With regard to the processing of your personal data, you have the following rights - provided the legal requirements are met:

Right to information (Art. 15 DSGVO)

Right to rectification (Art. 16 DSGVO)

Right to erasure ("right to be forgotten") (Art. 17 DSGVO)

Right to restriction of processing (Art. 18 GDPR)

Right to data portability (Art. 20 GDPR)

Right to object (Art. 21 DSGVO)

Pursuant to Art. 21 No. 1 DSGVO, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Art. 6(1)(e) or (f) DSGVO, including profiling based on these provisions. Pursuant to Art. 21 No. 2 DSGVO, you have the right to object at any time to the processing of your personal data for direct marketing, including profiling, insofar as it is related to such direct marketing.

Detailed information on the legal basis of the processing can be found below.

Right to withdraw consent (Art. 7(3) DSGVO).

Right to complain to the supervisory authority (Art. 77 (1) DSGVO).

To exercise your rights, you can contact our data protection officer.

In connection with our online activities, various personal data are processed for different purposes. In the following, we inform you comprehensively about the specific circumstances of the respective processing of your personal data.

General information

In the context of tracking, personal data may also be processed which may relate to you personally. However, it is not possible for programs to be executed or viruses to be transmitted to your end device used.

When you visit our website, your browser uses so-called cookies. These are small text files that are stored on your hard drive. When you visit our website again, OUI can retrieve the stored cookie information. We use browser and Flash cookies and other common technologies such as counting pixels, pixel tags, web beacons or clear GIFs to track our users' use of our online services. These are used in the course of providing our Services. Generally, we refer to such technologies and cookies as "cookies".

Please note that you can generally prohibit the use of cookies or delete cookies already stored in the settings of your browser. For the specific procedure, please refer to the corresponding instructions of the manufacturer.

In summary, cookies and tracking technologies are referred to as "tracking technologies".

OUI uses different types of tracking technologies, specifically necessary tracking technologies, functional tracking technologies, tracking technologies for analytics purposes and tracking technologies for marketing purposes. Below you will find more information about these different types of tracking technologies.

Within our company, we only disclose your personal data to those bodies and persons who need this data to fulfil their contractual and legal obligations or to safeguard our legitimate interests. No automated individual decision-making within the meaning of Art. 22 DSGVO takes place.

1. Necessary tracking technologies

Some functions of our website cannot be offered without the use of technically necessary tracking technologies. We collect technical communication and usage data in these tracking technologies, such as the IP address, technical log information, log-in information if applicable, and a unique cookie/user ID that enables us to recognise you when you come back to our website or open our app.

The provision of your personal data is necessary to use the website. Please note that you will not be able to use the website to its full extent if you do not provide your data to the extent set out above.

2. Functional tracking technologies

Functional tracking technologies are used to provide you with a better browsing experience. These tracking technologies are not required, but they simplify your visit to the website by storing communication and usage data, such as font, country and currency settings, as well as a unique cookie/user ID that allows us to recognise you when you return to our website.

Providing your personal data is not required to use the website. Please note that it may have a negative impact on the presentation and user comfort (usability) if you do not provide your data to the extent mentioned above.

3. Tracking technologies for analytics

OUI uses various tracking technologies for analytics purposes, e.g. to better understand the use of the website and to improve the service. For this purpose, we collect technical communication and usage data, such as IP address, technical log information, log-in information if applicable, and a unique cookie/user ID that allows us to recognise you when you come back to our website. We also collect certain data in connection with your order as well as analysis data, i.e. aggregated data on the basis of which deductions are made.

The provision of your personal data is not necessary for the use of the website.

4 Tracking Technologies for Marketing Purposes

OUI uses various tracking technologies for advertising and targeted marketing purposes, i.e. e.g. to serve personalised advertisements. This also includes the use of tracking technologies from various social media providers, such as Facebook.

For this purpose, we collect technical communication and usage data, such as the IP address, technical log information, log-in information if applicable, and a unique cookie/user ID that enables us to recognise you when you come back to our website. We also collect certain data in connection with your order as well as analysis data, i.e. aggregated data on the basis of which deductions are made.

The provision of your personal data is not necessary for the use of the website.

During the purely informational use of the website, the browser used on your end device sends certain information to the server of our website for technical reasons, for example your IP address. We process this information to provide you with the content of the website that you have accessed. To ensure the security of the IT infrastructure used to provide the website, this information is also temporarily stored in a so-called web server log file. Furthermore, we provide you with various functions to support you during your visit to the website or the app (e.g. contact form, store locator). Depending on which functions you use, further data processing is carried out, which is also described below.

You will receive more detailed information below:

Details of the personal data that is processed.

Categories of personal data that are processed

Protocol data that are technically generated when the website is called up via the Hypertext Transfer Protocol (Secure) ("HTTP(S) data").

Personal data included in the categories.

On the website: IP address, type and version of your internet browser, operating system used, the page called up, the page previously visited (referrer URL), date and time of the call-up.

Obligation to provide the data

Provision is not required by law or contract or necessary for the conclusion of a contract. There is no obligation to provide the data.

If the data is not provided, we will not be able to provide the website content accessed.

Storage period

Data is stored in server log files in a form that allows the identification of the data subjects for a maximum period of 7 days, unless a security-relevant event occurs (e.g. a DDoS attack).

In the event of a security-relevant event, server log files are stored until the security-relevant event has been eliminated and fully clarified.

_____________________________________________________________________________________________________________

Categories of personal data processed

Data that you provided during a previous visit ("return data")

Personal data included in the categories

Information about the last products you visited, e.g. information about products you added to your wish list or shopping cart or the selected specification such as size and colour.

Obligation to provide the data

Provision is not required by law or contract or necessary for the conclusion of a contract. There is no obligation to provide the data.

In the event that the data is not provided, we will not be able to display information tailored to you.

Storage period

The data is collected by tracking technologies. Information on the storage period can be found on the website via the cookie banner/ cookie settings or in the app via the consent overlay/ consent settings.

_____________________________________________________________________________________________________________

Categories of personal data processed

For (optional) use of personalised size and fit recommendations and virtual try-on with avatar creation:

Data you provide in order to receive a personalised size recommendation, e.g. under the link "What is my size?" or "Try on now" or "Virtual fitting" ("personalised size data").

Personal data included in the categories

Body-related information such as height, shoulder width, arm length, hip circumference, weight, information on body type, preferred fit, photo/video recordings of your body, etc.

Obligation to provide data

Provision is not required by law or contract or necessary for the conclusion of a contract. There is no obligation to provide the data.

In the event that the data is not provided, we will not be able to provide the content accessed.

Storage period

The data is collected by tracking technologies. For information on the storage period, please refer to the website via the cookie banner/cookie settings or in the app via the consent overlay/consent settings.

_____________________________________________________________________________________________________________

Categories of personal data processed

In the case of (optional) use of the store locator or the "availability in the stores" function :Data that allows us to determine your location ("location data").

Personal data included in the categories

Location Data

Obligation to provide the data

Provision is not required by law or contract or necessary for the conclusion of a contract. There is no obligation to provide the data.

In the event that the data is not provided, we will not be able to provide the website content accessed.

Storage period

The data is processed to display your location or to determine the nearest store when you access either the map or the availability of products in our stores and share your location with our website in your browser. The data is not stored beyond this.

_____________________________________________________________________________________________________________

Categories of personal data processed

When (optionally) using the online chat, chat assistant or style advice:

Data that you provide to us in the online chat/via the style advice ("online chat data").

Personal data contained in the categories

All information in connection with your online chat, e.g. user ID, IP address, picture, audio,

communication content and time

Obligation to provide the data

Provision is not required by law or contract or necessary for the conclusion of a contract. There is no obligation to provide the data.

If the data is not provided, we will not be able to process your request.

Storage period

The voice or video calls are neither recorded nor stored.

The voice or video calls are neither recorded nor stored.

a) Data is stored until your request has been dealt with.

b) We store this data for evidence purposes for the possible assertion, exercise or defence of legal claims in addition for a transitional period of three years from the end of the year in which you provided us with the data and in the event of any legal disputes until their conclusion.

c) We also store this data in so far as legal, in particular commercial and tax law, retention obligations exist. Depending on the type of documents, there may be commercial and tax retention obligations of six or ten years (§ 147 of the German Fiscal Code (AO), § 257 of the German Commercial Code (HGB)).

d) Insofar as you use the co-browsing function, the image of your browser is not stored.

Insofar as the data is collected by tracking technologies, you can find information on the storage period on the website via the cookie banner/cookie settings or in the app via the consent overlay/consent settings.

_____________________________________________________________________________________________________________

Categories of personal data processed

In case of (optional) use of the contact form:

Data you provide to us in contact forms on the website ("contact form data").

Personal data included in the categories

First name, last name, street, house number, postcode, city, country, e-mail address, your request, your message (obligatory), title, telephone number, order number salutation (optional).

Obligation to provide data

Provision is not required by law or contract or necessary for the conclusion of a contract. There is no obligation to provide the data.

If the data is not provided, we will not be able to process your request.

Storage period

We store the data as previously described under a), b) and c).

_____________________________________________________________________________________________________________

Categories of personal data processed

In case of (optional) contact via other communication channels:

Data that you provide to us when you contact us ("contact data").

Personal data included in the categories

Depending on the communication channel: telephone number when calling by telephone, mobile phone number and user name when contacting by messenger (communication service provider),

e-mail address when contacting us by e-mail

In addition, the information you provide on the reason for contacting us.

Obligation to provide the data

The provision of data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation to provide the data.

In the event that the data is not provided, we will not be able to accept your request.

Storage period

We store the data as previously described under a), b) and c).

_____________________________________________________________________________________________________________

Categories of personal data processed

Data you share with us and our partners when you connect your Wallet to us or one of our partners ("Blockchain Data"). ("Blockchain Data")

Personal data included in the categories.

Wallet ID, User ID, public blockchain user information.

We do not store your private key. You are responsible for maintaining the confidentiality of your Wallet Information, including your private key.

Obligation to provide the data

In case of failure to provide the data, you will not be able to participate in Blockchain-related activities with us.

Storage period

Permanent storage of information within the Blockchain. At your request, only a disconnection from your Wallet ID to us is possible.

_____________________________________________________________________________________________________________

Categories of personal data processed

Log data that is generated for technical reasons when subscribing to push notifications ("Push Notification Log Data").

Personal data included in the categories are.

Date and time of subscription, push token, device ID, operating system.

Obligation to provide the data

Provision is not required by law or contract or necessary for the conclusion of a contract. There is no obligation to provide the data.

In case of non-provision of the data, you will not be able to subscribe for push notifications.

Storage period

We store this data for as long as you subscribe to push notifications.

In addition, we store this data exceptionally if and as long as we are subject to legal retention or documentation obligations for this data or as far as this is necessary for evidence purposes.

Purpose of the processing of personal data

Provision of the contents of the website accessed by the user.

Categories of personal data processed

HTTP(S) data

Legal basis and, where applicable, legitimate interests

Weighing of interests (Art. 6 para. 1 f) DSGVO). Our legitimate interest is the provision of the website content accessed by the user.

Recipients

Hosting provider

_____________________________________________________________________________________________________________

Purpose of the processing of personal data

Ensuring the security of the IT infrastructure used for the provision of the website, in particular for the detection, elimination and evidentiary documentation of faults (e.g. DDoS attacks).

Categories of personal data processed

HTTP(S) data

Legal basis and, if applicable, legitimate interests

Weighing of interests (Art. 6 para. 1 f) DSGVO). Our legitimate interest is to ensure the security of the IT infrastructure used to provide the website, in particular to detect, eliminate and document faults (e.g. DDoS attacks) in an evidential manner.

Recipients

Hosting provider

_____________________________________________________________________________________________________________

Purpose of the processing of personal data

Personalised display of information about payment and financing options depending on the contents of the shopping cart.

Categories of personal data processed

HTTP(S) data

Legal basis and, if applicable, legitimate interests

Consent (Art.6Abs.1a) DSGVO via the cookie banner on our website.

Recipients

Service provider

_____________________________________________________________________________________________________________

Purpose of the processing of personal data

Personalised display of information about payment and financing options depending on the contents of the shopping cart.

Categories of personal data processed

HTTP(S) data

Legal basis and, if applicable, legitimate interests

Consent(Art.6Abs.1a) DSGVO via the cookie banner on our website.

Recipients

Service provider

_____________________________________________________________________________________________________________

Purpose of the processing of personal data

Personalised display of information, e.g. on the attractiveness of our products, on current price or product changes as well as on equivalent or thematically related products and content, in order to tailor the website visit to the respective personal interests in the best possible way.

This also includes tracking the response behaviour to the personalised advertisements (e.g. click and purchase behaviour).

Categories of personal data processed

HTTP(S) data, return data, possibly your order form data.

Legal basis and, where applicable, legitimate interests

Consent(Art.6Abs.1a) DSGVO via the cookie banner on our website.

Recipients

Service provider

_____________________________________________________________________________________________________________

Purpose of the processing of personal data

Provision of a personal size and fit recommendation and creation of an individual avatar (only in DE, FR and UK).

Categories of personal data processed

Personalised size data

Legal basis and legitimate interests, if applicable

Consent (Art. 6 para. 1 a) DSGVO via the cookie banner or via a pop-up window on our website.

Recipients

Service provider

_____________________________________________________________________________________________________________

Purpose of the processing of personal data

To display your location or nearby stores.

Categories of personal data processed

Location data

Legal basis and, where applicable, legitimate interests

Weighing of interests (Art. 6 para. 1 f) DSGVO). Our legitimate interest is to support our customers in finding our stores. The data is only transmitted when you release it in the browser.

_____________________________________________________________________________________________________________

Purpose of the processing of personal data

Processing your request

Categories of personal data processed

Online chat data, contact form data or contacting data

Legal basis and, if applicable, legitimate interests

Consent (Art. 6 para. 1 a) DSGVO via the cookie banner on our website for the use of the chat tool .

Insofar as your enquiry concerns a contract to which you are a party, or concerns the implementation of pre-contractual measures: Art. 6 para. 1

b) DSGVO.

Otherwise: balancing of interests (Art.6Abs.1f) DSGVO). In this case, our legitimate interest is the processing of your request.

Recipients

Hosting provider, communication service provider if applicable.

_____________________________________________________________________________________________________________

Purpose of the processing of personal data

Optimising our customer service and improving customer satisfaction, e.g. by creating chat reports or conducting customer satisfaction surveys.

Categories of personal data processed

Contact data, contact form data, online chat data, purchase data, e.g. order value.

Legal basis and, if applicable, legitimate interests

Consent (Art. 6 para. 1 a) DSGVO or weighing of interests (Art. 6 para. 1 f) DSGVO). Our legitimate interest is to improve our customer service.

Recipients

Hosting provider, service provider

_____________________________________________________________________________________________________________

Purpose of the processing of personal data

Storage and processing for evidence purposes for the possible assertion, exercise or defence of legal claims.

Categories of personal data processed

Contact form data or contacting data, online chat data

Legal basis and, if applicable, legitimate interests

Art. 6 No.1 (f) DSGVO. After weighing the interests, our legitimate interest is the establishment, exercise or defence of legal claims.

_____________________________________________________________________________________________________________

Purpose of the processing of personal data

Display of push notifications with order information, shipping information, parcel tracking status as well as marketing content, provided you have agreed to receive push notifications within your mobile device.

Categories of personal data processed

Push notification log data, purchase data.

Legal basis and legitimate interests, if applicable

Consent (Art. 6 para. 1 a) DSGVO via the communication settings in our appor via the settings in your mobile device.

Recipients

Service provider, hosting provider,

_____________________________________________________________________________________________________________

There is no automated decision-making in the sense of Art. 22 DSGVO.

Recipient

Hosting provider, service provider

Role of the recipient

Processor/ Shared responsibility

Location of the recipient

EU

_____________________________________________________________________________________________________________

Recipient

Communication service provider

Role of the recipient

Responsible

Location of the recipient

Depending on your means of communication and location

_____________________________________________________________________________________________________________

Recipient

Service Provider

Role of the recipient

Processor

Registered office of the recipient

USA

Adequacy decision or appropriate or adequate safeguards for transfers to third countries and/or to international organisations.

The transfer is subject to the EU standard data protection clauses pursuant to Art. 46 (2) (c), (5) DSGVO.

In addition to the purely informational use of our website (described in section C.II.), you have the option of making a purchase via our Online Store, which triggers further data processing, which is described below. We process different personal data for the provision of different functions in our Online Store, for the conclusion and execution of purchase contracts and for the administration and collection of our purchase price claims.

You will find more detailed information on this below.

_____________________________________________________________________________________________________________

1. details of the personal data that is processed

_____________________________________________________________________________________________________________

Categories of personal data processed

Data that you provide to us in order to process your order ("order form data").

Personal data included in the categories

Salutation, first name, surname, address as well as your e-mail address

Obligation to provide the data

Provision is required for the conclusion of a purchase contract.

If you do not provide the data, you will not be able to purchase any items via our online store.

Storage period

a) We store the data until your order has been completely processed, i.e. until the goods have been dispatched.

b) We also store this data for evidence purposes for the possible assertion, exercise or defence of legal claims for a transitional period of three years from the end of the year in which you provided us with the data and, in the event of any legal disputes, until their conclusion.

c) We also store this data in so far as legal, in particular commercial and tax law, retention obligations exist. Depending on the type of documents, there may be commercial and tax law retention obligations of six or ten years (§ 147 of the German Fiscal Code (AO), § 257 of the German Commercial Code (HGB).

_____________________________________________________________________________________________________________

Categories of personal data that are processed

Technical data about the device used in the order ("device data").

Personal data included in the categories

On the website: browser type, type of device (e.g. iPad, iPhone, Android mobile), IP address

Obligation to provide the data

Provision is not required by law or contract or necessary for the conclusion of a contract. There is no obligation to provide the data. If the data is not provided, we will not be able to process your request.

Storage period

We store the data as described above under a) and b).

_____________________________________________________________________________________________________________

Categories of personal data processed

Data that you provide to us in the course of the payment process for your ordered items or in the course of a contract reversal for the purpose of repayment ("payment data").

Personal data contained in the categories

Indication of the selected payment method (e.g. PayPal, credit card, purchase on account, hire purchase, instant transfer, Amazon Pay, Santander, Amazon Pay), if applicable also details (e.g. user name of the account) to be provided for the respective payment method.

We may receive information from your chosen payment service provider about the confirmation or cancellation of the payment.

Obligation to provide data

Provision is necessary for the conclusion of a purchase contract or the reversal of a purchase contract.

In the event that the data is not provided, you will not be able to purchase any items via our Online Store.

Storage period

We store the data as described above under a), b) and c).

_____________________________________________________________________________________________________________

Categories of personal data processed

In case of (optional) use of PayPal, Santander, Amazon Pay:

Your contact details provided to us by PayPal, Santander, AmazonPay ("Payment Contact Data").

Personal data included in the categories

Salutation, first name, last name, address and your e-mail address.

Obligation to provide the data

Provision is required for the conclusion of a purchase contract via the PayPal, Santander, Amazon Pay and order channels.

If the data is not provided, you will not be able to purchase any items via this order channel.

Storage period

We store the data as described above under a),b) and c).

_____________________________________________________________________________________________________________

Categories of personal data that are processed

Information about your purchase that we need to process your order ("purchase data").

Personal data included in the categories

Details of the items purchased (item name, item number, quantity, size, colour, price, currency, order number), store version used, date and time of the respective purchase, selected payment method and shipping method, status of your order incl. information on the return of products

Obligation to provide the data

Provision is necessary for the conclusion of a purchase contract.

If the data is not provided, you will not be able to purchase any items via our Online Store.

Storage period

We store the data as described above under a), b) and c).

_____________________________________________________________________________________________________________

Categories of personal data processed

Information in transaction e-mails that we send for the (return) processing of your order, e.g.

Order receipt confirmation ("transactional email data")

Personal data contained in the categories

Order form data, purchase data, further content and time of the transactional e-mails.

Obligation to provide the data

Provision is necessary for the conclusion of a purchase contract.

If the data is not provided, you will not be able to purchase any items via our online store.

Storage period

We store the data as described above under a), b) and c).

_____________________________________________________________________________________________________________

Categories of personal data processed

Information about your responses to our transactional emails.

("response behaviour data").

Personal data included in the categories are.

Clicking and opening behaviour with date and time information

Storage period

We store the data for a period of one year after sending the email.

_____________________________________________________________________________________________________________

2. details on the processing of personal data

_____________________________________________________________________________________________________________

Purpose of the processing of personal data

Provision of our online store functions on the website

Categories of personal data processed

HTTP(S) data

Legal basis and legitimate interests, if applicable

Weighing of interests (Art.6Abs.1 f) DSGVO). Our legitimate interest is the provision of the website content accessed by the user.

Recipients

Hosting provider

_____________________________________________________________________________________________________________

Purpose of the processing of personal data

Conclusion and fulfilment of purchase contracts concluded via our online store or app.

This includes, in particular, the preparation of the dispatch of the goods ordered by you by the dispatch service provider selected by you as well as the determination of the delivery date and the dispatch of transaction emails to inform you about the respective status of your order.

This also includes registering a potential return with the relevant shipping service provider to provide a returns label for you.

Categories of personal data processed

Order form data, payment data, purchase data, transactional email data.

Legal basis and, where applicable, legitimate interests

Fulfilment of a contract (Art. 6 para.1b)DSGVO) or balancing of interests (Art. 6 para. 1 f) DSGVO). Our legitimate interest is the reversal of the purchase contract.

Recipients

Hosting provider, e-mail service provider, payment service provider, gift card service provider if applicable, shipping service provider.

_____________________________________________________________________________________________________________

Purpose of the processing of personal data

In case of (optional) selection of the Klarna payment methods "Invoice",

"Instalment purchase" and "Instant payment":

Provision of the aforementioned payment options for processing the purchase price payment.

Your data will be transmitted to Klarna. Klarna may carry out its own risk and fraud checks to determine whether the selected payment method can be offered. For this purpose, Klarna may process further personal data on its own responsibility. You can find out more about this and other data protection issues in connection with the Klarna payment methods in the Klarna data protection declaration. Questions regarding data processing within the framework of the Klarna-

payment methods should be addressed to Klarna. You can also find contact details for the relevant data controller and detailed information on your rights in the Klarna data protection information linked above.

Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden

Categories of personal data processed

Order form data, purchase data

Legal basis and legitimate interests, if applicable

Conclusion and performance of a contract (Art. 6 para. 1 b) DSGVO).

Recipients

Payment service provider

_____________________________________________________________________________________________________________

Purpose of the processing of personal data

In case of (optional) selection of the payment method Amazon Payments

Provision of the aforementioned payment options for processing the purchase price payment.

Your data will be transmitted to Amazon. Amazon may independently carry out a risk and fraud check to determine whether the selected payment method can be offered. For this purpose, Amazon may process further personal data on its own responsibility. You can find out more about this and other data protection issues in connection with Amazon payment methods in Amazon's data protection declaration. Questions regarding data processing within the framework of Amazon payment methods should be addressed to Amazon. You can also find contact details for the relevant data controller and detailed information on your rights in the Amazon data protection information linked above.

Amazon Payments Europe S.C.A. 38 Avenue J.F. Kennedy, L-1855 Luxembourg

Categories of personal data processed

Order form data, purchase data

Legal basis and, where applicable, legitimate interests

Conclusion and fulfilment of a contract (Art. 6 para. 1 b) DSGVO).

Recipients

Payment service provider

_____________________________________________________________________________________________________________

Purpose of the processing of personal data

In case of (optional) selection of the payment method PayPal

Provision of the aforementioned payment options for processing the purchase price payment.

Your data will be transmitted to PayPal. PayPal may independently carry out a risk and fraud check to determine whether the selected payment method can be offered. For this purpose, Amazon may process further personal data on its own responsibility. You can find out more about this and other data protection issues in connection with the Amazon payment methods in PayPal's data protection declaration. Questions regarding data processing within the framework of PayPal payment methods should be addressed to PayPal. You can also find contact details for the relevant data controller and detailed information on your rights in the PayPal data protection information linked above.

PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg

Categories of personal data processed

Order form data, purchase data

Legal basis and, where applicable, legitimate interests

Conclusion and performance of a contract (Art. 6 para. 1 b) DSGVO).

Recipients

Payment service provider

_____________________________________________________________________________________________________________

Purpose of the processing of personal data

In case of (optional) selection of the credit card payment option:

Provision of the credit card payment option for processing the purchase price payment. Credit card information is processed exclusively by our payment service provider, which is subject to strict information security measures.

Carrying out a fraud check to prevent credit card misuse. Various parameters are used - including the use of address data - to check the extent to which there is a risk of fraud/credit card misuse. If such a risk is identified, the customer must additionally verify his identity with the card issuer using the "3-D Secure procedure".

Categories of personal data processed

Order form data, purchase data, payment data, device data.

Legal basis and, if applicable, legitimate interests

Conclusion and fulfilment of a contract(Art.6Abs.1b)DSGVO) and balancing of interests (Art. 6 Abs. 1 f) DSGVO). Our legitimate interest is the prevention of fraud / credit card misuse.

Recipients

Payment service provider

_____________________________________________________________________________________________________________

Purpose of the processing of personal data

Address completion and validation

Categories of personal data processed

Address

Legal basis and, if applicable, legitimate interests

Initiation of a contract(Art.6Abs.1 b) DSGVO).

Recipient

Address validation provider

_____________________________________________________________________________________________________________

Purpose of the processing of personal data

Reversal of purchase contracts in the event of revocation or other reasons for reversal.

We will use the same means of payment that you used to pay the purchase price to refund the purchase price.

If you use our "Order from Store" service, pay directly at the checkout and decide to cancel your purchase, we will collect and use your bank details for the repayment of the purchase price, as we do not store the details of your payment at the checkout systems of our stationary stores. For this purpose, we will contact you by e-mail and inform you about the further procedure.

Categories of personal data processed

Order form data, payment data, purchase data, transactional email data.

Legal basis and, if applicable, legitimate interests

Fulfilment of a contract (Art. 6 para.1b)DSGVO) or balancing of interests (Art. 6 para. 1 f) DSGVO). Our legitimate interest in this case is the reversal of the purchase contract.

Recipients

Hosting provider,

E-mail service provider

_____________________________________________________________________________________________________________

Purpose of the processing of personal data

Retention of data to comply with legal, in particular commercial and tax law, retention obligations.

Depending on the type of documents, there may be retention obligations under commercial and tax law of six or ten years (§147 of the German Fiscal Code (AO), §257 of the German Commercial Code (HGB)).

Categories of personal data that are processed

Order form data, payment data, purchase data, transactional e-mail data.

Legal basis and, if applicable, legitimate interests

Fulfilment of a legal obligation(Art.6Abs.1c) DSGVO).

Recipients

Hosting provider

There is no automated decision-making in the sense of Art. 22 DSGVO.

_____________________________________________________________________________________________________________

3. details on recipients of personal data and transfer of personal data to third countries and / or international organisations

_____________________________________________________________________________________________________________

Recipients

Hosting provider, email service provider, address validation service provider, gift card service provider.

Role of the recipient

Processor

Recipient's location

EU

Adequacy decision or appropriate or adequate safeguards for transfers to third countries and/or to international organisations.

-

_____________________________________________________________________________________________________________

Recipient

Payment service provider

Role of the recipient

Responsible party / processor

Registered office of the recipient

EU

Adequacy decision or appropriate or adequate safeguards for transfers to third countries and/or to international organisations

-

In addition to the purchase via our online store, you have the option to purchase our products via sales platforms of other providers (Zalando, Amazon, etc.), so-called marketplaces, which triggers further data processing. We receive order form and purchase data from our respective marketplace partner, which we use for the processing of your order, e.g. preparation of the dispatch of the goods ordered by you, provision of shipping information/shipping tracking. We give your data to the shipping service provider selected by you or the Marketplace partner. The legal basis for this data processing on our side is contract performance (Art. 6 para. 1 b) DSGVO). We store the data until your order has been fully processed, i.e. until the goods have been shipped. In addition, we store this data for evidence purposes for any assertion, exercise or defense of legal claims beyond that for a transitional period of three years from the end of the year in which you provided us with the data and in the event of any legal disputes until their termination. We also store this data insofar as legal, in particular commercial and tax law, retention obligations exist. Depending on the type of documents, there may be retention obligations under commercial and tax law of six or ten years (§ 147 of the German Fiscal Code (AO), § 257 of the German Commercial Code (HGB).

The marketplace partner of the sales platform remains responsible for the processing of your data under data protection law. There is no joint processing of your data with the marketplace partner or on our behalf. Our marketplace partners have their own privacy policies, which can usually be found on their websites. We are not responsible for the privacy policies and data processing practices of the marketplace partners.

We use the service provider "Mapp", a renowned platform of Mapp Digital Germany GmbH, to send our newsletter. Mapp acts as our order processor. To ensure the security of your data, we have concluded a special order processing contract with "Mapp".

Our newsletters are equipped with "web-beacon" technology. When you open the newsletter, a pixel-sized file is retrieved that collects technical information - including details of your browser and system, your IP address and the time of retrieval. This information enables us to remind you of cancelled shopping basket transactions and to tailor our offers to your interests.

We would like to point out one important regulation in particular: If you are already a customer of ours and have ordered at least once in our online shop, we are allowed to send you a shopping basket reminder email without explicit consent according to §7 (3) UWG. This exception applies under the following conditions:

• Your email address may be used for direct marketing of our own similar products or services. The similarity of the products is important here, for example a meaningful connection between a pair of jeans and a jumper, but not between a pair of jeans and a washing machine.
• You have not objected to the use of your email address for this purpose.

In each shopping cart reminder email, we of course offer you a simple option to object to this use.

The processing of your data is based on your consent according to Art. 6 Para. 1 lit. a) DSGVO, which you give us during the registration process. You can revoke this consent at any time. You will find a corresponding revocation link at the end of each newsletter. After revocation of your consent, your data will be deleted, provided that there are no legal storage obligations to the contrary.

You can find more information about Mapp and its handling of data protection at https://mapp.com/privacy/. Detailed information on your further rights regarding data processing can be found in our general data processing principles under the section "Rights of the data subject".

We use a white-label solution from PAQATO GmbH, a third-party provider, to efficiently manage shipping communications. As part of this solution, we transfer certain customer data, including your email address, to PAQATO, which acts as a processor. In doing so, PAQATO acts on our behalf and in accordance with the provisions of the General Data Protection Regulation (GDPR). PAQATO is contractually bound to our instructions and may not use your data for other purposes. The communication in connection with the shipment takes place in our name.

The processing of your customer data as part of PAQATO's white label solution serves our legitimate interest in improving shipping notifications and customer service. We ensure that appropriate technical and organizational measures are taken to ensure the security of your data.

By using our services, you consent to the transfer of your data as part of PAQATO's white label solution. You have the right to revoke your consent at any time or to obtain information about the processing of your personal data. For more information on data processing and your rights, please see our full privacy policy.

In addition, PAQATO is subject to the provisions of its own data protection regulation.

OUI has taken various technical and organizational measures to ensure an appropriate level of data security when processing your personal data.

In order to ensure the confidentiality, integrity and availability of your personal data, OUI has taken, among others, the following technical and organizational measures (list not exhaustive):

• Encryption of personal data
• Pseudonymization of personal data
• Consistent application of the "need-to-know principle" (access to your personal data is strictly limited to those employees who need access in order to provide the requested products and services)
• OUI employees and service providers are bound by confidentiality obligations
• Implementation of numerous precautionary measures to protect your personal data from unauthorized access, loss or alteration
• Service providers contracted by OUI are contractually obligated to provide the same appropriate level of security.

All technical and organizational measures used by OUI always comply with the "state of the art".

STATUS AND MODIFICATION OF THIS PRIVACY INFORMATION

This privacy policy is effective immediately.

Service provider

Amazon Payments Europe S.C.A.38 avenue J.F. Kennedy, L-1855 Luxembourg

Type of service

Payment service

Data protection officer / privacy policy of the processing company

eu-privacy@amazon.co.uk

https://pay.amazon.de/help/201751600

Technologies used

Cookies

Collected data

Address, browser information, date of birth, device information, email address, first name, geographical location, IP address, last name, phone number, time zone, usage data, bank details, clickstream data, purchase details.

Legal basis

Art. 6 para. 1 p. 1 lit. b DSGVO

Place of processing

European Union

Retention period

Maximum limit for the storage of cookies: 1 year.

Transfer to third countries

USA

Data recipient

Amazon Payments Europe s.c.a. , Amazon Payments, Inc., Amazon.com, Inc.

_____________________________________________________________________________________________________________

Service provider

ImgIx

Zebrafish Labs Inc.

423 Tehama St, San Francisco, CA 94103, United States of America

Type of service

This service is used to optimize images in real time.

Data protection officer / privacy policy of the processing company

privacy@imgix.com

https://www.imgix.com/privacy

Used technologies

Cookies

Web beacons

Collected data

Browser type, Device information, Hardware/software type, IP address, Operating system information, Referrer URL, Time of access or retrieval, Unique device identifier, Mobile network information, Pages viewed.

Legal basis

Art. 6 para. 1 p. 1 lit. a DSGVO

Place of processing

USA

Retention period

Maximum limit for the storage of cookies: 1 year.

Transfer to third countries

Worldwide

Data recipient

imgix Inc.

_____________________________________________________________________________________________________________

Service provider

PayPal (Europe) S.à r.l. et Cie, S.C.A.

22-24 Boulevard Royal, L-2449 Luxembourg

Type of service

Payment service

Data protection officer / privacy policy of the processing company

https://www.paypal.com/uk/smarthelp/contact-us/privacy

https://www.paypal.com/de/webapps/mpp/ua/privacy-full#2

https://www.paypal.com/de/webapps/mpp/ua/cookie-full

Used technologies

Cookies

Collected data

Browser information, Credit and debit card number, First name, Geographic location, Internet service provider, IP address, Last name, Payment information, Purchase activity, Transaction information, Bank account information, Master and contract information, Password, TAN and checksum, Device type, Network connection type, Device information, Account information, Email address.

Legal basis

Art. 6 para. 1 p. 1 lit. a DSGVO

Place of processing

Worldwide

Retention period

Maximum storage period for cookies: 10 years

Transfer to third countries

Worldwide

Data recipient

PayPal (Europe) S.à r.l. et Cie, S.C.A, PayPal Group, PayPal Service Providers, Financial institutions

_____________________________________________________________________________________________________________

Service provider

Prismic Networks, Inc. 185 Alewife Brook Parkway, #410 Cambridge, MA 02138

Type of service

Content Delivery Network (Prismic)

Data protection officer / privacy policy of the processing company

https://prismic.io/legal/privacy

https://prismic.io/security

Technologies used

Determination of the loading speed of the respective page content

Collected data

To optimize the presentation of these web pages, in particular to increase the loading speed of the respective page content, we use the technology partner

Legal basis

The legal basis is Art. 6 para. 1 lit. f) DSGVO. The legitimate interest lies in the optimization and economic operation of the website.

Place of processing

Worldwide

Retention period

Period of the visit of the website

Transfer to third countries

Worldwide

Data recipient

Prismic Networks, Inc. 185 Alewife Brook Parkway, #410 Cambridge, MA 02138

_____________________________________________________________________________________________________________

Service provider

reCAPTCHA

Google Ireland Limited

Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland

Type of service

- Bot protection

- Spam prevention

- Fraud detection

Data protection officer / privacy policy of the processing company

Below you can find the email address of the data protection officer of the processing company.

https://support.google.com/policies/contact/general_privacy_form

Technologies used

Scripts

Collected data

Browser language, Browser plugins, Click path, Date and time of visit, IP address, User behavior, Time spent on a page, User input, Device information, Mouse movements, Geographic location, Device operating system.

Legal basis

Art. 6 para. 1 p. 1 lit. a DSGVO

Place of processing

European Union

Retention period

The data is deleted as soon as it is no longer required for the purposes of processing.

Transfer to third countries

- United States of America

- Singapore

- Taiwan

- Chile

Data recipients

The following is a list of the recipients of the data collected.

Alphabet Inc.

Google LLC

Google Ireland Limited

_____________________________________________________________________________________________________________

Service provider

Usercentrics GmbH

Sendlinger Str. 7, 80331 Munich, Germany

Type of service

This is a consent management service. On the website, Usercentrics GmbH is used as a processor for the purpose of consent management.

Data protection officer / privacy policy of the processing company

datenschutz@usercentrics.com

Technologies used

Local Storage

Pixel

Collected data

Opt-in and opt-out data, referrer URL, user agent, user preferences, consent ID, time of consent, consent type, template version, banner language, IP address

Legal basis

Art. 6 para. 1 p. 1 lit. c DSGVO

Place of processing

European Union

Retention period

The consent data (granted consent and revocation of consent) are stored for one year. The data will then be deleted immediately.

Transfer to third countries

-

Data recipient

Usercentrics GmbH

_____________________________________________________________________________________________________________

Service provider

Vimeo LLC

555 West 18th Street, New York, New York 10011, United States of America

Type of service

This is a service for viewing video content.

Data protection officer / privacy policy of the processing company

Privacy@vimeo.com

Technologies used

Cookies

Collected data

Browser information, Browser language, Browser type, Cookie information, Device information, Device operating system, Information from third-party sources, IP address, Pages visited, Referrer URL, Information users provide on the site, Search queries, Geographic location, Content viewed

Legal basis

Art. 6 para. 1 p. 1 lit. a DSGVO

Place of processing

USA

Retention period

Data is deleted as soon as it is no longer needed for the processing purposes.

Transfer to third countries

USA

Data recipient

Vimeo LLC

_____________________________________________________________________________________________________________

Service Provider

Appocalypsis 9AM INTERNET MEDIA LABS , V.DALLAS & SIA EE, Louizis Riankour 64, 11523 Athens

Type of service

With the Appocalypse Call Application, the web server automatically stores data (access data) in the form of a server log file, which contains, for example, the date and time of access, your IP address in shortened form and the requesting provider.

Data protection officer / privacy policy of the processing company

https://www.appocalypsis.com/terms

Technologies used

-

Collected data

-

Legal basis

Art. 6 para. 1 p. 1 DSGVO

Place of processing

Worldwide

Retention period

This access data is not evaluated and is automatically overwritten no later than seven days after the end of your visit.

Transfer to third countries

Worldwide

Data recipient

-_____________________________________________________________________________________________________________

Service provider

Conversion Linker - Google Ireland Limited

Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland

Type of service

This service stores click data to effectively measure conversions.

Data protection officer / privacy policy of the processing company

https://support.google.com/policies/troubleshooter/7575787?hl=en

Technologies used

Cookies

Collected data

IP address, usage data, pages viewed, referrer URL, cookie information, ads clicked, click path, clicks, date and time of visit.

Legal basis

Art. 6 para. 1 p. 1 lit. a DSGVO

Place of processing

EU

Retention period

Data is deleted as soon as it is no longer needed for the processing purposes.

Transfer to third countries

United States of America

Singapore

Chile

Taiwan

Data recipient

Google Ireland Limited

Google LLC

_____________________________________________________________________________________________________________

Service provider

Criteo SA

32 Rue Blanche, 75009 Paris, France

Type of service

This is an advertising service. It is used to create personalized ads for consumers

Data protection officer / privacy policy of the processing company

dpo@criteo.com

Technologies used

Cookies

Data collected

Browser information, click path, date and time of visit, device information, files viewed, location information, IP address, mobile advertising IDs, number of page views, products viewed, search terms, technical IDs, usage data, number of ads served, referrer URL

Legal basis

Art. 6 para. 1 p. 1 lit. a DSGVO

Place of processing

EU

Retention period

Technical data is retained for up to 13 months. Cookies expire 13 months after their last update.

Transfer to third countries

Worldwide

Data recipients

Subsidiaries

Affiliated companies

_____________________________________________________________________________________________________________

Service provider

Facebook Pixel - Meta Platforms Ireland Ltd.

4 Grand Canal Square, Grand Canal Harbour, Dublin, D02, Ireland

Type of service

This is a tracking technology offered by Facebook and used by other Facebook services. It is used to track interactions of visitors with websites ("events") after they click on an ad placed on Facebook or other services provided by Meta ("conversion").

Data protection officer / privacy policy of the processing company

https://www.facebook.com/help/contact/1650115808681298

Technologies used

Cookies

Pixel

Data collected

Ads viewed, Content viewed, Device information, Geographic location, HTTP headers, Interactions with ads, services and products, IP address, Items clicked on, Marketing information, Pages visited, Pixel ID, Referrer URL, Usage data, User behavior, Facebook cookie information, Facebook user ID, Usage/click behavior, Browser information, Device operating system, Device ID, User agent, Browser type.

Legal basis

Art. 6 para. 1 p. 1 lit. a DSGVO

Place of processing

EU

Retention period

Data must be deleted as soon as it is no longer needed for the specified processing purposes.

User interactions recorded on the websites are stored for no longer than two years. However, the data will be deleted as soon as it is no longer needed for the purposes of processing.

Disclosure to third countries

Singapore

United States of America

United Kingdom

Data recipients

Meta Platforms Ireland Ltd, Meta Platforms Inc.

_____________________________________________________________________________________________________________

Service provider

FACT Finder - Omikron Data Quality GmbH

Habermehlstr. 17, 75172 Pforzheim, Germany

Type of service

This is an e-commerce product search and navigation platform.

Data protection officer / privacy policy of the processing company

datenschutz@omikron.net

Used technologies

Cookies

Collected data

User ID, Session ID, Search information, Date and time of visit, Geographical location, Usage data, Keywords, IP address, Browser information, Device operating system, Referrer URL.

Legal basis

Art. 6 para. 1 p.1 lit. a GDPR

Place of processing

EU

Retention period

Data must be deleted as soon as it is no longer needed for the specified processing purposes.

Data shall be deleted as soon as it is no longer needed for the processing purposes.

Transfer to third countries

-

Data recipient

Omikron Data Quality GmbH

_____________________________________________________________________________________________________________

Service provider

Google Ads Conversion Tracking - Google Ireland Limited

Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland

Type of service

This is a conversion tracking service. This service records what happens after a click on an ad placed by us via Google Ads when users subsequently visit the website. With conversions, we measure whether users perform a certain action on the website (e.g. whether services are ordered) after clicking on an ad placed by us via Google Ads. This allows us to track which keywords, ads, ad groups or campaigns lead to the desired user interaction.

Data protection officer / privacy policy of the processing company

https://support.google.com/policies/troubleshooter/7575787?hl=en

Technologies used

Tracking Pixel

Tracking code

Collected data

Browser language, browser type, ads clicked, cookie ID, date and time of visit, IP address, referrer URL, web request, user behavior

Legal basis

Art. 6 para. 1 p. 1 lit. a DSGVO

Place of processing

EU

Retention period

Data must be deleted as soon as it is no longer needed for the specified processing purposes.

Data shall be deleted as soon as it is no longer needed for the processing purposes.

Transfer to third countries

United States of America

Singapore

Taiwan

Chile

Data recipients

Google Ireland Limited, Google LLC, Alphabet Inc

_____________________________________________________________________________________________________________

Service provider

Googel Analytics - Google Ireland Limited

Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland

Type of service

it is a web analytics service. It allows the user to measure advertising return on investment "ROI" as well as track user behavior with Flash, video, websites and applications.

Data protection officer / privacy policy of the processing company

https://support.google.com/policies/contact/general_privacy_form

Technologies used

Cookies, pixels, JavaScript, device fingerprint.

Collected data

Click path, date and time of visit, device information, location information, IP address, pages visited, referrer URL, browser information, host name, browser language, browser type, screen resolution, device operating system, interaction data, user behavior, URL visited.

Legal basis

Art. 6 para. 1 p. 1 lit. a DSGVO

Place of processing

EU

Retention period

Data must be deleted as soon as it is no longer needed for the specified processing purposes.

The retention period depends on the type of data stored. Each customer can choose how long Google Analytics stores data before it is automatically deleted.

Transfer to third countries

United States of America

Singapore

Chile

Taiwan

Data recipients

Google Ireland Limited, Alphabet Inc, Google LLC

_____________________________________________________________________________________________________________

Service provider

Googel Analytics 4 - Google Ireland Limited

Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland

Nature of the service

This service allows users to measure traffic and engagement on their websites and mobile apps using customizable reports.

Data protection officer / privacy policy of the processing company

https://support.google.com/policies/contact/general_privacy_form

Technologies used

Tracking code

Cookies

Collected data

Account data, anonymized IP address, bounce rates, browser information, click path, date and time of visit, device information, downloads, visit duration, location information, internet service provider, mouse movements, screen resolution, behavioral data, referrer URL, app updates.

Legal basis

Art. 6 para. 1 p. 1 lit. a DSGVO

Place of processing

EU

Retention period

Data must be deleted as soon as it is no longer needed for the specified processing purposes.

The customer can choose how long Google Analytics stores data. The maximum retention period is 26 months.

Transfer to third countries

United States of America

Singapore

Taiwan

Chile

Data recipients

Alphabet Inc, Google LLC, Google Ireland Limited

_____________________________________________________________________________________________________________

Service provider

Google Fonts - Google Ireland Limited

Gordon House, 4 Barrow St, Dublin 4, Ireland

Type of service

This is a collection of fonts for commercial and personal use.

Data protection officer / privacy policy of the processing company

https://support.google.com/policies/contact/general_privacy_form

Technologies used

API

Collected data

IP address, aggregated usage numbers, font request, referrer URL, CSS requests, user agent, browser information.

Legal basis

Art. 6 para. 1 p. 1 lit. a DSGVO

Place of processing

EU

Retention period

Data must be deleted as soon as it is no longer needed for the specified processing purposes.

Data shall be deleted as soon as it is no longer needed for the processing purposes.

Transfer to third countries

United States of America

Singapore

Taiwan

Chile

Data recipients

Alphabet Inc, Google LLC, Google Ireland Limited

_____________________________________________________________________________________________________________

Service provider

Google Maps - Google Ireland Limited

Gordon House, 4 Barrow St, Dublin 4, Ireland

Type of service

This is an integrated map service.

Data protection officer / privacy policy of the processing company

https://support.google.com/policies/contact/general_privacy_form

Technologies used

API

Collected data

Date and time of visit, location information, IP address, URL, usage data, search terms, geographic location.

Legal basis

Art. 6 para. 1 p. 1 lit. a DSGVO

Place of processing

EU

Retention period

Data must be deleted as soon as it is no longer needed for the specified processing purposes.

Data shall be deleted as soon as it is no longer needed for the processing purposes.

Transfer to third countries

United States of America

Singapore

Taiwan

Chile

Data recipients

Google Ireland Limited, Google LLC, Alphabet Inc

_____________________________________________________________________________________________________________

Service provider

Googel Tag Manager - Google Ireland Limited

Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland

Type of service

This is a tag management system. Using Google Tag Manager, tags can be integrated centrally via a user interface. Tags are small sections of code that can track activity. Script codes from other tools are included via the Google Tag Manager. The Tag Manager makes it possible to control when a particular tag is triggered.

Data protection officer / privacy policy of the processing company

https://support.google.com/policies/contact/general_privacy_form

Technologies used

Website tags

Collected data

Aggregated data about tag triggering

Legal basis

Art. 6 para. 1 p. 1 lit. a DSGVO

Place of processing

EU

Retention period

Data must be deleted as soon as it is no longer needed for the specified processing purposes.

The data will be deleted after 14 days after retrieval.

Transfer to third countries

Singapore

Taiwan

Chile

United States of America

Data recipients

Alphabet Inc, Google LLC, Google Ireland Limited

_____________________________________________________________________________________________________________

Service Provider

Microsoft Advertising - Microsoft Ireland Operations Limited

One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland

Type of service

This is a tracking and advertising service.

Data protection officer / privacy policy of the processing company

https://aka.ms/privacyresponse

Technologies used

Cookies

Web beacons

Collected data

Browser language, Ads clicked, Digital signature, GUID generated by UET tag, IP address, Microsoft click ID, Microsoft cookie, Page title, Referrer URL, Screen color depth, Screen resolution, UET ID tag, Page load time, Publisher/URL accessed

Legal basis

Art. 6 para. 1 p. 1 lit. a DSGVO

Place of processing

EU

Retention period

Data must be deleted as soon as it is no longer required for the specified processing purposes.

The data will be deleted as soon as it is no longer required for the purposes of processing.

Transfer to third countries

Worldwide

Data recipient

Microsoft Corporation

_____________________________________________________________________________________________________________

Service Provider

WhatsApp

Type of service

Instant messaging service

Data protection officer / privacy policy of the processing company

https://www.whatsapp.com/legal/privacy-policy-eea

Technologies used

WhatsApp uses various technologies to provide the instant messaging service, including the use of mobile apps for iOS and Android as well as a web application that can be used via a web browser on a computer or tablet. However, the exact technical structure and technologies used are not known in detail, as WhatsApp is a proprietary system and does not have an open architecture.

Collected data

Name, telephone number

Legal basis

https://www.privacyshield.gov/participant?id=a2zt00000011sfnAAA&status=Active

Place of processing

WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2,Irland

Retention period

The exact length of time WhatsApp retains data is not known as this depends on a number of factors, including the type of data and how it is used by the user. However, WhatsApp states that it only retains data for as long as is necessary for the purpose for which it was collected and to comply with legal obligations. When the data is no longer needed, WhatsApp deletes it or makes it unidentifiable. However, it does not specify exactly how long the data is kept.

Transfer to third countries

WhatsApp states in its privacy policy that it may share personal data with other companies within and outside the Facebook group of companies. This includes the transfer of personal data to countries outside the European Union (EU) and the European Economic Area (EEA), including the US. However, it should be noted that WhatsApp takes measures to ensure that personal data transferred outside the EU and EEA is adequately protected and that the transfer complies with applicable data protection laws. These measures include WhatsApp's participation in the EU-US Privacy Shield Framework, which aims to ensure an adequate level of data protection for personal data transferred from the EU to the US. However, it should be noted that the EU-US Privacy Shield Framework was invalidated by the European Court of Justice in 2020 and WhatsApp may use other mechanisms to ensure an adequate level of data protection.

Data recipient

WhatsApp states in its privacy policy that it may share personal data with other companies within and outside the Facebook group of companies, including companies that provide IT services, customer service, payment processing and other services. However, the exact recipients of the data are not specified.

_________________________________________________________________________________________________________

Service Provider

SAIZ GmbH, Nostiltzstr. 23, 10961 Berlin, Germany

Type of service

SAIZ, collects, processes and stores personal data from visitors to the website for the purpose of providing personalised size and fit recommendations, statistical analysis and business cost optimisation

Data protection officer / privacy policy of the processing company

https://www.saiz.io/datenschutz

Technologies used

Persistente Cookies

Collected data

Data that you provide in order to receive a personalised size recommendation such as age, gender, size in cm, chest circumference if applicable, hip circumference if applicable, waist circumference if applicable, weight, information on the body type and the body shape of visitors to the website. In addition, the IP address of the website visitor is stored.

Legal basis

Art. 6 Abs. 1 S. 1 lit. a DSGVO

Place of processing

EU

Retention period

The visitor's personal data is deleted as soon as the processing purposes for which it was collected have been achieved or you have withdrawn your consent to the data collection. For more information on the storage period, please refer to the website via the cookie banner / cookie settings.

Transfer to third countries

Worldwide

Data recipient

The data recipient of the collected data is SAIZ GmbH and its external service provider:

- DataDog Inc.

-Microsoft Corp.

-Google LLC

- Amazon Web Services Inc

In connection with the use of these service providers, we have ensured through appropriate agreements that the personal data collected is only stored on servers in the EU. However, it cannot be guaranteed with 100 percent certainty that no data will be transferred to a third country as a result of the use of service providers by SAIZ as their subcontractor. If personal data is processed in a third country, this may only take place if the special requirements of Article 44 ff. GDPR are met. This includes in particular the conclusion of standard data protection clauses (“EU-SCC”) and a so-called “Transfer Impact Assessment” (“TIA”) was carried out by SAIZ.

_________________________________________________________________________________________________________

Service Provider

Mapp Digital Germany GmbH

Type of service

Mapp Digital Germany GmbHThis is a platform for customer intelligence and digital marketing.

Data protection officer / privacy policy of the processing company

privacy@mapp.com

Technologies used

Persistente Cookies

Collected data

This list contains all (personal) data collected by or through the use of this service.

Browser information, Date and time of visit, Device information, Usage data, Clicked links, IP address, Referrer URL

Legal basis

Art. 6 Abs. 1 S. 1 lit. a DSGVO

Place of processing

EU

Retention period

Data are deleted as soon as they are no longer needed for the processing purposes.

Transfer to third countries

USA

Data recipient

Mapp Digital Germany GmbH, Mapp Digital US, LLC

_________________________________________________________________________________________________________

Service Provider

Wunderpen GmbH, Aroser Allee 76, 13407 Berlin

Type of service

Creation of automated, handwritten documents (e.g. postcards or letters) including labelling with text and (personal) address data plus possible enveloping

Data protection officer / privacy policy of the processing company

datenschutz@wunderpen.com

Technologies used

Self-developed writing robots are used to create handwritten postal mailings

Collected data

Gender, first name, surname, street, house no., postcode, town, country

Legal basis

Art. 4 No. 8 & Art. 28 of Regulation (EU) 2016/679 GDPR

Place of processing

EU

Retention period

Data is deleted as soon as it is no longer required for the processing purposes.

Transfer to third countries

-

Data recipient

The recipient of the data collected is Wunderpen GmbH and its external service providers:

• PORTFORMANCE GmbH, Bahnhofstraße 7, 92318 Neumarkt
• Bett Ingenieure GmbH, Ziegelbrennestr. 5, 70374 Stuttgart
• Couvert Versand Service GmbH, Blockdammweg 49, 10318 Berlin

_________________________________________________________________________________________________________

Service Provider

Innkeepr UG Senefelderstr. 35, 09126 Chemnitz, Germany

Type of service

Innkeepr allows usage data to be collected and analyzed for improved advertising purposes. It enables the integration of data from various tracking and analytics tools to optimize the targeting of advertising content.

Data protection officer / privacy policy of the processing company

Below you will find the contact details for the Data Protection Officer of the processing company. https://innkeepr.com/privacy

Technologies used

This list includes all technologies used by Innkeepr to collect data. Typical technologies include cookies, pixels, and website tags stored in the browser.

• Tracking pixels
• Cookies

Collected data

Innkeepr itself does not collect any personal data. However, users of the service have the option to submit personal data in connection with the collected usage data. The processing of such data is carried out in accordance with the respective customer's specifications and in compliance with applicable data protection regulations.

Legal basis

Art. 6 Abs. 1 S. 1 lit. a DSGVO

Place of processing

EU

Retention period

unlimited

Transfer to third countries

-

Data recipient

Innkeepr UG Senefelderstr. 35, 09126 Chemnitz, Germany

_________________________________________________________________________________________________________

Service provider

hellomateo (Mateo Estate GmbH)

Type of service

Software as a Service (communication and contact management)

Data protection officer / privacy policy of the processing company

heyData GmbH datenschutz@heydata.eu | www.heydata.eu

Technologies used

WhatsApp Business API AWS (EU-Central-1)Encryption, VPN, Firewall

Collected data

Name, title, phone, email, Communication metadata, Product interest

Legal basis

Art. 6 para. 1 p. 1 lit. b DSGVO

Place of processing

Germany / EU

Retention period

Defined by the client, deletion concept exists

Transfer to third countries

Yes, with safeguards (SCCs or DPF)

Data recipient

Sub-processors listed in the AVV

We would like to inform you that your personal data that you provide to the partner company [list of partner companies] or that is collected during your interaction with our services is automatically transmitted to the OUI Group and its affiliated companies (hereinafter referred to as the OUI Group). The OUI Group works closely with [list of partner companies] to provide you with our products and services.

The transfer of your data to OUI Group is for operational and business reasons to ensure efficient administration of our services, customer support, analysis of sales data and other business purposes.

OUI Group will handle your data in accordance with its own privacy policy, which you can view on our website www.oui.com/datenschutz or on request. We would like to emphasis that your data will be treated with the same care and confidentiality by OUI Group as by [list of partner companies]

If you have any questions about data processing or the transfer of your data to the OUI Group, please do not hesitate to contact us. Your data protection rights are important to us and we endeavor to protect your privacy.

Voluntariness and revocability of your consent

Your consent is completely voluntary and can be withdrawn at any time without giving reasons. You can inform us of a cancellation at any time. Withdrawing your consent does not affect the lawfulness of the processing of your data that has taken place on the basis of your consent up to the point of withdrawal.