Collecting Personal Information
- Examples of Personal Information collected: version of web browser, IP address, time zone, cookie information, what sites or products you view, search terms, and how you interact with the Site.
- Purpose of collection: to load the Site accurately for you, and to perform analytics on Site usage to optimize our Site.
- Source of collection: Collected automatically when you access our Site using cookies, log files, web beacons, tags, or pixels .
- Disclosure for a business purpose: shared with our processor Shopify .
- Examples of Personal Information collected: name, billing address, shipping address, payment information (including credit / debit card numbers, email address, and phone number.
- Purpose of collection: to provide products or services to you to fulfill our contract, to process your payment information, arrange for shipping, and provide you with invoices and/or order confirmations, communicate with you, screen our orders for potential risk or fraud, and when in line with the preferences you have shared with us, provide you with information or advertising relating to our products or services.
- Source of collection: collected from you.
- Disclosure for a business purpose: shared with our processor Shopify for processing the order.
Customer support information
- Examples of Personal Information collected:
- Purpose of collection: to provide customer support.
- Source of collection: collected from you.
- Disclosure for a business purpose:
Sharing Personal Information
We share your Personal Information with service providers to help us provide our services and fulfill our contracts with you, as described above. For example:
- We use Shopify to power our online store. You can read more about how Shopify uses your Personal Information here: https://www.shopify.com/legal/privacy.
- We may share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.
Advertising by e-mail
Email newsletter with registration
If you register for our newsletter, we will use the data required for this purpose or separately provided by you to send you our e-mail newsletter on a regular basis based on your consent pursuant to Art. 6 (1) p. 1 lit. a DSGVO. Unsubscribing from the newsletter is possible at any time and can be done either by sending a message to the contact option described below or via a link provided for this purpose in the newsletter. After unsubscribing, we will delete your e-mail address from the list of recipients, unless you have expressly consented to further use of your data pursuant to Art. 6 (1) p. 1 lit. a DSGVO or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this statement.
The newsletter may also be sent by our service providers as part of processing on our behalf. If you have any questions about our service providers and the basis of our cooperation with them, please use the contact option described in this privacy statement.
Our service providers, Omnisend ( https://www.omnisend.com/legal) are located in these countries: Lithuania. Our cooperation with you is based on these guarantees: standard data protection clauses of the European Commission.
HOW DO I UNSUBSCRIBE FROM MARKETING EMAILS?
You can choose to stop receiving marketing messages from us at any time.
This can be done:
- Clicking the "Unsubscribe" link in your email
- Contacting us directly (via firstname.lastname@example.org) and clearly state that you like to unsubscribe from the marketing emails.
We will process the update to your preferences when you tell us about the change. However, please note that it can take a few days-weeks for some of our systems to update, so you may receive some marketing messages during this process.
This change to your contact preferences will not stop communications regarding any orders you place, such as order confirmation and shipping emails.
As described above, we use your Personal Information to provide you with targeted advertisements or marketing communications we believe may be of interest to you. For example:
- We use Google Analytics to help us understand how our customers use the Site. You can read more about how Google uses your Personal Information here: https://policies.google.com/privacy?hl=en.You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.
For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s (“NAI”) educational page at http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.
You can opt out of targeted advertising by:
- FACEBOOK - https://www.facebook.com/settings/?tab=ads
- GOOGLE - https://www.google.com/settings/ads/anonymous
- BING - https://advertise.bingads.microsoft.com/en-us/resources/policies/personalized-ads]
Additionally, you can opt out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: http://optout.aboutads.info/.
Use of Google services
For the purpose of website analysis, Google Analytics automatically collects and stores data (IP address, time of visit, device and browser information, and information about your use of our website), from which usage profiles are created using pseudonyms. Cookies may be used for this purpose. As a matter of principle, your IP address will not be merged with other data from Google. Data processing is carried out on the basis of an order processing agreement by Google.
For the purpose of optimized marketing of our website, we have activated the data release settings for "Google products and services". This allows Google to access the data collected and processed by Google Analytics and subsequently use it to improve Google services. Data sharing with Google under these data sharing settings is based on an additional agreement between responsible parties. We have no influence on the subsequent data processing by Google.
For the creation and execution of tests, we also use the Google Analytics Google Optimize extension function.
For web analysis, the Google Analytics Google Signals extension function enables so-called "cross-device tracking". Insofar as your internet-enabled devices are linked to your Google account and you have activated the "personalized advertising" setting in your Google account, Google can create reports about your usage behavior (esp. cross-device user numbers), even if you change your terminal device. A processing of personal data by us does not take place in this respect, we only receive statistics generated on the basis of Google Signals.
For web analysis and advertising purposes, the extension function of Google Analytics the so-called DoubleClick cookie enables recognition of your browser when visiting other websites. Google will use this information to compile reports on website activity and to provide other services related to website usage.
For advertising purposes in Google search results as well as on third-party websites, the so-called Google Remarketing Cookie is set when you visit our website, which automatically enables interest-based advertising by collecting and processing data (IP address, time of visit, device and browser information as well as information about your use of our website) and by means of a pseudonymous CookieID and based on the pages you visit. Data processing beyond this only takes place if you have activated the "personalized advertising" setting in your Google account. In this case, if you are logged in to Google while visiting our website, Google uses your data together with Google Analytics data to create and define target group lists for cross-device remarketing.
For website analysis and event tracking, we measure your subsequent usage behavior via Google Ads Conversion Tracking if you have reached our website via an advertisement from Google Ads. For this purpose, cookies may be used and data (IP address, time of visit, device and browser information, and information about your use of our website based on events specified by us, such as visiting a website or subscribing to a newsletter) may be collected, from which usage profiles are created using pseudonyms.
Use of Facebook services
Use of Facebook Pixel
We use the Facebook Pixel as part of the technologies of Facebook Ireland Ltd [https://de-de.facebook.com/facebookdublin/]., 4 Grand Canal Square, Dublin 2, Ireland ("Facebook"), as described below. The Facebook Pixel automatically collects and stores data (IP address, time of visit, device and browser information, and information about your use of our website based on events specified by us, such as visiting a website or subscribing to a newsletter), from which usage profiles are created using pseudonyms. In addition, as part of the so-called extended data matching, information is collected and stored hashed for matching purposes, with which individuals can be identified (e.g. names, e-mail addresses and telephone numbers). For this purpose, when you visit our website, a cookie is automatically set by the Facebook Pixel, which automatically enables recognition of your browser when you visit other websites by means of a pseudonymous CookieID. Facebook will combine this information with other data from your Facebook account and use it to compile reports on website activity and to provide other services related to website use, in particular personalized and group-based advertising.
As part of Facebook Analytics, statistics on visitor activity on our website are created from the data collected with the Facebook Pixel about your use of our website. Data processing is carried out on the basis of an order processing agreement by Facebook. Their analysis is used for the optimal presentation and marketing of our website.
Through Facebook Ads, we advertise this website on Facebook as well as on other platforms. We determine the parameters of the respective advertising campaign. Facebook is responsible for the exact implementation, in particular the decision on the placement of the ads with individual users. Unless otherwise specified for the individual technologies, the data processing is based on an agreement between joint controllers pursuant to Art. 26 DSGVO. The joint responsibility is limited to the collection of the data and its transmission to Facebook Ireland. The subsequent data processing by Facebook Ireland is not covered by this.
Based on the statistics on visitor activity on our website generated via Facebook Pixel, we operate group-based advertising on Facebook via Facebook Custom Audience by determining the characteristics of the respective target group. Within the scope of the extended data matching that takes place to determine the respective target group (see above), Facebook acts as our processor.
Based on the pseudonymous cookie ID set by the Facebook Pixel and the data collected about your usage behavior on our website, we conduct personalized advertising via Facebook Pixel remarketing.
Via Facebook Pixel Conversions, we measure for web analytics and event tracking your subsequent usage behavior when you have reached our website via an ad from Facebook Ads. The data processing is carried out on the basis of an agreement on commissioned processing by Facebook.
Social Plugins from Facebook, Instagram, Pinterest, Whatsapp
Social buttons from social networks are used on our website. These are only integrated into the page as HTML links, so that when you call up our website, no connection is yet established with the servers of the respective provider. If you click on one of the buttons, the website of the respective social network opens in a new window of your browser. There you can, for example, press the Like or Share button.
Our online presence on Facebook, Instagram, YouTube, Pinterest, Linkedin, TikTok.
Insofar as you have given your consent to this in accordance with Art. 6 para. 1 p. 1 lit. a DSGVO to the respective social media operator, your data will be automatically collected and stored for market research and advertising purposes when you visit our online presences on the social media mentioned above, from which usage profiles are created using pseudonyms. These can be used, for example, to place advertisements within and outside the platforms that presumably correspond to your interests. Cookies are generally used for this purpose. For detailed information on the processing and use of data by the respective social media operator, as well as a contact option and your rights and setting options in this regard to protect your privacy, please refer to the privacy notices of the providers linked below. If you still require assistance in this regard, you can contact us.
Facebook [https://www.facebook.com/about/privacy/]is an offer of Facebook Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland ("Facebook Ireland") The information automatically collected by Facebook Ireland about your use of our online presence on Facebook is generally transmitted to a server of Facebook, Inc, 1601 Willow Road, Menlo Park, California 94025, USA and stored there. For the USA, there is no adequacy decision of the European Commission. Our cooperation is based on standard data protection clauses of the European Commission. Data processing in the context of a visit to a Facebook fan page is based on an agreement between jointly responsible parties in accordance with Art. 26 DSGVO. Further information (information on Insights data) can be found here [https://www.facebook.com/legal/terms/information_about_page_insights_data].
Instagram [https://help.instagram.com/519522125107875] is an offer of Facebook Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland ("Facebook Ireland") The information automatically collected by Facebook Ireland about your use of our online presence on Instagram is usually transmitted to a server of Facebook, Inc, 1601 Willow Road, Menlo Park, California 94025, USA and stored there. For the USA, there is no adequacy decision of the European Commission. Our cooperation is based on standard data protection clauses of the European Commission. Data processing in the context of a visit to an Instagram fan page is based on an agreement between jointly responsible parties in accordance with Art. 26 DSGVO. Further information (information on Insights data) can be found here [https://www.facebook.com/legal/terms/information_about_page_insights_data].
YouTube [https://policies.google.com/privacy?hl=de] is a service of Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). The information automatically collected by Google about your use of our online presence on YouTube is usually transmitted to a server of Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA and stored there. For the USA, there is no adequacy decision of the European Commission. Our cooperation is based on standard data protection clauses of the European Commission.
Pinterest [https://about.pinterest.com/de/privacy-policy]is a service of Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland ("Pinterest"). The information automatically collected by Pinterest about your use of our online presence on Pinterest is usually transmitted to a server of Pinterest, Inc., 505 Brannan St., San Francisco, CA 94107, USA and stored there. For the USA, there is no adequacy decision of the European Commission. Our cooperation is based on standard data protection clauses of the European Commission.
LinkedIn [https://www.linkedin.com/legal/privacy-policy]is an offer of LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ("LinkedIn"). The information automatically collected by LinkedIn about your use of our online presence on LinkedIn is usually sent to a server of LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA and stored there. For the USA, there is no adequacy decision of the European Commission. Our cooperation is based on standard data protection clauses of the European Commission.
TikTok, Mailing Address: TikTok Inc, Attn: TikTok Legal Department 10100 Venice Blvd, Suite 401, Culver City, CA 90232, USA
Contact TikTok: https://www.tiktok.com/legal/report/privacy
Using Personal Information
We use your personal Information to provide our services to you, which includes: offering products for sale, processing payments, shipping and fulfillment of your order, and keeping you up to date on new products, services, and offers.
Pursuant to the General Data Protection Regulation (“GDPR”), if you are a resident of the European Economic Area (“EEA”), we process your personal information under the following lawful bases:
- Your consent;
- The performance of the contract between you and the Site;
- Compliance with our legal obligations;
- To protect your vital interests;
- To perform a task carried out in the public interest;
- For our legitimate interests, which do not override your fundamental rights and freedoms.
When you place an order through the Site, we will retain your Personal Information for our records unless and until you ask us to erase this information. For more information on your right of erasure, please see the ‘Your rights’ section below.
If you are a resident of the EEA, you have the right to object to processing based solely on automated decision-making (which includes profiling), when that decision-making has a legal effect on you or otherwise significantly affects you.
We do not engage in fully automated decision-making that has a legal or otherwise significant effect using customer data.
Our processor Shopify uses limited automated decision-making to prevent fraud that does not have a legal or otherwise significant effect on you.
Services that include elements of automated decision-making include:
- Temporary denylist of IP addresses associated with repeated failed transactions. This denylist persists for a small number of hours.
- Temporary denylist of credit cards associated with denylisted IP addresses. This denylist persists for a small number of days.
If you order any products from this Site, you will be invited to complete a customer review with Loox, the verified customer service company. You can provide a review in your own name or anonymously, and there is no obligation to leave a review.
This website uses a live chat system of the following provider: Tidio Poland Sp. z o.o., Wojska Polskiego 81, 70-481 Szczecin, Poland.
The processing of personal data transmitted via the chat takes place either in accordance with Art. 6 para. 1 lit. b DSGVO, because it is necessary for the initiation or execution of the contract, or in accordance with Art. 6 para. 1 lit. f DSGVO due to our legitimate interest in the effective support of our site visitors.
Subject to any statutory retention periods to the contrary, your data transmitted in this way will be deleted when the matter in question has been conclusively clarified.
In addition, for the purpose of creating pseudonymised user profiles, further information may be collected and evaluated with the aid of cookies, although this information does not serve to identify you personally and is not merged with other data records. If this information has a personal reference, the processing is carried out in accordance with Art. 6 Para. 1 lit. f DSGVO on the basis of our legitimate interest in the statistical analysis of user behaviour for optimisation purposes.
The setting of cookies can be prevented by appropriate browser settings. However, the functionality of our website may be limited in this case. You can object to the collection and storage of data for the purpose of creating a pseudonymised user profile at any time with effect for the future.
Email, contact forms
When contacting us (e.g. via contact form or e-mail), personal data is processed exclusively for the purpose of processing and responding to your request and only to the extent necessary for this purpose. The legal basis for processing this data is our legitimate interest in responding to your request in accordance with Art. 6 (1) lit. f DSGVO. If your contact is aimed at a contract, the additional legal basis for the processing is Art. 6 (1) lit. b DSGVO. Your data will be deleted when the circumstances indicate that the matter in question has been conclusively clarified and provided that there are no statutory retention obligations to the contrary.
How do we use your personal information?
We use the Order Information that we collect generally to fulfill any orders placed through the Site (including processing your payment information, arranging for shipping, and providing you with invoices and/or order confirmations). Additionally, we use this Order Information to:
- Communicate with you;
- Screen our orders for potential risk or fraud; and
- When in line with the preferences you have shared with us, provide you with information or advertising relating to our products or services.
We use the Device Information that we collect to help us screen for potential risk and fraud (in particular, your IP address), and more generally to improve and optimize our Site (for example, by generating analytics about how our customers browse and interact with the Site, and to assess the success of our marketing and advertising campaigns).
Data processing for payment handling
When processing payments in our online store, we work with these partners: technical service providers, credit institutions, payment service providers.
Data processing for transaction processing
Data processing for the purpose of fraud prevention and optimization of our payment processes.
Where applicable, we provide our service providers with additional data, which they use together with the data necessary for the processing of the payment as our processors for the purpose of fraud prevention and optimization of our payment processes (e.g. invoicing, processing of contested payments, accounting support). Pursuant to Art. 6 (1) p. 1 lit. f DSGVO, this serves to protect our legitimate interests in our protection against fraud or in efficient payment management, which outweigh our interests in the context of a balancing of interests.
If you are a resident of the EEA, you have the right to access the Personal Information we hold about you, to port it to a new service, and to ask that your Personal Information be corrected, updated, or erased. If you would like to exercise these rights, please contact us through the contact information below.
Your Personal Information will be initially processed in Ireland and then will be transferred outside of Europe for storage and further processing, including to Canada and the United States. For more information on how data transfers comply with the GDPR, see Shopify’s GDPR Whitepaper: https://help.shopify.com/en/manual/your-account/privacy/GDPR.
A cookie is a small amount of information that’s downloaded to your computer or device when you visit our Site. We use a number of different cookies, including functional, performance, advertising, and social media or content cookies. Cookies make your browsing experience better by allowing the website to remember your actions and preferences (such as login and region selection). This means you don’t have to re-enter this information each time you return to the site or browse from one page to another. Cookies also provide information on how people use the website, for instance whether it’s their first time visiting or if they are a frequent visitor.
We use the following cookies to optimize your experience on our Site and to provide our services.
Cookies Necessary for the Functioning of the Store
|_ab||Used in connection with access to admin.|
|_secure_session_id||Used in connection with navigation through a storefront.|
|cart||Used in connection with shopping cart.|
|cart_sig||Used in connection with checkout.|
|cart_ts||Used in connection with checkout.|
|checkout_token||Used in connection with checkout.|
|secret||Used in connection with checkout.|
|secure_customer_sig||Used in connection with customer login.|
|storefront_digest||Used in connection with customer login.|
|_shopify_u||Used to facilitate updating customer account information.|
Reporting and Analytics
|_landing_page||Track landing pages|
|_orig_referrer||Track landing pages|
|_shopify_sa_p||Shopify analytics relating to marketing & referrals.|
|_shopify_sa_t||Shopify analytics relating to marketing & referrals.|
The length of time that a cookie remains on your computer or mobile device depends on whether it is a “persistent” or “session” cookie. Session cookies last until you stop browsing and persistent cookies last until they expire or are deleted. Most of the cookies we use are persistent and will expire between 30 minutes and two years from the date they are downloaded to your device.
You can control and manage cookies in various ways. Please keep in mind that removing or blocking cookies can negatively impact your user experience and parts of our website may no longer be fully accessible.
Most browsers automatically accept cookies, but you can choose whether or not to accept cookies through your browser controls, often found in your browser’s “Tools” or “Preferences” menu. For more information on how to modify your browser settings or how to block, manage or filter cookies can be found in your browser’s help file or through such sites as www.allaboutcookies.org.
Additionally, please note that blocking cookies may not completely prevent how we share information with third parties such as our advertising partners. To exercise your rights or opt-out of certain uses of your information by these parties, please follow the instructions in the “Behavioural Advertising” section above.
Third Parties and Social Media
We cannot be responsible for the privacy policies and practices of other third party sites (including but not limited to Facebook, YouTube, Twitter), or for advertisers on our site, even if you access them using links from our website and we recommend that you check the policy of each site you visit. If you linked to our Site from a third party site, we cannot be responsible for the privacy policies and practices of the owners or operators of that third party site and we recommend that you check the policy of that third party site and contact its owner or operator if you have any concerns or questions. Unless expressly stated, we are not agents for these third party sites or for any third party advertisers on our Site, nor are we authorised to make representations on their behalf.
Do I control my data?
Under the General Data Protection Regulation, you have several important rights available to you. In summary, those include rights to:
- Be informed about how your personal information is being used (hopefully this privacy notice explains it all)
- Access the personal information we hold about you
- Request that we transfer elements of your data to another service provider
- Request us to correct any mistakes in your information which we hold
- Request the erasure of personal information concerning you in certain situations
- Receive the personal information concerning you which you have provided to us, in a structured format or to ask us to transfer that information to another service provider
- Stop any direct marketing
- Object to processing of your personal data
- You can ask us to restrict or suspend processing of your personal data under certain circumstances, for example if you want us to restrict processing while the accuracy of personal data is being established
- Right not to be subjected to automated decision-making that significantly affects you, however, we will only use automated decision making in limited circumstances
- Right to withdraw your consent, where processing of your personal data is based on consent, you can remove it at any time
For further information on each of these rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals rights under the General Data Protection Regulation.
If you would like to exercise any of these rights, please:
- Email us email@example.com
- Let us have enough information to identify you;
- Let us know the information to which your request relates
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made many requests or your request is not clear we might need to seek further information from you. In this case, we will notify you and keep you updated.
Keeping your personal data safe
We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
Do Not Track
Please note that because there is no consistent industry understanding of how to respond to “Do Not Track” signals, we do not alter our data collection and usage practices when we detect such a signal from your browser.
Right of objection
Insofar as we process personal data as explained above in order to protect our legitimate interests that prevail in the context of a balancing of interests, you may object to this processing with effect for the future. If the processing is carried out for direct marketing purposes, you can exercise this right at any time as described above. If the processing is carried out for other purposes, you will only have the right to object if there are grounds arising from your particular situation.
After exercising your right to object, we will no longer process your personal data for these purposes unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims.
This does not apply if the processing is for direct marketing purposes. Then we will not further process your personal data for this purpose.
For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by e-mail at firstname.lastname@example.org or by mail using the details provided below:
NAYA Skincare Ltd., Kemp House, 152-160, City Road, London EC1V 2NX, United KingdomLast updated: [01/07/2021]
We hope that we can resolve any query or concern you raise about our use of your information. If you are not happy with how NAYA Skincare manages your personal data, you have the right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/.