• Secure Payments
  • Safe logistics
  • Buyer protection

PRIVACY POLICY

 

I.                          Overview

 

If you are a customer (buyer or seller) or business partner, please read on starting from Item III.

 

If you are visiting our site as a user, please read on starting from Item II.

 

II.             Which type of data do we process when you visit our site?

 

Welcome to our site! Here you can get an idea of how we process your personal data when you visit our site (Article 13 and 14 of the EU’s General Data Protection Regulation – GDPR; § 165 (3) of the Austrian Telecommunications Act (Telekommunikationsgesetz – TKG)).

 

When visiting our site, the following data may be processed:

  • browser type (user agent)

  • public IP address and pages visited on our platform, including entry and exit pages

  • country

  • operating system

  • display resolution

  • device data (we may store personal data from your device, such as geolocation data, IP address, unique identifiers (e.g. MAC address))

  • date, time and duration of access

  • information that you enter in a contact form

  • email address

  • first and last name

  • postal address

  • information about the purchased product

  • information on the delivery of the products

  • information about the logistics company handling the transport

  • payment data entered when making a purchase via Stripe

  • credit card number

  • data collected in relation to the newsletter service

 

The processing of this data is necessary to guarantee the secure operation of the site and to ensure the functionality of the site from a technical point of view. The collection of this data is partly carried out using technical cookies. These technical cookies are only used to the extent necessary (§ 165 (3) TKG). The processing of this data is justified by our legitimate interest in the operation of our site (Article 6 (1) (f) GDPR).

 

In order to operate our site, it may be necessary for us to disclose your information to the following recipients:

 

·       Recipient(s) of the data: Render Services, Inc.

o   Purpose of data processing: cloud computing provider

o   Legal basis: legitimate interests (Article 6 (1) (f) GDPR)

o   Server location: Germany

o   Basis for transfer to third country: standard data protection clauses (Article 46 (2) (c) GDPR)

 

·       Recipient(s) of the data: Cyberhouse GmbH

o   Purpose of data processing: site programming and maintenance

o   Legal basis: legitimate interests (Article 6 (1) (f) GDPR) and processing (Article 28 GDPR)

o   Registered seat: Austria

o   Basis for transfer to third country: within the EU

 

·       Recipient(s) of the data: MongoDB, Inc.

o   Purpose of data processing: database management

o   Legal basis: legitimate interests (Article 6 (1) (f) GDPR)

o   Registered seat: USA

o   Basis for transfer to third country: standard data protection clauses (Article 46 (2) (c) GDPR)

 

·       Recipient(s) of the data: ActiveCampaign, LLC

o   Purpose of data processing: Postmark email delivery services

o   Legal basis: consent (Article 6 (1) (a) GDPR)

o   Registered seat: USA

o   Basis for transfer to third country: standard data protection clauses (Article 46 (2) (c) GDPR)

 

·       Recipient(s) of the data: buyers

o   Purpose of data processing: transfer of data for the purpose of providing goods

o   Legal basis: necessary for the performance of the contract (Article 6 (1) (b) GDPR)

o   Registered seat: Austria

o   Basis for transfer to third country: in the EU

 

·       Recipient(s) of the data: sellers

o   Purpose of data processing: transfer of data for the purpose of providing goods

o   Legal basis: necessary for the performance of the contract (Article 6 (1) (b) GDPR)

o   Registered seat: Austria

o   Basis for transfer to third country: in the EU

 

·       Recipient(s) of the data: Google, Alphabet (Google Tag Manager, Google Analytics)

o   Purpose of data processing: consent

o   Legal basis: consent (Article 6 (1) (a) GDPR)

o   Registered seat: USA

o   Basis for transfer to third country: standard data protection clauses (Article 46 (2) (c) GDPR)

 

·       Recipient(s) of the data: law enforcement agencies (police, public prosecutors, government authorities) and courts

o   Purpose of data processing: pursuit and defense of legal claims

o   Legal basis: legitimate interests (Article 6 (1) (f) GDPR); legal obligation (Article 6 (1) (c) GDPR)

o   Registered seat: Austria

o   Basis for transfer to third country: in the EU

 

 

·       Recipient(s) of the data: tax office; local administrative authorities

o   Purpose of data processing: transfer of data in order to comply with legal mandate (documentation and reporting in accordance with the Austrian Digital Platforms Reporting Obligations Act (Digitale Plattformen-Meldepflichtgesetz – DPMG))

o   Legal basis: legal obligation (Article 6 (1) (c) GDPR)

o   Registered seat: usually Austria

o   Basis for transfer to third country: in the EU

 

·       Recipient(s) of the data: third parties requesting information

o   Purpose of data processing: Transfer of data to comply with legal mandate. Pursuant to § 18 (4) of the Austrian E-Commerce Act (E-Commerce-Gesetz – ECG), we must transmit information at the request of third parties, provided these third parties have an overriding legal interest in determining the identity of a user or a particular illegal state of affairs, and furthermore substantiate that knowledge of such information constitutes a material prerequisite for legal prosecution.

o   Legal basis: legal obligation (Article 6 (1) (c) GDPR)

o   Registered seat: usually Austria

o   Basis for transfer to third country: in the EU

 

·       Recipient(s) of the data: logistics companies (DIREKT Kurierdienst GmbH)

o   Purpose of data processing: delivery of the purchased goods

o   Legal basis: consent (Article 6 (1) (a) GDPR); legitimate interests (Article 6 (1) (f) GDPR);

o   Registered seat: usually Austria

o   Basis for transfer to third country: in the EU

 

·       Recipient(s) of the data: advertising partners who insert their banner on the site

o   Purpose of data processing: transfer of data to advertising partners

o   Legal basis: consent (Article 6 (1) (a) GDPR)

o   Registered seat: usually Austria

o   Basis for transfer to third country: in the EU

 

·       Recipient(s) of the data: Stripe, Inc.

o   Purpose of data processing: payment services

o   Legal basis: necessary for the performance of the contract (Article 6 (1) (b) GDPR)

o   Registered seat: USA / Ireland

o   Basis for transfer to third country: in the EU / standard data protection clauses (Article 46 (2) (c) GDPR)

 

·       Recipient(s) of the data: payment service providers (Apple Pay; Google Pay, Link.co; Klarna; EPS)

o   Purpose of data processing: payment services

o   Legal basis: necessary for the performance of the contract (Article 6 (1) (b) GDPR)

o   Registered seat: USA / Europe (Sweden and Austria)

o   Basis for transfer to third country: in the EU / standard data protection clauses (Article 46 (2) (c) GDPR)

 

II.1.     Overview of the technical cookies used

 

The above data is stored via so-called “cookies[1]. Cookies are text files that are stored on your computer and which enable an analysis of the use of the website. They are used for recognition and storage of temporary data of the site visitor. We only use cookies to the extent necessary to communicate with you via the website.

 

These technical cookies are activated as soon as you visit our platform.

 

The following cookies are used on our platform based on our legitimate interest (Article 6 (1) (f) GDPR):

 

No technical cookies are set at this time.

 

II.2.     Overview of the advertising cookies used

 

Besides the technical cookies described above, we also use advertising cookies (including statistical cookies). These advertising cookies allow us to better track and evaluate your interests. With the help of the advertising cookies, we can merge your surfing behavior across the boundaries of our site with data from other sites. This helps us to better understand the interests of our site visitors in order to address them in a more targeted manner.

 

We respect that is not the wish of every visitor to our site. We therefore process your data using advertising cookies only if you do not withdraw your consent to do so (Article 6 (1) (a) GDPR). You may withdraw this consent at any time. The withdrawal of consent does not affect the lawfulness of any processing done before withdrawal.

 

·       Name of cookie: ga; ga_* (Google)         

o   Statistical purpose(s):

o   Duration of storage: 730 days          

o   Country: USA           

o   Function: registers a unique ID that is used to create statistical data about repeat visitors to the site

 

·       Name of cookie: _gat (Google)        

o   Statistical purpose(s):

o   Duration of storage: 1 day    

o   Country: USA           

o   Function: used by Google Analytics to regulate requests

 

·       Name of cookie: _gid (Google)       

o   Statistical purpose(s):

o   Duration of storage: 1 day    

o   Country: USA           

o   Function: registers a unique ID that is used to create statistical data about repeat visitors to the site

o    

 

·       Name of cookie: Collect (Google)   

o   Statistical purpose(s):

o   Duration of storage: session

o   Country: USA           

o   Function: used to send data about the visitor’s device and behavior to Google Analytics

III.               For what purposes do we process your data if you are a customer of ours or if you have a business relationship with us?

In the course of our business relationship with customers and business partners, we process data on the basis of contractual obligations (fulfilment of the contractual relationship with you, pre-contractual obligations, invoicing of services, dispatch of documents, communication for the purpose of fulfilling the contract) and legal obligations (legally required storage as outlined in § 132 of the Austrian Federal Fiscal Code (Bundesabgabenordnung – BAO); Digital Platforms Reporting Obligations Act; Article 6 (1) (b) and (c) GDPR) as well as on the basis of our legitimate interests or on the basis of the legitimate interests of third parties (Article 6 (1) (f) GDPR), namely

 

·       for the purpose of internal administration and management of your business case to the extent necessary (e.g. processing your business case, forwarding your business case to various departments, filing, archiving, correspondence with you);

 

·       for the retention of the commission;

 

·       for reporting obligations to the tax office or third parties requesting information; and

 

·       for pursuit and defense of legal claims,

 

in each case to the extent necessary. The processing of your data serves the initiation, maintenance and fulfilment of our business relations. If you do not provide us with this data, we will not be able to process your business case.

 

If applicable, we may process your data based on your voluntary, explicit consent (Article (6) (1) (a) GDPR).

 

IV.                     How long will your data be stored?

 

We will only store your data for as long as is necessary for the purposes for which we collected your data. In this context, there are legal retention obligations that must be considered (tax law, for example, requires that contracts and other documents from our contractual relationship be retained for a period of 7 years (§ 132 BAO)). In justified individual cases, such as for the pursuit and defense of legal claims, we may also store your data for up to 30 years after termination of the business relationship.

 

Data of interested parties is stored for up to 1 year from the date of the last contact by the interested party.

 

Master data for advertisements is stored for 1 year after the ad’s removal.

 

V.                        Who are possible recipients of your data?

 

In the course of our business relationship, it may be necessary for us to transfer your data to the following recipients:

 

·       Recipient(s): financial auditors and tax consultants

o   Purpose: tax advice

o   Legal basis: necessary for the performance of the contract

o   Country: Austria

o   Basis for transfer to third country: within the EEA

 

·       Recipient(s): interested parties/buyers

o   Purpose: contract fulfilment

o   Legal basis: necessary for the performance of the contract

o   Country: within the EEA

o   Basis for transfer to third country: within the EEA

 

·       Recipient(s): banks

o   Purpose: payment processing

o   Legal basis: necessary for the performance of the contract

o   Country: within EEA

o   Basis for transfer to third country: within the EEA

 

·       Recipient(s): lawyers, courts, arbitration boards

o   Purpose: pursuit and defense of legal claims

o   Legal basis: legitimate interests

o   Country: Austria

o   Basis for transfer to third country: within the EEA

 

·       Recipient(s): business partners

o   Purpose: processing of transactions

o   Legal basis: legitimate interests

o   Country: within the EU

o   Basis for transfer to third country: within the EEA

 

·       Recipient(s): insurance companies

o   Purpose: communication in the event of damages

o   Legal basis: legitimate interests

o   Country: within the EU

o   Basis for transfer to third country: within the EEA

 

·       Recipient(s): tax office

o   Purpose: documentation and reporting in accordance with the Austrian Digital Platforms Reporting Obligations Act (Digitale Plattformen-Meldepflichtgesetz – DPMG)

o   Legal basis: legal obligation

o   Country: Austria

o   Basis for transfer to third country: within the EEA

 

 

VI.               Collection of data from other sources (Article 14 GDPR)

 

In the course of a business relationship or the initiation thereof, it is naturally necessary to conduct research on the business partner. This is done exclusively to the extent necessary for this purpose. In this context, data may be retrieved and processed from the following sources:

 

Our company does not obtain data from third-party sources.

 

VII.            Do we use automated decision-making, including profiling (Article 13 (2) (f) GDPR)?

 

No automated decision-making, including profiling, is performed by our company.

 

VIII.          Which rights do you have with regard to data processing?

 

Provided you meet the legal requirements, we would like to inform you that:

 

·       You have the right to obtain information as to which of your data we process (Article 15 GDPR).

·       You have the right to obtain the rectification of inaccurate personal data and to have incomplete personal data completed (Article 16 GDPR).

·       You have the right to obtain the erasure of your personal data (Article 17 GDPR).

·       You have the right to object to processing of personal data that is necessary to protect our legitimate interests or those of a third party (Article 21 GDPR). This applies in particular with regard to the processing of your data for advertising purposes.

·       You have the right to receive a transfer of the personal data that you have provided in a structured, commonly used and machine-readable format.[CvP1] 

 

If we process your data on the basis of your consent, you have the right to withdraw your consent at any time by email. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal (Article 7 (3) GDPR).

 

IX.               What rights do you have to lodge a complaint?

 

If you feel that your right to lawful processing of your data has been violated, please contact us by post or email. We will make every effort to process the matter as quickly as possible. You also have the right to lodge a complaint with the supervisory authority for data protection matters with proper jurisdiction.

 

The address of the Austrian Data Protection Authority is:

 

Österreichische Datenschutzbehörde

Barichgasse 40-42,

1030 Wien

 

X.                  How can you contact us?

 

Please do not hesitate to contact our data privacy coordinator using the contact information below if you have any further questions regarding the processing of your data.

 

XI.               Data controller

 

The data controller as defined by Article 4(7) GDPR is:

 

Flash Chance GmbH

Tuchlauben 7A

1010 Wien

info@flash-chance.com

+43 664 9312 6900

 

Author of this privacy policy: Dr. Tobias Tretzmüller, LL.M.; www.digital-recht.at

 

Any use of this privacy policy, in whole or in parts, without the consent of the author constitutes a copyright infringement.