Privacy Policy

Welcome to Ocean Bottles and our website at In this Privacy Policy, you will find all the information about which Personal Information we, Ocean Bottles of #250 - 997 Seymour St., Vancouver, BC, Canada, V6B 3M1 (“we”, “us”, “our”) acting as the data controller in accordance with Canada's Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the EU's General Data Protection Act (“GDPR”) collect and process and for what purpose. You will also find out what rights you have and how you can assert them.


If you have any questions about the processing of your Personal Information by us or about data protection in general, you can reach us at


What is Personal Information?

Personal Information is any information relating to personal or material circumstances that relates to an identified or identifiable individual. This includes, for example, your name, date of birth, e-mail address, postal address, or telephone number as well as online identifiers such as your IP address. In contrast, information of a general nature that cannot be used to determine your identity is not Personal Information. This includes, for example, the number of users of a website.


What is processing?

"Processing" means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means. The term is broad and covers virtually any handling of data.


Relevant legal basis

In the following, we inform you about the legal basis on which we process Personal Information. If more specific legal bases apply in individual cases, we will inform you of these separately.


  • Consent - The data subject has given his/her consent to the processing of Personal Information relating to him/her for a specific purpose or purposes.


  • Performance of a contract and pre-contractual enquiries - Processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures carried out at the data subject's request.


  • Legitimate interests - Processing is necessary for the purposes of the legitimate interests of the controller or a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of Personal Information.


Your rights

Under the PIPEDA, you can exercise the following rights:

  • Right to withdraw consent
  • Right of access, correction or deletion
  • Right to submit a privacy complaint


Under the GDPR, you can exercise the following rights:

  • Right to information
  • Right to rectification
  • Right to object to processing
  • Right to deletion
  • Right to data portability
  • Right of objection
  • Right to withdraw consent
  • Right to complain to a supervisory authority
  • Right not to be subject to a decision based solely on automated processing.


The Supervisory Authority

The competent data protection authority in Canada is:


The Office of the Privacy Commissioner of Canada

30, Victoria Street

K1A 1H3

Gatineau, Quebec, Canada


Updating your information

If you believe that the information we hold about you is inaccurate or that we are no longer entitled to use it and want to request its rectification, deletion, or object to its processing, please do so by contacting us using


Access Request

In the event that you wish to make a Data Subject Access Request, you may inform us in writing of the same using


We will respond to requests regarding access and correction as soon as reasonably possible. Should we not be able to respond to your request within thirty (30) days after receiving your request, we will inform you in writing within thirty (30) days of the time by which we will be able to respond to your request. If we are unable to provide you with any Personal Information or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the respective legal regulations mentioned above).


Processing of Personal Information

In the course of our business and website operations, we process data, and this data is generally transferred to our Headquarters in Canada. However, this also includes disclosure by transmission to third parties and to so-called third countries outside Canada. If we use third parties in third countries to provide our services, we take appropriate legal precautions as well as corresponding technical and organizational measures to ensure the protection of Personal Information in accordance with the relevant legal regulations.


  a) access data and hosting

You can visit our website without providing any Personal Information. Each time you access a website, the web server automatically saves a so-called server log file, which contains, for example, the name of the requested file, your IP address, the date and time of the access, the amount of data transferred and the requesting provider (access data and log files) and documents the access.


This access data is evaluated solely for the purpose of ensuring trouble-free operation of the site and improving our services. In accordance with the PIPEDA and GDPR, this serves to protect our legitimate interests in the correct presentation of our website, which outweigh our interests in the context of a balancing of interests. All access data is deleted at the latest seven days after the end of your visit to the site.


  b) Shopify

We use the store system Shopify of the service provider Shopify International Limited ("Shopify"), for the purpose of hosting and displaying the shop on the basis of processing on our behalf. All data collected on our website is processed on Shopify's servers. As part of Shopify's services, data may also be transferred to Shopify Inc, 150 Elgin St, Ottawa, ON K2P 1L4, Canada, Shopify Data Processing (USA) Inc, Shopify Payments (USA) Inc or Shopify (USA) Inc as part of further processing on our behalf. In the event that data is transferred to Shopify Inc. in Canada, the appropriate level of data protection is guaranteed. Further processing on servers other than the aforementioned of Shopify will only take place within the framework communicated below. The legal basis for the data processing is our legitimate interest in providing an appealing website and shop.


  c) hosting

As part of processing on our behalf, Shopify provides hosting and website presentation services for us. This serves to protect our legitimate interests in the correct presentation of our website. All data collected in the course of using our website or in forms provided for this purpose in the online shop are processed on Shopify's servers.


  d) contacting us

If you contact us via e-mail or social media, we store and process the following data from you: e-mail address, name, and telephone number, if provided, as well as other Personal Information that you provide when contacting us. This data is collected and processed exclusively for the purpose of contacting you and processing your request and then deleted, provided there is no legal obligation to retain it. The legal bases for processing are contract and our legitimate interest.


  e) data collection and use for contract processing

We collect Personal Information if you voluntarily provide it to us in the context of your order (your name, e-mail address). Mandatory fields are marked as such, as we need the data in these cases to process the contract and we cannot process the order without you providing it. We use the data you provide to process the contract.


  f) financial data

If you make a purchase, your payment will be processed via the payment system of Shopify (ShopPay). Payment data will be processed solely through the payment service provider you select. The legal basis for the provision of a payment system is the establishment and implementation of the user contract for the use of the service.


  g) newsletter

If you register for our newsletter, we will regularly send you information about our services. The only data required for sending the newsletter is your e-mail address. We use the so-called double opt-in procedure for sending the newsletter. This means that we will only send you an e-mail newsletter once you have expressly confirmed that you consent to receiving newsletters. By activating the confirmation link, you give us your consent.


You can unsubscribe from the newsletter at any time via the link provided for this purpose in the newsletter or by sending a corresponding message to After unsubscribing, your e-mail address will be deleted from our newsletter distribution list immediately. The legal basis for the data processing is your consent and our legitimate interest.


  h) marketing

Insofar as you have also given us your separate consent to process your data for marketing and advertising purposes, we are entitled to contact you for these purposes via the communication channels you have given your consent to.


You may give us your consent in a number of ways including by selecting a box on a form where we seek your permission to send you marketing information, or sometimes your consent is implied from your interactions or contractual relationship with us. Where your consent is implied, it is on the basis that you would have a reasonable expectation of receiving a marketing communication based on your interactions or contractual relationship with us.


Direct Marketing generally takes the form of e-mail but may also include other less traditional or emerging channels. These forms of contact will be managed by us, or by our contracted service providers. Every directly addressed marketing sent or made by us or on our behalf will include a means by which you may unsubscribe or opt out.


  i) social media

Based on our legitimate interest, we are present on social media. If you contact us via social media, you should note that the chat history can be deleted neither by us nor by you, and that, in accordance with the PIPEDA and GDPR, the relevant social media platform and we are jointly responsible for the processing of your data and enter into a so-called joint controller agreement.


A Joint Controller Agreement itself is very legalistic and lengthy, but in a nutshell, it clarifies how the jointly responsible parties will fulfil the obligations arising from data protection laws that are applicable to them. The legal basis for the use of the relevant social media platform is our legitimate interest, your consent or, in the case of a (pre) contractual relationship with us, the initiation of a contractual service, if any.


Data transfer

We sometimes use specialised service providers to process your data. Our service providers are carefully selected and regularly monitored by us. They process Personal Information only on our behalf and strictly in accordance with our instructions on the basis of corresponding contracts for commissioned processing.


We may also disclose Personal Information to third parties if we are legally obliged to do so, e.g., by court order, or if this is necessary to support criminal or legal investigations or proceedings at home or abroad or to fulfill our legitimate interests.


Integration of third-party services and content

We use content or service offers of third-party providers on the basis of our legitimate interests in order to integrate their content and services (hereinafter uniformly referred to as "content").


This always requires that the third-party providers of this content are aware of the IP address of the user, as without the IP address they would not be able to send the content to their browser. The IP address is therefore necessary for the display of this content.


Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as visitor traffic on the pages of our website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our website, as well as being linked to such information from other sources.


The following provides an overview of third-party providers and their content, together with links to their privacy policies, which contain further information on the processing of data and so-called opt-out measures, if any:



For further information, please refer to our Cookie policy.


Data Security

Our data processing is subject to the principle that we only process the Personal Information that is necessary for the use of our services. In doing so, we take great care to ensure that your privacy and the confidentiality of all Personal Information are always guaranteed.


All transmitted data is protected by HTTPS encryption. Hyper Text Transfer Protocol Secure (HTTPS) is a protocol used to ensure secure data transmission on the Internet. The public-private key procedure is used here. This means that data encrypted with a publicly accessible key can only be decrypted again with a separate private key.


We also use technical and organizational security measures (TOMs) throughout the company to protect the data we manage from you against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.


Duration of data storage

We store Personal Information on our secure server and only for as long as it is necessary for the purposes for which it is processed or for as long as any consent you have given us has been revoked by you. Insofar as statutory retention obligations must be observed, the storage period for certain data may be up to 6 years, irrespective of the processing purposes.


Automated decision-making

Automated decision-making including profiling does not take place.


Do Not Sell

We do not sell Personal Information to third parties.


Personal Information and Children

We will not knowingly collect, use or disclose Personal Information from minors under the age of 18 without first obtaining consent from a legal guardian through direct offline contact.


Changes and updates

We kindly ask you to inform yourself regularly about the content of our Privacy Policy. We will amend the Privacy Policy as soon as changes to the information processing activities we carry out make this necessary. This Privacy Policy was last updated on Wednesday, January 11, 2023.


Concerns and Contact

If you have any concerns about a possible compromise of your privacy or misuse of your Personal Information on our part, or any other questions or comments, or wish to exercise your rights under applicable laws, please contact us.