Thank you very much for visiting our website. We take the protection of your personal data very seriously. That is why we process your personal data exclusively in compliance with the legal provisions of the General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG), the Austrian Telecommunications Act (TKG) and any other applicable national data protection laws. This privacy policy explains exactly how we collect and process your personal data when you visit our website https://woom.com/en_INT (hereinafter referred to as the "website"), including the types of data, the legal bases and the purposes.

CONTROLLER

woom GmbH
Muthgasse 109 A, 1190 Vienna, Austria
Telephone number: +43 800 404 332
Email address: [email protected] (you can also refer to the legal information provided on our website),
hereinafter referred to as "woom", "we" and "us"

DATA PROTECTION OFFICER

dsgvoschutzteam.com - Lukmann Consulting GmbH
Packerstraße 131a
8561 Söding, Austria
Telephone number: +49 7223 95 666 77
Email address: [email protected]

1.            GENERAL INFORMATION ON DATA PROCESSING

1.1          LEGAL BASIS
Where the legal basis is not specified in the privacy policy, this clause applies. The legal basis for obtaining consent is Art. 6 (1) (a) in conjunction with Art. 7 of the GDPR. The legal basis for processing data in order to provide our services, perform a contract and respond to requests is Art. 6 (1) (b) of the GDPR. The legal basis for processing data in order to comply with our legal obligations is Art. 6 (1) (c) of the GDPR. If it is necessary to process personal data for the purpose of legitimate interests pursued by our company or a third party – except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject – Art. 6 (1) (f) of the GDPR provides the legal basis for processing that data. Where it is necessary to process personal data to protect the vital interests of the data subject or another natural person, Art. 6 (1) (d) of the GDPR provides the legal basis.

1.2          DIRECT MARKETING

woom also processes customer data (but not personal data relating to children or special categories of personal data specified in Art. 9 of the GDPR ("sensitive data")) for the purpose of direct marketing about (other) woom products. woom has a legitimate interest in processing personal data for direct marketing purposes (Recital 47, last sentence of the GDPR). As a customer, you can use the contact details provided above at any time to request that woom does not contact you. Membership of the woom Riders Club and the associated opportunities to save your purchase history to receive access to discounts and special offers is offered with a view to converting you, as a member, into a paying customer, meaning it is used for advertising purposes. We only process the customer data we have obtained through the contractual relationship in line with the applicable storage period. The duration for which the data is stored is not extended as a result. The overriding purpose for processing this data is to gain and retain customers with the aim of entering into another precontractual/contractual relationship. For this purpose, woom relies on its freedom to pursue a business activity which is protected by conventions and the constitution (Art. 6 of the Austrian Constitution) and freedom of communication (especially Art. 10 of the European Convention on Human Rights which also protects advertising activities) and the right to
• transmit marketing material via mail;
• make sales calls once consent has been provided;
• transmit electronic mail after receiving the recipient's consent;
• transmit electronic mail pursuant to Section 107 (3) of the Austrian Telecommunications Act.

When using this data, woom complies with all provisions of communication law, especially Section 107 of the Austrian Telecommunications Act.

1.3          STORAGE PERIOD
Unless a different storage period is explicitly specified when the data is collected, we only store your data for as long as it is needed to fulfill its specific purpose (e.g. until our business relations have come to an end), to fulfill contractual duties or to comply with statutory requirements for data storage.

We generally store data until our business relations or the warranty, guarantee or limitation periods have come to an end. Data may be stored for longer than specified if required to assert our legal rights or defend against legal claims. In that case, the data will be stored based on our legitimate interests as per Art. 6 (1) (f) of the GDPR.

You can read more about statutory requirements to store data in Austria here (available in German only): https://www.wko.at/service/wirtschaftsrecht-gewerberecht/eu-dsgvo-speicher-und-aufbewahrungsfristen.html

Specific information about data storage periods is provided in relation to individual technologies on our website. The storage periods for specific cookies are outlined in our cookie table. If the storage period is not specified, your data will only be stored for as long as it is needed to fulfill its specific purpose. You also have the option of contacting us at any time using the contact details specified above to ask us exactly how long we will be storing your data for.

1.4          PERSONAL DATA TRANSFER TO THIRD PARTIES
We do not transfer your personal data to third parties for any purposes not specified in this privacy policy. We will only ever share your personal data with third parties when:

• you have provided your explicit consent for us to do so in accordance with Art. 6 (1) (a) of the GDPR;
• it is necessary for us to share your data for the purposes of legitimate interests as per Art. 6 (1) (f) of the GDPR and to assert or exercise legal rights or defend against legal claims and there is no reason to assume that you have an overriding legitimate interest in your data not being shared;
• there is a legal obligation to share your data in accordance with Art. 6 (1) (c) of the GDPR and this is legally admissible; and/or
• it is necessary for us to share your data for the purpose of performing a contract to which you are party in accordance with Art. 6 (1) (b) of the GDPR.

When the sole legal basis for transferring data is that you have explicitly provided your consent, you can revoke that consent at any time without having to give a reason – either using the contact details provided in this privacy policy or in the cookie consent tool if your consent relates specifically to cookies.

We use external services on our website. External services are services provided by third parties that we use on our website. We use external services for various purposes, such as embedding videos and keeping our website secure. When these external services are used, personal data is also shared with the relevant providers. If we do not have a legitimate interest in using these services, we will ask you to give your consent before using them (Art. (6) (a) of the GDPR). You can withdraw your consent at any point.

We share your personal data with the following external service providers (data processors) where necessary:

• IT service providers and/or providers of services such as data hosting and data processing
• Other service providers and providers of software solutions and tools (e.g. newsletter sending services, survey tools and marketing service providers) that we commission to support us in providing our services

We take great care when selecting service providers that process personal data on our behalf. When we commission third parties to process personal data, this processing is governed by a contract in accordance with Art. 28 of the GDPR. You can submit a request to be provided with a list of data recipients at any time by contacting us using the details provided.

We also share your personal data with the following recipients where necessary:

• Third parties we rely upon to fulfill our obligations to you (e.g. banks for processing payments and parcel service providers for delivering orders)
• Other external third parties as required, based on our legitimate interests (e.g. auditors, insurance providers and legal representatives)
• Authorities and other government offices as required by law (e.g. financial authorities and data protection authorities)

We will only process your data in a third country outside of the European Union (EU) or the European Economic Area (EEA) if you have given your explicit consent and if the third country has an adequate level of protection (e.g. data protection adequacy decision in line with the EU–US Data Privacy Framework) or on the basis of appropriate safeguards, such as standard contractual clauses adopted by the EU Commission, proof of certifications or binding internal data protection regulations, in accordance with Art. 44–49 of the GDPR. You can request that we send you a copy of these appropriate safeguards if we are processing your data or having your data processed in a third country.

1.6          AUTOMATED DECISION-MAKING, PURPOSE LIMITATION

Customers are not subject to automated decision-making that will have a legal effect on them. woom will only ever process personal data for the purpose for which it was originally collected.

1.7          SSL encryption

We use the standard SSL (Secure Sockets Layer) protocol with the highest level of encryption supported by your browser to protect your data when you visit our website. You can tell that the connection between your browser and the page you are visiting on our website is encrypted by the padlock icon in the browser address bar. The legal basis for our use of this protocol is our legitimate interest in using suitable encryption technology.

We are also committed to taking other appropriate technical and organizational security measures to protect your data against accidental or deliberate tampering, partial or complete loss, destruction and unauthorized access by third parties. We keep our security measures up to date and continue to improve them as the technology develops.

2.            PROCESSING YOUR DATA WHEN YOU VISIT OUR WEBSITE

2.1          SERVER LOG FILES

If you just browse our website and do not provide us with any information beyond that, we will only process the following personal data, which is transferred automatically to our server by your browser:

IP address of the website visitor's device
Date and time of access, time zone difference to Greenwich Mean Time (GMT)
Specific page visited
Access status/HTTP status code
Volume of data transferred
Referring website
Browser type and version
Operating system and interface
Language and version of browser software

This data is not associated with a natural person and is only used to run statistical analyses, ensure that our website is functioning properly and securely, and optimize our website. This data is only transferred to our website host. It is not linked to or combined with any other sources of data. We reserve the right to inspect this data later if we suspect that our website is being used unlawfully. The legal basis for processing this data is our legitimate interest in operating our website without technical issues and optimizing our website. Personal data (especially the IP address) of (non-registered) website users will be stored for seven days for reasons of IT security and will subsequently be deleted.

2.2          CONTACT WITH US

If you get in touch with us via the contact form on our website, via email or over the phone, we process the personal data you voluntarily provide us (e.g. your name and contact details) and the content of your message. You might need to provide us with certain details so we can process your request properly. If you do not provide those details, we might not be able to process your request fully or at all. Personal data collected from contact requests can also be stored in a customer or lead database to improve our communications and customer service, with our legitimate interest as the legal basis. We need this data to process your requests and, in the event of further questions, to fulfill our precontractual/contractual duties as per Art. 6 (1) (b) of the GDPR. We only store this data for as long as it is needed to fulfill its specific purpose. After that point, we delete the data or restrict its processing if there is a statutory requirement to store it for longer.

2.3          ONLINE ORDERS, PAYMENT PROVIDERS

If you place an order in our online shop, we process your name, email address, telephone number, address, order details and payment details to process and fulfill your order. Again, we process your data in this way to fulfill our precontractual/contractual duties under Art. 6 (1) (b) of the GDPR. Information that must be provided because it is not possible for us to fulfill our contractual duties without it is marked as mandatory. You are not required to provide any other information but can do so voluntarily.

If required to enable us to fulfill our contractual duties, especially when it comes to processing payments, we will share your personal data with third parties, usually payment providers. SSL/TLS encryption is always used for transactions processed using standard means of payment (Visa/MasterCard, direct debit). Encrypting your payment data in this way protects it so that third parties cannot access it. These payment providers are controllers in their own right in accordance with Art. 24 of the GDPR. Transactions made through the specified payment providers are subject to the contractual terms and data protection provisions of those payment providers. The data provided will only be processed and stored by the payment providers themselves. This means that we do not receive any account or credit card details. The only payment information we receive is whether or not a transaction has been successful.

We use the following payment services/providers for our online shop:

• PayPal: Provided by PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22–24 Boulevard Royal, 2449 Luxembourg (hereinafter referred to as "PayPal"). Privacy statement available at https://www.paypal.com/us/legalhub/privacy-full.
• Apple Pay: Provided by Apple Inc., Infinite Loop, Cupertino, CA 95014, USA. Security and privacy overview available at https://support.apple.com/en-us/HT203027.
• Google Pay: Provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy policy available at https://policies.google.com/privacy.
• Klarna: Provided by Klarna AB, Sveavägen 46, 111 34 Stockholm, Sweden (hereinafter referred to as "Klarna"). Klarna provides a number of payment options (such as payment in installments). If you choose to pay with Klarna (Klarna Checkout solution), Klarna will collect your personal data. Klarna uses cookies to optimize the user experience of its Klarna Checkout solution. You can read more about how Klarna uses cookies at https://www.klarna.com/us/cookies/ and consult the Klarna privacy policy at https://www.klarna.com/us/privacy/.
• eps: "eps" is a payment method offered by Austrian banks in partnership with PSA Payment Services Austria GmbH (PSA), Handelskai 92, Gate 2, 1200 Vienna, Austria. eps transfers are only available to customers who are based in Austria and paying in euros. If you decide to pay using this payment method, you will be redirected to the eps website and presented with a list of Austrian banks that offer the payment method. Once you have selected your bank, you will be connected to its online banking service. The data required to process the payment, such as the amount to be paid, the purpose of the payment and the recipient, is transferred automatically so that all you have to do is approve the payment with a TAN (transaction authentication number). Security is not compromised when this data is transferred because the ordering process is kept strictly separate from the payment process. Further details are available (in German only) at https://www.eps-ueberweisung.at/. Data protection information is available from PSA at: https://eservice.psa.at/en/datenschutzerklaerung.html.

We are required by commercial and tax law to store your address, payment details and order details for seven years. However, we do restrict processing of your data after two and a half years (at the end of contractual claims), which means that your data is not being processed and is just being stored to comply with statutory requirements.

3.            CUSTOMER LOYALTY SCHEME

3.1          upCycling

If you choose to join our customer loyalty scheme, we process the data you voluntarily provide, including your personal details (title, first name, surname), contact details (email address, home address) and bike details, to manage your membership (e.g. to send you your membership card). We process your data in this way to fulfill our precontractual/contractual duties under Art. 6 (1) (b) of the GDPR. We store your data until six months after your cancel your membership.

3.2          WOOM RIDERS CLUB

If you join our woom Riders Club, we process the data you voluntarily provide as a member, including your personal details (title, first name, surname), your contact details (email address, home address), your child's birthday and your child's bike details. woom also collects other personal data about its members that includes electronic identification data (IP address (log files), PC details, browser, app, etc.) and specific details about the individual member's buying behavior, usage behavior and campaign behavior.  We process personal details, contact details, IP addresses, preferred email clients, sign-up sources and campaign-related details (receipt, open and click rates) with contract performance and preparation as the legal basis, allowing us to operate the club, manage customer accounts and provide communication channels for maintaining member relations. woom offers members benefits through the club as a way of encouraging them to become and remain a buyer of its own products and products from other providers. In other words, we use the personal data you provide for advertising activity that is targeted and responds to your interests. We also process data relating to your buying behavior, usage behavior and campaign behavior with (overriding) legitimate interests as the legal basis since this activity allows us to share relevant and interesting information with you for targeted marketing and promotional campaigns with the aim of boosting sales, increasing customer loyalty (including through direct marketing), attracting new customers and retaining existing customers. You can object to the use of your data for direct marketing at any time and without having to give a reason. If you object, woom will no longer process your data for these purposes.

4.            COMPETITIONS, EVENTS, CUSTOMER SURVEYS

We regularly organize competitions and events for our customers. In order to participate, you can register on our website, by email or on social media. If you do so, we process your name, your contact details (e.g. email address and telephone number) and your address for the purpose of organizing and running the event. Some competitions also require you to submit an entry (e.g. in photo or text form). In that case, we need to process the entries in order to pick a winner. We process your data in this way to fulfill our precontractual/contractual duties under Art. 6 (1) (b) of the GDPR and to comply with the legal obligations associated with competitions as per Art. 6 (1) (c) of the GDPR (e.g. competition taxes). If we process any further data as part of a competition or event, we will inform you separately. Data associated with competitions and events is stored until the corresponding competition or event has ended provided that there are no requirements to store it for longer under commercial or tax law. We conduct customer surveys in order to constantly develop and improve our products.

5.            WARRANTY AGREEMENTS, HANDLING WARRANTY CLAIMS

Some of our products come with manufacturer warranties. Once a warranty agreement has been registered or a warranty claim has been submitted, the warranty agreement provides the legal basis for data processing.

6.            NEWSLETTER

We send out a newsletter to keep you updated about our products and services and invite you to participate in events and competitions.

If we send you our newsletter in the post, we process your name and address. We have a legitimate interest in processing your personal data for the purpose of direct marketing in accordance with Art. 6 (1) (f) of the GDPR (see Section 1.2 of this privacy policy).

You also have the option of subscribing to our personalized digital newsletter. Based on your voluntary consent, we process your name, email address, preferred language and information about your buying habits and consumer behavior so that we can provide you with relevant and interesting information by email about our company, our products and our services. The legal basis is your consent as per Art. 6 (1) (a) of the GDPR. We also process your IP address, your preferred email client, the sign-up source and campaign-related details (receipt, open and click rates) to track the success of our newsletter. You can revoke your consent with immediate effect at any time without providing a reason by contacting us directly or by clicking on the unsubscribe link in the email. If you have subscribed to our newsletter, we will continue to process your data until you revoke your consent or object to us processing your data in this way. Otherwise, we will delete your data no later than six months after the last contact.

7.            COOKIES AND LOCAL STORAGE

We use cookies on our website to improve the functionality and user experience. Some cookies are stored on your device. 

Cookies are small pieces of data that are exchanged between your browser and our web server when you visit our website. Cookies can only store information provided by your browser, which means it is only ever information that you have entered into the browser yourself or that is available on the website. Cookies cannot run code or be used to gain access to your device. They are only used to remember returning website visitors. The next time you visit our website on the same device, the information stored in cookies can be sent back to us directly (first-party cookies) or to a web application belonging to the third-party provider responsible for the cookie (third-party cookies). Using the information that is stored and sent, the web application can identify that you have accessed and visited the website using the browser on your device before.  

Cookies store the following information:

• Cookie name
• Name of the server the cookie originally came from
• Cookie ID number
• The date on which the cookie will be automatically deleted

Cookies are divided into the following categories depending on how they are used and how they work: 

• Technically necessary cookies are required for our website to function properly. For example, these cookies are used to retain important information (such as login details and cart contents) for the duration of the session.
• Statistics cookies allow us to understand how visitors interact with our website by collecting and analyzing information – always anonymously. This provides us with valuable insights that we can harness to optimize our website as well as our products and services.
• Marketing cookies enable us to target our advertising activity to our website users. 
• Non-classified cookies are cookies that we are attempting to classify with providers of individual cookies. 

Cookies can also be classified as session cookies or persistent cookies depending on how long they are stored on your device for. Session cookies store information that is used during the current browser session and then deleted automatically when the browser is closed. Persistent cookies store information between one visit to the website and the next. This information is used to remember a website visitor next time they visit so the website can respond accordingly. The cookie provider decides how long a persistent cookie will be stored for. 

The legal basis for the use of technically necessary cookies is our legitimate interest in providing a website that functions properly and smoothly for our visitors. Our website cannot function properly without these cookies. You have to consent to the use of statistics cookies and marketing cookies. You can withdraw your consent to the use of cookies at any time with immediate effect. Your consent is voluntary. There will be no negative consequences if you do not give your consent. You can find further information about the cookies we use (including what they are used for and how long they are stored for) in this privacy policy and in the information about our use of cookies in our cookie banner.

You have the option of updating your internet browser settings so that cookies are never stored on your device or so that you are asked to consent to cookies being stored on your device every time. You can delete cookies that have been stored on your device at any time. Refer to your browser help information for detailed instructions on how to manage cookies. Please note that disabling cookies as standard might restrict the functionality of our website.

We also use local storage on our website. This means that data is stored locally in your browser cache and can still be accessed even after you have closed the browser (unless you clear the cache or the data was stored in session storage). Third parties cannot access data in local storage. If you do not want plugins or tools to use local storage, you need to update your browser settings. Just be aware that this might restrict functionality.

Shopify (online shop)

We use Shopify, a service provided by Shopify Inc., 151 O'Connor Street, Ottawa, ON K2P 2L8, Canada, for our online shop. Shopify processes the following data for the purpose of processing orders – name, address, email address, IP address, order details, customer account details and payment details. The legal basis is Art. 6 (1) (a) and then Art. (1) (b) and (f) of the GDPR once an order is complete. Your data may be transferred to a third country (USA, Canada) on the basis of standard contractual clauses when you use this service. You can find out more in the privacy policy published on the provider's website at https://www.shopify.com/at/legal/privacy/app-users.

Help Scout (customer service software)
We use Help Scout, a service provided by Help Scout Inc., 131 Tremont St, Boston, MA 02111, USA, to process customer service support requests. For this purpose, we process your IP address, name, contact details, email address, browser details, chat details and any other data provided voluntarily by you for the purpose of customer communications. The legal basis for processing your data in this way is your consent (Art. 6 (1) (a) of the GDPR) and Art. 6 (1) (b) of the GDPR when you contact us. Your data may be transferred to a third country (USA) on the basis of standard contractual clauses when you use this service. You can find out more in the privacy policy published on the provider's website at https://www.helpscout.com/company/legal/privacy/.

AWIN
Our website uses the AWIN affiliate marketing network provided by AWIN AG, Otto-Ostrowski-Straße 1A, 10249, Berlin, Germany. Affiliate links are processed through AWIN so that commission can be allocated to advertising partners. AWIN also uses tracking tools to save and track user activity. Cookie IDs, transaction data and (truncated) IP addresses are processed for billing purposes within the affiliate scheme on the legal basis of your consent in accordance with Art. 6 (1) (a) of the GDPR. Data is not transferred to a third country. You can find out more in the privacy policy published on the provider's website at https://www.awin.com/gb/privacy.

ANALYTICS

We process our website visitors' personal data to analyze user behavior and collate information about the use of individual elements of our website. These insights allow us to make our website more user-friendly and improve our market research and marketing activities. We use the solutions outlined below for analytics. Unless specified otherwise, the legal basis for processing your data in this way is your consent (Art. 6 (1) (a) of the GDPR). If you do not give your consent, your data will not be processed in this way. We will stop processing your data in this way as soon as you withdraw your consent (e.g. via the consent banner or using any other means available on this website). The legality of processing your data until the time of withdrawal remains unaffected.

CONSENT MANAGEMENT

We use tools on our website to provide services relating to campaigns, web analytics and personalization. This allows all data to be captured centrally, which is essential for planning and optimizing digital campaigns. Our advertising partners can implement and use these services on our website to create a profile of your interests and display relevant adverts to you on other websites. The legal basis for processing your data in this way is your consent (Art. 6 (1) (a) of the GDPR). If you do not give your consent, your data will not be processed in this way. We will stop processing your data in this way as soon as you withdraw your consent (e.g. via the consent banner or using any other means available on this website). The legality of processing your data until the time of withdrawal remains unaffected.

TikTok Pixel
We use Tik Tok Pixel, a service provided by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland
Parent company: ByteDance Ltd., No 48, Zhichun Road, Haidian District, Beijing City, Beijing, 100098, China. We process your IP address, browser data (user agent), date and time you access the website (time stamp), information on the buttons you click on and the pages you visit, event data relating to purchases and form submissions for the purpose of conversion tracking, optimizing advertising campaigns, communicating with target groups, remarketing, event tracking and detailed analyses. Data is transferred to third countries (Singapore, USA, China). WARNING! This service involves data being transferred to China and this cannot be ruled out. As it stands, there is no European Union data protection adequacy decision for China in accordance with the General Data Protection Regulation. This means that special precautionary measures and legal frameworks have to be applied when personal data is being transferred from the EU to China to ensure adequate protection for data subjects. The legal basis for processing your data in this way is your consent (Art. 6 (1) (a) of the GDPR). If you do not give your consent, your data will not be processed in this way. All relevant information relating to cookies, including the name, how they are used and how long they are stored for, is included in our detailed list of the cookies in use. You can read further information on data protection at  https://www.tiktok.com/legal/page/eea/privacy-policy/en.

Dynatrace

We use Dynatrace on our website, a service provided by Dynatrace Austria GmbH, Am Fünfundzwanziger Turm 20, 4020 Linz, Austria. Performance data relating to applications, usage statistics and system metrics for monitoring, optimizing and scaling applications in multi-cloud environments are processed. Your data may be transferred to a third country (USA) when you use this service. The provider is certified under the EU–US Data Privacy Framework, which verifies that they provide an adequate level of protection. You can find out more in the privacy notice published on the provider's website at https://www.dynatrace.com/company/trust-center/privacy/.

Influence.vision
We use Influence.vision, a tracking tool provided by Influence.vision GmbH, Neustiftgasse 94 / B5, 1070 Vienna, Austria. Web analytics services are mainly used to analyze website visitor numbers and optimize online marketing campaigns. The following personal data can be processed by influence.vision: online identifiers, including cookie IDs, IP addresses, device information, customer identifiers, referrers and transaction data. This data can also be used to analyze and optimize the success of marketing campaigns and their return on investment, with information being provided about the products visitors to the website are ordering and which other actions they took (this is known as conversion tracking). Cookies are used here so that a web browser can be recognized when it is used to visit the website again. Unique online identifiers known as cookie IDs may be stored on your device in these cookies. Data is not transferred to a third country. You can read more about how Influence.vision processes data at https://www.influencevision.com/en/privacy-policy/.

We use the X Ads Manager service on our website. This service is provided by X Corporation, 1355 Market St., Suite 900 San Francisco, CA 94103, USA. Your data may be transferred to a third country (USA) when you use this service. The provider is certified under the EU–US Data Privacy Framework, which verifies that they provide an adequate level of protection. You can find out more in the privacy policy published on the provider's website at https://x.com/en/privacy.

SEARCH ENGINE - Google

We use the service provided by Google to make it easier to find content on our website. This service is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. It involves the transfer of technical data such as your IP address. The legal basis for processing your data in this way is your consent (Art. 6 (1) (a) of the GDPR). We will stop processing your data in this way as soon as you withdraw your consent (e.g. via the consent banner or using any other means available on this website). The legality of processing your data until the time of withdrawal remains unaffected. Your data may be transferred to a third country (USA) when you use this service. The provider is certified under the EU–US Data Privacy Framework, which verifies that they provide an adequate level of protection. You can find out more in the privacy policy published on the provider's website at https://business.safety.google/privacy.

9.            SOCIAL MEDIA – SOCIAL PLUGINS

There are links to social plugins (hereinafter referred to as "plugins") on our website. We do not collect any personal data in relation to these plugins or your use of them. It is, however, possible that data about you as a visitor to our website is collected, transferred to the relevant service provider and linked to other data by them via the plugins. We use the Shariff solution on our website to stop data being transferred to service providers without your knowledge. This means that plugins are initially displayed as an image. The image includes a link to the service provider's website, but you have to click on the image to be taken to that website. No personal data is shared automatically with the plugin provider. When you click on the image, the service provider will be told that you have visited our website. You do not need to be logged in or even have a user account with that service provider for them to receive that information. We have no say on whether and to what extent the service provider collects personal data. We do not know which personal data is processed or how it is processed or used. We have no insight into the purpose of data processing or how long data is stored for. You will need to refer to the privacy policy provided on the service provider's website to find out this information along with details on your rights as a data subject and your options for changing the settings.

• Facebook Inc., 1 Hacker Way, 94025 Menlo Park, USA; https://www.facebook.com/help/186325668085084: Your data may be transferred to a third country (USA) when you use this service. The provider is certified under the EU–US Data Privacy Framework, which verifies that they provide an adequate level of protection.
• Facebook Connect, Meta Platform Ireland Limited (Marketplace), 4 Grand Canal Square Grand Canal Harbour Dublin 2, Ireland https://www.facebook.com/privacy/center/.Your data may be transferred to a third country (USA) when you use this service. The provider is certified under the EU–US Data Privacy Framework, which verifies that they provide an adequate level of protection.
• Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; https://help.instagram.com/155833707900388
• YouTube LLC, headquarters at 901 Cherry Avenue, San Bruno, CA 94066, USA, represented by Google Inc. at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; https://policies.google.com/privacy
• LinkedIn Ireland Unlimited Company Attn: Legal Dept. (Privacy Policy and User Agreement), Wilton Plaza, Wilton Place, Dublin 2, Ireland; https://www.linkedin.com/legal/privacy-policy Your data may be transferred to a third country (USA) when you use this service. The provider is certified under the EU–US Data Privacy Framework, which verifies that they provide an adequate level of protection.
• Pinterest: Pinterest Inc., 808 Brannan Street, San Francisco, CA 94103-490, USA (hereinafter referred to as "Pinterest"); https://policy.pinterest.com/en/privacy-policy. Your data may be transferred to a third country (USA) when you use this service.
• Reddit: Reddit Inc., 548 Market Street, San Francisco, California, 94103, USA.  https://www.redditinc.com/policies/privacy-policy. Your data may be transferred to a third country (USA) when you use this service. The provider is certified under the EU–US Data Privacy Framework, which verifies that they provide an adequate level of protection.
• X (Twitter): X Corporation, 1355 Market St., Suite 900 San Francisco, CA 94103, USA. https://x.com/en/privacy. Your data may be transferred to a third country (USA) when you use this service. The provider is certified under the EU–US Data Privacy Framework, which verifies that they provide an adequate level of protection.

Embedded YouTube videos

We have embedded YouTube videos into our website. These videos are stored on http://www.YouTube.com and can be played directly from our website. All these videos are embedded in privacy-enhanced mode, which means that none of your personal data is transferred to YouTube if you do not play the videos. Your data is only transferred if you play the videos. We do not have any control over this data transfer.

When you play a video on our website, YouTube will be informed that you accessed the corresponding page on our website. The data listed below will also be transferred to YouTube. This will happen whether you have a YouTube account or not and whether you are logged into your YouTube account or not. If you are logged into Google, your data will be linked directly to your account. If you do not want your data to be linked to your YouTube profile, you must remember to log out before clicking on the play button. YouTube saves your data as a usage profile and uses it for advertising, market research and/or customization of what is displayed on its website. Usage is analyzed (even when a user is not logged in) primarily to provide targeted advertising and to tell other users of the social media platform about your activities on our website. You have the right to object to the creation of these usage profiles by contacting YouTube directly.

Further information about the purpose and scope of data collection and the processing of your personal data by YouTube is provided in the YouTube Privacy Policy. You can also find out more about your rights and how to adjust your privacy settings at https://policies.google.com/privacy. Google also processes your personal data in the USA. Google is subject to the EU–US Data Privacy Framework. https://www.dataprivacyframework.gov

10.          VOUCHERS FROM SOVENDUS GmbH

We share your email address and IP address with Sovendus GmbH, Hermann-Veit-Str. 6, 76135 Karlsruhe, Germany (hereinafter referred to as "Sovendus"), so that an appropriate voucher offer can be selected for you (Art. 6 (1) (f) of the GDPR). Sovendus will use your email address to check whether you have objected to your data being processed for direct marketing purposes (Art. 21 (3) and Art. 6 (1) (c) of the GDPR). Sovendus will use your IP address for the sole purpose of guaranteeing data security and will usually anonymize it after seven days (Art. 6 (1) (f) of the GDPR). We will also share your order number, order value and currency, session ID, coupon code and time stamp with Sovendus for billing purposes (Art. 6 (1) (f) of the GDPR).

If you are interested in a voucher offer from Sovendus, you have not objected to your personal data being processed for direct marketing purposes under your email address and you click on the voucher banner being displayed to you, your title, name, postcode, country and email address will be shared with Sovendus so that your voucher can be prepared (Art. 6 (1) (b) and (f) of the GDPR).

You can read more about how Sovendus processes your data in the online privacy policy available at https://online.sovendus.com/en/online-privacy-notice/.

11.          REFERRAL SCHEME  ("Refer a Friend")

If you wish to take part in our referral scheme, you have to register on the platform first. User accounts and personal data identifying you are processed as part of the registration process. The technical infrastructure is provided by the software provider Code 57, Ksiecia Witolda 46/27, Poland, which involves technical data being transmitted. The software provider has access to the data when support needs to be provided. Data including your user account and electronic and personal data identifying you also has to be processed in order for the infrastructure to be provided. You will also be provided with a code that you can share with others to receive discounts or other benefits when placing an order. Digital identification data is stored for this purpose. The data specified above has to be processed for the performance of a contract (legal basis as per Art. 6 (1) (b) of the GDPR). Where support needs to be provided, the legal basis for data processing is a legitimate interest on the part of woom (as per Art. 6 (1) (f) of the GDPR).

12.          CUSTOMER REVIEWS (“Reviews.io”)

We use Reviews.io, a service provided by REVIEWS.io 2020 GMBH, Stralauer Allee 6, 10245 Berlin, Germany, to provide a quick and straightforward way for our customers to share their feedback on our products on the woom website. We can collect reviews from our customers through Reviews.io, publish them on our website for other website visitors to read, and share them via other digital channels. 

You have to enter your name (or a pseudonym) and your email address (which isn't published) when writing a review for us. The service will automatically create an account for you when you write a review using Reviews.io. 

Legal basis: The legal basis for processing your data in this way is your consent (Art. 6 (1) (a) of the GDPR). You can withdraw your consent at any time by simply sending us an email. The legality of processing your data before withdrawal of your consent remains unaffected.

Publication and use: When you submit your review, you grant us the right to publish your text and any photos you have uploaded on our digital channels and use them for marketing purposes with no limitations in terms of time or location. For example, we might share your review on our website, in email newsletters, on social media and in other advertising materials. We also have the right to translate your review into other languages.

Volunteering information: You can write reviews without other website users being able to identify you. It is up to you whether you include identifying personal details in the compulsory fields when you are submitting your review. There is a chance that people could also identify you from your pseudonym, what you write in the free-text fields and the photos you upload. We recommend that you do not include any personal details when writing your review. You should also make sure that it is not possible to identify anyone in the photos you upload. We reserve the right to anonymize (in full or in part) or refuse to publish reviews that contain personal details.

Content: You are solely responsible for your own content, including in particular comments and reviews that your share on the website, and any consequences that arise as a result of sharing that content. You confirm that the content you have shared does not infringe upon the rights of any third parties (e.g. patents, trademarks, copyright, privacy rights and name rights) or break any laws.

Above all, we do not accept any content that is racist, indecent, pornographic, sexual in nature or extremist, content that could be harmful to young people, incite or trivialize violence, glorify war, promote terrorist or extremist political views or encourage crime, or content that is defamatory, offensive, unsuitable for children or illegal in any way whatsoever.

Moderation: We check reviews before we publish them and reserve the right to not publish or to remove any reviews that do not follow our review guidelines or that break any laws.

Processing by Reviews.io: Reviews.io also processes data relating to reviews on our behalf as follows: identifying you as a reviewer when you log into our website and visit the website again, verifying your reviews, answering your questions and providing customer service to you as required, and forwarding our messages when we have responded to your review.

You can read more about how Reviews.io processes your data in the terms of use and privacy policy published by Reviews.io at https://www.reviews.io/front/data-protection.

13.          RIGHTS OF DATA SUBJECTS

You have the right to receive information about whether and to what extent your personal data is being processed.

You have the right to ask for inaccurate personal data to be corrected and incomplete personal data to be completed without delay.

You also have the right to ask for your personal data to be erased without delay provided that the reasons defined in Art. 17 (1) of the GDPR are met.

You have the right to restrict the processing of your personal data provided that the reasons defined in Art. 18 (1) of the GDPR are met.

You have the right to object to the processing of your personal data on the basis of an overriding legitimate interest. You also have the right to withdraw your consent with immediate effect at any time without providing a reason.

You also have the right to receive personal data you have provided in a structured, commonly used and machine-readable format.

Right to lodge a complaint

Data subjects have the right to lodge a complaint with the supervisory authority if they consider that the processing of their personal data violates this regulation.

Supervisory authority

Austrian Data Protection Authority
Barichgasse 40–42
1030 Vienna, Austria
Telephone number: +43 1 52 152-0
Email address: [email protected]

Before you lodge a complaint with the supervisory authority or if you have any other questions relating to data protection, you can get in touch with us at any time using the contact details provided above in Section 1.