Privacy Policy
Data processing controller
Controller and service provider responsible:
BRIGHTLYLABS.COM
privacy@brightlylabs.com
PO BOX
Dubai, UA
The protection of your personal data is very important to us. We would therefore like to inform you in the following pages about the data collected during your visit and the purposes it is used for. Should you still have any queries about the handling of your personal data, please contact our data protection officer.
The ongoing further development of technology, changes in our services or the legal situation as well as other reasons can require adjustments of our data protection notice. We therefore reserve the right to change this data protection declaration at any time and ask you to regularly inform yourself about the current status.
1 BASIC INFORMATION ON DATA HANDLING
1.1 Extent of the personal data processing
We fundamentally collect and use the personal data of our users only insofar as this is required for the provision of a functional website and of our contents and services as well as for the implementation of our business purpose. As a rule we collect and use the personal data of our users only after the user has given his/her consent. Exceptions apply in such cases where it was not possible to obtain prior consent for factual reasons and where the processing of the data is permitted because of statutory requirements.
1.2 Purposes and legal basis for the processing of personal data
We process personal data only to fulfil our contractual obligations or to preserve our overriding legitimate interests. Our legitimate interests are the implementation of our business purpose.
Insofar as we obtain consent from the data subject for processing operations of personal data, Article 6, paragraph 1, sentence 1 lit. a EU General Data Protection Regulation (EU-GDPR) serves as the legal basis for the processing of personal data.
In the processing of personal data required to perform a contract of which the contractual party is the data subject, Art. 6 paragraph 1 sentence 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
Insofar as processing of personal data is required to fulfil a legal requirement that our company is subject to, Art. 6 paragraph 1 sentence 1 lit. c GDPR serves as the legal basis.
In the case that vital interests of the data subject or another natural person make the processing of personal data necessary, Art. 6 paragraph 1 sentence 1 lit. d GDPR serves as the legal basis.
If processing is required to protect a legitimate interest of our company or of a third party and the interests, fundamental rights and freedoms of the data subject do not override the first-named interest, Art. 6 paragraph 1 sentence 1 lit. f GDPR serves as the legal basis for the processing.
1.3 Categories of recipients and personal data, origin of the same; data transmission
We forward personal data to our business partners and service providers for the implementation of the business purpose. To implement our business purpose we use typical contact and address data of our customers and business partners. We typically receive the personal data directly from the data subject or with the consent of the data subject and also in exceptional cases from third parties.
Insofar as nothing to the contrary is stated in the following sections, no forwarding of your data to third parties takes place, unless we are legally obliged to do so, or the data transmission is required to perform the contractual relationship or you have previously given your explicit consent to the forwarding of your data. External service providers and partner companies, such as, for example, online payment providers or the shipping company tasked with the delivery, only receive your data insofar as it is necessary for the execution of your order. However, in these cases the extent of the transmitted data is restricted to the minimum required. Insofar as our service providers come into contact with your personal data, we assure that the regulations of the data protection laws are observed in the same manner. Please also observe the data protection notices of the individual providers. The individual service provider is responsible for the contents of third party services, whereby we verify as far as can be reasonably expected that the services observe statutory requirements.
1.4 Transmission to third countries
Essentially we do not forward personal data to recipients in third countries (i.e. countries outside of the EU). Should data be forwarded to recipients in third countries, we assure not only that we will obtain the permission required for the forwarding, but that the third country recipient also assures an adequate level of data protection (or derogations for specific situations pursuant to Art. 49 paragraph 1 GDPR apply).
In specific cases we forward personal data to recipients in third countries (i.e. countries outside of the EU).
United States of America
In these specific cases we give the following guarantees as described in Art. 44 GDPR:
EU standard contractual clauses
Privacy shield
1.5 Data security
We have taken extensive technical and organisational precautions to protect your data from accidental or intentional manipulation, loss, destruction or access by unauthorised persons. Our security procedures are regularly checked and revised to take into account technological progress.
1.6 Data deletion and storage periods
The personal data of the data subject is deleted or blocked, as soon as the purpose for which it was stored no longer applies. Storage can also be effected if this was required by the European or national legislators in European Union regulations, laws or other stipulations that the person responsible is subject to. The data is also blocked or deleted if a statutory storage period prescribed by the cited standards expires, unless there is a need for continued data storage for the purposes of a conclusion or performance of a contract.
2 GENERAL DATA COLLECTION WHEN VISITING OUR WEBSITE
When visiting the website for purely informational purposes, i.e. when you do not register or transfer other information to us, we collect only the personal data that your browser transmits to our server.
Within the framework of the balancing of interests pursuant to Art. 6 paragraph 1 sentence 1 lit. f GDPR we have taken into account and weighed up our interest in provision and your interest in the processing of your personal data in compliance with data protection requirements. As the data below is necessary for the technical provision of our service in order to be able to offer you access to our website and also to ensure stability and security, in particular to offer protection against misuse, we have come to the conclusion that this data - in conjunction with an assurance of data security based on the state of technology - can be processed, whereby your interest in processing in compliance with data protection requirements is adequately taken into account.
Description and extent of data collection
Whenever our internet site is visited, our system automatically records data and information from the computer system of the visiting computer.
The following data is collected:
- Information about the browser type and version used
- The operating system and the interface of the user
- The internet server provider of the user
- The IP address of the user
- Access status/http status code
- Date and time of the visit
- Time zone difference to Greenwich Mean Time
- Content of the request (concrete internet page)
- The quantity of data transmitted
- Websites, from which the system of the user accessed our internet site
- Websites that are visited by the system of the user via our website
- Regarding mobile end devices: Manufacturer and type designation of the Smartphone, tablet or other mobile end devices
Low-level tracer
The data is likewise stored in the logfiles of our system. Storage of this data together with other personal data of the user does not take place.
Legal basis for data processing
The legal basis for the temporary storage of the data and the logfiles is Art. 6 paragraph 1 sentence 1 lit. f GDPR.
Purpose of data processing
The temporary storage of the IP address by the system is necessary so as to enable delivery of the website to the computer of the user. To do this the IP address of the user remains stored for the duration of the session.
Storage in logfiles is required in order to assure the functionality of the website. In addition, the data serves to optimise the website and to assure the security of our IT systems. In particular our website and our other IT system help us to adapt to the browser, operating system and end devices used.
An evaluation of the data for marketing purposes does not take place in this connection.
These purposes are also our legitimate interest in data processing pursuant to Art. 6 paragraph 1 sentence 1 lit. f GDPR.
Duration of the storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. If the data is recorded in order to provide the website, this is the case when the session in question has ended.
In the case of storage of data in logfiles, this is the case after seven days at the latest. Storage above and beyond this period is possible. In this case the IP addresses of the user are deleted or distorted so that it is no longer possible to recognise the calling client.
Right to object and removal
The recording of data for the provision of the website and the storage of the data in logfiles is absolutely essential for the operation of the internet site. As a consequence the user has no possibility to object to this.
3 REGISTRATION
On our internet site we offer users the possibility to register by entering their personal data. The data is entered in the input mask and is transferred to us and stored. The data is not forwarded to third parties. The following data is collected as part of the registration process:
- Salutation
- Academic title (optional)
- First name
- Last name
- Password
- Address
- Telephone number
- Company (optional)
- Country
- Packing station (if available)
- CPF – Natural Person Register (only Brazil)
At the time of registration the following data is also stored:
- The IP address of the user
- Date and time of the registration
- Customer number
- Entity-ID
- Email hash
The user is asked as part of the registration process to consent to the processing of this data. After registration has been completed you receive a personal access protected by password and can view and manage the registration data. Registration is effected on a voluntary basis, but may be a precondition for using our services.
In this connection your data is forwarded to our email service provider Emarsys so that we can send you an email confirming your registration.
Legal basis for the data processing
Assuming the user gives his or her consent, the legal basis for the processing of the data is Art. 6 paragraph 1 sentence 1 lit. a GDPR.
If registration serves to perform a contract, of which the contractual partner is the user or in order to take steps prior to entering into a contract, the legal basis for the processing of the data is also Art. 6 paragraph 1 sentence 1 lit. b GDPR.
Purpose of data processing
User registration is necessary for the provision of certain contents and services, in particular the extended use of our web shop on our website. User registration also serves for the performance of a contract with the user or to take steps prior to entering into a contract. Registration refers in particular to the use of our web shop.
Sales contracts are typically concluded via the web shop for the following product groups:
- Clothing
- Shoes
- Bags
- Accessories (including jewellery)
- Children's clothing
- Furnishings
- Gift vouchers
Duration of the storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected.
This is the case for the data collected during the registration process if the registration on our internet site is cancelled or modified.
Insofar as the data collected during the registration process is required to perform a contract or to take steps prior to entering into a contract, this is only the case when the data is no longer required to perform the contract. Even after conclusion of the contract it may still be necessary to store personal data in order to fulfil contractual or statutory obligations.
Personal data is stored as a measure to prevent fraud.
The deletion deadline for the purposes of fraud prevention is 6 months, for actual attempts of fraud 6 months.
Right to object and removal
As a user you can cancel your registration at any time. You can have the data stored about you altered at any time.
You can send an email to privacy@brightlylabs.com requesting the deletion or modification of your data.
If the data is required for the performance of a contract or to take steps prior to entering into a contract, a premature deletion of the data is only possible insofar as no contractual or statutory obligations contradict this.
4 CONTACT
Our internet site has a contact form which can be used to contact us by electronic means. If the user takes advantage of this possibility, the data entered in the input mask is transmitted to us and stored. This data is:
- First and last name
- Email address
- Subject
- Message
No data is stored when the message is sent. Alternatively, contact can be established via the email address provided. In this case the personal data of the user transmitted via the email is stored. In this connection the data is not forwarded to third parties. The data is solely used for the processing of the conversation.
Legal basis for the data processing
If the user has given his or her consent, the legal basis for the processing of the data is Art. 6 paragraph 1 sentence 1 lit. a GDPR.
Legal basis for the processing of the data that is transmitted as part of sending an email is Art. 6 paragraph 1 sentence 1 lit. a GDPR. If the intention of the email contact is the conclusion of a contract, the legal basis for the processing is also Art. 6 paragraph 1 sentence 1 lit. a GDPR.
Purpose of data processing
The processing of personal data from the input mask is used solely for the process of establishing the contact. In the case of contact by email there is also the necessary and legitimate interest in processing the data.
The personal data otherwise processed during the sending process is used to prevent misuse of the contact form and to assure the security of our IT systems.
Duration of the storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from the input mask of the contact form and the personal data sent by email, this is the case when the conversation with the user has ended. The conversation is deemed to have ended when the circumstances suggest that the subject matter in question has been conclusively clarified.
The personal data additionally collected during the sending process is deleted at the latest seven days afterwards.
Right to object and removal
The user can revoke his or her consent to the processing of personal data at any time. If the user establishes contact with us via email, he or she can object to the storage of his or her personal data at any time. The conversation cannot be continued in such a case.
You can inform us of your revocation of consent as well as your objection to storage of your personal data by sending an email to privacy@brightlylabs.com.
In this case all personal data stored during the establishment of the contact is deleted.
5 NEWSLETTER
We use the so-called double opt-in procedure and the confirmed opt-in procedure for registration to our newsletter. The double opt-in procedure means that we send you a confirmation email to the email address you provide, in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm within a period of 72 hours, the data will be deleted automatically. If you confirm your wish to receive the newsletter, your email address will be saved. The storage serves the sole purpose of being able to send you the newsletter. In addition, we also store your IP addresses when you register and confirm as well as the times, in order to prevent misuse of your personal information.
Email Service Provider: Newsletters are sent by Emarsys eMarketing Systems AG, Hans-Fischer-Straße 10, 80339 Munich, Germany, hereinafter referred to as the "Email Service Provider". You can view the privacy policy of the email service provider here: https://www.emarsys.com/de/datenschutzrichtlinie/
The email address is the only required information for sending the newsletter. The provision of additional, specially marked information is voluntary, and it will be used solely for the purpose of personalising the newsletter. In addition, we store the IP addresses you use for registration and confirmation, as well as the times these events take place. The purpose of this procedure is to have evidence of your registration and, if necessary, to clarify any possible misuse of your personal data. After your confirmation, we save your registration data for the purpose of sending you the newsletter. The legal basis for this is Art. 6(1)(1)(a) GDPR.
If we have received your email address in connection with your order and you have not objected to this, we reserve the right to send you regular offers by email for products similar to those you have already purchased from our product range.
You can object at any time to the use of your email address and the processing and use of the data to create user profiles without stating reasons by sending a message to privacy@brightlylabs.com or by using the unsubscribe link in the email newsletter, without incurring any costs other than the transmission costs according to the basic rates, i.e. your existing Internet contract.
We would like to point out that we evaluate your user behaviour when sending the newsletter. For this evaluation, the emails we send contain, among other things, so-called web beacons also known as tracking pixels. These are one-pixel image files enabling us to evaluate your user behaviour. This is done by collecting web beacons, which are assigned to your email address and linked to your own ID.
We use the email service provider as well as Certona (see 11.1.1 Certona in the privacy policy) to store cookies on your computer through your web browser. The cookies and the identification numbers stored in them will not be associated with your name, address, email address or other personally identifiable information unless you have expressly permitted us to send you information specifically tailored to your interests. The email service provider and Certona use these cookies to recognize your browser, so that we can track your movements on our website as well as recording and measuring the success of certain marketing actions. We use this information to improve our website and email newsletters, in particular by adapting our information and offers to the individual interests and needs of users.
The storage of these cookies is carried out on the basis of Art. 6(1)(a) GDPR.
With the data obtained in this way, we create a pseudonymous user profile in order to be able to provide you with a newsletter tailored to your interests. The following data will be collected:
- Have you opened the newsletter? And what did you click on in it?
- When and how long did you visit our website? What products and categories did you look at?
- When and what did you purchase? What category, and in what amount? And: Did you cancel the order?
We associate this data with your user account, if you have logged in.
The information collected by the email service provider is stored on a server located within the European Union. With regard to the data collected by Certona, a data transfer takes place. Guarantees pursuant to Articles 44 et seq. GDPR are provided by means of an order data processing contract between us and Certona, which contains standard EU contract clauses.
You can opt out of the cookie-based collection and analysis of online data described above at any time by clicking the Opt-out button below. If you exercise this option, an anonymous "opt-out" cookie will be stored in your web browser, informing the Emarsys web servers and the Certona web servers of your opting out and preventing the collection of data. The opt-out cookie will remain in effect in the browser you are using until you delete it using that browser. However, if you delete the cookie or use a different browser or computer, the email service provider and Certona will no longer be able to recognise that you have declared your objection. Alternatively, you can configure your browser so that it does not accept cookies.
If you have registered in our webshop and placed products on your wish list, you will receive emails informing you about the products on the wish list. You can unsubscribe from these notifications by unchecking the box at the end of the wish list or by using the unsubscribe link in the emails.
6 YOUR ORDER IN OUR ONLINE SHOP
If you would like to place an order in our web shop it is necessary for the purposes of concluding the contract that you provide personal data which we require to process the order. Mandatory details required for the processing of contracts are specifically marked as such, other details are voluntary. We use the data given by you to process your order. In addition, we can forward your payment details to the payment service provider selected by you. Additionally, we forward your address details to the shipping logistics service provider selected to carry out shipping.
The legal basis for this is Art. 6 paragraph 1 sentence 1 lit. b GDPR.
You can also create a user account on a voluntary basis, which we can then use to store your data for additional purchases at a later date. This registration is based on Point 3 of this declaration.
We can also process the data given by you in order to notify you about additional products in our range that you may find of interest or have emails about technical information sent to you.
Commercial and fiscal stipulations require us to store your address, payment and order details for the period of ten years. Nevertheless, we restrict processing after two years; this means your data is only used to observe the statutory requirement.
You can object to the use of your data for advertising and data analysis purposes at any time. Please send your objection to privacy@brightlylabs.com.
To prevent unauthorised access to your personal data, in particular financial data, the order process is encrypted using the "Secure Socket Layer" (SSL) hybrid encryption protocol for secure data transmission.
7 OUR PAYMENT SERVICE PROVIDERS
7.1 Paypal
PayPal (PayPal (Europe) S.a.r.l. et Cie, S.C.A. 22-24 Boulevard Royal 2449 Luxemburg) is a payment method termed as a so-called E-wallet. This means the customer creates an actual payment method with PayPal and logs with us into his PayPal account during the payment process in order to confirm the payment there. The login is effected on the PayPal site and the customer must share no payment data. However, the following data is transmitted to PayPal when this payment method is used: amount, order number, name (both of the invoice as well as the delivery address), address (both of the invoice as well as the delivery address), email, telephone number. The purpose of the data processing is the execution of your payment via PayPal. We receive from PayPal a payment confirmation relating to the above-mentioned data and the time of payment. Legal basis is Art. 6 paragraph 1 sentence 1 lit. b GDPR. The data transmission described is effected simultaneously also for the purposes of fraud prevention at PayPal. Therefore, the additional legal basis Art. 6 paragraph 1 sentence 1 lit. f GDPR applies. Insofar as you effect payment by PayPal, a right of objection is excluded as the processing of your data is absolutely essential.
7.2 BS Payone
BS Payone (BS PAYONE GmbH Lyoner Straße 9 D-60528 Frankfurt/Main) is our payment service provider through which the card transaction as well as EPS payments is processed.
For card transactions we use an iFrame which is made available by BS Payone and is integrated in our web shop. Therefore, customers do not have to share any card details with us. We also receive from BS Payone no other personal data. However, the following data is transmitted to Payone when this payment method is used: amount, order number, name (both of the invoice as well as the delivery address), address (both of the invoice as well as the delivery address), email, telephone number, pseudocardpan. The data from card payments is in turn forwarded by Payone to our acquiring banks (Elavon, American Express) so that the card can be debited by the card-issuing bank. The purpose of the data processing is the execution of your payment via card transaction. Legal basis is Art. 6 paragraph 1 sentence 1 lit. b GDPR. The data transmission described is effected simultaneously also for the purposes of fraud prevention at BS Payone. Therefore, the additional legal basis Art. 6 paragraph 1 sentence 1 lit. f GDPR applies. Insofar as you effect payment by card, a right of objection is excluded as the processing of your data is absolutely essential.
For EPS payments customers are transferred by Payone to their own bank after they have selected their bank. There they must confirm the payment process in the same way as a transfer needs to be confirmed when using online banking services. We receive from BS Payone no other personal data. However, the following data is transmitted to Payone when this payment method is used: amount, order number, name (both of the invoice as well as the delivery address), address (both of the invoice as well as the delivery address), email, telephone number. The purpose of the data processing is the execution of your payment via EPS payment. Legal basis is Art. 6 paragraph 1 sentence 1 lit. b GDPR. Insofar as you effect payment by EPS payment, a right of objection is excluded as the processing of your data is absolutely essential.
7.3 Klarna
Klarna (Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden) is our service provider for the payment method SOFORT Überweisung. Should you use this payment method the following data is transmitted: We send no personal data to Klarna. However, we receive from Klarna payment confirmation as well as the following data: account holder, IBAN, BIC, account number. The purpose of the data processing is the execution of your payment via SOFORT Überweisung. Legal basis is Art. 6 paragraph 1 sentence 1 lit. b GDPR. Insofar as you effect payment by SOFORT Überweisung, a right of objection is excluded as the processing of your data is absolutely essential.
8 COOKIES
We use cookies in order to improve our web presence and to optimise use for you, but also for advertising purposes. Cookies are small text files that are stored on your computer when you call up our website and enable a renewed identification of your browser. Cookies store information, such as, for example, your language setting, the length of visit to our website or the entries you made there. This avoids the need to re-input all the required data afresh at every session. Moreover, cookies enable us to detect your preferences and to tailor our website to your areas of interest.
Most browsers accept cookies automatically. If you would like to prevent the acceptance of cookies, you can select the setting "accept no cookies" in the browser settings. How this works in detail can be found in the instructions of your browser manufacturer. Cookies already stored on your computer can be deleted at any time. However, we would like to point out this may restrict the functionality of our web presence.
9 FIRST-PARTY COOKIES
This type of cookie is set by the website that the user visits. Only this website is permitted to read the cookie information.
9.1 Cookies used
We use cookies in order to design our website in a user-friendly fashion. Some elements of our internet site require the calling browser to be identified also after a page change.
The following data is stored and transmitted in the cookies:
Examples can be:
- Language settings
- Articles in a shopping cart
- Log-In information
We also use cookies on our website to enable analysis of the user's surfing behaviour.
In this way the following data can be transferred:
This can be, for example:
- Search terms entered
- Frequency of page views
- Utilisation of website functions
- Device or browser information
- Products and categories viewed
- Call up of wish list and the shopping cart as well as the adding of new products
- Number of products in the shopping cart
- Point of origin of the page visitor
- Abbreviated IP address
- Email hash
The user data collected in this manner is pseudonymised by technical precautions. Therefore, the data can no longer be traced to a visiting user. When calling up our website the user is informed about the use of cookies for analysis purposes. In this connection a reference is also made to this data protection declaration.
Legal basis for the data processing
The legal basis for the processing of personal data by the means of cookies is Art. 6 paragraph 1 sentence 1 lit. f GDPR.
Purpose of data processing
The reason why technically necessary cookies are employed is to simplify use of websites for the users. Some functions of our internet site cannot be offered without the use of cookies. It is essential for these functions that the browser is also recognised again after a page change.
We require cookies for the following functions:
- Shopping cart
- To protect the website from attacks
- Marking of sessions - settings
The user data collected by the technically necessary cookies is not used to generate user profiles.
We use analysis cookies to improve the quality of our website and its contents. The analysis cookies enable us to find out how the website is being used and therefore allow us to ensure an ongoing improvement of our web presence. In addition, they enable us to maintain quality assurance and constantly improve the user experience.
These purposes are also our legitimate interest in processing personal data pursuant to Art. 6 paragraph 1 sentence 1 lit. f GDPR.
Duration of storage, right to object and removal
Cookies are stored on the computer of the user and are transferred from it to our site. Therefore, you as the user also have full control over the use of cookies. By altering the settings in your internet browser you can disable or restrict the transfer of cookies. Cookies already stored can be deleted at any time. This can also be effected automatically. Disabling cookies for our website may mean that not all functions of the website can be used to their full extent.
Our website uses transient cookies. These are automatically deleted when you close your browser. These are typically so-called session cookies. These store a so-called session ID with which various queries from your browser can be assigned to a common session. It means that your computer can be recognised again when you return to our website. These cookies are deleted when you log out or close the browser.
Our website also uses persistent cookies. These are automatically deleted after a predetermined period that can vary depending on the cookie. These cookies, too, can be deleted at any time.
Our website likewise uses flash cookies. The flash cookies used are not recorded by your browser, but by your flash plug-in. Furthermore, we use HTML5 storage objects, which are stored on your end device. These objects store the required data irrespective of the browser you are using and have no automatic expiry date. If you no longer wish flash cookie processing, you must install a corresponding add-on, e.g. "Better Privacy" for Mozilla Firefox (https://addons.mozilla.org/de/firefox/addon/betterprivacy/) or the Adobe flash killer cookie for Google Chrome. You can also partially prevent the use of flash cookies by changing the settings of your flash player. You can prevent the use of HTML5 storage objects by employing the private mode in your browser. Additionally, we recommend manually deleting your cookies and the browser history on a regular basis.
10 THIRD-PARTY COOKIES
Third-party cookies are set by organisations that are not the operators of the website the user visits. These cookies are used by marketing companies, for example.
10.1 Criteo GmbH
We employ technology of Criteo GmbH (Criteo GmbH, Gewürzmühlenstr. 11, 80538 Munich) on our site to create and deliver personalised advertising. Our website brightlylabs.com uses cookies/advertising IDs for the purpose of advertising. This enables us to show our advertisements to visitors who are interested in our products on partner websites, apps and emails. Re-targeting technologies use your cookies or advertising IDs and display advertisements based on your past browsing behavior. You can opt out of interest-based advertising by visiting the following websites:
http://www.networkadvertising.org/choices/
http://www.youronlinechoices.com/
We may share data, such as technical identifiers derived from your registration information on our brightlylabs.com website or our CRM system with our trusted advertising partners. This allows them to link your devices and/or environments and provide you a seamless experience across the different devices and environments that you use. To read more about their linking capabilities, please refer to their privacy policy listed in the above-mentioned platforms or listed below.
You can find more information concerning Criteo data protection here: https://www.criteo.com/privacy/
Should you no longer wish to be shown any personalised advertising material, you can unsubscribe from Criteo advertising here.
10.2 Adobe Tracker
We use the following technology of Adobe Systems Software Ireland Limited (4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland):
10.2.1 Adobe Advertising Cloud
Everest Tech (AdobeSystem Ireland Ltd.) is an advertising solution that enables companies to optimise their online advertising in search engines. Therefore, Adobe sets a cookie as soon as you have bought something on brightlylabs.com after clicking in the Google search engine or have placed something in the shopping cart.
Only information such as keyword, orderID, productID and turnover is transmitted to Adobe.
According to Adobe no additional personal data is collected. Personal data is not forwarded to the USA.
Guarantees pursuant to Art. 44ff GDPR exist as Adobe is subject to the Privacy Shield, which you can find here.
Legal basis for the processing of the data is Art. 6 paragraph 1 sentence 1 lit. f GDPR.
We use the service provider Adobe in order to optimise our search engine campaigns on Google and thus to improve our advertising efficiency. These purposes are also our legitimate interest in the sense of Art. 6 paragraph 1 sentence 1 lit. f GDPR.
We hand over no personal data. If you would not like Adobe to receive anonymised data, you can unsubscribe here https://www.adobe.com/uk/privacy/opt-out.html. If you would like to find out more information on Adobe, you can find all data protection topics here: https://www.adobe.com/uk/privacy/opt-out.html.
10.3 Google Tracker
We use the following technology of Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, which is a part of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google").
10.3.1 Google AdWords and Conversion Tracking
In order to attract attention to our services, we place Google AdWords adverts and, as part of this, use Google conversion tracking for the purpose of providing personalised online advertising that takes into consideration interest and location. The option to anonymise the IP addresses is regulated at Google Tag Manager via an internal setting that is not visible in the source of this page. This internal setting is set so that the anonymisation of the IP address required by the Federal Data Protection Act is achieved.
The adverts are displayed after search queries on websites of the Google Advertising Network. We have the ability to combine our adverts with certain search terms. We can use cookies to place adverts based on the previous visits of the user to our website.
A cookie is set by Google when an advert is clicked on the computer of the user. For more information on the cookie technology used, please consult the information provided by Google on Website Statistics and in the Data Protection Provisions.
With the aid of this technology Google and we as a customer receive information on when a user has clicked on an advert and which websites he or she was forwarded to. The information obtained by this is solely used for a statistical evaluation for advertising optimisation purposes. We receive no information with which visitors can be personally identified. The statistics made available to us by Google contain the total number of users that have clicked on our adverts, and, if applicable, whether they were forwarded to a webpage of our web content furnished with a conversion tag. We can use these statistics to track which search terms occur particularly frequently when our advert is clicked and which adverts lead the user to establishing contact via the contact form.
If you would not like this, you can prevent the storage of the cookies required for this technology, for example, via your browser settings. In this case your visit does not flow into the user statistics.
You can prevent your participation in this tracking process in a variety of ways:
- a) by a corresponding setting in your browser software, in particular the suppression of third-party cookies means that you receive no adverts from third-party providers;
- b) by disabling the cookies for conversion tracking by setting your browser so that cookies from the domain "www.googleadservices.com" are blocked, https://www.google.de/settings/ads, this setting being deleted when you delete your cookies;
- c) by disabling the interest-related adverts of providers that are part of the self regulating campaign "About Ads" via the link http://www.aboutads.info/choices, this setting being deleted when you delete your cookies;
- d) by permanent disabling in your browsers Firefox, Internet Explorer or Google Chrome under the link http://www.google.com/settings/ads/plugin. We point out that in this case you may not be able to use all the functions of this content to its full extent.
Legal basis for the processing of your data is Art. 6 paragraph 1 sentence 1 lit. f GDPR. Our legitimate interest is the evaluation of the statistics obtained from the findings on user behaviour and the efficacy of our advertising. This in turn serves to continually improve our web content and our web presence.
You can find more information concerning Google data protection here: http://www.google.com/intl/de/policies/privacy and https://services.google.com/sitestats/de.html.
Alternatively, you can visit the website of the Network Advertising Initiative (NAI) on http://www.networkadvertising.org. Google has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
Nevertheless, we and Google continue to receive the statistical information regarding how many users visited the site and when they did this. If you would not like to be included in these statistics, you can prevent this with the aid of additional programs for your browser (for example with the Add-on Ghostery).
10.3.2 Google AdWords and Google Analytics Remarketing Lists for Search Ads (RLSA)
brightlylabs.com uses Google AdWords and Google Analytics Remarketing Lists for Search Ads (RLSA). Users that visit brightlylabs.com are collected via a Google tag and the behaviour is recorded. You appear on the list for a standard period of 30 days and for a maximum period of 540 days.
The information generated by the cookie about your use of the website like:
- Browser type / version,
- Operating system used,
- Referrer-URL (the site visited previously),
- Hostname of the calling computer (IP address),
- Time of the server query
is as a rule transmitted to a Google server in the USA and stored there.
The recorded behaviour pattern such as, for example, the dwell time on the site, concluded or aborted shopping cart operations, direct abort of the visit (bounce) can be used to adapt the advertising to the Google search results page.
For those exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield which you can find here.
Legal basis for the processing of the data is Art. 6 paragraph 1 sentence 1 lit. f GDPR. Our legitimate interest resides in the analysis of the efficacy of our advertising and the constant improvement of our advertising efficiency that goes hand in hand with this.
If you want to object to the use of the data, please click here.
10.3.3 Google Shopping Reviews
brightlylabs.com uses Google Shopping Reviews, which allows shoppers to write a review of brightlylabs.com after they have placed an order. These reviews are visible to potential future customers.
Should a buyer agree, the following data will be collected:
- Order ID
- Email address (for sending the survey)
- Shipping country
- Estimated delivery time (time the survey was submitted)
For those exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield.
Legal basis for the processing of the data is Art. 6 paragraph 1 sentence 1 lit. f GDPR.
Our legitimate interest lies in your consent to participate in the survey. This data must be collected so that Google Shopping Reviews, the third party commissioned by us, can provide you with an independent survey if you have consented to the delivery of your order.
Your data will be stored for a 12-month period.
10.3.4 Google Customer Match
brightlylabs uses Google Customer Match technology to create and deliver personalised advertising.
Our brightlylabs.com website uses cookies/advertising IDs for advertising purposes. This allows us to show our advertising to visitors interested in our products on partner websites, apps and emails. Re-targeting technologies use cookies or advertising IDs and display ads based on your previous browsing behaviour. To opt out of this interest-based advertising, please visit the following websites:
http://www.networkadvertising.org/choices/
http://www.youronlinechoices.com/
We may share information such as technical identifiers from your registration information on our brightlylabs.com website or CRM system with trusted advertising partners. This allows you to link your devices and/or environments and provide a seamless user experience with the devices and environments you use. For more details on these linking capabilities, please refer to the privacy policy found on the aforementioned platforms, or to the explanations below.
The legal basis for the processing of personal data using marketing cookies is Article 6(1) sentence 1a GDPR.
If you no longer wish to receive personalised advertising material, you can unsubscribe from Google's advertising here.
10.3.5 Google reCAPTCHA
On this website we use the reCAPTCHA function of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). This function is primarily used to differentiate whether an entry is made by a natural person or abusively by machine and automated processing. The service includes the sending of the IP address and, if applicable, other data required by Google for the reCAPTCHA service to Google and is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in establishing individual responsibility on the Internet and avoiding abuse and spam. In the course of using Google reCAPTCHA, personal data may also be transferred to the servers of Google LLC in the USA.
Further information about Google reCAPTCHA as well as Google's privacy policy can be found at: https://www.google.com/intl/de/policies/privacy
10.4 Microsoft Bing Tracker
We use the following technology of Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399, USA):
10.4.1 Bing Conversion Tracking
We also use Bing Ads Conversion Tracking. A Bing Ads cookie is set on your computer as soon as you visit our website via a Bing search ad. Using Bing Conversion Tracking, campaigns for search engine advertising are directed to Bing on a frequency basis, i.e. ads are placed more frequently for search queries that often lead to a purchase, whereas search queries that are less relevant see fewer ads.
The following data is collected:
- Browser type / version,
- Operating system used,
- Hostname of the calling computer (IP address),
- Time of the server query
If you would not like this, you can unsubscribe at any time on https://account.microsoft.com/privacy/ad-settings . For more information on Bing Ads Conversion Data Protection, please consult https://privacy.microsoft.com/de-de/privacystatement.
For the exceptional cases in which personal data is transferred to the USA, Microsoft has submitted to the EU-US Privacy Shield which you can find here.
Legal basis for the processing of the data is Art. 6 paragraph 1 sentence 1 lit. f GDPR. We use Bing Conversion Tracking in order to optimise our search engine campaigns on Bing and thus to improve our advertising efficiency. These purposes are also our legitimate interest in the sense of Art. 6 paragraph 1 sentence 1 lit. f GDPR.
10.4.2 Bing Ads Remarketing Lists for Search Ads (RLSA)
We also use Microsoft Bing Ads Remarketing Lists for Search Ads. Here, the users that visit our website are detected by means of a general website tag and optional event snippets and their behaviour recorded. The recorded behaviour pattern such as, for example, the dwell time on the site, concluded or aborted shopping cart operations, direct abort of the visit (bounce) can be used to adapt the advertising to the Bing search results page. This means that users that have a great interest in our website see more ads in a higher position, while visitors that have less interest in our website see fewer ads in the search engine or even none at all. For more information on Bing Ads Remarketing Lists for Search Ads data protection, please consult https://advertise.bingads.microsoft.com/de-de/ressourcen/richtlinien/richtlinien-zur-datensicherheit-und-datnschutzerklaerung.
The following data is collected by means of cookies:
- Browser type / version,
- Operating system used,
- Hostname of the calling computer (IP address),
- Time of the server query
For the exceptional cases in which personal data is transferred to the USA, Microsoft has submitted to the EU-US Privacy Shield which you can find here.
Legal basis for the processing of the data is Art. 6 paragraph 1 sentence 1 lit. f GDPR. Our legitimate interest is the evaluation of the statistics obtained from the findings on user behaviour and the efficacy of our advertising. This in turn serves to continually improve our web content and our web presence.
If you would not like this, you can unsubscribe at any time on https://account.microsoft.com/privacy/ad-settings. For more information on Bing Ads Conversion Data Protection, please consult https://privacy.microsoft.com/de-de/privacystatement.
10.5 Facebook Custom Audiences
(1) This website uses Facebook Custom Audience with the so-called pixel function ("Facebook Pixel") provided by Facebook Ireland Ltd. ("Facebook"). This allows users of the site to view interest-based advertisements ("Facebook Ads") when visiting the Facebook social network or other sites that also use the process. Our interest in pursuing this route is to show you advertisements which are of interest to you in order to make our website more interesting for you.
(2) We do not actively transmit personally identifiable information to Facebook. However, due to the use of Facebook Pixel, your browser automatically establishes a direct connection to the Facebook server. We have no influence on the extent and further use of the data collected through the use of this tool by Facebook and therefore inform you according to our state of knowledge: Through the integration of Facebook Custom Audiences, Facebook receives the information that you have accessed the corresponding website of our website or clicked on an advertisement from us. If you are registered with a Facebook service, Facebook can assign the visit to your account. Even if you are not registered on Facebook or have not logged in, the provider may collect and store your IP address and other identifiers.
(3) The legal basis for the processing of personal data using cookies is Article 6(1) sentence 1f GDPR.
(4) Using Facebook Pixel, Facebook can on the one hand determine the visitors to our online offering as a target group for the presentation of ads (so-called "Facebook ads"). Accordingly, we use Facebook Pixel to display Facebook ads placed by us only to Facebook users who have shown an interest in our online offering or who have certain features (for example, interests in certain topics or products that are determined on the basis of the websites visited) that we transmit to Facebook (so-called "custom audiences"). Using Facebook Pixel, we also want to ensure that our Facebook ads correspond to the potential interest of users and do not have an annoying effect. Facebook Pixel also enables us to track the effectiveness of Facebook ads for statistical and market research purposes by seeing if users were referred to our site after clicking on a Facebook ad (known as "conversion"). These purposes also constitute our legitimate interest within the meaning of Article 6(1) sentence 1f GDPR.
(5) In the event that Facebook transmits data to the USA, Facebook is certified under the Privacy Shield Agreement and thus guarantees a level of data protection comparable to European law (Articles 44 et seq. GDPR). (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
(6) Information about the third-party provider: Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland; Board of Directors: Gareth Lambe, Shane Crehan; registered with the Companies Registration Office of the Republic of Ireland; company number 462932.
For more information about Facebook data processing, please visit https://www.facebook.com/about/privacy.
(7) You may opt out of data collection via Facebook Pixel and the use of your information to display Facebook ads by using the opt-out below. To set what types of ads you see within Facebook, you can go to the following page set up by Facebook and follow the instructions there about the settings for usage-based ads: https://www.facebook.com/settings?tab=ads. The settings are platform-independent, that is, they are adopted for all devices, such as desktop computers or mobile devices.
Note: If you use opt-out, an opt-out cookie is stored on your device. If you delete the cookies in this browser, then you must make the selection again. Furthermore, the opt-out only applies within the browser you are using, and only within our web domain where the box was unchecked.
You can find a corresponding opt-out for Facebook Pixel here:
11 SPECIAL TOOLS
In addition to the above-mentioned cookies we also employ additional tools for the purposes of usage analysis, content optimisation, marketing analysis and advertising optimisation. The explanations in section 10 do not apply to these tools. We will now inform you about each of these special functions, including the extent of data collection, the legal basis, the purposes pursued with the data collection as well as the possible ways you have at your disposal to prevent the use of these tools.
11.1 Tools for marketing purposes
We use cookies for marketing purposes in order to offer our users appealing advertising. In addition, we use the cookies to cap the display frequency of an advertisement and to measure the efficacy of our advertising measures. This information can also be shared with third parties, such as ad networks.
11.1.1 Certona
We use the Certona Product Recommendations analysis and advertising service provided by Certona Corporation, 10431 Wateridge Circle, Suite 200, San Diego, CA 92121, USA ("Certona"). Certona Product Recommendations uses cookies stored on your computer to help us analyse and optimise the use of our website, as well as to personalise your visit to our website and improve our advertising. The information generated by the cookie about your use of this website is generally transmitted to a Certona server in the United States and stored and processed there on our behalf.
The following data will be transmitted:
- IP address without assignment to a specific user profile
- Device-related data such as device type and model, operating system and browser type and version
- Usage-related information such as time of use, length of stay, place of origin
- Information about purchasing behaviour such as purchases, placement of items into the shopping cart, deletion from the shopping cart, inclusion on the wish list, deletion from the wish list, product search, product reviews
- Certona tracking ID (anonymised)
- Order list, order ID, product ID (all pseudonymized), prices
- Email hash
A data transfer to the USA takes place. Guarantees pursuant to Articles 44 et seq. GDPR are provided by means of an order data processing contract between us and Certona, which contains standard EU contract clauses. To view the standard contractual clauses, please send us an email to privacy@brightlylabs.com.
The legal basis for processing of data is Article 6 (1) sentence 1f of the GDPR. Our justified interest lies in usage analysis and the related continuous optimisation of our website as well as in the offer of personalised web content.
If you want to avoid the transmission of your data, please click the following link (Note: If you use opt-out, an opt-out cookie is stored on your device. If you delete the cookies in this browser, then you must make the selection again. Furthermore, the opt-out only applies within the browser you are using, and only within our web domain where the box was unchecked).
11.1.2 Google Analytics and Conversion Tracking
This website uses Google Analytics, an advertising analysis service of Google Inc. ("Google"). Use takes place based on Art. 6 paragraph 1 sentence 1 lit. f GDPR. Google Analytics uses so-called "cookies", text files that are stored on your computer and enable an analysis of the use of the website by you.
The information generated by the cookie about your use of the website like:
- Browser type / version,
- Operating system used,
- Referrer-URL (the site visited previously),
- Hostname of the calling computer (IP address),
- Time of the server query
is as a rule transmitted to a Google server in the USA and stored there. The IP address transmitted as part of Google Analytics from your browser is not amalgamated with other Google data. We have also added the code "anonymizeIP" to Google Analytics on this website. This ensures that your IP address is masked so that all data is collected anonymously. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there.
For the exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield https://www.privacyshield.gov/EU-US-Framework.
On behalf of the operator of this website, Google uses this information to evaluate your use of the website, to collate reports on website activities and to render further services to the website operator connected with the website use and internet use. This represents a legitimate interest in the sense of Article 6, paragraph 1 sentence 1 lit. f GDPR.
You can prevent the storage of the cookies by means of an appropriate setting in your browser software; however, we would like to point out that in this case you may not be able to use all the functions of this website to their full extent.
You can also prevent the recording of the data related to your use of the website (incl. your IP address) by Google as well as the processing of this data by Google by downloading and installing a browser plug-in available on the following link: http://tools.google.com/dlpage/gaoptout?hl=de. An opt-out cookie is set that prevents the future collection of your data when you visit this website. The opt-out cookie only applies for this browser and only for our website and is saved on your device. If you delete the cookies in this browser, you must set the opt-out cookie afresh.
This website additionally uses Google Analytics for a cross-device analysis of visitor flows carried out via a User-ID. You can deactivate the cross-device analysis of your use in your customer account under "My Data", "Personal Data".
User terms: http://www.google.com/analytics/terms/de.html, data protection overview: http://www.google.com/intl/de/analytics/learn/privacy.html, as well as the data protection declaration: https://www.google.com/policies/privacy/.
11.1.3 Monetate
We likewise use the analysis and personalisation service Monetate of the firm Monetate Inc (951 Hector St, Conshohocken, PA 19428, United States). Monetate uses cookies that are stored on your computer and enable us to analyse the usage of our internet site and its optimisation. The information generated by the cookies due to your use of this internet site is transferred to a Monetate server in the USA and stored and processed there on our behalf. Before further processing your IP address is anonymised and replaced by a generic one, i.e. one that can no longer be used to identify a person. A direct identification of persons is therefore excluded.
The following data is transmitted:
- IP address (anonymised)
- Device-related data such as device type, model, operating system, browser type and version
- Usage-related information such as time of use, dwell time, point of origin
We were not informed of the storage period by Monetate. There is data transfer to the USA. Guarantees pursuant to Art. 44ff GDPR exist as Monetate is subject to the Privacy Shield, which you can find here.
Legal basis for the processing of the data is Art. 6 paragraph 1 sentence 1 lit. f GDPR. Our legitimate interest resides in the usage analysis and the ongoing optimisation of our internet site connected with this.
If you want to object to the transfer of data, send us an email to privacy@brightlylabs.com.
For more information regarding Monetate data protection, please consult the Data Protection Notice of Monetate.
11.1.4 Localytics
In the brightlylabs.com app we use the services of Localytics (Char Software, Inc. d/b/a Localytics, 2 Centre Plaza Boston, MA 021058, United States). Localytics is a marketing and analysis service app. The service enables us to understand the function and use of our mobile content on your device. Furthermore, we use Localytics in order to send you tailored promotions and information on our products via push notification or in-app message. We also inform you via Localytics about items you have forgotten in your shopping bag.
Localytics uses the following personal data:
- IP address (is not stored)
- Device-related data such as device type, model, operating system, browser type and version
- Usage-related information such as time of use, dwell time, point of origin
- First name
- Email hash
- Localytics devices ID
- Installations ID
- Devices ID
Legal basis for the processing of the data is Art. 6 paragraph 1 sentence 1 lit. f GDPR. Our legitimate interest resides in the analysis of the efficacy of our advertising and goes hand in hand with the constant improvement of our advertising efficiency.
There is data transfer to the USA. Guarantees pursuant to Art 44ff GDPR exist by means of the EU standard contractual clauses with Localytics. If you would like to view these clauses, please send an email to privacy@mytheresa.com.
If you want to object to the transfer of the data, please send us an email to privacy@mytheresa.com.
11.2 Tracking pixel
A so-called tracking pixel (also: 1x1 pixel, web beacon or pixel tag) is a 1x1 gif loaded when our website is called up. This tracking pixel allows us and our partners to record statistical data for our marketing and web analysis. By employing appropriate analysis tools we can use this data for various purposes. The different marketing instruments are explained more thoroughly in the next section. It is not possible to identify your person.
11.3 Tracking systems
We use different tracking systems on our website, which, in part, record your data. This section provides information about the providers of the systems, the purpose for which it is used, whether and which data is collected, how you can prevent this and links to the data protection provisions of the providers.
11.3.1 CommandersAct
Our provider CommandersAct, Fjord Technologies Head Office | Commanders Act | 3/5 rue Saint-Georges | 75009 Paris | France, provides a solution for the central management and control of our marketing tags as well as the data transfer interface to our service providers. In addition, it supports us in the analysis and optimisation of our offers.
The following personal data is collected:
- Communication data
- Contract master data (such as product interest)
Data is forwarded to third parties, however only under the condition of a contractual agreement in accordance with Art. 28 paragraph 2 - 4 GDPR. Data is not transferred to third countries.
The legal basis for the processing of the data with the use of Commanders Act is Art. 6 paragraph 1 sentence 1 lit. f GDPR. CommandersAct is used to simplify and to constantly improve marketing activities. These purposes are also our legitimate interest in the sense of Art. 6 paragraph 1 sentence 1 lit. f GDPR.
The personal data collected via this system is not used for anything other than the cited purposes. You are also entitled to object to this processing. If you object to this processing, the processing via this system will be prevented in the future. In order to object to the processing, please use the possibility to set an opt-out cookie created by CommandersAct.
To do this, use the function at https://www.commandersact.com/de/datenschutz/. In addition, you can find further information about data recording, use and security on the CommandersAct website.
11.3.2 New Relic
On this website we use a plug-in of the website analysis service of New Relic (188 Spear Street, Suite 1200 San Francisco, CA 94105, USA). It enables statistical evaluations of the speed of the website to be recorded and is used to optimise the website.
When a user calls up a website of this offer containing such a plug-in, his or her browser establishes a direct connection with the New Relic server. The integration of the plug-in provides New Relic with the information that a user has called up the corresponding page of the offer.
The following data is transmitted:
- IP address (anonymised)
- Device-related data such as device type, model, operating system, browser type and version
- Usage-related information such as time of use, dwell time, point of origin
- New Relic User ID
According to New Relic no additional personal data is collected.
We were not informed of the storage period by New Relic. There is data transfer to the USA. Guarantees pursuant to Art. 44ff GDPR exist by means of EU standard contractual clauses. Should you wish to view the standard contractual clauses, please send us an email to privacy@mytheresa.com.
Legal basis for the processing of the data is Art. 6 paragraph 1 sentence 1 lit. f GDPR. Our legitimate interest lies in the analysis of the usage and functionality of our website and goes hand in hand with the ongoing optimisation of our web presence.
If you want to object to the transfer of data, send us an email to privacy@mytheresa.com.
For more information regarding New Relic data protection, please consult the Data Protection Notice of New Relic.
11.3.3 Crashlytics
We use Crashlytics (a service of Google Ireland Ltd., Gordon House, Barrow St, Dublin 4, Ireland) in the mytheresa.com app for the purpose of measuring quality as well as evaluating the usage behaviour of our app users. Crashlytics focuses on measuring technical crashes of the app with the intention of making the app more stable and avoiding errors in the app source code for improved user friendliness. Furthermore, we can use Crashlytics to track which app version the user has and whether a user regularly updates the app. The information collected by us in the analysis software is not linked to personal data.
Crashlytics uses the following personal data
IP address (anonymised)
Device-related data such as device type, model, operating system, browser type and version
Usage-related information such as time of use, dwell time, point of origin
Legal basis for the processing of the data is Art. 6 paragraph 1 sentence 1 lit. f GDPR. Our legitimate interest resides in the usage analysis and the ongoing optimisation of our internet site connected with this.
There is data transfer to the USA. Guarantees pursuant to Art. 44ff GDPR exist as Crashlytics is subject to the Privacy Shield, which you can find here.
If you want to object to the transfer of the data, please send us an email to privacy@mytheresa.com.
11.3.4 Firebase Cloud Messaging Server
In the Android app we likewise use the services of Firebase Cloud Messaging Server (a service of Google Ireland Ltd., Gordon House, Barrow St, Dublin 4, Ireland). The Firebase Cloud Messaging Server allows us to ascertain whether you agree to the receipt of push notifications or not. This enables us to ascertain whether you want to receive push notifications via the app or not.
The Firebase Cloud Messaging Server uses the following personal data:
Instance IDs (device IDs)
Legal basis for the processing of the data is Art. 6 paragraph 1 sentence 1 lit. f GDPR. Our legitimate interest resides in the sending of advertising messages only if consent has been forthcoming.
There is data transfer to the USA. Guarantees pursuant to Art. 44ff GDPR exist as Firebase is subject to the Privacy Shield, which you can find here.
If you want to object to the transfer of the data, please send us an email to privacy@mytheresa.com.
11.3.5 Return Path
We use Return Path, a service from Return Path, Inc. 3 Park Avenue, 41st Floor, New York, NY 10016, to optimise our email delivery and increase the profitability of email channels. Return Path uses web beacons to track user behaviour.
The following data is processed:
- IP address
- Email address
- Telephone number
- Possibly first and last names
Return Path has not communicated to us that the data is stored. A data transfer to the USA takes place. The guarantees required by Articles 44 et seq. GDPR exist because Return Path is subject to Privacy Shield, which you can find here.
The legal basis for processing of data is Article 6 (1) sentence 1f of the GDPR. Our legitimate interest is to maximise the response and conversion rates of our marketing campaigns using optimised, customised emails.
If you wish to object to the transmission of the data, please send us an email at privacy@mytheresa.com.
You can find more information about the privacy policy of Return Path in the Data Protection Information provided by Return Path.
12 SURVEYS
12.1 Customer Satisfaction Surveys
We conduct customer satisfaction surveys to continuously optimise our products and services. You can voluntarily participate in the customer satisfaction survey, either by clicking on an appropriate link we send you by email as a selected customer, or by participating as a selected customer in a customer satisfaction survey displayed to you on our website. We use SurveyGizmo LLC, a service provider based in the USA, to conduct the customer satisfaction survey. The following data will be provided to SurveyGizmo LLC when you participate in the customer satisfaction survey:
- Email address
- Email hash
- Language, such as German de-de
SurveyGizmo LLC themselves store the following data:
- Email address
- IP address
- Email hash
- Survey results
- A response ID
- Language, such as German de-de
- Participant's country
SurveyGizmo LLC stores the data for 6 months. A data transfer to the USA takes place. The guarantees under Articles 44 et seq. GDPR are ensured by means of EU standard contracts.
The legal basis for processing of data is Article 6 (1) sentence 1f of the GDPR. Our legitimate interest lies in the optimisation of our products and services.
12.2 Trustpilot
You have the opportunity to rate our company on Trustpilot, Inc., 245 5th Avenue, 4th floor, New York, NY 10016, USA ("Trustpilot") as well as your purchase from us. These ratings are voluntary, and the results will be published on https://www.trustpilot.com/ under a freely selectable pseudonym. If you rate us, we would like to thank you for your feedback – every feedback helps us improve our service even further. By submitting a rating of our company, you agree that we may publish your rating on Trustpilot and on our websites. The terms and conditions and privacy policy of Trustpilot apply, as published at http://legal.trustpilot.de/end-user-privacy-terms and http://legal.trustpilot.de/end-user-privacy-terms. As part of your voluntary participation in the rating via Trustpilot, we will pass on your email address, your first and last name and your customer ID to Trustpilot.
13 AFFILIATE NETWORKS
In addition, we collaborate with affiliate networks, such as Commission Junction/Zanox/etc.
An affiliate network is a service provider from the online advertising sector and an agent between advertisers (mytheresa.com) and publishers (website operators). Publishers can enter into a partnership via the affiliate network with mytheresa.com and thus take part in special promotions. Therefore, the publisher integrates a mytheresa advertisement/promotion code/hyperlink in the content on its website and thus leads the customer to our online shop through, for example, an editorial text.
As soon as the user buys on mytheresa.com, the publisher receives an appropriate commission. Only the information on the sale, such as order ID, product ID and the prices of the products sold, is transferred to the network. No personal data are collected or transferred.
14 SOCIAL SHARING FUNCTIONS
This website uses the social sharing functions of the providers
Facebook (operator: Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA)
Twitter (operator: Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA)
Google+ (operator: Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)
Pinterest (operator: Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA)
LinkedIn (operator: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland)
No data collection takes place by mytheresa, but by the relevant social sharing provider, as soon as you click on the relevant icon on the product detail page. You can access the privacy policy of the different social media providers here:
- Google+
15 SOCIAL BOOKMARKS
So-called social bookmarks (e.g. from Facebook, Twitter and Xing) are integrated into our website. Social bookmarks are internet bookmarks, with which the user of such a service can collect links and news messages. These are integrated into our website only as a link to the relevant services. After clicking the integrated graphic, you will be forwarded to the site of the relevant provider, i.e. only then will user information be transferred to the relevant provider. Information on dealing with your personal data in the use of these websites can be found in the relevant data protection terms and conditions of the provider.
16 PERMISSION FOR DIRECT ADVERTISING PURSUANT TO ART. 7, PARA. 3, OF THE GERMAN FAIR TRADE PRACTICES ACT [UWG]
We use the email address collected at the purchase of goods on our website for direct advertising for our own and similar products. If you no longer wish to receive any direct advertisements, you can object to the use of your email address at any time. To this end, you will find a corresponding link in each newsletter. Unsubscribe here.
17 USE OF SIGNIFYD
For the administration of payments or to fight fraud in credit card payments, we share data in rare cases with Signifyd Inc. (2540 North First Street, Ste 300, San Jose, CA 95131, USA), which are processed only for this purpose.
Signifyd uses the transferred data only in suspicious cases to compare these with their database and to then provide an estimate of the risk of fraud.
The following data are transferred:
- Transaction data (delivery and invoicing address, name, telephone number)
- Email address
- Shipping country
- IP address
The legal basis for the use of the data for fighting fraud is Art. 6, Para.1, P. 1, lit. f, GDPR.
Personal data are transferred to the USA. There are guarantees pursuant to Art. 44 et seq. GDPR through EU standard contract clauses. If you wish to view the standard contract clauses, please send us an email at privacy@mytheresa.com.
18 USE OF EKATA
To combat credit card fraud, we occasionally share information with Ekata (Ekata, Inc., 1301 Fifth Avenue, Suite 1600, Seattle, WA 98101, USA) that is processed solely for this purpose.
Ekata uses the provided data only in suspicious cases, to check it against their database and then to make an assessment of the risk of fraud.
The following data will be transmitted:
- First and last name
- Complete address (shipping and billing addresses, if different)
- Telephone number
- IP address
- Email address
The legal basis for processing of data is Article 6 (1) sentence 1f of the GDPR. As part of the weighing of interests pursuant to Art. 6(1)(f) GDPR, we have considered and weighed our interest in the service of Ekata and your interest in processing your personal data in compliance with data protection regulations, and have come to the conclusion that our legitimate interests prevail, namely the intention to make a profit, the reduction of our default rate and protection against credit risks.
Personal data will be transmitted to the United States. Guarantees pursuant to Articles 44 et seq. GDPR are provided by standard EU contractual clauses. If you would like to view these standard contractual clauses, please send us an email at privacy@mytheresa.com. Ekata does not provide precise information about the duration of data storage. You can find the Ekata privacy policy here.
19 USE OF VERIFF
To combat credit card fraud, we occasionally share information with Veriff (Veriff OÜ, registry code 12932944, registered address at Niine 11, 10414 Tallinn, Estonia). For that purpose, the customer can choose to use Veriff for identification.
The following personal data will be collected and processed:
- personal information of User (such as name, sex, personal identification code, date of birth, legal capacity, nationality, citizenship, but also historic data of that User that may have been stored with us during previous counteractions within the retention periods)
- document details (such as the name of the document, issuing country, number, expiry date, security features)
- facial recognition data (such as photos, videos and sound recording, photographs taken from you and your document and video and sound recording of the verification process)
- contact details (such as address, e-mail address, telephone numbers, IP address)
- technical data (Device Signature), including but not limited to information about the date and time that you use the Services, your IP address and domain name, your software and hardware attributes, and your general geographic location (e.g. city, country)
The legal basis for the processing of personal data by Veriff is Article 6 (1) sentence 1 lit. a) of the GDPR. If it is suggested that a customer use Veriff, this is only possible with their prior consent.
The personal data is transmitted to Tallinn, Estonia. There will be no data transfer into third countries. Veriff does not provide precise information about the duration of data storage. You can find more information in the privacy policy of Veriff: https://www.veriff.com/privacy-policy
20 DISCLOSING DATA
There will be no transfer of your personal data to a third party apart from for the specified purposes.
We disclose your personal data to a third party only if:
you have given your explicit consent to do so,
the disclosure is required for asserting, exercising or defending legal rights and there are no grounds for assuming that you have an overriding legitimate interest in the non-disclosure of your data,
there is a statutory obligation for the disclosure, and
this is legally permissible and required for implementing the contractual relationships with you.
Fundamentally, the high European level of data protection does not apply to data transfer outside the European Union. For a transfer, it can be that there is currently no adequacy decision by the EU Commission in the sense of Art. 45, Para. 1, 3 GDPR. This means that the EU Commission has not yet positively determined that the country-specific level of data protection corresponds to the level of data protection of the European Union based on GDPR, which is why we have created the abovementioned suitable guarantees.
Possible risks, which cannot be completely excluded in connection with the data transfer are in particular:
your personal data could possibly be dealt with beyond the actual purpose.
Moreover, there is a possibility that you cannot sustainably assert and implement any of your legal data protection rights, such as, for example, your right to information, correction, deletion or data portability.
There may also be a higher probability that there could be incorrect data processing and that the personal data do not, or do not fully, meet the requirements of GDPR quantitatively and qualitatively.
21 INSTRUCTION ON THE RIGHTS OF AFFECTED PERSONS
21.1 Rights of the affected person
If your personal data are processed, you are the affected person in the meaning of GDPR and you have the following rights against the responsible person:
21.2 Right to Information
You can demand from the responsible person confirmation as to whether personal data affecting you are processed by us.
If there is such processing, you can demand information on the following from the responsible person:
the purpose for which your personal data is being processed;
the categories of personal data being processed;
the recipient and/or the categories of recipients to whom the personal data affecting you are being or will be disclosed;
the planned storage time for the personal data affecting you or, if concrete details on this are not possible, the criteria for determining the duration of storage;
the existence of a right to correction or deletion of the personal data affecting you, a right to restrict the processing by the responsible person or a right to object to this processing;
the existence of a right to appeal to a supervisory authority;
all available information on the origin of the data if the personal data were not collected from the affected person;
the existence of automated decision-making, especially profiling, pursuant to Art. 22, Paragraphs 1 and 4 GDPR and – at least in these cases – significant information about the logic involved and the scope and the intended effects of such processing for the affected person.
You have the right to demand information about whether the personal data affecting you are transferred to a third country or an international organisation. In this context, you can demand to be informed about the suitable guarantees in Art. 46 GDPR in connection with the transfer.
21.3 Right of Correction
You have the right to correction and/or completion against the responsible person, if the personal data processed that affect you are incorrect or incomplete. The responsible person must make the correction without delay.
21.4 Right of Restricting the Processing
Under the following prerequisites, you can demand the restricting of the processing of the personal data affecting you:
- if the correctness of the personal data affecting you has been disputed over a period, which enables the responsible person to check the correctness of the personal data;
- if the processing is unlawful and you reject deletion of the personal data and instead request the restriction of the use of the personal data;
- if the responsible person no longer needs the personal data for the purpose of processing, but you need these for asserting, exercising or defending legal rights, or
- if you have appealed against the processing pursuant to Art. 21, Para. 1, GDPR and it has still not been determined whether the legitimate grounds of the responsible person outweigh your grounds.
If the processing of the personal data affecting you is restricted, these data, apart from their storage, may only be processed with your consent or for asserting, exercising or defending legal rights or to protect the rights of another natural person or legal entity or on the grounds of an important public interest of the Union or a member state.
If the processing is restricted pursuant to the abovementioned prerequisites, you will be notified by the responsible person before the restriction is lifted.
21.5 Right of Deletion
- a) Obligation of Deletion
You can demand from the responsible person that the personal data affecting you be deleted without delay and the responsible person is duty bound to delete these data without delay, unless one of the following grounds applies:
the personal data affecting you are no longer necessary for the purpose for which they were collected or processed in another way.
You withdraw your consent on which the processing under Art. 6, Para. 1, P. 1, lit. a or Art. 9, Para. 2, lit. a, GDPR is based and there is an absence of another legal basis for the processing.
Pursuant to Art. 21, Para. 1, GDPR, you appeal against the processing and there are no overriding legitimate grounds for processing or you appeal against the processing under Art. 21, Para. 2, GDPR.
The personal data affecting you has been unlawfully processed.
The deletion of the personal data affecting you is necessary for fulfilling a legal obligation under Union law or the laws of the member states to which the responsible person is subject.
The personal data affecting you were collected regarding the services offered by the information society under Art. 8, Para. 1, GDPR.
- b) Information to Third Parties
If the responsible person has disclosed the personal data affecting you and they are obligated to delete them under Art. 17, Para. 1, GDPR, they are thus to take suitable measures, taking account of the available technology and the costs of implementation, including of a technological type, to inform the person responsible for the data processing, who processes the personal data, that you, as the affected person, have demanded the deletion of all links to these personal data or of copies or replications of these personal data.
- c) Exceptions
There is no right of deletion if the processing is required
to exercise the right to freedom of expression and information;
to fulfil a legal obligation, for which the processing is required under the law of the Union or the member states to which the responsible person is subject, or to perform a task which is in the public interest or ensues in exercising public authority, which has been transferred to the responsible person;
on grounds of public interest around public health pursuant to Art. 9, Para. 2, lit. h and i as well as Art. 9, Para. 3, GDPR;
for purposes of archiving, scientific or historical research or for statistical purposes pursuant to Art. 89, Para. 1, GDPR, insofar as the law cited under Section a) is anticipated to make this processing impossible or seriously impairs it, or
to assert, exercise or defend legal rights.
21.6 Right of Notification
If you exercise the right of correction, deletion or restriction of the processing to the responsible person, they are obligated to notify all recipients to whom the personal data affecting you has been disclosed of this correction or deletion of the data or restriction of the processing, unless this proves to be impossible or is associated with disproportionate expenditure.
You have the right against the responsible person to be informed of these recipients.
21.7 Right of Data Portability
You have the right to receive the personal data affecting you, which you made available to the responsible person, in a structured, accessible and machine-readable format. In addition, you have the right to transfer these data to another responsible person without hindrance by the responsible person to whom the personal data was made available, if
the processing was based on consent pursuant to Art. 6, Para. 1, P. 1, lit. a, GDPR or Art. 9, Para. 2, lit. a, GDPR or on a contract pursuant to Art.6, Para. 1, P. 1, lit. b, GDPR and
the processing is done with the help of an automated process.
In addition, in exercising this right, you also have the right to have the personal data affecting you transferred directly from one responsible person to another responsible person, if this is technically possible. Freedom and rights of other persons may not be affected by this.
The right of data portability does not apply to the processing of personal data that is necessary for performing a task which lies in the public interest or ensues in exercising public authority, which has been transferred to the responsible person.
21.8 Right to Object
You have the right to object at any time to the processing of the personal data affecting you ensuing from Art. 6, Para. 1, P. 1, lit. e or f, GDPR, for reasons arising from your own special situation; this also applies to profiling supported by one of these provisions.
The responsible person no longer processes the personal data affecting you, unless they can demonstrate compelling, legitimate reasons for the processing which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal rights.
If the personal data affecting you is processed to operate direct advertising, you have the right to object at any time to the processing of the personal data affecting you for the purpose of such advertising; this also applies to profiling if it is related to such direct advertising.
If you object to the processing for the purpose of direct advertising, the personal data affecting you will no longer be processed for this purpose.
Irrespective of EU Directive 2002/58/EU, in connection with the use of the services of the information society, you can exercise your right to object by means of automated process in respect of which technical specifications are applied.
21.9 Right to Revoke the Declaration of Consent under Data Protection Law
You have the right to revoke your declaration of consent under data protection law at any time. By revoking the consent, the legality of the processing undertaken up to the revocation is not affected.
21.10 Automated Decision-making in the Individual Case, Including Profiling
You have the right not to be subjected to a decision based exclusively on automated processing, including profiling, which has a legal effect on you or which seriously impairs you in a similar way. This does not apply if the decision
is required for concluding or fulfilling a contract between you and the responsible person,
is permissible on the basis of the legal provisions of the Union or the member states to which the responsible person is subject, and these legal provisions contain reasonable measures for safeguarding your rights and freedoms, or
takes place with your explicit consent.
However, these decisions may not be based on special categories of personal data under Art. 9, Para. 1, GDPR, insofar as Art. 9, Para. 2, lit. a applies and reasonable measures have been taken for protecting your rights and freedoms as well as your legitimate interests.
Regarding the cases cited in (1) and (3), the responsible person takes reasonable measures to safeguard your rights and freedoms and your legitimate interests, which include at least the right to obtain the intervention of a person on behalf of the responsible person, to present your standpoint and to appeal against the decision.
21.11 Right to Complain to a Supervisory Authority
Regardless of any other administrative or judicial remedy, you have the right to complain to a supervisory authority, especially in the member state of your place of residence, your place of work or the location of the alleged breach, if you are of the view that the processing of the personal data affecting you breaches the GDPR.
The supervisory authority to which the complaint was made informs the complainant about the state and the result of the complaint, including the opportunity of a judicial remedy under Art. 78 GDPR.
The following supervisory authority is responsible for you:
Bayerisches Landesamt für Datenschutzaufsicht
Promenade 27
91522 Ansbach
Telephone: 0981 53 1300
22 RIGHT IN THE CASE OF DATA PROCESSING FOR OPERATING DIRECT ADVERTISING
Pursuant to Art. 21, Para. 2, GDPR, you have the right to object at any time to the processing of personal data affecting you. In the event of a complaint from you against the processing of your personal data for the purpose of direct advertising, your personal data will no longer be processed for this purpose. Please note that the objection has effect only for the future. Processing carried out prior to the objection is not affected by this.
23 REFERENCE TO THE RIGHT TO OBJECT IN A BALANCING OF INTERESTS
If we base the processing of your personal data on a balancing of interests, you can object to the processing. In exercising such a right to object, we request that the grounds on which we should not process your personal data as described by us are presented. In the event of your justifiable objection, we will examine the facts and will either cancel or adjust the data processing or explain our compelling, legitimate grounds to you.
24 LINKS TO OTHER WEBSITES
Our web pages may contain links to other providers. We point out that this data protection declaration applies exclusively to the web pages of mytheresa.com. We have no influence on and do not control whether the other providers adhere to the data protection provisions.
25 CHANGES TO THE DATA PROTECTION DECLARATION
We reserve the right to change or adjust this data protection declaration at any time, taking account of the applicable data protection provisions.