Data Protection Policy

Thank you for visiting our website. In this policy, we will provide you with detailed information on how we deal with your data.

Processing activities

  1. Online accessibility of information about the controller's business and his products for interested parties and clients [1] (currently accessible at www.woombikes.com as well as via the controller's social media channels)
  2. Running an online shop
  3. Running a loyalty programme
  4. Managing warranty agreements with clients

Controller

woom GmbH
Inkustraße 1-7, Halle Nr. 14, Top 5, 3400 Klosterneuburg
Telephone: +43 2243 23923
E-mail: woom@woombikes.com

Data protection officer

Kristin Thomseth
privacy@woombikes.com

Data processing purpose

Contract performance or preparation:

  1. Ensuring accessibility to information and advertising about the controller's business and his goods and services ("products")
  2. Ensuring accessibility of the online shop for purchasing products
  3. Operating the "upCycling" customer loyalty programme
  4. Operating the "woom Club" customer loyalty programme
  5. Increasing customer loyalty by organizing sweepstakes, events and customer surveys
  6. Managing contractual relations with clients resulting from warranty contracts, handling warranty issues
  7. Making communication channels available for sharing content and maintaining client relations

(Predominant) legitimate interest:

  1. Sharing/displaying information (may include advertising) for services and events via direct marketing activities ("marketing purposes"), to the extent that it is legally admissible
  2. Maintaining and increasing client satisfaction and customer loyalty by analyzing their user behavior with the goal of improving our service offering by using Google Analytics and Google Data Studio
  3. Sending newsletters (may include advertising elements) to clients; the legal basis being Section 107 (3) of the Austrian Telecommunications Act with the possibility to opt-out at any given time
  4. Transmission of electronic user identification data to third-party providers in order to embed content via posts on social networks (e.g. YouTube) and other applications (e.g. Google Maps)
  5. Transmission of electronic user identification data via Facebook Pixel to Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, also for retargeting purposes
  6. Transmission of electronic user identification data to Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, also for retargeting purposes
  7. Transmission of electronic user identification data to Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA, also for retargeting purposes
  8. Transmission of electronic user identification data to "Instagram," operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, also for retargeting purposes

Consent:

  1. Sending newsletters (may include advertising elements) to clients based on their consent, with the possibility to opt-out at any given time

Legal basis of data processing

Contract performance

  1. Ensuring online accessibility: the use of the controller's online services relies on a contract as defined in Article 6 (1) (b) of the GDPR [2]. By registering, a registration relation is created.
  2. Conclusion of sales agreements: if products provided by the controller are purchased, the legal basis for data processing shall be the sales agreement.
  3. Running customer loyalty programmes: if customers join the "upCycling" or "woom Club" programmes, the legal basis for data processing shall be the service contract.
  4. Signing warranty agreements: some of the controller's products include manufacturer warranties. Whenever a warranty agreement has been recorded or a warranty is claimed, the legal basis for data processing shall be the warranty agreement.

Additional services: consent

For specific services (e.g. newsletters), the controller shall ask for the client's explicit consent. This consent can be revoked at any time with prospective effect.

Predominant legitimate interests (see below)

Description of (predominant) legitimate interests for the purposes of IT security

The controller stores the IP addresses of users who merely visit the website for a period of 7 days in order to prevent targeted attacks that overload servers ("denial of service" attacks) and other damage to the company's systems. The controller has a predominant legitimate interest in this data processing for the purpose of maintaining the functionality of his online services (recital 49 of the GDPR).

Description of (predominant) legitimate interests for the purposes of sharing information/direct marketing [3]

The controller also processes client data (but not data of children or special categories of personal data as defined in Article 9 of the GDPR [4] ("sensitive data")) in order to use them for direct marketing purposes for (additional) products and services provided by the controller. The controller has a legitimate interest in processing personal data for the purpose of direct marketing (recital 47, last sentence of the GDPR). The primary goal of data processing is client acquisition. For this purpose, the controller relies on his freedom to pursue a business activity, which is protected by conventions and the constitution (Section 6 of the Austrian Constitution), and on the freedom of communication (especially Article 10 of the ECHR, which also protects advertising activities), and the right to

  1. transmit marketing material via mail
  2. transmit electronic mail after receiving the recipient's consent and pursuant to Section 107 (3) of the Austrian Telecommunications Act.

When using this data, the controller shall comply with all provisions of communication law, especially Section 107 of the Austrian Telecommunications Act.

Description of (predominant) legitimate interests for the purposes of retargeting

Facebook, Google and Microsoft use the so-called "Pixel" placed by the controller for his services to store cookies on the user's device and to identify existing cookies and other identifying information in order to ultimately enrich the profile created for the identifier or user. The controller does not have access to this data collected by Facebook, Google and Microsoft, but will use them to display ads for the target audience interested in the controller's products.

Changing the purpose

Advertising: please note that the controller also processes the user's personal data for the purpose of sharing information/direct marketing and for retargeting purposes. The controller's objective is to provide information about his own products and to advertise them. No incompatibility exists with the purpose of the original data collection. Clients may object to the use of their personal data for the purpose of direct marketing at any time and without having to state reasons.

Evaluating clients' personal aspects ("profiling")

None of the clients' personal aspects will be evaluated.

Duty to provide data

When using these services, clients have no duty to provide data. During the purchasing process, all required fields must be truthfully completed.

Automated decision-making

Clients are not subject to automated decisions that will have a legal effect on them.

Types of processed data

Provided by clients

  • Name(s)/company
  • E-mail address
  • Address
  • Date of birth
  • Bank account information, payment and credit card information, gift certificate information
  • Phone and fax number
  • Password (encrypted)
  • VAT ID
  • User name
  • Order information
  • Refunds
  • Returned goods
  • Wish list
  • Content of messages and client reviews
  • Information related to the child: first name/last name, date of birth, gender
  • Frame number
  • Information about salesperson
  • Personal information about bike use

Additionally compiled by controller

  • IP addresses (log files)
  • User ID, push ID, device ID
  • Browser used
  • Device used
  • Communication protocol
  • Information related to the use of the account (e.g. date created, number of logins, date of last inquiry)
  • Information about purchased products
  • User behavior data (view, fav, rate, add to cart, buy)

Data sources (unless provided by the client or collected by the controller)

Source: Mailchimp (for sending e-mails): The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA, https://mailchimp.com/legal/privacy/
Types of data: IP location, preferred e-mail client, source of log-in, campaign details (received, opened, clicks)

Source: SurveyMonkey (for client surveys): SurveyMonkey Europe UC, 2nd Floor, Shelbourne Building, 2 Shelbourne Road, Dublin, Ireland, https://en.surveymonkey.com/mp/legal/privacy-policy/
Types of data: Information from surveys

External data recipients

Integration of third-party services into the platform: transmission of electronic identification data, especially IP address:

Order data processors

  • IT support: WT-IO-IT GmbH, Heiligenstädter Straße 201 Top 17, 1190 Vienna
  • IT support: Dieter Weitz, Hermannstraße 14, 3400 Klosterneuburg
  • CRM: HubSpot Ireland Limited, One Dockland Central, Guild Street, Dublin 1, Ireland, https://www.hubspot.com/
  • Hosting services: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
  • Hosting services: Amazon Web Services EMEA SARL, 38, avenue John F. Kennedy, L-1855, Luxembourg
  • Google Analytics (with "anonymize IP"): Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA, https://safety.google/privacy/
  • E-mail campaign distribution service "Mailchimp": The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA, https://mailchimp.com/legal/privacy/
  • Data management: Qlik, Qlik Technologies Inc., 211 South Gulph Road, Suite 500, King of Prussia, PA 19406 USA, https://qlik.com/us/legal/privacy-shield-policy
  • QR code creation: qr1.at, owner: Peter Hlavac, Deublergasse 37, 1210 Vienna, https://qr1.at/dsgvo
  • Affiliate programme: Online United GmbH, Bauhofstraße 4, 90571 Schwaig bei Nürnberg, Germany, http://www.online-united.de/datenschutz/
  • Trusted Shops: Trusted Shops GmbH, Subbelrather Straße 15c, 50823 Cologne, Germany https://www.trustedshops.eu/imprint/
  • Customer surveys: SurveyMonkey Europe UC, 2nd Floor, Shelbourne Building, 2 Shelbourne Road, Dublin, Ireland. https://en.surveymonkey.com/mp/legal/privacy-policy/

The controller explicitly reserves the right to use additional order data processors. These will be disclosed in the next update to the data protection policy after they have started providing their services. Data will be processed by order data processors under the responsibility of the controller.

Internal recipients

  • System administrator
  • Department
  • Managing directors

Transfer to third countries

The following data will be shared for data processing purposes performed in countries outside the EU:

  • Country: USA; Use: Google (EU/US Privacy Shield); Types of data: IP address, title of website, browser-specific information, information related to website use
  • Country: USA; Use: Mailchimp (EU/US Privacy Shield); Types of data: E-mail address, name
  • Country: USA; Use: HubSpot (EU/US Privacy Shield); Types of data: Customer data, contractual data

Presence on social media channels

Please note that the controller has an independent online presence on social media channels for advertising purposes and for communicating with clients. For this online presence, the clients' data may be processed outside of the European Union, which increases the risk of data protection violations. Most operators of such social media channels have agreed to comply with the EU/US Privacy Shield Agreement, provided that they are based in the USA.

These online presences are kept accessible in the technical environment of the social media operator in question. Social media operators subsequently use the user visits to the online presence for their own purposes, especially to display (interest-based) advertising. Social media operators benefit from the visit to their channel to place so-called cookies on the client's device, to read previously placed cookies and identifiers, to infer the client's interests from his user behavior and to ultimately enrich the user profile created by the client or identifier. The goal is to display interest-based advertising to the client. Such ads might also be shown on third-party websites visited by the client at a later point.

The legal basis for processing clients' personal data is the controller's legitimate interest in advertising activities and customer communication, which are protected by conventions and the constitution through the freedom to pursue a business activity (Section 6, Austrian Constitution) and the freedom of communication (especially Article 10 of the ECHR, which also protects advertising activities). If clients use social media, they might also have given their consent to the data processing.

The controller declares that he has no access whatsoever to clients' data. The controller recommends that clients who would like to claim their right to information, rectification, erasure, restriction, objection and data portability contact the respective social media channel directly. Users of social media channels also have the option of making changes to their data protection settings themselves. If needed, the controller will assist clients in making these changes.

Additional information for clients is available here:

  • Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
    Data protection policy: https://www.facebook.com/about/privacy/
    Opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com
  • Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA)
    Data protection policy/Opt-out: http://instagram.com/about/legal/privacy/
  • Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA)
    Data protection policy: https://twitter.com/en/privacy
    Opt-out: https://twitter.com/personalization

Storage period

Non-registered clients: personal data (especially the IP address) of (non-registered) website users will be stored for 7 days for reasons of IT security and will subsequently be deleted.

Contractual relationships as a legal basis: given the above-mentioned legal basis, the controller will generally store personal data for up to 40 months after the contractual relationship has ended (= 36 months for possible claims for damages as defined in the agreement + a maximum of 4 months to serve the papers for the lawsuit). Afterwards, they will be deleted (the connection to the person in question will be deleted in any case).

Statutory requirement as a legal basis: if a statutory requirement for storing data, especially pursuant to Section 132 of the Austrian Federal Fiscal Code, exists, personal data related to invoicing will be processed at least until the end of the statutory storage period (it is currently generally 7 years after the end of the business year when the data was collected).

Rights of data subjects

  • Basis: Article 15 of the GDPR, "Access". Content: The data subject shall have the right to receive information if and to what extent his or her personal data are being processed.
  • Basis: Article 16, GDPR, "Rectification". Content: The client shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him. The client shall have the right to have incomplete personal data completed.
  • Basis: Article 17, GDPR, "Erasure". Content: The client shall have the right to obtain the erasure of personal data concerning him without undue delay, provided that the reasons defined in Article 17 (1) of the GDPR are met.
  • Basis: Article 18, GDPR, "Restriction". Content: The client shall have the right to obtain restriction of personal data processing, provided that the reasons defined in Article 18 (1) of the GDPR are met.
  • Basis: Article 21, GDPR, "Objection". Content: The client shall have the right to object to processing of personal data concerning him on the basis of a predominant legitimate interest.
  • Basis: Article 20, GDPR, "Data portability". Content: The client shall have the right to receive personal data concerning him, which he has provided, in a structured, commonly used and machine-readable format.

Right to complain

Basis: Article 77, GDPR; Section 24, Austrian Data Protection Act
Content: Clients shall have the right to complain to the supervisory authority if they believe that the processing of personal data concerning them violates this regulation.

Supervisory authority

Österreichische Datenschutzbehörde/Austrian Data Protection Authority
Barichgasse 40-42
A-1030 Vienna
Telephone: +43 1 52 152-0
E-mail: dsb@dsb.gv.at

Footnotes

  1. Wherever this data protection policy uses the male form to refer to natural persons, it is meant to include women and men alike. If the term is used for specific natural persons, the correct gender form shall be used. Clients include both consumers and businesses.
  2. Kühling/Buchner, DS-GVO, 2nd ed., Art. 6 (59)
  3. Direct marketing refers to directly addressing specific persons for advertising purposes, e.g. for sending them letters or brochures, by calling them or sending electronic messages.
  4. General Data Protection Regulation, available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679