Skip to main content

OUT NOW: The woom EXPLORE for kids aged 6–14 – discover it here!

PRIVACY NOTICE

Thank you very much for visiting our website. We take the protection of your personal data very seriously. That is why we process your personal data exclusively in compliance with the legal provisions of the General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG) and the Austrian Telecommunications Act (TKG). This privacy notice explains how we use your personal data when you visit our website https://woom.com/en_INT (hereinafter referred to as the "website").

1. Controller

woom GmbH
Muthgasse 109 A, 1190 Vienna, Austria
Telephone number: +43 800 404 332
Email address: [email protected] (please also refer to the legal information on our website)

Hereinafter referred to as "woom", "we" and "us"


2. The personal data (information that relates to you as an identified or identifiable natural person) we process and the purpose and legal basis for processing that data

2.1 Website visits

If you just browse our website and do not provide us with any information beyond that, we will only collect the personal data transferred to our server by your browser. We only collect the following data that is required for technical reasons because it allows us to display our website and ensure that our website is stable and secure (the legal basis is Art 6 (1) (f) of the GDPR): IP address, date and time of access, time zone difference to Greenwich Mean Time (GMT), specific page visited, access status/HTTP status code, volume of data transferred, referring website, browser, operating system and interface, language and version of browser software.

In addition to the above data being processed, cookies are also stored on your computer when you use our website. Cookies are small text files that are stored on your hard drive and assigned to the browser you are using. They provide specific information to the entity placing the cookies (us in this case). Cookies cannot be used to run programs or deliver viruses to your computer. Their purpose is to improve the website and the user experience. More information about cookies appears in a popup when you first access our website. You can accept and reject certain cookies by updating your browser settings.

We also include content from third parties on our website (such as links, pixels and plugins) to allow us to provide our services. For technical reasons, when you access that content on our website, electronic identification data is sent automatically to third parties. Those third parties can then process that data in their own right. This data primarily includes your IP address and browser settings as the user. When you use the Controller's social media channels, the primary contractual relationship is between you and the relevant provider. Further information on this is provided below.

2.2 Contact with us

If you get in touch with us via the contact form on our website, via email or over the phone, we process the personal data you voluntarily provide us (e.g. your name and contact details) and the content of your message. We need this data to process your enquiry and, in the event of further questions, to fulfill our precontractual/contractual duties as per Art. 6 (1) (b) of the GDPR. We only store this data for as long as it is needed to fulfill its specific purpose. After that point, we delete the data or restrict its processing if there is a statutory requirement to store it for longer.

Further details are provided below to explain how your data is processed and how long it is stored for in the event that we need to commission service providers to enable specific features on our website or if we intend to use your data for marketing purposes.

2.3 Orders in our online shop

If you place an order in our online shop, we process your name, email address, telephone number, address and payment details to process and fulfill your order. Again, we process your data in this way to fulfill our precontractual/contractual duties under Art. 6 (1) (b) of the GDPR. Information that must be provided because it is not possible for us to fulfill our contractual duties without it is marked as mandatory. You are not required to provide any other information but can do so voluntarily. We may use third-party services to enable us to fulfill our contractual duties, especially when it comes to processing payments. In this case, we will share your personal data with those third parties, usually payment providers. SSL/TLS encryption is always used for transactions processed using standard means of payment (Visa/MasterCard, direct debit). Encrypting your payment data in this way protects it so that third parties cannot access it. Transactions made through the specified payment providers are subject to the contractual terms and data protection provisions of those payment providers.

We use the following payment services/providers for our online shop:

  • PayPal: Provided by PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg (hereinafter referred to as "PayPal"). Privacy statement available at https://www.paypal.com/us/legalhub/privacy-full.
  • Apple Pay: Provided by Apple Inc., Infinite Loop, Cupertino, CA 95014, USA. Security and privacy overview available at https://support.apple.com/en-us/HT203027.
  • Google Pay: Provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy policy available at https://policies.google.com/privacy.
  • Klarna: Provided by Klarna AB, Sveavägen 46, 111 34 Stockholm, Sweden (hereinafter referred to as "Klarna"). Klarna provides a number of payment options (such as payment in installments). If you choose to pay with Klarna (Klarna Checkout solution), Klarna will collect your personal data. Klarna uses cookies to optimize the user experience of its Klarna Checkout solution. You can read more about how Klarna uses cookies at https://www.klarna.com/us/cookies/ and consult the Klarna privacy policy at https://www.klarna.com/us/privacy/.
  • eps: "eps" is a payment method offered by Austrian banks in partnership with PSA Payment Services Austria GmbH (PSA), Handelskai 92, Gate 2, 1200 Vienna, Austria. eps transfers are only available to customers who are based in Austria and paying in euros. If you decide to pay using this payment method, you will be redirected to the eps website and presented with a list of Austrian banks that offer the payment method. Once you have selected your bank, you will be connected to its online banking service. The data required to process the payment, such as the amount to be paid, the purpose of the payment and the recipient, is transferred automatically so that all you have to do is approve the payment with a TAN (transaction authentication number). Security is not compromised when this data is transferred because the ordering process is kept strictly separate from the payment process. Further details are available (in German only) at https://www.eps-ueberweisung.at/. Data protection information is available from PSA at: https://eservice.psa.at/en/datenschutzerklaerung.html.

We are required by commercial and tax law to store your address, payment details and order details for seven years. However, we do restrict processing of your data after two and a half years (at the end of contractual claims), which means that your data is not being processed and is just being stored to comply with statutory requirements.

2.4 Our "upCYCLING" customer loyalty scheme

If you choose to join our customer loyalty scheme, we process your name and payment details to manage your membership. We also process your address and contact details so we can send you your membership card. We process your data in this way to fulfill our precontractual/contractual duties under Art. 6 (1) (b) of the GDPR.

2.5 Competitions and events

We regularly organize competitions and events for our customers. In order to participate, you can register on our website or by email. If you do so, we process your name, your contact details (e.g. email address and telephone number) and your address for the purpose of organizing and running the event. Some competitions also require you to submit an entry (e.g. in photo or text form). In that case, we need to process the entries in order to pick a winner. We process your data in this way to fulfill our precontractual/contractual duties under Art. 6 (1) (b) of the GDPR and to comply with the legal obligations associated with competitions as per Art. 6 (1) (c) of the GDPR (e.g. competition taxes). If we process any further data as part of a competition or event, we will inform you separately.

2.6 Customer surveys

We conduct customer surveys in order to constantly develop and improve our products.

2.7 Management of contractual relationships with customers arising from warranty agreements; handling of warranty claims

Conclusion of warranty agreements: Some of the controller's products include manufacturer warranties. Once a warranty agreement has been registered or a warranty claim has been submitted, the warranty agreement provides the legal basis for data processing.

2.8 Newsletter

We send out a newsletter to keep you updated about our products and services and invite you to participate in events and competitions.

If we send you our newsletter in the post, we process your name and address. We have a legitimate interest in processing your personal data for the purpose of direct marketing in accordance with Art. 6 (1) (f) of the GDPR.

You also have the option of subscribing to our personalized digital newsletter. Based on your voluntary consent, we process your name, email address, preferred language and information about your buying habits and consumer behavior so that we can provide you with relevant and interesting information by email about our company, our products and our services. The products and services being advertised are specified in the declaration of consent. The legal basis is your consent as per Art. 6 (1) (a) of the GDPR. We also process your IP address, your preferred email client, the sign-up source and campaign-related details (receipt, open and click rates) to track the success of our newsletter. You can revoke your consent with immediate effect at any time without providing a reason by contacting us directly or by clicking on the unsubscribe link in the email.

2.9 Voucher offers from Sovendus GmbH

We share your email address and IP address with Sovendus GmbH, Hermann-Veit-Str. 6, 76135 Karlsruhe, Germany (hereinafter referred to as "Sovendus"), so that an appropriate voucher offer can be selected for you (Art. 6 (1) (f) of the GDPR). Sovendus will use your email address to check whether you have objected to your data being processed for direct marketing purposes (Art. 21 (3) and Art. 6 (1) (c) of the GDPR). Sovendus will use your IP address for the sole purpose of guaranteeing data security and will usually anonymize it after seven days (Art. 6 (1) (f) of the GDPR). We will also share your order number, order value and currency, session ID, coupon code and time stamp with Sovendus for billing purposes (Art. 6 (1) (f) of the GDPR).

If you are interested in a voucher offer from Sovendus, you have not objected to your personal data being processed for direct marketing purposes under your email address and you click on the voucher banner being displayed to you, your title, name, postcode, country and email address will be shared with Sovendus so that your voucher can be prepared (Art. 6 (1) (b) and (f) of the GDPR).

You can read more about how Sovendus processes your data in the online privacy policy available at https://online.sovendus.com/en/online-privacy-notice/.

2.10 "Refer a Friend" scheme

If you wish to take part in our referral scheme, you have to register on the platform first. User accounts and personal data identifying you are processed as part of the registration process. The technical infrastructure is provided by the software provider Code 57, Ksiecia Witolda 46/27, Poland, which involves technical data being transmitted. The software provider has access to the data when support needs to be provided. Data including your user account and electronic and personal data identifying you also has to be processed in order for the infrastructure to be provided. You will also be provided with a code that you can share with others to receive discounts or other benefits when placing an order. Digital identification data is stored for this purpose. The data specified above has to be processed for the performance of a contract (legal basis as per Art. 6 (1) (b) of the GDPR). Where support needs to be provided, the legal basis for data processing is a legitimate interest on the part of woom (as per Art. 6 (1) (f) of the GDPR).

There is no intention for this data to be transferred to a third country.

2.11 Website usage data

When you visit our website, we store your IP address for seven days in order to prevent targeted attacks that overload servers (denial of service attacks) and other damage to our systems. The legal basis for processing your data in this way is our overriding legitimate interest in keeping our website working and secure as per Art. 6 (1) (f) of the GDPR in conjunction with Section 96 (3) of the TKG.

3. Automated decision-making

Customers are not subject to automated decision-making that will have a legal effect on them.

4. Purpose limitation

woom will only ever process personal data for the purpose for which it was originally collected.

5. External data recipients

We share your personal data with the following external service providers (data processors) where necessary:

  • IT service providers and/or providers of services such as data hosting and data processing
  • Other service providers and providers of software solutions and tools (e.g. newsletter sending services, survey tools, marketing service providers) that we commission to support us in providing our services

We take great care when selecting all our data processors. They only ever process your data on our behalf and on the basis of our instructions for providing the services specified above. We monitor our data processors regularly. You can submit a request to be provided with a list of data recipients at any time by contacting us using the details provided.

We also share your personal data with the following recipients where necessary:

  • Third parties we rely upon to fulfill our obligations to you (e.g. banks for processing payments and parcel service providers for delivering orders)
  • Other external third parties as required, based on our legitimate interests (e.g. auditors, insurance providers and legal representatives)
  • Authorities and other government offices as required by law (e.g. financial authorities and data protection authorities)

If we process your data in a third country outside of the European Union (EU) or the European Economic Area (EEA), or if your data is processed through the use of third-party services, it will only be to the extent required for us to fulfill our precontractual/contractual duties or our legal obligations or on the basis of your consent or our legitimate interests. We have implemented appropriate and adequate safeguards to ensure that the transfer of your data to the respective third country is carried out in conformity with data protection regulations (e.g. adequacy decisions, binding corporate rules and agreement on standard privacy protection clauses). This does not apply to stamped.io – please refer to Section 2.9 for further information. We need your consent before we can transmit your data to this service provider. You have the right to withdraw that consent at any time. You can request that we send you a copy of these safeguards if we are processing your data or having your data processed in a third country.

6. Social plugins and analytics tools

There are links to social plugins (hereinafter referred to as "plugins") on our website. We do not collect any personal data in relation to these plugins or your use of them. It is, however, possible that data about you as a visitor to our website is collected, transferred to the relevant service provider and linked to other data by them via the plugins. We use the Shariff solution on our website to stop data being transferred to service providers without your knowledge. This means that plugins are initially displayed as an image. The image includes a link to the service provider's website, but you have to click on the image to be taken to that website. No personal data is shared automatically with the plugin provider. When you click on the image, the service provider will be told that you have visited our website. You do not need to be logged in or even have a user account with that service provider for them to receive that information. We have no say on whether and to what extent the service provider collects personal data. We do not know which personal data is processed or how it is processed or used. We have no insight into the purpose of data processing or how long data is stored for. You will need to refer to the privacy policy provided on the service provider's website to find out this information along with details on your rights as a data subject and your options for changing the settings.

Embedded YouTube videos

We have embedded YouTube videos into our website. These videos are stored on http://www.YouTube.com and can be played directly from our website. All these videos are embedded in privacy-enhanced mode, which means that none of your personal data is transferred to YouTube if you do not play the videos. Your data is only transferred if you play the videos. We do not have any control over this data transfer.

When you play a video on our website, YouTube will be informed that you accessed the corresponding page on our website. The data listed below will also be transferred to YouTube. This will happen whether you have a YouTube account or not and whether you are logged into your YouTube account or not. If you are logged into Google, your data will be linked directly to your account. If you do not want your data to be linked to your YouTube profile, you must remember to log out before clicking on the play button. YouTube saves your data as a usage profile and uses it for advertising, market research and/or customization of what is displayed on its website. Usage is analyzed (even when a user is not logged in) primarily to provide targeted advertising and to tell other users of the social media platform about your activities on our website. You have the right to object to the creation of these usage profiles by contacting YouTube directly.

Further information about the purpose and scope of data collection and the processing of your personal data by YouTube is provided in the YouTube Privacy Policy. You can also find out more about your rights and how to adjust your privacy settings at https://policies.google.com/privacy. Google also processes your data in the USA. Google is subject to the EU-US Data Privacy Framework. https://www.dataprivacyframework.gov

Google Analytics

We use Google Analytics to analyze the use of our website. The data collected is used to optimize our website and our advertising. Google Analytics is a service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Google processes data relating to the use of our website on our behalf and is contractually committed to taking steps to ensure the data processed is secure and confidential.

Types of data processed: When someone is visiting the website, the data collected includes the following: pages visited, order details including the value and products ordered, website actions taken (e.g. contact requests and newsletter subscriptions), interaction with the website (e.g. session duration, clicks, scroll depth), rough location of the visitor (country and town/city), IP address (truncated for anonymization), technical details (e.g. browser, internet provider, device and screen resolution), traffic source (i.e., which website or which advert originally drove the visitor to our website).

This data is transferred to Google servers in the USA. Google is subject to the EU-US Data Privacy Framework. https://www.dataprivacyframework.gov

The data transferred to Google Analytics does not include names, addresses or contact details. Google Analytics stores cookies on the user's web browser for two years after their last visit to our website. These cookies contain a randomly generated user ID that makes it possible to recognize the user when they visit the website again in the future.

The data collected is stored with the randomly generated user ID, making it possible to analyze anonymized usage profiles. This usage data is deleted automatically after 14 months. Other data is stored indefinitely in aggregated form.

If you do not want your data to be collected in this way, you need to install the opt-out browser add-on to disable Google Analytics or reject cookies in our cookie banner dialogue box.

influence.vision tracking tool

Web analytics services are mainly used to analyze website visitor numbers and optimize online marketing campaigns. The following personal data can be processed by influence.vision: online identifiers, including cookie IDs, IP addresses, device information, customer identifiers, referrers and transaction data. This data can also be used to analyze and optimize the success of marketing campaigns and their return on investment, with information being provided about the products visitors to the website are ordering and which other actions they took (this is known as conversion tracking). Cookies are used here so that a web browser can be recognized when it is used to visit the website again. Unique online identifiers known as cookie IDs may be stored on your device in these cookies. More information about cookies appears in a popup when you first access our website. You can accept and reject certain cookies by updating your browser settings.

7. Storage period

We only store your data for as long as it is needed to fulfill its specific purpose (e.g. until our business relations have come to an end or our contractual duties have been fulfilled). Personal data (especially the IP address) of (non-registered) website users will be stored for seven days for reasons of IT security and will subsequently be deleted.

If you sign up for our customer loyalty scheme, we store your data for six months after you cancel your membership.

Data required for us to fulfill our accounting (Section 190 and 212 of the Austrian Commercial Code) and tax obligations (Section 132 of the Austrian Federal Tax Code) within the context of our contractual relationship is stored for seven years. If you sign up for our customer loyalty scheme, we continue to store the associated data for seven years after you cancel your membership.

If you sign up for our customer loyalty scheme, we store your data for six months after you cancel your membership.

We store any data associated with your enquiries for six months to allow us to respond to any questions or queries. Data associated with competitions and events is stored until the corresponding competition or event has ended provided that there are no requirements to store it for longer under commercial or tax law.

If you have subscribed to our newsletter, we will continue to process your data until you revoke your consent or object to us processing your data in this way. Otherwise, we will delete your data no later than six months after the last contact.

Data may be stored for longer than specified if required to assert our legal rights or defend against legal claims. In that case, the data will be stored based on our legitimate interests as per Art. 6 (1) (f) of the GDPR.

You can read more about statutory requirements to store data in Austria here (available in German only): https://www.wko.at/service/wirtschaftsrecht-gewerberecht/eu-dsgvo-speicher-und-aufbewahrungsfristen.html

8. Rights of data subjects

You have the right to receive information about whether and to what extent your personal data is being processed.

You have the right to ask for inaccurate personal data to be corrected and incomplete personal data to be completed without delay. You also have the right to ask for your personal data to be erased without delay provided that the reasons defined in Art. 17 (1) of the GDPR are met.

You have the right to restrict the processing of your personal data provided that the reasons defined in Art. 18 (1) of the GDPR are met.

You have the right to object to the processing of your personal data on the basis of an overriding legitimate interest. You also have the right to withdraw your consent with immediate effect at any time without providing a reason.

You also have the right to receive personal data you have provided in a structured, commonly used and machine-readable format.

9. Right to lodge a complaint

Data subjects have the right to lodge a complaint with the supervisory authority if they believe that the processing of their personal data violates this regulation.

Supervisory authority

Austrian Data Protection Authority
Barichgasse 40–42
1030 Vienna, Austria
Telephone number: +43 1 52 152-0
Email address: [email protected]

Before you lodge a complaint with the supervisory authority or if you have any other questions relating to data protection, you can get in touch with us at any time using the contact details provided above in Section 1.