Data Protection Policy
This Data Protection Policy informs about which personal data is collected in the using of the website www.xouxouberlin.com (hereinafter: “Website”), the purposes, the methods the referring data will be used, and the rights which users are entitled.
§1 Responsible Party
The responsible party within the meaning of the General Data Protection Regulation
(hereinafter: “GDPR”) for the processing of personal data concerning the use of the website:
XOUXOU Berlin - Inh. Richard Kirschstein
(hereinafter: “xouxouberlin”, “us”, “we”)
§2 Processing of data by navigating the website
When you navigate the website, the personal data is collected and transmitted by your browser on the server of the website and stored in temporarily Log Files. In this meaning, stored data means especially the following data:
- IP Address of the inquiring computer
- Name and URL of the accessed data
- Date and hour of the access
- Status of the access/HTTP Code Status
- Respectively transferred data volume
- Identification data from the used browser
The processing of this referring data is technically essential to ensure the stability and security as well as connection reports of the website. The storage in the Log Files occurs to guarantee the functionality of the website. Besides, this data is also used to optimize the website and to guarantee the security of our systems.
The processing of the data is the object of Article 6 (1) (f) GDPR (named as legitimate interests) insofar the processing of respective data is within the framework of the navigation of the website. The legitimate interests arise from the purposes aforementioned.
Concerning cookies the following data are stored and transferred:
- Language settings
- Items in the shopping cart
- Log in/User information
- Frequency of product view
- Order procedure
- Use of the website functions
You can configure the browser settings accordingly to your wishes, for instance, the acceptance of third-party cookies or the rejection of all cookies. We inform you that if you have rejected the use of all cookies, you may not be able to use the full functionality of this website.
§4 Marketing on our website
When you visit our website we analyze and we keep records of your user behavior to make our website more interesting and to target our advertising individually. In addition, we process your personal data for advertising purposes in the form of remarketing.
4.1. Google AdWords
We use on our website the online advertising system called Google-Ads which is provided by Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
In the context of Google Ads, we use the conversion tracking service (visit evaluation). If you click on an advertisement placed by Google, a conversion tracking cookie is set. After 30 (thirty) days this mentioned cookie is not valid which means that the users cannot be individually identified. When you visit specific pages of our website and the cookies have not yet expired, Google and we can identify that you clicked on an advertising and that you have been transferred to this website.
Each Google-Ad customer receives a different cookie. Thus, the cookies cannot be tracked through the websites of AdWords customers. The conversion cookie collects information which is used in the production of conversion statistics and for ads customers who have opted-in for conversion tracking. Customers are informed about the total number of users who clicked on the ad and were forwarded to a conversion tracking tag page. However, you will not receive any information enabling you to identify users personally.
The use of Google Ads is legally based on Article 6 (1) (f) GDPR (legitimate interests). We have the legitimate interests concerning targeted advertising and the analysis pursuant to the effects and efficiencies of this targeted advertising. You are also entitled by law to refute at any time the processing of your personal data based on the Article 6 (1) (f) GDPR.
You can set your browser up to be informed when cookies are set and only allow cookies in certain cases, such as to accept cookies for specific cases or total exclusion, including to activate automatic deletion of cookies when the browser is closed. You will find instructions on how to do this under this link.
If cookies are deactivated, the functionality of this website may be restricted.
For the exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield.
We use the tool analysis named as “Facebook-Pixel” provided by the social media Facebook. Facebook-Pixel is a part of Facebook Inc., and it is located at 1 Hacker Way, Menlo Park, CA 94025, USA, in case you are located in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland („Facebook“).
Facebook-Pixel helps us concerning the measurement of our advertising efficiency and the analysis of actions taken by users on our website. Through Facebook-Pixel we are able to identify you as a visitor of our website as a target group for the presentation of ads (so-called "Facebook ads").
We use Facebook-Pixel to target the Facebook-Ads only to display to Facebook users who have shown interest in our website or who shown certain features (for instance interest in certain topics or products) that we transfer to Facebook (named as “custom audience”). We want to ensure you that the Facebook-Ads are in accordance with the potential interest of the user. In addition, we can track the effectiveness of Facebook ads for statistical and market research purposes by seeing if users were redirected to our website after clicking on a Facebook ad (name as "conversion").
The establishment of Facebook Pixel as the storage of the “Conversion Cookies° are based on Article 6 (1) (f) GDPR (legitimate interests). We have a legitimate interest in the analysis of the behaviour of the user in order to optimize our website and advertising.
For the exceptions where personal information is transferred to the United States, Facebook has submitted to the EU-US Privacy Shield, please access this link.
4.3. Google Analytics Remarketing
On the website, we use the Google Analytics Remarketing features in conjunction with the cross-device features of Google Ads and Google DoubleClick. The provider is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
This feature enables you to link the advertising target groups created with Google Analytics Remarketing with the cross-device functions of Google Ads and Google DoubleClick. This allows us to display interest-based, personalized ads that have been customized to you based on your past usage and browsing behaviour on one device (e.g., mobile phone) on another of your devices (e.g., tablet or PC). If you have given your consent, Google will link the web and app browser history to your Google Account for this purpose. In this way, the same personalized advertising messages can be displayed on any device on which you sign in with your Google Account. To support this feature, Google Analytics collects Google-authenticated user IDs that are temporarily linked to our Google Analytics data. This allows target audiences to be defined and created for cross-device advertising.
You can permanently opt out of cross-device remarketing/targeting by deactivating personalized advertising in your Google Account here and/or by following the link below and downloading and installing the plug-in provided here.
The data collected in your Google account is summarized on the basis of your consent, which you can give or revoke at Google (Art. 6 (1) (a) GPDR). In the case of data processing that is not merged into your Google Account - for example, because you do not have a Google Account or because you have been objected to the merging - the legal basis is the processing of the data Art. 6 (1) (f) GDPR (legitimate interests). The legitimate interest results from our interest in the anonymous analysis of website visitors for advertising purposes in order to address you in a targeted manner with interest-related advertising.
For the exceptional cases in which personal data is transferred to the USA, Google has submitted to the EU-US Privacy Shield. You can find further information here.
§5 Establishment of contact
A contact form is available on the website, which can be used for electronic contact. The data entered in the registration form will be transmitted to us and stored, if you send us an inquiry. These data are:
- Your name
- E-mail address
Moreover, at the time the message is sent, the date and time will be stored and, if applicable, other data provided by you if you specify in the message sent.
Alternatively, you can contact us via the e-mail address provided. In this case, the personal data of the user transmitted with the e-mail will be stored. The data is used exclusively for the purpose of processing contact inquiries and serves to prevent misuse of the contact form and to ensure the security of our information technology systems.
The legal basis for the processing of this personal data is Art. 6 (1) (f) GDPR (legitimate interests). The legitimate interest arises from the fact that we can only process the user accordingly with the user has acknowledged (e.g. answering inquiries). Additionally, the legal foundation of data processing is Art. 6 (1) (b) GDPR if the purpose of the contact is to conclude a contract.
On the website, there is a possibility to sign up for free newsletter. When you sign up for it, your email is transferred. The customer’s email address is collected in order to send the newsletter.
We use for the registration of the newsletter a Double-Opt-In procedure. This means that after registration we will send you an email to the given email address in which we will ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. In addition, we store the IP addresses you use and the dates of registration and confirmation. The purpose of this procedure is to prove your registration and to clarify and clear any possible misuse of your data.
The newsletter is sent by a service called “MailChimp”, which is located in the USA. Therefore, the transmitted data is processed in this mentioned jurisdiction.
The email delivery MailChimp has certified to the EU-U.S. Privacy Shield Framework, and therefore offers a guarantee to comply with the European data protection level.
The data protection regulations of this service provider can be viewed here.
"MailChimp" can use the data of the recipients without allocation to an individual user, to optimize its own service or for statistical purposes. The email delivery service does not use the data of our newsletter recipients to itself or to forward the data to third parties. When the newsletter is sent, your user behavior is evaluated by MailChimp. For this evaluation, the e-mails sent contain so-called Web-beacons, more specifically, tracking pixels, which represent one-pixel image files stored on our website. For evaluation purposes, we link the data specified in §2 and the Web-Beacons with your e-mail address and an individual ID. We use the data obtained in this way to create a user profile in order to target the newsletter to your individual interests. We record when you read our newsletter, which links you click in it and infer your personal interests from this. We link this data with the actions you take on our website. You can unsubscribe this tracking at any time by clicking on the separate link provided in each e-mail or by informing us through another contact procedure. The information is stored as long as you have subscribed to the newsletter. After you have unsubscribed, we store the data purely statistically and anonymously. Such tracking is also not possible if you have deactivated the display of images in your e-mail program by default. In this case, the newsletter will not be displayed completely and you may not be able to use all functions. If you display the images manually, the above tracking will take place in connection with data processing for the delivery of newsletters, except for the provider MailChimp, no data is forwarded to third parties. The data will be used exclusively for the email delivery of the newsletter.
The data will only be stored until you unsubscribe from the newsletter. Subsequently, the e-mail address will be blocked for the delivery of the newsletter and may be deleted altogether. You can unsubscribe from the newsletter at any time. For this purpose, you will find a corresponding opt-out link in every newsletter. You can also declare your cancellation by e-mail or by sending a message to the address given in our Imprint.
The legal basis for the processing of data relating to the delivery of newsletter by us is Article 6 (1) (a) GDPR (consent of the user) or, if there is a business relationship with regard to information on at least similar services by us, also Art. 6 (1) (b) GDPR (performance of contract). The email delivery service provider "MailChimp" will be informed based on legitimate interests pursuant to Art. 6 (1) (f) GDPR as well as data processing agreement under Art. 28 (1) (3) GDPR.
§7 Third parties
If you have a Vimeo user account and you do not want that Vimeo collects information about you and link it to your Vimeo member information through this website, you must log out of Vimeo before visiting this website.
Besides, Vimeo uses the Google Analytics tracker via an iFrame in which the video is played. This is Vimeo's own tracking and we do not have any access to it. You can cancel the tracking through Google Analytics by using the deactivation tools that Google offers for determined Internet browsers. You can also prevent Google from collecting the data generated by Google Analytics and according to your use of the website (including your IP address) as well as prevent Google from processing this data by downloading and installing the browser plug-in available on the following link.
The legal foundation is Art. 6 (1) (f) GDPR (legitimate interests). The legitimate interest hereby is that the provider has a legitimate interest in understanding whether and how often the website is used to ensure and improve the functionality of its services. In addition, our legitimate interest lies in an appealing presentation and illustration of our offers through videos on the website for the benefit of the users and a needs-based design of our website.
7.2. Social Media
We currently use the following social media plug-ins: Facebook, Instagram, and Pinterest. We use the so-called Double-click solution.
This means that when you visit our website, no personal data will be forwarded to providers of the plug-ins. You can recognize the provider of the plug-in by the marking on the box above its initial letter or logo. The buttons allow you to communicate directly with the provider of the plug-in. If you click on the marked area and thereby activate it, the plug-in provider receives the information that you have visited the corresponding website of our online service. In addition, the data aforementioned to in §2 (Processing of data by navigating the website) shall be transmitted.
In Germany, the IP information originated through the Facebook platform will be automatically anonymized after collection. By activating the plug-in, your personal data will be transferred to the Plug-In provider and then stored in the USA in case the provider is situated in this jurisdiction. Since the plug-in provider collects data in particular via cookies, we recommend that you delete all cookies via your browser's security settings before clicking on the grey box.
We do not influence the collected data and data processing procedures, nor are we aware of the full scope of the data processing, the purposes of data processing, the periods of storage. Moreover, no information is present to us according to the deletion of the raised data by the plug-in providers.
The plug-in provider stores the data collected about you as usage profiles, and uses the following data for purposes of advertising, market research and/or demand-oriented designs of its website. Such evaluation is carried out in particular (also for users who are not logged in) to display demand-driven and oriented advertising and to attract your network about your activities on our website. You are entitled to object to the creation of these user profiles, whereby you must contact the respective plug-in provider to exercise this right. Through the plug-ins, we offer the possibility to interact with social networks and other users, so that we can improve our offer and make it more interesting for you as a user.
The legal basis for the use of the plug-ins is Art. 6 (1) (f) GDPR (legitimate interests).
The data transfer takes place regardless of whether you have an account with the plug-in provider and are logged in. If you are logged in at the plug-in provider, your data collected by us will be directly transferred to your existing account in the platform of the plug-in. If you press the activated button and, for example, link the page, the plug-in provider also stores this information in your user account and communicates it publicly to your contacts. We recommend that you log out regularly after using a social network, especially before activating the button, as this avoids assigning your profile to the plug-in provider.
7.2.2. Website of the Company
With the help of page insights, we obtain information about how our fan pages are used, which interests the visitors of our fan pages have and which topics and contents are particularly popular. This enables us to optimize our fanpage activities, for example by better addressing the interests and usage habits of our audience when planning and selecting our content.
We and Facebook are jointly responsible for the processing of your data for the provision of page insights. For this purpose, we and Facebook have agreed in an agreement which company fulfils which data protection obligations under the observance of the GDPR with regard to the processing of Page Insights data.
When you visit our fan pages, we generally collect all shared posts , content and other information that you directly communicate to us there, such as when you post something on a fan page or send us a private message. If you have an account with the mentioned social network, we may also see your public information, such as your username, information in your public profile and content you share with a public audience.
To the extent that you have consented to Facebook's creation of Page Insights as described above, the legal basis is Article 6 (1) (a) GDPR (consent). Otherwise, the legal basis is Article 6 (1) (f) GDPR, whereby our legitimate interests lie in the above-mentioned purposes.
7.2.3. Further Information about the Social Media Providers
Further information on the purpose and scope of data processing and the processing by social media providers can be found in the Data Privacy Policies of these providers. In the mentioned policies, you will also find further information on the relevant rights and setting options to protect your privacy.
Instagram, Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, under the following link.
Pinterest, Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland, under the following link.
Vimeo, LLC, 555 West 18th Street, New York, New York 10011, USA, under the following link.
8.1. Registration and User Account
You can create a user account on our website. The data is entered in an entry form and transmitted to us and stored. When registering for a user account, the following data is collected and stored:
- IP ADDRESS
- DATE AND TIME OF REGISTRATION
- YOUR FIRST AND LAST NAME
- YOUR EMAIL ADDRESS
- DELIVERY ADDRESS
- INFORMATION ON PAYMENT METHOD SUCH AS ACCOUNT NUMBER; CREDIT CARD NUMBER; IBAN OR PAYPAL
As part of the login process, your e-mail address and a self-chosen password need to be inserted. Moreover, the IP address of the user as well as the date and time of the login are stored at the time of the login.
The legal basis for the processing of the aforementioned data is Art. 6 (1) (b) GDPR (performance of contract and pre-contractual measures).
The registration and the login area are necessary for the performance of the contract or the implementation of pre-contractual measures.
The purpose of registration and login is to provide the login function for the order, to view your most recent orders, to manage your delivery and billing addresses and to edit the password and account details.
Your personal information will be used to support your user experience on our website and to manage the access to your account.
In addition, on the website, we offer the possibility to request and purchase our products without registering for a customer account via an order form.
The following data is collected as part of the order process through the order form:
- First and last name (required)
- Billing or delivery address (required)
- E-mail address (required)
- If applicable, it will be required details of payment method such as bank account number or credit card number, IBAN or Paypal
The order form serves the purpose of concluding a contract with us or sending a manufacturing request. The data which is processed in the order form, thus serves to conclude or terminate the contract with the user.
The legal basis for this data processing is Art. 6 (1) (b) GDPR (fulfilment of contract and pre-contractual measures), as the user provides us with the data based on the respective contractual relationship (for example, managing the customer account, processing the purchase contract).
For the operation of our online store, we use Shopify, a service of Shopify Inc 1266 York Street, Suite 200, Ottawa, ON, Kanada, K1N 5T5. Shopify provides an e-commerce platform through which we sell our goods.
Shopify sets cookies while you navigate our homepage. These are small text files that are stored on your Internet browser or by the Internet browser on your computer system. If you visit a website as a user, a cookie can be stored on your operating system. This cookie contains a unique string of characters that enables the browser to be uniquely identified when the website is visited again. The cookies are set in order to make our website user-friendly. Some elements of our website require that the calling browser can be identified even after a page change. The following data is stored and transmitted in the cookies:
In addition, cookies allow an analysis of the user behaviour while visiting the website. In this way, the following data can be transmitted:
- Keywords entered
- Frequency of homepage views
- Use of the website functions
The data collected in this way is pseudonymized by technical precautions. It is therefore not possible to assign the data to an individualized user. The data are not stored together with other personal data of the users.
When you select a direct payment portal to complete your purchase, Shopify stores your credit card information. Your personal data is encrypted during the online ordering process using PCI-DSS (Payment Card Industry Data Security Standard). Your purchase processing data will only be stored for as long as is necessary to complete the transaction. Your purchase transaction data will then be deleted.
The legal foundation of such data processing is found on is Art. 6 (1) (f) GDPR. The purpose of using Shopify is to distribute our products online quickly, easily and securely. Likewise, we would also like to simplify the use of our websites for you and make your visit more attractive to you. With the collaboration of Shopify, we learn how our website is used and can therefore always optimize our offer and better match it to your needs and interests. For this purpose, our legitimate interest lies in the processing of personal data in accordance with Art. 6 (1) (f) GDPR.
On our website, we offer you the "Back-in-Stock" option, a service of SureSwift Capital, Inc., 5201 Eden Ave Suite 300, Edina, MN 55436 Canada. If a product from our website is not available, you can leave your email address via Back-in Stock and receive an e-mail notification as soon as the item is available again.
When you visit our store and register for back-in-stock notification, your web browser's email address, language and time zone, and any marketing permissions you may have are collected and submitted to the vendor.
The Provider will retain your information for as long as it deems necessary to provide the User with an appropriate service, unless a User has specifically requested that its information be deleted. The provider stores and transmits the data to provide you with the best possible service and experience, in particular to improve the products and services and to provide you with the opportunity to make automated decisions, including the creation of profiles, with the aim of providing new users with a better and more personalized experience for the user or optimized marketing. The Provider may from time to time use the services of other parties to process certain processes necessary to operate the Site. Providers of such services may have access to certain personal information provided by users of this Site and may be located in different locations around the world. In addition, data may be shared with third parties for relevant marketing purposes at the sole discretion of Back in Stock.
The legal basis is Art. 6 (1) (f) GDPR. The purpose of the use of Back in Stock is to improve our service to our customers by providing them with an opportunity to obtain information about products that are available again, thus making their visit more attractive. For this purpose, our legitimate interest is also based on the processing of personal data pursuant to Art. 6 (1) (f) GDPR.
8.5. Payment Service Providers
We use external payment service providers such as Paypal, Instant Transfer, Google Pay and Apple Pay to process credit card payments, whose platforms are used to process payment transactions. The following data belong to the data processed by the payment service providers: Inventory data, such as name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as contract, totals and recipient details. Depending on the service provider, this information is mandatory in order to successfully complete the transactions.
The data entered by you will only be processed and stored by the external payment service providers named by us. We do not receive account or credit card related information. We will be only informed either the payment is completed or we will receive negative information. Under certain circumstances, the data may be transmitted to credit agencies of the payment service providers named by us. The purpose of this transmission is to check identity and creditworthiness. The payment transactions are subject to the data protection notices of the respective payment service providers, which can be accessed within the respective websites or transaction applications. We refer to these also for the purpose of further information and assertion of revocation, information and any other affected rights:
- Paypal under the following link
- Apple Pay under the following link
- Google Pay under the following link
- Instant transfer under the following link
The legal basis is Art. 6 (1) (f) GDPR (legitimate interests). The legitimate interest is based on the fact that payment providers have a legitimate interest in understanding whether and how often the website is used to ensure and improve the functionality of your services. In addition, we have a legitimate interest in offering our customers different payment methods.
§9 Transmission of Data
The personal data collected within the framework of the use of the website will not be passed on to third parties or transmitted in any other way without your consent, unless otherwise expressly described in this Data Protection Policy.
For the operation of the website and the services offered on the website, external service providers (e.g. hosting providers; newsletter service providers) are used who process your personal data on our behalf and exclusively in accordance with our instructions. The legal basis for such data processing is Art. 6 (1)(b) GDPR (performance of contract and pre-contractual measures) and Art. 28 GDPR (data processing agreement).
If necessary, personal data will be transferred to state institutions and authorities, insofar as there is a legal obligation to do under Art. 6 (1) (c) GDPR.
§10 Storage Duration
Your personal data will only be stored for as long as is necessary to process your requests to us, unless a different storage duration results from other provisions of this Data Protection Policy. Moreover, we store your data only to the extent and to the extent that we are obliged to do so by mandatory statutory storage obligations. If we no longer need your data for the purposes described above, they will only be stored during the respective legal retention period and not processed for other purposes.
§11 Rights of affected persons
11.1. Right of Objection
You have the right of objection against the processing of your personal data (Art. 21 GDPR) if the relevant personal data is processed based on legitimate interests (Art. 6 (1) (f) GDPR) and in case reasons are arising from your particular situation. In case of direct advertising, you may object to the processing of the data is possible at any time without providing any particular information.
11.2. Further Rights
Moreover, you have the right to:
a) to request information about the personal data stored about you at any time (Art. 15 GDPR);
b) to demand the correction or completion (Art. 16 GDPR), deletion (Art. 17 GDPR) or restriction (Art. 18 GDPR) of the processing of the corresponding personal data, insofar as the legal requirements are met;
c) to receive your personal data in a structured, common and machine-readable format (Art. 20 GDPR);
d) revoke at any time for the future any consent granted to the use of personal data (Art. 7 para. 3 GDPR); and
e) complain to the competent data protection supervisory authority if you are of the opinion that the processing of your personal data concerning the use of the website violates applicable data protection law (Art. 77 GDPR).
To make use of one of your rights mentioned above, simply send an e-mail to
§12 Data Security
To guarantee data security, in particular, to protect your personal data from the risks involving data transmissions and from third parties gaining knowledge, we use current technical and organizational measures when operating the website. These are being adjusted accordingly to the latest forms of technology.
§13 Changes and Update
Stand November 2019