Goldwin Europe GmbH is committed to your privacy. This privacy notice (“Privacy Notice”) explains our collection, use, disclosure, retention, and protection of your personal data and which rights and options are available to you in this regard. This Privacy Notice describes how we process data when you use our website and our services including our online shop (the “Shop”).

1. What is personal data

Personal data is all information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2. Who we are: Name and address of the controller

The controller pursuant to Article 4 no. 7 of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations for the processing of your personal data is

Goldwin Europe GmbH,
Schäfflerhof, Schäfflerstraße 4, 80333 München, Germany,
phone: +49 (0)89 46259810
email: info@goldwineurope.com

References to “Goldwin”, “we” or “us” are references to Goldwin Europe GmbH.

3. Personal data we collect and how we use it

In this section of the Privacy Notice we will explain to you what personal data we collect, the purposes of the processing for which the personal data are intended as well as the legal basis for the processing.

a. When you visit our website

When you access our website, without providing personal data through registration or ordering products in any way, the following data will be collected and stored for the stated duration:

| Collected data | Duration of storage |
| --- | --- |
| Internet protocol (IP) address | 14 months |
| Device | 14 months |
| Browser type and version | 14 months |
| Time zone setting | 14 months |
| Browser plug-in types and versions | 14 months |
| Browser language settings | 14 months |
| Operating system | 14 months |
| Platform | 14 months |
| The website address (URL) clickstream to, through and from our website including date and time | 14 months |

This data is collected in log files. We use log files to make the website and its functions available to you. We use the collected data to optimize our website and to ensure the security of our IT systems. We use log files as part of our legitimate interest in making our website available and continuously developing it further. The legal basis is Article 6 sec. 1 lit. f GDPR.

b. “Contact us” button

A “Contact us” button on our website can be used for electronic contact. If the button is clicked, the user will be redirected via their browser to contact us by email. The following data is transmitted to us and stored as in our standard email communication processes:

  • Name
  • Email address
  • Any other data that might be transmitted by the user through mailing (phone number or address in the signature, personal data entered in the email message, etc.)

In the same sense, any inquiry sent by email leads to the processing of personal data as mentioned above.

The data will be deleted by us as soon as they are no longer necessary for the purpose of their collection. This is the case for the personal data from email communication when the respective conversation with the user has ended. The conversation ends when it can be concluded from the circumstances that the matter in question has been finally clarified.

The data entered into the input mask is used exclusively for the respective conversation, i.e. the processing of the personal data from the input mask serves us solely to conduct the conversation. The legal basis for the use of your personal data regarding the contact form is Article 6 para. 1 lit. f GDPR.

c. Order

When you select and order goods through our Shop, the following data will be processed and stored:

  • Name
  • Email address
  • Address
  • Credit card details
  • Products you viewed or searched for

The data will be deleted by us as soon as they are no longer necessary for the purpose of their collection – this usually happens within 180 days from the purchasing date. This is the case for the personal data collected when selecting and ordering goods through our Shop when you place your order.

The processing of the respective data is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. The legal basis for the use of your personal data regarding the Shop is Article 6 sec. 1 lit. b GDPR.

d. Customer account

In order to use further functions of our website, a registration and the creation of a so-called “customer account” is required. If a user uses the registration form provided on our website, the following data will be processed:

  • Name
  • Email address
  • Address
  • And the credit card details and products viewed or searched for if the user selects or orders goods as mentioned above

A user account will be created with the aforementioned data.

By registering on our website, the IP address – assigned by the Internet service provider (ISP) and used by the data subject – date, and time of the registration are also stored. The storage of this data takes place against the background that this is the only way to prevent the misuse of our services, and, if necessary, to make it possible to investigate committed offenses. To this extent, the storage of this data is necessary to secure the controller. This data is not passed on to third parties unless there is a statutory obligation to pass on the data, or if the transfer serves the aim of criminal prosecution.

The registration of the data subject, with the voluntary indication of personal data, is intended to enable the controller to offer the data subject contents or services that may only be offered to registered users due to the nature of the matter in question.

The data entered during registration is processed on the basis of your consent (Art. 6 para. 1 lit. a GDPR). A revocation of your already given consent is possible at any time. An informal notification by email is sufficient for the revocation. The legality of the data processing already carried out remains unaffected by the revocation.

We store the data collected during registration for the period you are registered as customer account holder on our website. Your data will be deleted without delay after informing us about your intention to cancel your customer account by email. Legal retention periods remain unaffected.

e. Newsletter

On our website, users are given the opportunity to subscribe to our newsletter. The data entered in the input mask (name and email address) is used for this purpose and will be processed exclusively on the basis of your consent (Art. 6 para. 1 lit. a GDPR).

We inform our customers and business partners regularly by means of a newsletter about company offers. Our newsletter may only be received by the data subject if (1) the data subject has a valid email address and (2) the data subject registers for the newsletter shipping. A confirmation email will be sent to the email address registered by a data subject for the first time for newsletter shipping, for legal reasons, in the double opt-in procedure. This confirmation email is used to prove whether the owner of the email address as the data subject is authorized to receive the newsletter.

During the registration for the newsletter, we also store the IP address of the computer system assigned by the Internet service provider (ISP) and used by the data subject at the time of the registration, as well as the date and time of the registration. The collection of this data is necessary in order to understand the (possible) misuse of the email address of a data subject at a later date, and it therefore serves the aim of the legal protection of the controller.

The personal data collected as part of a registration for the newsletter will only be used to send our newsletter. In addition, subscribers to the newsletter may be informed by email, as long as this is necessary for the operation of the newsletter service or a registration in question, as this could be the case in the event of modifications to the newsletter offer, or in the event of a change in technical circumstances. There will be no transfer of personal data collected by the newsletter service to third parties. The subscription to our newsletter may be terminated by the data subject at any time. The consent to the storage of personal data, which the data subject has given for shipping the newsletter, may be revoked at any time. For the purpose of revocation of consent, a corresponding link is found in each newsletter. It is also possible to unsubscribe from the newsletter at any time directly on the website of the controller, or to communicate this to the controller in a different way. Data entered to set up the subscription will be deleted when you unsubscribe. If such data has been transmitted to us for other purposes and elsewhere, they will remain with us.

4. Data deletion and storage duration

Personal data will be deleted or blocked as soon as the purpose for which it was stored no longer applies. For the exact dates regarding the individual categories of processed data, please refer to section 3 of this privacy notice. Storage may also be necessary if this has been provided for by the European or national legislator in EU regulations, laws or other regulations to which the controller is subject. Blocking or deletion of the data also occurs when a storage period prescribed by the aforementioned standards expires, unless further storage is necessary and there is a legal basis for this.

5. Third parties

a. Google Analytics

We have integrated the Google Analytics component with anonymisation function on our website. Google Analytics is a web analysis service. Web analysis is the collection and evaluation of data on the behaviour of visitors to websites. Among other things, a web analysis service collects data about the website from which a person concerned came to a website (so-called referrer), which subpages of the website were accessed or how often and for how long a subpage was visited. A web analysis is mainly used to optimize an internet page and for cost-benefit analysis of internet advertising. We concluded a joint controller agreement with Google as basis for this processing. Legal basis for processing personal data is the data subject’s consent, Article 6 sec. 1 lit. a GDPR.

The operating company of the Google Analytics component is Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Ireland.

We use the suffix "_gat._anonymizeIp" for web analysis via Google Analytics. By means of this addition, the IP address of the Internet connection of the person concerned is shortened by Google and made anonymous if the access to our Internet pages is from a member state of the European Union or from another state that is a party to the Agreement on the European Economic Area. However, this shortening-process does not mean that the complete data processing is made anonymous. When using Google Analytics, in addition to the IP address, further usage data is collected which is to be evaluated as personal data, such as identification features of individual users. This allows for example a linking to an existing Google account.

The personal data collected in this context is processed by Google for its own purpose (e.g. profiling).

The purpose of the Google Analytics component is to analyse the flow of visitors to our website. Among other things, Google uses the data and information obtained to evaluate the use of our website in order to compile online reports for us which show the activities on our website and to provide further services in connection with the use of our website.

Google Analytics places a cookie on the information technology system of the person concerned. For further information on cookies please refer to section 6 of this data protection notice. By setting this cookie, Google is enabled to analyse the use of our website. Each time one of the individual pages of this website, which is operated by the person responsible for processing and on which a Google Analytics component has been integrated, is called up, the internet browser on the information technology system of the person concerned is automatically prompted by the respective Google Analytics component to transmit data to Google for the purpose of online analysis. In the course of this technical process, Google receives knowledge of personal data, such as the IP address of the person concerned, which Google uses, among other things, to trace the origin of visitors and clicks and subsequently to enable commission settlements.

By means of the cookie, personal information such as the access time, the location from which access was made and the frequency of visits to our website by the person concerned is stored. Whenever our website is visited, this personal data, including the IP address of the Internet connection used by the person concerned, is transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may pass on this personal data collected via the technical process to third parties.

The person concerned has the opportunity to object to the collection of data generated by Google Analytics and relating to the use of this website, as well as to the processing of this data by Google, and to prevent such processing. For this purpose, please click on the following link to open the consent manager Cookie Preferences.

b. Marketing

aa. Klaviyo

For marketing purposes, we use the services provided by Klaviyo, Inc. Klaviyo is an email marketing platform providing marketing solutions for online businesses.

In our use of the services provided by Klaviyo, personal data is transferred to Klaviyo. We entered into a data processing agreement with Klaviyo to determine who fulfils which obligations regarding data protection. This agreement can be found here: https://www.klaviyo.com/privacy/dpa . Klaviyo agreed that it will not use the collected personal data for its own purposes and will use it only as directed or authorized by Goldwin Europe GmbH.

In this context, the following personal data is transferred to and processed by Klaviyo:

  • Contact details and demographic data, shopping histories and details about consumers’ interactions with marketing communications;
  • Details about the devices that are used to access our website (such as the IP address, and type of operating system and web browser);
  • Dates and times of visits to and use of our website;
  • Information about how our website is used (such as the content that is viewed on our clients’ websites and how users navigate between webpages, and the date and time of access);
  • Details about how individuals interact with our emails (such as whether the email is opened, and which links are clicked in the email);
  • URLs that refer visitors to our website; and
  • Search terms used to reach our website.

To provide its service, Klaviyo might share such personal data with its Affiliates. If this is the case, Klaviyo enters into an Agreement with them with no less protective provisions than those provided for in the data protection agreement Klaviyo entered into with us. You can find a list of Klaviyo’s Affiliates here: https://www.klaviyo.com/legal/subprocessors.

Klaviyo will retain personal information until we instruct Klaviyo to delete it, which happens no later than 180 days after the date we requested Klaviyo to use the data.

Information about data protection from Klaviyo in general can be found here:

https://www.klaviyo.com/privacy/policy

You can reach Klaviyo under:

Klaviyo Inc.
125 Summer Street, Boston
MA, 02111, United States

Online you can reach Klaviyo by sending an email to privacy@klaviyo.com

Our contact details can be found in this data protection notice under section 2.b.

Klaviyo Inc. is a US-based company. The transfer, processing and/or storage of personal data by Klaviyo relies on the European Commission’s Standard Contractual Clauses. You can find these clauses in the Data Protection Addendum we have entered into with Klaviyo here: https://www.klaviyo.com/privacy/dpa.

bb. Google Ads

For marketing purposes, we use the services provided by Google Ads. Google Ads is an online advertising solution provided by Google LLC, USA. Google Ads helps us improve our advertising strategies.

Information about Google’s data processing can be found here:
https://policies.google.com/privacy?hl=en.

You can reach Google under:

Google Ireland Limited
Gordon House, Barrow St
Dublin 4, Ireland

You can reach Google online here:
https://support.google.com/policies/answer/9581826?p=privpol_privts&hl=en&visit_id=637357814601092865-2339382308&rd=1.

In our use of the services provided by Google Ads, the provisions contained in this privacy notice remain valid for our controllership over the data we process and collect as mentioned in the present privacy notice. Our contact details can be found in this data protection declaration under section 2.b.

Google is a US-based company. The transfer and processing of personal data in our use of the Google service “Google Ads” relies on the European Commission’s Standard Contractual Clauses we have entered into. You can find these clauses here:
https://privacy.google.com/businesses/gdprcontrollerterms/.

cc. Outbrain

For marketing purposes, we use the services offered by Outbrain UK Ltd. Outbrain enables us to place content on third party websites that may also be of interest to you within our website and to refer you to this. These recommendations are determined based on previous content read by the user. The technology is based on a pixel and cookies, with the help of which the corresponding user behaviour can be evaluated. These advertisements tailored to you will only appear on Outbrain Engage advertising spaces or the Outbrain Extended Network.

In this context, Outbrain can collect and process the following personal data:

  • Information about a User’s device and operating system
  • IP address
  • Advertising identifiers on mobile devices
  • Location
  • Device time zone
  • Content visited and HTML events

A visitor pixel and cookies are used by Outbrain on our website to measure conversions. In this way, the behaviour of users can be tracked after they have been redirected to the provider's website by clicking on an Outbrain advertisement. This procedure is used to evaluate the effectiveness of the Outbrain ads for statistical and market research purposes and can help to optimise future advertising measures. The data collected is anonymous for us, so it does not allow us to draw any conclusions about the identity of the user. Information about the use of cookies by Outbrain can be found here: https://www.outbrain.com/legal/privacy#cookies.

You can reach Outbrain under:
Outbrain UK Ltd.
5th Floor, The Place, 175 High Holborn
LONDON WC1V 7AA, United Kingdom

Online you can reach Outbrain by sending an email to privacy@outbrain.com.
Our contact details can be found in this data protection notice under section 2.b.

Insofar as data is transferred to Outbrain servers in the USA or other international Outbrain companies, Outbrain uses standard contractual clauses that have been recognised by the EU Commission. Further information on data processing by Outbrain can be found here: https://www.outbrain.com/legal/privacy#privacy-policy.

c. Shopify

We also use Shopify as an e-commerce platform, which enables you to order goods in our online shop.

Shopify is the processor of the personal data collected in the context of our use of its service. Shopify and any person subordinate to Shopify who has access to the personal data may process such data only on instructions from Goldwin. For this purpose, Goldwin entered into a data processing agreement with Shopify pursuant to Art. 28 GDPR.

In this context, Shopify can collect and process the following personal data:

  • Information you provide about yourself, for example:
    • name
    • billing and shipping address
    • phone number
    • payment information
  • Information about how you access our website, your account and Shopify platform,
  • Information about the device and browser type, the network connection and IP address.

To provide its service, Shopify might share such personal data with its service providers. You can find a list of Shopify’s service providers here:
https://help.shopify.com/en/manual/your-account/privacy/GDPR/subprocessors.

Shopify will retain personal information until we instruct Shopify to delete it.

Further information about Shopify’s data processing can be found here:
https://www.shopify.com/legal/privacy.

You can reach Shopify under:

Shopify International Ltd.

Data Protection Officer
c/o Intertrust Ireland
2nd Floor 1-2 Victoria Buildings
Haddington Road
Dublin 4, D04 XN32
Ireland

Online you can reach Shopify by sending an email to privacy@shopify.com

Our contact details can be found in this data protection notice under section 2.b.

Shopify International Ltd. might transfer personal data to its headquarters located in:

Shopify Inc.

150 Elgin St.
8th Fl.
Ottawa, ON K2P 1L4
Canada

The transfer to and processing and/or storage of personal data by Shopify Inc. relies on the European Commission’s decision that Canada offers adequate data protection standards for transfers from the European Economic Area. However, Shopify might transfer personal data to its subcontractors located in the US. In this case, Shopify transfers this data pursuant to the requirements of the Canadian Personal Information Protection and Electronic Documents Act (which the European Commission has determined as adequate), and subject to specific contractual agreements.

For more information, please read Shopify's Privacy Statement
(https://www.shopify.de/legal/datenschutz) and Terms of Service
(https://www.shopify.de/legal/agb).

d. Stocky by Shopify

We use Stocky by Shopify for stock control and order management.

Stocky by Shopify is a Service provided by

Shopify International Ltd
2nd Floor 1-2 Victoria Buildings
Haddington Road
Dublin 4, D04 XN32
Ireland

In this context, Shopify International Ltd. can collect and process the following personal data:

  • Information you provide about business partners and their employees, for example:

    • Order number
    • Name
    • Billing and shipping address
    • Phone number

Shopify is the processor of the personal data collected in the context of our use of its service. Shopify and any person subordinate to Shopify who has access to the personal data may process such data only on instructions from Goldwin. For this purpose, Goldwin entered into a data processing agreement with Shopify pursuant to Art. 28 GDPR.

To provide its service, Shopify might share such personal data with its service providers. You can find a list of Shopify’s service providers here: https://help.shopify.com/en/manual/your-account/privacy/GDPR/subprocessors.

Shopify will retain personal information until we instruct Shopify to delete it.

Further information about Shopify’s data processing can be found here: https://www.shopify.com/legal/privacy.

You can reach Shopify under:

Shopify International Ltd.

Data Protection Officer
c/o Intertrust Ireland
2nd Floor 1-2 Victoria Buildings
Haddington Road
Dublin 4, D04 XN32
Ireland

Online you can reach Shopify by sending an email to privacy@shopify.com

Our contact details can be found in this data protection notice under section 2.b.

Shopify International Ltd. might transfer personal data to its headquarters located in:

Shopify Inc.
150 Elgin St.
8th Fl.
Ottawa, ON K2P 1L4
Canada

The transfer to and processing and/or storage of personal data by Shopify Inc. relies on the European Commission’s decision that Canada offers adequate data protection standards for transfers from the European Economic Area. However, Shopify might transfer personal data to its subcontractors located in the US. In this case, Shopify transfers this data pursuant to the requirements of the Canadian Personal Information Protection and Electronic Documents Act (which the European Commission has determined as adequate), and subject to specific contractual agreements.

For more information, please read Shopify's Privacy Statement (https://www.shopify.de/legal/datenschutz) and Terms of Service (https://www.shopify.de/legal/agb).

e. Sizolution

We also use Sizolution as a service that allows you to get recommendations on your clothing size.

Sizolution is a Service provided by

Sizolution GmbH
Kanalstraße 4 - 6
13599 Berlin

In addition to the postal address, you can reach Sizolution at privacy@sizolution.com.

In this context, Sizolution GmbH may collect and process the following personal data:

  • IP-address
  • Browser and device characteristics
  • Operating system
  • Language preferences
  • Links to URLs
  • Device Name
  • Country
  • Location
  • Information about how and when you use the website and widget

You can use the Sizolution widget on our website without additional registration to get recommendations for determining your clothing size. To receive size recommendations for a specific product, you can provide the following information via the widget:

  • Name (optional) - used to allow the user to create multiple accounts on one device (for example, for other family members)
  • Gender
  • Height
  • Weight
  • Body Shape
  • Photo of your body in full length (optional)
  • Body measurements
  • Information about clothes, brand and size that suits you (optional)
  • Bra size (only for women)
  • Preferences for fit of the clothes
  • Age
  • In addition, information about your previous purchases in the store can be used to provide size determination services.

The widget calculates specific size recommendations using statistical methods, clothing data from partners, and sometimes anonymized purchase and return data. The transferred personal data is stored in the corresponding database under a randomly generated session identifier.

Sizolution is the processor of the personal data collected in the context of our use of its service. Sizolution and any person subordinate to Sizolution who has access to the personal data may process such data only on instructions from Goldwin. For this purpose, Goldwin entered into a data processing agreement with Sizolution pursuant to Art. 28 GDPR.

For more information, please read Sizolution's privacy policy at https://sizolution.com/privacy_policy_en.pdf.

f. Social media

aa. Facebook

Goldwin operates an online presence on Facebook, a so-called Facebook fanpage, in order to communicate with the interested parties and users active there and to be able to inform them about our events and news. When visiting our fanpage, the following additional information on data processing applies.

Joint responsibility, contact details:

We are jointly responsible with Facebook for the operation of our Facebook fanpage in accordance with Art. 26 GDPR. For this purpose, Facebook has entered into an agreement with us to determine who fulfils which obligations with regard to data protection. This agreement can be found here: https://www.facebook.com/legal/terms/page_controller_addendum. Facebook is obliged to provide the person concerned with information about the joint processing and to enable him/her to exercise his/her data protection rights. Irrespective of this, we hereby inform you as the jointly responsible party about your visit to our fan page and thus provide you with the information required by data protection law.

Information about data protection on Facebook in general can be found here:
https://www.facebook.com/about/privacy/

You can reach Facebook under:

Facebook Ireland Ltd.
4 Grand Canal Square,
Grand Canal Harbour,
Dublin 2, Ireland

Online you can reach Facebook here:
https://www.facebook.com/help/contact/2061665240770586

You can reach the Facebook data protection officer here:
https://www.facebook.com/help/contact/540977946302970

Our contact details can be found in this privacy notice under section 2.b.

Collection and storage of personal data as well as type and purpose and their use:

  • Data collected by Facebook:

    If you are a Facebook user, Facebook collects the information described in the Facebook Data Policy [https://www.facebook.com/about/privacy/update] under "What types of information do we collect?". If you are not a Facebook user, cookies, small text files with identifiers, may still be stored in your browser, which enable a so-called tracking of your user behaviour.

    As a rule, when you visit Facebook, the user data is also processed by Facebook for market research and advertising purposes. On the basis of user behaviour (also when visiting our fan page) complex user profiles are created, which Facebook can use to display personalized advertisements to the visitor inside and outside of Facebook. You can also find more detailed information on this in the Facebook privacy notice.

    If you do not agree with this, you can object to it here (Opt-Out):
    https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen

  • Data used by us ("page insights") and legal basis:

    Facebook provides us with statistics and usage data, which we can use to analyse the use of our fan page (so-called "Page-Insights"). This enables us to continuously improve our Facebook offer. We as operators do not make any decisions regarding the processing of Insights data and all other information resulting from Art. 13 GDPR, such as the storage period of cookies on user terminals. The primary responsibility according to GDPR for the processing of Insights data lies with Facebook. In this regard, we also refer to the agreement on joint responsibility https://www.facebook.com/legal/terms/page_controller_addendum pursuant to Art. 26 GDPR that Facebook has concluded with us and to the obligations assumed by Facebook thereafter.

    We as site administrators have no other possibility to evaluate the user behaviour on our fan page, not even via user tracking. It is also fundamentally impossible for us to identify the visitor of our fan page by means of the page insights. In particular, according to the agreement with Facebook, we have no right to demand that Facebook disclose individual visitor data. We can only identify a visitor if we can assign individual profile pictures to "like" information for the page; but only if our fan page has been marked "like" by the respective visitor and the "like" information is set to "public".

    The information Facebook uses to create the Page-Insights can be found here:
    https://www.facebook.com/legal/terms/information_about_page_insights_data

    The operation of the Facebook fan page and the use of the Page-Insights serves our legitimate interest in an effective external presentation and the communication with our interested parties. This interest justifies the operation of the page both against the legitimate interests of Facebook users and against visitors to our fan page who do not have a Facebook account. The legal basis is accordingly Art. 6 para. 1 sentence 1 lit. f GDPR.

bb. YouTube

Goldwin operates an online presence on YouTube. YouTube is an Internet video portal that enables video publishers to post video clips free of charge and other users to view, review and comment on them, also free of charge. YouTube allows you to publish all kinds of videos, so you can access both full movies and TV broadcasts, as well as music videos, trailers, and videos made by users via the Internet portal.

The operating company of YouTube is Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Ireland.

YouTube's data protection provisions, available at https://www.google.com/intl/en/policies/privacy/, provide information about the collection, processing and use of personal data by YouTube and Google.

cc. Instagram

Goldwin operates an online presence on Instagram. Instagram is a service that may be qualified as an audio-visual platform, which allows users to share photos and videos, as well as disseminate such data in other social networks.

The operating company of the services offered by Instagram is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

Further information and the applicable data protection provisions of Instagram may be retrieved under https://help.instagram.com/155833707900388 and
https://www.instagram.com/about/legal/privacy/.

g. Payment Method:

aa. PayPal

On this website, the controller has integrated components of PayPal. PayPal is an online payment service provider. Payments are processed via so-called PayPal accounts, which represent virtual private or business accounts. PayPal is also able to process virtual payments through credit cards when a user does not have a PayPal account. A PayPal account is managed via an email address, which is why there are no classic account numbers. PayPal makes it possible to trigger online payments to third parties or to receive payments. PayPal also accepts trustee functions and offers buyer protection services.

The European operating company of PayPal is PayPal (Europe) S.à.r.l. et Cie., S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg.

If the data subject chooses "PayPal" as the payment option in the online shop during the ordering process, we automatically transmit the data of the data subject to PayPal. By selecting this payment option, the data subject agrees to the transfer of personal data required for payment processing.

The personal data transmitted to PayPal is usually first name, last name, address, email address, IP address, telephone number, mobile phone number, or other data necessary for payment processing. Personal data connected with the respective order is also required to process the purchase contract.

The transmission of the data is aimed at payment processing and fraud prevention. The controller will transfer personal data to PayPal, in particular, if a legitimate interest in the transmission is given. The personal data exchanged between PayPal and the controller for the processing of the data will be transmitted by PayPal to economic credit agencies. This transmission is intended for identity and creditworthiness checks.

PayPal will, if necessary, pass on personal data to affiliates and service providers or subcontractors to the extent that this is necessary to fulfil contractual obligations or for data to be processed in the order.

The data subject has the possibility to revoke consent for the handling of personal data at any time from PayPal. A revocation shall not have any effect on personal data which must be processed, used or transmitted in accordance with (contractual) payment processing.

The applicable data protection provisions of PayPal may be retrieved under
https://www.paypal.com/us/webapps/mpp/ua/privacy-full.

bb. Shop Pay

We also use Shop Pay as a payment method, which enables the data subject to pay for goods in our online shop. Shop Pay is a payment method provided by Shopify. With Shop Pay the data subject can store their payment information for faster checkouts at any Merchant Store that offers Shop Pay.

If the data subject chooses "Shop Pay" as the payment option in the online shop during the ordering process, we automatically transmit the data of the data subject to Shop Pay and the data subject will be forwarded to the website of Shop Pay to complete the payment.

The personal data transmitted to Shop Pay is the data subject’s name, email address, and mobile phone number; credit card information and billing address; shipping address and the shipping method selected on the checkout page; and information related to order details of goods or services purchased, such as the tracking number, carrier name, order number and product details. All personal data collected from the data subject in connection with the use of Shop Pay is governed by the Shop Pay Privacy Policy that is accessible at https://www.shopify.com/legal/shop-pay-merchant-terms.

To provide its service, Shopify might share personal data with its service providers. A list of service providers is accessible at:
https://help.shopify.com/en/manual/your-account/privacy/GDPR/subprocessors.

The data subject has the possibility to revoke consent for the handling of personal data at any time from Shop Pay. A revocation shall not have any effect on personal data which must be processed, used or transmitted in accordance with (contractual) payment processing.

6. Cookies

We use cookies on our websites. Cookies are small text files that are stored on your hard disk and assigned to the browser you are using by means of a characteristic string of characters, and through which certain information flows to the site that sets the cookie. Cookies cannot execute programs or transfer viruses to your computer and therefore cannot cause any damage. They serve to make the Internet offer altogether more user-friendly and effective, i.e. more pleasant for you.

Cookies can contain data that make it possible to recognize the device you are using. In some cases, however, cookies only contain information on certain settings that cannot be related to a specific person. Cookies cannot directly identify a user.

A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. With regard to their function, a further distinction is made between the following cookies:

  • Strictly Necessary Cookies: These are essential to navigate the site, use basic functions and ensure the security of the site; they do not collect information about you for marketing purposes nor do they store which web pages you have visited;
  • Strictly Necessary Analytics Cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. All information these cookies collect is aggregated and therefore anonymous. You can set your browser to block or alert you about these cookies.
  • Functional Cookies: These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies, then some or all of these services may not function properly.
  • Performance and Analytics Cookies: These collect information about how you use our website, which pages you visit and, for example, whether errors occur during website use; they do not collect any information that could identify you - all information collected is anonymous and is only used to improve our website and to find out what interests our users have;
  • Targeting Cookies: These are used to provide the website user with tailored advertising on the website or offers from third parties and to measure the effectiveness of these offers; advertising and targeting cookies are stored no more than 13 months.

We use the following cookies:

Strictly Necessary Cookies

| Name | Description | Duration of Storage | Cookies Used |
| --- | --- | --- | --- |
| __verify | This cookie determines whether the browser accepts cookies. | Session | 1st Party |
| _dc_gtm_UA-xxxxxxxx | This cookie is associated with sites using Google Tag Manager to load other scripts and code into a page. Where it is used it may be regarded as Strictly Necessary as without it, other scripts may not function correctly. The end of the name is a unique number which is also an identifier for an associated Google Analytics account. | Session | 1st Party |
| dynamic_checkout_shown_on_cart | This cookie is generally provided by Shopify and is used in connection with checkout. | Session | 1st Party |
| _orig_referrer | This cookie is generally provided by Shopify and is used in connection with a shopping cart. | 2 weeks | 1st Party |
| _secure_session_id | This cookie is generally provided by Shopify and is used in connection with navigation through a storefront. | 1 day | 1st Party |
| _shopify_country | This cookie is provided by Shopify and is used in connection with checkout. | Session | 1st Party |
| cart | Used in connection with Shopify shopping cart. | 2 weeks | 1st Party |
| cart_currency | This cookie is used to integrate with shopping cart. | 2 weeks | 1st Party |
| cart_sig | This cookie is generally provided by Shopify and is used in connection with checkout. | 2 weeks | 1st Party |
| cart_ts | This cookie is generally provided by Shopify and is used in connection with checkout. | 2 weeks | 1st Party |
| cart_ver | Used in connection with Shopify shopping cart. | 2 weeks | 1st Party |
| eupubconsent | This cookie is used by the IAB Europe Transparency & Consent Framework to store the user's consent to the data collection Purposes. The cookie holds an encrypted consent string that vendors participating in the framework can read and determine the user's consent. | 20 years | 1st Party |
| lang | This cookie is used for language setting. | Session | 1st Party |
| OptanonAlertBoxClosed | This cookie is set by websites using certain versions of the cookie law compliance solution from OneTrust. It is set after visitors have seen a cookie information notice and in some cases only when they actively close the notice down. It enables the website not to show the message more than once to a user. The cookie has a one year lifespan and contains no personal information. | 1 year | 1st Party |
| OptanonConsent | This cookie is set by the cookie compliance solution from OneTrust. It stores information about the categories of cookies the site uses and whether visitors have given or withdrawn consent for the use of each category. This enables site owners to prevent cookies in each category from being set in the user's browser, when consent is not given. The cookie has a normal lifespan of one year, so that returning visitors to the site will have their preferences remembered. It contains no information that can identify the site visitor. | 1 year | 1st Party |
| secure_customer_sig | This cookie is generally provided by Shopify and is used in connection with a customer login. | 20 years | 1st Party |
| shopify_pay_redirect | Used by Shopify to handle secure payment and checkout. | Session | 1st Party |
| __cfduid | Helps Cloudflare detect malicious visitors to our Customers’ websites and minimizes blocking legitimate users. | 1 month | 3rd Party |
| _pay_session | Used by Shopify to handle secure payment and checkout. | Session | 3rd Party |
| akavpau_ppsd | This domain is owned by PayPal. The main business activity is: E-commerce Provision | Session | 3rd Party |
| connect.sid | Tracks the current session ID | Session | 3rd Party |
| cookietest | Testing to see if the browser allows cookies. | Session | 3rd Party |
| enforce_policy | This domain is owned by PayPal. The main business activity is: E-commerce Provision | 1 year | 3rd Party |
| jsessionid | Used to maintain an anonymous user session by the server | Session | 3rd Party |
| l7_az | This domain is owned by PayPal. The main business activity is: E-commerce Provision | Session | 3rd Party |
| LANG | This domain is owned by PayPal. The main business activity is: E-commerce Provision | Session | 3rd Party |
| locale_bar_accepted | This cookie is provided by the app (BEST Currency Converter) and is used to secure the currency chosen by the customer. | Session | 3rd Party |
| nsid | This domain is owned by PayPal. The main business activity is: E-commerce Provision | Session | 3rd Party |
| shopify_pay_redirect | Used by Shopify to handle secure payment and checkout. | Session | 3rd Party |
| ts | This domain is owned by PayPal. The main business activity is: E-commerce Provision | 3 years | 3rd Party |
| ts_c | This domain is owned by PayPal. The main business activity is: E-commerce Provision | 3 years | 3rd Party |
| tsrce | This domain is owned by PayPal. The main business activity is: E-commerce Provision | 3 days | 3rd Party |
| x-cdn | This domain is owned by PayPal. The main business activity is: E-commerce Provision | Session | 3rd Party |
| x-csrf-jwt | This domain is owned by PayPal. The main business activity is: E-commerce Provision | 1 week | 3rd Party |
| x-pp-s | This domain is owned by PayPal. The main business activity is: E-commerce Provision | Session | 3rd Party |
| cf_use_ob | This cookie is used to indicate the country of origin of the product. | Session | 3rd Party |

Strictly Necessary Analytics Cookies

| Name | Description | Duration of Storage | Cookies Used |
| --- | --- | --- | --- |
| _gxxxxxxxxxx | This cookie is provided by Google and is used to identify shop. | Session | 1st Party |
| _landing_page | This cookie is used to track, report, and analyze on landing pages. | 2 weeks | 1st Party |
| _s | This cookie is associated with Shopify's analytics suite. | Session | 1st Party |
| _shopify_fs | This cookie is associated with Shopify's analytics suite. | 2 years | 1st Party |
| _shopify_s | This cookie is associated with Shopify's analytics suite. | Session | 1st Party |
| _shopify_sa_p | This cookie is associated with Shopify's analytics suite concerning marketing and referrals. | Session | 1st Party |
| _shopify_sa_t | This cookie is associated with Shopify's analytics suite concerning marketing and referrals. | Session | 1st Party |
| _shopify_y | This cookie is associated with Shopify's analytics suite. | 1 year | 1st Party |
| _y | This cookie is associated with Shopify's analytics suite. | 1 year | 1st Party |

Functional Cookies

| Name | Description | Duration of Storage | Cookies Used |
| --- | --- | --- | --- |
| adsHaveShown | This cookie is used to display pop-up advertisement upon initial access. | 1 day | 1st Party |
| CIR | This cookie is used to switch languages. | Session | 1st Party |
| cookietest | Common cookie name could have a number of different origins. Where this is first party and a session cookie, it's most likely to do with checking to see if the browser is set to block or allow cookies. | Session | 1st Party |
| eushop-customer | This cookie is used to reflect log-in status throughout the website. | Session | 1st Party |
| eushop-customername | This cookie is used to reflect log-in user name throughout the website. | Session | 1st Party |
| eushop-itemcount | This cookie is used to reflect quantity of items in cart throughout the website. | Session | 1st Party |
| kiwi-sizing-token | Used by the Kiwi Size Chart Shopify plugin | Session | 1st Party |
| swym-cu_ct | Used to manage wish list created by the customer. | 1 year | 1st Party |
| swym-currentFilter | Used to manage wish list created by the customer. | 1 year | 1st Party |
| swym-email | Used to manage wish list created by the customer. | 1 year | 1st Party |
| swym-instrumentMap | Used to manage wish list created by the customer. | 1 year | 1st Party |
| swym-ninfo | Used to manage wish list created by the customer. | 1 year | 1st Party |
| swym-np_r | Used by the SWYM Wishlist Plus Shopify plugin | 1 year | 1st Party |
| swym-o_s | Used by the SWYM Wishlist Plus Shopify plugin | Session | 1st Party |
| swym-ol_ct | Used to manage wish list created by the customer. | Session | 1st Party |
| swym-pid | Used to manage wish list created by the customer. | 1 year | 1st Party |
| swym-session-id | Used by the SWYM Wishlist Plus Shopify plugin | Session | 1st Party |
| swym-swymRegid | Used to manage wish list created by the customer. | 1 year | 1st Party |
| swym-v-ckd | Used to manage wish list created by the customer. | Session | 1st Party |
| usshop-customer | This cookie is used to reflect log-in status throughout the website. | Session | 1st Party |
| usshop-customername | This cookie is used to reflect log-in user name throughout the website. | Session | 1st Party |
| usshop-itemcount | This cookie is used to reflect quantity of items in cart throughout the website. | Session | 1st Party |
| _ks_scriptVersion | Used by the Kiwi Size Chart Shopify plugin | 1 year | 3rd Party |
| _ks_scriptVersionChecked | Used by the Kiwi Size Chart Shopify plugin | 1 day | 3rd Party |
| _ks_userCountryUnit | Used by the Kiwi Size Chart Shopify plugin | 1 day | 3rd Party |
| kiwi-sizing-token | Used by the Kiwi Size Chart Shopify plugin | Session | 3rd Party |
| __cfduid | This cookie is used for the chat app. | 1 month | 3rd Party |
| uid | Sizolution, customer ID | 1 year | 3rd Party |
| uid_male | Sizolution, customer ID, separation of male and female accounts if there are multiple accounts on one device | 1 year | 3rd Party |
| uid_female | Sizolution, customer ID, separation of male and female accounts if there are multiple accounts on one device | 1 year | 3rd Party |

Performance and Analytics Cookies

| Name | Description | Duration of Storage | Cookies Used |
| --- | --- | --- | --- |
| __kla_id | Tracks when someone clicks through a Klaviyo email to your website | 2 years | 1st Party |
| __utmzz | This cookie is provided by Google and is used to identify referral. | 6 months | 1st Party |
| _ga | This cookie is used for Google Analytics. | 13 months | 1st Party |
| _gat | This cookie is used for Google Analytics. | Session | 1st Party |
| _gat_UA- | This cookie is used for Google Analytics. | Session | 1st Party |
| _gclxxxx | This cookie is used for Google Analytics. | 3 months | 1st Party |
| _gid | This cookie is used for Google Analytics. | 1 day | 1st Party |
| _shopify_d | This cookie is used to analyze the Shopify E-commerce platform. | Session | 1st Party |
| KL_FORMS_MODAL | Tracks when someone subscribes (opts in) to a Klaviyo form | 1 year | 3rd Party |

Targeting Cookies

| Name | Description | Duration of Storage | Cookies Used |
| --- | --- | --- | --- |
| __utmzzses | UTM Parameters used for advertising/tracking with Google Analytics | Session | 1st Party |
| _fbp | Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers | 3 months | 1st Party |
| __kla_id | Tracks when someone clicks through a Klaviyo email to your website | 2 years | 3rd Party |
| CONSENT | YouTube is a Google owned platform for hosting and sharing videos. YouTube collects user data through videos embedded in websites, which is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a broad range of their own and other websites. | 17 years | 3rd Party |
| fr | Contains browser and user unique ID combination, used for targeted advertising. | 3 months | 3rd Party |
| GPS | YouTube is a Google owned platform for hosting and sharing videos. YouTube collects user data through videos embedded in websites, which is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a broad range of their own and other websites. | Session | 3rd Party |
| outbrain_cid_fetch | This domain is owned by Outbrain Inc, a USA based company with multi-national presence. It provides targeted native advertising services. | Session | 3rd Party |
| IDE | This domain is owned by Doubleclick (Google). The main business activity is: Doubleclick is Google's real time bidding advertising exchange | 13 months | 3rd Party |
| t_gid | This domain is owned by Taboola Inc, a USA based company with multi-national presence. It provides targeted native advertising services. | 1 year | 3rd Party |
| test_cookie | This domain is owned by Doubleclick (Google). The main business activity is: Doubleclick is Google's real time bidding advertising exchange | Session | 3rd Party |
| VISITOR_INFO1_LIVE | This cookie is used as a unique identifier to track viewing of videos | 6 months | 3rd Party |
| YSC | YouTube is a Google owned platform for hosting and sharing videos. YouTube collects user data through videos embedded in websites, which is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a broad range of their own and other websites. | Session | 3rd Party |

Any use of cookies that is not absolutely technically necessary constitutes data processing that is only permitted with your express and active consent in accordance with Art. 6 Paragraph 1 Sentence 1 lit. a GDPR. This applies in particular to the use of advertising, targeting or sharing cookies. Furthermore, we will only pass on your personal data processed by cookies to third parties if you have given your express consent in accordance with Art. 6 Paragraph 1 Sentence 1 lit. a GDPR.

You can change your preferences for setting cookies on our website at any time here: Cookie Preferences. The changes will take effect immediately. Already set cookies can be deleted in your browser settings. The following links may be helpful:

If you change your settings and refuse cookies, certain functions and features of our website may not function as intended.

7. How we share personal information

We share your personal information with other entities of the Goldwin group for the purposes set out in this Privacy Notice and for administrative purposes. Your personal information may be combined with personal information originating from another Goldwin entity for the respective purposes. In addition, we may share personal information with other companies and individuals who provide services to us, such as fulfilling orders, delivering, sending mail and email, analysing data, marketing and business development assistance, IT services, processing credit card payments, and providing customer service. Our providers have access to personal information needed to perform their functions but may not use it for other purposes.

Additionally, we may disclose personal information to the extent reasonably necessary where such disclosure is appropriate to comply with the law, enforce or apply our customer terms and other agreements, or protect the rights, property or safety of Goldwin, our users or others. This includes exchanging information with other companies and organizations for fraud protection and credit risk management. Moreover, as we continue to develop our business we may sell or buy our business or assets. In such transactions, customer data generally is one of the transferred assets but remains subject to any pre-existing privacy notice.

8. How we transfer personal information to recipients abroad

We may share personal information with recipients (as explained in section 7 above) abroad including in countries that do not provide the same level of data protection as the laws of your home country or EU/EEA laws. However, we are under an obligation to ensure that appropriate safeguards are in place to protect your personal information in such transfers. We usually rely on a data transfer agreement based on the “EU standard contractual clauses”. If you wish to receive a copy of these agreements, please contact us at the address indicated. We may also transfer personal information with your explicit consent and in certain other situations as permitted by applicable law.

9. How we protect your personal information

We apply appropriate technical and organisational security processes to safeguard the security of your personal information and to protect it against unauthorised or unlawful processing and to prevent the risk of loss, unintentional alteration, unintentional disclosure or unauthorised access.

10. No automated decision-making

We do not use technologies that allow automated decision-making, including profiling.

11. The legal basis for our use of personal data

Art. 6 sec. 1 lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service, the processing is based on Article 6 sec. 1 lit. b GDPR. The same applies to such processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services. If our company is subject to a legal obligation that requires the processing of personal data, such as for the fulfilment of tax obligations, the processing is based on Art. 6 sec. 1 lit. c GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. This would be the case, for example, if a visitor were injured in our company and his name, age, health insurance data or other vital information had to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6 sec. 1 lit. d GDPR. Finally, processing operations could be based on Article 6 sec. 1 lit. f GDPR. This legal basis is used for processing operations which are not covered by any of the above-mentioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

12. Your rights in relation to your personal data

If your personal data is processed, you are the person concerned within the meaning of the GDPR and you are entitled to the following rights:

  • information about the processing of your personal data;
  • obtain access to the personal data held about you;
  • ask for incorrect, inaccurate or incomplete personal data to be corrected;
  • request that personal data be erased when it’s no longer needed or if processing it is unlawful;
  • object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation;
  • request the restriction of the processing of your personal data in specific cases;
  • receive your personal data in a machine-readable format and send it to another controller (‘data portability’);
  • complain to a data protection authority in your place of habitual residence, place of work, or the place of the alleged infringement;
  • request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. You also have the right in this case to express your point of view and to contest the decision.

If you wish to exercise your rights, you can contact us using the contact information provided under section 2.