Privacy Policy
Status: 28 July 2025
This Privacy Policy informs you pursuant to Art. 13 et seqq. GDPR, § 165 Telecommunications Act 2021 (TKG) and other applicable regulations about the nature, scope and purposes of the processing of personal data within our online offering (hereinafter “Website”) and the associated external presences (e.g. social media profiles).
1. Data Controller
BerBerSan GmbH
Pfarrgasse 677, 8970 Schladming, Austria
E‑Mail: info@berbersan.at
(“we”, “us”)
Under current law, we are not required to appoint a data protection officer. For privacy inquiries, please contact the Managing Director.
2. Definitions
The terms used (e.g. “personal data”, “processing”, “controller”) correspond to the definitions in Art. 4 GDPR.
3. Purposes of Processing, Legal Bases and Data Categories
We process personal data only to the extent necessary. Legal bases include Art. 6 (1) lit. a GDPR (consent), lit. b (contract/contract negotiation), lit. c (legal obligation) and lit. f GDPR (legitimate interest).
3.1 Website Visit / Server Log Files
Data: IP address, date/time, requested URL, referrer URL, browser type/version, operating system, provider.
Purpose: Technical operation, security (attack prevention), stability, error analysis.
Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in secure operation).
Retention: Log files are automatically deleted regularly (max. 30 days), unless security-related analysis is required.
3.2 Cookies and Similar Technologies
We use cookies and similar technologies (e.g. Local Storage, pixels).
Necessary Cookies (e.g. cart, login): Art. 6 (1) lit. b GDPR & § 165 (3) TKG.
Functional & Performance Cookies (e.g. preferences): Art. 6 (1) lit. a GDPR.
Analytics & Marketing Cookies (e.g. Google Analytics, Google Ads, Meta Pixel): Art. 6 (1) lit. a GDPR.
You can withdraw your consent at any time for the future or change your settings by emailing us.
A list of the cookies used can be found in section 11.
3.3 Consent Management Tool (CMP)
Data: Consent status, timestamp, device/browser data, anonymous ID.
Purpose: Documenting consents, managing cookie preferences.
Legal basis: Art. 6 (1) lit. c GDPR (documentation requirement), lit. f GDPR (legitimate interest in legally compliant consent collection).
3.4 Contact Requests (Form, E‑Mail, Phone)
Data: Name, email address, message content, optionally phone number.
Purpose: Handling your request.
Legal basis: Art. 6 (1) lit. b GDPR (pre-contractual measures) or lit. a GDPR (consent for voluntary info).
Retention: Until final processing and thereafter according to statutory retention periods.
3.5 Orders, Customer Account and Contract Fulfillment (Shop)
Data: Master data (name, address, email), order data, payment data (see 3.6), communication data.
Purpose: Order processing, delivery, customer service, accounting.
Legal basis: Art. 6 (1) lit. b GDPR; legal obligations (Art. 6 (1) lit. c GDPR, e.g. tax retention).
Retention: 7 years (tax law) or until expiry of warranty and limitation periods.
3.6 Payment Service Providers
We use external payment providers (e.g. Stripe, PayPal, Klarna – please specify).
Data: Payment method, transaction ID, invoice data.
Legal basis: Art. 6 (1) lit. b GDPR.
Note: Payment providers process data independently under their own privacy policies.
3.7 Shipping Service Providers
For delivery we share address data with shipping companies (e.g. Austrian Post, DPD).
Legal basis: Art. 6 (1) lit. b GDPR.
3.8 Newsletter / Direct Marketing
Data: Email address, phone number, name.
Purpose: Sending information about products and offers.
Legal basis: Art. 6 (1) lit. a GDPR (consent) or § 174 TKG (existing customer exception).
Withdrawal: Possible at any time by email.
3.9 Web Analytics & Reach Measurement (e.g. Google Analytics 4)
Data: IP address (anonymized), device info, usage behavior, events.
Legal basis: Art. 6 (1) lit. a GDPR.
IP Anonymization: Enabled.
Processor Agreement: Concluded with Google.
Third‑Country Transfer: USA (Standard Contractual Clauses, additional safeguards).
3.10 Online Marketing (e.g. Google Ads, Meta Pixel)
Purpose: Conversion tracking, remarketing, campaign optimization.
Legal basis: Art. 6 (1) lit. a GDPR.
Objection/Withdrawal: Via cookie settings or providers’ opt‑out links.
3.11 Social Media Profiles
We maintain profiles on Facebook/Instagram, TikTok, LinkedIn, etc. Data is processed jointly with each platform provider. Please refer to their privacy notices.
3.12 Hosting & CDN
Our Website is hosted via Shopify (Shopify International Ltd., Ireland / Shopify Inc., Canada).
Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in secure and efficient delivery).
Processor Agreement: Concluded with Shopify.
Third‑Country Transfer: Standard Contractual Clauses.
4. Recipients and Categories of Recipients
IT/hosting service providers
Payment and shipping providers
Newsletter/email service providers (e.g. Klaviyo, Mailchimp)
Analytics and marketing providers (Google, Meta, etc.)
External advisors (tax consultants, lawyers)
5. Transfers to Third Countries
Transfers to countries outside the EU/EEA occur only if an adequacy decision by the EU Commission exists (e.g. Canada) or suitable safeguards (e.g. Standard Contractual Clauses) are in place along with additional protective measures.
6. Data Retention
We retain personal data only as long as necessary for the respective purpose or as required by law. Afterwards, data is deleted or anonymized.
7. Your Rights (Data Subject Rights)
You have the right to:
Access (Art. 15 GDPR)
Rectification (Art. 16 GDPR)
Erasure (Art. 17 GDPR)
Restriction of Processing (Art. 18 GDPR)
Data Portability (Art. 20 GDPR)
Objection to processing based on Art. 6 (1) lit. e or f GDPR (Art. 21 GDPR)
Withdraw Consent (Art. 7 (3) GDPR) with future effect
You also have the right to lodge a complaint with the Austrian Data Protection Authority:
Austrian Data Protection Authority
Barichgasse 40–42, 1030 Vienna
Phone: +43 1 521 52‑25 69
E‑Mail: dsb@dsb.gv.at
Web: www.dsb.gv.at
8. Automated Decision-Making / Profiling
No automated decision-making within the meaning of Art. 22 GDPR takes place. Profiling occurs only within marketing and analytics tools based on your consent.
9. Data Security
We use SSL/TLS encryption and implement technical and organizational measures to protect your data against loss, destruction or unauthorized access.
10. Changes to this Privacy Policy
We update this Privacy Policy as needed (e.g. new technologies, legal changes). The version published on the Website applies.
11. Cookie Overview
(Example structure – please fill with your actual shop/tool cookies.)
11.1 Necessary Cookies
Name | Provider | Purpose | Duration |
---|---|---|---|
_shopify_y | Shopify | Session ID/Analytics (shop function) | 1 year |
cart | Shopify | Cart function | 2 weeks |
11.2 Preferences / Functional
Name | Provider | Purpose | Duration |
---|---|---|---|
locale | Own cookie | Store language selection | 1 year |
11.3 Statistics / Analysis
Name | Provider | Purpose | Duration |
---|---|---|---|
_ga | Google Analytics | User identification | 2 years |
_gid | Google Analytics | Session analysis | 24 hours |
11.4 Marketing / Tracking
Name | Provider | Purpose | Duration |
---|---|---|---|
_fbp | Meta Platforms Inc. | Remarketing / conversion tracking | 3 months |
IDE | Google Ads | Conversion / retargeting | 1 year |
12. Contact for Privacy Concerns
If you have questions about the processing of your personal data, please contact:
info@berbersan.at