PRIVACY POLICY ORDER PAGE EVENT CUPS 

CUPSTORYS GmbH, Breiter Weg 40, 51702 Bergneustadt (hereinafter also referred to as ‘CUPSTORYS’, ‘we’, ‘us’) informs you below about the processing of your personal data in the context of our offers. You can access these offers directly via www.cupstorys.de (‘website’).

1. General notes and mandatory information

1. principles of data processing; legal framework
   CUPSTORYS takes the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.

When you use this website, various personal data is collected. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this is done. 

2. SSL or TLS encryption; e-mails

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as the enquiries you send to us as the site operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from ‘http://’ to ‘https://’ and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

We would like to point out that data transmission via unencrypted e-mail can have security gaps and recommend that you choose a secure transmission method, especially for sensitive content.

1. Responsible body and data protection officer

The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g. names, e-mail addresses, etc.).

The responsible body within the meaning of the Data Protection Act is

Kivanc Semen

DataCo GmbH

Nymphenburger Str. 86,

80636 Munich

089740045840

Our data protection officer can be contacted at:
E-Mail: datenschutzbeauftragter@gizeh.com

4. definition of terms

Our data protection declaration is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR).We would like to explain the key terms below:

1. 1. a) Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as ‘data subject’).An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2. 2. b) Data subject is any identified or identifiable natural person whose personal data is processed by the controller responsible for the processing.
3. 3. c) Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
4. 4. d) Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.
5. 5. e) Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.6. f) Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
6. 6. g) Controller or controller responsible for the processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.7. h) Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of and under the instructions of the controller in accordance with Art. 28 GDPR.8. i) Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular enquiry in accordance with Union or Member State law shall not be regarded as recipients.

7. j) Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
8. k) Consent is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

1. Rights of data subjects pursuant to Art. 15ff and Art. 77 GDPR

1. Right to object to the collection of data in special cases and to direct marketing (Art. 21 GDPR)

If data processing is carried out on the basis of Art. 6 para. 1 lit. e or f GDPR, you have the right to object to the processing of personal data concerning you at any time for reasons arising from your particular situation; this also applies to profiling based on these provisions. The respective legal basis on which processing is based can be found in this privacy policy.

If you lodge an objection, we will no longer process your personal data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

If your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object, your personal data will subsequently no longer be used for the purpose of direct advertising.

Revocation of your consent to data processing

Many data processing operations are only possible with your express consent. We will obtain this from you before commencing the data processing that requires your consent. You can revoke this consent at any time. Insofar as clicking on links or adjusting browser settings does not already result in a revocation option, an informal notification to us by e-mail is sufficient. The legality of the data processing operations carried out until the revocation remains unaffected by the revocation.

Right to lodge a complaint with the competent supervisory authority

Website visitors are advised that they have the right to lodge a complaint with the competent supervisory authority in the event of breaches of data protection law. The competent supervisory authority for data protection issues is the state data protection officer of the federal state in which our company has its headquarters. A list of data protection officers and their contact details can be found at the following link:

https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

The data protection authority responsible for us is

State Commissioner for Data Protection and Freedom of Information North Rhine-WestphaliaPostfach 20 04 44

40102 Düsseldorf

Phone.: 0211/38424-0

E-Mail: poststelle@ldi.nrw.de

1. Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in fulfilment of a contract handed over to you or to another controller in a commonly used, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done to the extent that it is technically feasible.

5. Auskunft, Sperrung, Löschung

Within the framework of the applicable legal provisions, you have the right to free information about your stored personal data, its origin and recipients and the purpose of the data processing and, if necessary, a right to correction, blocking or deletion of this data at any time. You can contact us at any time at the address given in the legal notice if you have further questions on the subject of personal data.

1. Data processing on our website, purposes, legal basis

We collect and process the personal data specified below for the purposes specified therein, on the basis of the legal bases specified therein and for the duration specified therein.

1. Informational use of our website

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are

- Browser type and browser version

- Operating system used

- Referrer URL

- Host name of the accessing computer

- Time of the server enquiry

- IP address

This data will not be merged with other (in particular analogue) data sources unless you have expressly consented to this. However, we reserve the right to check this data retrospectively if we become aware of specific indications of unlawful use. This data is collected on the basis of Art. 6 para. 1 lit. f) GDPR. The website operator has a legitimate interest in the technically error-free and optimised presentation of its website - the server log files must be recorded for this purpose.

In addition to the purely informational use of our website, we offer various services that you can use if you are interested. To do so, you must generally provide additional personal data that we use to provide the respective service and for which the aforementioned data processing principles apply.

1. Registration

In order to place an order on www.cupstorys.de or if you want to place several orders in the future, you can create an account for which you must register once - if you decide in favour of a customer account.

With your account you can

- order quickly and easily using your e-mail address and password

- manage your personal data such as address, e-mail address and password

- view all orders and the order status

- save image data for future orders

The following data is collected as part of the registration process:

- Surname and first name

- e-mail address

- Password

- Name prefix, date of birth, VAT ID, gender] (voluntary information). 

The following data is also stored at the time of registration:

- Your IP address (will be anonymised)

- Date and time of registration.

You can change the personal data in your account at any time. In addition, you can arrange or request the deletion of your account at any time. To do so, simply contact our customer service team using the contact details provided or send an email to contact@cupstorys.com.

1. Order

In order to process the order, we process the following personal data on the basis of a contract.

- Surname and first name

- Your address

- e-mail address

- Payment information (see the following section: III. 4)

- Image data

- VAT ID

- Gender (optional)

- Telephone number

The legal basis for the processing of the data is Art. 6 para. 1 b) GDPR.

Details on the processing of image files:

Image data from logged-in users is automatically stored digitally in the user account for 30 days after uploading for the purpose of creating photo products. In addition, photo products have the option of saving the current processing status as a ‘project’. Projects are automatically deleted 30 days after the last save date. Furthermore, logged-in users have the option of deleting their image data and projects themselves at any time.

Image files of users who are not logged in are only saved for the duration of the respective Internet session. 

After the order has been completed and delivered, the image data will be kept in production for 8 weeks in order to process any complaints or repeat orders and then irrevocably deleted.  

1. Payment process

We offer you a choice of the following payment options for your purchase in our online shop: SEPA direct debit, VISA or Master Card credit card, PayPal, bank transfer (prepayment), Giropay or Sofortüberweisung.

To process the transaction, including billing, we process your payment data such as bank and credit card details for the purpose of payment processing and billing in accordance with the selected payment method. To process the transaction, your data required to process the transaction will be passed on to payment service providers to the extent necessary and - if necessary - to collection service providers.

The legal basis for the processing of your personal data in connection with the order and billing is Art. 6 para. 1 b) GDPR. Please also refer to the next section (on the group of recipients and third country transfer) and the data protection declarations of the respective payment service providers.

1. Group of recipients; transfer to third countries
   
   Within our company, the departments that are responsible for processing your request have access to your data. We also use external service providers, in particular processors, if we cannot or cannot reasonably perform services ourselves. These external service providers are primarily providers of IT services and telecommunication services. We also use providers of payment services, e.g. PayPal. If you select these service providers as payment processors, we transfer the data required for payment processing to these service providers. Further information can be found in the privacy policies of the service providers and - with regard to the payment process - in the section above (III. 4.).

A transfer to third countries only takes place in exceptional cases and within the framework of Art. 44ff GDPR; in particular, if this should be required by law or if you have given us your consent to do so (Art. 49 GDPR). 

1. Contact us
   
   When you contact us by e-mail or via our general contact form on the website, the data you provide will be stored by us exclusively in order to answer your enquiry. It is necessary to provide certain truthful data in order to process your enquiry; further information is voluntary. The mandatory information that we require in order to answer your enquiry is marked as such in the form; the other information is provided voluntarily. The processing of the above data is based on your consent, which you have expressed by contacting us, in accordance with Art. 6 para. 1 lit. a) GDPR and, insofar as special categories of personal data (e.g. health data or other ‘sensitive’ data) are concerned, in accordance with Art. 9 para. 2 lit. a) GDPR. The personal data collected will be deleted immediately after your enquiry has been dealt with, unless they are required for the initiation or execution of a contract with you. We would like to point out that communication with us by e-mail is unencrypted and we cannot guarantee complete data security in this case.

Internet-specific processing; cookies

Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. When a user accesses a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.

Some elements of our website require that the accessing browser can be identified even after a page change, so that technically necessary cookies are set. By technically necessary cookies, we mean cookies without which the technical provision of the online offer (including the shopping basket function) cannot be guaranteed.

We also use cookies to make our website more user-friendly and needs-orientated and in certain cases use so-called marketing and analysis cookies. We only use these cookies and tracking mechanisms if you have given us your prior consent in each case.

When accessing our website, users are informed separately by a banner about the use of non-essential cookies, in particular cookies for analysis purposes, and asked for their consent with reference to this privacy policy.

The legal basis for the processing of personal data using technically necessary cookies is Art. 6 para. 1 lit. f) GDPR.

The legal basis for the processing of personal data using cookies for analysis and marketing purposes etc. (technically unnecessary cookies) is Art. 6 para. 1 lit. a) GDPR if the user has given consent to this. In addition, Art. 6 para. 1 lit. f) GDPR is an additional legal basis.

Cookies are stored on the user's computer and transmitted by it to our website. Some of the cookies we use are deleted again at the end of the browser session, i.e. after you close your browser (so-called session cookies). Other cookies remain on your end device and enable us or our partner companies (third-party cookies) to recognise your browser on your next visit (persistent cookies). Persistent cookies are automatically deleted after a specified period, which may vary depending on the cookie.

The duration of the respective cookie storage can be found in the overview of the cookie settings of your web browser or in the following overview.

You can deactivate or restrict the transmission of cookies by changing the settings in your web browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent. For details regarding analysis cookies, please also refer to the other separate sections of this privacy policy.