top of page

Data protection

This data protection declaration informs you about the type, scope and purpose of the processing of personal data (hereinafter referred to as “data”) in the context of providing our services as well as within our online offering and the websites, functions and content associated with it as well as external online presences, such as. our social media profile (hereinafter collectively referred to as “online offering”). With regard to the terms used, such as “processing” or “responsible person”, we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
 

Responsible person

Joelma Araujo / deOya
Schellingstr 126
80798 Munich
joelma@deOya.de
Owner: Joelma Araujo

Types of data processed

- Inventory data (e.g., personal master data, names or addresses).
- Contact details (e.g., email, telephone numbers).
- Content data (e.g., text entries, photographs, videos).
- Usage data (e.g., websites visited, interest in content, access times).
- Meta/communication data (e.g., device information, IP addresses).

Categories of data subjects
Visitors and users of the online offering (hereinafter we refer to the affected persons collectively as “users”).

Purpose of processing

- Provision of the online offer, its functions and content.
- Answering contact requests and communicating with users.
- Safety measures.
- Reach measurement/marketing
 

Terms used

“Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); A natural person is considered identifiable if he or she can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or one or more special features, which are an expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

“Processing” means any operation or series of operations relating to personal data, carried out with or without the aid of automated procedures. The term is broad and encompasses virtually every way data is handled.

“Pseudonymization” means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to technical and organizational measures that ensure that the personal data not be assigned to an identified or identifiable natural person.

“Profiling” means any type of automated processing of personal data, which consists in using that personal data to evaluate certain personal aspects relating to a natural person, in particular aspects relating to work performance, economic situation, health, personal Analyze or predict the preferences, interests, reliability, behavior, location or movements of that natural person.

The “controller” is the natural or legal person, public authority, institution or other body that alone or jointly with others decides on the purposes and means of processing personal data.

“Processor” means a natural or legal person, public authority, institution or other body that processes personal data on behalf of the controller.
 

Relevant legal bases

In accordance with Art. 13 GDPR, we will inform you of the legal basis for our data processing. For users from the scope of the General Data Protection Regulation (GDPR), i.e. the EU and the EEC, the following applies, unless the legal basis is stated in the data protection declaration:
The legal basis for obtaining consent is Article 6 Paragraph 1 Letter a and Article 7 GDPR;
The legal basis for processing to fulfill our services and carry out contractual measures as well as answer inquiries is Article 6 Paragraph 1 Letter b GDPR;
The legal basis for processing to fulfill our legal obligations is Article 6 (1) (c) GDPR;
In the event that the vital interests of the data subject or another natural person require the processing of personal data, Article 6 Paragraph 1 Letter d GDPR serves as the legal basis.
The legal basis for the processing necessary to carry out a task that is in the public interest or in the exercise of official authority vested in the person responsible is Article 6 (1) (e) GDPR.
The legal basis for processing to protect our legitimate interests is Article 6 (1) (f) GDPR.
The processing of data for purposes other than those for which they were collected is determined in accordance with the provisions of Article 6 (4) GDPR.
The processing of special categories of data (according to Art. 9 Para. 1 GDPR) is determined in accordance with the provisions of Art. 9 Para. 2 GDPR.

Safety measures

We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons to ensure a level of protection appropriate to the risk.

The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, distribution, ensuring availability and its separation. We have also set up procedures to ensure the exercise of the rights of those affected, the deletion of data and the response to threats to data. Furthermore, we take the protection of personal data into account when developing or selecting hardware, software and processes, in accordance with the principle of data protection through technology design and through data protection-friendly default settings.

Collaboration with processors, joint controllers and third parties

If, as part of our processing, we disclose data to other people and companies (processors, joint controllers or third parties), transfer it to them or otherwise grant them access to the data, this only takes place on the basis of legal permission (e.g. if a transfer of the data to third parties, such as payment service providers, is necessary for the fulfillment of the contract), users have consented, a legal obligation requires this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).

If we disclose, transmit or otherwise grant access to data to other companies in our group of companies, this is done in particular for administrative purposes as a legitimate interest and, moreover, on a basis that complies with legal requirements.

Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA) or the Swiss Confederation) or in the context of using third-party services or disclosing or transferring data to other people or companies If this happens, this will only occur if it is to fulfill our (pre-)contractual obligations, based on your consent, based on a legal obligation or based on our legitimate interests. Subject to express consent or contractually required transfer, we only process or leave the data in third countries with a recognized level of data protection, which include US processors certified under the "Privacy Shield" or on the basis of special guarantees, such as contractual obligations through so-called standard protection clauses the EU Commission, the existence of certifications or binding internal data protection regulations (Articles 44 to 49 GDPR, EU Commission information page).

Rights of data subjects
Right to information: You have the right to request confirmation as to whether the data in question is being processed and to request information about this data as well as further information and a copy of the data in accordance with legal requirements.

Right to rectification: You have accordingly. In accordance with legal requirements, you have the right to request that the data concerning you be completed or that incorrect data concerning you be corrected.

Right to deletion and restriction of processing: In accordance with the legal requirements, you have the right to demand that the data in question be deleted immediately or, alternatively, to request that the processing of the data be restricted in accordance with the legal requirements.

Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, common and machine-readable format in accordance with legal requirements or to request that it be transmitted to another person responsible.

Complaint to the supervisory authority: You also have the right, in accordance with legal requirements, to submit a complaint to the responsible supervisory authority.

Right of withdrawal
You have the right to revoke your consent with effect for the future.

Right to object
Right to object: You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which is carried out on the basis of Article 6 (1) (e) or (f) of the GDPR; This also applies to profiling based on these provisions. If your personal data is processed for the purpose of direct advertising, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; This also applies to profiling insofar as it is connected to such direct advertising.

Cookies and right to object to direct advertising
“Cookies” are small files that are stored on users’ computers. Different information can be stored within the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after their visit to an online offering. Temporary cookies, or “session cookies” or “transient cookies,” are cookies that are deleted after a user leaves an online offering and closes their browser. Such a cookie can, for example, store the contents of a shopping cart in an online shop or a login status. Cookies that remain stored even after the browser is closed are referred to as “permanent” or “persistent”. For example, the login status can be saved if users visit it after several days. The interests of users can also be stored in such a cookie, which is used for range measurement or marketing purposes. “Third-party cookies” are cookies that are offered by providers other than the person responsible for operating the online offering (otherwise, if they are only their cookies, they are referred to as “first-party cookies”).

We can use temporary and permanent cookies and explain this in our data protection declaration.

If we ask users to consent to the use of cookies (e.g. as part of cookie consent), the legal basis for this processing is Article 6 Paragraph 1 lit. a. GDPR. Otherwise, the users' personal cookies are processed in accordance with the following explanations in this data protection declaration on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offering within the meaning of Art. 6 Para. 1 lit. f. GDPR) or if the use of cookies is necessary to provide our contract-related services, in accordance with Article 6 Paragraph 1 Letter b. GDPR, or if the use of cookies is necessary for the performance of a task that is in the public interest or in the exercise of official authority, in accordance with Article 6 Paragraph 1 Letter e. GDPR, processed.

If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Saved cookies can be deleted in the browser's system settings. The exclusion of cookies can lead to functional restrictions of this online offer.

A general objection to the use of cookies used for online marketing purposes can be made for a large number of services, especially in the case of tracking, via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/ can be explained. Furthermore, the storage of cookies can be achieved by switching them off in the browser settings. Please note that not all functions of this online offer may then be able to be used.
 

Deletion of data
The data we process will be deleted or its processing restricted in accordance with legal requirements. Unless expressly stated in this data protection declaration, the data stored by us will be deleted as soon as they are no longer required for their intended purpose and the deletion does not conflict with any legal retention obligations.

Unless the data is deleted because it is required for other legally permissible purposes, its processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons.

Changes and updates to the privacy policy
We ask you to regularly inform yourself about the content of our data protection declaration. We will adapt the data protection declaration as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

 

Business-related processing


Additionally we process
- Contract data (e.g., subject of the contract, term, customer category).
- Payment data (e.g., bank details, payment history)
from our customers, interested parties and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising and market research.

 

Order processing in the online shop and customer account


We process our customers' data as part of the ordering process in our online shop in order to enable them to select and order the selected products and services, as well as their payment and delivery or execution.

The data processed includes inventory data, communication data, contract data, payment data and the persons affected by the processing include our customers, interested parties and other business partners. The processing takes place for the purpose of providing contractual services as part of the operation of an online shop, billing, delivery and customer services. We use session cookies to store the contents of the shopping cart and permanent cookies to store the login status.

Processing is carried out to fulfill our services and carry out contractual measures (e.g. carrying out ordering processes) and to the extent required by law (e.g. legally required archiving of business transactions for commercial and tax purposes). The information marked as necessary is required to establish and fulfill the contract. We only disclose the data to third parties in the context of delivery, payment or within the scope of legal permissions and obligations, as well as if this is based on our legitimate interests, about which we inform you as part of this data protection declaration (e.g., to legal and tax advisors, financial institutions, freight companies and authorities).

Users can optionally create a user account, in particular by being able to view their orders. As part of registration, the required mandatory information is provided to users. User accounts are not public and cannot be indexed by search engines. If users have terminated their user account, their data will be deleted with regard to the user account, unless their retention is necessary for commercial or tax reasons. Information in the customer account remains until it is deleted and subsequently archived in the event of a legal obligation or our legitimate interests (e.g. in the event of legal disputes). It is the users' responsibility to back up their data before the end of the contract if the contract is terminated.

As part of the registration and re-registration process as well as the use of our online services, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests, as well as the user's protection against misuse and other unauthorized use. In principle, this data will not be passed on to third parties unless it is necessary to pursue our legal claims as a legitimate interest or there is a legal obligation to do so.

The deletion takes place after the expiry of statutory warranty and other contractual rights or obligations (e.g. payment claims or performance obligations from contracts with customers), whereby the necessity of storing the data is checked every three years; In the case of storage due to legal archiving obligations, deletion takes place after their expiry.

Contractual services


We process the data of our contractual partners and interested parties as well as other clients, customers, clients, clients or contractual partners (uniformly referred to as “contractual partners”) in accordance with Article 6 Paragraph 1 Letter b. GDPR in order to provide you with our contractual or pre-contractual services. The data processed here, the type, scope and purpose and necessity of their processing are determined by the underlying contractual relationship.

The data processed includes the master data of our contractual partners (e.g. names and addresses), contact data (e.g. e-mail addresses and telephone numbers) as well as contract data (e.g. services used, contract content, contractual communication, names of contact persons) and payment data (e.g. Bank details, payment history).

As a general rule, we do not process special categories of personal data, unless these are part of commissioned or contractual processing.

We process data that is necessary to justify and fulfill the contractual services and point out the necessity of providing them if this is not obvious to the contractual partners. Disclosure to external persons or companies will only occur if required as part of a contract. When processing the data provided to us as part of an order, we act in accordance with the instructions of the client and the legal requirements.

When using our online services, we can store the IP address and the time of the respective user action. The storage is based on our legitimate interests, as well as the interests of the users in protecting against misuse and other unauthorized use. In principle, this data will not be passed on to third parties unless it is necessary to pursue our claims in accordance with Article 6 Paragraph 1 Letter f of the GDPR or there is a legal obligation to do so in accordance with Article 6 Paragraph 1 Letter c. GDPR.

The data will be deleted when the data is no longer required to fulfill contractual or legal duties of care as well as to deal with any warranty and comparable obligations, whereby the necessity of retaining the data is reviewed every three years; Otherwise, the statutory retention requirements apply.

 

External payment service providers


We use external payment service providers through whose platforms users and we can carry out payment transactions. These payment service providers may include, each with a link to the data protection declaration: Paypal (https://www.paypal.com/de/webapps/mpp/ua/privacy-full), Klarna (https://www.klarna.com/de /datenschutz/), Skrill (https://www.skrill.com/de/fusszeile/datenschutzberatung/), Giropay (https://www.giropay.de/gesetzes/datenschutz-agb/), Visa (https:/ /www.visa.de/datenschutz), Mastercard (https://www.mastercard.de/de-de/datenschutz.html), American Express (https://www.americanexpress.com/de/content/privacy- policy-statement.html), Stripe (https://stripe.com/de/privacy).

As part of the fulfillment of contracts, we use the payment service providers on the basis of Article 6 Paragraph 1 Letter b. GDPR. Furthermore, we use external payment service providers based on our legitimate interests in accordance with Article 6 Paragraph 1 Letter f of the GDPR in order to offer our users effective and secure payment options.

The data processed by the payment service providers includes inventory data, such as name and address, bank details, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as contract details, amounts and recipient-related information. The information is required to carry out the transactions. However, the data entered will only be processed and stored by the payment service providers. This means that we do not receive any account or credit card-related information, but only information with confirmation or negative information about the payment. Under certain circumstances, the data may be transmitted by the payment service provider to credit reporting agencies. The purpose of this transmission is to check identity and creditworthiness. For this purpose, we refer to the general terms and conditions and data protection information of the payment service providers.

The terms and conditions and data protection notices of the respective payment service providers apply to payment transactions, which can be accessed on the respective websites or transaction applications. We also refer to these for further information and to assert cancellation, information and other rights of those affected.

 

Administration, financial accounting, office organization, contact management


We process data as part of administrative tasks such as organizing our operations, financial accounting and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process as part of the provision of our contractual services. The basis for processing is Article 6 Paragraph 1 Letter c. GDPR, Art. 6 Para. 1 lit. f. GDPR. Customers, interested parties, business partners and website visitors are affected by the processing. The purpose and our interest in the processing lies in administration, financial accounting, office organization, archiving of data, i.e. tasks that serve to maintain our business activities, carry out our tasks and provide our services. The deletion of data with regard to contractual services and contractual communication corresponds to the information provided in these processing activities.

We disclose or transmit data to the tax authorities, consultants such as tax advisors or auditors as well as other fee offices and payment service providers.

Furthermore, based on our business interests, we store information about suppliers, organizers and other business partners, e.g. for the purpose of later contact. We generally store this mostly company-related data permanently.

 

Google Cloud Services


We use the cloud offered by Google and the cloud software services (so-called Software as a Service, e.g. Google Suite) for the following purposes: document storage and management, calendar management, email sending, spreadsheets and presentations, exchange of documents, content and information with specific recipients or publication of web pages, forms or other content and information as well as chats and participation in audio and video conferences.

The users' personal data are processed to the extent that they become part of the documents and content processed within the services described or are part of communication processes. This may include, for example, user master data and contact details, data on processes, contracts, other processes and their contents. Google also processes usage data and metadata, which is used by Google for security purposes and service optimization.

When using publicly accessible documents, websites or other content, Google may store cookies on the user's computer for the purposes of web analysis or to remember user settings.

We use the Google Cloud services based on our legitimate interests in accordance with Article 6 Paragraph 1 Letter f of the GDPR in efficient and secure administrative and collaboration processes. Furthermore, processing takes place on the basis of an order processing agreement with Google (https://cloud.google.com/terms/data-processing-terms).

Further information can be found in Google's privacy policy (https://www.google.com/policies/privacy) and the security information for Google Cloud services (https://cloud.google.com/security/privacy/). You can object to us processing your data in the Google Cloud in accordance with the legal requirements. Furthermore, the deletion of data within Google's cloud services is determined by the other processing processes in which the data is processed (e.g. deletion of data no longer required for contractual purposes or storage of data required for taxation purposes).

The Google Cloud Services are provided by Google Ireland Limited. If a transfer takes place to the USA, we refer to the certification of Google USA under the Privacy Shield (https://www.privacyshield.gov/participant?id=a2zt0000000000001L5AAI&status=Aktive) and standard protection clauses (https://cloud.google. com/terms/data-processing-terms).

 

Contact


When contacting us (e.g. via contact form, email, telephone or via social media), the user's information is used to process the contact request and process it in accordance with Article 6 Paragraph 1 Letter b. (as part of contractual/pre-contractual relationships), Art. 6 Paragraph 1 lit get saved.

We delete the requests if they are no longer necessary. We review the necessity every two years; The statutory archiving obligations also apply.

 

Communication via WhatsApp messenger


We use WhatsApp Messenger for communication purposes and ask you to note the following information on the functionality, encryption, risks of WhatsApp, use of metadata within the Facebook group of companies and your options for objection.

You do not have to use WhatsApp and can contact us via alternative means, e.g. via telephone or email. Please use the contact options provided to you or use the contact options provided on our website.
WhatsApp (WhatsApp Inc. WhatsApp Legal 1601 Willow Road Menlo Park, California 94025, USA) is a US service, which means that the data you send via WhatsApp can first be transmitted to WhatsApp in the USA, before they are sent to us.

However, WhatsApp is certified under the Privacy Shield Agreement and therefore guarantees that it will comply with European and Swiss data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TSnwAAG&status=Active).
WhatsApp also ensures that the communication content (i.e. the content of your message and attached images) is end-to-end encrypted. This means that the content of the messages cannot be viewed, not even by WhatsApp itself. You should always use a current version of WhatsApp to ensure that the message content is encrypted.

However, we would like to point out to our communication partners that WhatsApp cannot see the content, but can find out that and when communication partners communicate with us as well as technical information about the device used by the communication partner and, depending on the settings of their device, location information (so-called metadata). processed. Except for the encrypted content, it is possible to transmit the data of communication partners within the Facebook group of companies, in particular for the purposes of optimizing the respective services and security purposes. Communication partners should also assume, at least as long as they have not objected to this, that their data processed by WhatsApp can be used for marketing purposes or to display advertising tailored to users.
 

If we ask communication partners for consent before communicating with them via WhatsApp, the legal basis for our processing of their data is Art. 6 Para. 1 lit. a. GDPR. Furthermore, if we do not ask for your consent and, for example, you contact us on your own initiative, we use WhatsApp in relation to our contractual partners and as part of the contract initiation as a contractual measure in accordance with Article 6 Paragraph 1 Letter b. GDPR and, in the case of other interested parties and communication partners, based on our legitimate interests in fast and efficient communication and meeting the needs of our communication partner in communication via messengers in accordance with Art. 6 Para. 1 lit. f. GDPR.

Further information on the purposes, types and scope of processing of your data by WhatsApp, as well as the relevant rights and setting options to protect your privacy, can be found in WhatsApp's data protection information: https://www.whatsapp.com/legal.

You can object to communication with us via WhatsApp at any time. If you subscribe to messages (also known as “broadcasts”) via WhatsApp, you can delete our corresponding telephone number from your contacts and ask us to remove your contact from our directory. If you have ongoing individual inquiries or communications, you can also ask us not to continue the communication via WhatsApp and to delete the communication content.

In the case of communication via WhatsApp, we delete the WhatsApp messages as soon as we can assume that we have answered any information provided by the user, if no reference to a previous conversation is to be expected and the deletion does not conflict with any legal retention requirements.

We would also like to point out that we will not transmit the contact details provided to us to WhatsApp without your consent (e.g. by contacting you via WhatsApp).

Finally, we would like to point out that, for reasons of your security, we reserve the right not to answer inquiries via WhatsApp. This is the case if, for example, contractual details require special secrecy or an answer via messenger does not meet the formal requirements. In such cases, we will refer you to more appropriate communication channels.

 

Hosting and email delivery


The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, email delivery, security services and technical maintenance services, which we use for the purpose of operating this online offering.

In doing so, we, or our hosting provider, process inventory data, contact data, content data, contract data, usage data, meta and communication data from customers, interested parties and visitors to this online offering based on our legitimate interests in the efficient and secure provision of this online offering in accordance with Art. 6 Para. 1 lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of order processing contract).

 

Collection of access data and log files


We, or our hosting provider, collect data about every access to the server on which this service is located (so-called server log files) based on our legitimate interests within the meaning of Article 6 Paragraph 1 Letter f of the GDPR. The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider .

Log file information is stored for security reasons (e.g. to investigate acts of abuse or fraud) for a maximum of 7 days and then deleted. Data whose further storage is necessary for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.

Created with Datenschutz-Generator.de by RA Dr. Thomas Schwenke

bottom of page