Privacy Declaration of Oner Active GmbH
Oner Active GmbH
6020 Innsbruck, Austria
1. Security and protection of your personal data when visiting our website
Oner Active GmbH (hereinafter referred to as “Oner Active” or “we”) takes the protection of your personal data very seriously, exercising special care and using the most modern security standards to ensure it.
We see it as our primary task to safeguard the confidentiality of your personal data and to protect it from unauthorized access.
In order to guarantee that the processing of personal data is explained to you in a transparent and understandable way, we would like to inform you about the various legal terms, which will also be used in this privacy declaration:
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter the "data subject"). A natural person is considered to be identifiable if the identity of the person can be determined, directly or indirectly, in particular by association with identifying information such as a name, ID number, location data, an online username, or one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.
“Processing” means any process or series of operations related to personal data, such as collecting, gathering, organizing, sorting, storing, adapting or modifying, reading, querying, using, disclosure by transmission, dissemination or other form of provision, matching or linking, restriction, erasure or destruction, with or without the aid of automated procedures.
“Restriction of processing” means the marking of stored personal data with the aim to limit their future processing.
“Profiling” means any kind of automated processing of personal data that consists in using that personal information to evaluate certain personal aspects relating to a natural person, in particular in order to analyze and predict aspects relating to job performance, economic situation, health, personal preferences, interests, reliability, behavior, location or relocation of that natural person.
“Pseudonymisation” means the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without adding additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that the personal data cannot be assigned to an identified or identifiable natural person.
“Filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
3. Lawfulness of processing
The processing of personal data shall only be lawful if there is a legal basis for processing. According to article 6, section 1 a – f GDPR, a legal basis can be as follows:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
4. Collection of personal data when visiting our website
If you use the website purely for information purposes, i.e. if you have not registered with us, have not ordered anything and are not sending us information by other means, we collect only the personal data which your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to guarantee stability and security (legal basis is art. 6, section 1, clause 1 lit. f GDPR):
- IP address
- Date and time of the query
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status / HTTP status code
- Data volume transferred in each instance
- Website from which the request originates (browser type)
- User’s operating system and user interface
- Browser software language and version.
5. Information on the collection of personal data – (e-mail, contact form, customer account and online shop)
(1) In the following section, we would like to inform you about the collection of personal data when using our website (contact form, customer account and online shop).
(2) If you contact us by email or using our contact form, we will store the information you provide us with (your name and email address or telephone number) to respond to your query. We will erase the data we collected on this basis when it is no longer required or we will restrict the processing where we have to comply with statutory retention requirements.
(3) If you buy products through our site or create a customer account to manage your previous or future orders, we collect the data we need for the contract. These can be seen from the respective entry fields for registration (customer account) or the order form. When ordering, we need at least the mandatory information marked with a *. We use this data in accordance with art. 6, section 1, clause 1 b GDPR for the execution of contracts and for processing your inquiries.
Our store is hosted by Shopify Inc. Shopify provides us with the online e-commerce platform that allows us to sell our products and services to you.
Your data is stored through Shopify’s data storage, databases and the general Shopify application. Shopify stores your data on a secure server behind a firewall.
If you choose to pay via credit card, then Shopify stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted. All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers. For more insight, you may also want to read Shopify’s Terms of Service (https://www.shopify.com/legal/terms) or Privacy Statement (https://www.shopify.com/legal/privacy).
(4) In addition to credit card payments, we offer other payment methods for the use of the web shop, using different payment service providers with whom we have concluded a data processing agreement. Depending on which payment method you choose, different data will be transmitted to the respective payment service provider. The legal basis for the transfer is article 6(1) clause 1 a, b, f GDPR.
You can find a list of our payment service providers below:
If you pay for your purchase with us with PayPal, your personal data will be transmitted to PayPal. If you have not yet opened a PayPal account, you will be asked to do so by PayPal in the course of the payment process. When you use or open a PayPal account, your name, address, telephone number and e-mail address must be transmitted to PayPal. The legal basis for the transmission of data is article 6, section 1 a, GDPR and article 6, section 1 b, GDPR.
Operator of the payment service PayPal is:
PayPal (Europe) S.à r.l. et Cie, S.C.A.
22-24 Boulevard Royal
If you pay for your purchase with Klarna, your personal data will be transmitted to Klarna Bank AB, the operator of the payment service provider Klarna. The legal basis for the transmission of data is article 6, section 1 a, GDPR and article 6, section 1 b, GDPR.
Klarna AB can be contacted as follows:
Klarna Bank AB (publ)
111 34 Stockholm
Phone: 0046 8-120 120 00
Fax: 0046 8-120 120 99
Klarna collects the following data when processing the payment of orders from our online shop:
- Name, birth date, title, billing and delivery address, e-mail address, mobile phone number
- Information about ordered products
- Information about income, credit obligations and notes regarding payment
- Location-based information
- IP address
Detailed information regarding the data protection provisions of Klarna Bank AB (publ) can be found at https://www.klarna.com/de/datenschutz
(5) Your data will also be forwarded to the shipping company commissioned with the delivery, insofar as this is necessary for the delivery of the goods.
(6) Due to commercial and tax regulations, we are obliged to save your address, payment and order data for a period of ten years. However, after two years we will restrict the processing, i.e. your data will only be used to comply with legal obligations. The legal basis for this is article 6 section 1 clause 1 c, GDPR.
(1) With your consent, you can subscribe to our newsletter, with which we inform you about our current interesting offers. The advertised goods and services are named in the declaration of consent. The legal basis is article 6, section 1, clause 1 a, GDPR.
(2) We use the so-called double-opt-in-process for the registration to our newsletter. This means that after your registration we will send you an e-mail to the given e-mail address, in which we ask you for confirmation that you wish the newsletter to be sent. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. In addition, we will store your IP addresses and times of registration and confirmation. The purpose of the procedure is to confirm your registration and, if necessary, to clarify any possible misuse of your personal data.
(3) The only required information for sending the newsletter is your e-mail address. Entering additional, separately marked data is voluntary and will be used to address you personally. After your confirmation, we will save your e-mail address for the purpose of sending you the newsletter.
(4) You can revoke your consent to the transmission of the newsletter at any time and unsubscribe from the newsletter. You can declare the cancellation by clicking on the link provided in each newsletter e-mail or by sending a message to the contact details stated in the legal notice.
(5) We use the external service provider Emarsys as a processor for the transmission of the newsletter. We have concluded a separate data processing agreement with the service provider to ensure the protection of your personal data. More information about Emarsys can be found on the website https://www.emarsys.com/de/.
7. Use of external tools on our website
We have integrated various tools from different companies into our website, which allow us to evaluate user behavior or to establish links with other websites.
The controller has integrated the component Google Analytics (with anonymisation function) on this website.
Google Analytics is a web analytics service. Web analysis is the gathering, collection and analysis of data about the behavior of visitors to websites. Among other things, a web analysis service collects data on which website a data subject has come to a website from (so-called referrers), which subpages of the website were accessed or how often and for which period of time a subpage was viewed. A web analysis is mainly used to optimize a website and for the cost-benefit analysis of Internet advertising.
The operator of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
As IP anonymization is activated on our website, your IP address will be shortened by Google within Member States of the European Union or other states in agreement with the European Economic Area. Only in exceptional cases, the full IP address is sent to and shortened by a Google server in the USA. On behalf of the operator of the website, Google will use this information to evaluate your use of the website, compile reports on website activity and to provide further services related to website and internet use to us. The IP address transferred through your browser to Google Analytics will not be combined with other data held by Google.
In addition, this website uses the Analytics feature UserID to track interaction data. This User ID will be additionally anonymized and encrypted and will not be linked with other data.
You can prevent the storage of cookies by a corresponding setting of your browser software; however, please note that if you do this, you may not be able to use all the features of this website to the fullest extent possible.
In addition, you may prevent the collection of the data generated by the cookie and related to your use of the website (including your IP address) by Google as well as the processing of this data by Google by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en
In addition, a cookie already set by Google Analytics can be deleted at any time via the Internet browser or other software programs.
Further information and Google’s applicable privacy regulations can be found at https://policies.google.com/privacy?hl=en and https://marketingplatform.google.com/about/. The following link provides a further explanation of Google Analytics: https://marketingplatform.google.com/about/.
Our website also uses Google Analytics performance reports relating to demographics and interests and reports on Google Display Network impressions. You can disable Google Analytics for display advertising and customize the ads on the Google Display Network by visiting the ad settings at this link: https://adssettings.google.com.
Google Tag Manager
This website uses Google Tag Manager. Through this service, so-called website tags can be managed centrally via a user interface. Google Tag Manager only implements tags. No cookies are used and no personal information is collected.
However, Google Tag Manager will not access these data. If deactivation has been implemented for certain domains / websites or cookies, it will remain in effect for all tracking tags as far as they are implemented with the Google Tag Manager.
Facebook Tracking Pixel
With your consent, we will use Facebook's "tracking pixel". This pixel can be used to track user behavior after they have been redirected to our website by clicking on a Facebook and / or Instagram ad. This allows us to record the effectiveness of Facebook and Instagram advertisements for statistical and market research purposes and, if necessary, to take optimization measures. The tracking of users who have landed on our website after clicking on one of our Facebook and Instagram ads can remain active up to 180 days.
The data collected in this way is anonymous for us, i.e. we do not see the personal data of individual users. However, this data is stored and processed by Facebook, about which we will inform you to the best of our knowledge.
Facebook may connect this data to the Facebook account and also use it for its own advertising purposes, according to its data usage policy.
If you want to disable cookie storage for Facebook, you can do so via your browser settings.
Facebook communication tools
We also use Facebook communication tools, especially the "Custom Audiences" and "Website Custom Audiences" products. Basically, a non-reversible and non-personal checksum (hash value) is generated from your usage data, which can be transmitted to Facebook for analysis and marketing purposes.
If you want to refuse the usage of Facebook’s “Website Custom Audiences”, you can do so by following this link: https://www.facebook.com/ads/Webseite_custom_audiences/.
In addition, we use Customer Match Lists within the framework of our Facebook advertising activities, for instance for “Lookalike Audiences” and remarketing. To use Customer Match, lists of encrypted user data are uploaded to Facebook. After the upload, the system checks which data is already known and places these users in a list. After creating the customer match lists, the encrypted customer data is automatically deleted. Facebook does not gather new addresses in this way (encryption).
Our website employs components provided by Twitter. Twitter is a service of Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA.
Each time you visit our website, which has such a component, this component causes the browser you are using to download a corresponding representation of the component of Twitter. Through this process, Twitter is informed about which specific page of our website is currently being visited.
You can change your privacy settings in the Account Settings at https://twitter.com/account/settings.
To prevent Pinterest from associating your visit to our website with your Pinterest account, you must log out of your Pinterest account before visiting our site.
We store this information for a period of 12 months.
This data processing is based on art. 6 section 1.f GDPR for the protection of our legitimate interests, namely the optimization of our offer.
Here is a list of cookies that we use. We’ve listed them here so you can choose if you want to opt-out of cookies or not.
- session_id, unique token, sessional, allows Shopify to store information about your session (referrer, landing page, etc).
- shopify_visit, no data held, persistent for 30 minutes from the last visit, used by our website provider’s internal stats tracker to record the number of visitors.
- shopify_uniq, no data held, expires midnight (relative to the visitor) of the next day, counts the number of visits to a store by a single customer.
- cart, unique token, persistent for 3 weeks, stores information about the contents of your cart.
- secure_session_id, unique token, sessional
- storefront_digest, unique token, unlimited duration, if the shop has a password, it is used to confirm that the current user has access.
9. Your data protection rights against Oner Active
(1) Right of information, article 15 GDPR
According to article 15, section 1 GDPR, you have the right to be informed of whether we process your personal data. If that is the case, you are entitled to further information (article 15, section 2 GDPR).
(2) Right of rectification, erasure or restriction of processing, article 16, 17 and 18 GDPR
According to article 16 GDPR, you have the right to demand – with immediate effect – the rectification of incorrect data and the completion of incomplete data – including by means of providing a supplementary statement.
In accordance with article 17 of the GDPR, you have the right to deletion of your personal data, especially if the processing of your personal data is not or no longer permissible.
(3) Right to object, article 21 GDPR
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning yourself which is based on point (e) or (f) of article 6(1), including profiling based on those provisions. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.
You can exercise your right to object at any time by contacting us via one of the contact opportunities mentioned in our legal notice.
(4) Right to lodge a complaint with a supervisory authority
In addition, without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you is unlawful. The data protection authority of the Republic of Austria provides forms for complaints and for exercising your rights at https://www.dsb.gv.at/dokumente. As far as our German customers are concerned: Your data protection authority in charge is the one in your place of residence. A list of all data protection authorities can be found at https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html