Data Protection Policy
Welcome to www.vitalabo.co.uk! Get an idea of how your personal data is processed when visiting our platform, utilising our online shop or conducting any other business with us. (Art 13, Art 14 GDPR; § 96 Paragraph 3 Austrian Telecommunications Act (TKG)).
Which Information is Processed When You Visit Our Platform?
The following data may be processed when you visit our platform:
- Browser type
- Operating system
- Date, time and duration of the visit when accessing the platform
- Partially masked IP address and pages visited on our website including the entry and exit pages
- Payment data entered for the purpose of using the online shop
- Contact details entered for the purpose of using the online shop
- Data that you enter via a contact form
- Email address
- Newsletter dispatch
- Telephone number
- Date of birth (for products containing alcohol)
- Purchased products
Processing the previously mentioned data is justified by the interest of operating our platform (Art. 6 Paragraph 1 Point f GDPR)
We may be required to disclose your data to the following parties in order to operate our platform and online shops:
|Recipient of the data||Purpose of data processing||Legal basis for data processing||Registered office||Basis for transmission to a third country||User affected|
|Hetzner Online GmbH||Website hosting||Predominantly legitimate interests (Art. 6 Para 1 Point f GDPR)||Germany||Within the EEA||Website User|
|AWS EMEA SARL||Newsletter dispatch||Consent according to Art. 6 Paragraph 1 Point a GDPR||
|Within the EEA||Customers|
|Adyen N.V.||Processing of online transactions||Predominantly legitimate interests (Art. 6 Para 1 Point f GDPR)||Netherlands||Within the EEA||Customers|
|Klarna Bank AB (publ)||Processing of online transactions||Predominantly legitimate interests (Art. 6 Para 1 Point f GDPR)||
|Within the EEA||Customers|
|SIX Payment Services Ltd||Processing of online transactions||Predominantly legitimate interests (Art. 6 Para 1 Point f GDPR)||Switzerland||Outside the EEA (adequacy decision according to Art 45 GDPR)||Customers from Switzerland (country of delivery)|
|Amazon Payments Europe s.c.a.||Processing of online transactions||Predominantly legitimate interests (Art. 6 Paragraph 1 Point f GDPR)
Contractual obligation (Art. 6 Para 1 Point b GDPR)
Within the EEA
|Freshworks Inc||Processing of customer enquiries||Processor (Art. 28 GDPR)||USA||Standard data protection clause according to Art 46 GDPR||Website User & Customers|
|Bamboo HR LLC||Compliant applicant management||Processor (Art. 28 GDPR)||USA||Standard data protection clause according to Art 46 GDPR||Applicants for Niceshops GmbH|
Overview of the "Technical" Cookies We Use
These technical cookies are activated as soon as you visit our platform.
The following cookies are used on our platform on the basis of our predominantly legitimate interest (Art. 6 Paragraph 1 Point f GDPR):
|Name||Purpose of processing||Duration of storage||Country of residence of the recipient|
|shopcart||Stores the selected products on the website in order to shop at a later date.||Session||Austria|
|S||A server classification is made to prepare the website.||Session||Austria|
|NICEID||The user is anonymously identified on the server which helps with fraud detection, among other things.||
|consent_cookie||Stores all cookies and cookie opt-ins that have been accepted||10 years||Austria|
About Advertising Cookies
In addition to using "technical cookies" as described above, we also utilise so-called advertising cookies ("statistical cookies"). These advertising cookies make it possible to better understand and evaluate your interests. With the help of advertising cookies, we can combine your browsing behaviour beyond the boundaries of our website with data sourced from other websites. This allows us to better understand the user's interests and address them on a more personalised level.
These advertising cookies are only activated once consent has been given.
|Name||Purpose of processing||Duration of storage||Registered office||Purpose of disclosure|
|uid||Marketing purposes||1 year||France||The information collected is used to personalise advertising placements.|
|uid||Marketing purposes||1 year||The information collected is used to personalize advertising placements.|
|mdrds_vid||Marketing purposes||1 year||Germany||The information collected is used to personalize advertising placements.|
|mdrds_nin_668||Marketing purposes||Session||Germany||The information collected is used to personalize advertisements.|
|fr||Marketing purposes||90 days||USA||The information collected is used to personalize advertisements.|
|fatm_vid||Marketing purposes||1 year||USA||The information collected is used to personalize advertisements.|
|fatm_nin_660||Marketing purposes||1 day||USA||The information collected is used to personalize advertising placements.|
|cvt||Marketing purposes||14 days||Austria||Use of remarketing campaigns|
|_uetvid||Marketing purposes||16 days||Austria||Use of remarketing campaigns|
|_uetsid||Marketing purposes||1 day||Austria||Use of remarketing campaigns|
|_hjid||Experience improvements||1 year||Malta||Improvement of the user experience through more precise data on browsing behaviour|
|_hjTLDTest||Experience improvements||Session||Malta||Improvement of the user experience through more precise data on browsing behaviour|
|_hjAbsoluteSessionInProgress||Experience improvements||Session||Malta||Improvement of the user experience through more precise data on browsing behaviour|
|_gid||Statistical purposes||1 day||Austria||Statistical traceability of browsing behaviour|
|_gcl_au||Statistical purposes||90 days||Austria||Statistical traceability of browsing behaviour|
|_ga||Statistical purposes||2 years||Austria||Statistical traceability of surfing behaviour|
|_fbp||Marketing purposes||90 days||Austria||Use of remarketing campaigns|
|__Secure-3PSIDCC||Detection of logged-in users||1 year||USA||Detection of logged-in Google accounts|
|__Secure-3PSID||Detection of logged-in users||2 years||Ireland||Detection of logged-in Google accounts|
|__Secure-3PSID||Detection of logged-in users||2 years||USA||Detection of logged-in Google accounts|
|__Secure-3PAPISID||Detection of logged-in users||2 years||USA||Detection of logged-in Google accounts|
|__Secure-3PAPISID||Detection of logged-in users||2 years||Ireland||Detection of logged-in Google accounts|
|SSID||Marketing purposes||2 years||USA||Use of remarketing campaigns|
|SIDCC||Marketing purposes||1 year||USA||Use of remarketing campaigns|
|SID||Marketing purposes||2 years||USA|
|SEARCH_SAMESITE||Marketing purposes||6 months||USA|
|SAPISID||Marketing purposes||2 years||USA||Use of remarketing campaigns|
|NID||Marketing purposes||1 year||Ireland||Use of remarketing campaigns|
|NID||Marketing purposes||6 months||USA||Use of remarketing campaigns|
|MUID||Marketing purposes||1 year||USA||Use of remarketing campaigns|
|HSID||Marketing purposes||2 years||USA||Use of remarketing campaigns|
|APISID||Marketing purposes||2 years||USA|
|AID||Marketing purposes||1.5 years||USA|
|_fw_crm_v||Contact option||1 year||Ireland||Onsite chat option|
When Do We Process Your Data for Business Transactions?
While conducting business with you, we process contractual data (executing our contractual relationship with you, pre-contractual obligations, billing of services, dispatch of documents, communication for the execution of the contract) and legal obligations (legally required storage within the scope of Section 132 BAO, Federal Fiscal Code) (Art. 6 Paragraph 1 Point b and c GDPR), as well as data used for our legitimate interests or for the legitimate interests of third parties (Art. 6 Paragraph 1 Point f GDPR), such as:
- Data used for the internal administration and management of your business transaction (e.g. processing your business transaction, forwarding your business transaction to various departments, filing, archiving purposes, correspondence)
- Data used for the purpose of direct advertising (e.g. postage, emailing, customer satisfaction surveys, congratulatory letters, statistical evaluations); You can object to the processing of your data for direct marketing purposes.
- Data used for law enforcement and in defence of legal claims
Your data is used only to the extent required. Processing your data serves to initiate, maintain and process your business transaction. If you do not provide us with the data we require, we will not be able to process your business transaction.
How Long Will Your Data Be Stored?
We will only store your data for as long as is necessary to fulfil the purposes for which we collected your data. Statutory retention requirements must be taken into account during this time period (for example, for tax purposes, contracts and other documents regarding our contractual relationship are generally kept for a period of seven years (Federal Fiscal Code, § 132 BAO)). In justified individual cases, for example, to assert and defend legal claims, we can store your data for up to 30 years after our business relationship has ended.
We store data from interested parties for up to three years from the time the interested party has last contacted us.
Who May Obtain Your Data?
Over the course of our business relationship, it may be necessary for us to transfer your data to the following recipients:
|Recipient of the data||Purpose of data processing||Legal basis for data processing||Registered office||Basis for transmission to a third-party country|
|Logistics service provider||Shipment of orders||Legal obligation (Art. 6 Para 1 Point c GDPR)||Generally EEA - but also third-party countries in exceptional cases||If outside the EEA - Art. 49 Paragraph 1 Point b and e GDPR|
Collection of Data From Other Sources (Art. 14 GDPR)
Over the course of a business relationship, it is necessary to make enquiries regarding the business partner. This is done only to the extent necessary. In this context, data can be accessed and processed from the following sources:
|Source||Publicly available?||Data affected||Purpose / Reason|
|Company website||Yes||Contact / structural data||Contacting us for business purposes|
Do We Use Automated Decision-Making or Profiling (Art. 13 (2) Point f GDPR)?
No automated decision-making takes place on our website. Over the ordering process, however, it is possible that the respective payment service provider uses profiling to detect fraud.
What rights do you have with regard to data processing?
Provided that the legal requirements are met, you have the right to:
- request information about what type of data we process (see Art. 15 GDPR).
- request amendments to or completion of incorrect or incomplete data (see Art. 16 GDPR).
- have your data deleted (see Art. 17 GDPR).
- object to the processing of your data that is necessary to safeguard your legitimate interests or that of a third party. This applies, in particular, to the processing of your data for advertising purposes.
- receive a copy of the data you provided in a structured, prevalent and machine-readable format.
If we process your data on the basis of your consent, you have the right to revoke this consent at any time via email. This does not affect the legality of the data processing that has taken place up to this point in time (Art. 7 (3) GDPR).
What are Your Rights of Appeal?
If, contrary to expectations, your right to the lawful processing of your data is violated, please contact us via post or email. We will do our best to handle your request immediately. However, you also have the right to lodge a complaint with the supervisory authority responsible for data protection.
How Can You Contact Us?
If you have any further questions about how your data is processed, please feel free to contact our data protection coordinator using the contact details below.
The person responsible in respect to Art. 4 Z 7 GDPR is:
(+43) 720 710740 9000
Chief executive officers: Roland Fink, Mag. Christoph Schreiner, Barbara Unterkofler
Graz Regional Court for Civil Matters
District Commission Southeast Styria
Member of the trade division, the Styrian Chamber of Commerce.
Author: Attorney-at-law, Dr. Tobias Tretzmüller, LL.M (IT-LAW); https://www.digital-recht.at/
Copyright information: Use of this data protection declaration, or even parts thereof, without the consent of the author constitutes a copyright infringement.