Privacy Policy
We appreciate your trust and handle your data conscientiously. It is therefore a matter of course for us to inform you in detail about the scope of the processing and use of your data.
DATA PROTECTION
Date: 31.03.2023
Responsible body and data protection officer
Urbanara GmbH, Alte Jakobstraße 85/86 10179 Berlin
Phone: +49 (0) 30 346 461 587
Email: kontakt@urbanara.de
If you have any questions about data protection, you can also contact our data protection officer at any time at dataprotection@urbanara.com.
- Basic information on data processing and legal bases
1.1. This data protection declaration explains to you the type, scope and purpose of the processing of personal data within our online offer and the associated websites, functions and content (hereinafter collectively referred to as "online offer" or "website"). The data protection declaration applies regardless of the domains, systems, platforms and devices (e.g. desktop or mobile) used on which the online offer is carried out.
1.2. The terms used, such as "Personal data" or their "processing" we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
1.3. The personal data of users processed in the context of this online offer include inventory data (e.g., names and addresses of customers), contract data (e.g., services used, names of clerks, payment information), usage data (e.g., the websites of our online offer visited, interest on our products) and content data (e.g., entries in the contact form).
1.4. The term “user” includes all categories of persons affected by data processing. They include our business partners, customers, interested parties and other visitors to our online offer. The terms used, such as “Users” are to be understood as gender-neutral.
1.5. We only process personal data of users in compliance with the relevant data protection regulations. This means that user data is only processed if there is legal permission. This means, in particular, if the data processing is necessary or required by law to provide our contractual services (e.g. processing of orders) and online services, the user has given consent, as well as due to our legitimate interests (i.e. interest in analysis, optimisation and economic operation and security of our online offer within the meaning of Art. 6 Para. 1 lit.f) GDPR, especially when measuring reach, creating profiles for advertising and marketing purposes and collecting access data and using the services of third-party providers.)
1.6. We would like to point out that the legal basis for the consent is Art. 6 Para. 1 lit. a) and Art. 7 GDPR, the legal basis for processing for the performance of our services and implementation of contractual measures Art. 6 Para. 1 lit. b) GDPR, the legal basis for processing in order to fulfil our legal obligations Art. 6 Para. 1 lit. c) GDPR, and the legal basis for processing to safeguard our legitimate interests is Art. 6 Para. 1 lit. f) GDPR.
- Data security
2.1 We use the popular SSL (Secure Socket Layer) method in conjunction with the highest level of encryption supported by your browser when you visit our website. As a rule, this is a 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is transmitted in encrypted form by the closed key or lock symbol in the lower status bar of your browser.
2.2 We also use suitable technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.
-
Transfer of data to third parties and third party providers
3.1. A transfer of data to third parties takes place only within the framework of the legal requirements. In particular, we only pass on user data to third parties if they have given their consent within the meaning of Art. 6 Para. 1 lit. a) GDPR, the disclosure on the basis of Art. 6 Para. 1 lit. b) GDPR is required for contractual purposes or based on legitimate interests in accordance with. Art. 6 para. 1 lit. f) GDPR is justified in the economic and effective operation of our business operations.
3.2. If we use subcontractors to provide our services, we take appropriate legal precautions as well as corresponding technical and organisational measures to ensure the protection of personal data in accordance with the relevant legal regulations.
3.3. If, within the scope of this data protection declaration, content, tools or other means are used by other providers (hereinafter jointly referred to as "third-party providers") and whose registered office is in a third country, it can be assumed that data will be transferred to the third-party providers' home states. Third countries are countries in which the GDPR is not a directly applicable law, i.e. basically countries outside the EU or the European Economic Area. The transfer of data to third countries takes place either when there is an adequate level of data protection, the consent of the user or other legal permission.
- Provision of contractual services
4.1. We process inventory data (e.g. names and addresses as well as contact details of users), contract data (e.g. services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services in accordance with. Art. 6 para. 1 lit b) GDPR.
4.2. Users can optionally create a user account in which they can see their orders in particular. As part of the registration, the required mandatory information is communicated to the users. The user accounts are not public and cannot be indexed by search engines. If users have terminated their user account, their data will be deleted with regard to the user account, subject to their retention is for commercial or tax reasons in accordance with Art. 6 Para. 1 lit. c) GDPR necessary. It is up to the users to save their data in the event of termination before the end of the contract. We are entitled to irretrievably delete all user data stored during the term of the contract.
4.3. As part of the registration and renewed logins as well as using our online services, the IP address and the time of the respective user action are saved. The storage takes place on the basis of our legitimate interests, as well as the user in protection against misuse and other unauthorised use. This data is not passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so in accordance with. Art. 6 para. 1 lit. c) GDPR.
4.4. We process usage data (e.g., the websites of our online offer visited, interest in our products) and content data (e.g., entries in the contact form or user profile) for advertising purposes in a user profile in order to e.g. To display product information based on the services you have previously used.
4.5 We use the shop system of the service provider Shopify International Limited, Victoria Buildings, 2nd floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland ("Shopify"), for the purpose of hosting and displaying the online shop processing on our behalf. All data collected on our website is processed on Shopify's servers. As part of the aforementioned Shopify services, data can also be processed in the context of further processing on behalf of Shopify Inc., 150 Elgin St, Ottawa, ON K2P 1L4, Canada, Shopify Data Processing (USA) Inc., Shopify Payments (USA) Inc . or Shopify (USA) Inc. In the event that data is transmitted to Shopify Inc. in Canada, the European Commission's adequacy decision guarantees the appropriate level of data protection.
The use of Shopify can lead to your personal data being transferred to the USA. The transfer of data to the USA is exceptionally permissible on the basis of Art. 49 Paragraph 1 Clause 1 lit b) if the transfer is necessary for the fulfilment of contractual obligations.
The USA is an insecure third country in which there is no level of data protection comparable to EU standards. Shopify does not offer any other guarantee to make up for this deficit. There is therefore the risk that government agencies will access your personal data through the transmission without you having any effective legal protection options.
Further information on data protection from Shopify can be found on the following website: https://www.shopify.de/legal/datenschutz.
4.6 On our website we offer, among other things payment via PayPal. PayPal enables payment via PayPal, direct debit, credit card and on account. The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter “PayPal”).
If you choose to pay via PayPal, the payment details you have entered will be transmitted to PayPal.
The transmission of your data to PayPal takes place on the basis of Art. 6 Para. 1 lit. a GDPR (consent) and Art. 6 Para. 1 lit. b) GDPR (processing to fulfil a contract). You have the option of withdrawing your consent to data processing at any time. A revocation does not affect the effectiveness of data processing operations in the past.
PayPal's current data protection provisions can be found at https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
4.7 On our website we offer, among other things payment via Amazon Pay. The provider of this payment service is primarily Amazon Payments Europe s.c.a., secondarily Amazon EU SARL, Amazon Services Europe SARL and Amazon Media EU SARL, all located at 5 Rue Plaetis, 2338 Luxembourg (hereinafter “Amazon Pay”).
If you choose to pay via Amazon Pay, the payment details you have entered will be transmitted to Amazon Pay.
Your data is transmitted to Amazon Pay on the basis of Art. 6 Para. 1 lit. a GDPR (consent) and Art. 6 Para. 1 lit. b) GDPR (processing to fulfil a contract). You have the option of withdrawing your consent to data processing at any time. A revocation does not affect the effectiveness of data processing operations in the past.
For details on paying with Amazon Pay, see the following link: https://pay.amazon.com/de/help/201751600.
4.9 If you opt for the payment services of Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden (hereinafter “Klarna”), we ask for your consent in accordance with Art. 6 Para. 1 S. 1 lit. a GDPR that we are allowed to transmit the data necessary for processing the payment and an identity and credit check to Klarna. In Germany, the credit agencies named in Klarna's data protection declaration can be used for identity and credit checks. Klarna uses the information received about the statistical probability of a payment default for a balanced decision on the establishment, implementation or termination of the contractual relationship. You can revoke your consent at any time by sending a message to the contact option mentioned in this data protection declaration. As a result, we may no longer be able to offer you certain payment options. You can revoke your consent to this use of personal data at any time to Klarna.
4.10 If the payment method "Payment by credit card" is selected, the payment will be processed by Mollie B.V. (https://www.mollie.com/de), Keizersgracht 313, 1016 EE Amsterdam, Netherlands (hereinafter "Mollie"). We give Mollie the information you provided during the ordering process, along with the information about your order in accordance with Art. 6 Para. 1 lit. b) GDPR. The transfer of your data takes place exclusively for the purpose of payment processing and only insofar as it is necessary for this. You can find more information about Mollie's data protection provisions at the following Internet address: https://www.mollie.com/de/privacy.
4.11 The order processing (in particular the invoicing) takes place via the service provider "easybill" (easybill GmbH, Düsselstrasse 21, 41564 Kaarst). Name, address and any other personal data will be processed in accordance with Art. 6 Para. 1 lit. b DSGVO passed on to easybill exclusively for processing the online order. Your data will only be passed on if this is actually necessary to process the order. Details on data protection at easybill and easybill's data protection declaration can be viewed on the easybill website at easybill.de.
- Contact
5.1. When contacting us (using the contact form or email), the information provided by the user is used to process the contact request and to process it in accordance with. Art. 6 para. 1 lit. b) GDPR processed.
5.2. User information is stored in our customer relationship management system ("CRM system") or a comparable request organisation.
- Collection of access data and log files
6.1. On the basis of our legitimate interests within the meaning of Art. 6 Para. 1 lit. f) GDPR data on every access to the server on which this service is located (so-called server log files). The access data includes the name of the accessed website, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider .
6.2. For security reasons (e.g. to investigate acts of abuse or fraud), log file information is stored for a maximum of 14 days and then deleted. Data, the further storage of which is necessary for evidence purposes, are excluded from deletion until the respective incident has been finally clarified.
7. Cookies
So-called cookies are used on our website. Cookies are small text files that are stored locally in the cache of the website visitor's Internet browser. The cookies enable the internet browser to recognise you, e.g. Recognise when using the login area. These are used to make surfing as easy and comfortable as possible for you. If you want to rule out the use of cookies in general, you can do this by making a setting in your browser. In this case, however, this may result in a functional impairment when using our website.
If you consent to the use of cookies, the legal basis for processing is the declared consent in accordance with Section 6 Paragraph 1 Clause 1 lit. a) GDPR.
Otherwise, the data processed with the help of cookies will be processed on the basis of our legitimate interests (e.g. in a business operation of our online offer and its improvement) or, if the use of cookies is necessary to fulfil our contractual obligations, both according to § 6 paragraph 1 sentence 1 lit. f) GDPR.
A list of the cookies we use, descriptions of the purposes of the cookies and further information on the respective cookies can be found in our cookie consent banner.
- Newsletter
8.1 The following information explains the contents of our newsletter and the registration, dispatch and statistical evaluation procedures and your rights to withdraw - by subscribing to our newsletter, you agree to receive it and to the procedures described. You can subscribe to the newsletter as part of the ordering process or separately via our online shop page.
8.2 Only your email address is required for receiving the newsletter. The provision of further separately marked personal data (first name, surname) is voluntary and will be used to address you personally in our communications if necessary. After your confirmation, we store your email address to send you the newsletter.
8.3 Content of the newsletter: We send emails and other electronic notifications with promotional information ("newsletter") only with the recipients' consent or legal permission.
The legal basis for this is your consent as per Art. 6 Para. 1 Sentence 1 lit. a), Art. 7 DSGVO as well as § 7 para. 2 no. 3 UWG.
We offer you various newsletter services that include the following: ● Inspiring topics, e.g. current information about our brands, trends, offers and new products.
- Current offers.
- General product recommendations.
- Surveys on whether you liked the products you bought. ● Invitations to competitions.
If you have consented to personalised advertising, we process tracking data about your user behaviour when visiting our webshop, including data from purchases made or abandoned, wish lists created and when using our newsletter. This allows us to personalise our newsletter and associate it with your email address or user profile within our database. We also store information about the browser you are using and the settings you have
made in the operating system, and information about the internet connection you use to reach our website. In the newsletter sent to you, we receive, among other things, receipt and read confirmations and information about the links you have clicked on in our newsletter.
Furthermore, we can assign your order history and the data stored about your orders (e.g. your address, shopping baskets, or purchasing behaviour) via your email address. If you have consented to the personalisation of your newsletter, we offer the following newsletter services:
- Notifications, e.g. about the re-availability of your products stored in the wish list.
- Reminders about products you have forgotten in your shopping basket.
- Personalised recommendations of products if we assume that these could be of interest to you based on your previous orders and your surfing habits.
8.4 Double opt-in and logging: Registration for our newsletter takes place in a so-called double opt-in process. After registration, you will receive an email in which you are asked to confirm your newsletter registration so that we can ensure that you are the owner of the specified email address and that you actually wish to receive the newsletter. By clicking the confirmation link in the email, you give us your final consent to use your personal data in accordance with Art. 6 Para. 1 Sentence 1 lit. a) DSGVO. If you do not confirm your registration within 24 hours, the information will be blocked and automatically deleted after one month.
Subscriptions to the newsletter are logged to be able to prove the subscription process as per legal requirements.
This includes the storage of the registration and confirmation time and the IP address. The legal basis for collecting and storing this data is Art. 6 para. 1 sentence 1 lit f) DSGVO. The data processing is carried out to prove existing consent. This is the necessary legitimate interest.
8.5 Statistical collection and analyses - The newsletters contain a so-called "web beacon", i.e. a pixel-sized file that is retrieved from the server of the dispatch service provider when the newsletter is opened (see 8.7.). Within the scope of this retrieval, technical information, such as information on the
browser and your system, your IP address and the time of the retrieval are initially collected. This information is used for the technical improvement of the services based on the technical data or the target groups and their reading behaviour based on the retrieval locations (which can be determined with the help of the IP address) or the access times. Statistical surveys also include determining whether newsletters are opened, when they are opened and which links are clicked. This information can be assigned to individual newsletter recipients for technical reasons. However, it is neither our intention nor that of the dispatch service provider to observe individual users. The analyses serve us much more to recognise the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. The statistical surveys and analyses are carried out based on our legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f) DSGVO. Our interest is to use a user-friendly and secure newsletter system that serves our business interests and meets the expectations of our users.
8.6 Revocation - You can revoke your consent at any time with permanent effect. Each newsletter contains an unsubscribe link for this purpose. If you use the unsubscribe link, we will unsubscribe your email address immediately. In addition, you can revoke your consent at any time by sending an email to contact@urbanara.co.uk to cancel receipt of the newsletter for the future. You can withdraw your consent in whole or in part.
8.7 Our email newsletters are sent via the technical service provider Sendinblue GmbH (“Brevo”) , Köpenicker Str. 126, 10179 Berlin, Germany to whom we transmit your newsletter registration data.
You can find Brevos privacy policy at Privacy Policy Personal Data Protection - Brevo
You can also modify or revoke your consent to the use of cookies via the
- Integration of other services and content from third parties
In order to be able to provide and continuously improve our services, we rely on the services of the following third-party providers, through which personal data can also be processed. We have selected these third party providers carefully and in accordance with the provisions of the GDPR.
A list of the cookies we use, descriptions of the purposes of the cookies and further information on the respective cookies can be found in our cookie consent banner.
9.1 The social networks Facebook, Twitter and Pinterest are integrated on our website as a link to the corresponding services. After clicking on the integrated text / image link, you will be redirected to the website of the respective provider. User information is only transmitted to the respective provider after it has been forwarded. For information on how your personal data is handled when you use this website, please refer to the respective data protection provisions of the providers you use.
9.2 Functions of the Instagram service are integrated into our online offer. These functions are offered by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. If you are logged into your Instagram account, you can link the content of our pages to your Instagram profile by clicking the Instagram button. This enables Instagram to assign your visit to our website to your user account. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the data transmitted or its use by Instagram. Data protection declaration: http://instagram.com/about/legal/privacy/.
9.3
'Microsoft Clarity' refers to a Microsoft procedure wherein user analysis is possible based on a pseudonymous user ID and in effect, based on pseudonymous data. Essentially, we use your data, but it is all encased in anonymous, artificial identifiers - nothing personal. This includes data evaluation on mouse movements, or performance data on specific Internet presentations. In particular, we process usage data (e.g. interest in content, access times), meta/communication data (e.g. device information, IP addresses), location data, and movement data (mouse movements, scrolling movements), but all in pseudonymised form.All website users who have consented to data use via our cookie consent service are subject to this processing.The purpose of the processing is tracking, remarketing, conversion measurement (measuring the effectiveness of marketing measures), interest-based and behavioural marketing, profiling (creating user profiles), reach measurement, and cross-device tracking (processing user data across devices for marketing purposes).Microsoft Clarity: Online marketing and web analytics; offered by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; Internet presentation: https://clarity.microsoft.com; Privacy policy: https://privacy.microsoft.com/de-de/privacystatement
- Rights of data subjects
You have the right to information about the processing of your personal data (Art. 15 GDPR),
for correction (Art. 16 GDPR),
for deletion (Art. 17 GDPR),
if applicable, the right to restricted processing (Art. 18 GDPR),
the right to communication (Art. 19 GDPR),
as well as the right to data portability (Art. 20 GDPR).
The more detailed requirements of the aforementioned claims result from the GDPR and the BDSG.
- Right to Object
If you want to object to the collection, processing or use of your data by URBANARA in accordance with these data protection provisions as a whole or for individual measures, you can send your objection by e-mail, fax or letter to the following contact details: dataprotection@urbanara.com.
You have the right, for reasons that arise from your particular situation, to object at any time to the processing of your personal data, which is based on Art. 6 Para. 1 lit. f) GDPR takes place, to lodge an objection (Art. 21 GDPR).
These are cases in which the processing is based on the legitimate interests of the person responsible and the assumption that your legitimate interests in excluding processing do not outweigh them. When exercising such an objection, we ask you to explain the reasons arising from your particular situation. In the event of your objection, we will examine the situation and either stop or adjust the data processing or show you our compelling reasons worthy of protection on the basis of which we will continue processing.
In addition, you have the right to lodge a complaint with a data protection supervisory authority in accordance with Art. 77 GDPR if you are of the opinion that your personal data is not being processed lawfully. The right of appeal exists without prejudice to any other administrative or judicial remedy.
- Deletion of data
The data stored by us will be deleted as soon as they are no longer required for their intended purpose and the deletion does not conflict with any statutory retention requirements. If the user data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. I.e. the data will be blocked and not processed for other purposes. This applies e.g. for user data that must be kept for commercial or tax law reasons.
According to legal requirements, the storage takes place for 6 years according to § 257 Abs. 1 HGB (trading books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting documents, etc.) and for 10 years according to § 147 Abs. 1 AO (books, records, management reports, Accounting documents, commercial and business letters, documents relevant for taxation, etc.).
- Changes to the privacy policy
We reserve the right to change the data protection declaration in order to adapt it to changed legal situations or to changes in the service and data processing. However, this only applies to declarations on data processing. If the consent of the user is required or components of the data protection declaration contain provisions of the contractual relationship with the users, the changes are only made with the consent of the users. The users are asked to inform themselves regularly about the content of the data protection declaration.