Privacy Policy I. Basic Information Here we inform you about the processing of personal data when using our online presence. This online privacy policy therefore applies to our website www.xyz.de as well as to our profiles on social networks. Personal data is any data that can be related to you personally, including, among other things, your name, address, email address, IP address, or user behavior. Regarding the terms used, such as "processing," "controller," or "data subject," please refer to the definitions in Article 4 of the GDPR. There you will find, in particular, the following: "Personal data" means any information relating to an identified or identifiable natural person (the "data subject" or "data subject"); An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Art. 4 No. 1 GDPR). "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4 No. 2 GDPR). “Controller” (or “controller”) is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4 No. 7 GDPR). “Processor” is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art. 4 No. 8 GDPR). In particular, the terms “processing” and “personal data” are very broad, so that almost any handling of data can be understood as falling under them. II. Who is the controller? We are responsible for the processing of your data: Anatara Elke Dusin Mittelstr. 12a 14467 Potsdam Tel.: +49 3301 5716478 Email: datenschutz@tolles-kleid.de III. How can you contact our data protection officer? The data protection officer of the controller is: Anatara Elke Dusin, Mittelstr. 12a, 14467 Potsdam, Tel.: +49 3301 5716478, Email: datenschutz@tolles-kleid.de [Alternatively: We are not legally obligated to appoint a data protection officer. For questions regarding the processing of your data, please feel free to contact us at any time (contact details above).] IV. Who is affected by data processing? When you visit our website, for example, as a prospective customer, customer, supplier, service provider, or other visitor, your personal data is processed in accordance with legal regulations and/or this statement. All visitors to our website are collectively referred to as "users." V. What data do we collect from you and for what purposes or on what legal basis do we process it? When you visit our website without registering or otherwise providing us with information, only the personal data that your browser transmits to our server is processed. To our knowledge, the following data, among others, is processed, which is technically necessary to display our website and to ensure its stability and security: IP address of the requesting computer, date and time of the request, name and URL of the retrieved file, access status / HTTP status code, amount of data transferred, website from which the request originates (referrer URL), browser used, operating system. The processing of this data in so-called log files is necessary to display our website and to ensure its stability and security. If you also submit personal data to us, for example, as part of an inquiry via email or our contact form, we will process the following data – depending on the information you provide: Master data (e.g., name, address), contact data (e.g., email address, telephone number), content data (e.g., text entries, photos, videos), usage data (e.g., sites visited, access times), communication/metadata (e.g., device information, IP addresses). Furthermore, we may process the following personal data for the purposes of providing contractual services, customer service and support, and marketing/advertising: Contract data (e.g., subject matter of the contract, term, customer number), payment data (e.g., bank details, payment history). We process your personal data when you visit our website for the following purposes: providing the functions and content of our online services, ensuring a smooth connection to our website, ensuring convenient use of our website, evaluating and ensuring system security and stability as well as general security measures, and responding to any contact requests. or for communication with you, further administrative purposes, provision of contractual services, and customer service. Unless we specify a particular legal basis within this privacy policy, the following applies to the processing of your personal data: The legal basis for obtaining consent is Art. 6 para. 1 lit. a, Art. 7 GDPR. The legal basis for data processing to fulfill our services and carry out (pre-)contractual measures, as well as to answer any inquiries, is Art. 6 para. 1 lit. b GDPR. The legal basis for data processing to fulfill legal obligations is Art. 6 para. 1 lit. c GDPR. Should the vital interests of the data subject or another natural person necessitate data processing, the legal basis is Art. 6 para. 1 lit. d GDPR. Data processing to protect our legitimate interests is based on Art. 6 para. 1 lit. f GDPR. Our legitimate interest arises from the aforementioned purposes of data collection. When we disclose your personal data to third parties, transfer it to them, or otherwise grant them access to it, this is done exclusively on the basis of legal permission, insofar as you have consented to it, we are legally obligated to do so, or on the basis of our legitimate interests. Legal permission exists in particular when the transfer of data is necessary for the fulfillment of contractual obligations (e.g., with payment or shipping service providers). A legitimate interest may exist when we use data for direct marketing or to prevent fraud, or when you are a customer of ours. A legitimate interest may also exist, for example, when using web or email hosting providers, cloud providers, or other service providers. Such service providers often act as so-called data processors on the basis of a corresponding contract. They are also obligated to comply with data protection regulations and to guarantee this contractually. The legal basis for such data processing relationships is Article 28 GDPR. VI. To whom do we transfer your data? We regularly collaborate with the following recipients in particular: shipping service providers, credit institutions, email hosting providers, and web hosting providers. We select these external service providers carefully. In the case of data processing agreements (Art. 28 GDPR), these companies are contractually bound to our instructions and are regularly audited by us. Further information can be found in the following descriptions of the individual services. VII. Is your data transferred to entities outside the EU? The transfer of your personal data to third countries (i.e., outside the EU or the EEA) or to an international organization is only intended in exceptional cases. Further information can be found in the following descriptions of the individual services. If we process your personal data in a third country or have it processed by third parties, this only occurs if it is necessary for the performance of our (pre-)contractual obligations or based on your consent, a legal obligation, or our legitimate interests. Your personal data will only be processed in a third country if the specific requirements of Art. 44 et seq. GDPR are met, unless legal or contractual permissions exist in individual cases. This means that data processing is carried out, for example, on the basis of special guarantees, such as the officially recognized finding of a level of data protection equivalent to that of the European Union or compliance with specific, recognized contractual obligations (in particular the so-called "EU Standard Contractual Clauses"). [Alternatively: Transfer of your personal data to third countries (i.e., outside the EU or the EEA) or to an international organization is not planned.] VIII. How long do we process your data? The duration of storage of your personal data is regularly determined by existing statutory retention periods (e.g., under commercial or tax law). Unless otherwise stated below, your personal data will be routinely deleted after the expiry of any applicable period, provided that it is no longer required for the performance of a contract or for initiating a contract, we no longer have a legitimate interest in its continued storage, and/or you have not consented to further storage. In Germany, specific retention periods exist, among others, in the following areas: according to commercial law (6 years, e.g., for opening balance sheets, annual financial statements, accounting documents, etc.); according to tax law (10 years for all tax-relevant documents); according to the General Equal Treatment Act (AGG) (6 months for documents of rejected applicants). IX. What are your rights? With regard to the processing of your personal data, you have the right to request information from us about your personal data processed by us. In particular, you can request information about the purposes of the processing, the categories of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, and the existence of automated decision-making, including profiling, and, where applicable, meaningful information about the logic involved (Art. 15 GDPR). to request the immediate rectification of inaccurate or incomplete personal data stored by us (Art. 16 GDPR); to request the erasure of your personal data stored by us, unless processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims (Art. 17 GDPR); to request the restriction of processing of your personal data where the accuracy of the data is contested by you, the processing is unlawful, but you oppose its erasure, and we no longer need the data, but you require it for the establishment, exercise, or defense of legal claims, or you have objected to processing pursuant to Art. 21 GDPR (Art. 18 GDPR); to receive your personal data, which you have provided to us, in a structured, commonly used, and machine-readable format or to request its transmission to another controller (data portability, Art. 20 GDPR); not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you (Art. 22 GDPR); to lodge a complaint with a supervisory authority (Art. 77 GDPR); to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions (Art. 21 GDPR); to withdraw your consent at any time. This means that we will no longer be permitted to process the data based on this consent in the future (Art. 7(3) GDPR). The last three rights mentioned are explained in more detail below. X. When and how can you object to data processing? [The text of this section must be highlighted, i.e., by bold or italic formatting, a different font or color, etc.] If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR or for direct marketing or profiling, you have the right to object to the data processing at any time. This will then mean that we may no longer process your personal data in the future, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the data processing serves the establishment, exercise or defense of legal claims. However, the right to object only applies if there are grounds relating to your particular situation or if your objection is directed against direct marketing. In the latter case, you have a general right to object, which we will implement without requiring you to specify a particular situation. If you wish to exercise your right to object, a message to us is sufficient (contact details see above). XI. When and how can you withdraw your consent? You can withdraw any consent you have given us at any time. This means that we will no longer be permitted to process your personal data based on this consent in the future. If you wish to exercise your right of withdrawal, simply send us a message (contact details above). XII. Who can you complain to? Regarding our processing of your personal data, you have the right to lodge a complaint with a data protection supervisory authority. A list of the state data protection supervisory authorities can be found, for example, at the following address: www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html XIII. When and why is providing your data necessary? When using our contact form or sending inquiries by email, you provide us with your personal data (e.g., name, address, or email address). Providing your personal data is partly required by law (e.g., by tax regulations). It may also be necessary for carrying out (pre-)contractual measures. Failure to provide your personal data would mean that the contract with you could not be concluded or that your request could not be answered. For the performance of contracts or pre-contractual measures, or for communication with us, the provision of the following data is mandatory: First and last name, address, email address, customer data (e.g., customer number), text entries, and telephone number (e.g., for follow-up questions or answering customer inquiries). Unless otherwise stated in this privacy policy, all other information is voluntary. XIV. Is automated decision-making (e.g., profiling) used? No automated decision-making, including profiling, takes place. XV. How can you contact us? You can contact us by mail, telephone, or email (see above). If you contact us, for example, by email or via our contact form, we automatically store the personal data you voluntarily provide to us for the purpose of processing your request or contacting you. This data will not be shared with third parties. XVI. How do we secure our website? Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR). These measures include, in particular, ensuring the confidentiality, integrity, and availability of data. Furthermore, we have established internal business processes that ensure, in particular, the protection of data subject rights, the deletion of data, and the response to data breaches. In addition, we comply with the principles of data protection law, including data protection by design and by default (Art. 25 GDPR). For security reasons and to protect the transmission of your personal data and other confidential content, we use encrypted transmission via an SSL certificate on our website. You can recognize this by the fact that "https" (instead of "http") appears in your browser's address bar, along with a padlock icon and a different color scheme. XVII. What are cookies and how do we use them? We use cookies on our website. These are small files containing text information that are stored by your browser or placed on your device. So-called transient (or temporary) cookies are automatically deleted when you close your browser. These include session cookies. These store a specific identifier (the session ID), which allows your device to be recognized when you return to our website. This allows, for example, the contents of a virtual shopping cart in an online store or your login status to be saved. Session cookies are deleted when you log out or close your browser. So-called persistent (or permanent) cookies are automatically deleted after a certain period of time; the storage duration varies depending on the cookie. This allows, for example, user information to be stored for audience measurement or marketing purposes, or even a login status to be saved for an extended period. A distinction must be made between first-party and third-party cookies, both temporary and permanent. First-party cookies are set by the responsible party, while third-party cookies are set by third-party providers. You can delete cookies at any time via your browser's security settings or, for example, refuse to accept third-party cookies. If you generally wish to object to the use of cookies for online marketing purposes, you can do so with various services or providers, such as the American website www.aboutads.info/choices or the European website www.youronlinechoices.com. Please note, however, that you may then not be able to use all the functions of our website. On our website, we may use temporary or permanent cookies, as well as first-party and third-party cookies, for example, to identify you on subsequent visits if you have an account with us (otherwise, you would have to log in again each time you visit). You will find further information about this in our privacy policy below. We currently only use cookies that are technically necessary for providing our services (e.g., to store your login status). The legal basis for the use of cookies is Article 6(1)(f) GDPR. If other cookies that are not technically necessary are used, we will obtain your consent (Article 6(1)(a) GDPR). XVIII. What about our profiles on social networks? We operate the profiles listed below on social networks in order to contact users active there and inform them about our services. When accessing the respective networks, the terms and conditions and privacy policies of the respective operators apply. Unless otherwise stated in our privacy policy, we only process user data if users interact with us via social networks, for example, by posting on our profile pages or sending us messages. Our social media profiles: Facebook, LinkedIn, Instagram