Gratiae respects your privacy and wants you to be aware of the steps that we take to protect any information that you provide to us during your visit to gratiaecosmetics.com or our other online areas. It’s important for you to understand what information we collect and what we do with it. We do not rent or sell your information to anyone for any reason.
If you have questions regarding the use of any data that you’ve provided, please contact our customer service department at firstname.lastname@example.org.
1. Name and contact details of the controller
Responsible: Gratiae Cosmetics Laboratories B.V., Boekweitstraat 13, 2153GK Nieuw Vennep, Netherlands
2. Collection and storage of personal data as well as type and purpose of their use
a) When visiting the website
When you visit our website gratiaecosmetics.com, the browser on your device automatically sends information to the server of our website. This information is temporarily stored in a so-called log file. The following information is recorded without your intervention and stored until it is automatically deleted:
- IP address of the requesting computer,
- date and time of access,
- name and URL of the retrieved file,
- website from which access is made (referrer URL),
- the browser used and, if applicable, the operating system of your computer as well as the name of your access provider.
The mentioned data will be processed for the following purposes:
- ensuring a smooth connection to the website,
- ensuring comfortable use of our website,
- evaluation of system security and stability as well as
- other administrative purposes.
The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest follows from the purposes listed above for data collection. Under no circumstances do we use the data collected for the purpose of drawing conclusions about you personally. The data collected is stored in the log file for a period of 30 and then deleted.
b) When registering for our newsletter
You can unsubscribe at any time, for example via a link at the end of each newsletter. Alternatively, you are welcome to send your unsubscription request by e-mail at any time to email@example.com. After you unsubscribe, your e-mail address will be deleted from the newsletter distribution list.
Double-Opt-In and protocol
The registration for our newsletter takes place in a so-called double opt-in procedure. This means that after registration you will receive an e-mail asking you to confirm your registration. This confirmation is necessary so that no one can register with e-mail addresses other than their own.
Subscriptions to the newsletter are logged in order to be able to prove the registration process in accordance with legal requirements. This includes the storage of the registration and confirmation time, as well as the IP address.
Use of “MailChimp”
We send our newsletter via the newsletter mailing platform “MailChimp” of Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA.
The e-mail addresses of our newsletter recipients as well as their further collected data are stored on the servers of MailChimp in the USA as described below.
MailChimp uses this information exclusively for sending and evaluating the newsletter on our behalf.
In addition, according to its own information, MailChimp can also use this data to optimize or improve its own services, for example to technically optimize the dispatch, to improve the presentation of newsletter content or to determine from which countries the recipients come. However, MailChimp does not use the data to write to our newsletter recipients or to pass it on to third parties.
MailChimp is certified under the EU-US “Privacy Shield” and thus commits itself to comply with the data protection level of the European Union and the EU data protection regulations.
Contract on data processing
Furthermore, we have concluded a contract with MailChimp for data processing in which MailChimp undertakes to protect the data of our newsletter recipients, to process them on our behalf in accordance with their data protection regulations and in particular not to pass them on to third parties. The data protection regulations of MailChimp can be viewed here.
The newsletters contain a so-called “web-beacon”, which is a pixel-sized file that is retrieved from the MailChimp server when the newsletter is opened. Within the scope of this retrieval, information about the browser and your system, your IP address and the time of retrieval of MailChimp are collected. This information is used to technically improve the services.
It is also evaluated whether and if so, when the newsletters are opened and which links are clicked. Although this information can be assigned to individual newsletter recipients for purely technical reasons, it is not used to monitor user behavior. Rather, we use the analysis reports to identify our users’ reading habits and adapt our content to them.
Online call MailChimp
The use of the newsletter dispatch service provider MailChimp, the execution of the analyses as well as the protocol of the registration procedure are carried out on the basis of our legitimate interests according to Art. 6 Para. 1 lit. f GDPR. We are interested in using a user-friendly and secure newsletter system that serves our business interests and meets the expectations of our users.
c) When using the comment option
For the comment function on our site, in addition to your comment, the time of entry of the comment, your e-mail address and, if you do not post anonymously, the user name you have chosen will be saved and published.
In addition, the IP addresses used by the author of the comment are stored.
Since the comments are not checked before being displayed on our website, we need this data in order to be able to take action against the author in the event of legal infringements, such as insults or propaganda.
The comments and the associated data (e.g. IP address) are stored and remain on our website until the commented content has been completely deleted or the comments must be deleted for legal reasons (e.g. offensive comments).
The comments are stored on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time. All you need to do is send an informal message by e-mail to firstname.lastname@example.org. The legality of the data processing operations already carried out remains unaffected by the revocation.
d) When using our contact form / data processing in customer service
If you wish to contact us via the contact form provided on our website, by e-mail, telephone, fax or via social media platforms and request information about your orders or your customer status, it may be necessary to provide us with personal data such as your first name, telephone number and e-mail address or order or invoice number in order to process your request sensibly. These data will be used exclusively for the verification and processing of your enquiry and will be stored by us for the purpose of processing the enquiry and in the event of follow-up questions.
The data provided by you will not be passed on to other third parties.
The processing of the data entered in the contact form is thus carried out exclusively on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR. You can revoke this consent at any time. All you need to do is send an informal e-mail to us at email@example.com. The legality of the data processing operations carried out up to the revocation remains unaffected by the revocation.
The data entered by you in the contact form will remain with us until you request us to delete it, you revoke your consent for storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions – in particular retention periods – remain unaffected.
In the event that you contact us via a social media platform, we would like to point out that this is not our property or our sphere of control and therefore the protection and confidentiality of the data provided to us via the respective social media platform cannot be guaranteed. For questions regarding data protection, please contact the operators and owners of the respective social media platform.
3. Passing on of data
Your personal data will not be transmitted to third parties for purposes other than those listed below.
We will only pass on your personal data to third parties if:
- you have given your express consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR,
- the disclosure pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR is necessary to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,
- in the event that a legal obligation exists for the transfer pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR, and
- this is legally permissible and is necessary for the processing of contractual relationships with you pursuant to Art. 6 para. 1 sentence 1 lit. b GDPR.
For example, we use so-called session cookies to recognize that you are visiting individual pages of our website. These will be deleted automatically after leaving our site.
In addition, we also use temporary cookies that are stored on your end device for a specified period of time to optimize user-friendliness. If you visit our site again to use our services, it will automatically recognize that you have already been with us and what entries and settings you have made so that you do not have to enter them again.
The data processed by cookies is required for the aforementioned purposes in order to protect our legitimate interests and those of third parties pursuant to Art. 6 Para. 1 S. 1 lit. f GDPR.
Most browsers automatically accept cookies. However, you can set your browser so that you are informed about the setting of cookies and allow cookies only in individual cases, or so that no cookies are stored on your computer. However, completely deactivating cookies may mean that you cannot use all functions of our website.
5. Tracking tools
The tracking measures listed below and used by us are carried out on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR. On the one hand, with the tracking measures used, we want to ensure that our website is designed to meet requirements and is continually optimized. On the other hand, we use the tracking measures to statistically record the use of our website and to evaluate it for the purpose of optimizing our offer. These interests are to be regarded as legitimate within the meaning of the aforementioned provision.
The respective data processing purposes and data categories can be found in the corresponding tracking tools.
a) Google Analytics
This website uses functions of the web analysis service Google Analytics. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Analytics uses so-called “cookies” (see section 4.). These are text files that are stored on your computer and enable an analysis of your use of the website. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there.
The information is used to evaluate the use of the website, to compile reports on the website activities and to provide further services associated with the use of the website and the Internet for the purposes of market research and demand-oriented design of these Internet pages. The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data.
Google Analytics cookies are stored on the basis of Art. 6 Par. 1 lit. f GDPR. We have a legitimate interest in analyzing the user behavior of our website visitors in order to optimize our offers.
We have activated the function “IP-Anonymization” on this website. This will cause your IP address to be truncated by Google within Member States of the European Union or in other countries party to the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.
You can also prevent Google from collecting and processing the data generated by the cookie and relating to your use of the website (including your IP address) by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
Objection to data collection
You can prevent Google Analytics from collecting your data by clicking on the following link. An opt-out cookie is set which prevents the collection of your data on future visits to this website: https://support.google.com/analytics/answer/181881?hl=en
Contract data processing
We have concluded a contract with Google for commissioned data processing and fully implement the strict requirements of the German data protection authorities for the use of Google Analytics.
b) Google Adwords and Google Remarketing
Our website also uses Google Conversion Tracking, an analysis service of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google AdWords will set a cookie on your device (“conversion cookie”) if you have accessed our website via a Google ad. These cookies expire after 30 days and do not serve the personal identification of users. If you visit certain pages of ours and the cookie has not expired, we and Google may recognize that someone clicked on the ad and was redirected to our page. Each Google AdWords customer receives a different cookie. Therefore, cookies cannot be tracked through the websites of various AdWords customers. The information collected with the help of the conversion cookie is used to generate conversion statistics for us. As an AdWords customer, we know the total number of users who clicked on our ad and were redirected to a page with a conversion tracking tag. However, we do not receive any information that personally identifies users.
If you do not want information about your behavior on the website to be processed in the tracking process, you can also refuse the setting of a cookie required for this – for example using a browser setting that generally deactivates the automatic setting of cookies. You can also deactivate cookies for conversion tracking by setting your browser to block cookies from the “googleadservices.com” domain.
You can prevent Google from using cookies in the future by making the appropriate setting on the http://www.google.com/settings/ads website.
c) Bing Ads
On our website we use technologies from Bing Ads (bingads.microsoft.com), which are provided and operated by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.
Microsoft will set a cookie on your device if you have accessed our website via a Microsoft Bing ad. In this way, Microsoft and we can see that someone has clicked on an ad, has been redirected to our website and has reached a pre-defined target page (“conversion site”). We only see the total number of users who clicked on a Bing ad and were then redirected to the conversion site. Microsoft collects, processes and uses information via the cookie, from which usage profiles are created using pseudonyms. These usage profiles are used to analyze visitor behavior and to display advertisements. No personal information concerning the identity of the user is processed.
The information collected is transmitted to Microsoft servers in the United States and stored there for a maximum of 180 days.
If you do not want information about your behavior to be used by Microsoft as described above, you can refuse the setting of a cookie required for this purpose – for example, using a browser setting that generally deactivates the automatic setting of cookies. You can also prevent the collection of data generated by the cookie and related to your use of the website and the processing of this data by Microsoft by clicking on the following link http://choice.microsoft.com/de-DE/opt-out and declaring your objection. Further information on data protection and the cookies used at Microsoft and Bing Ads can be found on the Microsoft website https://privacy.microsoft.com.
6. Social Media Plug-ins
We use social plug-ins of the social networks Facebook, Twitter, Instagram, YouTube and Pinterest on our website on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR to make our company better known. The underlying advertising purpose is to be regarded as a legitimate interest within the meaning of the GDPR. Responsibility for data protection-compliant operation must be guaranteed by the respective provider.
Our website uses social media plugins from Facebook to personalize their use. For this we use the “LIKE” or “SHARE” button. This is an offer from Facebook.
When you access a page of our website that contains such a plugin, your browser establishes a direct connection to the Facebook servers. The content of the plugin is transmitted directly from Facebook to your browser and integrated into the website.
By integrating the plugins, Facebook receives the information that your browser has called up the corresponding page of our website, even if you do not have a Facebook account or are not currently logged on to Facebook. This information (including your IP address) is transmitted directly from your browser to a Facebook server in the USA and stored there.
If you are logged in to Facebook, Facebook can associate your visit to our website directly with your Facebook account. If you interact with the plugins, for example by pressing the “LIKE” or “SHARE” button, the corresponding information is also transmitted directly to a Facebook server and stored there. The information is also published on Facebook and displayed to your Facebook friends.
Facebook may use this information for the purposes of advertising, market research and demand-oriented design of Facebook pages. To this end, Facebook creates usage, interest and relationship profiles, e.g. to evaluate your use of our website with regard to the advertisements displayed to you on Facebook, to inform other Facebook users about your activities on our website and to provide other services associated with the use of Facebook.
If you do not want Facebook to associate the information collected through our website with your Facebook account, you must log out of Facebook before visiting our website.
The purpose and scope of the data collection and the further processing and use of the data by Facebook as well as your rights and setting options for the protection of your privacy can be found in Facebook’s data protection information at: https://www.facebook.com/about/privacy/.
Plugins of the short message network of Twitter Inc. (Twitter) are integrated into our website. You can recognize the Twitter plugins by the Twitter logo on our site. An overview of tweet buttons can be found at: https://about.twitter.com/resources/buttons.
When you access a page of our website that contains such a plugin, a direct connection is established between your browser and the Twitter server. Twitter receives the information that you have visited our site with your IP address. If you click the Twitter “tweet button” while logged into your Twitter account, you can link the contents of our pages on your Twitter profile. This allows Twitter to associate the visit of our pages with your user account. We would like to point out that, as the provider of the pages, we are not aware of the content of the data transmitted or how it is used by Twitter.
If you do not want Twitter to associate your visit to our pages with your Twitter account, please log out of your Twitter account.
Our website also uses so-called social plugins from Instagram, which is operated by Instagram LLC, 1601 Willow Road, Menlo Park, CA 94025, USA.
The plug-ins are marked with an Instagram logo, for example in the form of an “Instagram camera”.
When you access a page of our website that contains such a plugin, your browser establishes a direct connection to Instagram’s servers. Instagram transfers the content of the plugin directly to your browser and integrates it into the page. This integration informs Instagram that your browser has called up the corresponding page of our website, even if you do not have an Instagram profile or are not currently logged in to Instagram.
This information (including your IP address) is transmitted directly from your browser to an Instagram server in the USA and stored there. If you are logged in to Instagram, Instagram can immediately associate your visit to our website with your Instagram account. If you interact with the plugins, for example by pressing the “Instagram” button, this information is also transmitted directly to an Instagram server and stored there.
The information is also published on your Instagram account and displayed to your contacts.
If you do not want Instagram to associate the information collected through our website directly with your Instagram account, you must log out of Instagram before visiting our website.
Our website uses plugins from Google’s YouTube site. This website is operated by YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA.
If you visit one of our pages equipped with a YouTube plugin, a connection to the YouTube servers is established. The YouTube server is informed which of our pages you have visited.
If you are logged into your YouTube account, you allow YouTube to associate your surfing behavior directly with your personal profile. You can prevent this by logging out of your YouTube account.
The use of YouTube is in the interest of an appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.
The Pinterest Button of Pinterest Inc., 808 Brannan St, San Francisco, CA 94103, USA, is integrated on our website. This transmits your IP address to a Pinterest server in the USA. If you are logged in to Pinterest with the same browser when you visit our site, this information can be linked to your profile. If you click on the plug-in “Pin-It”, this is also transmitted to Pinterest and published via your account there.
You can set your privacy on Pinterest at http://pinterest.com/about/privacy.
If you do not agree to the transfer of your data to Pinterest, please log out of Pinterest before visiting our website.
7. Data processing when using our online shop
Processing of data (customer and contract data)
We collect, process and use personal data only to the extent necessary for the establishment, content design or change of the legal relationship (inventory data). This is done on the basis of Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures. The collected customer data will be deleted after completion of the order or termination of the business relationship and expiry of the warranty period. Legal retention periods remain unaffected.
When you place an order as a guest in our online shop, the following data is collected from you, processed and used to process your order: Name, first name, billing and delivery address, e-mail address, telephone number (“customer master data”).
It is also possible to set up a customer account during the ordering process so that, for subsequent orders, you do not have to re-enter your master data and can log in directly to the customer account with your password. To do this, you must provide your e-mail address and a password of your choice twice, as well as your express consent, before placing your order.
Data transfer upon conclusion of contract
In order to ensure the best possible support for our customers, we pass on the data to other companies within the scope of what is legally permissible exclusively for the proper performance of the contract and only to the extent necessary for this – for example to the companies entrusted with the delivery of the goods or the credit institution commissioned with the processing of payments – and ensure that they only process your data in accordance with our instructions. Your data will not be passed on to third parties without your express consent, for example for advertising purposes. The basis for data processing is Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures.
The collected customer master data will be deleted after completion of the order or termination of the business relationship after expiry of the statutory warranty period. Legal retention periods remain unaffected.
The customer master data stored in the customer account on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR will be stored for future order enquiries until you revoke your consent and/or delete your account.
8. Payment provider
On our website we offer payment via PayPal. The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.
9. Data security through encryption
SSL or TLS encryption
This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or requests that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.
If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
Encrypted payment transactions on this website
If after the conclusion of a chargeable contract there is an obligation to provide us with your payment data (e.g. account number for direct debit authorization), this data is required for payment processing.
Payment transactions via the common means of payment (American Volume/credit guard/authorize.net) are made exclusively via an encrypted SSL or TLS connection. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.
In the case of encrypted communication, your payment data that you transmit to us cannot be read by third parties.
We also use suitable technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
10. Your rights
You have the right:
- to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you may request information about the purposes of processing, the category of personal data, the categories of recipients to whom your data have been or will be disclosed, the planned storage period, the existence of a right to rectification, deletion, restriction of processing or objection, the existence of a right of appeal, the origin of your data, if these have not been collected by us, and the existence of automated decision-making including profiling and, if applicable, meaningful information on their details;
- in accordance with Art. 16 GDPR, to demand without delay the correction of incorrect, or the completion of incomplete, personal data stored by us;
- to request the deletion of your personal data stored with us in accordance with Art. 17 GDPR, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
- in accordance with Art. 18 GDPR, to request the restriction of the processing of your personal data if you dispute the accuracy of the data, if the processing is unlawful but you oppose the deletion of the data, and we no longer need the data but you need it to assert, exercise or defend legal claims, or if you have filed an objection to the processing in accordance with Art. 21 GDPR;
- in accordance with Art. 20 GDPR, to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format or to request its transfer to another controller;
- in accordance with Art. 7 para. 3 GDPR, to revoke at any time the consent you have given us. As a result, we are no longer allowed to continue processing data based on this consent in the future; and
- to complain to a supervisory authority pursuant to Art. 77 GDPR. As a rule, you can contact the supervisory authority at your usual place of residence or workplace or at our company headquarters.
11. Right of objection
If your personal data are processed on the basis of legitimate interests pursuant to Art. 6 para. 1 sentence 1 letter f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, provided that there are reasons for this which arise from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right of objection, which we will implement without specifying a particular situation.
If you wish to exercise your right of revocation or objection, simply send an e-mail to firstname.lastname@example.org.