Privacy Policy

1.1 We are delighted that you are visiting our website and thank you for your interest. Below, we inform you about the handling of your personal data when using our website. Personal data is all data with which you can be personally identified.

1.2 The controller for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is EctoCare GmbH, Email: support@permacalm.com. The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.

**2) Data Collection When Visiting Our Website**

2.1 When you use our website for informational purposes only, i.e., if you do not register or otherwise transmit information to us, we only collect the data that your browser transmits to the page server (so-called "server log files"). When you access our website, we collect the following data, which is technically necessary for us to display the website to you:
*   The page of our website that was visited
*   Date and time of access
*   Amount of data sent in bytes
*   Source/reference from which you reached the page
*   Browser used
*   Operating system used
*   IP address used (if applicable: in anonymized form)

The processing is carried out in accordance with Art. 6 (1) lit. f GDPR on the basis of our legitimate interest in improving the stability and functionality of our website. The data is not passed on or used in any other way. However, we reserve the right to check the server log files subsequently if there are concrete indications of illegal use.

2.2 For security reasons and to protect the transmission of personal data and other confidential content (e.g., orders or inquiries to the controller), this site uses SSL or TLS encryption. You can recognize an encrypted connection by the string "https://" and the lock symbol in your browser's address bar.

**3) Hosting & Content-Delivery-Network**

3.1 **Amazon Web Services**
We use the system of the following provider for hosting our website and displaying page content: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109, USA.
All data collected on our website is processed on the provider's servers. We have concluded an order processing agreement with the provider, which ensures the protection of our site visitors' data and prohibits unauthorized disclosure to third parties.
For data transfers to the USA, the provider has committed to comply with the EU-US Data Privacy Framework (EU-US DPF), which ensures compliance with the European level of data protection based on an adequacy decision by the European Commission.

3.2 **Shopify**
We use the system of the following provider for hosting our website and displaying page content: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland ("Shopify").
Data is also transferred to: Shopify Inc., 150 Elgin St, Ottawa, ON K2P 1L4, Canada.
All data collected on our website is processed on the provider's servers. We have concluded an order processing agreement with the provider, which ensures the protection of our site visitors' data and prohibits unauthorized disclosure to third parties.
For data transfers to Canada, an adequate level of data protection is guaranteed by an adequacy decision of the European Commission.

*(Sections 3.3 AWS CloudFront, 3.4 Cloudflare, and 3.5 imgix would follow the same structure as 3.1, detailing the provider, purpose, legal basis, and data transfer safeguards.)*

**4) Cookies**
To make visiting our website attractive and to enable the use of certain functions, we use cookies, which are small text files that are stored on your device. Some of these cookies are automatically deleted after you close your browser (so-called "session cookies"), while others remain on your device for a longer period and allow page settings to be saved (so-called "persistent cookies").

If personal data is processed by individual cookies we use, the processing is carried out in accordance with Art. 6 (1) lit. b GDPR either for the performance of the contract, in accordance with Art. 6 (1) lit. a GDPR in the case of given consent, or in accordance with Art. 6 (1) lit. f GDPR to safeguard our legitimate interests in the best possible functionality of the website and a customer-friendly and effective design of the site visit.

You can set your browser so that you are informed about the setting of cookies and decide individually about their acceptance or exclude the acceptance of cookies for certain cases or in general. Please note that if you do not accept cookies, the functionality of our website may be limited.

**5) Contacting Us**

5.1 **Judge.me**
For review reminders, we use the services of the following provider: Judge.me Ltd., c/o Buckworths, 2nd Floor, 1-3 Worship Street, London, England, EC2A 2AB, United Kingdom.
Solely on the basis of your explicit consent pursuant to Art. 6 (1) lit. a GDPR, we transmit your email address and, if applicable, other customer data to the provider so that they can contact you with a review reminder by email.
You can revoke your consent at any time with effect for the future by notifying us or the provider.
We have concluded an order processing agreement with the provider, which ensures the protection of our site visitors' data and prohibits unauthorized disclosure to third parties.
For data transfers to the provider's location, an adequate level of data protection is guaranteed by an adequacy decision of the European Commission.

5.2 **WhatsApp Business**
You have the possibility to contact us via the WhatsApp messaging service of WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. We use the so-called "Business Version" of WhatsApp for this purpose.
If you contact us via WhatsApp in the context of a specific transaction (e.g., an order placed), we store and use the mobile phone number you use on WhatsApp and - if provided - your first and last name pursuant to Art. 6 (1) lit. b GDPR to process and respond to your request.
We have concluded an order processing agreement with the provider, which ensures the protection of our site visitors' data.
For data transfers to the USA, the provider has committed to comply with the EU-US Data Privacy Framework (EU-US DPF).

5.3 **Other Contact Methods**
When you contact us (e.g., via contact form or email), personal data is processed - solely for the purpose of processing and responding to your request and only to the extent necessary for this purpose.
The legal basis for this processing is our legitimate interest in responding to your request pursuant to Art. 6 (1) lit. f GDPR. If your contact is aimed at concluding a contract, the additional legal basis for the processing is Art. 6 (1) lit. b GDPR. Your data will be deleted when it is evident from the circumstances that the matter in question has been finally clarified and provided that there are no statutory retention obligations to the contrary.

**6) Data Processing When Opening a Customer Account**
Pursuant to Art. 6 (1) lit. b GDPR, personal data will continue to be collected and processed to the extent necessary in each case if you provide it to us when opening a customer account. You can delete your customer account at any time by sending a message to the above address of the controller.

**7) Use of Customer Data for Direct Advertising**

7.1 **Email Newsletter Registration**
When you register for our email newsletter, we regularly send you information about our offers. The only mandatory information for sending the newsletter is your email address. We use the double opt-in procedure for sending the newsletter, which ensures that you only receive newsletters if you have explicitly confirmed your consent to receive the newsletter by clicking on a verification link sent to the email address provided.
With the activation of the confirmation link, you give us your consent for the use of your personal data pursuant to Art. 6 (1) lit. a GDPR. You can unsubscribe from the newsletter at any time via the link provided in the newsletter or by message to the controller mentioned above.

7.2 **Klaviyo**
The dispatch of our email newsletters is carried out via this provider: Klaviyo, Inc., 125 Summer St., Ste 600, Boston, MA 02110, USA.
Based on our legitimate interest in effective and user-friendly newsletter marketing, we pass on the data you provided when registering for the newsletter to this provider in accordance with Art. 6 (1) lit. f GDPR so that they can carry out the newsletter dispatch on our behalf.
Subject to your explicit consent pursuant to Art. 6 (1) lit. a GDPR, the provider also carries out a statistical evaluation of the success of newsletter campaigns via web beacons or tracking pixels in the emails sent.
We have concluded an order processing agreement with the provider. For data transfers to the USA, the provider complies with the EU-US Data Privacy Framework (EU-US DPF).

7.3 **Advertising by Postal Mail**
Based on our legitimate interest in personalized direct mail advertising, we reserve the right to store your first and last name, your postal address, and - insofar as we have received this additional information from you within the framework of the contractual relationship - your title, academic degree, year of birth, and your professional, industry, or business designation in accordance with Art. 6 (1) lit. f GDPR and to use it for sending interesting offers and information about our products by post. You can object to the storage and use of your data for this purpose at any time.

**8) Data Processing for Order Processing**

8.1 For order processing, we work with service providers who support us in whole or in part in the execution of concluded contracts (e.g., shipping service providers, payment service providers). Certain personal data is transmitted to these service providers in accordance with the following information.

8.2 **Shipping Service Providers**
- **DHL**
As a transport service provider, we use the following provider: DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany.
We will pass on your email address and/or telephone number to the provider prior to delivery of the goods for the purpose of coordinating a delivery date or for delivery notification, provided you have given your express consent for this during the ordering process. Otherwise, we will only pass on the name of the recipient and the delivery address to the provider for the purpose of delivery pursuant to Art. 6 (1) lit. b GDPR. The disclosure is made only to the extent necessary for the delivery of goods.

8.3 **Use of Payment Service Providers**
- **Apple Pay, Google Pay, Klarna, PayPal, Shopify Payments**
When you select a payment method from the respective provider, your payment data (e.g., name, address, bank and payment card information, currency, and transaction number) as well as information about the content of your order are passed on to the respective payment service provider in accordance with Art. 6 (1) lit. b GDPR for payment processing. The transfer of your data takes place exclusively for the purpose of payment processing and only to the extent necessary for this purpose.

**9) Online Marketing**
**Google AdSense**
This website uses Google AdSense, a web advertising service of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). Google AdSense uses cookies and/or web beacons. The information generated about your use of this website is usually transmitted to a Google server and stored there.
This processing is only carried out if you have given us your express consent to do so in accordance with Art. 6 (1) lit. a GDPR. You can revoke your consent at any time with effect for the future by deactivating this service in the "Cookie-Consent-Tool" provided on the website.
For data transfers to the USA, the provider complies with the EU-US Data Privacy Framework (EU-US DPF).

**10) Web Analytics Services**

10.1 **Google Analytics 4**
This website uses Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). Google Analytics uses cookies.
The information generated by the cookie about your use of the website (including your IP address, which is shortened by the last digits) is typically transmitted to and stored by Google on servers in the USA.
This processing is only carried out if you have given us your express consent in accordance with Art. 6 (1) lit. a GDPR. You can revoke your consent at any time with effect for the future. To exercise your revocation, please deactivate this service via the "Cookie-Consent-Tool" provided on the website.
We have concluded an order processing agreement with Google. For data transfers to the USA, Google complies with the EU-US Data Privacy Framework (EU-US DPF).

10.2 **Google Tag Manager**
We use the Google Tag Manager from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The Tag Manager itself does not process any personal data. It manages other tools that do collect data, based on your consent settings.

10.3 **Hotjar**
This website uses the web analytics service of Hotjar Ltd, Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta. Hotjar allows us to analyze user behavior (e.g., clicks, mouse-overs, scrolling) on our website via cookies and/or similar technologies. This processing is based on your consent pursuant to Art. 6 (1) lit. a GDPR.

10.4 **PostHog**
This website uses the web analytics service of PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA. This service enables statistical analysis of the use of new features and content. Processing is based on your consent pursuant to Art. 6 (1) lit. a GDPR. For data transfers to the USA, PostHog complies with the EU-US Data Privacy Framework (EU-US DPF).

10.5 **Shopify Analytics**
This website uses the web analytics service of Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland. Data may also be transferred to Shopify Inc. in Canada. Processing is based on your consent pursuant to Art. 6 (1) lit. a GDPR. An adequacy decision exists for Canada.

**11) Retargeting/Remarketing and Conversion Tracking**

11.1 **Meta Pixel**
Within our online offering, we use the "Meta Pixel" from Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Meta"). This allows us to track the actions of users after they have seen or clicked on a Facebook/Instagram ad. This technology is used for conversion tracking and to create custom audiences. Processing is based on your consent pursuant to Art. 6 (1) lit. a GDPR. Data may be transferred to the USA, where Meta complies with the EU-US Data Privacy Framework (EU-US DPF).

11.2 **Google Ads Remarketing**
We use the remarketing technology of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. This allows us to display targeted, interest-based advertising to visitors of our website. Processing is based on your consent pursuant to Art. 6 (1) lit. a GDPR.

*(Sections 11.3 Outbrain, 11.4 Taboola, 11.5 Microsoft Advertising, 11.6 Outbrain Pixel, 11.7 Taboola Pixel would follow a similar structure, explaining the provider, purpose, legal basis (consent), and data transfer mechanisms.)*

**12) Page Functionalities**

12.1 **Instagram Feed via Mintt Studio**
We use services from Mintt Studio, Portugal, to display preview images of our Instagram profile. This may involve setting cookies and connecting to Instagram/Meta's servers. This processing is based on your consent pursuant to Art. 6 (1) lit. a GDPR.

12.2 **Google Web Fonts**
This site uses so-called web fonts from Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, for the uniform display of fonts. When you call up a page, your browser loads the required web fonts into its cache to display texts and fonts correctly. A connection to Google's servers is established. This processing is based on your consent pursuant to Art. 6 (1) lit. a GDPR.

12.3 **Shopsync for Shopify**
This website uses the Shopify app "Shopsync" from ShopSync LLC, USA, to synchronize data between our Shopify store and the email marketing service Mailchimp. Data is transferred based on your consent (Art. 6 (1) lit. a GDPR) or, in the case of synchronization of opt-outs, on the basis of our legitimate interests (Art. 6 (1) lit. f GDPR).

**13) Tools and Miscellaneous**
**Cookie-Consent-Tool**
This website uses a "Cookie-Consent-Tool" to obtain effective user consent for cookies and cookie-based applications. The tool sets a technically necessary cookie to store your cookie preferences. Personal data may be processed (e.g., IP address) based on our legitimate interest in a legally compliant, user-specific, and user-friendly consent management (Art. 6 (1) lit. f GDPR) and to fulfill our legal obligation (Art. 6 (1) lit. c GDPR) to make the use of technically unnecessary cookies dependent on user consent.

**14) Rights of the Data Subject**

14.1 The applicable data protection law grants you the following data subject rights (rights of information and intervention) vis-à-vis the controller with regard to the processing of your personal data:
*   Right of access pursuant to Art. 15 GDPR;
*   Right to rectification pursuant to Art. 16 GDPR;
*   Right to erasure pursuant to Art. 17 GDPR;
*   Right to restriction of processing pursuant to Art. 18 GDPR;
*   Right to notification pursuant to Art. 19 GDPR;
*   Right to data portability pursuant to Art. 20 GDPR;
*   Right to withdraw consent granted pursuant to Art. 7 (3) GDPR;
*   Right to lodge a complaint pursuant to Art. 77 GDPR.

14.2 **RIGHT TO OBJECT**
IF WE PROCESS YOUR PERSONAL DATA WITHIN THE FRAMEWORK OF A BALANCING OF INTERESTS ON THE BASIS OF OUR OVERRIDING LEGITIMATE INTEREST, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO THIS PROCESSING WITH EFFECT FOR THE FUTURE ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION.
IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE DATA CONCERNED. HOWEVER, WE RESERVE THE RIGHT TO FURTHER PROCESSING IF WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, FUNDAMENTAL RIGHTS, AND FREEDOMS, OR IF THE PROCESSING SERVES THE ASSERTION, EXERCISE, OR DEFENSE OF LEGAL CLAIMS.
IF YOUR PERSONAL DATA IS PROCESSED BY US FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA FOR THE PURPOSE OF SUCH MARKETING.
IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE DATA CONCERNED FOR DIRECT MARKETING PURPOSES.

**15) Duration of the Storage of Personal Data**
The duration of the storage of personal data is determined by the respective legal basis, the purpose of processing, and - if applicable - additionally by the respective statutory retention period (e.g., commercial and tax retention periods).
When processing personal data on the basis of explicit consent pursuant to Art. 6 (1) lit. a GDPR, the data concerned will be stored until you revoke your consent.
If there are statutory retention periods for data that is processed within the framework of legal or similar obligations on the basis of Art. 6 (1) lit. b GDPR, this data will be routinely deleted after the retention periods have expired, provided that it is no longer required for the fulfillment or initiation of the contract and/or we no longer have a legitimate interest in further storage.
When processing personal data on the basis of Art. 6 (1) lit. f GDPR, this data will be stored until you exercise your right of objection pursuant to Art. 21 (1) GDPR, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the assertion, exercise, or defense of legal claims.
When processing personal data for the purpose of direct marketing on the basis of Art. 6 (1) lit. f GDPR, this data will be stored until you exercise your right to object pursuant to Art. 21 (2) GDPR.
Unless otherwise stated in the other information in this declaration about specific processing situations, stored personal data will otherwise be deleted when it is no longer necessary for the purposes for which it was collected or otherwise processed.