Data Protection Statement
We care about your personal data (“data”). This data protection statement informs you about the processing of data on our website which is made available to the public at refoctil-us.com. With a view to the terminology used (such as, for example, “processing” or “controller”) we refer to the legally binding definitions in Art. 4 of the General Data Protection Regulation (GDPR) of the European Union.
GW Cosmetics GmbH
E-mail address: firstname.lastname@example.org
Phone: +43 / 2235 / 47 940-0
Legal Notice: refectocil-us.com/imprint/
Insofar as GW Cosmetics GmbH controls the data processing and determines the purposes and means of the processing of data, it acts as “controller” according to the GDPR.
2. Overview of processing operations
Categories of data
We process Meta/communication data (e.g. device information, IP addresses), usage data (e.g. websites visited, interest in content, access times) and location data (information on the geographical position of a device or person) of our website visitors.
- Providing of our website’s online service
- Communication with users and providing of customer support
- Interest-based and behavioral marketing including remarketing, web analytics, access statistics, recognition of returning visitors
- Security measures, server monitoring and error detection
3. Legal Base for the Processing
We process data on the basis of
- the consent given by each data subject to the processing of his or her personal data for one or more specific purposes (Article 6 (1) (a) GDPR),
- the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6 (1) (b) GDPR),
- the performance of our legal obligations (Article 6 (1) (c) GDPR) and/or
- if processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Article 6 (1) (f) GDPR).
In Austria, in addition to the GDPR the Federal Act on the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act – DSG) applies. It contains additional provisions on the right of access, rectification or cancellation, processing of special categories of personal data, processing for other purposes and transmission and automated decision making in individual cases.
4. Security Precautions
Technical and Organisational Measures (TOMs)
We take appropriate TOMs in accordance with the legal requirements, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.
The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to, input, transmission, securing and separation of the data. In addition, we have established procedures to ensure that data subjects’ rights are respected, that data is erased and that we are prepared to respond to data threats rapidly. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software and service providers allows, in accordance with the principle of privacy by design and privacy by default.
Masking of the IP address
If it is possible for us or the storage of the IP address is not necessary, we shorten your IP address or have it shortened. When the IP address is shortened, also known as “IP masking”, the last octet, i.e. the last two numbers of an IP address, is deleted (the IP address in this context is an identifier individually assigned to an Internet connection by the online access provider). With the shortening of the IP address, the identification of a person on the basis of their IP address is to be prevented or made considerably more difficult.
SSL encryption (https)
In order to protect your data transmitted via our online services in the best possible way, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.
5. Transmission and Disclosure
In the context of our processing of data, it may happen that the data is transferred to other places, companies or persons or that it is disclosed to them (e.g. service providers commissioned with IT tasks or providers of services and content that are embedded in our website). In such a case, the legal requirements will be respected and in particular corresponding contracts or agreements, which serve the protection of your data, will be concluded with the recipients of your data in compliance with the GDPR.
We may transfer personal data to other companies within our group of companies or otherwise grant them access to this data. Insofar as this disclosure is for administrative purposes, the disclosure of the data is based on our legitimate business and economic interests or otherwise, if it is necessary to fulfill our contractual obligations or if the consent of you or other data subjects or otherwise a legal permission is present.
6. Data Processing in Third Countries
We process the data of the users of our online services in the EU according to the GDPR. If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or the processing takes place in the context of the use of third party services or disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements.
Subject to express consent or transfer required by contract or law, we process or have the data processed only in third countries with a recognised level of data protection, on the basis of special guarantees, such as a contractual obligation through so-called standard protection clauses of the EU Commission or if certifications or binding internal data protection regulations justify the processing (Article 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).
What are “Cookies”?
“Cookies” are small files stored on the computers of users. Various information may be stored within the cookies. A cookie serves primarily the purpose of storing the information concerning a user (or concerning the device on which the cookie is stored) during or even after his or her use of an online service. We describe cookies offered by us as “first party cookies”. Cookies that are not offered by us, but by other parties, are described as “third party cookies”.
Temporary cookies, also called “session cookies” or “transient cookies”, are cookies which are deleted after a user leaves an online service and closes his browser. In such a cookie, the content of a basket, for example, in an online shop or a log-in status may be stored. “Permanent” or “persistent” cookies are those which remain stored even after the browser is closed. Likewise, the interests of users may be stored in such a cookie, which are used to measure coverage, or for marketing purposes.
How do you avoid Cookies?
If you do not wish cookies to be stored on your computer, you are requested to deactivate the corresponding option in the system settings of your internet browser. Stored cookies may be deleted in the system settings of the browser. The exclusion of cookies may lead to limitations of the functions of our online service.
We use cookie management by Borlabs and Fonts, for technical functionality reasons as well as Cookies by Google Tag Manager, Google Analytics and Google Maps.
If we process your personal data with the help of cookies based on your declared consent, this consent is the legal basis for the processing of your data. Your consent can be revoked at any time. The revocation might have an effect on the usability of our online services.
Withdrawal of Cookie Consent/Objection/Revocation (Opt-Out)
Unless we provide you with explicit information on the retention period of permanent cookies (e.g. within the scope of a so-called cookie opt-in consent form), please assume that the retention period can differ depending on the legal basis and the purpose of using the cookie.
Cookies of third parties
In case you use services of third parties such as Google Maps, which are made available on our website for you, cookies of such third parties may be used. We are not responsible for the content of third parties or cookies used beyond our control by such third parties, but will inform you specifically below in our data protection information in relation to these services of third parties.
8. Webhosting and data processing to protect our systems
In order to provide our online services securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers they manage) the online services can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services, as well as security and technical maintenance services.
The data processed within the framework of the provision of the hosting services may include all information relating to the users of our online services that is collected in the course of use and communication. This regularly includes the user’s IP address, which is necessary to be able to deliver the contents of online services to browsers.
Collection of Access Data and Log Files: We (or our web hosting provider) collect data on the basis of each user’s access to the server (so-called server log files). Server log files may include the address and name of the web pages and files accessed, the date and time of access, data volumes transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a general rule, IP addresses and the requesting provider.
The server log files are used for security purposes, e.g. to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks) and to ensure the stability and optimal load balancing of the servers. The legal basis is our legitimate interests (Article 6 (1) (f) GDPR) in an efficient and safe provision and in connection with Article 28 GDPR (conclusion of a data processing agreement).
Logfile information will be stored for security reasons (e.g. for solving abuse or fraud activities) for the duration of 2 months. Data needed to be kept for security reasons and/or in the context of legal obligations and/or our legitimate interests and/or evidence purposes will not be deleted until final clarification of the incident concerned.
9. Plugins and embedded functions and content
On our website, we integrate functional and content elements of the plugins Google Maps and Google Maps APIs and SDKs:
- The integration always presupposes that the third-party providers of this content process the IP address of the user, since they could not send the content to their browser without the IP address. The IP address is therefore required for the presentation of these contents or functions. We strive to use only those contents, whose respective offerers use the IP address only for the distribution of the contents. Third parties may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may include technical information about the browser and operating system, referring websites, visit times and other information about the use of our website, as well as may be linked to such information from other sources.
- Processed data types: Usage data (e.g. websites visited, interest in content, access times), Meta/communication data (e.g. device information, IP addresses), Location data (Information on the geographical position of a device or person).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of Processing: Provision of our online services and usability, Provision of contractual services and customer support.
- Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
10. Web Analysis, Monitoring, Optimization, Online Marketing
- What is Web Analysis? Web analysis is used to evaluate the visitor traffic on our website and may include the behaviour, interests or demographic information of users, such as age or gender, as pseudonymous values. With the help of web analysis we can e.g. recognize, at which time our online services or their functions or contents are most frequently used or requested for repeatedly, as well as which areas require optimization. In addition to web analysis, we can also use test procedures, e.g. to test and optimize different versions of our online services or their components.
We use the services of Bugsnag as well as Google Analytics and the Google Tag Manager.
- Concerning IP addresses of the users IP masking procedures (i.e. pseudonymisation by shortening the IP address) are used to protect the user. In general, within the framework of web analysis, A/B testing and optimisation, no user data (such as e-mail addresses or names) is stored, but pseudonyms. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective processes.
- Clear Data: Exceptionally, clear data can be assigned to the profiles. This is the case, for example, if the users are members of a social network whose online marketing technology we use and the network links the profiles of the users in the aforementioned data. Please note that users may enter into additional agreements with the social network providers or other service providers, e.g. by consenting as part of a registration process. As a matter of principle, we only gain access to summarised information about the performance of our advertisements. However, within the framework of so-called conversion measurement, we can check which of our online marketing processes have led to a so-called conversion, i.e. to the conclusion of a contract with us. The conversion measurement is used solely for the performance analysis of our marketing activities.
- Opt-Out: We refer to the privacy policies of the respective service providers and the possibilities for objection (so-called “opt-out”). If no explicit opt-out option has been specified, it is possible to deactivate cookies in the settings of your browser. However, this may restrict the functions of our online offer. We therefore recommend the following additional opt-out options, which are offered collectively for each area: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-regional: https://optout.aboutads.info.
11. Erasure of data
The data processed by us will be erased in accordance with the statutory provisions as soon as their processing is revoked or other permissions no longer apply (e.g. if the purpose of processing this data no longer applies or they are not required for the purpose).
If the data is not deleted because they are required for other and legally permissible purposes, their processing is limited to these purposes. This means that the data will be restricted and not processed for other purposes. This applies, for example, to data that must be stored for commercial or tax reasons or for which storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person.
12. Rights of Data Subjects
As data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:
- Right of withdrawal of consent: You have the right to revoke consent at any time.
- Right to Object: You have the right, on grounds arising from your particular situation, to object at any time to the processing of your personal data which is based on Article 6 (1) lit e) or f) GDPR. Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such marketing, which includes profiling to the extent that it is related to such direct marketing.
- Right of access: You have the right to request confirmation as to whether the data in question will be processed and to be informed of this data and to receive further information and a copy of the data in accordance with the provisions of the law.
- Right to rectification: You have the right to request the completion of the data concerning you or the rectification of the incorrect data concerning you.
- Right to Erasure and Right to Restriction of Processing: You have the right to demand that the relevant data be erased immediately or, alternatively, to demand that the processing of the data be restricted in accordance with the statutory provisions.
- Right to data portability: You have the right to receive data concerning you which you have provided to us in a structured, common and machine-readable format in accordance with the legal requirements, or to request its transmission to another controller.
- Complaint to the supervisory authority: You also have the right, under the conditions laid down by law, to lodge a complaint with the supervisory authority applicable for our company in Austria (this is the “Datenschutzbehörde”, www.dsb.gv.at) if you consider that the processing of personal data relating to you infringes the GDPR.
13. Rights according to the California Consumer Privacy Act (CCPA)
If you are a resident in California, we highlight that we do not sell personal information and in case you are registered with the California Secretary of State, you may make a request related to your personal information as well as on behalf of your minor child. We do not take actions to respond to Do Not Track signals. The information given in this Data Protection Statement also applies to residents in California.