDPR, which means that we must correct data if you find errors.

  • According to Article 17 of the GDPR, you have the right to erasure ("right to be forgotten"), which specifically means that you may request the deletion of your data.

  • According to Article 18 of the GDPR, you have the right to restriction of processing, which means that we may only store the data but not use it any further.

  • According to Article 20 DSGVO, you have the right to data portability, which means that we will provide you with your data in a common format upon request.

  • According to Article 21 of the GDPR, you have a right to object, which, once enforced, entails a change in processing.

    • If the processing of your data is based on Article 6(1)(e) (public interest, exercise of official authority) or Article 6(1)(f) (legitimate interest), you may object to the processing. We will then check as soon as possible whether we can legally comply with this objection.

    • If data is used to conduct direct marketing, you may object to this type of data processing at any time. We may not use your data for direct marketing thereafter.

    • If data is used to perform profiling, you can object to this type of data processing at any time. We may not use your data for profiling thereafter.

  • According to Article 22 of the GDPR, you may have the right not to be subject to a decision based solely on automated processing (for example, profiling).

  • According to Article 77 of the GDPR, you have the right to lodge a complaint. This means that you can complain to the data protection authority at any time if you believe that the data processing of personal data violates the GDPR.

If you believe that the processing of your data violates data protection law or that your data protection rights have been violated in any other way, you can complain to the supervisory authority. For Austria, this is the data protection authority, whose website can be found at https://www.dsb.gv.at/. In Germany, there is a data protection officer for each federal state. For more information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The following local data protection authority is responsible for our company:

Austria data protection authority

Head: Mag. Dr. Andrea Jelinek
Address: Barichgasse 40-42, 1030 Vienna
Phone: +43 1 52 152-0
E-mail address: dsb@dsb.gv.at
Website: https://www.dsb.gv.at/

COMMUNICATION

Communication summary
👥 Data subjects: All those who communicate with us by telephone, e-mail or online form
📓 Data processed: e.g. telephone number, name, e-mail address, form data entered. More details can be found at the respective contact type used
🤝 Purpose: Handling of communication with customers, business partners, etc.
📅 Storage period: Duration of the business case and legal requirements
⚖️ Legal basis: Art. 6 para. 1 lit. a DSGVO (Consent), Art. 6 para. 1 lit. b DSGVO (Contract), Art. 6 para. 1 lit. f DSGVO (Legitimate Interests).

When you contact us and communicate by phone, e-mail or online form, personal data may be processed.

The data will be processed for the handling and processing of your question and the related business transaction. The data is stored for as long as it is required by law.

Persons concerned

All those who seek contact with us via the communication channels provided by us are affected by the aforementioned processes.

Phone

When you call us, the call data is stored pseudonymously on the respective terminal device and with the telecommunications provider used. In addition, data such as name and telephone number may subsequently be sent by e-mail and stored for the purpose of responding to inquiries. The data is deleted as soon as the business case has been terminated and legal requirements permit.

E-mail

If you communicate with us by e-mail, data may be stored on the respective end device (computer, laptop, smartphone,...) and data is stored on the e-mail server. The data is deleted as soon as the business case has been terminated and legal requirements allow it.

Online forms

If you communicate with us using an online form, data is stored on our web server and, if necessary, forwarded to an e-mail address of ours. The data is deleted as soon as the business case has been terminated and legal requirements permit.

Legal basis

The processing of the data is based on the following legal bases:

  • Art. 6 para. 1 lit. a DSGVO (consent): You give us your consent to store your data and to further use it for purposes related to the business case;

  • Art. 6 para. 1 lit. b DSGVO (contract): There is a need for the performance of a contract with you or a processor such as the telephone provider or we need to process the data for pre-contractual activities, such as the preparation of an offer;

  • Art. 6 para. 1 lit. f DSGVO (Legitimate Interests): We want to handle customer inquiries and business communication in a professional framework. For this purpose, certain technical facilities such as e-mail programs, exchange servers and mobile network operators are necessary in order to communicate efficiently.

15 (3) of the German Telemedia Act (TMG).

For absolutely necessary cookies, even in the absence of consent, there are legitimate interests (Article 6(1)(f) DSGVO), which in most cases are economic in nature. We want to provide visitors to the website with a pleasant user experience and for this purpose certain cookies are often absolutely necessary.

If cookies are used that are not absolutely necessary, this only happens in the case of your consent. The legal basis in this respect is Art. 6 para. 1 lit. a DSGVO.

In the following sections, you will be informed in more detail about the use of cookies, insofar as the software we use sets cookies.

Cookies Summary
👥 Data subjects: visitors to the website
🤝 Purpose: depends on the cookie in question. More details can be found below or from the manufacturer of the software that sets the cookie.
📓 Data processed: Depending on the cookie used in each case. More details can be found below or from the manufacturer of the software that sets the cookie.
📅 Storage period: depending on the respective cookie, can vary from hours to years
⚖️ Legal basis: Art. 6 para. 1 lit. a DSGVO (Consent), Art. 6 para. 1 lit. f DSGVO (Legitimate Interests).

EMAILS

We may send you marketing emails from which you can unsubscribe by clicking the link at the bottom of the email. We share your contact information with Squarespace, our email marketing provider, so that Squarespace can send these emails on our behalf.

Email marketing summary
👥 Data subjects: newsletter subscribers
🤝 Purpose: direct advertising by email, notification of system-relevant events
📓 Data processed: Data entered during registration but at least the e-mail address. More details can be found with the respective e-mail marketing tool used.
📅 Storage period: Duration of the existence of the subscription
⚖️ Legal basis: Art. 6 para. 1 lit. a DSGVO (consent), Art. 6 para. 1 lit. f DSGVO (legitimate interests).

In order to keep you always up to date, we also use the possibility of e-mail marketing. If you have agreed to receive our e-mails or newsletters, your data will also be processed and stored. E-mail marketing is a sub-area of online marketing. It involves sending news or general information about a company, products or services by e-mail to a specific group of people who are interested in them.

If you want to participate in our e-mail marketing (mostly via newsletter), you usually just have to register with your e-mail address. To do this, you fill out an online form and send it off. However, it may also happen that we ask you for your salutation and name, for example, so that we can also write to you personally.

As a rule, registration for newsletters uses the so-called "double opt-in procedure". After you have registered for our newsletter on our website, you will receive an e-mail via which you confirm the newsletter registration. This ensures that the e-mail address belongs to you and that no one has registered with a third-party e-mail address. We, or a notification tool we use, log each individual subscription. This is necessary so that we can also prove the legally correct registration process. As a rule, the time of registration, the time of the registration confirmation and your IP address are stored. In addition, it is also logged when you make changes to your stored data.

What data is processed?

When you become a subscriber to our newsletter via our website, you confirm by e-mail that you are a member of an e-mail list. In addition to IP address and e-mail address, your title, name, address and telephone number may also be stored, but only if you agree to this data storage. The data marked as such are necessary for you to participate in the service offered. Providing this information is voluntary, but failure to provide it will result in you not being able to use the service. In addition, information about your device or your preferred content on our website may be stored. You can find out more about the storage of data when you visit a website in the section "Automatic data storage". We record your declaration of consent so that we can always prove that this complies with our laws.

Duration of data processing

If you unsubscribe your e-mail address from our e-mail/newsletter distribution list, we may store your address for up to three years based on our legitimate interests so that we can still prove your consent at that time. We may only process this data if we need to defend ourselves against any claims.

However, if you confirm that you have given us your consent to subscribe to the newsletter, you can submit an individual deletion request at any time. If you permanently object to the consent, we reserve the right to store your e-mail address in a blacklist. As long as you have voluntarily subscribed to our newsletter, we will of course also keep your e-mail address.

Right of objection

You have the option to cancel your newsletter subscription at any time. To do this, you only need to revoke your consent to the newsletter subscription. This usually only takes a few seconds or one or two clicks. Most of the time, you will find a link to cancel your newsletter subscription right at the end of each email. If you really can't find the link in the newsletter, please contact us by mail and we will cancel your newsletter subscription immediately.

Legal basis

The sending of our newsletter is based on your consent (Article 6 para. 1 lit. a DSGVO). This means that we may only send you a newsletter if you have actively registered for it beforehand. If applicable, we may also send you advertising messages on the basis of Section 7 (3) of the German Unfair Competition Act (UWG), provided that you have become our customer and have not objected to the use of your e-mail address for direct advertising.

Information about specific email marketing services and how they process personal data, if any, is provided in the following sections.

FONTS

This website provides and displays font files from Google Fonts and Adobe Fonts. In order to properly display this website to you, these third parties may receive personal information about you, including:

  • Information about your browser, network or device

  • Information about this website and the page you are visiting on the website

  • Your IP address

Messenger & Communication

Summary

👥 Affected parties: Website visitors

🤝 Purpose: Contact requests and general communication between us and you

📓 Processed data: Data such as name, address, email address, telephone number, general content data, and, if applicable, IP address

For more details, please refer to the respective tools used.

📅 Storage period: depends on the messenger and communication functions used

⚖️ Legal basis: Art. 6 (1) lit. a GDPR (consent), Art. 6 (1) lit. f GDPR (legitimate interests), Art. 6 (1) sentence 1 lit. b GDPR (contractual or pre-contractual obligations)

What are messenger and communication functions?

We offer various options on our website (such as messenger and chat functions, online or contact forms, email, telephone) to communicate with us. Your data will be processed and stored as necessary to respond to your inquiries and subsequent actions.

In addition to traditional communication methods such as email, contact forms, or telephone, we also use chats or messengers. The most commonly used messenger function is currently WhatsApp, but there are many different providers specifically for websites that offer messenger functions. If content is end-to-end encrypted, this is indicated in the respective privacy texts or in the privacy policy of the respective provider. End-to-end encryption means that the content of a message is not visible to the provider. However, information about your device, location settings, and other technical data may still be processed and stored.

Why do we use messenger and communication functions?

Communication with you is of great importance to us. After all, we want to talk to you and provide the best possible answers to any questions you may have about our service. Effective communication is an important part of our service. With the practical messenger and communication functions, you can choose the ones that you prefer at any time. In exceptional cases, however, we may not be able to answer certain questions via chat or messenger. This is the case, for example, when it comes to internal contractual matters. In such cases, we recommend using other communication channels such as email or telephone.

We generally assume that we remain responsible for data protection even when using services of a social media platform. However, the European Court of Justice has ruled that in certain cases, the operator of the social media platform can be jointly responsible with us within the meaning of Art. 26 GDPR. If this is the case, we will specifically point this out and work based on an agreement in this regard. The essential provisions of the agreement are described below for the respective platform.

Please note that when using our integrated elements, your data may also be processed outside the European Union, as many providers, such as Facebook Messenger or WhatsApp, are American companies. As a result, you may not be able to easily assert or enforce your rights regarding your personal data.

What data is processed?

The exact data that is stored and processed depends on the respective provider of the messenger and communication functions. In general, it includes data such as name, address, telephone number, email address, and content data, such as all the information you enter in a contact form. Usually, information about your device and IP address is also stored. Data collected through a messenger and communication function is also stored on the providers' servers.

If you want to know exactly what data is stored and processed by the respective providers and how you can object to the data processing, you should carefully read the respective company's privacy policy.

How long is data stored?

The duration of data processing and storage primarily depends on the tools we use. Below you will find more information about the data processing of each tool. The privacy policies of the providers usually specify exactly which data is stored and processed and for how long. In general, personal data is processed only as long as necessary to provide our services. The storage period for data stored in cookies varies widely. The data can be deleted immediately after leaving a website, but it can also be stored for several years. Therefore, if you want to know more about data storage, you should examine each individual cookie in detail. In the privacy policies of the respective providers, you will usually find useful information about the individual cookies.

Right to object

You also have the right and the possibility to revoke your consent to the use of cookies or third-party providers at any time. This can be done either through our cookie management tool or through other opt-out functions. For example, you can prevent the collection of data through cookies by managing, disabling, or deleting cookies in your browser. For more information, please refer to the consent section.

As cookies may be used in messenger and communication functions, we also recommend reading our general privacy policy on cookies. To find out what data is exactly stored and processed about you, you should read the privacy policies of the respective tools.

Legal basis

If you have consented to the processing and storage of your data through integrated messenger and communication functions, this consent serves as the legal basis for data processing (Art. 6 (1) lit. a GDPR). We process your request and manage your data in the context of contractual or pre-contractual relationships to fulfill our pre-contractual and contractual obligations or to respond to inquiries. The basis for this is Art. 6 (1) sentence 1 lit. b GDPR. In general, your data will also be stored and processed based on our legitimate interest (Art. 6 (1) lit. f GDPR) in fast and efficient communication with you or other customers and business partners, provided that you have given your consent.

WhatsApp Privacy Policy

We use the instant messaging service WhatsApp on our website. The service provider is the American company WhatsApp Inc., a subsidiary of Meta Platforms Inc. (formerly Facebook Inc. until October 2021). For the European region, the responsible company is WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

What is WhatsApp?

We probably don't need to introduce WhatsApp to you. The likelihood that you yourself use this well-known messaging service on your smartphone is relatively high. For many years, there have been voices criticizing WhatsApp and its parent company Meta Platforms for their handling of personal data. In recent years, the main criticism has been about the merging of WhatsApp user data with Facebook. In response, Facebook adjusted its terms of use in 2021. Facebook stated that currently (as of 2021), no personal data of WhatsApp users is shared with Facebook.

Nevertheless, numerous personal data about you is processed by WhatsApp if you use WhatsApp and have agreed to data processing. This includes your phone number, chat messages, as well as sent photos, videos, and profile data. However, photos and videos are supposed to be stored only temporarily, and all messages and calls are encrypted end-to-end. Therefore, they should not be accessible even to Meta itself. In addition, information from your address book and other metadata is stored by WhatsApp.

Why do we use WhatsApp?

We want to stay in touch with you, and WhatsApp is the best way to do so. On the one hand, because the service works flawlessly, and on the other hand, because WhatsApp is still the most widely used instant messaging tool worldwide. The service is convenient and enables uncomplicated and fast communication with you.

How secure is data transfer on WhatsApp?

WhatsApp processes data from you, among other things, in the United States. We would like to point out that, in the opinion of the European Court of Justice, there is currently no adequate level of protection for data transfer to the United States. This can be associated with various risks for the legality and security of data processing.

As the basis for data processing for recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, especially the United States) or for data transfers to such countries, WhatsApp uses so-called standard contractual clauses (= Art. 46 para. 2 and 3 GDPR). Standard contractual clauses (Standard Contractual Clauses - SCC) are model templates provided by the European Commission and are intended to ensure that your data also comply with European data protection standards when they are transferred to and stored in third countries (such as the United States). Through these clauses, WhatsApp commits to complying with the European level of data protection when processing your relevant data, even if the data is stored, processed, and managed in the United States. These clauses are based on an implementing decision of the European Commission. You can find the decision and the corresponding standard contractual clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en

Information on data transfer at WhatsApp, which complies with the standard contractual clauses, can be found at https://www.whatsapp.com/legal/business-data-transfer-addendum-20210927

We hope we have provided you with the most important information about the use and data processing by WhatsApp. You can find more information about the data processed by the use of WhatsApp in the Privacy Policy at https://www.whatsapp.com/privacy.

Squarespace

Visitor Data

This website is hosted by Squarespace. Squarespace collects personal data when you visit this website. This includes:

  • Information about your browser, network, and device

  • Websites you visited before accessing this website

  • Websites you visit on this website

  • Your IP address

Squarespace requires the data for the operation of this website as well as for the protection and improvement of its platform and services. Squarespace analyzes the data in a de-personalized form.

Analytics

This website collects personal data that serves as the basis for our website analytics. This includes:

  • Information about your browser, network, and device

  • Websites you visited before accessing this website

  • Your IP address

This information may also include details about your use of this website, including:

  • Clicks

  • Internal links

  • Visited pages

  • Scrolling

  • Search queries

  • Timestamps

We share this information with Squarespace, our provider of website analytics, to gain insights into the traffic and activity on this website.

Google Analytics

👥 Affected individuals: Visitors to the website

🤝 Purpose: Evaluation of visitor information to optimize the website.

📓 Processed data: Access statistics, which include data such as access locations, device data, access duration and timing, navigation behavior, click behavior, and IP addresses. More details can be found below in this privacy policy.

📅 Storage duration: depends on the properties used

⚖️ Legal basis: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)

How long and where are the data stored?

Google has servers distributed worldwide. Most servers are located in America, so your data is mainly stored on American servers. You can find out exactly where Google data centers are located here: https://www.google.com/about/datacenters/locations/?hl=en

Your data is distributed across various physical media. This has the advantage that the data can be accessed more quickly and is better protected against manipulation. In each Google data center, there are emergency programs for your data. For example, if hardware at Google fails or natural disasters disable servers, the risk of service interruption at Google remains low.

The retention period of the data depends on the properties used. When using the newer Google Analytics 4 properties, the retention period for your user data is fixed at 14 months. For other so-called event data, we have the option to choose a retention period of 2 months or 14 months.

For Universal Analytics properties, a retention period of 26 months for your user data is standardized in Google Analytics. Then your user data will be deleted. However, we have the option to choose the retention period of usage data ourselves. We have five options available:

  • Deletion after 14 months

  • Deletion after 26 months

  • Deletion after 38 months

  • Deletion after 50 months

  • No automatic deletion

In addition, there is also the option that data will only be deleted if you do not visit our website within the time period we have chosen. In this case, the retention period is reset every time you visit our website within the specified time period.

Once the specified time period has expired, the data is deleted once a month. This retention period applies to your data that is linked to cookies, user recognition, and advertising IDs (e.g. cookies from the DoubleClick domain). Report results are based on aggregated data and are stored independently of user data. Aggregated data is a fusion of individual data into a larger unit.

How can I delete my data or prevent data storage?

Under the data protection law of the European Union, you have the right to access, update, delete, or restrict your data. By using the browser add-on to disable Google Analytics JavaScript (ga.js, analytics.js, dc.js), you can prevent Google Analytics from using your data. You can download and install the browser add-on at https://tools.google.com/dlpage/gaoptout?hl=en. Please note that this add-on only disables data collection by Google Analytics.

If you generally want to disable, delete, or manage cookies, you will find the corresponding links to the instructions for the most common browsers in the "Cookies" section.

Legal basis

The use of Google Analytics requires your consent, which we obtained with our cookie popup. According to Art. 6 para. 1 lit. a GDPR (consent), this consent is the legal basis for the processing of personal data that may occur during the collection by web analytics tools.

In addition to consent, we also have a legitimate interest in analyzing the behavior of website visitors and thus improving our offer technically and economically. With the help of Google Analytics, we can identify website errors, detect attacks, and improve efficiency. The legal basis for this is Art. 6 para. 1 lit. f GDPR (legitimate interests). However, we only use Google Analytics if you have given consent.

Google processes data from you, among other things, in the United States. We would like to point out that, in the opinion of the European Court of Justice, there is currently no adequate level of protection for data transfer to the United States. This can be associated with various risks for the legality and security of data processing.

As the basis for data processing for recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, especially the United States) or for data transfers to such countries, Google uses so-called standard contractual clauses (= Art. 46 para. 2 and 3 GDPR). Standard contractual clauses (Standard Contractual Clauses - SCC) are model templates provided by the European Commission and are intended to ensure that your data also comply with European data protection standards when they are transferred to and stored in third countries (such as the United States). Through these clauses, Google commits to complying with the European level of data protection when processing your relevant data, even if the data is stored, processed, and managed in the United States. These clauses are based on an implementing decision of the European Commission. You can find the decision and the corresponding standard contractual clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en

The Google Ads data processing terms, which refer to the standard contractual clauses, can be found at https://business.safety.google/intl/en/adsprocessorterms/.

We hope we have provided you with the most important information about the data processing by Google Analytics. If you want to learn more about the tracking service, we recommend these two links: https://marketingplatform.google.com/about/analytics/terms/en/ and https://support.google.com/analytics/answer/6004245?hl=en.

Cookies

This website uses cookies and similar technologies, which are small files or short texts that are downloaded to a device when a visitor accesses a website or app. For information on how to view the cookies placed on your device, please see About the Cookies Used by Squarespace.

These functional and necessary cookies are always used as they allow Squarespace, our hosting platform, to securely provide this website to you.

These analytics and performance cookies are only used on this website when you confirm our cookie banner, as described below. This website uses analytics and performance cookies to gain insight into website traffic data, website activity, and other data.

Cookie Storage Duration

The storage duration depends on the specific cookie and is further specified below. Some cookies are deleted in less than an hour, while others can remain stored on a computer for several years.

You also have control over the storage duration. You can manually delete all cookies at any time through your browser (see also "Right to Object" below). Furthermore, cookies based on consent are deleted no later than after the withdrawal of your consent, while the lawfulness of storage until then remains unaffected.

Right to Object - How Can I Delete Cookies?

You can decide for yourself whether and how you want to use cookies. Regardless of which service or website the cookies come from, you always have the option to delete, disable, or only partially allow cookies. For example, you can block third-party cookies but allow all other cookies.

If you want to find out which cookies are stored in your browser, or to change or delete cookie settings, you can do so in your browser settings:

Chrome: Clear, enable, and manage cookies in Chrome

Safari: Manage cookies and website data with Safari

Firefox: Clear cookies to remove data that websites have stored on your computer

Internet Explorer: Delete and manage cookies

Microsoft Edge: Delete and manage cookies

If you generally do not want any cookies, you can set up your browser to always inform you when a cookie is to be set. This way, you can decide for each individual cookie whether to allow it or not. The procedure varies depending on the browser. It is best to search for instructions on Google using the search term "clear cookies Chrome" or "disable cookies Chrome" in the case of a Chrome browser.

Legal Basis

Since 2009, there has been the so-called "Cookie Directive." This directive stipulates that storing cookies requires consent (Article 6(1)(a) GDPR) from you. However, within the EU countries, there are still very different reactions to this directive. In Austria, this directive was implemented in § 96(3) of the Telecommunications Act (TKG). In Germany, the cookie directive was not implemented as national law. Instead, this directive was largely implemented in § 15(3) of the Telemedia Act (TMG).

For strictly necessary cookies, even if no consent is given, there are legitimate interests (Article 6(1)(f) GDPR), which are mostly of an economic nature. We want to provide visitors of the website with a pleasant user experience, and certain cookies are often strictly necessary for this purpose.

If non-essential cookies are used, this only happens with your consent. The legal basis is Article 6(1)(a) GDPR in this respect.

The following sections provide more detailed information about the use of cookies if the software used employs cookies.

Cookies Summary

👥 Data subjects: Website visitors

🤝 Purpose: Depending on the respective cookie. More details can be found below or with the manufacturer of the software that sets the cookie.

📓 Processed data: Depending on the respective cookie. More details can be found below or with the manufacturer of the software that sets the cookie.

📅 Storage duration: Depending on the respective cookie, ranging from hours to years.

⚖️ Legal basis: Article 6(1)(a) GDPR (Consent), Article 6(1)(f) GDPR (Legitimate interests)

Emails

We may send you marketing emails, which you can unsubscribe from by clicking the link at the end of the email. We share your contact information with Squarespace, our email marketing provider, so that Squarespace can send these emails on our behalf.

Email Marketing Summary

👥 Data subjects: Newsletter subscribers

🤝 Purpose: Direct advertising via email, notification of system-relevant events

📓 Processed data: Data provided during registration, at least the email address. More details can be found with the respective email marketing tool.

📅 Storage duration: Duration of the subscription

⚖️ Legal basis: Article 6(1)(a) GDPR (Consent), Article 6(1)(f) GDPR (Legitimate interests)

To keep you informed, we also use email marketing. When you subscribe to our emails or newsletters, data about you is processed and stored. Email marketing is part of online marketing. It involves sending news or general information about a company, products, or services via email to a specific group of people who are interested in it.

If you want to participate in our email marketing (usually via newsletter), you usually just need to sign up with your email address. You fill out an online form and submit it. However, it may also happen that we ask for your salutation and name so that we can address you personally.

Generally, signing up for newsletters works using the so-called "double opt-in" procedure. After you have registered for our newsletter on our website, you will receive an email to confirm your newsletter subscription. This ensures that the email address belongs to you and that no one has registered with a different email address. We or a notification tool used by us log each individual registration. This is necessary so that we can provide evidence of the legally correct registration process. Typically, the time of registration, the time of confirmation, and your IP address are stored. In addition, changes to your stored data are also logged.

What data is processed?

When you become a subscriber to our newsletter via our website, you confirm your membership in an email list via email. In addition to the IP address and email address, your salutation, name, address, and telephone number may also be stored, but only if you consent to this data storage. The data marked as such is necessary for you to participate in the offered service. The information is voluntary, but not providing it will result in you not being able to use the service. Additionally, information about your device or your preferred content on our website may also be stored. More information about data storage when visiting a website can be found in the section "Automatic Data Storage." We record your declaration of consent so that we can always prove that it complies with our laws.

Duration of Data Processing

If you unsubscribe your email address from our email/newsletter distribution list, we may store your address for up to three years based on our legitimate interests to be able to prove your previous consent. We may only process this data if we need to defend against possible claims.

However, if you confirm that you have given us consent for newsletter registration, you can request individual deletion at any time. If you permanently object to consent, we reserve the right to store your email address in a blocklist. As long as you voluntarily subscribe to our newsletter, we will of course also retain your email address.

Right to Object

You have the opportunity to cancel your newsletter subscription at any time. To do so, simply revoke your consent to newsletter registration. This usually only takes a few seconds or one or two clicks. In most cases, you will find a link at the end of each email to unsubscribe from the newsletter. If you cannot find the link in the newsletter, please contact us by email, and we will immediately cancel your newsletter subscription.

Legal Basis

The sending of our newsletter is based on your consent (Article 6(1)(a) GDPR). This means that we are only allowed to send you a newsletter if you have actively registered for it. If you have become our customer and have not objected to the use of your email address for direct advertising, we may also send you advertising messages based on § 7(3) UWG.

Information about specific email marketing services and how they process personal data, if available, can be found in the following sections.

Fonts

This website provides font files from Google Fonts and Adobe Fonts and displays these fonts. In order to display this website correctly, these third parties may receive personal data about you, including:

  • Information about your browser, network, or device

  • Information about this website and the page you are visiting on the website

  • Your IP address

Social Media

Social Media Privacy Policy Summary

👥 Data subjects: Website visitors

🤝 Purpose: Presentation and optimization of our services, contact with visitors, interested parties, etc., advertising

📓 Processed data: Data such as phone numbers, email addresses, contact information, user behavior data, information about your device and your IP address.

More details can be found with the respective social media tool.

📅 Storage duration: Depending on the social media platforms used

⚖️ Legal basis: Article 6(1)(a) GDPR (Consent), Article 6(1)(f) GDPR (Legitimate interests)

What is Social Media?

In addition to our website, we are also active on various social media platforms. This may involve processing data from users so that we can specifically address users who are interested in us through social networks. In addition, elements of a social media platform may be directly embedded in our website. This is the case, for example, when you click on a so-called social button on our website and are directly redirected to our social media presence. Social media refers to websites and apps where registered members can produce content, exchange content openly or in specific groups, and connect with other members.

What data is processed?

The exact data stored and processed depends on the provider of the social media platform. However, it usually involves data such as telephone numbers, email addresses, data you enter in a contact form, user data such as which buttons you click, whom you like or follow, when you visited which pages, information about your device, and your IP address. Most of this data is stored in cookies, specifically if you have a profile on the visited social media channel and are logged in.

Instagram Privacy Policy Summary

👥 Affected: Website visitors

🤝 Purpose: Optimization of our service performance

📓 Processed data: Data such as user behavior data, information about your device, and your IP address.

More details can be found below in the privacy policy.

📅 Storage period: until Instagram no longer needs the data for its purposes

⚖️ Legal basis: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)

What is Instagram?

We have integrated Instagram features on our website. Instagram is a social media platform owned by Instagram LLC, 1601 Willow Rd, Menlo Park CA 94025, USA. Instagram has been a subsidiary of Meta Platforms Inc. since 2012 and is part of the Facebook products. Integrating Instagram content into our website is called embedding. This allows us to display content such as buttons, photos, or videos from Instagram directly on our website. When you visit web pages on our website that have an Instagram feature integrated, data is transmitted, stored, and processed by Instagram. Instagram uses the same systems and technologies as Facebook. As a result, your data is processed across all Facebook companies.

Below, we want to give you a more detailed insight into why Instagram collects data, what data it is, and how you can largely control the data processing. Since Instagram is owned by Meta Platforms Inc., we obtain our information from both Instagram's policies and Meta's privacy policies.

Instagram is one of the most well-known social media networks worldwide. Instagram combines the benefits of a blog with the advantages of audiovisual platforms like YouTube or Vimeo. On "Insta" (as many users casually call the platform), you can upload photos and short videos, edit them with various filters, and share them in other social networks. And if you don't want to be active yourself, you can also follow interesting users.

Why do we use Instagram on our website?

Instagram is the social media platform that has skyrocketed in popularity in recent years. And of course, we have also responded to this boom. We want you to feel as comfortable as possible on our website. That's why it is natural for us to present our content in an engaging way. By using embedded Instagram features, we can enrich our content with helpful, entertaining, or exciting content from the Instagram world. Since Instagram is a subsidiary of Facebook, the data collected can also be used for personalized advertising on Facebook. This ensures that our ads are only shown to people who are genuinely interested in our products or services.

Instagram also uses the collected data for measurement and analysis purposes. We receive aggregated statistics and gain more insights into your preferences and interests. It is important to mention that these reports do not identify you personally.

What data is stored by Instagram?

When you come across one of our pages that have Instagram features (such as Instagram images or plugins) embedded, your browser automatically connects to Instagram's servers. Data is then transmitted, stored, and processed by Instagram. This applies regardless of whether you have an Instagram account or not. This includes information about our website, your computer, purchases made, advertisements you see, and how you use our offering. Additionally, the date and time of your interaction with Instagram are also stored. If you have an Instagram account or are logged in, Instagram stores significantly more data about you.

Facebook differentiates between customer data and event data. We assume that this is also the case with Instagram. Customer data includes name, address, telephone number, and IP address, for example. This customer data is only transmitted to Instagram after being "hashed." Hashing means that a data record is transformed into a character string, encrypting the contact details. The above-mentioned "event data" is also transmitted. "Event data" refers to data about your user behavior, according to Facebook and therefore also Instagram. It is also possible for contact details to be combined with event data. The collected contact details are compared with the data that Instagram already has about you.

The collected data is transmitted to Facebook via small text files (cookies) that are usually stored in your browser. Depending on the Instagram features used and whether you have an Instagram account yourself, different amounts of data are stored.

We assume that data processing works the same way on Instagram as it does on Facebook. This means that if you have an Instagram account or have visited www.instagram.com, Instagram has set at least one cookie. If this is the case, your browser sends information to Instagram via the cookie as soon as you come into contact with an Instagram feature. These data are deleted or anonymized no later than 90 days after being compared. Although we have extensively studied Instagram's data processing, we cannot say exactly which data Instagram collects and stores.

How long and where are the data stored?

Instagram shares the information received with Facebook companies, external partners, and individuals you connect with worldwide. The data processing is carried out in compliance with its own data policy. For security reasons, your data is distributed across Facebook servers worldwide. Most of these servers are located in the United States.

How can I delete my data or prevent data storage?

Thanks to the General Data Protection Regulation, you have the right to information, data portability, rectification, and erasure of your data. You can manage your data in the Instagram settings. If you want to completely delete your data on Instagram, you must permanently delete your Instagram account.

Here's how to delete your Instagram account:

First, open the Instagram app. On your profile page, scroll down and click on "Help Center." This will take you to the company's website. On the website, click on "Managing Your Account" and then on "Delete Your Account."

If you delete your account, Instagram will delete posts such as your photos and status updates. Information that others have shared about you is not part of your account and will therefore not be deleted.

As mentioned above, Instagram primarily stores your data through cookies. You can manage, disable, or delete these cookies in your browser. The management process may vary slightly depending on the browser you are using. Under the "Cookies" section, you will find the corresponding links to the instructions for the most popular browsers.

You can also generally configure your browser to notify you whenever a cookie is set. This allows you to individually decide whether to allow the cookie or not.

Legal basis

If you have consented to the processing and storage of your data by embedded social media elements, this consent serves as the legal basis for data processing (Art. 6 para. 1 lit. a GDPR). In principle, your data is also stored and processed based on our legitimate interests (Art. 6 para. 1 lit. f GDPR) in fast and effective communication with you or other customers and business partners. However, we only use embedded social media elements if you have given your consent. Most social media platforms also use cookies in your browser to store data. Therefore, we recommend that you carefully read our privacy policy on cookies and review the privacy policy or cookie policies of the respective service providers.

Instagram and Facebook also process data in the United States, among other locations. We would like to point out that, in the opinion of the European Court of Justice, there is currently no adequate level of protection for transferring data to the United States. This can entail various risks for the lawfulness and security of data processing.

Facebook uses standard contractual clauses (= Art. 46 para. 2 and 3 GDPR) approved by the European Commission as the basis for data processing with recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, especially in the United States) or for transferring data to such countries. These clauses oblige Facebook to comply with the level of data protection in the EU when processing relevant data outside the EU. These clauses are based on an implementing decision of the European Commission. You can find the decision and the clauses here: https://germany.representation.ec.europa.eu/index_de.

We have tried to provide you with the most important information about data processing by Instagram. You can find more information about Instagram's data policies at https://help.instagram.com/519522125107875.

TikTok Privacy Policy

We also use TikTok, a social media and video platform. The service provider is the Chinese company Beijing Bytedance Technology Ltd. For the European region, the responsible company is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland.

TikTok processes your data, among other locations, in the United States. We would like to point out that, in the opinion of the European Court of Justice, there is currently no adequate level of protection for transferring data to the United States. This can entail various risks for the lawfulness and security of data processing.

TikTok uses so-called standard contractual clauses (= Art. 46 para. 2 and 3 GDPR) as the basis for data processing with recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, especially in the United States) or for transferring data to such countries. Standard contractual clauses (SCC) are sample templates provided by the European Commission to ensure that your data complies with European data protection standards even when transferred and stored in third countries (such as the United States). Through these clauses, TikTok commits to maintaining the European level of data protection when processing your relevant data, even if the data is stored, processed, and managed in the United States. These clauses are based on an implementing decision of the European Commission. You can find the decision and the corresponding standard contractual clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

You can learn more about the standard contractual clauses and the data processed through the use of TikTok Pixel in the Privacy Policy at https://www.tiktok.com/legal/privacy-policy-eea?lang=de or https://ads.tiktok.com/i18n/official/policy/controller-to-controller.

LinkedIn Privacy Policy

We also use LinkedIn, a social media networking platform for business contacts operated by LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. On our website, you will find links to our profiles. For data processing in Europe, LinkedIn Ireland Unlimited Company, Wilton Place, Dublin, is responsible. The company processes your data, among other locations, in the United States. We would like to point out that, in the opinion of the European Court of Justice, there is currently no adequate level of protection for transferring data to the United States. You can find information about how LinkedIn uses and stores your data here: https://de.linkedin.com/legal/privacy-policy.

Typeform

We use Typeform, a survey software, for our website. The service provider is the Spanish company Typeform, located at 163 Carrer de Bac de Roda, Barcelona, Spain. You can learn more about the data processed through Typeform in the privacy policy at https://admin.typeform.com/to/dwk6gt.

The processing of your medical data through the questionnaire is optional. However, if you do not give your consent and answer the questions, you will not be able to perform checks and receive recommendations. We use your data to provide you with information on skincare consultations, improve our app, and contribute to research in the field of cosmetic science. Your data is stored in a pseudonymized manner, which means that your name is not stored together with your health data. Only your assigned skincare expert has access to your name and data. We only provide third parties with anonymized data analyses. Both Typeform and we can delete your data upon request.

Eventbrite

We utilize Eventbrite for the registration and execution of our workshops. Their EU office is situated at Unit 3100, Lake Drive, Citywest Business Campus Dublin 24, Citywest, Dublin. Upon providing your email address, you consent to receive information about the workshop. To understand more about the data Eventbrite processes and how to delete it, refer to the privacy policies at https://www.eventbrite.de/help/de/articles/460838/datenschutzrichtlinien-von-eventbrite/ and https://www.eventbrite.de/help/de/articles/363929/f-a-fragen-und-antworten-zum-eu-datenschutz-von-eventbrite/.

Explanation of Terms Used

We always strive to make our privacy policy as clear and understandable as possible. However, this is not always easy, especially with technical and legal topics. It often makes sense to use legal terms (such as personal data) or specific technical terms (such as cookies, IP address). However, we do not want to use these terms without explanation. Below is an alphabetical list of important terms used, which may not have been sufficiently explained in the previous privacy policy. If these terms were taken from the GDPR and are definitions, we will also include the GDPR texts here and, if necessary, add our own explanations.

Consent

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the expression:

"consent" of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Explanation: In most cases, such consent is obtained through a cookie consent tool on websites. You are probably familiar with this. Whenever you visit a website for the first time, you are usually asked via a banner if you agree or consent to the data processing. Usually, you can also make individual settings and decide for yourself which data processing you allow and which you do not. If you do not consent, no personal data may be processed. In principle, consent can also be given in writing, i.e., not through a tool.

Personal Data

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the expression:

"personal data" means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Explanation: Personal data is any data that can identify you as a person. This usually includes data such as:

  • Name

  • Address

  • Email address

  • Postal address

  • Phone number

  • Date of birth

  • Identification numbers such as social security number, tax identification number, ID card number, or student ID number

  • Bank data such as account number, credit information, account balances, etc.

According to the European Court of Justice (ECJ), your IP address is also considered personal data. IT experts can determine at least the approximate location of your device and subsequently identify you as the connection holder based on your IP address. Therefore, storing an IP address also requires a legal basis under the GDPR. There are also so-called "special categories" of personal data, which are also particularly protected. These include:

  • Racial and ethnic origin

  • Political opinions

  • Religious or philosophical beliefs

  • Trade union membership

  • Genetic data, such as data extracted from blood or saliva samples

  • Biometric data (information about psychological, physical, or behavioral characteristics that can identify a person)

Health Data

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the expression:

"health data" means personal data related to the physical or mental health of a natural person, including the provision of health care services, from which information about the health status of that person can be inferred;

Explanation: Health data includes all stored information related to your own health. Often, these are data that are also recorded in a patient record. This includes, for example, the medications you use, X-ray images, the entire medical history, or usually the vaccination status.

Profiling

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the expression:

"profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;

Explanation: Profiling involves collecting various information about a person to learn more about that person. In the web field, profiling is often used for advertising purposes or for credit checks. Web or advertising analysis programs, for example, collect data about your behavior and interests on a website. This results in a specific user profile that can be used to target advertising to a specific audience.

Closing Words

Congratulations! If you are reading these lines, you have really "fought" your way through our entire privacy policy, or at least scrolled down here. As you can see from the extent of our privacy policy, we take the protection of your personal data very seriously.

It is important to us to inform you to the best of our knowledge and belief about the processing of personal data. However, we not only want to inform you about the data being processed but also explain the reasons for using various software programs. Privacy policies are usually very technical and legal. However, since most of you are not web developers or lawyers, we wanted to take a different approach in terms of language and explain the matter in simple and clear language. However, this is not always possible due to the nature of the topic. Therefore, the most important terms are explained in more detail at the end of the privacy policy.

If you have any questions regarding data protection on our website, please do not hesitate to contact us or the responsible party. We wish you a pleasant time and hope to welcome you back to our website soon.

All texts are protected by copyright.

Source: Partially created with the Privacy Policy Generator by AdSimple and Squarespace https://support.squarespace.com/hc/de/articles/360002123427-Beispieltexte-für-Ihre-Datenschutzerklärung