Privacy policy

1) Information on the collection of personal data and contact details of the controller

1.1 We are pleased that you are visiting our website and thank you for your interest. On the following pages, we will inform you about how we handle your personal data when you use our website. Personal data is any data that can be used to identify you personally.

1.2 The person responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is Mariana Bayer and Christoph Bayer GbR, Oberer Wingertweg 82, 75177 Pforzheim, Germany, e-mail: info@redwood.fashion. The controller of personal data is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.

1.3 This website uses SSL or TLS encryption for security reasons and to protect the transmission of personal data and other confidential content (e.g. orders or enquiries to the controller). You can recognise an encrypted connection by the character string https:// and the lock symbol in your browser line.

2) Data collection when visiting our website

When you use our website purely for information purposes, i.e. if you do not register or otherwise transmit information to us, we only collect data that your browser transmits to our server (so-called "server log files"). When you visit our website, we collect the following data, which is technically necessary for us to be able to display the website to you:

Our visited website
The date and time at the time of access
Amount of data sent in bytes
Source/reference from which you came to the page
Browser used
Operating system used
IP address used (if applicable: in anonymised form)

The data processing is carried out pursuant to Art. 6 (1) lit. f GDPR on the basis of our legitimate interest in improving the stability and functionality of our website. The data will not be passed on or used in any other way. However, we reserve the right to check the server log files retrospectively if there are concrete indications of unlawful use.

3) Hosting & Content Delivery Network

3.1 Shopify

We use the system of the following provider to host our website and display the page content: Shopify International Limited, Victoria Buildings, 2nd floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland.

Data is also transferred to: Shopify Inc. 150 Elgin St, Ottawa, ON K2P 1L4, Canada, Shopify Data Processing (USA) Inc, Shopify Payments (USA) Inc. or Shopify (USA) Inc.

All data collected on our website is processed on the provider's servers. We have concluded an order processing contract with the provider, which ensures the protection of our website visitors' data and excludes any unauthorised disclosure to third parties.

For the transmission of data, the provider is responsible for the data protection.

For the transfer of data to the USA, the provider relies on standard contractual clauses of the European Commission, which are intended to ensure compliance with the European level of data protection.

For data transfers to Canada, an adequate level of data protection is guaranteed by an adequacy decision of the European Commission.

3.2 - Cloudflare

We use a content delivery network provided by the following provider: Cloudflare Inc, 101 Townsend St. San Francisco, CA 94107, USA.

This service enables us to deliver large media files such as graphics, page content or scripts more quickly via a network of regionally distributed servers. The processing is carried out to protect our legitimate interest in improving the stability and functionality of our website in accordance with Art. 6 (1) lit. f GDPR. We have concluded an order processing agreement with the provider, which ensures the protection of our website visitors' data and excludes unauthorised disclosure to third parties.

4) Cookies

To make visiting our website attractive and to enable the use of certain functions, we use cookies, i.e. small text files that are stored on your terminal device. In some cases, these cookies are automatically deleted again after the browser is closed (so-called "session cookies"), in other cases, these cookies remain on your end device for longer and allow page settings to be saved (so-called "persistent cookies"). In the latter case, you can read the duration of storage in the overview of the cookie settings of your web browser.

If personal data are also processed by individual cookies set by us, the processing is carried out either in accordance with Art. 6 (1) lit. b GDPR for the fulfilment of the contract.

We would like to expressly point out that we do not set any tracking cookies. That is why you will not find a cookie banner on our website. All cookies set by us serve exclusively the processing of your order, and we refuse to pass on your customer information to data octopuses such as Google, Meta and the like.

5) Contacting us

When you contact us (e.g. via contact form or e-mail), personal data is collected. Which data is collected in the case of a contact form can be seen from the respective contact form. This data is stored and used exclusively for the purpose of answering your enquiry or contacting you and the associated technical administration. The legal basis for processing the data is our legitimate interest in responding to your enquiry in accordance with Art. 6 (1) lit. f GDPR. If your contact aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 (1) lit. b GDPR. Your data will be deleted after final processing of your request; this is the case if it can be inferred from the circumstances that the matter concerned has been conclusively clarified, provided that this does not conflict with any statutory retention obligations.

6) Data processing when opening a customer account and for contract processing

Pursuant to Art. 6 para. 1 lit. b DSGVO, personal data will continue to be collected and processed to the extent necessary in each case if you provide us with this data when opening a customer account. The data required for opening an account can be found in the input mask of the corresponding form on our website. The deletion of your customer account is possible at any time and can be done by sending a message to the address of the responsible person mentioned above. After deletion of your customer account, your data will be deleted, provided that all contracts concluded via it have been fully processed, no legal retention periods conflict with this and there is no legitimate interest on our part in further storage.

7) Comment function

When using the comment function on this website, in addition to your comment, information about the time of the creation of the comment and the name of the commentator you have chosen will be stored and published on the website. In addition, your IP address is recorded and stored. This IP address is stored for security reasons, in case the person in question infringes the rights of third parties by posting a comment or posts illegal content. We need your e-mail address in order to be able to contact you if a third party objects to your published content as being illegal. The legal basis for storing your data is Art. 6 (1) lit. b and f GDPR. We reserve the right to delete comments if they are objected to as unlawful by a third party.

8) Use of customer data for direct marketing

Notification by email of product availability
If our online shop offers the option of informing you by email of the time of availability of selected items that are temporarily unavailable, you can sign up for our product availability email notification service. When you sign up for our product availability email notification service, we will send you a one-time email message about the availability of your selected item. The only mandatory information required to send this notification is your email address. The provision of further data is voluntary and may be used to address you personally. When sending this notification, we use the so-called double opt-in procedure. This means that we will only send you a corresponding notification once you have expressly confirmed that you agree to receive such a message. We will then send you a confirmation e-mail in which you confirm that you would like to receive such a notification by clicking on a link.

By activating the confirmation link, you consent to the use of your personal data in accordance with Art. 6 (1) lit. a GDPR. When you register for our product availability email notification service, we store your IP address registered by your Internet Service Provider (ISP) as well as the date and time of registration in order to be able to track any misuse of your email address at a later date. The data we collect when you register for our e-mail notification service about the availability of goods is used solely for the purpose of informing you about the availability of a particular item in our online shop. You can unsubscribe from the goods availability email notification service at any time by sending a message to the data controller mentioned at the beginning of this page. After you have unsubscribed, your e-mail address will be deleted from our mailing list immediately, unless you have expressly consented to the further use of your data or we reserve the right to further use your data in accordance with the legal provisions, which we inform you about in this statement.

9) Processing of data for the purpose of order processing

9.1 Insofar as it is necessary for the processing of the contract for delivery and payment purposes, the personal data collected by us will be passed on to the commissioned transport company and the commissioned credit institution in accordance with Art. 6 (1) lit. b GDPR.

If we owe you updates for goods with digital elements or for digital products on the basis of a corresponding contract, we process the contact data (name, address, e-mail address) you provided when placing the order in order to inform you personally by suitable means of communication (e.g. by post or e-mail) about upcoming updates within the legally prescribed period within the scope of our legal duty to inform according to Art. 6 (1) lit. c GDPR. Your contact details will only be used for the purpose of informing you about updates owed by us and will only be processed by us for this purpose to the extent necessary for the respective information.

In order to process your order, we also work together with the following service provider(s), who support us in whole or in part in the performance of the contracts concluded. Certain personal data is transferred to these service providers in accordance with the following information.

9.2 Use of specific service providers for the performance of the contract

- SendCloud
The dispatch takes place via the dispatch portal SendCloud (SendCloud GmbH, Kanalstr. 10, 80538 Munich). In accordance with Art. 6 Para. 1 lit. b GDPR, we pass on your data to SendCloud exclusively for the purpose of processing your online order. Data will only be transmitted if this is necessary for the processing of the order. Details of SendCloud's privacy policy can be found at https://www.sendcloud.com/privacy-policy.

9.3 Use of payment service providers

- Amazon Pay
If you choose the payment method "Amazon Pay", payment processing is carried out via the payment service provider Amazon Payments Europe s.c.a., 38 avenue John F. Kennedy, L-1855 Luxembourg (hereinafter referred to as "Amazon Payments"), to whom we pass on the data you provided during the ordering process together with the information about your order in accordance with Art. 6 (1) lit. b GDPR. Your data will only be passed on for the purpose of payment processing with the payment service provider Amazon Payments and only to the extent necessary. Further information on the data protection provisions of Amazon Payments can be found at https://pay.amazon.com/uk/help/201751600
- Paypal
When paying by PayPal, credit card via PayPal, direct debit via PayPal or - if offered - "purchase on account" or "payment by instalments" via PayPal, we transmit your payment data to PayPal (Europe) S. a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal"). The transmission takes place in accordance with Art. 6 para. 1 lit. b DSGVO and only to the extent necessary for the payment processing.
PayPal reserves the right to carry out a credit check for the payment methods credit card via PayPal, direct debit via PayPal or, if offered, "purchase on account" or "payment by instalments" via PayPal. For this purpose, your payment data may be forwarded to credit agencies on the basis of PayPal's legitimate interest in determining your solvency in accordance with Art. 6 (1) lit. f GDPR. PayPal uses the result of the credit check in relation to the statistical probability of a payment default to decide on the provision of the respective payment method. The creditworthiness information may contain probability values (so-called score values). Insofar as score values are included in the result of the credit report, they are based on recognised scientific, mathematical-statistical methods. Address data, among other things, are included in the calculation of the score values. Further information on data protection law, including the credit agencies used, can be found in PayPal's data protection declaration at: https://www.paypal.com/uk/webapps/mpp/ua/privacy-full.
You can object to this processing of your data at any time by sending a message to PayPal. However, PayPal may still be entitled to process your personal data if this is necessary to process payments in accordance with the contract.
- Paypal Checkout
This website uses PayPal Checkout, an online payment system from PayPal, which consists of PayPal's own payment methods and local third-party payment methods.
When you pay via PayPal, credit card via PayPal, direct debit via PayPal or - if offered - "Pay Later" via PayPal, we pass on your payment data to PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal") as part of the payment processing. The transmission takes place in accordance with Art. 6 Para. 1 lit. b DSGVO and only insofar as this is necessary for the payment processing.
For the payment methods credit card via PayPal, direct debit via PayPal or - if offered - "Pay later" via PayPal, PayPal reserves the right to carry out a credit check. For this purpose, your payment data may be passed on to credit agencies pursuant to Art. 6 (1) lit. f DSGVO on the basis of PayPal's legitimate interest in determining your solvency. PayPal uses the result of the credit check in the sense of a statistical probability of default for the purpose of deciding on the provision of the respective payment method. The creditworthiness information may contain probability values (so-called score values). Insofar as score values are included in the result of the credit report, they have their basis in a scientifically recognised mathematical-statistical procedure. Address data, among other things, are included in the calculation of the score values. You can object to this processing of your data at any time by sending a message to PayPal. However, PayPal may be entitled to process your personal data if this is necessary to process the payment in accordance with the contract.
If you choose the PayPal payment method "Purchase on account", your payment data will first be transmitted to PayPal to prepare the payment, whereupon PayPal will forward this data to Ratepay GmbH, Franklinstraße 28-29, 10587 Berlin ("Ratepay") to process the payment. The legal basis in each case is Art. 6 (1) lit. b GDPR. In this case, RatePay carries out an identity and credit check on its own behalf to determine solvency in accordance with the principle already mentioned above and passes your payment data to credit agencies on the basis of the legitimate interest in determining solvency in accordance with Art. 6 (1) lit. f GDPR. A list of the credit reference agencies that Ratepay may use can be found here: https://www.ratepay.com/legal-payment-creditagencies/
If you use the payment method of a local third-party provider, your payment data will first be passed on to PayPal in preparation for payment in accordance with Art. 6 (1) lit. b GDPR. Depending on your selection of an available local payment method, PayPal will then transmit your payment data to the relevant provider to prepare the payment in accordance with Art. 6 para. 1 lit. b GDPR:
- Sofort (SOFORT GmbH, Theresienhöhe 12, 80339 Munich, Germany)
- iDeal (Currence Holding BV, Beethovenstraat 300 Amsterdam, Netherlands)
- giropay (Paydirekt GmbH, Stephanstr. 14-16, 60313 Frankfurt am Main, Germany)
- bancontact (Bancontact Payconiq Company, Rue d'Arlon 82, 1040 Brussels, Belgium)
- blik (Polski Standard Płatności sp. z o.o., ul. Czerniakowska 87A, 00-718 Warsaw, Poland)
- eps (STUZZA Studiengesellschaft für Zusammenarbeit im Zahlungsverkehr GmbH, Frankgasse 10/8, 1090 Vienna, Austria)
- MyBank (PRETA S.A. S, 40 Rue de Courcelles, F-75008 Paris, France)
- Przelewy24 (PayPro SA, Kanclerska 15A, 60-326 Poznań, Poland)
For more information on data protection, please refer to PayPal's privacy policy: https://www. paypal.com/en/webapps/mpp/ua/privacy-full
- Shopify Payments
We use the payment service provider "Shopify Payments", 3rd Floor, Europe House, Harcourt Building, Harcourt Street, Dublin 2. If you choose a payment method offered by the payment service provider Shopify Payments, the payment is processed by the technical service provider Stripe Payments Europe Ltd, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, to whom we transfer the data provided by you in connection with your order (name, address, account number, bank sort code, credit card number if applicable, invoice amount, currency and transaction number) in accordance with Art. 6 (1) lit. f GDPR. Your data will only be shared for the purpose of processing payments with Stripe Payments Europe Ltd. and only to the extent necessary. You can view the privacy policy of Shopify Payments at: https://www.shopify.com/legal/privacy
For more information about the privacy policy of Stripe Payments Europe Ltd. see: https://stripe.com/en-de/privacy

10) Functionalities of the website

10.1 Use of Vimeo videos
Plugins of the video portal Vimeo of Vimeo, LLC, 555 West 18th Street, New York, New York 10011, USA are embedded on our website. When you call up a page of our website that contains such a plugin, your browser establishes a direct connection to the Vimeo servers. The content of the plugin is transmitted by Vimeo directly to your browser and integrated into the page. Through this integration, Vimeo receives the information that your browser has accessed the corresponding page of our website, even if you do not have a Vimeo account or are not currently logged in to Vimeo. This information (including your IP address) is transmitted by your browser directly to a Vimeo server in the USA and stored there.
If you are logged in to Vimeo, Vimeo can immediately assign your visit to our website to your Vimeo account. If you interact with the plugins (e.g., If you interact with the plugins (e.g., press the start button of a video), this information is also transmitted directly to a Vimeo server and stored there.
If you do not want Vimeo to assign the data collected via our website directly to your Vimeo account, you must log out of Vimeo before visiting our website.
The purpose and scope of the data collection and the further processing and use of the data by Vimeo, as well as your rights in this regard and setting options for protecting your privacy, can be found in the data protection information of Vimeo: https://vimeo.com/privacy
With videos from Vimeo that are embedded on our site, the Google Analytics tracking tool of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, is automatically integrated. This is Vimeo's own tracking, to which we have no access and which cannot be influenced by our site. Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there, and may also be transmitted to servers of Google LLC.
The processing described above, in particular the setting of cookies to read out information on the end device used, only takes place if you have given us your express consent to do so in accordance with Art. 6 (1) lit. a GDPR. Without this consent, Vimeo videos will not be used during your visit to the website.
You can revoke your consent at any time with effect for the future. If you wish to exercise your right of revocation, please deactivate this service in the "Cookie Consent Tool" on the website.

On this website we also use the reCAPTCHA function of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). This function is mainly used to distinguish whether an input originates from a natural person or is abused by automatic and automated processing. The service involves the transmission of the IP address and, where applicable, other data required by Google for the reCAPTCHA service to Google. The use of Google reCAPTCHA may also result in the transmission of personal data to the servers of Google LLC. in the USA and is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in determining the individual's willingness to act on the Internet and to prevent abuse and spam.

For more information on Google reCAPTCHA and Google's privacy policy, please visit: https://policies.google.com/privacy?hl=en-GB

11) Tools and miscellaneous

- Lexoffice
We use the cloud-based accounting software of Haufe-Lexware GmbH & Co. KG, Munzinger Straße 9, 79111 Freiburg ("Lexoffice") to process our accounting.
Lexoffice processes incoming and outgoing invoices and, if applicable. also our company's banking transactions, in order to automatically record invoices, match them with business transactions and create the financial accounting from them in a semi-automatic process.
If personal data is also processed in this process, the processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR on the basis of the legitimate interest in the efficient organisation and documentation of our business transactions.
Further information on Lexoffice, the automated processing of data and the data protection declaration can be found at https://www.lexoffice.de/datenschutz/

12) Data subject rights

12.1 The applicable data protection law grants you the following comprehensive data subject rights (rights of access and intervention) against the controller with regard to the processing of your personal data:

- Right of access by the data subject under Art. 15 GDPR: You have the right to obtain the following information: The personal data we process; The purposes of the processing; The categories of personal data processed; The recipients or categories of recipients to whom the personal data have been or will be disclosed; The intended duration of the storage of the personal data or, if this is not possible, the criteria for determining this duration; The existence of the right to obtain from the controller the rectification or erasure of the personal data or the restriction of the processing of the personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; if the personal data have not been collected from the data subject, any available information about their origin; the existence of automated decision-making, including profiling, and, at least in such cases, meaningful information about the underlying logic and the significance and likely consequences of such processing for the data subject; the appropriate safeguards pursuant to Article 46 where personal data are transferred to a third country.

- Right to rectification under Article 16 GDPR: You have the right to obtain from the controller the rectification without undue delay of inaccurate personal data relating to you and/or the right to obtain the completion of any incomplete personal data held by us.

- Right to erasure ("right to be forgotten") pursuant to Art. 17 GDPR: You have the right to request the controller to erase the personal data concerning you if the conditions of Art. 17 (2) GDPR are met. However, this right does not apply to the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims.

- Right to restriction of processing under Art. 18 GDPR: You have the right to request the controller to restrict the processing of your personal data on the following grounds: While the accuracy of the personal data you dispute is being verified. If you object to the erasure of your personal data because of unlawful processing and instead request the restriction of its use. If you need the personal data for the assertion, exercise or defence of legal claims, as soon as we no longer need this data for the purposes of processing. If you have objected to the processing on grounds relating to your personal situation until it has been assessed whether our legitimate grounds override your grounds.

- Right to information pursuant to Art. 19 DSGVO: If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to inform each recipient to whom the personal data have been disclosed of any rectification or erasure of the personal data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed about these recipients.

- Right to data portability pursuant to Art. 20 GDPR: You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format or to request that this data be transferred to another controller, where this is technically feasible.

- Right to withdraw consent given according to Art. 7 (3) GDPR: You have the right to withdraw your consent to the processing of personal data at any time with effect for the future. In the event of revocation, we will immediately delete the data concerned, unless further processing can be based on a legal basis for processing without consent. The revocation of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

- Right of appeal under Article 77 GDPR: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

12.2 RIGHT OF REVIEW

WHEN WE PROCESS YOUR PERSONAL DATA IN THE CONTEXT OF AN INTEREST CONSULTATION BASED ON OUR URGENT LEGAL INTERESTS, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO SUCH PROCESSING WITH EFFECT FOR THE FUTURE BASED ON YOUR PARTICULAR SITUATION.
If you exercise your right to object, we will stop processing the data concerned. However, we reserve the right to continue processing if we can demonstrate compelling legitimate grounds for processing that override your interests, fundamental rights and freedoms, or if the processing is for the purpose of applying, exercising or defending legal rights.

If WE PROCESS YOUR PERSONAL DATA FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA USED FOR DIRECT MARKETING PURPOSES. YOU MAY EXERCISE THE OBJECTION AS DESCRIBED ABOVE.

YOU MAY EXERCISE THE OBJECTION AS DESCRIBED ABOVE.

If YOU EXERCISE YOUR RIGHT TO CONSENT, WE WILL STOP PROCESSING THE DATA CONCERNED FOR DIRECT ADVERTISING PURPOSES.

13) Duration of storage of personal data

The duration of the storage of personal data depends on the respective legal basis, the purpose of the processing and - where relevant - the respective statutory retention period (e.g. retention periods under commercial and tax law).

If the processing of personal data is based on explicit consent pursuant to Art. 6 (1) lit. a GDPR, this data will be stored until the consent is revoked by the data subject.

If there are legal retention periods for data processed in the context of legal or similar obligations on the basis of Art. 6 (1) lit. b GDPR, this data will be routinely deleted after the retention periods have expired if it is no longer required for the performance or initiation of the contract and/or if we have no legitimate interest in continuing to store it.

Where personal data are processed on the basis of Art. 6 (1) lit. f GDPR, these data are stored until the data subject exercises his/her right to object pursuant to Art. 21 (1) GDPR, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves the purpose of asserting, exercising or defending legal claims.

Where personal data are processed for the purposes of direct marketing based on Art. 6 (1) lit. f GDPR, such data shall be stored until the data subject exercises his/her right to object pursuant to Art. 21 (2) GDPR.

Unless otherwise indicated by the information on specific processing situations contained in this statement, stored personal data will be deleted when they are no longer necessary for the purposes for which they were collected or otherwise processed.