Data Protection Statement

We care about your personal data (“data”). This data protection statement informs you about the processing of data on our website which is made available to the public at With a view to the terminology used (such as, for example, “processing” or “controller”) we refer to the legally binding definitions in Art. 4 of the General Data Protection Regulation (GDPR) of the European Union.

1. Responsibility

GW Cosmetics GmbH
Achauerstrasse 49a
A-2333 Leopoldsdorf

E-mail address:
Phone: +43 / 2235 / 47 940-0

Legal Notice:
Insofar as GW Cosmetics GmbH controls the data processing and determines the purposes and means of the processing of data, it acts as “controller” according to the GDPR.

2. Overview of processing operations

Categories of data

We process Meta/communication data (e.g. device information, IP addresses), usage data (e.g. websites visited, interest in content, access times) and location data (information on the geographical position of a device or person) of our website visitors.


  • Providing of our website’s online service
  • Communication with users and providing of customer support
  • Interest-based and behavioral marketing including remarketing, web analytics, access statistics, recognition of returning visitors
  • Security measures, server monitoring and error detection

3. Legal Base for the Processing

We process data on the basis of

  • the consent given by each data subject to the processing of his or her personal data for one or more specific purposes (Article 6 (1) (a) GDPR),
  • the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6 (1) (b) GDPR),
  • the performance of our legal obligations (Article 6 (1) (c) GDPR) and/or
  • if processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Article 6 (1) (f) GDPR).

In Austria, in addition to the GDPR the Federal Act on the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act – DSG) applies. It contains additional provisions on the right of access, rectification or cancellation, processing of special categories of personal data, processing for other purposes and transmission and automated decision making in individual cases.

4. Security Precautions

Technical and Organisational Measures (TOMs)

We take appropriate TOMs in accordance with the legal requirements, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to, input, transmission, securing and separation of the data. In addition, we have established procedures to ensure that data subjects’ rights are respected, that data is erased and that we are prepared to respond to data threats rapidly. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software and service providers allows, in accordance with the principle of privacy by design and privacy by default.

Masking of the IP address
If it is possible for us or the storage of the IP address is not necessary, we shorten your IP address or have it shortened. When the IP address is shortened, also known as “IP masking”, the last octet, i.e. the last two numbers of an IP address, is deleted (the IP address in this context is an identifier individually assigned to an Internet connection by the online access provider). With the shortening of the IP address, the identification of a person on the basis of their IP address is to be prevented or made considerably more difficult.

SSL encryption (https)
In order to protect your data transmitted via our online services in the best possible way, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.

5. Transmission and Disclosure

In the context of our processing of data, it may happen that the data is transferred to other places, companies or persons or that it is disclosed to them (eg service providers commissioned with IT tasks or providers of services and content that are embedded in our website). In such a case, the legal requirements will be respected and in particular corresponding contracts or agreements, which serve the protection of your data, will be concluded with the recipients of your data in compliance with the GDPR.

We may transfer personal data to other companies within our group of companies or otherwise grant them access to this data. Insofar as this disclosure is for administrative purposes, the disclosure of the data is based on our legitimate business and economic interests or otherwise, if it is necessary to fulfill our contractual obligations or if the consent of you or other data subjects or otherwise a legal permission is present.

6. Data Processing in Third Countries

We process the data of the users of our online services in the EU according to the GDPR. If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or the processing takes place in the context of the use of third party services or disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements.

Subject to express consent or transfer required by contract or law, we process or have the data processed only in third countries with a recognised level of data protection, on the basis of special guarantees, such as a contractual obligation through so-called standard protection clauses of the EU Commission or if certifications or binding internal data protection regulations justify the processing (Article 44 to 49 GDPR, information page of the EU Commission:

7. Cookies

What are “Cookies”?
“Cookies” are small files stored on the computers of users. Various information may be stored within the cookies. A cookie serves primarily the purpose of storing the information concerning a user (respectively concerning the device on which the cookie is stored) during or even after his or her use of an online service. We describe cookies offered by us as “first party cookies”. If cookies are not offered by us, but by other parties as “third party cookies”.

Temporary cookies respectively “session cookies” or “transient cookies” are cookies, which are deleted after a user leaves an online service and closes his browser. In such a cookie, the content of a basket, for example, in an online shop or a log-in status may be stored. “Permanent” or “persistent” cookies are those which remain stored even after the browser is closed. Likewise, the interests of users may be stored in such a cookie, which are used to measure coverage, or for marketing purposes.

How do you avoid Cookies?
A general objection against the use of cookies used for online marketing may be declared by yourself in your cookie settings and in case of many services also through the US site or the EU site Further, the storage of cookies may be realized by way of their being turned off on the browser settings. Please note that in such case you perhaps may not be able to use all functions of this Online Service.

If you do not wish that cookies are stored on your computer, you are requested to deactivate the corresponding option in the system settings of your internet browser. Stored cookies may be deleted in the system settings of the browser. The exclusion of cookies may lead to limitations of the functions of our online service.

Our cookies
We use cookie management by Borlabs and Fonts, for technical functionality reasons as well as Cookies by Google Tag Manager, Google Analytics and Google Maps.

Legal bases
If we process your personal data with the help of cookies based on your declared consent, this consent is the legal basis for the processing of your data. Your consent can be revoked at any time. The revocation might have an effect on the usability of our online services.

In addition, legal basis for the processing with the help of cookies can also be our legitimate interests (e.g. technical necessity, in a business operation of our online service and its improvement) or, if the use of cookies is necessary, to fulfill our contractual obligations or statutory obligations and legal permissions.

Withdrawal of Cookie Consent/Objection/Revocation (Opt-Out)
Respective of whether processing is based on consent or legal permission, you have the option at any time to object to the processing of your data using cookie technologies or to revoke consent (collectively referred to as “opt-out”). You can initially explain your objection using the settings of your browser, e.g. by deactivating the use of cookies (which may also restrict the functionality of our online services).

Retention period
Unless we provide you with explicit information on the retention period of permanent cookies (e.g. within the scope of a so-called cookie opt-in consent form), please assume that the retention period can differ depending on the legal basis and the purpose of using the cookie.

Cookies of third parties
In case you use services of third parties such as Google Maps, which are made available on our website for you, cookies of such third parties may be used. We are not responsible for the content of third parties or cookies used beyond our control by such third parties, but will inform you specifically below in our data protection information in relation to these services of third parties.

8. Webhosting and data processing to protect our systems

In order to provide our online services securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers they manage) the online services can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services, as well as security and technical maintenance services.

The data processed within the framework of the provision of the hosting services may include all information relating to the users of our online services that is collected in the course of use and communication. This regularly includes the user’s IP address, which is necessary to be able to deliver the contents of online services to browsers.

Collection of Access Data and Log Files: We (or our web hosting provider) collect data on the basis of each user’s access to the server (so-called server log files). Server log files may include the address and name of the web pages and files accessed, the date and time of access, data volumes transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a general rule, IP addresses and the requesting provider.

The server log files are used for security purposes, e.g. to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks) and to ensure the stability and optimal load balancing of the servers. Legal basis are our legitimate interests (Article 6 (1) (f) GDPR) in an efficient and safe provision and in connection with Article 28 GDPR (conclusion of a data processing agreement).

Logfile information will be stored for security reasons (e.g. for solving abuse or fraud activities) for the duration of 2 months. Data needed to be kept for security reasons and/or in the context of legal obligations and/or our legitimate interests and/or evidence purposes will not be deleted until final clarification of the incident concerned.

9. Plugins and embedded functions and content

We integrate functional and content elements provided by third parties (hereinafter referred to as „third-party providers“) into our website that are obtained from the respective third-party provider’s server. These can be e.g. graphics, videos or (city) maps (hereinafter uniformly referred to as „content“). The integration always requires that the third-party provider of the content processes the IP address of the user, since the third-party provider cannot send the content to the user’s browser without processing the IP address. The IP address is therefore required for the presentation of the content or functions. If you consent to the use of external media cookies via the Cookie-Consent-Tool on our website, third-party providers may also use so-called “pixel tags” (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” are used to evaluate information such as visitor traffic on the pages of this website. Pseudonymous information may also be stored in cookies on the user’s device and may include technical information about the browser and operating system, referring websites, visit times and other information about the use of our website, and can be linked to such information from other sources. In this context, Usage data (e.g. websites visited, interest in content, access times), Meta/communication data (e.g. device information, IP addresses), Location data (Information on the geographical position of a device or person) of website visitors and users of our online services may be processed.
If the user has given consent to the use of third-party cookies, the legal basis for the processing of data is the consent of the respective user (Article 6 (1) (a) GDPR). This consent can be revoked at any time. In addition, user data is processed on the basis of our legitimate interests (Article 6 (1) (f) GDPR, i.e. provision and usability of our website and online offer; interest in the analysis, optimisation and economic operation of our online services). In this context, we would also like to refer you to the information on the use of cookies in point 7. of this privacy policy.
On our website we embed functions and content of the following third-party providers:

10. Web Analysis, Monitoring, Optimization, Online Marketing

  • What is Web Analysis? Web analysis is used to evaluate the visitor traffic on our website and may include the behaviour, interests or demographic information of users, such as age or gender, as pseudonymous values. With the help of web analysis we can e.g. recognize, at which time our online services or their functions or contents are most frequently used or requested for repeatedly, as well as which areas require optimization. In addition to web analysis, we can also use test procedures, e.g. to test and optimize different versions of our online services or their components.
  • What is Online Marketing? We process personal data for the purposes of online marketing, which may include in particular the marketing of advertising space or the display of advertising and other content (collectively referred to as “Content”) based on the potential interests of our users and the measurement of their effectiveness. We use Cookies as described in this data protection statement. The information in the profiles is usually stored in the cookies or similar memorizing procedures. These cookies can later, generally also on other websites that use the same online marketing technology, be read and analyzed for purposes of content display, as well as supplemented with other data and stored on the server of the online marketing technology provider.

We use the services of Bugsnag as well as Google Analytics and the Google Tag Manager.

  • Bugsnag ffor the purposes of stability and error monitoring of our systems and for applications using anonymous data; Service provider: Bugsnag, Inc., 110 Sutter St, Suite 1000, San Francisco, California 94104, USA; Website:; Privacy Policy:
  • Google Analytics for the purpose of web analytics; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website:; Privacy Policy: Opt-Out: Opt-Out-Plugin:, Settings for the Display of Advertisements:
  • Google Tag Manager for the purpose of managing so-called website tags via an interface and thus integrate other services into our online services. With the Tag Manager itself (which implements the tags), for example, no user profiles are created or cookies are stored. Google only receives the IP address of the user, which is necessary to run the Google Tag Manager. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website:; Privacy Policy:
  • These services use cookies or similar procedures to store relevant user (e.g. website visitors, users of online services) information which may include usage data (e.g. websites visited, interest in content, access times, browser used, computer system used and information on times of use) and Meta/communication data (e.g. device information, IP addresses) as well as location data.
  • Concerning IP addresses of the users IP masking procedures (i.e. pseudonymisation by shortening the IP address) are used to protect the user. In general, within the framework of web analysis, A/B testing and optimisation, no user data (such as e-mail addresses or names) is stored, but pseudonyms. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective processes.
  • Clear Data: Exceptionally, clear data can be assigned to the profiles. This is the case, for example, if the users are members of a social network whose online marketing technology we use and the network links the profiles of the users in the aforementioned data. Please note that users may enter into additional agreements with the social network providers or other service providers, e.g. by consenting as part of a registration process. As a matter of principle, we only gain access to summarised information about the performance of our advertisements. However, within the framework of so-called conversion measurement, we can check which of our online marketing processes have led to a so-called conversion, i.e. to the conclusion of a contract with us. The conversion measurement is used alone for the performance analysis of our marketing activities.
  • Information on legal basis: Legal basis for such processing is your consent (Article 6 (1) (a) GDPR), legitimate interests (Article 6 (1) (f) GDPR), performance of a contract and prior requests (Article 6 (1) (b) GDPR). If we ask the users for their consent to the use of third party providers, the legal basis of the processing is consent. Furthermore, the processing can be a component of our (pre)contractual services, provided that the use of the third party was agreed within this context. Otherwise, user data will be processed on the basis of our legitimate interests (i.e. interest in efficient, economic and recipient friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.
  • Purposes of Processing: Web Analytics (e.g. access statistics, recognition of returning visitors), Targeting (e.g. profiling based on interests and behaviour, use of cookies), Remarketing, Conversion tracking (Measurement of the effectiveness of marketing activities), Profiling (Creating user profiles), Security measures, Server monitoring and error detection Web Analytics (e.g. access statistics, recognition of returning visitors).
  • Opt-Out: We refer to the privacy policies of the respective service providers and the possibilities for objection (so-called “opt-out”). If no explicit opt-out option has been specified, it is possible to deactivate cookies in the settings of your browser. However, this may restrict the functions of our online offer. We therefore recommend the following additional opt-out options, which are offered collectively for each area: a) Europe: b) Canada: c) USA: d) Cross-regional:

11. Erasure of data

The data processed by us will be erased in accordance with the statutory provisions as soon as their processing is revoked or other permissions no longer apply (e.g. if the purpose of processing this data no longer applies or they are not required for the purpose).

If the data is not deleted because they are required for other and legally permissible purposes, their processing is limited to these purposes. This means that the data will be restricted and not processed for other purposes. This applies, for example, to data that must be stored for commercial or tax reasons or for which storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person.

12. Rights of Data Subjects

As data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:

  • Right of withdrawal of consent: You have the right to revoke consent at any time.
  • Right to Object: You have the right, on grounds arising from your particular situation, to object at any time to the processing of your personal data which is based on Article 6 (1) lit e) or f) GDPR. Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such marketing, which includes profiling to the extent that it is related to such direct marketing.
  • Right of access: You have the right to request confirmation as to whether the data in question will be processed and to be informed of this data and to receive further information and a copy of the data in accordance with the provisions of the law.
  • Right to rectification: You have the right to request the completion of the data concerning you or the rectification of the incorrect data concerning you.
  • Right to Erasure and Right to Restriction of Processing: You have the right to demand that the relevant data be erased immediately or, alternatively, to demand that the processing of the data be restricted in accordance with the statutory provisions.
  • Right to data portability: You have the right to receive data concerning you which you have provided to us in a structured, common and machine-readable format in accordance with the legal requirements, or to request its transmission to another controller.
  • Complaint to the supervisory authority: You also have the right, under the conditions laid down by law, to lodge a complaint with the supervisory authority applicable for our company in Austria: This is the “Datenschutzbehörde” ( if you consider that the processing of personal data relating to you infringes the GDPR.

13. Rights according to the California Consumer Privacy Act (CCPA)

If you are a resident in California, we highlight that we do not sell personal informationand in case you are registered with the California Secretary of State, you may make a request related to your personal information as well as on behalf of your minor child. We do not take actions to respond to Do Not Track signals. The information given in this Data Protection Statement also applies to residents in California.

14. Changes and Updates to the Privacy Policy

We kindly ask you to inform yourself regularly about the contents of our data protection declaration. We will adjust the privacy policy as changes in our data processing practices make this necessary. If changes require your cooperation (e.g. consent) or other individual notification, we will inform you accordingly.

If we provide addresses and contact information of companies and organizations in this privacy policy, we ask you to note that addresses may change over time and to verify the information before contacting us.