Data Protection policy
This data protection policy applies to the processing of data by the controller:
Managing director: Jonathan Lavigne
Collected Data and Regulations
We process data pursuant to
- Art. 6 para. 1 sentence 1 lit. a GDPR in conjunction with Art. 7 GDPR
- Art. 6 para. 1 sentence 1 lit. b GDPR
- Art. 6 para. 1 sentence 1 lit. c GDPR
- Art. 6 para. 1 sentence 1 lit. f GDPR
We collect traffic data or meta/communication and usage data whenever you access our app and website. This is necessary to present the offer itself in the appropriate form and with corresponding performance.
Registration requires personal data (name, e-mail address and the recipient’s address).
For the purpose of delivery we collect shipping addresses. You are responsible for ensuring that the data of third parties may also be shared with us in this regard. The shipping addresses are collected and used solely for the fulfillment of the contract.
We use the data provided by you for the fulfillment and processing of your order with your consent; in this context, we only pass on data required for delivery or contract processing to third-party service providers.
If you contact us, we will use the data provided by you for processing your request based on our legitimate interest, Art. 6 para. 1 sentence 1 lit. f GDPR. After answering your request, we will delete the data, unless it is necessary for contract fulfilment or other reasons.
We archive anonymised data on the usage of our service (e.g. also about the provided image files), to improve our product based on our legitimate interest in doing so.
Transfer to Processors and Third Parties
If any data is disclosed to, transmitted to or otherwise accessed by other parties (data processors or third parties) during processing, this will only take place on the basis of legal permission (e.g. if a transmission of the data to third parties, such as payment, printing or shipping service providers, is required under Art. 6 para. 1 sentence 1 lit. b GDPR), if you have given your consent, if there is a legal obligation to do so, or based on our legitimate interests (e.g. when using agents, web hosts, etc.), Art. 6 para. 1 sentence 1 lit. f GDPR.
We solely authorise third parties to process data based on a Data Processing Agreement in accordance with Art. 28 GDPR.
Transmission to Third Countries
The processing of data in third countries (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or the use of third-party services or the disclosure or transmission of data to third parties is only permitted to the extent necessary to fulfil (pre-)contractual obligations, based on your consent, a legal obligation or based on our legitimate interests. Subject to legal or contractual permissions, we process or allow the data to be processed in a third country only under the special prerequisites of Art. 44 ff. GDPR.
We are using service providers in the US that have submitted to the EU-US Privacy Shield (https://www.privacyshield.gov/EU-US-Framework). The status of the relevant service provider can be verified on that website.
Payment Service Provider
Administration and Accounting
As part of our business activities, we continuously use providers to handle administrative and organisational tasks. All data collected by us, but in particular contract and payment data, may be affected. To the extent required by data protection regulations, we share such data on the basis of Data Processing Agreements. The processing is based on our legitimate interest.
We use external hosting providers for our website and app. Upon visiting our website, these providers receive traffic data or meta/communication and usage data. This primarily serves our legitimate interest in offering and improving our services within the scope of Art. 6 para. 1 sentence 1 lit. f GDPR.
We have engaged a third party to print photo albums as part of our service. The transfer of your data, image files and recipients is necessary for contract performance in this regard and the use of a third-party provider is also based on our legitimate interest. We limit access to such data to the extent necessary for contract performance and restrict the data use accordingly.
We use the website and customer relations management app of Zendesk Inc, 989 Market Street #300, San Francisco, CA 94102, USA (“Zendesk”) (https://www.zendesk.com/company/customers-partners/privacy-policy/) to process support and customer inquiries.
This entails the collection of personal data which our users provide themselves in the messages and use for their communication (e.g. e-mail address, concerns, etc.) as well as cookies and usage data.
The submitted and transmitted data will only be used to answer the individual request. Depending on your request, this may serve contract performance in accordance with Art. 6 para. 1 sentence 1 lit. c GDPR as well as our legitimate interest within the meaning of Art. 6 para. 1 sentence 1 lit. f GDPR in effective and efficient processing and answering of your request.
We use the service provider The Rocket Science Group, LLC d/b/a MailChimp, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA (“MailChimp”) (https://mailchimp.com/legal/privacy/) for our newsletters. Subscription requires your express consent. We will only transmit your name and e-mail address to MailChimp to provide you with a regular, user-friendly newsletter for information purposes and with respect to current events. You can unsubscribe from the newsletter at any time by using the link provided for this purpose in the newsletter.
MailChimp uses the data (e.g. time at which messages were viewed, clicks on links) in a pseudonymized form for the sole purpose of sending and statistically evaluating the newsletter on our behalf, to improve and adapt our product and to optimize the service itself.
Cookies and Google Firebase
We use Google Firebase from Google LLC (USA) (“Google”) to analyse and categorise user groups. Information on the usage of Google’s data within Firebase as well as the possibilities for preferences and objections can be found in the data protection policy (https://firebase.google.com/terms/data-processing-terms/) and from Google (https://policies.google.com/privacy).
You may also use the website without cookies. Stored cookies can be deleted in the system settings of your browser. The settings for deactivation can be found in the system settings of your browser or device. Deactivating the cookies may limit the use of the website.
Rights of the data subject
You have the right
- pursuant to Art. 15 GDPR to obtain from the controller confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and the information;
- pursuant to Art. 16 GDPR to obtain rectification of inaccurate personal data concerning yourself;
- pursuant to Art. 17 GDPR to erasure (‘right to be forgotten’);
- pursuant to Art. 18 GDPR to restriction of processing;
- pursuant to Art. 20 GDPR to data portability (receiving and transmitting);
- pursuant to Art. 21 GDPR to object to processing personal data on the grounds of your particular situation;
- pursuant to Art. 77 GDPR to lodge a complaint with a supervisory authority.
Right to withdrawal and objection
You have the right to withdraw your consent pursuant to Art. 7 para. 3 GDPR at any time with effect for the future.
You have the right to object at any time to the future processing of the data relating to you and your situation pursuant to Art. 21 GDPR. You may object in particular to the processing for the purpose of direct marketing.
Deletion of data
All data will be deleted within a reasonable timeframe when the intended purposes have been achieved. This is subject to regular review.
Direct deletion is regularly precluded by legal retention obligations, in particular sections 147 para. 1 German Fiscal Code, 257 para. 1 items 1 and 4, para. 4 German Commercial Code (10 years) and section 257 para. 1 items 2 and 3, para. 4 German Commercial Code (6 years).
Where the data has not been deleted because it is necessary for other, legally permitted purposes, its processing will be restricted, with the result that the data will be blocked from general access and not processed for other purposes.
We transmit your sensitive data securely through encrypted connections. We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. We continuously improve our security measures in line with technological developments.
The data protection policy is up to date and effective as of March 2019.
As a result of ongoing developments of our services online or due to changes in legal or official stipulations, amendments to the data protection declaration may be necessary. The current data protection declaration can be accessed at any time on the website and in the app and can be printed out and saved to your device.