Privacy Declaration of HESTIA Fashion GmbH
HESTIA Fashion GmbH
6020 Innsbruck, Austria
Customer commitment to data protection and privacy
Protecting personal data and your privacy is of greatest concern for HESTIA Fashion GmbH.
HESTIA Fashion GmbH manifests its commitment to privacy and data protection by embracing the following principles.
HESTIA Fashion GmbH uses personal data lawfully, fairly, correctly and in a transparent manner.
HESTIA Fashion GmbH collects no more personal data than necessary, and only for a legitimate purpose.
HESTIA Fashion GmbH retains no more data than necessary or for a longer period than needed.
HESTIA Fashion GmbH protects personal data with appropriate security measures.
About this Privacy Notice
This Privacy Notice intends to establish a clear, concise and transparent communication on the collection, use, processing, storing etc. of personal data relating to customers of HESTIA Fashion GmbH.
Within the meaning of this Privacy Notice, “HESTIA Fashion GmbH customer” means a former, current or potential customer or user of a product or service offered by a HESTIA Fashion GmbH affiliate and brand, a visitor to our official website, or a member of a loyalty program or community.
Lawfulness of processing
The processing of personal data shall only be lawful if there is a legal basis for processing. According to article 6, section 1 a – f GDPR, a legal basis can be as follows:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Data Collected on Websites
This policy applies only to information collected on the website. We collect two types of information from visitors to our websites: (1) Personal data and (2) Non-personal data. “Personal data” is information that identifies you personally and that you provide to us, such as your name, address, telephone number, email address, and sometimes your Internet Protocol (IP) address. We may collect this information when you create a profile on our websites, visit our website, or complete a purchase. “Non-personal data” can be technical in nature. It does not identify you personally. Examples of non-personal data may include, but are not limited to, cookies, web beacons, and demographic information.
If you use the website purely for information purposes, i.e. if you have not registered with us, do not order anything or are not forwarding information to us by another means, we shall only collect the personal data which your browser transmits to our server. If you wish to view our website, we collect the following data which is technically necessary for us to display our website to you and to guarantee stability and security (legal basis is art. 6, section 1, clause 1 lit. f GDPR):
- IP address
- Date and time of the query
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status / HTTP status code
- Data volume transferred in each instance
- Website from which the request originates (browser type)
- User’s operating system and user interface
- Browser software language and version.
Information on the collection of personal data – (e-mail, contact form, customer account and online shop)
In the following section, we would like to inform you about the collection of personal data when using our website (contact form, customer account and online shop).
If you contact us by email, we will store the information you provide us with (your name and email address or telephone number) to respond to your query. We will erase the data we collected on this basis when it is no longer required or we will restrict the processing where we have to comply with statutory retention requirements.
If you buy products through our site or create a customer account to manage your previous or future orders, we collect the data we need for the contract. These can be seen from the respective entry fields for registration (customer account) or the order form. When ordering, we need at least the mandatory information marked with a *. We use this data in accordance with art. 6, section 1, clause 1 b GDPR for the execution of contracts and for processing your inquiries.
Our store is hosted by WooCommerce. WooCommerce provides us with the online e-commerce platform that allows us to sell our products and services to you.
Your data is stored through WooCommerce’s data storage, databases and the general WooCommerce application. WooCommerce stores your data on a secure server behind a firewall.
If you choose to pay via credit card, then WooCommerce stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted. All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers. For more insight, you may also want to read WooCommerce’s Privacy Statement https://automattic.com/privacy/
In addition to credit card payments, we offer other payment methods for the use of the web shop, using different payment service providers with whom we have concluded a data processing agreement. Depending on which payment method you choose, different data will be transmitted to the respective payment service provider. The legal basis for the transfer is article 6(1) clause 1 a, b, f GDPR.
You can find a list of our payment service providers below:
If you pay for your purchase with us with PayPal, your personal data will be transmitted to PayPal. If you have not yet opened a PayPal account, you will be asked to do so by PayPal in the course of the payment process. When you use or open a PayPal account, your name, address, telephone number and e-mail address must be transmitted to PayPal. The legal basis for the transmission of data is article 6, section 1 a, GDPR and article 6, section 1 b, GDPR.
Operator of the payment service PayPal is:
PayPal (Europe) S.à r.l. et Cie, S.C.A.
22-24 Boulevard Royal
If you pay for your purchase with Klarna, your personal data will be transmitted to Klarna Bank AB, the operator of the payment service provider Klarna. The legal basis for the transmission of data is article 6, section 1 a, GDPR and article 6, section 1 b, GDPR.
Klarna AB can be contacted as follows:
Klarna Bank AB (publ)
111 34 Stockholm
Phone: 0046 8-120 120 00
Fax: 0046 8-120 120 99
Klarna collects the following data when processing the payment of orders from our online shop:
- Name, birth date, title, billing and delivery address, e-mail address, mobile phone number
- Information about ordered products
- Information about income, credit obligations and notes regarding payment
- Location-based information
- IP address
Detailed information regarding the data protection provisions of Klarna Bank AB (publ) can be found at https://www.klarna.com/de/datenschutz
Your data will also be forwarded to the shipping company commissioned with the delivery, insofar as this is necessary for the delivery of the goods.
Due to commercial and tax regulations, we are obliged to save your address, payment and order data for a period of ten years. However, after two years we will restrict the processing, i.e. your data will only be used to comply with legal obligations. The legal basis for this is article 6 section 1 clause 1 c, GDPR.
With your consent, you can subscribe to our newsletter, with which we inform you about our current interesting offers. The advertised goods and services are named in the declaration of consent. The legal basis is article 6, section 1, clause 1 a, GDPR.
We use the so-called double-opt-in-process for the registration to our newsletter. This means that after your registration we will send you an e-mail to the given e-mail address, in which we ask you for confirmation that you wish the newsletter to be sent. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. In addition, we will store your IP addresses and times of registration and confirmation. The purpose of the procedure is to confirm your registration and, if necessary, to clarify any possible misuse of your personal data.
The only required information for sending the newsletter is your e-mail address. Entering additional, separately marked data is voluntary and will be used to address you personally. After your confirmation, we will save your e-mail address for the purpose of sending you the newsletter.
You can revoke your consent to the transmission of the newsletter at any time and unsubscribe from the newsletter. You can declare the cancellation by clicking on the link provided in each newsletter e-mail or by sending a message to the contact details stated in the legal notice.
Use of external tools on our website
We have integrated various tools from different companies into our website, which allow us to evaluate user behaviour or to establish links with other websites.
The controller has integrated the component Google Analytics (with anonymisation function) on this website.
Google Analytics is a web analytics service. Web analysis is the gathering, collection and analysis of data about the behaviour of visitors to websites. Among other things, a web analysis service collects data on which website a data subject has come to a website from (so-called referrers), which subpages of the website were accessed or how often and for which period of time a subpage was viewed. A web analysis is mainly used to optimize a website and for the cost-benefit analysis of Internet advertising.
The operator of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
As IP anonymization is activated on our website, your IP address will be shortened by Google within Member States of the European Union or other states in agreement with the European Economic Area. Only in exceptional cases, the full IP address is sent to and shortened by a Google server in the USA. On behalf of the operator of the website, Google will use this information to evaluate your use of the website, compile reports on website activity and to provide further services related to website and internet use to us. The IP address transferred through your browser to Google Analytics will not be combined with other data held by Google.
In addition, this website uses the Analytics feature User ID to track interaction data. This User ID will be additionally anonymized and encrypted and will not be linked with other data.
You can prevent the storage of cookies by a corresponding setting of your browser software; however, please note that if you do this, you may not be able to use all the features of this website to the fullest extent possible.
In addition, you may prevent the collection of the data generated by the cookie and related to your use of the website (including your IP address) by Google as well as the processing of this data by Google by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en
In addition, a cookie already set by Google Analytics can be deleted at any time via the Internet browser or other software programs.
Further information and Google’s applicable privacy regulations can be found at https://policies.google.com/privacy?hl=en and https://marketingplatform.google.com/about/. The following link provides a further explanation of Google Analytics: https://marketingplatform.google.com/about/.
Our website also uses Google Analytics performance reports relating to demographics and interests and reports on Google Display Network impressions. You can disable Google Analytics for display advertising and customize the ads on the Google Display Network by visiting the ad settings at this link: https://www.google.com/ads/preferences?continue=aHR0cHM6Ly9hZHNzZXR0aW5ncy5nb29nbGUuY29tL2Fub255bW91cw%3D%3D.
Google Tag Manager
This website uses Google Tag Manager. Through this service so-called website tags can be managed centrally via a user interface. Google Tag Manager only implements tags. No cookies are used and no personal information is collected.
However, Google Tag Manager will not access these data. If deactivation has been implemented for certain domains / websites or cookies, it will remain in effect for all tracking tags as far as they are implemented with the Google Tag Manager.
Facebook Tracking Pixel
With your consent, we will use Facebook’s “tracking pixel”. This pixel can be used to track user behaviour after they have been redirected to our website by clicking on a Facebook and / or Instagram ad. This allows us to record the effectiveness of Facebook and Instagram advertisements for statistical and market research purposes and, if necessary, to take optimization measures. The tracking of users who have landed on our website after clicking on one of our Facebook and Instagram ads can remain active up to 180 days.
The data collected in this way is anonymous for us, i.e. we do not see the personal data of individual users. However, this data is stored and processed by Facebook, about which we will inform you to the best of our knowledge.
Facebook may connect this data to the Facebook account and also use it for its own advertising purposes, according to its data usage policy.
If you want to disable cookie storage for Facebook, you can do so via your browser settings.
Facebook communication tools
We also use Facebook communication tools, especially the “Custom Audiences” and “Website Custom Audiences” products. Basically, a non-reversible and non-personal checksum (hash value) is generated from your usage data, which can be transmitted to Facebook for analysis and marketing purposes.
If you want to refuse the usage of Facebook’s “Website Custom Audiences”, you can do so by following this link: https://www.facebook.com/settings/?tab=ads.
In addition, we use Customer Match Lists within the framework of our Facebook advertising activities, for instance for “Lookalike Audiences” and remarketing. To use Customer Match, lists of encrypted user data are uploaded to Facebook. After the upload, the system checks which data is already known and places these users in a list. After creating the customer match lists, the encrypted customer data is automatically deleted. Facebook does not gather new addresses in this way (encryption).
To prevent Pinterest from associating your visit to our website with your Pinterest account, you must log out of your Pinterest account before visiting our site.
Consent to the Use of individual Online Services / the Collection of Tracking Data – Cookie Banner
We collect and process tracking data partly on the basis of consent. You give this consent by clicking on the “OK” button on our website in a banner that links to this consent text. By clicking on the “OK” button, you give your consent for us to store data on your terminal device (e.g. by setting cookies) or to retrieve data from your terminal device. Furthermore, by clicking on the “OK” button, you give your consent to the use of certain advertising functionalities, the use of which is in itself subject to consent. You also have the option of clicking on “Settings” in the banner and managing your consent preferences there. A distinction is made there between “absolutely necessary cookies & services”, “statistical cookies & services”, “personalisation cookies & services”, “cookies & services for marketing purposes” and “social media cookies & services”. The data processing that takes place in connection with these advertising functionalities is described below.
All data processing covered by the consent given by you by clicking on the “OK” button serves the same purpose, namely that of “advertising”.
Revocation of all consents: You can fully revoke the consent you have given for the data processing described above under https://behestia.com/terms-and-conditions/.
Consent Google Analytics in the “basic version”.
For the purpose of demand-oriented design and continuous optimization of our website, we use the basic version of Google Analytics, a web analytics service provided by Google Ireland Limited (“Google”). Google Analytics uses so-called “cookies” (text files), which are stored on your computer and which enable an analysis of your use of the website. On our behalf, Google will use this information for the purpose of evaluating your use of the website and compiling reports on website activity. Google processes the data collected via the use of the “basic version” of Google Analytics exclusively on our instructions and for our purposes.
Insofar as data collected via Google Analytics is used for advertising technologies of Google (e.g. Google remarketing) and in this case also processed by Google for its own purposes and / or purposes of third parties, such processing will only take place if you have given your consent to the use of such advertising technology on behestia.com. You can object to the collection of data by Google Analytics here.
Consent for Google Remarketing
This website uses the Google Remarketing service. Google Remarketing is an online advertising program of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). In doing so, we use the remarketing function within the Google AdWords service. The remarketing function allows us to present you with advertisements based on your interests on other websites within the Google advertising network. For this purpose, your surfing behavior on our website is analyzed, e.g. which offers you have viewed. This allows us to show you individualized advertising on the online search engine Google itself, so-called “Google Ads” and on other websites even after your visit to our website. For this purpose, Google stores a cookie in your browser when you visit Google services or websites in the Google advertising network. Your visits are recorded via this cookie. The cookie is used to uniquely identify your web browser and not to identify you personally. It is possible that Google may also use the data about your usage behavior collected via our website for its own purposes or for the purposes of other Google customers (e.g. to play out individualized third-party advertisements). Such further processing of the data as well as the processing of the data after its transmission by us to Google is carried out by Google as the sole data controller. In this context, Google, as the sole data controller, may store data about you in the United States. With regard to the USA, the European Court of Justice has determined that this is a country with an insufficient level of data protection. In this context, there is a particular risk that your data will be processed by American institutions / authorities for control and monitoring purposes without you having an adequate legal remedy against this. The legal basis for this data processing is Article 6(1)(a) GDPR (consent).
Consent for Microsoft Advertising
Our website uses the Microsoft Advertising service. Microsoft Advertising is an online advertising program provided by Microsoft Ireland Operations Limited (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521) (“Microsoft”). We use the so-called Universal Event Tracking (UET) within the Microsoft Advertising service with which data is collected and stored on this website for marketing and optimization purposes. For this purpose, your surfing behavior on our website is analyzed, e.g. which offers you have viewed. For this purpose, Microsoft stores a cookie in your browser. Your visits are recorded via this cookie. The cookie is used to uniquely identify your web browser and not to identify you personally. Microsoft processes the data collected about you on this website as the sole data controller. In this context, it is possible that your data will be transferred by Microsoft to the USA. With regard to the USA, the European Court of Justice has determined that this is a country with an insufficient level of data protection. In this context, there is a particular risk that your data will be processed by American institutions / authorities for control and monitoring purposes without you having an adequate legal remedy against this. The legal basis for this data processing is Article 6(1)(a) GDPR (consent).
You can view more detailed information on Microsoft’s data protection declaration at: https://privacy.microsoft.com/de-DE/privacystatement. Here you can also assert the data subject rights to which you are entitled vis-à-vis Microsoft (e.g. right to deletion). The legal basis for the data processing described above is the consent set out in Article 6(1)(a) GDPR (consent).
Social plugins from YouTube are used on this website. These are offers of the US company Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”)).
When you visit a page that contains such a plugin, your browser establishes a connection to Google and the content is loaded from these pages. Your visit to this website may thus be tracked by Google, even if you do not actively use the social plugin function. If you have an account with Google, you can use such a social plugin and can thus share information with your friends. We have no influence on the content of the plugins and the transmission of information.
Google provides detailed information on the scope, type, purpose and further processing of your data on its websites. Here you will also find further information on your rights and setting options to protect your privacy.
Data protection information from Google: https://policies.google.com/privacy?
For the integration of various databases and web tools, we use Zapier, a service of Zapier Inc, 548 Market St #62411, San Francisco, California 94104, USA. When using Zapier, data is transferred to the USA, which is generally considered a third country with an insecure level of data protection in the GDPR. We have no knowledge of the content of the transmitted data or how Zapier uses it or how long it is stored. We have concluded a contract for commissioned processing with Zapier in accordance with Art. 28 GDPR.
Zapier is certified under the Privacy Shield agreement and thereby offers a guarantee of compliance with European data protection law https://www.privacyshield.gov/participant?id=a2zt0000000TNk2AAG&status=Active.
For more information on data protection at Zapier, please visit https://zapier.com/privacy.
We store this information for a period of 12 months.
This data processing is based on art. 6 section 1.f GDPR for the protection of our legitimate interests, namely the optimization of our offer.
Who is responsible for processing of your personal data?
HESTIA Fashion GmbH is primarily responsible for the processing of personal data within the scope of this Privacy Notice. Under certain circumstances the responsibility for data protection and your privacy is shared with one or several other legal entities, either being a HESTIA Fashion GmbH affiliate or a third party.
Under each specific section of this Privacy Notice you will be informed about who is responsible for processing your personal data, the allocation of responsibilities and the modalities for the execution of rights.
Where do we process your data?
The personal data that we collect from you is generally stored within a country of the European Union but may also, whenever necessary, be transferred to and processed in a country outside of the EU. Any such transfer of your personal data will be carried out in compliance with applicable laws and without undermining your statutory rights.
Who has access to your data?
Your personal data is available and accessible only to those who need the data to accomplish the intended processing purpose. To the extent necessary, your personal data may be shared with suppliers and sub-contractors (processors and sub-processors) carrying out certain tasks on HESTIA Fashion GmbH’s behalf and with independent third parties, including, but not limited to, using personal information you share with us or that we indirectly collect to verify your identity and for fraud prevention purposes.
In addition, we may also disclose personal data to third parties, if we have reason to believe that using or disclosing such information is necessary or advisable to: (i) conduct investigations of possible breaches of law; (ii) identify, contact, or bring legal action against someone who may be violating an agreement they have with us; (iii) investigate security breaches or cooperate with government authorities pursuant to a legal matter; or (iv) to protect our rights, safety or property, including the prevention of fraud.
We reserve the right to transfer any personal data we have about you in the event that we merge with or are acquired by a third party, undergo another business transaction such as a reorganization, or should any such transaction be proposed.
What is the legal ground for processing?
HESTIA Fashion GmbH is not allowed to collect, process, use, store etc. personal data without a valid legal ground. Lawfulness may be derived from your consent, by contract, statutory obligations or from our legitimate interest as a business. For each specific purpose of processing of personal data we collect from you, we will inform you about which legal ground will apply, what rights you are entitled to exercise, whether the provision of personal data is statutory or required to enter a contract, and whether it is an obligation to provide the personal data and the possible consequences if you choose not to.
We do not collect any personal data directly from individuals under the age of 13 on our websites. If we discover that any such information is in our possession, we will delete it.
Right to complain with a supervisory authority:
If you have complaints about the way HESTIA FASHION GMBH processes and protects your personal data and privacy, you have the right, at any time, to make a complaint to the Austrian Data Protection Authority https://www.data-protection-authority.gv.at/ or any other competent supervisory authority in the country of residence.
Updates to our Privacy Notice:
We may need to update our Privacy Notice. The latest version of the Privacy Notice is always available on our website. We will communicate any material changes to the Privacy Notice.
The revision history is set out in section Changes of this Privacy Notice.
Which rights do you have?
We take data protection very seriously and therefore we have dedicated customer service personnel to handle your requests in relation to your rights stated above. You can always reach them at https://behestia.com/help-center/
If you have a HESTIA FASHION GMBH Account or are a member of HESTIA FASHION GMBH Membership, you can exercise your right to access, portability and rectification under your account pages, where you can also delete your account.
In addition, you have the following rights:
Right to access:
You have the right to request information about the personal data we hold on you at any time. You can contact HESTIA Fashion GmbH and we will provide you with your personal data via e-mail.
Right to portability:
Whenever HESTIA Fashion GmbH processes your personal data by automated means, based on your consent or based on an agreement, you have the right to get a copy of your data transferred to you or to another party. This only includes the personal data you have submitted to us.
Right to rectification:
You have the right to request rectification of your personal data if the information is incorrect, including the right to have incomplete personal data completed.
If you have a HESTIA Fashion GmbH account (Hestia membership), you can edit your personal data under your account pages.
Right to erasure:
You have the right to have any personal data processed by HESTIA Fashion GmbH erased at any time, except in the following situations:
- you have an ongoing matter with Customer Service
- you have an open order which has not yet been shipped or partially shipped
- you have an unsettled debt with HESTIA Fashion GmbH, regardless of the payment method
- you are suspected of having misused, or have misused, our services within the last four years
- your debt has been sold to a third party within the last three years or one year for deceased customers
- your credit application has been rejected within the last three months
- if you have made any purchase, we will keep your personal data in connection to your transaction for book-keeping purposes
Your right to object to processing based on legitimate interest:
You have the right to object to processing of your personal data that is based on HESTIA Fashion GmbH’s legitimate interest. HESTIA Fashion GmbH will not continue to process the personal data unless we can demonstrate legitimate grounds for the processing which override your interest and rights, or due to legal claims.
Right to restriction:
You have the right to request that HESTIA Fashion GmbH restrict the processing of your personal data under the following circumstances:
- if you object to a processing based on HESTIA Fashion GmbH’s legitimate interest, HESTIA Fashion GmbH shall restrict all processing of such data pending the verification of the legitimate interest.
- if you claim that your personal data is incorrect, HESTIA Fashion GmbH must restrict all processing of such data pending the verification of the accuracy of the personal data.
- if the processing is unlawful, you can oppose the erasure of personal data and instead request the restriction of the use of your personal data.
- if HESTIA FASHION GMBH no longer needs the personal data but it is required by you to defend legal claims.
(1) Right of information, article 15 GDPR
According to article 15, section 1 GDPR, you have the right to be informed of whether we process your personal data. If that is the case, you are entitled to further information (article 15, section 2 GDPR).
(2) Right of rectification, erasure or restriction of processing, article 16, 17 and 18 GDPR
According to article 16 GDPR, you have the right to demand – with immediate effect – the rectification of incorrect data and the completion of incomplete data – including by means of providing a supplementary statement.
In accordance with article 17 of the GDPR, you have the right to deletion of your personal data, especially if the processing of your personal data is not or no longer permissible.
(3) Right to object, article 21 GDPR
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning yourself which is based on point (e) or (f) of article 6(1), including profiling based on those provisions. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.
You can exercise your right to object at any time by contacting us via one of the contact opportunities mentioned in our legal notice.
(4) Right to lodge a complaint with a supervisory authority
In addition, without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you is unlawful. The data protection authority of the Republic of Austria provides forms for complaints and for exercising your rights at https://www.dsb.gv.at/download-links/dokumente.html. As far as our German customers are concerned: Your data protection authority in charge is the one in your place of residence. A list of all data protection authorities can be found at https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html