Data Protection

I. General Information

This Privacy Policy informs you about the processing of personal data when using our online presence. This online privacy policy applies to our websites www.rebeccamarea.com / www.rebeccamarea.de as well as to our profiles on social media platforms.

“Personal data” means any information relating to you personally, such as your name, address, email address, IP address, or user behaviour.

With regard to the terms used (e.g., “processing”, “controller” or “data subject”), reference is made to the definitions in Article 4 GDPR. In particular, the following applies:

“Personal data” means any information relating to an identified or identifiable natural person (the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Art. 4(1) GDPR).

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4(2) GDPR).

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4(7) GDPR).

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art. 4(8) GDPR).

In particular, the terms “processing” and “personal data” are very broad, so that almost any handling of data may fall within their scope.

II. Controller

Rebecca Ettelt
Knüll 11
24819 Haale
Germany
Phone: +49 15224828560
Email: info@rebeccamarea.com

III. What data do we collect and for what purposes / on what legal basis do we process it?

1) Visiting our website (no registration / no active submission)

When you visit our website without registering or otherwise providing information, we process only the personal data that your browser transmits to our server. To the best of our knowledge, this includes in particular the following data which is technically necessary to display our website and to ensure its stability and security:

IP address of the requesting device
Date and time of the request
Name and URL of the retrieved file
Access status / HTTP status code
Amount of data transferred
Website from which the request originates (referrer URL)
Browser used
Operating system

The processing of this data in so-called log files is necessary to display our website and to ensure stability and security.

2) Contacting us / submitting information

If you provide us with personal data (e.g., via email enquiry or our contact form), we process—depending on the information you provide—also the following data:

Basic data (e.g., name, address)
Contact data (e.g., email address, phone number)
Content data (e.g., text entries, photos, videos)
Usage data (e.g., visited pages, access times)
Communication / metadata (e.g., device information, IP addresses)

We may also process the following personal data for the purposes of providing contractual services, customer service and customer care as well as marketing/advertising:

Contract data (e.g., subject matter of the contract, term, customer number)
Payment data (e.g., bank details, payment history)

3) Purposes of processing

We process your personal data when you visit our website for the following purposes:

Providing the functions and content of our online offering
Ensuring a smooth connection to our website
Ensuring convenient use of our website
Evaluating and ensuring system security and stability as well as general security measures
Responding to contact enquiries / communicating with you
Other administrative purposes
Providing contractual services
Customer service

4) Legal bases

Unless a specific legal basis is stated in this Privacy Policy, the following applies:

Consent: Art. 6(1)(a) GDPR and Art. 7 GDPR
Performance of a contract / pre-contractual measures / responding to enquiries: Art. 6(1)(b) GDPR
Compliance with legal obligations: Art. 6(1)(c) GDPR
Vital interests: Art. 6(1)(d) GDPR
Legitimate interests: Art. 6(1)(f) GDPR (our legitimate interest follows from the purposes of data collection stated above)

If, in the course of processing your personal data, we disclose it to third parties, transfer it, or otherwise grant access to it, this will occur only on the basis of a legal permission—e.g., where you have consented, where we are legally obliged, or on the basis of our legitimate interests.

A legal permission exists in particular where the transfer is necessary to fulfil contractual obligations (e.g., to payment or shipping service providers). A legitimate interest may exist, for example, if we use data for direct advertising, to prevent fraud, or where you are our customer. Legitimate interests may also arise when using web or email hosting providers, cloud providers or similar service providers.

Such service providers often act as processors on the basis of a corresponding processing agreement. They are required to comply with data protection requirements and to ensure this contractually. The legal basis for processor relationships is Art. 28 GDPR.

IV. To whom do we transfer your data?

We regularly work with the following recipients in particular:

Shipping service providers
Banks / credit institutions
Email hosting providers
Web hosting providers

We select external service providers carefully. Where processing is carried out on our behalf (Art. 28 GDPR), these companies are contractually bound by our instructions and are regularly monitored by us. Further information is provided in the descriptions of the individual services below.

V. Is your data transferred to recipients outside the EU?

A transfer of your personal data to third countries (i.e., outside the EU/EEA) or to an international organisation is only envisaged in exceptional cases. Further information can be found in the descriptions of the individual services below.

If we process your personal data in a third country or have it processed by third parties, this only occurs if it is necessary to fulfil our (pre-)contractual obligations, on the basis of your consent, a legal obligation, or our legitimate interests.

In such cases, personal data is processed in a third country only where the special requirements of Articles 44 et seq. GDPR are met, unless statutory or contractual permissions apply in individual cases. This means, for example, that processing may be based on appropriate safeguards such as an officially recognised adequacy decision of the European Union or compliance with specific recognised contractual obligations (in particular the EU Standard Contractual Clauses).

VI. How long do we process (store) your data?

The storage period for your personal data is generally determined by statutory retention obligations (e.g., under commercial or tax law). Unless otherwise stated below, your personal data will be routinely deleted after the expiry of any applicable retention period, provided it is no longer required for contract performance or initiation, we no longer have a legitimate interest in further storage, and/or you have not consented to storage beyond this.

VII. What are your rights?

With regard to the processing of your personal data, you have the right to:

Request information about your personal data processed by us, in particular about processing purposes, categories of personal data, categories of recipients to whom your data has been or will be disclosed, planned storage period, existence of rights to rectification, erasure, restriction or objection, existence of a right to lodge a complaint, the origin of your data (if not collected from you), and the existence of automated decision-making including profiling and meaningful information about its logic (Art. 15 GDPR);
Request the rectification of inaccurate personal data or completion of your stored personal data without undue delay (Art. 16 GDPR);
Request erasure of your personal data stored by us, unless processing is necessary for exercising freedom of expression and information, compliance with a legal obligation, reasons of public interest, or for the establishment, exercise or defence of legal claims (Art. 17 GDPR);
Request restriction of processing of your personal data if you contest the accuracy of the data, processing is unlawful and you oppose erasure, we no longer need the data but you need it to establish, exercise or defend legal claims, or you have objected under Art. 21 GDPR (Art. 18 GDPR);
Receive the personal data you have provided to us in a structured, commonly used and machine-readable format or request its transfer to another controller (data portability, Art. 20 GDPR);
Not to be subject to a decision based solely on automated processing—including profiling—which produces legal effects concerning you or similarly significantly affects you (Art. 22 GDPR);
Lodge a complaint with a supervisory authority (Art. 77 GDPR);
Object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you carried out on the basis of Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions (Art. 21 GDPR);
Withdraw your consent at any time (Art. 7(3) GDPR). Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

The last three rights are explained in more detail below.

VIII. When and how can you object to processing?

If your personal data is processed on the basis of legitimate interests pursuant to Art. 6(1) sentence 1(f) GDPR, or for direct marketing and/or profiling, you have the right to object to the processing at any time. In that case, we will no longer process your personal data for these purposes unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

The right to object applies only where there are reasons arising from your particular situation—unless your objection relates to direct marketing. In the latter case, you have a general right to object which will be implemented without the need to state such a situation.

To exercise your right to object, a message to us is sufficient (contact details above).

IX. When and how can you withdraw consent?

You can withdraw any consent you have given to us at any time. This means that we may no longer continue data processing based on that consent for the future. To exercise your right of withdrawal, a message to us is sufficient (contact details above).

X. Where can you lodge a complaint?

You have the right to lodge a complaint with a data protection supervisory authority regarding our processing of your personal data. A list of German state data protection supervisory authorities can be found, for example, at:
www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

XI. When and why is providing your data necessary?

When using our contact form or when sending enquiries by email, you provide us with personal data (e.g., name, address, or email address).

Providing personal data may in part be required by law (e.g., tax regulations). It may also be necessary to carry out (pre-)contractual measures. If you do not provide your personal data, a contract may not be concluded with you and/or your enquiry may not be answered.

For the performance of contracts, pre-contractual measures, or communication with us, the following data is required:

First and last name
Address
Email address
Text entries

Unless otherwise stated in this Privacy Policy, all other information is voluntary.

XII. Automated decision-making (e.g., profiling)

Automated decision-making, including profiling, does not take place.

XIII. How can you contact us?

You can contact us by post, phone, or email (see above).

If you contact us, for example by email or via our contact form, we store the personal data you voluntarily provide to us automatically for the purpose of processing your enquiry and/or contacting you. This data is not passed on to third parties.

XIV. Security

Taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of processing as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR). These measures include, in particular, safeguarding the confidentiality, integrity and availability of data.

We have also established internal processes to ensure, in particular, the protection of data subject rights, the deletion of data, and responses to data breaches. In addition, we observe the principles of data protection law, including data protection by design and by default (Art. 25 GDPR).

For security reasons and to protect the transmission of personal data and other confidential content, our website uses encrypted transmission via SSL/TLS. You can recognise this by the “https” in your browser’s address bar (instead of “http”) and the lock symbol.

XV. Cookies

To manage the cookies and similar technologies (tracking pixels, web beacons, etc.) used and the related consents, we use the consent tool “Real Cookie Banner”. Details on how “Real Cookie Banner” works can be found at:
https://devowl.io/de/rcb/datenverarbeitung/

The legal bases for processing personal data in this context are Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR. Our legitimate interest is the management of the cookies and similar technologies used and the related consents.

Providing personal data is neither contractually required nor necessary for the conclusion of a contract. You are not obliged to provide personal data. If you do not provide personal data, we cannot manage your consents.

We use “cookies” on our website. Cookies are small files containing text information which are stored by your browser and saved on your device.

Transient (temporary) cookies are automatically deleted when you close your browser. These include session cookies in particular. They store a specific identifier (session ID) that allows your device to be recognised when you return to our website. This can be used, for example, to store the contents of a virtual shopping cart or login status. Session cookies are deleted when you log out or close the browser.

Persistent cookies are automatically deleted after a specified period; the storage duration varies depending on the cookie. This can be used, for example, to store user information for reach measurement, marketing purposes, or a login status for a longer period.

For both temporary and permanent cookies, a distinction is made between first-party cookies and third-party cookies. First-party cookies are set by the controller; third-party cookies are set by third-party providers.

You can delete cookies at any time in your browser’s security settings or, for example, refuse the acceptance of third-party cookies. If you wish to object generally to the use of cookies used for online marketing, you can do so via various services/providers, for example via the US site www.aboutads.info/choices or the European site www.youronlinechoices.com. Please note that you may then not be able to use all functions of our website.

On our website we may use temporary and permanent cookies, as well as first- and third-party cookies. You will find further information about this in the sections below.

At present, we only use cookies that are technically necessary to provide our offering. The legal basis for the use of cookies is Art. 6(1) sentence 1(f) GDPR. Where other, non-essential cookies are used, we obtain your consent (Art. 6(1) sentence 1(a) GDPR).

XVI. Social Media

We operate the social media profiles listed below in order to communicate with users active on these networks and to inform them about our services. When accessing the respective networks, the respective terms and privacy policies of the operators apply. Unless otherwise stated in this Privacy Policy, we process users’ data only if they contact us within the social networks, for example by posting content on our profile pages or sending us messages.

Facebook

This website integrates elements of the social network Facebook. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. According to Facebook, the collected data is also transferred to the USA and other third countries.

An overview of Facebook social media plug-ins can be found here:
https://developers.facebook.com/docs/plugins/?locale=de_DE

If the social media element is active, a direct connection is established between your device and the Facebook server. Facebook thereby receives the information that you visited this website with your IP address. If you click the Facebook “Like” button while logged into your Facebook account, you can link the contents of this website to your Facebook profile. This allows Facebook to associate your visit to this website with your user account.

Please note that, as the provider of these pages, we have no knowledge of the content of the data transmitted or of its use by Facebook. Further information can be found in Facebook’s Privacy Policy:
https://de-de.facebook.com/privacy/explanation

If consent has been obtained, the use of the service is based on Art. 6(1)(a) GDPR and Section 25 TTDSG. Consent can be withdrawn at any time. If no consent has been obtained, the service is used on the basis of our legitimate interest in achieving the widest possible visibility on social media.

Where personal data is collected on our website using the tool described here and forwarded to Facebook, we and Meta Platforms Ireland Limited are jointly responsible for this data processing (Art. 26 GDPR). Joint responsibility is limited exclusively to the collection of data and its transmission to Facebook. Further processing by Facebook after transmission is not part of the joint responsibility. The obligations incumbent on us jointly have been set out in an agreement on joint processing. The agreement is available at:
https://www.facebook.com/legal/controller_addendum

According to this agreement, we are responsible for providing the privacy information when using the Facebook tool and for the data protection-compliant implementation of the tool on our website. Facebook is responsible for the data security of Facebook products. Data subject rights (e.g., requests for information) regarding data processed by Facebook can be asserted directly with Facebook. If you assert data subject rights with us, we are obliged to forward them to Facebook.

Data transfers to the USA are based on the EU Commission’s Standard Contractual Clauses. Details:
https://www.facebook.com/legal/EU_data_transfer_addendum
https://de-de.facebook.com/help/566994660333381
https://www.facebook.com/policy.php

Instagram

This website integrates functions of the Instagram service. These functions are provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

If the social media element is active, a direct connection is established between your device and the Instagram server. Instagram thereby receives information about your visit to this website.

If you are logged into your Instagram account, you can link the contents of this website to your Instagram profile by clicking the Instagram button. This allows Instagram to associate your visit to this website with your user account.

Please note that, as the provider of these pages, we have no knowledge of the content of the data transmitted or of its use by Instagram.

Where personal data is collected on our website using the tool described here and forwarded to Facebook and/or Instagram, we and Meta Platforms Ireland Limited are jointly responsible for this data processing (Art. 26 GDPR). Joint responsibility is limited exclusively to the collection of data and its transmission. Further processing after transmission is not part of the joint responsibility. The agreement on joint processing is available at:
https://www.facebook.com/legal/controller_addendum

Data transfers to the USA are based on the EU Commission’s Standard Contractual Clauses. Details:
https://www.facebook.com/legal/EU_data_transfer_addendum
https://help.instagram.com/519522125107875
https://de-de.facebook.com/help/566994660333381

More information is available in Instagram’s Privacy Policy:
https://instagram.com/about/legal/privacy/

Pinterest

This website uses elements of the social network Pinterest, operated by Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.

When you access a page that contains such an element, your browser establishes a direct connection to Pinterest’s servers. This social media element transmits log data to Pinterest’s servers in the USA. This log data may include your IP address, the addresses of websites visited that also contain Pinterest functions, browser type and settings, date and time of the request, your use of Pinterest, and cookies.

Further information on purpose, scope, and further processing and use of the data by Pinterest, as well as your rights and options for protecting your privacy, can be found in Pinterest’s Privacy Policy:
https://policy.pinterest.com/de/privacy-policy

XVII. Advertising and Analytics Tools

Google Analytics

This website uses functions of the web analytics service Google Analytics. Provider: Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics enables the website operator to analyse the behaviour of website visitors. The website operator receives various usage data, such as page views, time spent on site, operating systems used, and the user’s origin. This data is assigned to the user’s device. It is not assigned to a user ID.

We may also use Google Analytics to record mouse movements, scrolling behaviour, and clicks. Furthermore, Google Analytics uses various modelling approaches to supplement the collected data sets and uses machine learning technologies for data analysis.

Google Analytics uses technologies that enable the recognition of the user for the purpose of analysing user behaviour (e.g., cookies or device fingerprinting). Information collected by Google about the use of this website is generally transferred to a Google server in the USA and stored there.

The use of this service is based on your consent pursuant to Art. 6(1)(a) GDPR and Section 25(1) TTDSG. Consent can be withdrawn at any time.

Data transfers to the USA are based on the EU Commission’s Standard Contractual Clauses. Details:
https://privacy.google.com/businesses/controllerterms/mccs/

Browser plug-in
You can prevent the collection and processing of your data by Google by downloading and installing the browser plug-in available at:
https://tools.google.com/dlpage/gaoptout?hl=de

Further information on how Google Analytics handles user data can be found in Google’s Privacy Policy:
https://support.google.com/analytics/answer/6004245?hl=de

Google Ads

The website operator uses Google Ads. Google Ads is an online advertising programme of Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Ads enables us to display advertisements in Google search results or on third-party websites when a user enters certain search terms on Google (keyword targeting). In addition, targeted ads can be displayed based on user data available at Google (e.g., location data and interests) (audience targeting). As the website operator, we can evaluate this data quantitatively, for example by analysing which search terms led to the display of our ads and how many ads led to clicks.

The use of this service is based on your consent pursuant to Art. 6(1)(a) GDPR and Section 25(1) TTDSG. Consent can be withdrawn at any time.

Data transfers to the USA are based on the EU Commission’s Standard Contractual Clauses. Details:
https://policies.google.com/privacy/frameworks
https://privacy.google.com/businesses/controllerterms/mccs/

Google Conversion Tracking

This website uses Google Conversion Tracking. Provider: Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

With Google Conversion Tracking, Google and we can recognise whether the user has performed certain actions. For example, we can evaluate which buttons on our website were clicked and how often, and which products were viewed or purchased particularly frequently. This information is used to compile conversion statistics. We learn the total number of users who clicked on our ads and what actions they performed. We do not receive information that would enable us to identify the user personally. Google uses cookies or comparable recognition technologies for identification.

The use of this service is based on your consent pursuant to Art. 6(1)(a) GDPR and Section 25(1) TTDSG. Consent can be withdrawn at any time.

More information on Google Conversion Tracking can be found in Google’s data protection provisions:
https://policies.google.com/privacy?hl=de

Meta Pixel (formerly Facebook Pixel)

This website uses the Meta/Facebook visitor action pixel for conversion measurement. Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. According to Facebook, the collected data is also transferred to the USA and other third countries.

This allows the behaviour of website visitors to be tracked after they have been redirected to the provider’s website by clicking on a Facebook ad. This makes it possible to evaluate the effectiveness of Facebook ads for statistical and market research purposes and to optimise future advertising measures.

The data collected is anonymous for us as the operator of this website; we cannot draw any conclusions about the identity of users. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes in accordance with Facebook’s Data Policy:
https://de-de.facebook.com/about/privacy/

This enables Facebook to display ads on Facebook and outside of Facebook. We, as the website operator, cannot influence this use of the data.

The use of this service is based on your consent pursuant to Art. 6(1)(a) GDPR and Section 25(1) TTDSG. Consent can be withdrawn at any time.

We use the Advanced Matching function within the Meta Pixel.

Advanced Matching enables us to transmit various types of data (e.g., place of residence, state, postcode, hashed email addresses, names, gender, date of birth, or phone number) of our customers and interested parties collected via our website to Meta (Facebook). By activating this, we can tailor our advertising campaigns on Facebook more precisely to people who are interested in our offers. In addition, Advanced Matching improves the attribution of website conversions and expands Custom Audiences.

Where personal data is collected on our website using the tool described here and forwarded to Facebook, we and Meta Platforms Ireland Limited are jointly responsible for this data processing (Art. 26 GDPR). Joint responsibility is limited exclusively to the collection of data and its transmission to Facebook. Further processing by Facebook after transmission is not part of the joint responsibility. The agreement on joint processing is available at:
https://www.facebook.com/legal/controller_addendum

Facebook’s Privacy Policy also contains further information on protecting your privacy:
https://de-de.facebook.com/about/privacy/

You can disable the remarketing function “Custom Audiences” in the ad settings at:
https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen
(You must be logged in to Facebook.)

If you do not have a Facebook account, you can opt out of usage-based advertising by Facebook on the website of the European Interactive Digital Advertising Alliance:
http://www.youronlinechoices.com/de/praferenzmanagement/

Facebook Conversion API

We have integrated the Facebook Conversion API on this website. Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. According to Facebook, the collected data is also transferred to the USA and other third countries.

Facebook Conversion API enables us to record interactions of the website visitor with our website and to transmit them to Facebook in order to improve the advertising performance on Facebook.

In particular, the time of access, the website visited, your IP address and your user agent, and—if applicable—other specific data (e.g., purchased products, cart value, and currency) are collected. A complete overview of the data that can be collected can be found here:
https://developers.facebook.com/docs/marketing-api/conversions-api/parameters

The use of this service is based on your consent pursuant to Art. 6(1)(a) GDPR and Section 25(1) TTDSG. Consent can be withdrawn at any time.

Where personal data is collected on our website using the tool described here and forwarded to Facebook, we and Meta Platforms Ireland Limited are jointly responsible for this data processing (Art. 26 GDPR). Joint responsibility is limited exclusively to the collection of data and its transmission to Facebook. Further processing by Facebook after transmission is not part of the joint responsibility. The agreement on joint processing is available at:
https://www.facebook.com/legal/controller_addendum

Further information on protecting your privacy can be found in Facebook’s Privacy Policy:
https://de-de.facebook.com/about/privacy/