Data protection

Thank you for your interest in OH MY! FANTASY. The protection of your privacy is just as important to us as it is to you. We therefore do everything in our power to ensure that your data is as secure as possible with us and that you keep track of the data processing affecting you. In the following we would like to inform you in detail about how we handle your data and your rights.

  1. Basic information on data processing and legal bases

  2. Safety measures

  3. Cooperation with contract processors and third parties

  4. Provision of contractual services

  5. contact

  6. Comments and contributions

  7. Business analysis and market research

  8. Collection of access data and log files

  9. Cookies and range measurement

  10. External payment service providers

  11. Marketing Cookies

  12. Technically necessary cookies

  13. Your rights

  14. Deletion of data

  15. Newsletter

  16. Changes to the privacy policy

Responsible

OMF Sales GmbH
Baaderstr. 78
80469 Munich
E-mail: info@ohmyfantasy.de
Website: www.ohmyfantasy.com

Managing director: Annika Breu

Contact for questions about data protection: info@ohmyfantasy.de

1. Basic information on data processing and legal bases

1.1. This data protection declaration clarifies the type, scope and purpose of the processing of personal data (hereinafter referred to as data) within our online offer and the associated websites, functions and content as well as external online presences, such as our social media profile (hereinafter jointly referred to as "Online Offer" or "Website"). The data protection declaration applies regardless of the domains, systems, platforms and devices used (e.g. desktop or mobile) on which the online offer is carried out.

1.2. The terms used, such as "personal data" or their "processing" refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

1.3. The personal data of the users processed in the context of this online offer include

  • Inventory data (e.g. names and addresses of customers)

  • Contact details (e.g. email, telephone numbers)

  • Usage data (e.g. websites visited, interest in content)

  • Content data (e.g. text input)

  • Meta / communication data (e.g. device information, IP addresses)

1.4. The term "user" includes all categories of persons affected by data processing. They include our business partners, customers, interested parties and other visitors to our online offer. The terms used, such as "user", are to be understood as gender-neutral.

1.5. We process personal data of users only in compliance with the relevant data protection regulations. This means that the data of the users are only processed if there is a legal permission, especially if the data processing is necessary or required by law for the provision of our contractual services (e.g. processing of orders) as well as online services, the consent of the user is available, as also due to our legitimate interests (i.e. interest in the analysis, optimization and economic operation and security of our online offer within the meaning of Art. 6 Paragraph 1 lit. of access data and the use of third-party services.

1.6. We would like to point out that the legal basis for consent is Article 6 Paragraph 1 lit. and Art. 7 GDPR, the legal basis for processing in order to fulfill our services and carry out contractual measures Art. 6 Para. 1 lit. b. GDPR, the legal basis for processing in order to fulfill our legal obligations, Art. 6 Para. 1 lit. c. GDPR, and the legal basis for processing to safeguard our legitimate interests is Art. 6 Paragraph 1 lit.

2. Security measures

2.1. In accordance with Art. 32 GDPR, taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of processing as well as the different probability of occurrence and severity of the risk for the rights and freedoms of natural persons, we make suitable technical and organizational measures to ensure a level of protection appropriate to the risk.

2.2. The security measures include, in particular, securing the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, transfer, ensuring availability and their separation.

3. Cooperation with contract processors and third parties

3.1. A transfer of data to third parties only takes place within the framework of the legal requirements. We only pass on user data to third parties if this is, for example, based on Article 6 Paragraph 1 lit. b. GDPR is required for contractual purposes or on the basis of legitimate interests in accordance with Art. 6 Para. 1 lit.f. GDPR in the economic and effective operation of our business operations.

3.2. If we use subcontractors to provide our services, we take suitable legal precautions as well as appropriate technical and organizational measures to ensure the protection of personal data in accordance with the relevant statutory provisions.

3.3. If, within the scope of this data protection declaration, content, tools or other means are used by other providers (hereinafter collectively referred to as "third-party providers") and their registered office is in a third country, it is to be assumed that data will be transferred to the third-party providers' registered offices Third countries are to be understood as countries in which the GDPR is not a directly applicable law, i.e. basically countries outside the EU or the European Economic Area. The transfer of data to third countries takes place either if there is an adequate level of data protection, the consent of the user or otherwise legal permission is given.

4. Provision of contractual services

4.1. We also process

- Contract data (e.g. subject of the contract, duration, customer category).
- Payment data (e.g. bank details, payment history)
by our customers, prospects and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising and market research.

4.2. The processed data includes inventory data, communication data, contract data, payment data and the persons affected by the processing include our customers, interested parties and other business partners. The processing takes place for the purpose of providing contractual services in the context of the operation of an online shop, billing, delivery and customer services. We use session cookies to store the contents of the shopping cart and permanent cookies to store the login status.

4.3. The processing takes place on the basis of Art. 6 Paragraph 1 lit. b (execution of order processes) and c (legally required archiving) GDPR. The information marked as necessary is required for the establishment and fulfillment of the contract. We only disclose the data to third parties in the context of delivery, payment or in the context of legal permits and obligations to legal advisors and authorities. The data will only be processed in third countries if this is necessary to fulfill the contract (e.g. at the customer's request for delivery or payment).

5. Establishing contact

5.1. When contacting us (by e-mail, telephone or social media), the information provided by the user is used to process the contact request and to process it in accordance with Art. 6 Paragraph 1 lit. b. GDPR processed.The user information can be stored in a customer relationship management system ("CRM system") or a comparable request organization.

5.2. We delete the inquiries if they are no longer required. We review the requirement every two years; The statutory archiving obligations also apply.

6. Comments and contributions

6.1. If users leave comments or other contributions, their IP addresses can be stored for 7 days on the basis of our legitimate interests within the meaning of Art. 6 Paragraph 1 lit. This is done for our safety if someone leaves illegal content in comments and contributions (insults, prohibited political propaganda, etc.). In this case we can be prosecuted for the comment or contribution and are therefore interested in the identity of the author.

6.2. Furthermore, we reserve the right to process user information for the purpose of spam detection on the basis of our legitimate interests in accordance with Article 6 (1) (f) GDPR.

6.3. On the same legal basis, we reserve the right to save the IP addresses of users for the duration of surveys and to use cookies in order to avoid multiple votes.

6.4. The data given in the context of the comments and contributions will be stored permanently by us until the user objects.

7. Business analysis and market research

7.1. In order to operate our business economically, to be able to recognize market trends, wishes of the contractual partners and users, we analyze the data available to us on business transactions, contracts, inquiries, etc. We process inventory data, communication data, contract data, payment data, usage data, metadata on the basis of Art 6 Para. 1 lit.f. GDPR, whereby the persons concerned include contractual partners, interested parties, customers, visitors and users of our online offer.

7.2. The analyzes are carried out for the purpose of business evaluations, marketing and market research. In doing so, we can take into account the profiles of the registered users with information, e.g. on the services they have used. The analyzes serve us to increase the user-friendliness, the optimization of our offer and the economic efficiency. The analyzes serve us alone and are not disclosed externally, unless they are anonymous analyzes with summarized values.

7.3. If these analyzes or profiles are personal, they will be deleted or anonymized upon termination by the user, otherwise after two years from the conclusion of the contract. In addition, the overall business analysis and general tendency determinations are created anonymously if possible.

8. Collection of access data and log files

8.1. We, or our hosting provider, collect data on every access to the server on which this service is located (so-called server log files) on the basis of our legitimate interests within the meaning of Art. 6 Paragraph 1 lit. The access data includes the name of the accessed website, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider .

8.2. For security reasons (e.g. to investigate acts of abuse or fraud), log file information is stored for a maximum of 7 days and then deleted. Data, the further storage of which is necessary for evidence purposes, are excluded from deletion until the respective incident has been finally clarified.

9. Cookies and range measurement

9.1. Cookies are information that is transferred from our web server or third party web servers to the user's web browser and stored there for later retrieval. Cookies can be small files or other types of information storage.

In the context of this data protection declaration, users are informed about the use of cookies in the context of pseudonymous range measurement.

9.2. If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Saved cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.

9.3. You can use cookies, which are used for range measurement and advertising purposes, via the deactivation page of the network advertising initiative (http://optout.networkadvertising.org/ ) and also the US website (http://www.aboutads.info/choices ) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/ ) contradict.

10. External payment service providers

10.1. We use external payment service providers, through whose platforms the user and we can carry out payment transactions (e.g. PayPal). As part of the fulfillment of contracts, we use the payment service providers on the basis of Article 6 Paragraph 1 lit. b. GDPR. In addition, we use external payment service providers on the basis of our legitimate interests in accordance with Article 6 (1) (f) GDPR in order to offer our users effective and secure payment options.

10.2. The data processed by the payment service provider includes inventory data such as name and address, bank data such as account numbers or credit card numbers, passwords, TANs and checksums as well as contract, sums and recipient-related information. The information is required to carry out the transactions. However, the data entered will only be processed and stored by the payment service providers. This means that we do not receive any account or credit card-related information, but only information with confirmation or negative information about the payment. The data may be transmitted to credit agencies by the payment service provider. The purpose of this transmission is to check your identity and creditworthiness. For this we refer to the terms and conditions and data protection information of the payment service providers.

10.3. The terms and conditions and data protection notices of the respective payment service providers, which can be accessed on the respective websites or transaction applications, apply to payment transactions. We also refer to these for the purpose of further information and the assertion of rights of revocation, information and other data subjects.

11. Marketing Cookies

In order to make our service even more personal, we use these cookies to display personalized recommendations and advertising. These cookies are listed below.

The cookies are set by us and our advertising partners. This enables us and our partners to show users of our service personalized advertising based on an analysis of their usage behavior across websites and devices (e.g. advertising banners clicked, subpages visited, search queries made). The data collected with the help of cookies can be merged by us and our partners with data from other websites. Some of our partners are based in countries outside the European Economic Area (EEA).

The legal basis for the use of these cookies is your consent in accordance with Article 6 (1) (a) GDPR. If you do not consent to these cookies or if you deactivate them afterwards, you will only be shown advertisements that may be less relevant to you.

11.1. Google (Re-)Marketing-Services

Our website uses the Google Remarketing function, a service provided for users from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other users by Google LLC 1600 Amphitheater Parkway Mountain View , CA 94043, USA (collectively "Google") is offered. This service uses cookies and similar technologies to show you individualized advertising messages on websites that work with Google. Cookies and comparable technologies are also used to analyze website usage, which forms the basis for creating interest-based advertisements. The data arising in this context can be transmitted by Google to a server in the USA for evaluation and stored there.

If you use a Google account, depending on the settings stored in the Google account, Google can link your Google web and app browser history to your Google account and use information from your Google account to personalize ads. If you do not want this assignment to your Google account, it is necessary that you log out of Google before calling up our contact page.

You can also prevent the collection of the data generated by the cookies and related to your use of this website and the processing of this data by Google outside of Usercentrics by using the Ad defaults and set the personalization switch to "Off".

Our website also uses Google AdWords conversion tracking, a service provided for users from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other users from Google LLC 1600 Amphitheater Parkway Mountain View, CA 94043, USA (collectively "Google"). This is used to measure the performance of the advertisements provided (so-called AdWords campaigns). Through the analysis program, Google can evaluate the performance of the advertisements made available more precisely and Google and we, as Google customers, can increase the quality and relevance of the advertisements that you see. Google AdWords Conversion Tracking uses cookies and similar technologies. The data arising in this context can be transmitted by Google to a server in the USA for evaluation and stored there. The cookies normally remain active on your computer for a maximum of 30 days. If you visit our website during this period, we and Google will be informed that you have seen the advert provided.

11.2. Facebook, Custom Audiences and Facebook Marketing Services

Due to our legitimate interests in the analysis, optimization and economic operation of our online offer and for these purposes, the so-called "Facebook pixel" of the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025 , USA, or if you are based in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland is used.

With the help of the Facebook pixel, Facebook is on the one hand able to determine the visitors to our online offer as a target group for the presentation of advertisements (so-called "Facebook ads"). Accordingly, we use the Facebook pixel to display the Facebook ads placed by us only to those Facebook users who have also shown an interest in our online offer or who have certain characteristics (e.g. interests in certain topics or products that are based on the visited Websites) that we transmit to Facebook (so-called "Custom Audiences").

With the help of the Facebook pixel, we would also like to ensure that our Facebook ads correspond to the potential interest of the users and are not annoying. With the help of the Facebook pixel, we can also understand the effectiveness of the Facebook ads for statistical and market research purposes by seeing whether users have been redirected to our website after clicking on a Facebook ad (so-called "conversion"). Facebook -Pixel is integrated directly by Facebook when you visit our website and can save a so-called cookie on your device. If you then log in to Facebook or visit Facebook while logged in, the visit to our online offer will be noted in your profile Data is anonymous for us, so it does not allow us to draw any conclusions about the identity of the user. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible and can be used by Facebook as well as for its own market research and advertising purposes we should transmit data to Facebook for comparison purposes These are encrypted locally in the browser and only then sent to Facebook via a secure https connection. This is done solely for the purpose of making a comparison with the data that is also encrypted by Facebook.

The legal basis for the processing of your data is your consent (Art. 6 Para. 1 lit. a GDPR).If you do not want the data mentioned to be collected and processed via Facebook Custom Audiences, you can refuse your consent or revoke it at any time with effect for the future.The personal data are kept for as long as they are necessary to fulfill the processing purpose. The data will be deleted as soon as they are no longer required for the purpose.

12. Technically necessary cookies

In order to improve our website, we use various technologies to improve our website, analyze usage behavior and evaluate the associated data. The data collected may include, in particular, the IP address of the device, the date and time of access, the ID number of a cookie, the device ID of mobile devices and technical information about the browser and the operating system. However, the data collected is only stored under a pseudonym, so that no direct conclusions can be drawn about the persons.

In the following section we would like to explain these technologies and the providers used for them in more detail.

12.1. Google Analytics

Our website uses Google Analytics, a web analysis service provided by Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA ("Google"). Google Analytics uses cookies and similar technologies to analyze and improve our website based on your user behavior. The data generated in this context can be transmitted by Google to a server in the USA for evaluation and stored there. However, your IP address will be shortened before the usage statistics are evaluated so that no conclusions can be drawn about your identity. For this purpose, Google Analytics was based on Our website has been expanded to include the code "anonymizeIP" in order to ensure that IP addresses are recorded anonymously.

Google will process the information obtained through the cookies in order to evaluate your use of the website, to compile reports on website activity for the website operator and to provide other services relating to website activity and internet usage.

You can configure your browser so that it rejects cookies, or you can prevent the collection of the data generated by cookies and related to your use of this website (including your IP address) and the processing of this data by Google by opting out of Google provided Browser-Add-On download and install. As an alternative to the browser add-on or if you access our website from a mobile device, please use this Opt-Out-Link. This will prevent Google Analytics from collecting data on this website in the future (the opt-out only works in the browser and only for this domain). If you delete your cookies in this browser, you have to do so Link click again.

12.2. Google Tag Manager

The "Google Tag Manager" service is used on this website. The Tag Manager is a tool for managing so-called tags, which are used for tracking in online marketing. The Tag Manager itself does not process any personal data, as it is used purely for the administration of other services - e.g. Google Analytics, etc.
Further information on the Tag Manager can be found at:https://www.google.com/intl/de/tagmanager/use-policy.html.

13. Your rights

Under the respective legal requirements, you have the following legal data protection rights:

  • Right to information (Article 15 GDPR, Section 34 BDSG)

  • Right to deletion (Article 17 GDPR, Section 35 BDSG)

  • Right to correction (Article 16 GDPR, Section 34 BDSG)

  • Right to restriction of processing (Article 18 GDPR)

  • Right to data portability (Article 20 GDPR)

  • Right to withdraw consent (Article 7 Paragraph 3 GDPR)

  • Right to object to certain data processing measures (Article 21 GDPR)

14. Deletion of data

The data processed by us will be deleted or restricted in their processing in accordance with Art. 17 and 18 GDPR. Unless expressly stated in this data protection declaration, the data stored by us will be deleted as soon as they are no longer required for their intended purpose and the deletion does not conflict with any statutory retention requirements. If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be kept for commercial or tax reasons.

According to legal requirements in Germany, the storage takes place in particular for 10 years according to §§ 147 Abs. 1 AO, 257 Abs. 1 Nr. 1 and 4, Abs. 4 HGB (books, records, management reports, accounting documents, trading books, more relevant for taxation Documents, etc.) and 6 years according to § 257 Paragraph 1 No. 2 and 3, Paragraph 4 HGB (commercial letters).

15. Newsletter

In order to provide you with regular information about our company and offers, we offer to send you an email newsletter. When you register for the newsletter, we process the data you entered when registering (email address and other voluntary information). In order to be able to prove that the registration process is legally compliant, your registration will be logged. The time of registration and confirmation as well as the IP address are affected.

The legal basis for sending the newsletter is your consent in accordance with Art. 6 Paragraph 1 a) GDPR. The data processing in connection with the sending of the confirmation e-mail for your registration and the associated data logging takes place in accordance with Art. 6 (1) f) GDPR due to our legitimate interest in proof of your proper registration.

We use service providers to send the newsletter to whom we transmit the named data. The data is transmitted to the servers of the following service providers in the USA:

Klaviyo: Klaviyo, Inc., 60 South Street, Suite 910, Boston, Massachusetts, USA

Certification under:https://www.privacyshield.gov/participant?id=a2zt00000008RNFAA2&status=Active  

Further information on data protection can be found at:https://www.klaviyo.com/privacy  

16. Hosting

We use Shopify, a shop system from Shopify Inc., 150 Elgin St., 8th Fl, Ottawa, ON K2P 1L4, Canada ("Shopify") on our website.

As part of the provision of the shop system, Shopify processes the following data of our customers: name, email address, delivery and billing address, payment data, company name, telephone number, IP address, information about orders, information about shops visited and supported by Shopify about the devices and browsers used.

The legal basis for data processing is our overriding legitimate interest in the optimal marketing of our online offer Art. 6 Abs. 1 f) DSGVO. 

For customers from the European Economic Area, data processing takes place primarily through the Shopify subsidiary, Shopify International Limited, c / o Intertrust Ireland, 2nd Floor 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland.

However, data may also be transferred to regions outside the EU / EEA. Shopify guarantees the maintenance of an adequate level of data protection for these transmissions as follows:

There is an adequacy decision by the EU Commission for transfers to Canada, available at:https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32002D0002&from=DE

For transmissions to the USA, Shopify guarantees the maintenance of an adequate level of data protection by participating in the EU-US Privacy Shield.Shopify is certified under:https://www.privacyshield.gov/participant?id=a2zt0000000TNSNAA4&status=Active.

Insofar as a transfer to subsidiaries of Shopify in other third countries takes place, Shopify guarantees the maintenance of an appropriate level of data protection through group-internal agreements.

17. Changes to the data protection declaration

17.1. We reserve the right to change the data protection declaration in order to adapt it to changed legal situations or to changes in the service and data processing. However, this only applies to declarations on data processing. If the consent of the user is required or components of the data protection declaration contain provisions of the contractual relationship with the users, the changes will only be made with the consent of the user.

17.2. You are asked to inform yourself regularly about the content of the data protection declaration.