Privacy Policy
This privacy policy describes how we process personal data when you use our websites.
1. What are personal data?
Personal data is any information relating to an identified or identifiable natural person. This includes data that can be related to you personally, for example your name, address, email addresses and user behavior.
2. Responsible body and information on the data protection officer
The responsible body according to Article 4 No. 7 of the General Data Protection Regulation (GDPR) is Nilha Kapur, ROSENGOLD ATELIER, PO Box 26 01 07, 40094 Düsseldorf.
3. What personal data do we collect?
On our websites you can shop with us, find out about our company and the products we offer and contact us. Depending on which functions you use, we collect different data from you. The data and information we collect can be divided into the following categories:
Information collected automatically:
When you access and use our website, we automatically collect information, including personal information about you:
- Log files and device information: Log files and device information include data that your browser automatically transmits to our web server. These log files contain information about your IP address, the date and time of the request, the requested URL (specific page), access status/HTTP status code, the amount of data transferred, the website from which the request comes (referrer URL), the browser type and the browser language setting.
- Cookies: We use cookies and also allow third parties to use this technology on our website. Cookies are small units of information that your browser automatically stores in your computer’s memory. Cookies contain various data, such as information about the pages visited, the frequency of page views and the actions you perform on our website (such as the fact that you have shared our websites with one of your social networks). This data is pseudonymized using technical precautions, so that it is not easy for us to assign the data to a specific user.
- Web beacons: Web beacons are small graphics that are integrated into the source code of our website and our newsletter and are automatically loaded onto your device as soon as you access the website in question or open the newsletter. Similar to cookies, web beacons provide us with information about usage behavior.
Data and information you provide:
Some functions of our websites require you to provide personal data. This is the case, for example, when you place an order through our website, register for a customer account, contact us or otherwise interact with us.
- Profile data: This is personal data that you provide to us when you register for a customer account with us and information that you can save in your customer account. Profile data includes:
- Your first and last name, your email address, your password, your billing and delivery address, your order history
- To set up an account, you will need your name, email address and a password of your choice. Your email address and password will later be your login details. You can view and change your billing and delivery address at any time in your customer account.
- Communication data: When you contact us, we collect your communication data. Depending on how you contact us (e.g. by phone, email or via our contact form), we collect your name, address, telephone numbers, email addresses and similar contact details.
It is up to you what other data you share with us. We will endeavor to answer your query to your satisfaction as best we can and assure you that we will only use your personal data for the purpose corresponding to your query. However, we reserve the right not to fulfill your contact request without certain information required in individual cases. If necessary, we will contact you and request further data and information. The communication data also includes the content of the messages, for example if you send us a question about one of our products or use the rating or recommendation function for one of the products on our website. In addition to the personal data you provide, we also store the IP address of your device.
- Purchase and payment data: When you order something from us, we collect your purchase and payment data. Depending on the type of sale and processing status, this may include the following information:
- Order number: Details of the items purchased (name, purchase price, etc.), information on the (preferred) payment method, delivery and billing addresses, notices and communications relating to purchases (e.g. declarations of cancellation, complaints and messages to customer service), delivery and payment status, return status, information from service providers involved in the execution of the contract (in the case of mail order purchases, for example, shipment numbers from parcel service providers), IBAN and BIC or account number and bank code, credit card details, information that external payment service providers use for identification, such as your PayPal ID (if you pay with PayPal).
4. How do we use the data we collect from you? What is the legal basis for this use?
We use, store and process information, including personal data, about you for the following purposes and based on the following legal bases:
Provision, improvement, further development and security of the website: We use the log files and device information that we automatically collect from you to provide you with the website, including its functionalities. We also use this information and data to optimize our website and ensure the security of our IT systems. For this purpose, your IP address must be stored for the duration of the session.
We use log files as part of our legitimate interest in the availability and continuous development of our website. The legal basis for the use of log files and device information is Article 6 (1) (f) GDPR.
Google Webfonts (http://www.google.com/webfonts/) are used to visually improve the display of various information on this website. The webfonts are transferred to your browser’s cache when you visit the website so that they can be used for display. In addition to technical information about your device and the browser you use, your IP address is sent to resource-specific domains such as fonts.googleapis.com or fonts.gstatic.com. They are not associated with data that may be collected or used in connection with the parallel use of authenticated Google services.
You can set your browser so that the fonts are not loaded from the Google servers (e.g. by installing add-ons such as NoScript or Ghostery for Firefox). If your browser does not support Google Fonts or you prevent access to the Google servers, the text will be displayed in the system’s standard font.
Information on Google Webfonts’ privacy policy can be found at: https://developers.google.com/fonts/faq/privacy. General information on data protection can be found in the Google Privacy Center at: http://www.google.com/intl/de-DE/privacy/
The legal basis for the use of Google Webfonts is our legitimate interest according to Article 6 (1) (f) GDPR.
Provision of our online offer, purchase processing: We process your profile, purchase and payment data as well as communication data to the extent necessary in order to fulfil the contract and to provide and carry out the online offer you have requested (such as creating a customer account). The purposes of the data processing required in each case therefore depend on the purpose of the contract agreed with you (including our general terms and conditions) or the online offer you use. The most important purposes are:
- The provision and needs-based design of our online offering, in particular the web shop;
- Personalization of the online offering by setting up a customer account including the use of the rating function;
- The execution of purchase contracts and customer service including shipping and payment processing, accounts receivable management and the processing of returns, complaints and warranty cases;
- Ensuring the general security, operability and stability of our online offering, including defense against attacks;
- Non-promotional communication with you on technical, security and contract-related matters (e.g. fraud warnings, account blocking or contract changes).
If the purpose is to carry out a contract concluded with you or to provide a service requested by you, the legal basis is Article 6 (1) (b) GDPR. Otherwise, the legal basis is Article 6 (1) (f) GDPR, whereby our legitimate interests lie in the purposes mentioned above.
Communication: We use the communication data that we request from you or that you provide to us when you contact us in order to be able to answer and process your request quickly and in the best possible way. We also use the communication data to ensure security, but only in the event that a user spreads unauthorized comments and postings, e.g. insults or prohibited political propaganda. In this case, we could be held liable for the unauthorized comment. We therefore have an interest in identifying the true author of the respective comment or in contributing to their identification. The use of your data in the context of communication with you corresponds to our legitimate interest in accordance with Article 6 (1) (f) GDPR. If it is a specific inquiry about our products, your data will be used to execute the contract or to carry out pre-contractual measures at your request in accordance with Article 6 (1) (b) GDPR.
5. Will the data and information about me be shared with others?
To fulfil the aforementioned purposes, we work with a number of service providers, such as technical service providers (e.g. operation of data centers) or logistics companies (e.g. postal companies such as DHL). To the extent that we use these service providers as data processors, the service providers will only receive access to your data to the extent and for the period necessary to provide the respective service.
6. How long will my data be stored?
We only store the data you provide to us for as long as it is necessary to fulfil the purpose for which you have provided us with your data or to comply with legal requirements.
Log and device files are automatically deleted as soon as the respective session is ended. Log files for security purposes and as a precaution against attacks on our websites are automatically deleted after 7 days at the latest. The storage period of cookies varies depending on the type of cookie and depends on your browser settings. Analysis data collected and processed by Google Analytics is automatically deleted after 14 months.
If you close your customer account, we will delete all data stored about you. If a complete deletion of your data is not possible or not necessary for legal reasons, the data in question will be blocked for further processing, i.e. the access rights to this data will be restricted. This is the case, for example, with data that is subject to statutory retention periods, such as those under the German Commercial Code (HGB) and the German Fiscal Code (AO). The law obliges us to keep this data for tax audits and financial audits for up to ten years. Only then may we permanently delete the data in question. Even if your data is not subject to a statutory retention period, we can refrain from immediate deletion in cases permitted by law and instead initially block it. This applies in particular in cases where we may still need the data in question for further contract processing or legal prosecution or legal defense (e.g. in the case of complaints). The decisive criterion for the duration of the blocking is then the statutory limitation periods. After the relevant limitation periods have expired, the data in question will be permanently deleted.
7. Is data also transmitted to recipients outside the European Union or the European Economic Area (EEA)?
We also pass on personal data to processors based in non-EEA countries. In this case, before passing on the data, we ensure that the recipient either has an appropriate level of data protection (e.g. due to an adequacy decision by the EU Commission for the respective country or by agreeing the so-called EU standard contractual clauses with the recipient) or that sufficient consent has been given.
You can obtain an overview of the recipients in third countries and a copy of the specific regulations agreed to ensure an appropriate level of data protection from us. Please use the information in the Contact section for this purpose.
8. Automated decision-making
We do not use automated decision-making. However, our payment processors can use various algorithms for automated decision-making to prevent fraudulent transactions by customers. If the data and other parameters provided by the customer indicate that, for example, the payment method is stolen, the transaction will not be carried out based on the result calculated by the algorithm. We may receive a message from the payment processor asking us to decide whether the transaction should be carried out.
9. What rights do I have?
Under applicable data protection laws, you have the right to access, rectification, portability, erasure and restriction of processing of your personal data.
You have the right to revoke your consent at any time. You can revoke your consent to receive the newsletter or to use your data to receive the newsletter, including an analysis of user behavior in connection with the newsletter by the Klaviyo service, at any time by clicking on the corresponding unsubscribe button included in each newsletter or by sending us an email.
In the case of cookies, you can revoke your consent by deleting the cookies from your device using the corresponding functions of your browser. In addition, you can prevent cookies from being stored in various ways by setting your browser so that it does not accept cookies. However, we would like to point out that in this case you may not be able to use all functions of our website to their full extent.
You can also revoke your consent to the collection of data for advertising purposes with the respective provider:
- Logged-in users can deactivate the Facebook Custom Audience function at https://www.facebook.com/settings/?tab=ads#_.
- You can prevent data collection via Google Ads at https://adssettings.google.com/anonymous?sig=ACi0TChJPUjU9CBXYH84vwQu3AWAq7qsUOHhkz_yZloU_6uID82a5L4fG_WquLUwb6AUxglN1KTUXhoU5hlxT-ZHIA8BmINBQhl=de
To the extent that we process data based on our legitimate interest in accordance with Article 6 (1) (f) GDPR, you have the right to object to the processing of personal data. To assert your rights, please send us an email to contact@rosengoldatelier.de. Without prejudice to the rights set out above, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or place of the alleged infringement, if you believe that the processing of personal data concerning you violates the GDPR.