Privacy policy
WEBSITE DATA PROTECTION DECLARATION AND INFORMATION ON DATA SUBJECTS PURSUANT TO ARTICLES 13 AND 14 OF THE EU GENERAL DATA PROTECTION REGULATION
We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of the ARTDECO cosmetic GmbH. The use of the Internet pages of the ARTDECO cosmetic GmbH is possible without any indication of personal data; however, if a data subject wants to use special enterprise services via our website, processing of personal data could become necessary. If the processing of personal data is necessary and there is no statutory basis for such processing, we generally obtain consent from the data subject.
The processing of personal data, such as the name, address, e-mail address, or telephone number of a data subject shall always be in line with the General Data Protection Regulation (GDPR), and in accordance with the country-specific data protection regulations applicable to the ARTDECO cosmetic GmbH. By means of this data protection declaration, our enterprise would like to inform the general public of the nature, scope, and purpose of the personal data we collect, use and process. Furthermore, data subjects are informed, by means of this data protection declaration, of the rights to which they are entitled.
As the controller, the ARTDECO cosmetic GmbH has implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through this website. However, Internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed. For this reason, every data subject is free to transfer personal data to us via alternative means, e.g. by telephone.
Name and Address of the controller
Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:
ARTDECO cosmetic GmbH
Gaußstraße 13
85757 Karlsfeld
Germany
Phone: +49 (0) 8131 / 390 100
E-Mail: online@artdeco.com
Website: www.artdeco.com
Name and Address of the Data Protection Officer
The Data Protection Officer of the controller is:
Dr. Sebastian Kraska, IITR Datenschutz GmbH
E-Mail: datenschutz@artdeco.com
Any data subject may, at any time, contact our Data Protection Officer directly with all questions and suggestions concerning data protection.
Cookies
The Internet pages of the ARTDECO cosmetic GmbH use cookies. Cookies are text files that are stored in a computer system via an Internet browser.
Many Internet sites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a character string through which Internet pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This allows visited Internet sites and servers to differentiate the individual browser of the data subject from other Internet browsers that contain other cookies. A specific Internet browser can be recognized and identified using the unique cookie ID.
Through the use of cookies, the ARTDECO cosmetic GmbH can provide the users of this website with more user-friendly services that would not be possible without the cookie setting.
By means of a cookie, the information and offers on our website can be optimized with the user in mind. Cookies allow us, as previously mentioned, to recognize our website users. The purpose of this recognition is to make it easier for users to utilize our website. For example, a website user who uses cookies does not have to enter access data each time the website is accessed, because this is taken over by the website, and the cookie is thus stored on the user's computer system. Another example is the cookie of a shopping cart in an online shop. The online store remembers the articles that a customer has placed in the virtual shopping cart via a cookie.
The data subject may, at any time, prevent the setting of cookies through our website by means of a corresponding setting of the Internet browser used, and may thus permanently deny the setting of cookies. Furthermore, already set cookies may be deleted at any time via an Internet browser or other software programs. This is possible in all popular Internet browsers. If the data subject deactivates the setting of cookies in the Internet browser used, not all functions of our website may be entirely usable. Further information is also stored in the cookie banner area and can be viewed at any time.
Collection of general data and information
The website of the ARTDECO cosmetic GmbH collects a series of general data and information when a data subject or automated system calls up the website. This general data and information are stored in the server log files. The following may be collected: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrers), (4) the sub-websites, (5) the date and time of access to the Internet site, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) any other similar data and information that may be used in the event of attacks on our information technology systems.
When using these general data and information, the ARTDECO cosmetic GmbH does not draw any conclusions about the data subject. Rather, this information is needed to (1) deliver the content of our website correctly, (2) optimize the content of our website as well as its advertisement, (3) ensure the long-term viability of our information technology systems and website technology, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. Therefore, the ARTDECO cosmetic GmbH analyzes anonymously collected data and information statistically, with the aim of increasing the data protection and data security of our enterprise, and to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.
Personal data is only collected if you provide it to us of your own accord. No personal data is collected beyond this. Any processing of your personal data that goes beyond the scope of the legal permissions will only be carried out on the basis of your express consent.
Processing purpose: Contract execution.
Recipient categories: Public bodies in the case of overriding legal provisions. External service providers or other contractors. Other external bodies as long as the data subject has given his/her consent or a transfer is permissible due to overriding interest.
Third country transfers: Within the framework of the execution of the contract, processors outside the European Union may also be used.
Duration data storage: The duration of the data storage depends on the legal storage obligations and is usually 10 years.
Contact possibility via the website
Based on statutory provisions, the website of the ARTDECO cosmetic GmbH contains data that enable a quick electronic contact to our enterprise, as well as direct communication with us, which also includes a general address of the so-called electronic mail (e-mail address). If a data subject contacts the controller by e-mail or by using a contact form, the personal data transmitted by the data subject will be stored automatically. Such personal data transmitted on a voluntary basis by a data subject to the controller will be stored for the purpose of processing or contacting the data subject. No disclosure of this personal data to third parties will take place.
We use the tool "Gorgias" from Gorgias Inc., San Francisco, CA, 34 Harriet St, San Francisco, USA, to process your inquiries from various channels (contact form, chat, email) quickly and efficiently.
When using Gorgias, the following personal data is collected and processed: Customer email address, information about the customer's order(s), information about previous interactions between the customer and our customer support team. This data is used exclusively for the purpose of processing customer inquiries and improving our customer support.
The storage and analysis of data is based on Art. 6 (1) lit. f GDPR. The website operator has a legitimate interest in communicating with customers and interested parties in the most straightforward manner possible. If consent has been requested (e.g., consent to the storage of cookies), processing is carried out exclusively on the basis of Art. 6 (1) lit. a GDPR; consent can be revoked at any time.
As a US provider, Gorgias is Privacy Shield certified and is therefore committed to complying with EU data protection law. In addition, we have concluded a data processing agreement (DPA) with Gorgias. This ensures that Gorgias only uses user data in accordance with EU data protection standards exclusively for the purpose of processing inquiries and does not pass it on to third parties. This data will not be passed on to third parties unless this is necessary to fulfill our contractual obligations or we are legally obliged to do so.
If you do not agree to your inquiry being processed by us via Gorgias, you can alternatively communicate with us by telephone. You can find the data in the legal notice.
Further information can be found in Gorgias' privacy policy at https://www.gorgias.com/privacy.
Information on further data processing procedures
Specific information about the application process
The controller collects and processes the personal data of applicants for the purpose of handling the application procedure. The processing may also take place electronically. This is the case, in particular, when an applicant submits relevant application documents to the controller by electronic means, for example, by e-mail or via a web form located on the website. If the controller concludes an employment contract with an applicant, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If the controller does not conclude an employment contract with the applicant, the application documents will be automatically deleted four months after notification of the rejection decision, provided that no other legitimate interests of the controller conflict with such deletion. Other legitimate interest in this sense is, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act (AGG).
Specific information on the processing of customer data/prospect data
Data concerned: Data provided for the performance of the contract; if applicable, data beyond this for processing on the basis of your express consent.
Processing purpose: Contract execution, including quotes, orders, sales and invoicing, quality assurance.
Categories of recipients: Public bodies in the case of overriding legal provisions. External service providers or other contractors. Other external bodies insofar as the data subject has given his/her consent or a transfer is permissible for overriding interest.
Third country transfers: Processors outside the European Union are used.
Duration data storage: The duration of data storage is based on the statutory retention obligations and is usually 10 years.
Specific information on the processing of employee data
Data concerned: Data provided for the performance of the contract; if applicable, data beyond this for processing on the basis of your express consent.
Processing purpose: Contract execution.
Categories of recipients: Public bodies in the case of overriding legal provisions. External service providers or other contractors. Other external bodies insofar as the data subject has given his/her consent or a transfer is permissible for overriding interest.
Third country transfers: Within the framework of the execution of the contract, processors outside the European Union may also be used.
Duration data storage: The duration of data storage is based on the statutory retention obligations and is usually 10 years.
Specific information on the processing of supplier data
Data concerned: Data provided for the performance of the contract; if applicable, data beyond this for processing on the basis of your express consent.
Processing purpose: Contract execution.
Categories of recipients: Public bodies in the case of overriding legal provisions. External service providers or other contractors. Other external bodies insofar as the data subject has given his/her consent or a transfer is permissible for overriding interest.
Third country transfers: Within the framework of the execution of the contract, processors outside the European Union may also be used.
Duration data storage: The duration of data storage is based on the statutory retention obligations and is usually 10 years.
Specific information on the use of video conferencing/webinar software
Data concerned: Data provided for the use of the video conferencing software or the webinar software (esp. first name, last name, e-mail address; optional: sound transmission; optional: image transmission; optional: questions when using chat functions); to the extent technically necessary, processing of data from your system to establish the connection with the provider of the conferencing software.
Processing purpose: Conducting video conferences or webinars.
Categories of recipients: Public bodies in the case of overriding legal provisions. External service providers or other contractors, including for data processing and hosting. Other external bodies insofar as the data subject has given his/her consent or a transfer is permissible for overriding interest.
Third country transfers: Processors outside the European Union are used (here: United States of America); standard contractual clauses have been concluded with the service provider accordingly.
Duration data storage: Video conferences are only recorded with the previously documented consent of the participants. The technical data is deleted if it is no longer required. The duration of data storage otherwise depends on the statutory retention obligations and is usually 10 years.
Use of hCaptcha
To protect our forms and prevent spam and abuse, we use the Captcha service hCaptcha by Intuition Machines, Inc., 350 Alabama St, San Francisco, CA 94110, USA. hCaptcha is used to verify whether the data entered on our websites is provided by a human or by automated programs.
Data Collected
When using hCaptcha, personal data is collected that is necessary for the functionality of the service. This includes, among other things:
- IP address
- Information about the operating system
- Browser and device settings
- Date and time of access
- Mouse movements or user interactions on the page
This data is required to determine whether the use of our website is carried out by a human or if it constitutes abusive access.
Legal Basis: The legal basis for processing this data is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in protecting our web services from misuse and spam and ensuring the stability of our services.
Data Transfer to Third Countries: hCaptcha also processes your data in the USA. To ensure an adequate level of data protection, hCaptcha has implemented the European Commission's standard contractual clauses. For more information, please refer to the hCaptcha Privacy Policy.
Retention Period: The data collected by hCaptcha is stored for the duration necessary to fulfill the aforementioned purpose. The collected data is then automatically deleted.
Right to Object: You have the right to object to the processing of your data at any time. However, please note that using the website may be restricted without the use of hCaptcha.
Where legally required, we have obtained your consent for the above-described processing of your data in accordance with Art. 6 para. 1 lit. a GDPR. You may withdraw your consent at any time with effect for the future. To exercise your right to withdraw, please follow the procedure for raising an objection described above.
For more information about hCaptcha, please refer to the Privacy Policy and Terms of Service at the following links: https://www.hcaptcha.com/privacy and https://hcaptcha.com/terms.
Content Delivery Network (CDN)
Shopify CDN
Our website is provided via the e-commerce platform Shopify. To deliver the website content quickly, reliably, and securely, Shopify uses a so-called Content Delivery Network (CDN). This is a network of globally distributed servers designed to optimize loading times and ensure stable availability of the website—regardless of the user's location.
As part of this CDN usage, personal data—particularly IP addresses—may be transmitted to and processed on Shopify’s servers. The processing is based on our legitimate interest pursuant to Art. 6 (1) lit. f GDPR in the technically secure, fast, and efficient provision of our online offering. A data processing agreement (DPA) has been concluded with the provider.
Note on Geo-IP detection
The Geo-IP detection on our website is part of the Shopify app Geolocation – Orbe. It is used to automatically suggest the appropriate country version of the website to visitors. For this purpose, the IP address is analyzed without being stored permanently.
Rebuy CDN
To optimize the user experience and to provide personalized content, we use services from the provider Rebuy, in particular the Content Delivery Network (CDN) under the domain cdn.rebuyengine.com. This CDN provides features such as personalized product recommendations and dynamic content. This may involve the transmission of personal data—especially the IP address and device-specific information—to Rebuy’s servers. The processing is based on our legitimate interest pursuant to Art. 6 (1) lit. f GDPR in improving user guidance and customizing our offering. A data processing agreement (DPA) pursuant to Art. 28 GDPR has been concluded with Rebuy, ensuring that your data is processed exclusively according to our instructions and is protected by appropriate technical and organizational measures.
Amplitude CDN
To efficiently support analytical functions of our website, we use services from the provider Amplitude, specifically the Content Delivery Network (CDN) under the domain cdn.amplitude.com. This CDN loads scripts and libraries required for collecting and analyzing usage data. Retrieving this content may involve the transmission of personal data—especially IP addresses and technical information about the used device—to Amplitude’s servers.
The data processing is based on our legitimate interest pursuant to Art. 6 (1) lit. f GDPR in the usage-based optimization of our online offering and the improvement of the user experience. A data processing agreement (DPA) pursuant to Art. 28 GDPR is in place with Amplitude, ensuring that your data is processed solely under our instructions and secured by appropriate technical and organizational measures.
Yotpo CDN
To integrate product reviews and other user-generated content, we use services from the provider Yotpo Inc., particularly the Content Delivery Network (CDN) under the domain api-cdn.yotpo.com. This CDN ensures that content such as review elements, widgets, or scripts is delivered reliably, quickly, and efficiently—regardless of the website visitors’ location.
For more information on data processing by Yotpo, please visit: https://www.yotpo.com/privacy-policy/
Cloudflare R2 Object Storage
To deliver certain content on our website in a performant and scalable manner, we use Cloudflare R2, a service for decentralized storage and delivery of data. R2 enables us to provide static content such as images, scripts, or other media files efficiently and cost-effectively via distributed servers, without relying on traditional cloud storage solutions. This may involve the transmission of personal data—particularly IP addresses—to Cloudflare’s servers in order to deliver the requested content.
The processing of this data is based on our legitimate interest pursuant to Art. 6 (1) lit. f GDPR in providing our online offering in a fast, reliable, and resource-efficient manner. A data processing agreement (DPA) pursuant to Art. 28 GDPR has been concluded with Cloudflare, ensuring that your data is processed solely according to our instructions and protected by appropriate technical and organizational measures.
More information and contacts
In addition, you may at any time exercise your rights of access, rectification or erasure, or to restrict processing or exercise your right to object to processing, as well as the right to data portability. Here you will find the possibility to contact us by e-mail or letter.
You also have the right to contact the data protection supervisory authority in case of complaints.
Status of the information: April 2025