Privacy policy

Privacy Policy – Neworn

As of: July 2023

1. General

Neworn GmbH, Spitalgasse 27/13, 1090 Vienna ("Neworn", "we", "us") places great importance on the protection of your personal data. We are therefore committed to complying with data protection regulations, in particular the General Data Protection Regulation ("GDPR"), the Austrian Data Protection Act ("DSG") and the Telecommunications Act ("TKG").

This Privacy Policy informs you about the nature, scope and purposes of the collection and processing of your personal data in connection with visiting and using our website and our app. In addition, we operate an online shop via Shopify, for which separate information applies in the corresponding section of this policy.

Controller details:

Name: Neworn GmbH
Address: Spitalgasse 27/13, 1090 Vienna
Phone number: 0043 664 4846256
E-mail address: info@neworn.com

2. What is personal data?

Personal data is information about individuals (natural persons) whose identity is determined or at least determinable (e.g. name, e-mail address or IP address).

3. What data do we collect from visitors and users of our website?

Contact

If you contact us via the contact details provided above or via our contact form on the website https://neworn.com, we process your personal data (name, e-mail address or phone number and your enquiry) for the purpose of handling and responding to your request. The legal basis is the fulfilment of our (pre-)contractual obligations pursuant to Art. 6(1)(b) GDPR or our legitimate interests pursuant to Art. 6(1)(f) GDPR in promptly handling and responding to any follow-up questions.

Newsletter

If you have subscribed to our newsletter about our services and the offers of our partners, we process your e-mail address and newsletter open rates. A list of our partner companies can be found here: [Link]. Processing is based on your voluntary and explicit consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 174 TKG. You may withdraw your consent at any time with effect for the future (e.g. by e-mail or via the unsubscribe link found in every newsletter).

Social Media

You can interact with us on our social media pages by commenting on, reacting to (e.g. via the "Like" button), sharing or sending our posts to other users. We process your interactions, your username and, where applicable, personal data of invited third parties. This data may also be processed by the platforms in this context. The respective platform and we are joint controllers in this case pursuant to Art. 26 GDPR. Further information on data processing by the platforms can be found at:

• Facebook: https://de-de.facebook.com/privacy/policy/
• Instagram: https://de-de.facebook.com/help/instagram/155833707900388
• Pinterest: https://policy.pinterest.com/de/privacy-policy
• TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/de-DE
• LinkedIn: https://de.linkedin.com/legal/privacy-policy

The data processing serves to answer your questions, to give you the opportunity to express your views and to respond to your opinions and feedback, as well as to promote our offerings. Processing is therefore based on both our and your legitimate interests pursuant to Art. 6(1)(f) GDPR or for the fulfilment of our (pre-)contractual obligations pursuant to Art. 6(1)(b) GDPR.

Usage data

During your visit to our website, we automatically process the following data:

• IP address
• Data about your device
• Referrer URL
• Name and version of your web browser
• Session ID
• Log files
• Date and time of your access to a (sub-)page on our website and data on your interaction with the website (number of visits and time spent)

All of this data is transmitted by your web browser when you access our website. We process this data solely to provide the website, improve our services, for data security purposes and to enhance user-friendliness. These processing activities are based on our legitimate interests pursuant to Art. 6(1)(f) GDPR.

Payment processing

If you make a purchase via our app, payment data is processed by Stripe (Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland). Stripe receives the personal data required for payment processing and processes it in accordance with Stripe's privacy policy: https://stripe.com/de/privacy. The legal basis is the fulfilment of the contract pursuant to Art. 6(1)(b) GDPR.

Cookies

Cookies are small text files stored on the device of a website visitor, provided the visitor's browser settings allow this. Our website uses cookies to store important data in order to provide our services and make usage more convenient.

Legal basis for the use of cookies:

The processing of personal data in connection with the use of cookies and comparable tracking technologies is based on your voluntary consent pursuant to Art. 6(1)(a) GDPR in conjunction with the applicable national implementing provisions of the ePrivacy Directive (2002/58/EC). In Austria, this is in particular § 165(3) TKG. For users in Germany, § 25(1) TTDSG applies.

You may withdraw or adjust your consent at any time with effect for the future — either via the cookie banner on our website or in your app settings, or through the appropriate settings in your browser or device.

(a) Technically necessary cookies: We use technically necessary cookies to display the website and enable its proper use. Data processing is based on our legitimate interests pursuant to Art. 6(1)(f) GDPR in conjunction with § 165(3) TKG.

(b) Preference cookies: Preference cookies allow a website to remember certain information that affects how a website behaves or looks, such as your preferred language. Data processing is based on your voluntary consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 165(3) TKG.

(c) Statistics cookies: We use web analytics services to determine the number of visitors and to observe how visitors behave on our websites. Data processing is based on your voluntary consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 165(3) TKG.

(d) Marketing cookies: We use marketing cookies to follow visitors across websites and to show them relevant advertisements. Data processing is based on your voluntary consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 165(3) TKG.

A complete list of cookies can be found in the cookie banner under "Details". The cookie banner appears automatically the first time you visit our website. You can also access the cookie banner via the "Cookies" menu item in the website footer.

We use the following tools:

Google Tag Manager: We use Google Tag Manager by Google Ireland Limited (Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland) to manage and implement tags on our website via a single interface. Google Tag Manager itself does not store any cookies in your browser.

Google Analytics: Our website uses Google Analytics, a web analytics service by Google Ireland Limited. This includes tracking visited pages, device data, user behaviour and conversion events. Further information: https://policies.google.com/privacy?hl=de and https://support.google.com/analytics/answer/6004245?hl=de

Google Ads: We use Google Ads conversion tracking as well as the retargeting function and the customer matching feature "Customer Match" to display personalised advertising within the Google advertising network. Further information: https://policies.google.com/privacy?hl=de

Google Optimize: We use Google Optimize for website optimisation through statistical evaluation of usage changes. Further information: https://policies.google.com/privacy?hl=de

Meta Ads (incl. Custom Audiences): We use the Meta Pixel by Meta Platforms Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland) for conversion measurement and the "Custom Audiences" feature. The Meta advertising network consists of Facebook, Instagram, WhatsApp and the Meta Audience Network. Further information: https://www.facebook.com/privacy/policy

Microsoft Advertising: We use website conversion tracking via "Universal Event Tracking" (UET) by Microsoft Ireland Operations Limited (One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland). Further information: https://privacy.microsoft.com/privacystatement

Hotjar: We use Hotjar by Hotjar Limited (Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta) for statistical analysis of user behaviour via heatmaps and session recordings. Further information: https://www.hotjar.com/legal/policies/privacy/

Cookiebot: We use Cookiebot by Cybot A/S (Havnegade 39, 1058 Copenhagen, Denmark) as a consent management platform to obtain and store your data protection consent. Further information: https://www.cookiebot.com/de/privacy-policy/

Hubspot: We use the services of Hubspot (2nd Floor 30 North Wall Quay, Dublin 1, Ireland) to record visitor behaviour for statistical purposes. Further information: https://legal.hubspot.com/privacy-policy

Gleap: We use Gleap as a sub-processor for our help centre. Gleap processes personal data exclusively on our behalf and on the basis of a Data Processing Agreement (DPA). Further information: https://www.gleap.io/privacy-policy

PostHog: We use PostHog by PostHog Inc. (2261 Market Street #4008, San Francisco, CA 94114, USA) for statistical analysis of visitor behaviour on our website. Further information: https://posthog.com/docs/privacy

Adjust: We use Adjust by Adjust GmbH (Saarbrücker Straße 37A, 10405 Berlin, Germany) to analyse user behaviour in our app and to optimise our advertising measures. Further information: https://www.adjust.com/terms/privacy-policy/

Applications

We are always looking for highly motivated people who are passionate about sustainability. If you apply for open positions with us, we process the applicant data you provide (e.g. name, address, e-mail address, phone number, date of birth and data from your CV) as well as our correspondence with you. We process this data to handle your application and for personnel selection. The legal basis is Art. 6(1)(b) GDPR.

4. What data do we collect from visitors and users of our app?

Registration and account

When you register to use the app, we process your name and username, your phone number, e-mail address, postcode and, where applicable, your gender. Via the "Add Children" filter function, you can add your child — in this case, we process the name, date of birth and, where applicable, the gender of your child exclusively to filter search results according to your preferences. Information about your child is voluntary, but required if you wish to use the filter function.

If you provide data about your child, please ensure that you are authorised to do so as a parent or legal guardian. For the processing of personal data of children under the age of 16, German law pursuant to Art. 8 GDPR requires the consent of a parent or legal guardian where processing is based on consent.

We also process data on products you have listed or purchased, products you have marked as "Favourites" and users you follow in the app. The legal basis is Art. 6(1)(b) GDPR.

If you have given your consent, we may send you surveys in the form of in-app notifications about our services. Data processing is based solely on your explicit and voluntary consent pursuant to Art. 6(1)(a) GDPR.

Usage data

While you use our app, we collect the following personal data: IP address of your device, language, operating system, screen resolution and data on usage behaviour. Data processing is based on our and your legitimate interests pursuant to Art. 6(1)(f) GDPR.

Customer service / Help centre

If you contact our help centre, we process your contact details as well as the content of your messages and communications. The legal basis is the fulfilment of our (pre-)contractual obligations pursuant to Art. 6(1)(b) GDPR or our legitimate interests pursuant to Art. 6(1)(f) GDPR.

5. Shopify Shop

New by Neworn additionally operates an online shop based on Shopify (Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland). In this section, we inform you about the specific data processing in connection with the shop.

What data do we collect in the shop?

In the course of your use of the shop, we may collect or process the following categories of personal data:

• Contact data: name, postal address, billing address, delivery address, phone number, e-mail address
• Financial data: credit and debit card data, payment card information, transaction details, payment confirmation
• Account information: username, password, security questions, settings
• Transaction information: items viewed, added to cart, purchased, returned or cancelled, as well as past transactions
• Communications with us: content of customer support requests
• Device information: device, browser, network connection, IP address, unique identifiers
• Usage information: interactions with the shop, time and type of use

Sources of data

We collect your data directly from you (e.g. when creating an account or placing an order), automatically via the shop (e.g. through cookies and similar technologies), from our service providers and from our partners and other third parties.

Purposes of processing in the shop

We use your personal data in the context of the shop for the following purposes:

• Provision and improvement of the shop: contract fulfilment, payment processing, order fulfilment, shipping, returns and exchanges, creation and management of your account, personalised product recommendations
• Marketing and advertising: sending marketing and promotional communications by e-mail, SMS or post, and displaying personalised advertising, including based on previous purchases or shopping cart activity
• Security and fraud prevention: authentication, protection against fraudulent or abusive activities
• Communication: customer support, responding to enquiries, maintaining the business relationship
• Legal reasons: compliance with applicable law, responding to regulatory requests, enforcement of our terms and policies

Relationship with Shopify

The shop services are hosted by Shopify. Shopify collects and processes personal data about your access to and use of the shop in order to provide and improve the services. Data you submit to the shop is shared with Shopify and with third parties who may be located in countries other than your country of residence.

For certain advanced Shopify features, Shopify may use personal data collected through your interactions with our shop, other merchants and Shopify. In these cases, Shopify is responsible for the processing of your personal data, including responding to your requests to exercise your rights. Further information can be found in the Shopify Consumer Privacy Policy and the Shopify Privacy Portal at https://privacy.shopify.com/en.

Payment processing

Payment processing in the shop is handled via Shopify Payments. Shopify is responsible for processing the payment data involved. Further information can be found in the Shopify Consumer Privacy Policy at https://privacy.shopify.com/en.

6. Recipients of personal data

We treat your personal data confidentially and deliberately keep the circle of recipients small.

To operate our website, app and shop, we engage IT service providers who may also have access to personal data in order to provide the contracted services. These processors process your data only on our behalf and in accordance with our instructions.

In addition, we transfer your personal data on a case-by-case basis and to the extent necessary to:

• external third parties based on our legitimate interests (e.g. auditors, debt collection agencies, legal representatives)
• authorities and other public bodies to the extent required by law (e.g. tax authorities, data protection authority)
• business and marketing partners who provide marketing services for you and display advertising to you
• affiliated companies within our corporate group
• third parties in connection with a corporate transaction (e.g. merger or insolvency)

Your personal data will not be passed on to any other third parties for their own purposes without your consent.

If personal data is transferred to recipients in third countries outside the EU and no adequacy decision by the EU Commission pursuant to Art. 45 GDPR exists for the country in question, the transfer is subject to appropriate safeguards pursuant to Art. 46 GDPR (e.g. standard contractual clauses) or, where applicable, your consent for specific purposes.

7. Retention periods

We generally store your personal data only for as long as we need it to fulfil the stated purposes. The following retention periods apply:

• Contact enquiries: six months to enable responses to follow-up questions; longer storage in the case of a subsequent business relationship or statutory retention obligation
• Newsletter data: until withdrawal of your consent, for a maximum of three years from the last point of contact
• Usage data (website and app): generally one year
• Account and registration data: for as long as you have an active account or until you request deletion
• Cookies: session cookies are automatically deleted when you leave the website; persistent cookies until the specified expiry date or until manually deleted by you
• Applicant data: six months after the conclusion of an unsuccessful application process; with your consent up to three years; in the event of employment, until termination of the employment relationship and beyond within the framework of statutory retention periods

8. Data security

We comply with the provisions of Art. 32 GDPR and implement appropriate technical and organisational security measures to ensure the confidentiality and security of your personal data. Please note that no security measures are perfect or impenetrable, and information you send to us may also be exposed to risks during transmission. We recommend that you do not use unsecured channels when transmitting sensitive or confidential information.

9. Third-party websites and links

Our website and shop may contain links to third-party websites or online platforms. If you follow such links, you should review their privacy and security policies as well as other terms and conditions. We provide no guarantee and accept no responsibility for the privacy or security of such websites, including the accuracy, completeness or reliability of the information contained therein.

10. Children's data

Our services are not intended for use by children, and we do not knowingly collect personal data from children who have not yet reached the age of majority in their country. If you are the parent or guardian of a child who has provided us with their personal data, you may contact us using the contact details below to request deletion of that data.

11. Your rights (data subject rights)

You have the following rights with regard to your personal data:

• Right of access: You have the right to request access to the personal data we hold about you.
• Right to rectification: You have the right to request the correction of inaccurate personal data.
• Right to erasure ("right to be forgotten"): You have the right to request the deletion of your personal data.
• Right to data portability: You have the right to receive a copy of your data in a structured, commonly used and machine-readable format.
• Right to restriction of processing: You have the right, under certain conditions, to request the restriction of the processing of your data.
• Right to object: You have the right to object to the processing of your data at any time where there are grounds arising from your particular situation.
• Withdrawal of consent: Where we rely on your consent for processing, you have the right to withdraw it at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
• Managing communication preferences: You may object to receiving promotional e-mails at any time by using the unsubscribe link in our e-mails.

These rights are not absolute and may only apply in certain circumstances. We may refuse your request to the extent permitted by law and may need to verify your identity before processing your request. You may, in accordance with applicable law, designate an authorised agent to submit requests on your behalf.

Further information on how Shopify uses your personal data and what rights you have can be found at https://privacy.shopify.com/en.

12. Complaints

If you have complaints about how we process your personal data, please contact us using the contact details provided below.

You also have the right to lodge a complaint with the competent supervisory authority.

In Austria, this is:

Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna
E-mail: dsb@dsb.gv.at

If you are resident in Germany, you may also contact the competent German state data protection authority. A current overview can be found at:
https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

For the European Economic Area, a list of competent data protection supervisory authorities is available at:
https://edpb.europa.eu/about-edpb/about-edpb/members_de

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal or regulatory reasons. We will publish the revised Privacy Policy on our website and update the date accordingly. We recommend checking the current version regularly.

14. Contact

If you have any questions about our data protection practices or this Privacy Policy, or if you wish to exercise any of your rights, please contact us:

Neworn GmbH
Spitalgasse 27/13, 1090 Vienna, Austria
Phone: 0043 664 4846256
E-mail: info@neworn.com

For the purposes of applicable data protection laws, we are the data controller for your personal data.