Data protection

Data Protection

Data Protection

At Adrianna Lushezy Cosmetics and Permanent Make-Up Beauty Salon, we place special emphasis on the protection of your personal data. For this reason, we process your data confidentially and in accordance with legal regulations (GDPR, TKG 2003). In this context, the processing of your data is lawful in accordance with the provisions of Article 6 GDPR. Subsequently, we will inform you about the most important aspects of data processing within the framework of our website.

Introduction and Overview

We have drafted this privacy statement (version 27.02.2024-112736201) to explain to you, in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, which personal data (short data) we, as the controller – and the processors (e.g., providers) we have appointed – process, will process in the future, and which legal options you have. The terms used are to be understood as gender-neutral. In short: We provide comprehensive information about the data we process about you. Privacy statements usually sound very technical and use legal jargon. However, this privacy policy aims to describe the most important things as simply and transparently as possible. To enhance transparency, technical terms are explained in a reader-friendly manner, links to further information are provided, and graphics are used. We thereby inform you in clear and simple language that we only process personal data as part of our business activities when there is a corresponding legal basis. This would not be possible if we were to provide overly brief, unclear, and legal-technical explanations, as is often standard on the internet when it comes to data protection. We hope you find the following explanations interesting and informative, and perhaps there is some information you were not previously aware of. If you still have questions, we ask you to contact the responsible entity mentioned below or in the imprint, follow the available links, and view further information on third-party sites. Our contact information can, of course, also be found in the imprint.

General Notes

The following notes provide you with an overview of what happens to your personal data when you visit our website. All terms used in this statement are understood in the sense of Article 4 GDPR. According to Art 4 (1) GDPR, “personal data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. “Processing” in the sense of Art 4 (2) GDPR means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Security

We also implement technical and organizational security measures to protect personal data that is generated or collected, especially against accidental or deliberate manipulation, loss, destruction, or access by unauthorized persons. Our security measures are continuously improved in line with technological development.

“Restriction of processing” in the sense of Article 4 (3) GDPR means the marking of stored personal data with the aim of limiting their processing in the future; Your data is processed on our websites exclusively on the basis of legal regulations (GDPR, TKG 2003). Accordingly, you have the right at any time to obtain information about your stored personal data. In addition, you have the rights to deletion, restriction, data portability, correction, revocation, and objection. In the event that you believe the processing of your data violates data protection laws or your data protection rights have otherwise been infringed, you have the option to file a complaint with the supervisory authority. In Austria, this is the Data Protection Authority.

Name and Address of the Data Controller and Service Provider

The responsible entity for data processing on this website is: Adrianna Lushezy Cosmetics and Permanent Make-Up Beauty Salon www.kosmetiksalon-lushezy.at www.academyal.com

Schulgasse 5, 1180 Vienna, Austria

Phone: +43699 18883377

For questions or comments about this privacy policy or about data protection in general, please contact the following email address:

office@permanent-lushezy.at adrianalushezy@gmail.com

You can contact our data protection officer as follows:

office@permanent-lushezy.at

Contacting Us

If you contact us via email, telephone, fax, Facebook, Instagram, or in any other way, all personal data arising from this (name, telephone number, address, email address) will be stored and processed by us for the purpose of processing your inquiry. We do not pass on this data without your consent.

Contact Form/Online Booking

If you use the contact form/online booking on our website, the data provided about you from this form will be stored for the purpose of processing the request. We do not pass on this data without your consent.

Informational Use

For merely informational use of our website, it is generally not necessary for you to provide personal data. Rather, in this case, we only collect and use those of your data that your internet browser automatically transmits to us, such as:

• Date and time of retrieval of one of our web pages
• Your browser type
• The browser settings
• The operating system used
• The page you last visited
• The amount of data transferred and the access status (file transferred, file not found, etc.) and
• Your IP address. This data is collected and used exclusively in a non-personal form for an informational visit. This is done to enable the use of the web pages you have retrieved at all and to check if our web pages are displayed optimally for you. We only use the IP address for the duration of your visit and store the data for logging purposes exclusively in an anonymized form by shortening the IP address so that an assignment is no longer possible. The processing is carried out on the legal basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR (balancing of interests) and in our interest to display our website reliably and as smoothly as possible.

Using the Contact Form

If you wish to contact us via the contact form provided on our website, we collect the following data from you: salutation, name, email address, your message to us.

We use this data to respond to your inquiry. If your inquiry relates to an existing contractual relationship with you or you are interested in concluding a contract, for example, purchasing one of our products, the data processing is based on the legal basis of Art. 6 Para. 1 Sentence 1 lit. b) GDPR (contract initiation and fulfillment). Otherwise, data processing is based on the legal basis of Art. 6 Para. 1 Sentence 1 lit. f) GDPR (balancing of interests) and in our interest to be able to respond to your inquiry with the relevant information for you.

Storage Duration

As a general criterion, we only store personal data for as long as is absolutely necessary for the provision of our services and products. This means that we delete personal data as soon as the reason for data processing no longer exists. In some cases, we are legally obliged to store certain data even after the original purpose has ceased, for example, for accounting purposes. If you wish the deletion of your data or revoke the consent to data processing, the data will be deleted as quickly as possible and as far as there is no obligation to store it. We provide further information about the specific duration of the respective data processing below if we have more information about it. Scope This privacy policy applies to all personal data processed by us in the company and to all personal data processed by companies commissioned by us (processors). By “information” in the sense of Art. 4 No. 1 GDPR, we mean data such as the name, email address, and postal address of a person. The processing of personal data enables us to offer and bill for our services and products, whether online or offline. The scope of this privacy policy includes: all online presences (websites, online shops) that we operate, social media presences, and email communication, as well as mobile apps for smartphones and other devices. In short: The privacy policy applies to all areas where personal data is processed in the company via the mentioned channels in a structured manner. Should we enter into legal relations with you outside these channels, we will inform you separately if necessary.

Data Transfer to Third Countries

We only transfer or process data in countries outside the scope of the GDPR (third countries) if you have consented to this processing or if there is another legal permission. This particularly applies if the processing is legally required or necessary for the fulfillment of a contractual relationship and in every case only as far as this is generally allowed. Your consent is most often the crucial reason that we process data in third countries. The processing of personal data in third countries like the USA, where many software manufacturers offer services and have their server locations, may mean that personal data is processed and stored in unexpected ways.

We explicitly point out that, according to the European Court of Justice, an adequate level of data protection for data transfer to the USA currently exists only if a US company processing personal data of EU citizens in the USA is an active participant of the EU-US Data Privacy Framework. More information can be found at:

https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

The data processing by US services that are not active participants of the EU-US Data Privacy Framework could result in data being processed and stored in a non-anonymized manner. Furthermore, US governmental authorities may have access to individual data. It is also possible that collected data may be linked with data from other services of the same provider, if you have a corresponding user account. Whenever possible, we try to use server locations within the EU, if offered. We will provide more precise information about data transfer to third countries in this privacy policy, where applicable.

Security of Data Processing To protect personal data

We have implemented both technical and organizational measures. Where possible, we encrypt or pseudonymize personal data. This makes it as difficult as possible for third parties to deduce personal information from our data.

Art. 25 GDPR refers to “data protection through technology design and through data protection-friendly default settings”, meaning that one should always consider security when using software (e.g., forms) as well as hardware (e.g., access to the server room) and set appropriate measures. We will discuss specific measures in more detail if necessary.

Communication Summary

Affected individuals: Everyone who communicates with us by phone, email, or online form Processed data: e.g., phone number, name, email address, data entered in forms. More details can be found under the respective contact method used Purpose: Handling communication with customers, business partners, etc. Storage duration: Duration of the business case and legal requirements Legal basis: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. b GDPR (contract), Art. 6 para. 1 lit. f GDPR (legitimate interests)

When you contact us and communicate via phone, email, or online form, personal data may be processed. The data is processed for handling and processing your question and the related business transaction. The data is stored for as long as the law prescribes.

Affected Persons – All individuals seeking contact with us through the communication channels we provide are affected.

Phone – When you call us, call data is pseudonymized and stored on the respective device and by the telecommunications provider used. Additionally, data such as name and phone number may be sent by email afterward and stored for query response. The data is deleted as soon as the business case has ended and legal requirements allow.

Email – When you communicate with us via email, data may be stored on the respective device (computer, laptop, smartphone,…) and data may be stored on the email server. The data is deleted as soon as the business case has ended and legal requirements allow.

Online Forms – When you communicate with us using an online form, data is stored on our web server and may be forwarded to one of our email addresses. The data is deleted as soon as the business case has ended and legal requirements allow.

Legal Basis

The data processing is based on the following legal bases: Art. 6 Para. 1 lit. a GDPR (Consent): You give us consent to store your data and to use it further for purposes related to the business case; Art. 6 Para. 1 lit. b GDPR (Contract): There is a necessity for the fulfillment of a contract with you or a processor, such as the telephone provider, or we need to process the data for pre-contractual activities, such as the preparation of an offer; Art. 6 Para. 1 lit. f GDPR (Legitimate Interests): We aim to conduct customer inquiries and business communication within a professional framework. For this, certain technical facilities such as email programs, Exchange servers, and mobile network operators are necessary to be able to operate communication efficiently.

Explanation of Terms Used

We always strive to make our privacy policy as clear and understandable as possible. Especially with technical and legal topics, this is not always completely straightforward. It often makes sense to use legal terms (such as personal data) or specific technical expressions (such as cookies, IP address). However, we do not want to use these without explanation. Below you will find an alphabetical list of important terms used, which we may not have adequately explained in the previous privacy policy. If these terms were taken from the GDPR and are definitions of terms, we will also cite the GDPR texts here and add our explanations where necessary. Supervisory Authority Definition according to Article 4 of the GDPR For the purposes of this Regulation, the term: “supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 51; Explanation: “Supervisory authorities” are always state, independent institutions that are also authoritative in certain cases. They serve to carry out so-called state supervision and are located in ministries, special departments, or other authorities. For data protection in Austria, there is an Austrian Data Protection Authority, and in Germany, there is a separate data protection authority for each federal state.

Processor Definition according to Article 4 of the GDPR For the purposes of this Regulation, the term: “processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller; Explanation: As a company and website owner, we are responsible for all data that we process from you. In addition to the controller, there can also be so-called processors. This includes any company or person that processes personal data on our behalf. Processors can therefore include service providers such as tax advisors, as well as hosting or cloud providers, payment or newsletter providers, or large companies such as Google or Microsoft. Concerned Supervisory Authority Definition according to Article 4 of the GDPR For the purposes of this Regulation, the term: “concerned supervisory authority” means a supervisory authority which is concerned by the processing of personal data because a) the controller or the processor is established on the territory of the Member State of that supervisory authority, b) processing has or may have significant effects on data subjects residing in the Member State of that supervisory authority, or c) a complaint has been lodged with that supervisory authority; Explanation: In Germany, each federal state has its own supervisory authority for data protection. So, if your company’s headquarters (main establishment) is located in Germany, the respective state’s supervisory authority is your primary contact. In Austria, there is only one supervisory authority for data protection for the entire country.

Biometric Data

Definition according to Article 4 of the GDPR For the purposes of this Regulation, the term: “biometric data” refers to personal data obtained through specific technical processes related to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data; Explanation: Biometric data describe biological characteristics that can be used to obtain personal data through technical processes. This includes DNA, fingerprints, the geometry of various body parts, height, as well as handwriting or the sound of a voice.

Filing System

Definition according to Article 4 of the GDPR For the purposes of this Regulation, the term: “filing system” means any structured set of personal data accessible according to specific criteria, regardless of whether this collection is centralized, decentralized, or organized on a functional or geographical basis; Explanation: Any organized storage of data on a data storage device of a computer is referred to as a “filing system”. If we store your name and email address on a server for our newsletter, then these data are in a so-called “filing system”. The most important tasks of a “filing system” include the rapid searching and finding of specific data and, of course, the secure storage of data.

Information Society Service

Definition according to Article 4 of the GDPR For the purposes of this Regulation, the term: “information society service” refers to a service as defined in Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council(19); Explanation: The term “information society” generally denotes a society that relies on information and communication technologies. Specifically, as a website visitor, you are familiar with various types of online services, and most online services are considered “information society services”. A classic example of this is online transactions, such as purchasing goods over the internet.

Third Party

Definition according to Article 4 of the GDPR For the purposes of this Regulation, the term: “third party” means a natural or legal person, public authority, agency, or other body, other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or the processor, are authorized to process personal data; Explanation: The GDPR essentially defines what a “third party” is not. In practice, any “third party” who has an interest in the personal data but does not belong to the aforementioned persons, authorities, or entities. For example, a parent company can act as a “third party”. In this case, the subsidiary is the controller, and the parent company is the “third party”. However, this does not mean that the parent company can automatically view, collect, or store the personal data of the subsidiary.

Consent

Definition according to Article 4 of the GDPR For the purposes of this Regulation, the term: “consent” of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; Explanation: On websites, such consent is usually obtained through a cookie consent tool. You’re probably familiar with this. Whenever you visit a website for the first time, you are usually asked via a banner if you consent to data processing. You can often make individual settings, thus deciding for yourself which data processing you allow and which you do not. If you do not consent, no personal data about you can be processed. Consent can, of course, also be given in writing, not just through a tool.

Recipient

Definition according to Article 4 of the GDPR: In the context of this regulation, the term “recipient” refers to a natural or legal person, authority, institution, or another body to which personal data are disclosed, regardless of whether it is a third party or not. Authorities that may receive personal data as part of a specific investigation order under Union law or the law of the Member States are not considered recipients; the processing of these data by the said authorities is carried out in accordance with the applicable data protection regulations according to the purposes of the processing; Explanation: Every person and company that receives personal data is considered a recipient. Thus, we and our processors are also considered recipients. Only authorities that have an investigation order are not considered recipients.

Genetic Data

Definition according to Article 4 of the GDPR: In the context of this regulation, the term “genetic data” refers to personal data about the inherited or acquired genetic characteristics of a natural person, which provide unique information about the physiology or health of that natural person and are particularly obtained from the analysis of a biological sample from the concerned natural person; Explanation: With some effort, individuals can be identified through genetic data. Therefore, genetic data also fall into the category of personal data. Genetic data can be obtained, for example, from blood or saliva samples.

Health Data

Definition according to Article 4 of the GDPR: In the context of this regulation, the term “health data” refers to personal data related to the physical or mental health of a natural person, including the provision of health services, from which information about their health status can be derived; Explanation: Health data thus include all stored information concerning your own health. Often these are data that are also noted in a patient’s file. For example, these may include what medications you use, X-ray images, your entire medical history, or usually also your vaccination status.

Pseudonymization

Definition according to Article 4 of the GDPR: In the context of this regulation, the term “pseudonymization” refers to the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not assigned to an identified or identifiable natural person; Explanation: Our privacy policy often mentions pseudonymized data. Through pseudonymization, you as a person can no longer be identified unless additional information is added. However, pseudonymization should not be confused with anonymization. With anonymization, any reference to a person is removed, so that it can only be reconstructed with a disproportionately large technical effort.

Company

Definition according to Article 4 of the GDPR Use of Cookies

Use of Cookies

Our site uses so-called “cookies.”

“Cookies” are small text files that are stored on your device by your browser. They do not cause any damage. Some cookies will remain stored on your device until you delete them. This allows us to recognize your browser on your next visit to our website. If you do not wish this, you have the option to set up your browser to inform you about the presence of cookies and to request your permission on a case-by-case basis. However, we would like to point out that disabling cookies may impair the functionality of our website. Google Analytics

This website uses Google Analytics a web analytics service provided by Google. Cookies are used, which enable an analysis of the use of the website by its users. The data collected in this way is transferred to the provider’s server, in this case, Google, and stored there. Google will also transfer this information to third parties if required by law. You can prevent this by setting up your browser accordingly. Then you will be informed about the presence of cookies in each individual case and your permission will be requested for each case. However, this may impair the functionality of our websites. For more information on Google’s use of cookies, visit https://policies.google.com/technologies/cookies?hl=en You can also prevent this by downloading and installing the appropriate browser plugin. The link for the browser plugin can be found here: https://tools.google.com/dlpage/gaoptout?hl=en

Social Media – YouTube, Instagram, Facebook, TikTok…

To enhance our offerings and provide our customers with the opportunity to connect with us more easily, we also use plugins from various social networks (Facebook, Instagram). By using the relevant plugins, you will automatically be directed to the page of the respective social network. Social networks are online platforms where friends, acquaintances, or strangers with similar interests meet and connect digitally. The relationships formed are utilized by community members to exchange personal data and information, engage in discussions, or share other content with the community. Social networks usually operate through a platform where users sign up and create their unique profiles.

If the person concerned is logged into Facebook or Instagram at the same time, Facebook/Instagram recognizes with each use of our website by the person and throughout the duration of their visit to our website, what specifically they have used on our website and which subpages they have also used. This information is collected by Facebook and assigned to the respective Facebook account of the person concerned. If the person concerned uses one of the Facebook buttons integrated on our website or leaves a comment, Facebook assigns this information to the personal Facebook user account of the person concerned and stores this personal data.

Facebook

As mentioned, our website also integrates components of Facebook. Facebook is a social network. Social networks or social platforms are virtual communities where people from all over the world can meet and exchange information about hobbies, common interests, and much more.

If you use Facebook to contact us, you will automatically be redirected to the Facebook platform. Facebook uses cookies for web analytics. The data collected in this manner are stored on Facebook’s servers. They will also transfer this data to third parties, as far as this is legally permitted.

For more detailed information on the use of cookies by Facebook, visit https://www.facebook.com/policy/cookies/ You can prevent this by setting your browser to inform you about the existence of cookies and to request your permission on a case-by-case basis. In this case, there is a possibility that the functionality of our websites may be impaired.

Instagram

Our website also integrates components of Instagram. Instagram is a social network. Social networks or social platforms are virtual communities where people from all over the world can meet and exchange information about hobbies, common interests, and much more.

If you use Instagram to contact us, you will automatically be redirected to the Instagram platform. Instagram uses cookies for the purpose of web analysis. The data collected in this way are stored on Instagram’s servers. They will also transfer this data to third parties, as far as this is legally permitted.

For more detailed information on the use of Instagram cookies, visit https://help.instagram.com/1896641480634370. You can prevent this by configuring your browser to inform you about the existence of cookies and to request your permission on a case-by-case basis. In this case, there is a possibility that the functionality of our websites may be impaired.

Your Rights

To protect your personal data, the GDPR provides you with the following tools:

• According to Article 15 GDPR, you have the right to access information about the processing of your data.
• You also have the right, according to Article 16 GDPR, to request the correction of inaccurate personal data.
• You have the right to deletion of your stored personal data under the conditions of Article 17 GDPR.
• Article 18 GDPR grants you the right to request a restriction of processing under the conditions specified in the law. Furthermore, every person has the right to object to the processing of their personal data according to Article 21 GDPR.
• You also have the option to transfer your stored data in a suitable format to other parties yourself – the right to data portability according to Article 20 GDPR.
• Often, your consent is required for the processing of your data. You also have the right to withdraw any consent given at any time. This can be done via an informal email to us.

In the event that you believe that the processing of your data violates data protection laws or your data protection rights have otherwise been infringed, you have the option to lodge a complaint with the supervisory authority. In Austria, this is the Data Protection Authority.

Wherever the legal requirements are met, you have the following rights:

• You have the right to request confirmation from us as to whether personal data concerning you are being processed; if this is the case, you have a right to information about these personal data and the detailed information listed in Article 15 of the GDPR.
• You have the right to request us to correct any inaccurate personal data concerning you without undue delay and, where applicable, to have incomplete personal data completed (Article 16 GDPR).
• You have the right to request that personal data concerning you be deleted without undue delay if one of the reasons listed in detail in Article 17 GDPR applies, for example, if the data are no longer needed for the purposes pursued (Right to Erasure).
• You have the right to request a restriction of processing from us if one of the conditions listed in Article 18 GDPR is met, for example, if you have objected to processing, pending the verification by us.
• You have the right to object at any time to the processing of personal data concerning you for the purposes of direct marketing. For processing based on Article 6(1)(e) or (f) of the GDPR, you also have the right to object at any time for reasons arising from your particular situation (Article 21 GDPR). An additional note on the right to object can be found at the end of this privacy policy.
• You have the right to revoke any consent given to us at any time with effect for the future (Right to Withdraw Consent).
• You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format. You also have the right to transmit those data to another controller or have the data transmitted directly from us to another controller (Right to Data Portability).

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of personal data relating to you infringes the GDPR (Article 77 GDPR). A list of German data protection supervisory authorities and their contact addresses can be found at:

https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

Legal Bases In the following privacy policy, we provide you with transparent information about the legal principles and regulations, i.e., the legal bases of the General Data Protection Regulation, that enable us to process personal data. Regarding EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016. This EU General Data Protection Regulation can naturally be read online at EUR-Lex, the access to EU law, at https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32016R0679

Use of Google Analytics

It is important to us to design our websites as optimally as possible and thus make them attractive to our visitors. For this reason, it’s necessary for us to know how different parts of our site are received by our visitors. This website uses Google Analytics, a web analysis service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

Google Analytics also uses cookies, which are text files placed on your computer, to help analyze how users use the website. The information generated by the cookie about your use of the website is generally transmitted to and stored by Google on servers in the United States.

On our website, IP anonymization has been activated so that your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases is the full IP address sent to a Google server in the USA and shortened there.

On our behalf, Google will use this information to evaluate your use of the website, to compile reports on website activity, and to provide other services related to website and internet usage to us as the website operator. The IP address transmitted by your browser as part of Google Analytics is not combined with other data by Google.

The storage of Google Analytics cookies and thus tracking of your usage behavior occurs only if you have previously consented to this tracking.

You can also prevent the storage of cookies by selecting the appropriate settings on your browser software; however, please note that if you do this, you may not be able to use all the features of this website to their full extent.

Furthermore, you can prevent Google from collecting the data generated by the cookie and related to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en.

You can find Google’s privacy policy here: https://www.google.com/policies/privacy/partners/?hl=en.

The processing of your data via Google Analytics is based on the legal foundation of Article 6(1) sentence 1 lit. a) GDPR in conjunction with the consent you have given.