Skip to the main content

Privacy policy

1) Information regarding the collection of personal data, and contact details for the Data Controller.

1.1 We are delighted that you are visiting our website and would like to thank you for your interest. The following information will explain how we process your personal data when you visit our website. "Personal data" means any data which can be used to identify you personally.

1.2 The data controller responsible for processing data on our website in accordance with the German data protection regulation (GDPR), is air up GmbH, Friedenstraße 22A, 81671 Munich, Germany, email: datenschutz@air-up.com. The controller responsible for processing personal data is a natural person or legal entity who alone or together with others, decides on the purposes and methods used for processing personal data.

1.3 The data controller has appointed a data protection officer, who can be contacted as follows: Mrs Pia Bosseler, Friedenstraße 22A, 81671 Munich, Germany, E-mail: datenschutz@air-up.com

1.4 For security reasons and to secure the transmission of personal data and other confidential information (such as orders or enquiries sent to the data controller), this website uses either SSL or TLS encryption. An encrypted connection can be identified by seeing the characters "https://" and the padlock symbol in your browser's address bar.

2) Data collection when visiting our website

When you use our website for information purposes only, i.e. if you do not register or send us other information, we collect only the data which your browser sends to our server (known as server log files). When you access our website, we collect the following details, which we require for technical reasons in order to display our website to you:

  • Which website visited

  • Date and time visited

  • Amount of data sent in bytes

  • Source/link from which you reached the page • Which browser was used

  • Which operating system was used

  • IP address (if applicable: in anonymised form)

Data is processed under Article 6 (1) (f) of the GDPR, based on our legitimate interest in improving the stability and functionality of our website. The data will not be shared with third parties or used for other purposes. We do, however, reserve the right to check the server log files at a later date, should there be specific indications of illegal use.

3) Hosting

Hosting by Shopify

We use the shopping app provided by Shopify International Limited, Victoria Buildings, 2nd floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland ("Shopify“) for the purpose of hosting and displaying the online shop, based on relevant data being processed on our behalf. All the data collected on our website is processed on the Shopify servers. Shopify ensures, using appropriate technical and organizational measures, that the data is only processed within the EU/EEA. Regarding the theoretical possibility of the Canadian parent company, Shopify Inc., 150 Elgin St, Ottawa, ON K2P 1L4, Canada, accessing the data, the European Commission has adopted an adequacy decision for Canada, certifying that an adequate level of data protection is guaranteed. For more information about Shopify's privacy policy, please visit the following website:

https://www.shopify.de/legal/datenschutz and here: https://help.shopify.com/de/manual/your-account/privacy/GDPR.

Hosting by Vercel

Parts of this website are hosted using the cloud platform Vercel, provided by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. This means that each visit to our website may be handled or delivered through Vercel. Personal data you send to our website will therefore also be transmitted to Vercel. This is necessary in order to handle your browser requests to our site. The transmitted information includes:

  • The hostname of the accessing computer

  • The IP address

Depending on the server location, this information may also be sent to the USA. Vercel has signed a data processing agreement governed by the European General Data Protection Regulation with us. Moreover, Vercel is certified under the EU-US Data Protection Agreement and thereby obliged to observe EU data protection legislation. You can view Vercel’s privacy policy at https://vercel.com/legal/privacy-policy.

This data is not merged with other data sources.

This data is recorded on the basis of Art. 6 Sec. 1 lit. f GDPR. The delivery of the personal data is necessary in order for you to use our website.

4) Cookies

We use "cookies". Cookies are small text files which are stored on the device being used, and which are saved by the browser. Cookies are used to make our website more user-friendly, more effective and more secure. There are various kinds of cookies, which are used for different purposes.

Some cookies ensure that our website functions properly, or that, having registered successfully, you can be identified on your device ("essential" cookies). By storing these essential cookies, we make it considerably easier for you to visit our website, and to use the services available there. Other cookies are stored for the purpose of analyzing your user preferences and so to improve our website ("advanced cookies").

We only store advanced cookies with your consent. When you visit our website for the first time, a pop-up window is displayed with an explanatory message about cookies. Once you click on the relevant "agree" button, you are giving consent for us to use the cookies selected at that point, as described in the relevant pop-up window and in this Data Protection Policy.

You can configure your browser so that you are notified when cookies are being stored, and only allow cookies on a case-by-case basis, accept cookies for particular purposes, or disable them altogether, as well as enabling cookies to be deleted when you close the browser. We wish to point out that, if cookies are disabled, this may limit the functionality of this website.

Where personal data is processed when "essential" cookies are used, the lawful basis for this is Article 6 (1) (1) (f) of the GDPR, on account of a legitimate interest in ensuring quality, and in the interests of the web page displaying without any technical issues. Processing your personal data when using so-called "additional cookies" is based on your consent (lawful basis: Art. 6 (1) (1) (a) of the GDPR). Please note that if cookies are not accepted, the functionality of our website may be restricted.

5) Contacting us

Personal details are collected when you get in contact with us (by using the contact form or by email, for instance). With the contact form, it is clear what data is being collected from the form itself. This data will only be stored and used for the purpose of responding to your request or for contacting you, and associated technical administration work. If you contact us with a view to entering into a contract, this represents an additional lawful basis for data processing under Article 6 (1) (b) of the GDPR. Otherwise, Article 6 (1) (a) of the GDPR applies. This would be the case if, based on the circumstances, it is reasonable to conclude that the matter in hand has been dealt with, and so there is no legal requirement to retain the data.

6) Processing data when opening a customer account and processing a contract

Under Article 6 (1) (b) of the GDPR, additional personal data will be collected and processed when you send this to us for the purpose of performing a contract, or when opening a customer account. The data being collected will be clear from the relevant submission form. When you open a customer account with us, you are automatically enrolled into our loyalty programme as a registered customer. Membership of the loyalty programme is free and not tied to any purchase. For this purpose, we use the services of the British provider LoyaltyLion Ltd. The data provided will be processed for the purpose of delivering the service. You may delete your customer account at any time simply by sending an email to the data controller at the address above. We store and use the data you send us for the purpose of processing the contract. Once we have fully processed a contract, or have deleted your customer account, your data is retained, taking into account any statutory tax and commercial law retention periods, and then deleted once these have expired, except where you have expressly given your consent for your data to be used subsequently, or if, on our page, we have reserved the right to use your data subsequently as permitted in law.

7) Using your data for the purpose of direct marketing

7.1 Signing up for our email newsletter

If you sign up for our email newsletter, we will send you regular information about our special offers. You just need to provide us with your email address in order to receive our newsletter. Providing additional data is voluntary and is used in order to contact you personally. We use the so-called double opt-in procedure to send the newsletter. This means that we only send you an email newsletter, if you have specifically confirmed that you agree to receive the newsletter. We then send out a confirmation email which asks you to click on the relevant link, in order to confirm that you would like to receive the newsletter in future.

By activating the confirmation link, you are giving us your consent to use your personal data under Article 6 (1) (a) of the GDPR. When you register for the newsletter, we store the IP address specified by the internet service provider (ISP), as well as the date and time you registered, in order to be able to trace potential misuse of your email address at some later time. The data we collect from you when you register to receive the newsletter is only used for the purposes of targeted advertising in the form of the newsletter. You can unsubscribe from the newsletter at any time using the link provided in the newsletter, or by sending an email to the nominated data controller. Once you unsubscribe, your email address will immediately be deleted from our email distribution list, except where you have expressly consented to your data being used subsequently, or except where we have reserved the right to use your data subsequently, as permitted in law, in which case we have notified you of this in this policy.

7.2 Sending the email newsletter out to existing customers

If, when purchasing goods or services from us, you have provided us with your email address, we reserve the right to send you regular offers by email in respect of products and services in our range similar to those you have purchased in the past. Under § 7 (3) of the German Fair Trade Practices Act (UWG), we do not have to obtain your separate consent for this. In this case, data processing is based solely on our legitimate interest in personalized direct marketing under Article 6 (1) (f) of the GDPR. If you did not initially consent to your email address being used for this purpose, we will not send out any such emails. You are entitled to revoke consent for continued use of your email address for the purpose previously stated at any time, by notifying the data controller as named above. The only cost to you will be the cost of sending the message, based on standard rates. Once we receive notice that you wish to revoke consent, the use of your email address for marketing purposes will cease immediately.

7.3 WhatsApp newsletter

If you sign up for our WhatsApp newsletter, we will periodically send you information about our offers on WhatsApp (1601 Willow Rd, Menlo Park, CA, United States). The only information we require to send this newsletter is your mobile number.

In order to receive the newsletter, you need to add the mobile number we send you to your contacts in the address book on your phone, and message us the word, "Start," using WhatsApp. By sending us this WhatsApp message, you are giving your consent to use your personal data in accordance with Article 6 (1) (a) of the GDPR, for the purpose of sending out the newsletter. We will then add you to our newsletter distribution list.

The data we collect from you when you register to receive the newsletter is only processed for the purposes of targeted advertising in the form of the newsletter. You can unsubscribe from the newsletter at any time by using WhatsApp to send us the message "Stop". Once you unsubscribe, your mobile number will immediately be deleted from our email distribution list, except where you have expressly consented to your data being used subsequently, or except where we have reserved the right to use your data subsequently, as permitted in law, in which case we have notified you of this in this policy.

Please note that WhatsApp obtains access to the address book on the mobile we use to send out the newsletter, and the numbers saved in the address book are automatically sent to a Facebook server in the US. In order to guarantee an adequate level of data protection, the provider has implemented clauses from what is referred to as the European Union standard contract. We also carry out case-by-case risk analysis in order to ensure data protection over and above the standard contract clauses.

In order to send out our WhatsApp newsletter, we therefore use a mobile with an address book containing only the WhatsApp contact details for those receiving our newsletter. This ensures that every person whose WhatsApp contact details are saved in our address book has already accepted the WhatsApp Conditions of Use, doing so when they first used the app on their device, and has thus already given consent for their WhatsApp phone number to be sent from their address books of chat contacts, in accordance with Article 6 (1) (a) of the GDPR. Sharing data belonging to users who do not use WhatsApp or who have not contacted us using WhatsApp is therefore prevented.

The purpose and scope of data collection, and subsequent processing and use of the data by WhatsApp, as well as your associated rights and settings options, with a view to protecting your privacy, may be found in WhatsApp's data protection policy at: https://www.whatsapp.com/legal/?eea=1#privacy-policy

7.4 Marketing by post

Based on our legitimate interest in personalized direct advertising, we reserve the right to use your first and last name, your postal address and - where we receive this additional information from you as part of the contractual relationship - to store your title, academic degree, year of birth and your profession, industry or business in accordance with Art. 6 (1) (f) of the GDPR and to use it for sending offers which may be of interest and information about our products by post.

You may object to our storing and using your data for this purpose at any time by sending an appropriate email to the data controller.

7.5 CleverPush

You can register for our push notifications. We use the "CleverPush" service for sending out our push notifications, which is operated by CleverPush UG (limited liability), Tondernstrasse 1, 22049 Hamburg, Germany ("CleverPush“). We will send out regular information about available products via our push notifications. To subscribe, you must confirm your browser's request to accept notifications. This process is documented and stored by CleverPush. This includes storing when you registered for this service, as well as your browser ID and/or your device ID. This data has to be collected, so that, in the event of misuse, we are able track what happened, and this is therefore for the purpose of our legal protection. In order to be able to show you push notifications, CleverPush collects and processes your browser ID and, if accessing via a mobile, your device ID on our behalf. By subscribing to our push notifications, you agree to receive them. The legal basis for processing your data once you have registered for our push notifications is the consent you have given as per Article 6 (1) (a) of the GDPR. CleverPush also analyzes the statistics relating to our push notifications. CleverPush can therefore recognise if and when our push notifications were displayed and clicked by you. You may revoke your consent at any time and effective going forward to our storing and using your personal data in order to receive our push notifications, and to our collecting data for statistical purposes. In order to revoke your consent, you can alter the relevant setting in your browser for receiving push notifications. If you use our push notifications on a desktop PC with the Windows operating system, you can also unsubscribe to our push notifications by right-clicking on the relevant push notification in the setting that appears there. Your data will be deleted once it is no longer required for the purpose for which it was collected. Your data will therefore be stored for as long as the subscription to our push notifications is active. There is a detailed explanation of how to unsubscribe at the following link: https://cleverpush.com/faq

7.6 Email notification that a certain product is available

Where we offer the option of notifying you by email when certain items which were temporarily out of stock in our online shop become available again, you can sign up for our email notification service for stock availability. If you sign up for our stock availability email notification service, we will send you a one-off message by email that the relevant item you selected is available. You just need to provide us with your email address in order to receive notifications. Providing additional data is voluntary and is used in order to contact you personally. We use the so-called double opt-in procedure to send notifications. This means that we only send you the relevant notification if you have specifically confirmed that you agree to receive such notification. We then send out a confirmation email which asks you to click on the relevant link, in order to confirm that you would like to receive such notifications in future.

By activating the confirmation link, you are giving us your consent to use your personal data under Article 6 (1) (a) of the GDPR. When you register for the stock availability notification emails, we store the IP address specified by the internet service provider (ISP), as well as the date and time you registered, in order to be able to trace potential misuse of your email address at some later time. The data we collect when you register for our stock availability notification emails is used exclusively for the purpose of advising you about the availability of a certain item in our online shop. You can unsubscribe from the product availability email notification service at any time by sending an appropriate email to the data controller as named above. After unsubscribing, your email address will be deleted immediately from our mailing list set up for this purpose,

except where you have expressly consented to your data being used subsequently, or except where we have reserved the right to use your data subsequently, as permitted in law, in which case we have notified you of this in this policy.

7.7 Optimove

We use the marketing technology of Optimove UK Limited, 35 Luke Street, 2nd Floor, Unit 2.01, London EC2A 4LH, United Kingdom ("Optimove").

Optimove is a tool that helps businesses to better understand and connect with their customers. With its range of features, including data analysis, marketing automation, and personalized communication, Optimove enables businesses to deliver a more personalized and relevant experience to their customers.

For this purpose, customer data (e-mail address, name and order details, and browsing behavior), will be shared with Optimove in accordance with the GDPR so that Optimove can operate the service. Optimove uses algorithms and machine learning to analyze this data and generate insights about customer behavior and preferences. This information is then used to inform the creation of personalized marketing campaigns, executed via email, SMS, or WhatsApp. We are sending campaigns to consumers who opted-in to these channels, customers will be able to revoke their permission at any time. 

Personal data of customers based in the EEA, the United Kingdom or Switzerland is currently stored in Germany.

In addition, we carry out an individual risk analysis to ensure data protection that goes beyond the standard contractual clauses.

The processing of the data takes place voluntarily and only with your express consent, in accordance with Art. 6 para. 1 sen. 1 lit. a GDPR.

Optimove uses cookies to distinguish Website visitors in order to provide them with a personalized experience when they browse. You can block these cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies.

You can revoke your consent at any time by declining cookies on air-up.com and by clicking the unsubscribe button in our email newsletters. For more details on how Optimove processes your personal data, please refer to the following link for Optimove's Privacy Policy: https://www.optimove.com/privacy-policy

7.8 Sinch

We use a communication tool provided by Sinch Sweden AB, located in Lindhagensgatan 74, 112 18 Stockholm, Sweden (“Sinch”). Sinch is a messaging tool that allows air up to send text messages. For this purpose, your mobile phone number can be shared with Sinch in accordance with Art. 6 para. 1 sen. 1 lit. a GDPR so that Sinch can operate the service.

Your mobile phone number will only be shared with Sinch when you give us permission to contact you through SMS. You can revoke your consent at any time with future effect, after revoking it can take up to 72 hours to process. For more details on how Sinch processes your personal data, please refer to the following link in Sinch's Privacy Policy: https://www.sinch.com/privacy-policy

8) Processing data for the purposes of processing an order

8.1 In order to process your order, we work in partnership with the following service provider(s) who support us to a greater or lesser extent as we perform the contracts we have accepted. Certain personal data is shared with these service providers, as stated below.

When processing your order, personal data we collect is passed on to transport companies taking care of delivery, where this is required for the purpose of delivering the goods. When processing payment, we send your payment details to the financial institution we are using, where this is necessary for processing the payment. Where payment service providers are used, we will explicitly notify you of this below. The lawful basis for sharing data is Article 6 (1) (b) of the GDPR.

8.2 Use of payment service providers (payment services)

Apple Pay

If you opt for "Apple Pay" from Apple Distribution International (Apple), Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, then payment will be processed using the "Apple Pay“ function on your device, operated using iOS, watchOS or macOS, by charging a payment card saved on "Apple Pay". This will involve Apple Pay using security functions which are integrated into the hardware and software for your device, in order to protect your transactions. To authorize a payment, you must therefore enter a code you have previously set up, or verify it using the "Face ID" or "Touch ID" function on your device. For the purpose of processing payment, the information you provide during the ordering process, together with information about your order, will be passed on to Apple in encrypted form. Apple then re-encrypts this information using a developer-specific key before the data is sent to the relevant payment service provider (for the payment card saved on Apple Pay) for the purpose of processing the payment. Encryption ensures that only the website where the purchase was actioned is able to access the payment details. Once payment is complete, Apple sends your device account number and a transaction-specific dynamic security code to the originating website to confirm the payment has been successful. Where personal data is processed in the above transfers, processing is exclusively for the purpose of processing payment in accordance with Article 6 (1) (b) of the GDPR. Apple retains anonymised transaction information, including approximate purchase value, date and time, and whether the transaction was completed successfully. Anonymisation protects you entirely from being identified. Apple uses the anonymised data to improve Apple Pay and other Apple products and services. If you use Apple Pay on the iPhone or Apple Watch to complete a purchase you have actioned via Safari on the Mac, then the Mac and the authorization device communicate with one another over an encrypted channel on Apple's servers. Apple does not process or save any of this information in a format which would make it possible to identify you. You can disable the option to use Apple Pay on your Mac using the settings on your iPhone. Go to "Wallet & Apple Pay", and uncheck "Allow payments on Mac". Further information on data protection with Apple Pay can be found at the following website: https://support.apple.com/de-de/HT203027

Google Pay

If you decide to use the “Google Pay” payment method from Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”), payment will be processed using the “Google Pay” application on your device, if running at least Android 4.4 ("KitKat") with NFC capability, by debiting a payment card stored with Google Pay or a verified payment method recorded there (such as PayPal). To authorize payments for more than €25 using Google Pay, your mobile device will need to be unlocked using the relevant verification method already set up (such as facial recognition, password, fingerprint or pattern). For the purpose of processing payment, the information you provide during the ordering process, together with information about your order, will be passed on to Google in encrypted form. Google then passes your payment information, stored on Google Pay, to the original website in the form of a one-off transaction number. This is used to verify that payment has been successful. This transaction number does not include any information on the actual payment details for your payment method stored on Google Pay, but is generated and sent as a one-time numeric token. For any transactions using Google Pay, Google acts purely as an agent for processing the payment. The transaction is processed exclusively within the relationship between the user and the source website by debiting the means of payment stored with Google Pay. Where personal data is processed in the transmissions set out above, this processing is exclusively for the purpose of payment processing in accordance with Article 6 (1) (b) of the GDPR. Google reserves the right to collect, store and analyze certain process-specific information for any transactions made using Google Pay. This includes the date, time and amount of the transaction, merchant location and description, a description provided by the merchant of the goods or services being purchased, any photos you included with the transaction, the name and email address of the seller and buyer or sender and recipient, the payment method used, your description of the reason for the transaction, and the website associated with the transaction, where applicable. According to Google, this processing is carried out exclusively in accordance with Art. 6 (1) (f) of the GDPR based on the legitimate interest in accurate invoicing, verification of transaction data and optimization and functional maintenance of the Google Pay service. Google also reserves the right to merge processed transaction data with other information which is collected and stored by Google when using other Google services. Google Pay's terms of service can be found at: https://payments.google.com/payments/apis-secure/u/0/get_legal_document?ldo=0&ldt=googlepaytos&ldl=de. You can find further information on data protection with Google Pay from the following website https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=de

Klarna (only Finland and Denmark)

If you select the Klarna payment service, payment will be processed by Klarna Bank AB (publ) [https://www.klarna.com/de], Sveavägen 46, 111 34 Stockholm, Sweden (hereinafter "Klarna"). In order to enable payment to be processed, your personal data (first and last name, street, house number, postcode, town, gender, email address, phone number and IP address) as well as data relating to the order (such as invoice amount, item, type of delivery) is passed on to Klarna for the purpose of identity and credit checks, provided you have expressly consented to this during the ordering process, in accordance with Article 6 (1) (a) of the GDPR. You can view which parties your data may be forwarded to here: https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_de/credit_rating_agencies. The credit check may also include risk scores (credit scoring). Where credit scores are included in the results of the credit report, they are based on a scientifically recognised mathematical-statistical process. One element, but not the only one, fed into the credit score calculation is address data. Klarna uses information received about the statistical probability of default to make a considered decision about setting up, continuing or terminating the contractual relationship. You may revoke your consent at any time by sending an email to the data controller or to Klarna. However, Klarna may still be entitled to process your personal data where this is necessary for processing payments under a contract. Your personal data will be processed in accordance with the applicable data protection provisions and as specified in Klarna's Privacy Policy for Data Subjects living in Germany https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_de/privacy, or for Data Subjects located living in Austria https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_at/privacy.

Shopify Payments

We use the payment service provider "Shopify Payments", 3rd Floor, Europa House, Harcourt Building, Harcourt Street, Dublin 2. If you choose a payment method offered via the payment service provider Shopify Payments, payment is processed by the technical service provider Stripe Payments Europe Ltd, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, to whom we pass on the information you provided during the ordering process, together with information about your order (name, address, account number, bank sort code, any credit card number, invoice amount, currency and transaction number) in accordance with Art. 6 (1) (b) of the GDPR. Your data is shared exclusively for the purpose of processing the payment with Stripe Payments Europe Ltd. and only where this is necessary. You can find more detailed information about data protection for Shopify Payments from the following website: https://www.shopify.com/legal/privacy. Data protection information about Stripe Payments Europe Ltd. can be found here: https://stripe.com/de/privacy

SOFORT (only Spain and Portugal)

When the "SOFORT" option is selected as the method of payment, payment is made using the payment service provider SOFORT GmbH, Theresienhöhe 12, 80339, Munich, Germany (hereinafter: "SOFORT"), with whom we share the information you have shared with us during the ordering process, along with the information regarding your order as per Article 6 (1) (b) of the GDPR. Sofort GmbH is part of the Klarna Group (Klarna Bank AB (publ), Sveavägen 46, 11134 Stockholm, Sweden). Your data is shared exclusively for the purpose of processing the payment with the payment service provider, SOFORT, and only where this is required for this purpose. You can find more information about SOFORT's privacy policy at the following web address: https://www.klarna.com/so fort/datenschutz.

Eps-Überweisung

Erfolgt die Zahlung mittels einer von EPS-Uberweisung angebotenen Zahlungsmethode, wird die Zahlung durch den Zahlungsdienstleister PSA Payment Services Austria GmbH ("PSA"), Handelskai 92, Tor 2, 1200 Wien, abgewickelt. Weitere Informationen zur Datenverarbeitung durch "eps-Überweisung" finden Sie hier: https://eps-ueberweisung.at/de/datenschutz.

Narvar

We use the return management tool from Narvar, Inc. , 3 East Third Avenue, Suite 211, San Mateo, CA 94401, United States (“Narvar").

We use Narvar to automate and simplify the return process. It makes it easier for customers to return items bought on our website.

For this purpose, e-mail address and order number will be shared with Narvar in accordance with the GDPR so that Narvar can operate the service.

Once you place the order and it is fulfilled, you can initiate the order return process using return automation provided by Narvar. By typing in your email and order number in the return widget, you can select items you want to return. After selecting the items and choosing the shipping method, you will receive an email with detailed instructions on how to return the items.

For this purpose, we will collect and process your personal data (name, e-mail address, phone number, address from initial order, IP address) and order details, in encrypted, pseudonymized form. By using these data, Narvar will create a return order which will be used to process your return. The data is passed on to Narvar exclusively in pseudonymised form.

Personal information may be transferred, stored and processed in a country other than the country in which it was collected, including but not limited to the United States. Narvar transfers personal data under the European Commission's Standard Contractual Clauses pursuant to Commission Decision 2021/914/EU to ensure that it is adequately protected.

In addition, we carry out an individual risk analysis to ensure data protection that goes beyond the standard contractual clauses. The processing of the data takes place voluntarily and only with your express consent, in accordance with Art. 6 para. 1 sen. 1 lit. a GDPR.

You can revoke your consent at any time with future effect. (https://narvar.my.onetrust.com/webform/04b3731f-2a9a-42ce-bd6b-106d4b4ec3bf/a7c944bf-3cec-4f00-9dc5-dea5bf2b6f4f).

For more details on how Narvar processes your personal data, please refer to the following link in Narvar's Privacy Policy: https://corp.narvar.com/privacy-policy

Narvar places cookies in your browser when you initiate the return process. These cookies are used to track statistical data about usage of the return process. The collected data is used for improvement of user experience. More information about cookies can be found here: https://corp.narvar.com/cookie-policy

8.3 Subscription Service Provider

We use the subscription tool Recharge App, 3030 Nebraska Avenue, Los Angeles California US 90404.

We use Recharge for the order processing of subscriptions. We use the Recharge App through Shopify when you purchase a subscription for our products, to auto-bill the payment card you pro-vide and to process your order.

For this purpose, name, email address, shipping address, billing address and payment information will be shared with Recharge in accordance with the GDPR so that Recharge can operate the service.

When a customer creates an air up subscription, Recharge stores the data and all subsequent order data which is generated.

For this purpose, we will collect your personal data (name, email address, shipping address, billing address and payment information, computer and network traffic) in encrypted, pseudonymized form with Recharge so that you can participate in our subscription service. Recharge uses this information for security purposes and to provide you with our service. data is passed on exclusively in pseudonymised form. Personal data of customers based in the EEA, the United Kingdom or Switzerland is currently stored in the USA. Recharge transfers personal data to the USA under the European Commission's Standard Contractual Clauses pursuant to Commission Decision 2021/914/EU to ensure that it is adequately protected.

In addition, we carry out an individual risk analysis to ensure data protection that goes beyond the standard contractual clauses.

The processing of the data takes place voluntarily and only with your express consent, in accordance with Art. 6 para. 1 sen. 1 lit. a GDPR.

You can revoke your consent at any time with future effect by cancelling your subscription in your user account. For more details on how Recharge processes your personal data, please refer to the following link to Recharge’s Privacy Policy: https://rechargepayments.com/privacy-policy/

9) Contacting you to remind you to leave a review

Reminder to leave a rating (not sent by a customer rating app). We use your email address to send a one-off reminder to submit a rating about your order for the rating system we use, provided that you have given us your express consent to do so during or following your order in accordance with Art. 6 (1) (a) of the GDPR. You can revoke your consent at any time by sending an email to the data controller.

10) Online marketing

10.1 Facebook Pixel for creating Custom Audiences with advanced data matching.

Our website uses the so-called "Facebook pixel" for extended data matching, which is operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Facebook").Based on their explicit consent, when a user clicks on an advertisement displayed on Facebook and placed by us, Facebook Pixel adds a piece of code to the URL of our linked page. Once the user has been redirected in the browser, this URL parameter is then registered by means of a cookie set by our linked page. This cookie also collects specific customer data such as, for example, their email address, which we collect on our website linked to the Facebook ad during processes such as purchasing, applications to open an account or registrations (extended data matching). Facebook Pixel then reads the cookie, and this allows the data, including specific customer details, to be forwarded to Facebook. The information generated by Facebook is, as a rule, transferred to a Facebook server, and saved there, which means data may be sent to servers belonging to Facebook Inc. in the US. In order to guarantee an adequate level of data protection, the provider has implemented clauses from what is referred to as the European Union standard contract. We also carry out case-by-case risk analysis in order to ensure data protection over and above the standard contract clauses. Facebook can use the Facebook pixel with extended data comparison to accurately identify visitors to our website as a target group for displaying advertisements to ("Facebook Ads"). We therefore use Facebook Pixel with enhanced data matching so that we only show our Facebook ads to those Facebook users who have also shown interest in our online presence, or who meet various criteria (such as interest in particular topics or products, determined by websites they have visited) which we have communicated to Facebook (what are called "custom audiences"). By using Facebook Pixel with extended data matching we also want to ensure that our Facebook Ads match users' potential interests, and are not annoying. This allows us to analyze the effectiveness of Facebook ads for the purposes of statistics and market research by understanding whether users were redirected to our site having clicked on a Facebook ad (referred to as "conversion"). Compared to the standard version of Facebook Pixel, the advanced data matching feature helps us better measure the effectiveness of our ad campaigns by capturing more attributed conversions. All data transmitted is stored and processed by Facebook so that a link can be established to the respective user profile and Facebook can use the data for its own advertising purposes, in accordance with the Facebook Data Usage Policy (https://www.facebook.com/about/privacy/). The data may enable Facebook and its partners to serve ads on and off Facebook. These processes only happen if explicit consent is given in accordance with Art. 6 (1) (a) of the GDPR. You can revoke your consent at any time by disabling Facebook pixel tracking. Clicking on the following link stores an opt-out cookie, which disables Facebook Pixel tracking. This opt-out cookie only works in this browser and only for this domain. If you delete cookies in this browser, you will need to click on the above link again.

10.2 Use of Google Ads Conversion Tracking

This website uses the online "Google Ads" advertising program, and, in connection with Google Ads, conversion tracking from Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google“). We use Google Ads to draw attention on external websites to what we have to offer, with the help of these marketing tools (known as Google Adwords). The data from the advertising campaigns allows us to determine how successful individual advertising initiatives have been. We are therefore motivated by a desire to show you advertising which you are interested in, to present our website in a way which is of more value to you, and to calculate the advertising costs incurred fairly.

The cookie for conversion tracking is stored when a user clicks on one of the ads displayed by Google. Cookies are small text files which are saved on your device. As a rule, these cookies expire after 30 days and cannot be used to identify someone personally. When the user visits certain pages on this website, and providing the cookie has not expired, both we and Google can tell that the user has clicked on the ad, and has been forwarded to this page. Each Google Ads customer gets a different cookie. This means that cookies cannot be tracked via the websites of Google Ads customers. The information gathered using the conversion cookie serves the purpose of compiling statistics for Google Ads customers who have chosen conversion tracking. Customers can see the total number of users who have clicked on their ad, and who were redirected to a page featuring a conversion tracking tag. However, they do not obtain any information which would allow users to be identified personally. If you don't want to take part in tracking, you can block this by disabling the Google conversion tracking cookie on your internet browser using the keyword "user settings". You will then not be included in conversion tracking statistics. We only place Google Ads with your consent as in accordance with Art. 6 (1) (a) of the GDPR. It is possible that your personal data may be sent to Google LLC. servers in the US In connection with using Google Ads. In order to guarantee an adequate level of data protection, the provider has implemented clauses from what is referred to as the European Union standard contract. We also carry out case-by-case risk analysis in order to ensure data protection over and above the standard contract clauses.

You can find more information about Google's data protection policy from the following website: https://www.google.de/policies/privacy/

You can permanently disable cookies relating to ad preferences by blocking these using the relevant setting in your browser software, or by downloading and installing the browser plug-in available at the following link: https://www.google.com/settings/ads/plugin?hl=de

Please note that some functions of this website may not be available or may only be available to a limited extent if you disable the use of cookies.

10.3 Google Marketing Platform

This website uses the online marketing tool, Google Marketing Platform, operated by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("GMP").

GMP sets cookies in order to show users relevant ads, to improve reports on campaign performance, or to avoid a user seeing the same ads several times. Using a cookie ID, Google finds out which ads have been displayed in which browsers, and so can avoid these being displayed more than once. Data is processed based on your consent in accordance with Article 6 (1) (a) of the GDPR.

Moreover, GMP can, using cookie IDs, also record what are called conversions, which relate to enquiries in respect of the ad. This is the case where a user sees a GMP ad, and later, using the same browser, accesses the advertiser's website and makes a purchase there. According to Google, the GMP cookies do not contain any personal data.

Based on the marketing tools used, your browser automatically sets up a direct connection with the Google server. We do not have any influence on the volume and subsequent use of data collected by Google using this tool, and therefore can only advise what we know: by embedding GMP, Google obtains the information that you have accessed the relevant part of our internet presence, or have clicked on one of our ads. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google, or have not logged it, there is a possibility of your provider finding out and saving your IP address. It is possible that your personal data may be sent to Google LLC. servers in the US In connection with using GMP. In order to guarantee an adequate level of data protection, the provider has implemented clauses from what is referred to as the European Union standard contract. We also carry out case-by-case risk analysis in order to ensure data protection over and above the standard contract clauses.

If you wish to object to participating in this tracking process, you can disable cookies for conversion tracking by configuring your browser to block cookies from the www.googleadservices.com domain (see https://www.google.de/settings/ads). This setting is cleared if you disable cookies. Alternatively, you can find out about setting cookies from the Digital Advertising Alliance at www.aboutads.info, and configure your settings accordingly. Finally, you can configure your browser so that you are notified when cookies are being set, and only accept cookies on a case-by-case basis, or prevent cookies being set in particular cases or in general. If cookies are not accepted, the functionality of our website may be restricted.

You can find more information about GMP by Google's data protection policy from the following website: https://www.google.de/policies/privacy/

10.4 Newsletter

Some emails with product recommendations (newsletters) are sent using the technical service provider Clerk.io ApS, Kigkurren 8G, 2nd floor, 2300 Copenhagen, Denmark, www.clerk.io, to whom we transmit the data you provided when registering for the newsletter. This data is being transmitted to a third party in accordance with Article 6 (1) (f) of the GDPR, and is based on our legitimate interest in the use of an effective, secure and user-friendly marketing newsletter system. If you register to receive product recommendations, you are also giving your consent under Art. 6 (1) (a) of the GDPR to the disclosure of the following customer data:

  • Customer email address

  • Pages visited by customer

  • Content viewed by customer via Clerk.io

  • Clicks on content via Clerk.io

  • Products in orders placed by a customer (if any).

Clerk.io uses this information to provide personalized product recommendations and for statistical evaluation and analysis on our behalf. If you wish to disable data analysis for the statistical evaluation of recommendations, you should unsubscribe from the email newsletter.

11) Web analysis services

11.1 Google (Universal) Analytics with Google Signals

This website uses Google (Universal) Analytics, a web analysis service from Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). Google (Universal) Analytics uses small files called "cookies", which are saved on your computer and allow website use to be analyzed. The information generated by the cookie about your use of this website (including the abbreviated IP address) is usually transmitted to a Google server and stored there. This can also lead to transmission to Google LLC. servers in the US. This website uses Google (Universal) Analytics exclusively with the extension "_anonymizeIp()", which ensures anonymisation of the IP address by shortening it and leaves out any direct personal reference. The extension means that Google will shorten your IP address beforehand within a member state of the European Union and EEA. Only in exceptional cases will the full IP address be sent to a Google LLC. server in the US, and shortened there. In order to guarantee an adequate level of data protection, the provider has implemented clauses from what is referred to as the European Union standard contract. We also carry out case-by-case risk analysis in order to ensure data protection over and above the standard contract clauses. Google will use this information on our behalf for the purpose of analyzing your website use, compiling reports on website activity and providing other services relating to website activity and internet use. The IP address transmitted by your browser as part of Google (Universal) Analytics is not merged with other data from Google. You can prevent cookies being set by changing the settings in your browser software. However, we would like to point out that in such event as you may not be able to use all the functionality of this website to the full extent. You can also prevent Google from collecting data generated by the cookie relating to your use of the website (including your IP address) and also from processing that data, by downloading and installing the browser plug-in available from the following link: https://tools.google.com/dlpage/gaoptout?hl=de. As an alternative to the Browser plugin or from within browsers on mobile devices, please click on the following link to set an opt-out cookie that will prevent Google Analytics from collecting data within this website in future (this opt-out cookie only works in this browser and only for this domain. If you delete your cookies in this browser, you will have to click this link again): Disable Google Analytics. Further information on Google (Universal) Analytics can be found at: https://policies.google.com/privacy?hl=de&gl=de

This website also uses the Google Signals service as an extension of Google Analytics. Google Signals allow us to perform cross device tracking using Google. If you have activated "personalized ads" in the settings on your Google account, and have linked your internet-enabled devices with your Google account, Google can perform cross-device analysis of your user behavior, and create database models based on this. This takes into account the log-in history and type of device for anyone who has visited the page, who is logged into a Google account and has performed a conversion. Among other things, the data shows which device you were using when you first clicked on an ad, and on which device the associated conversion occurred. We do not receive any personal data from Google, only statistics based on Google Signals. Data is processed based on your consent in accordance with Article 6 (1) (a) of the GDPR.

11.2 Mixpanel

Mixpanel, Inc. and its affiliated companies, including Mixpanel International, Inc., Mixpanel S.L., Mixpanel UK Limited, and Mixpanel APAC Pte. Ltd. (referred to as "Mixpanel," "we," "our," and "us"), are dedicated to ensuring the security and confidentiality of the data collected.

Mixpanel, as a first-party analytics provider, collects user data to understand behavior and preferences. We utilize first-party cookies for analytics and enhancing the overall user experience, crucial for tracking events and gaining insights into user interactions. The use of hashed email addresses during user identification ensures a privacy-conscious method without storing sensitive information directly. Data deletion requests are accommodated.

All data is stored on Mixpanel's servers within the EU, and no data is transferred outside this region. Mixpanel’s EU Data Residency Program empowers you to process, protect, and manage personal data in Europe. To safeguard privacy, we anonymize IP addresses before sending them to Mixpanel. Geolocation data is extracted, and the IP address is redacted, ensuring that it is not retained on our servers.

When you visit our Site or use our Applications, certain information is automatically collected. This includes OS type and language, IP Address, browser type, the preceding website visited, web-elements interacted with, metadata about your activity, changes in user state, and visit duration.

We use cookies to identify popular areas and features, as well as to count visits. Most web browsers accept cookies by default, but you can adjust settings to remove or reject them. Additionally, you may find options to control cookie use when visiting the Site or using our Applications.

For more information about Mixpanel privacy measurements, please refer to this link: https://mixpanel.com/legal/privacy-policy

Mixpanel operates server-side on our website rather than client-side. This strategic choice allows us to gather valuable insights into user behavior and engagement while minimizing the impact on page load times. It's important to note that Mixpanel utilizes Google Analytics requests for its functionality. Consequently, if you opt to deactivate Google Analytics tracking or cookies, it will automatically deactivate Mixpanel as well. To disable Google Analytics tracking, you can conveniently use the Chrome extension available at this link: https://tools.google.com/dlpage/gaoptout?hl=de. This enables you to manage your privacy preferences effectively while ensuring a seamless user experience on our website.

12) Retargeting/remarketing/recommendations

Microsoft Advertising (Microsoft Corporation) Universal Event Tracking

This website uses the universal event tracking in conversion tracking technology "Microsoft Advertising" from Microsoft (Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA). In order to use Universal Event Tracking, a tag has been placed on each page of our website, which interacts with the conversion cookie set by Microsoft Advertising. This interaction means user behavior can be tracked on our website and sends the information collected to Microsoft Advertising. The purpose of this is that certain predefined objectives, such as purchases or leads, can be recorded statistically and analyzed in order to make the targeting and content of our offers more interest-driven. The tags are at no time used to identify users personally. Where information on user behavior sent to Microsoft Advertising includes personal user data, this occurs in accordance with Article 6 (1) (a) of the GDPR, based on your consent. Where data is sent to the US, the provider has implemented what is known as the European Union standard contract clause in order to guarantee an adequate level of data protection. We also carry out case-by-case risk analysis in order to ensure data protection over and above the standard contract clauses. If you don't want to take part in tracking, you can object to this by disabling the Microsoft Advertising conversion tracking cookie on your internet browser in "user settings". You will not then be included in the Conversion Tracking statistics. Alternatively, you can check whether Microsoft advertising cookies are set in your browser and disable them by visiting the disable page for EU consumers http://www.youronlinechoices.com/de/praferenzmanagement/. For more information about the Microsoft Advertising privacy policy, please visit the following website: https://privacy.microsoft.com/de-de/privacystatement.

Google Ads Remarketing

Our website uses the services of Google Ads Remarketing, which we use to advertise this website in Google search results and on third-party websites. The provider is Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”).To this end Google sets a cookie in the browser on your device, which automatically, using a pseudonymised cookie ID, based on the pages you have visited, allows us to show you advertising based on your interests. Data is processed based on your consent in accordance with Article 6 (1) (a) of the GDPR. Data will only be processed subsequently where you have given your consent to Google linking your internet and app browser history to your Google account and using information from your Google account to personalize ads which you view on the web. If this is the case, then when you visit pages on our website while you are logged into Google, then Google will use your data, along with Google Analytics data, to create and define target group lists for the purposes of cross-device remarketing. Google does this by temporarily linking your personal data to Google Analytics data, in order to form target groups. It is possible that your personal data may be sent to Google LLC. servers in the US In connection with using Google Ads Remarketing. You can permanently disable cookies relating to ad preferences by downloading and installing the browser plug-in available at the following link: https://www.google.com/settings/ads/onweb/. Alternatively, you can find out about setting cookies from the Digital Advertising Alliance at www.aboutads.info, and configure your settings accordingly. Finally, you can configure your browser so that you are notified when cookies are being set, and only accept cookies on a case-by-case basis, or prevent cookies being set in particular cases or in general. If cookies are not accepted, the functionality of our website may be restricted. Where personal data is transmitted to Google LLC. based in the US, the provider has implemented the so-called European Union standard contractual clauses to ensure an appropriate level of data protection. In addition, we carry out a case-by-case risk analysis in order to ensure data protection over and above the standard contract clauses. You can find more information, and the relevant data protection regulations in respect of advertising and Google, at the following URL: https://www.google.com/policies/technologies/ads/

13) Using a live chat system

Freshchat

In order to operate a live chat system for answering live requests on this website, your chat name and the conversation you share are collected as data, and saved for the duration of the chat. The conversation and your chosen chat name are only stored in what is known as RAM (Random Access Memory), and deleted immediately once one of us has ended the chat, but in any case no later than 2 hours after the last message in the chat conversation. Cookies are used to operate the chat function. Cookies enable recognition of the site visitor's internet browser in order to distinguish individual users of the chat function on our website. If the information collected in this way includes personal data, this is processed in accordance with Art. 6 (1) (f) of the GDPR on the basis of our legitimate interest in effective customer service and the statistical analysis of user behavior for optimisation purposes. Cookies are placed on the basis of your consent, as per Article 6 (1) (b) of the GDPR. In order to avoid cookies being saved, you can configure your internet browser so that cookies cannot be stored on your computer in future, or so that cookies which have already been stored are deleted. If you disable all cookies, this might however mean that the chat function on our internet site will no longer work.

14) Tools and miscellaneous

14.1 Google reCAPTCHA

We also use the reCAPTCHA function on this website, from Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google“). Above all, this function is used for identifying whether information has been entered by a human, or fraudulently by a machine or automated means. The service involves sending Google the IP address and, if relevant, other data required by Google for the reCAPTCHA service, and this is done in accordance with Article 6 (1) (f) of the GDPR on the basis of our legitimate interest in establishing personal responsibility on the internet, and the avoidance of misuse and spam. Personal data may also be sent to Google LLC. servers in the US In connection with using Google reCAPTCHA. Where data is sent to the US, the provider has implemented what is known as the European Union standard contract clause in order to guarantee an adequate level of data protection. We also carry out case-by-case risk analysis in order to ensure data protection over and above the standard contract clauses.

You can find more information on Google reCAPTCHA, as well as Google's data protection policy, at: https://www.google.com/intl/de/policies/privacy/

Where this is a legal requirement, we have obtained your consent to process your data as described above in accordance with Article 6 (1) (a) of the GDPR. You may revoke your consent at any time with immediate effect going forward. In order to exercise your right to withdraw consent, please follow the procedure for registering your objection as set out above.

We use the service of LoyaltyLion Ltd., based at 165 Fleet Street London, England (“LoyaltyLion”) on our website.

LoyaltyLion is a tool through which we operate loyalty points and give our customers the opportunity to earn bonuses. For this purpose, the data you provide when registering, and other data required to manage your loyalty points, will be shared with LoyaltyLion in accordance with the GDPR so that LoyaltyLion can operate the service.

Processing the data is voluntary and only with your express consent, in accordance with Art. 6 (1) (a) of the GDPR.

You can revoke your consent with future effect at any time. (opt-out link- to delete account) For more details on how LoyaltyLion processes your personal data, please see the LoyaltyLion Privacy Policy at the following link: https://loyaltylion.com/privacy

14.2 Google customer reviews (previously Google's certified trader programme)

We work in partnership with Google as part of the "Google customer reviews" programme. The service provider is Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”).This programme allows us to obtain customer reviews from our website users. This involves asking you, after you have purchased something from our website, whether you would like to take part in an email survey from Google. If you give your consent, under Article 6 (1) (a) of the GDPR, we will share your email address with Google. You will get an email from Google customer reviews, which will ask you to rate your customer experience

on our website. Your rating will then be combined with others, and displayed under our Google customer reviews logo, and on our Merchant Center dashboard. Your rating will also be used for Google Seller analysis. It is possible that your personal data may be sent to Google LLC. servers in the US In connection with using Google Customer Reviews. Where data is sent to the US, the provider has implemented what is known as the European Union standard contract clause in order to guarantee an adequate level of data protection. We also carry out case-by-case risk analysis in order to ensure data protection over and above the standard contract clauses.

Further information on Google's data protection in connection with the Google customer reviews program can be found under the following link: https://support.google.com/merchants/answer/7188525?hl=de

You can read more information about data protection in relation to Google seller ratings under this link: https://support.google.com/google-ads/answer/2375474

14.3 YouTube

Our website includes links to videos from YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, which are not stored on our servers.

Videos from YouTube are embedded on our website. We have added a nocookie parameter to the embedded link so that the cookies are not set until the user plays the video. A cookie is therefore only set once the video is played.

This means YouTube receives the usage data that is technically necessary in this context. We have no influence on subsequent data processing by the third-party provider.

The embedding of YouTube videos is based on Art. 6 (1) (f) of the GDPR (legitimate interest in making the website look attractive, public relations and communications).

Personal data may be transferred to, stored and processed in a country other than the country where it was collected, including but not limited to the United States. YouTube may

transfer personal data about our website visitors outside the EEA, Switzerland and the United Kingdom, and when it does so, it relies on recognised safeguards under the GDPR, including adequacy decisions and standard contractual clauses under Commission Decision 2021/914/EU.

For more information about the privacy policies in place at YouTube/Google, please click here: https://policies.google.com/privacy.

14.4 Advertising vacancies by email

We use the applicant management service provided by Greenhouse Inc. ("Greenhouse"). Its headquarters are located at 18 West 18th Street, 11th Fl., New York, New York 10011, USA.

Greenhouse is a leading provider of cloud-based software services which help companies manage and optimize their recruitment and HR processes. We use the company's software as an applicant management system.

For this purpose, applicant data will be shared with Greenhouse in accordance with the GDPR so that Greenhouse can provide the service.

Using Greenhouse as our applicant management system, we manage our recruitment process at system level. We process information about the application process exclusively using this system. Within the system, only the interested parties responsible for the particular job posting are granted access rights, so the decision to appoint can be made at the end of the process. For this purpose, we collect your personal data such as salary requirements, notice period, address, work permit for Germany, all documentation relevant to the recruitment process, CV, cover letter and references so that you can be included in our application process. The data submitted will help us find the perfect candidate. Your personal data will be processed to this end.

Personal data about customers located in the EEA, the United Kingdom or Switzerland is currently stored in the EU. Greenhouse transfers personal data to the US based on the European Commission's standard contractual clauses under Commission Decision 2021/914/EU, to ensure it is adequately protected.

We also carry out case-by-case risk analysis in order to ensure data protection over and above the standard contract clause.

Data is processed on a voluntary basis in accordance with Article 6, (1) (b) of the GDPR.

Where special categories of personal data within the meaning of Article 9 (1) of the GDPR (medical records such as information on severely disabled status, for instance) are requested from applicants as part of the application process, this is processed in accordance with Article 9 (2) (b) of the GDPR so that we can respect employment and social protection rights and meet our obligations.

In addition or in the alternative, special data categories can also be processed based on Article 9 (1) (h) of the GDPR, provided they are used for healthcare or occupational medicine purposes, to assess the applicant's ability to work, for medical tests, care or treatment in the healthcare or social sector or for the administration of systems and services in the healthcare or social sector.

Where the applicant is not selected as part of the assessment process described above, or if an applicant withdraws their application beforehand, the data sent by email and any electronic correspondence, including the original application email, will be deleted no later than 6 months following notification. This retention time is based on our legitimate interest in being able to answer any follow-up questions regarding the application and, if necessary, to be able to meet our obligations to provide evidence in accordance with the regulations on the equal treatment of applicants.

If the application is successful, the data provided will be subsequently processed under Article 6 (1) (b) of the GDPR for the purpose of managing the employment relationship.

For more details on how Greenhouse processes your personal data, please see the Greenhouse Privacy Policy at the following link: https://www.greenhouse.io/privacy-policy

14.5 TikTok Pixel

Our website uses the "TikTok Pixel" provided by social network TikTok, which is operated by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. By using the TikTok Pixel, it is possible for TikTok to identify you as one of our online customers and therefore in the target group for serving ads.

When a customer clicks on a web ad placed by us and displayed in TikTok, the TikTok Pixel adds a suffix to the URL of the page we link to, based on the customer's explicit consent. Once the customer's browser is redirected, this URL parameter is registered by means of a cookie set by the page which it links to. This cookie also records specific customer data such as the email address we collect on our webpage linked to the TikTok ad for transactions such as purchases. The cookie is then read by TikTok Pixel and allows the data to be forwarded to TikTok. The information generated by TikTok is transmitted to a TikTok server and stored there. Personal data relating to customers based in the EEA, the UK or Switzerland is currently stored in the US or Singapore. TikTok transfers personal data to the US based on the European Commission's standard contractual clauses under Commission Decision 2021/914/EU, to ensure it is adequately protected.

We also carry out case-by-case risk analysis in order to ensure data protection over and above the standard contract clause. Using the TikTok Pixel with enhanced data matching, TikTok is able to identify exactly who has visited our website, creating a target group to be shown ads (known as "TikTok ads"). We therefore use the TikTok Pixel with enhanced data matching so that we only show our TikTok ads to those TikTok users who have also shown interest in our online presence, or who meet various criteria (such as interest in particular topics or products, determined by websites they have visited) which we have communicated to TikTok (known as "custom audiences").

All data transmitted will be stored and processed by TikTok so that it can be linked to the relevant user profile and TikTok can use the data for its own advertising purposes in accordance with the TikTok Data Usage Policy.

Information and details about TikTok Pixel and how it works can be found in TikTok's help section at https://www.tiktok.com/legal/privacy-policy-eea?lang=de. TikTok's privacy policy: https://www.tiktok.com/legal/new-privacy-policy. TikTok's terms and conditions: https://www.tiktok.com/legal/new-terms-of-service. Processing will only happen where you give your explicit consent in accordance with Art. 6 (1) (a). You can revoke your consent at any time by disabling TikTok Pixel tracking. Disable TikTok Pixel

This opt-out cookie works only in this browser and only for this domain. If you delete cookies in this browser, you will need to click on the above link again: Disable TikTok Pixel

14.7 SYZYGY Performance Marketing GmbH

Some SEO recommendations are provided by the technical service provider Syzygy, to whom we send the data you provide when navigating our website. The data is transmitted in accordance with Art. 6 (1) (f) of the GDPR and serves our legitimate interest in improving the air up online store. If you click on accept in our cookie banner, you are also giving consent under Art. 6 (1) (f) of the GDPR to share the following customer data: Google Analytics Cookie ID

Syzygy has access to Google Analytics and Google Analytics 4 for the purpose of making SEO recommendations and for statistical reporting and analysis on our behalf. If you do not want us to share your cookie ID with third parties, you must disable the Google Analytics and Google Analytics 4 cookies. Disable

14.8 Usercentrics

We use the Usercentrics consent management service provided by Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany (Usercentrics). This allows us to obtain and manage the consent of website users for data processing. This processing is necessary in order to meet a legal obligation (Art. 7 (1) of the GDPR) which we are bound by (Art. 6 (1) (c) of the GDPR). The following data is processed for this purpose:

  • Date and time of access

  • Browser information

  • Device information

  • Geographic location

  • Cookie preferences

  • URL of the page visited

The functionality of the website cannot be guaranteed without this processing. Usercentrics is a recipient of your personal data and acts as a processor on our behalf. Processing happens in the European Union. For more information about opting out and removal options with respect to Usercentrics, please visit: https://usercentrics.com/de/datenschutzerklaerung/.

The data will be deleted after 3 years.

14.9 Google Tag Manager

This website uses the Google Tag Manager provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (hereinafter referred to as “Google”'). With Google Tag Manager it is possible to manage website tags from one interface. The Tag Manager tool itself (which manages the tags) is a cookieless domain and does not collect any personal data. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If disabled at the domain or cookie level, this remains the case for all tracking tags implemented with Google Tag Manager.

14.10 Pinterest tag conversion tracking

This website uses "Pinterest Tag“ conversion tracking technology from Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland ("Pinterest“).

If you have reached our website via a Pin on Pinterest, we will set a cookie on your computer which interacts with a "tag", set in a similar fashion, in the form of a JavaScript code from Pinterest. Cookies are small text files which are stored on your device. These cookies expire after 180 days and cannot be used to identify you personally.

Where the user has been redirected to our website by a Pin on Pinterest, and provided the cookie has not expired, the tag detects certain user activity we have pre-defined, and can track these (such as transactions completed, leads, search requests, product pages accessed). Should you perform this action, your browser will send an HTTP request, via the Pinterest tag from the cookie, to the Pinterest server, with particular information on the activity in question (including type of activity, time, and type of browser used on the device). Given the possibility that personal data may be sent to the US, in order to guarantee an adequate level of data protection, the service provider has implemented what is referred to as the European Union standard contract clause. In addition, we carry out case-by-case risk analysis in order to ensure data protection over and above the standard contract clause.

Sending the data in this way allows Pinterest to compile statistics on user behavior on our website after users have been redirected from a Pinterest Pin, which we use to optimize what we have to offer.

Where personal data is processed in this connection, this is in accordance with Article 6 (1) (a) of the GDPR on the basis of your consent.

However, we do not receive any information which would allow users to be identified personally. If you do not wish to participate in tracking, you can decline this by disabling the Pinterest Tag conversion tracking cookie under user settings in your internet browser. You will not then be included in the conversion tracking statistics. Alternatively, using the deactivation page for users in the EU http://www.youronlinechoices.com/de/praferenzmanagement/, you can check whether Pinterest has set ad cookies in your browser, and disable them. You can find further information on Pinterest's data protection rules from the following website: https://policy.pinterest.com/de/privacy-policy.

14.11 HOTJAR WEB ANALYSIS SERVICE

air up uses HotJar analytics services to improve customer usability and experience. These services can track both mouse clicks and scrolling movements. The service may also track information entered via the user's keyboard on this website. This information is not personalized and therefore remains anonymous. HotJar does not track such information on any pages which do not use the HotJar system. The HotJar service can be disabled at: https://www.hotjar.com/privacy/do-not-track/

14.12 Reviews.io

We use the Reviews.co.uk & REVIEWS.io ("reviews.io") platform, owned by Liquid New Media Limited Trading and located at 29 St Nicholas Place, Leicester, LE1 4LD UK, to manage reviews.

Reviews.io allows us to collect, manage and publish customer reviews on our website.

To this end, your name and rating will be shared with reviews.io in accordance with the GDPR in order for reviews.io to operate its service.

Review.io collects customer feedback via SMS, email or in-store app.

In order for you to be able to join in submitting reviews, we will share and process your email address, your name and your order data as well as your telephone number in encrypted, pseudonymised form to reviews.io to this end.

In either case, data will only be shared in pseudonymised form. Personal data is processed and stored in the region where it is collected.

Data processing is voluntary and only with your express consent, in accordance with Art. 6 (1) (a) of the GDPR.

You may revoke your consent at any time with immediate effect going forward. (Opt-out link, usercentrics banner) For further details on processing your personal data by reviews.io, please see the following link in the reviews.io privacy policy: https://www.reviews.io/front/user-privacy-policy

14.13 Builder.io

Our website content is created using Builder.io, from Builder.io, Inc. registered at 1501 Filbert St #7B San Francisco, CA 94123. Builder.io tracks user behavior and other activity on our website.

If you wish to disable data analysis, you must disable Builder.io under the "Services" section of our Consent Management Tool, which you can access by clicking on "Cookie Settings" in the webpage footer or by clicking here.

Builder.io may itself also use the data collected in accordance with Art. 6 (1) (f) of the GDPR based on its legitimate interest in the demand-oriented design and optimisation of the service and for market research purposes.

Personal data may be transferred, stored and processed in a country other than the country where it was collected, including but not limited to the United States. Builder.io may transfer personal data about our website visitors outside the EEA, Switzerland and the United Kingdom, and when it does so, it relies on recognised safeguards under the GDPR, including adequacy decisions and standard contractual clauses under Commission Decision 2021/914/EU. If you have any questions about Builder.io's information policy, please email steve@builder.io. If you would like to read more, you can find Builder.io's privacy policy here. You can read about GDPR-specific disclosures here.

14.14 Twilio

We use a marketing tool provided by Twilio Germany GmbH, based at: Rosenheimer Str. 143 C, 81671 Munich, Germany ("Twilio").

Twilio is a messaging tool that enables a connection between air up and its customers on all digital channels (SMS, WhatsApp, Facebook Messenger).

For this purpose, Customer Data will be shared with Twilio in accordance with the GDPR in order for Twilio to operate the service.

Twilio processes your personal data as a customer (or potential customer) of Twilio services, such as email address, name, phone number, IP address, device ID (communication metadata) and order data (supply chain management data).

Twilio processes your personal data as a customer who uses or interacts with the application we have developed on the Twilio Platform, as well as the individuals with whom we communicate through that application. This includes information Twilio uses to route messages and metadata about messages, as well as the content of the communication.

For this purpose, we collect your personal data (email address, name, telephone number and order data) in an encrypted, pseudonymised form so that you can interact with our marketing tool and then send messages to us and receive messages from us.

Your email address, name, telephone number and IP address are processed for this purpose. In any case, data will only be shared in pseudonymised form.

Data processing is voluntary and only with your express consent, in accordance with Art. 6 (1) (a) of the GDPR. You can revoke your consent at any time with immediate effect going forward. (https://support.twilio.com/hc/en-us/articles/360034798533-Getting-Started-with-Advanced-Opt-Out-for-Messaging-Services). For more details about how Twilio processes your personal data, please see Twilio's Privacy Policy at the following link: https://www.twilio.com/legal/privacy

14.15 TikTok

We share email addresses in encrypted form as a user ID with TikTok. The aim is to display social media ads on the TikTok platform in a person-specific manner. In addition, the tracking of personal data serves to measure the success of marketing activities.

14.16 Snapchat

When we carry out personalized advertising via Snapchat, we share email addresses in encrypted form as well as information on the associated orders to Snapchat. The encrypted email allows for accurate attribution. The email is encrypted using a one-way algorithm and it is not possible to convert it to its original value.

14.17 Google Analytics

We share email addresses in encrypted form as a user ID with Google Analytics. User ID allows us to associate a persistent ID for a single user with that user's engagement data from one or more sessions initiated from one or more devices. With a user ID, Google Analytics will provide a more consistent, holistic story about a user's relationship with air up.

The email is encrypted with a one-way algorithm and it is not possible to convert it to its original value.

14.18 Kustomer

We use the customer helpdesk software platform of Kustomer LLC, 372 9th Ave, 4th floor, New York, NY 10001 ("Kustomer").

Kustomer provides a SaaS customer relationship management platform that optimizes the communications and interactions between us and our customers.

For this purpose, customer data will be shared with Kustomer in accordance with the GDPR so that Kustomer can operate their service.

We will collect your personal data (e-mail address, name, physical address, social media handle, telephone number and IP address) data about your devices (such as browser type, operating system, device identification number and IP address) and usage of Kustomer’s services (such as pages viewed, date/time stamps, order status and history, support conversations history and searches performed) through log files and other technologies, some of which may qualify as personal data with Kustomer so that you can participate in our customer helpdesk software platform.

Kustomer uses the collected data to operate and provide its services and for related internal purposes, including: (a) enabling users to access and use the services; (b) maintain the security of the services; (c) providing information about the services, responding to inquiries, complaints, and requests for support; (d) to comply with applicable law, enforce the terms and conditions that govern Kustomer’s services, protect Kustomer’s rights, privacy, safety or property, and/or that of you or others, and protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity; and (e) improving its services, including by using aggregated and/or de-identified data.

For this purpose, your email address, name, physical address, social media handle, telephone number and IP address will be processed.

Personal data of customers is currently stored in the USA and the European Union. Kustomer may transfer personal data outside of the country in which users are located, including to the USA or to other jurisdictions that may not be subject to equivalent data protection laws under the European Commission's Standard Contractual Clauses pursuant to Commission Decision 2021/914/EU to ensure that it is adequately protected. In addition, we carry out an individual risk analysis to ensure data protection that goes beyond the standard contractual clauses.

The processing of the data takes place voluntarily and only with your express consent, in accordance with Art. 6 para. 1 sen. 1 lit. a GDPR.

14.19 Meta

We use encrypted email addresses for personalized advertising on Meta platforms (e.g. Facebook, Instagram). The e-mail address is encrypted before it is sent to Meta and replaced by a random ID. It is not passed on to other third parties. We use technical and organizational measures to protect your data against misuse or unauthorized access. You have the right to information, correction, deletion and restriction of the processing of your data as well as data portability and objection. If you have any questions about data protection, please contact us by email.

14.20 Google

We use encrypted email addresses for personalized advertising on Google platforms. This First-party customer data (such as an email address, name, home address or phone number) is captured at check-out via conversion tags. This hashed first-party conversion data is sent from our website to Google in a privacy-safe way. The feature uses a secure one-way hashing algorithm called SHA256 on first-party customer data.

Google is committed to protecting the confidentiality and security of your data and your data will be kept confidential and secure using the same industry-leading standards that we use to protect our own user data.

You may opt out of the automated collection of information by third-party ad networks for the purpose of delivering advertisements tailored to your interests, by editing or opting-out your Google Display Network ads' preferences at http://www.google.com/ads/preferences/.

14.21 Sentry

We use the services provided by Functional Software, Inc’s (45 Fremont Street 8th Floor San Francisco, CA 94105, United States of America) https://www.sentry.io to enable our server maintenance and security team to analyze errors and potential threats in real time. The legal basis for this processing of your data is Art. 6 Sec. 1 lit. f of the GDPR, which allows the processing of data for our legitimate interests, that is technically required to ensure a stable, secure and functioning website. This data is deleted after 90 days. The Functional Software Inc privacy policy for Sentry.IO is available at https://sentry.io/privacy/

14.22 Datadog

This site uses the services of Datadog (Datadog, Inc., 620 8th Avenue, Floor 45, New York, NY 10018, United States of America), monitoring service for cloud-scale applications. It enables monitoring of servers, databases, tools and services via a software as a service-based data analytics platform. 

The legal basis for this is Art. 6 para. 1 s. 1 lit. a GDPR.

14.23 Contentful

This site uses Contentful (Contentful GmbH, Max-Urich-Straße 3, 13355 Berlin, Germany), a software service to manage content, integrate tools and publish across channels.

The legal basis for the processing of data is Art. 6 para. 1 s. 1 lit. f GDPR.

14.24 Unleash

This site uses Unleash (Bricks Software AS, Nedre Slottsgate 13 c/o Evolve, 0157 Oslo, Norway), an open source feature management platform. It is used to allow developers and enterprises to have control over their product features and subsequent roll-out.

The legal basis for this is Art. 6 para. 1 s. 1 lit. a GDPR. The privacy policy can be found at https://www.getunleash.io/privacy-policy

15) Data subject rights

15.1 Current data protection legislation guarantees you wide-ranging rights as a data subject vis-à-vis the data controller with regards to processing your personal data (right of access and right to rectification), as explained below:

  • Right of access under Article 15 of the GDPR: in particular, you have the right to access your personal data processed by us, know the purpose for which it is being processed, the categories of personal data processed, the recipients or categories of recipients to whom your data has been or will be disclosed, the planned retention time or the criteria for setting the retention time, the validity of the right to rectification, erasure or restriction of processing, objection to processing, complaints to competent authorities, the source of your data (if this was not collected from you), the use of automated decision-making, including profiling and significant information on the logic involved, and the scope and intended effects of the data processing in question, as well as your right of rectification, and what guarantees apply in respect of your data being forwarded to third countries, under Article 46 of the GDPR;

  • Right to rectification under Article 16 of the GDPR: you have the right to rectify immediately any personal data which is inaccurate, and/or complete any data we hold which is incomplete;

  • "Right to be forgotten" under Article 17 of the GDPR: you have the right to request that your personal data be deleted, if the conditions set out in Article 17 (1) of the GDPR are met. This right does not apply, however, in particular where data processing is required in order to exercise the right to freedom of expression and the right to information, in order to meet a legal obligation, on the grounds of public interest, or in order to assert, exercise or defend someone's rights:

Right to restrict data processing under Article 18 of the GDPR: you have the right to request that processing your personal data be restricted, as long as the accuracy of the data you are contesting can be verified, if you refuse to allow your data to be deleted on the grounds of unlawful data processing, and, instead, demand that processing be restricted, should you require your data to assert, exercise or defend your rights, after we no longer require the data in question for the purpose for which it was collected, or if you have lodged an objection based on your specific circumstances, unless it has been established that our legitimate grounds outweigh yours;

  • Right of rectification under Article 19 of the GDPR: if you have exercised your right, vis-a-vis the data controller, to rectify, erase or restrict data processing, then they are obliged to notify each recipient to whom the personal data has been disclosed, of its rectification or deletion or restriction being applied to processing, except where this proves impossible or involves disproportionate effort. You have the right to be informed as to who these recipients are.

  • Right to data portability under Article 20 of the GDPR: you have the right to obtain your personal data, which you have provided to us, in a structured, standard and machine-readable format, or to request that this be sent to some other designated person, where this is technically feasible;

  • Right to withdraw consent under Article 7 (3) of the GDPR: you have the right to revoke with immediate effect going forward any consent you have given allowing your data to be processed. In the case of consent being revoked, we will immediately delete the data in question, provided there is no legal basis for subsequently processing the data without your consent. Where consent is revoked, this does not affect the lawfulness of the data having been processed prior to consent being revoked;

  • Right to complain under Article 77 of the GDPR: if you feel that your personal data has been processed in breach of the GDPR, you have the right - regardless of any other administrative or legal proceedings - to lodge a complaint with a competent authority, in particular in the Member State where you live or work or where the breach allegedly occurred.

15.2 RIGHT OF OBJECTION

WHERE WE PROCESS YOUR PERSONAL DATA IN THE CONTEXT OF A BALANCING OF INTERESTS ON THE BASIS OF OUR OVERRIDING LEGITIMATE INTEREST, YOU HAVE THE RIGHT TO OBJECT TO THIS PROCESSING WITH IMMEDIATE EFFECT GOING FORWARD ON GROUNDS ARISING FROM YOUR PARTICULAR SITUATION. IF YOU MAKE USE OF YOUR RIGHT TO OBJECT, WE WILL CEASE

PROCESSING THE DATA CONCERNED. HOWEVER, WE RESERVE THE RIGHT TO SUBSEQUENT PROCESSING IF WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR PROCESSING WHICH OVERRIDE YOUR INTERESTS, FUNDAMENTAL RIGHTS AND FREEDOMS, OR IF PROCESSING IS FOR THE PURPOSE OF ASSERTING, EXERCISING OR DEFENDING LEGAL CLAIMS.

WHERE WE PROCESS YOUR PERSONAL DATA FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT, AT ANY TIME, TO FILE AN OBJECTION TO THE RELEVANT PERSONAL DATA BEING PROCESSED FOR THE PURPOSE OF THIS KIND OF MARKETING. YOU CAN EXERCISE YOUR RIGHT OF OBJECTION IN THE MANNER DESCRIBED ABOVE.

IF YOU EXERCISE YOUR RIGHT OF OBJECTION, WE WILL CEASE PROCESSING THE DATA CONCERNED FOR THE PURPOSES OF DIRECT MARKETING.

16) Retention time for personal data

The retention time for personal data depends on the applicable lawful basis, the purpose for which it is processed, and - if applicable - any additional retention time based on statutory grounds (such as retention times based on commercial and tax legislation).

Where personal data is processed based on express consent under Article 6, (1) (a) of the GDPR, this data is retained until the data subject revokes their consent.

If there are statutory retention times for data processed as part of contractual or similar obligations, under Article 6 (1) (b) of the GDPR, then the data in question is routinely deleted once the retention times have expired, provided that the data is not required for implementing or setting up a contract and that in our view there is no longer a legitimate interest in it being stored any longer.

In the case of data processing based on Article 6 (1) (f) of the GDPR, this data is stored for as long as the data subject does not exercise their right of objection under Article 21(1) of the GDPR, except where we can prove that there are compelling, legitimate grounds which outweigh the interests, rights and freedoms of the data subject, or if processing the data can be used to assert, exercise or defend a person's rights.

When processing personal data for the purpose of direct marketing on the basis of Article 6 (1) (f) of the GDPR, the data in question is saved for as long as the data subject does not exercise their right of objection under Article 21 (2) of the GDPR.

Except where stated otherwise elsewhere in this policy, with regard to instances of data processing, any other personal data which has been stored will be deleted if it is no longer required for the purposes for which it was collected or otherwise processed.

Shopping from United States?

We noticed you’re visiting from United States. Would you like to switch to the store for your region?