Data protection

Thank you for your interest in OH MY! FANTASY. The protection of your privacy is just as important to us as it is to you. We therefore do everything in our power to ensure that your data is as safe as possible with us and that you can keep track of the data processing that affects you. In the following we would like to inform you in detail about how we handle your data and your rights.

  1. Basic information on data processing and legal bases

  2. Safety measures

  3. Cooperation with processors and third parties

  4. Provision of contractual services

  5. contact

  6. Comments and Posts

  7. Business analysis and market research

  8. Collection of access data and log files

  9. Cookies and range measurement

  10. External payment service providers

  11. Marketing Cookies

  12. Technically necessary cookies

  13. your rights

  14. deletion of data

  15. Newsletter

  16. Changes to the Privacy Policy

Responsible

OMF Sales GmbH
Baaderstr. 78
80469 Munich​
E-mail: info@ohmyfantasy.de
Website: www.ohmyfantasy.com

Managing Director: Annika Breu

Contact for questions about data protection: info@ohmyfantasy.de

1. Basic information on data processing and legal bases

1.1. This data protection declaration clarifies the type, scope and purpose of the processing of personal data (hereinafter referred to as data) within our online offer and the associated websites, functions and content as well as external online presences, such as our social media profile (hereinafter jointly referred to as "Online offer" or "Website"). The data protection declaration applies regardless of the domains, systems, platforms and devices used (e.g. desktop or mobile) on which the online offer is running.

1.2. The terms used, such as "personal data" or their "processing" refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

1.3. The personal data of the users processed in the context of this online offer

  • Inventory data (e.g. names and addresses of customers)

  • Contact information (e.g. e-mail, telephone numbers)

  • Usage data (e.g. websites visited, interest in content)

  • Content data (e.g. text input)

  • Meta / communication data (e.g. device information, IP addresses)

1.4. The term "user" includes all categories of persons affected by data processing. They include our business partners, customers, interested parties and other visitors to our online offering. The terms used, such as "user" are to be understood as gender-neutral.

1.5. We process personal data of users only in compliance with the relevant data protection regulations. This means that user data will only be processed if there is legal permission, in particular if the data processing is necessary to provide our contractual services (e.g. processing orders) and online services, or if is required by law, the user has given their consent, as well as our legitimate interests (i.e. interest in the analysis, optimization and economic operation and security of our online offer within the meaning of Art. 6 Para. 1 lit. f. GDPR, in particular when measuring range, creating profiles for advertising and marketing purposes and collecting access data and using third-party services.

1.6. We would like to point out that the legal basis for consent is Art. 6 Para. 1 lit. a. and Art. 7 GDPR, the legal basis for processing to fulfill our services and carry out contractual measures Art. 6 para. 1 lit. b. DSGVO, the legal basis for processing to fulfill our legal obligations Art. 6 para. 1 lit. c. DSGVO, and the legal basis for processing to protect our legitimate interests Art. 6 para. 1 lit. f. GDPR is.

2. Safety measures

2.1. In accordance with Art. 32 GDPR, we take appropriate technical measures, taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing as well as the different probability of occurrence and severity of the risk for the rights and freedoms of natural persons and organizational measures to ensure a level of protection appropriate to the risk.

2.2. The security measures include, in particular, securing the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access, input, disclosure, securing availability and their separation. 

3. Cooperation with processors and third parties

3.1. Data will only be passed on to third parties within the framework of legal requirements. We only pass on user data to third parties if this is necessary, for example on the basis of Art. 6 para. 1 lit. b. DSGVO is required for contractual purposes or on the basis of legitimate interests acc. Art. 6 Abs. 1 lit. f. GDPR in the economic and effective operation of our business operations.

3.2. If we use subcontractors to provide our services, we take appropriate legal precautions and appropriate technical and organizational measures to ensure the protection of personal data in accordance with the relevant statutory provisions.

3.3. If content, tools or other means from other providers (collectively referred to as "third-party providers") are used within the scope of this data protection declaration and their registered office is in a third country, it can be assumed that data will be transferred to the countries where the third-party providers are domiciled. Third countries are countries in which the GDPR is not directly applicable law, i.e. basically countries outside the EU or of the European Economic Area. Data is transferred to third countries either if there is an appropriate level of data protection, user consent or other legal permission.

4. Provision of contractual services

4.1. In addition, we process

- Contract data (e.g. subject of the contract, term, customer category).
- Payment data (e.g. bank details, payment history)
from our customers, prospects and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising and market research.

4.2. The processed data includes inventory data, communication data, contract data, payment data and the persons affected by the processing include our customers, interested parties and other business partners. The processing takes place for the purpose of providing contractual services in the context of operating an online shop, billing, delivery and customer services. We use session cookies to store the contents of the shopping cart and permanent cookies to store the login status.

4.3. The processing takes place on the basis of Art. 6 Para. 1 lit. b (implementation of order processes) and c (legally required archiving) GDPR. The information marked as required is required for the establishment and fulfillment of the contract. We disclose the data to third parties only within the scope of delivery, payment or within the scope of legal permits and obligations to legal advisers and authorities. The data will only be processed in third countries if this is necessary to fulfill the contract (e.g. at the customer's request for delivery or payment).

5. contact

5.1. When contacting us (by e-mail, telephone or social media), the information provided by the user to process the contact request and its processing acc. Art. 6 Abs. 1 lit. b. DSGVO processed. User information can be stored in a customer relationship management system ("CRM system") or comparable inquiry organization.

5.2. We delete the requests if they are no longer necessary. We review necessity every two years; Furthermore, the statutory archiving obligations apply.

6. Comments and Contributions

6.1. If users leave comments or other contributions, their IP addresses can be processed on the basis of our legitimate interests within the meaning of Art. 6 Para. 1 lit. f. GDPR are stored for 7 days. This is for our security if someone leaves illegal content in comments and posts (insults, forbidden political propaganda, etc.). In this case, we can be prosecuted for the comment or contribution and are therefore interested in the identity of the author.

6.2. Furthermore, we reserve the right, on the basis of our legitimate interests acc. Art. 6 Abs. 1 lit. f. GDPR to process user information for the purpose of spam detection.

6.3. On the same legal basis, in the case of surveys, we reserve the right to store the IP addresses of users for the duration of the survey and to use cookies to avoid multiple votes.

6.4. The data provided in the context of the comments and posts will be stored by us permanently until the user objects.

7. Business analysis and market research

7.1. In order to be able to operate our business economically, to be able to recognize market trends, the wishes of contractual partners and users, we analyze the data available to us on business transactions, contracts, inquiries, etc. We process inventory data, communication data, contract data, payment data, usage data, metadata on the basis of Art. 6 Para. 1 lit. f. GDPR, whereby the persons concerned include contractual partners, interested parties, customers, visitors and users of our online offer.

7.2. The analyzes are carried out for the purpose of business evaluations, marketing and market research. In doing so, we can take into account the profiles of the registered users with information, e.g. on the services they have used. The analyzes serve us to increase the user-friendliness, the optimization of our offer and the economic efficiency. The analyzes serve us alone and are not disclosed externally, unless they are anonymous analyzes with summarized values.

7.3. If these analyzes or profiles are personal, they will be deleted or made anonymous upon termination by the user, otherwise after two years from the conclusion of the contract. Otherwise, the overall business analyzes and general trend determinations are created anonymously if possible.

8. Collection of access data and log files

8.1. we, resp. our hosting provider, based on our legitimate interests within the meaning of Art. 6 Para. 1 lit. f. GDPR Data about every access to the server on which this service is located (so-called server log files). The access data includes the name of the accessed website, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider .

8.2. Log file information is stored for a maximum of 7 days for security reasons (e.g. to investigate misuse or fraud) and then deleted. Data whose further storage is required for evidence purposes are excluded from deletion until the respective incident has been finally clarified.

9. Cookies and range measurement

9.1. Cookies are pieces of information that are transmitted from our web server or web servers of third parties to the web browser of the user and stored there for later retrieval. Cookies can be small files or other types of information storage.

Users are informed about the use of cookies in the context of pseudonymous range measurement in the context of this data protection declaration.

9.2. If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in their browser's system settings. Saved cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.

9.3. You can opt out of the use of cookies, which are used to measure reach and for advertising purposes, via the deactivation page of the network advertising initiative ( http://optout.networkadvertising.org/ ) and additionally the US website ( http://www.aboutads.info/choices ) or the European website ( http://www.youronlinechoices.com/uk/your-ad-choices/ ) contradict.

10. External payment service providers

10.1. We use external payment service providers, via whose platforms the users and we can carry out payment transactions (e.g. Paypal). As part of the fulfillment of contracts, we use the payment service providers on the basis of Art. 6 Para. 1 lit. b. GDPR a. In addition, we use external payment service providers on the basis of our legitimate interests in accordance with Art. Art. 6 Abs. 1 lit. f. GDPR in order to offer our users effective and secure payment options.

10.2. The data processed by the payment service provider includes inventory data such as name and address, bank data such as account numbers or credit card numbers, passwords, TANs and checksums as well as contract, total and recipient-related information. The information is required to carry out the transactions. However, the data entered will only be processed and stored by the payment service providers. This means that we do not receive any account or credit card-related information, only information with confirmation or negative information about the payment. Under certain circumstances, the payment service provider may transmit the data to credit agencies. The purpose of this transmission is to check identity and creditworthiness. For this we refer to the terms and conditions and data protection information of the payment service provider.

10.3. The terms and conditions and the data protection information of the respective payment service provider, which can be found within the respective websites or Transaction applications are available. We also refer to this for the purpose of further information and the assertion of revocation, information and other data subject rights.

11. Marketing Cookies

To make our service even more personal, we use these cookies to display personalized recommendations and advertising. These cookies are listed below. 

The cookies are set by us and our advertising partners. This enables us and our partners to show users of our service personalized advertising based on a cross-website and cross-device analysis of their usage behavior (e.g. B. clicked advertising banners, visited subpages, made search queries). The data collected with the help of cookies can be combined by us and our partners with data from other websites. Some of our partners are based in countries outside the European Economic Area (EEA). 

The legal basis for the use of these cookies is your consent in accordance with Art. 6 Para. 1 lit. a GDPR. If you do not consent to these cookies or subsequently deactivate them, you will only be shown advertising that may be less relevant to you. 

11.1. Google (Re-)Marketing-Services

Our website uses the Google Remarketing function, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for users from the European Economic Area and Switzerland and by Google LLC 1600 Amphitheater Parkway Mountain View for all other users , CA 94043, USA (collectively "Google"). This service uses cookies and similar technologies to show you customized advertising messages on websites that work with Google. Cookies and similar technologies are also used to analyze website usage, which forms the basis for creating interest-based advertisements. The data generated in this context can be transmitted by Google to a server in the USA for evaluation and stored there.

If you use a Google account, depending on the settings stored in the Google account, Google can link your web and app browser history from Google to your Google account and use information from your Google account to personalize ads. If you do not want this assignment to your Google account, you must log out of Google before calling up our contact page. 

You can also prevent the collection of the data generated by the cookies and related to your use of this website as well as the processing of this data by Google outside of Usercentrics by Ad Preferences and set the personalization switches to "off". 

Our website also uses Google AdWords conversion tracking, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for users from the European Economic Area and Switzerland and by Google LLC 1600 Amphitheater for all other users Parkway Mountain View, CA 94043, USA (collectively "Google"). The performance of provided advertisements (so-called. AdWords campaigns) measured. The analytics program allows Google to more accurately evaluate the performance of the ads provided, and both Google and we as Google customers can increase the quality and relevance of the ads you see. Google AdWords conversion tracking uses cookies and similar technologies. The data generated in this context can be transmitted by Google to a server in the USA for evaluation and stored there. The cookies normally remain active on your computer for a maximum of 30 days. If you visit our website during this period, Google and we will be informed that you have seen the advertisement provided.

11.2. Facebook, Custom Audiences and Facebook Marketing Services

Within our online offer, due to our legitimate interests in the analysis, optimization and economic operation of our online offer and for these purposes, the so-called "Facebook Pixel" of the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025 , USA, or if you are based in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland is used.

With the help of the Facebook pixel, Facebook is able to determine the visitors of our online offer as a target group for the display of advertisements (so-called "Facebook Ads"). Accordingly, we use the Facebook pixel to only display the Facebook ads we have placed to those Facebook users who have also shown an interest in our online offer or who have certain characteristics (e.g. interests in certain topics or products, which are based on the visited website). websites are determined), which we transmit to Facebook (so-called "Custom Audiences").

With the help of the Facebook pixel, we also want to ensure that our Facebook ads correspond to the potential interests of users and are not annoying. With the help of the Facebook pixel, we can also understand the effectiveness of Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called "conversion"). The Facebook pixel is integrated directly by Facebook when you visit our website and can create a so-called cookie on your device. save cookies. If you then log into Facebook or visit Facebook while logged in, the visit to our online offer will be noted in your profile. The data collected about you is anonymous to us, so we cannot draw any conclusions about the identity of the user. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible and can be used by Facebook and for its own market research and advertising purposes. If we should transmit data to Facebook for comparison purposes, this will be encrypted locally on the browser and only then sent to Facebook via a secure https connection. This is done solely for the purpose of making a comparison with the data that is similarly encrypted by Facebook.

The legal basis for the processing of your data is your consent (Art. 6 Para. 1 lit. and DSGVO). If you do not want the data mentioned to be collected and processed via Facebook Custom Audiences, you can refuse your consent or revoke it at any time with effect for the future. The personal data are kept for as long as they are necessary to fulfill the processing purpose. The data will be deleted as soon as they are no longer required to achieve the purpose.

12. Technically necessary cookies

In order to improve our website, we use various technologies to improve our website, analyze user behavior and evaluate the associated data. The data collected may include, in particular, the IP address of the end device, the date and time of access, the identification number of a cookie, the device identifier of mobile end devices and technical information about the browser and operating system. However, the data collected is only stored pseudonymously, so that no direct conclusions can be drawn about the person. 

In the following section we would like to explain these technologies and the providers used for them in more detail.

12.1. Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA ("Google"). Google Analytics uses cookies and similar technologies to analyze and improve our website based on your user behavior. The data generated in this context can be transmitted by Google to a server in the USA for evaluation and stored there. However, your IP address will be shortened before the usage statistics are evaluated, so that no conclusions can be drawn about your identity. For this purpose, Google Analytics on our website was expanded to include the code "anonymizeIP" to ensure that IP addresses are recorded anonymously.

Google will process the information obtained through the cookies in order to evaluate your use of the website, to compile reports on website activity for website operators and to provide other services related to website activity and internet usage.

You can configure your browser so that it rejects cookies, or you can prevent the collection of data generated by cookies and related to your use of this website (incl. your IP address) and the processing of this data by Google by using the Google-provided Browser-Add-On download and install. As an alternative to the browser add-on or if you access our website from a mobile device, please use this Opt-Out-Link. This will prevent future detection by Google Analytics within this website (the opt-out only works in the browser and only for this domain). If you delete your cookies in this browser, you must Link click again.

12.2. Google Tag Manager

The "Google Tag Manager" service is used on this website. The Tag Manager is a tool for managing so-called Tags used for tracking in online marketing. The Tag Manager itself does not process any personal data, since it is used purely for the administration of other services - e.g. Google Analytics, etc. – serves.
More information about the Tag Manager at: https://www.google.com/intl/de/tagmanager/use-policy.html.

13. your rights 

You have the following legal data protection rights under the respective legal requirements:

  • Right to information (Article 15 GDPR, Section 34 BDSG)

  • Right to erasure (Article 17 GDPR, Section 35 BDSG)

  • Right to rectification (Article 16 GDPR, Section 34 BDSG)

  • Right to restriction of processing (Article 18 GDPR)

  • Right to data portability (Article 20 GDPR)

  • Right to revoke consent (Article 7 Paragraph 3 GDPR)

  • Right to object to certain data processing measures (Article 21 GDPR)

14. deletion of data

The data processed by us will be deleted or their processing restricted in accordance with Art. 17 and 18 GDPR. Unless expressly stated in this data protection declaration, the data stored by us will be deleted as soon as they are no longer required for their intended purpose and the deletion does not conflict with any statutory storage requirements. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons.

According to legal requirements in Germany, storage takes place in particular for 10 years in accordance with §§ 147 Paragraph 1 AO, 257 Paragraph 1 No. 1 and 4, Paragraph 4 HGB (books, records, management reports, accounting documents, trading books, relevant for taxation documents, etc.) and 6 years according to Section 257 Paragraph 1 Nos. 2 and 3, Paragraph 4 HGB (commercial letters).

15. Newsletter

In order to provide you with regular information about our company and offers, we offer to send an e-mail newsletter. With your newsletter registration, we process the data you entered during registration (e-mail address and other voluntary information). In order to be able to prove the registration process in a legally compliant manner, your registration will be logged. The registration and confirmation time as well as the IP address are affected. 

The legal basis for sending the newsletter is your consent in accordance with Art. 6 Para. 1 a) GDPR. The data processing in connection with sending the confirmation e-mail for your registration and the associated data logging takes place in accordance with Art. 6 Para.1 f) GDPR based on our legitimate interest in proving your proper registration.

We use service providers to send the newsletter, to whom we transmit the named data. The data is transmitted to the servers of the following service providers in the USA:

Klaviyo: Klaviyo, Inc., 60 South Street, Suite 910, Boston, Massachusetts, USA

Certification under: https://www.privacyshield.gov/participant?id=a2zt00000008RNFAA2&status=Active  

Further information on data protection at: https://www.klaviyo.com/privacy  

16. Hosting

On our website we use Shopify, a shop system from Shopify Inc., 150 Elgin St., 8th Fl, Ottawa, ON K2P 1L4, Canada ("Shopify").

Shopify processes the following data of our customers as part of the provision of the shop system: name, e-mail address, delivery and billing address, payment data, company name, telephone number, IP address, information about orders, information about shops visited and supported by Shopify and information about the devices and browsers used.

The legal basis for data processing is our overriding legitimate interest in the optimal marketing of our online offer Art. 6 Para. 1 f) GDPR. 

For customers from the European Economic Area, data processing is mainly carried out by the Shopify subsidiary, Shopify International Limited, c/o Intertrust Ireland, 2nd Floor 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland. 

However, data may also be transferred to regions outside the EU/EEA. Shopify guarantees the maintenance of an adequate level of data protection for these transfers as follows:

For transfers to Canada, there is an adequacy decision by the EU Commission, available at: https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32002D0002&from=DE

For transmissions to the USA, Shopify guarantees the maintenance of an appropriate level of data protection by participating in the EU-US Privacy Shield. Shopify is certified under: https://www.privacyshield.gov/participant?id=a2zt0000000TNSNAA4&status=Active.

If data is transmitted to Shopify subsidiaries in other third countries, Shopify guarantees that an appropriate level of data protection will be maintained through internal group agreements.

17. Changes to the Privacy Policy

17.1. We reserve the right to change the data protection declaration in order to adapt it to changed legal situations or to changes in the service and data processing. However, this only applies with regard to declarations on data processing. If user consent is required or parts of the data protection declaration contain provisions of the contractual relationship with the user, the changes will only be made with the consent of the user.

17.2. You are asked to inform yourself regularly about the content of the data protection declaration.