Data protection

Last updated: January 21, 2025

Welcome to our CarvaStone website. We would like to inform you about the legal regulations regarding the protection of personal data and data security. This will ensure that you are aware of which data from your visit is used for what purposes. Please note that this privacy policy is updated regularly.

contact person

Nicole Schäfer – Carva Stone

Römerstraße 102

78054 Villingen-Schwenningen

Email: carvastone@gmail.com

Data Protection Officer

Nicole Schäfer

Metzstrasse 23, 70190 Stuttgart

support@carvastone.de

+49 17676087407

Changes and revocation of this privacy policy

We may update this Privacy Policy from time to time, including to reflect changes to our practices or for other operational, legal, or regulatory reasons. We will post the revised Privacy Policy on the Site, update the "Last Updated" date, and take any other steps required by law.

According to Art. 7 (3) GDPR, you have the right to revoke your consent at any time. The legality of the processing carried out on the basis of your consent up to the time of revocation will not be affected by your revocation of consent.

Acceptance of the privacy policy

By using our services and accepting this privacy policy, you expressly consent to us processing the personal data listed below for the purposes described. This consent is in accordance with Art. 6 (1) (a) GDPR and can be revoked at any time.

• Contact details (full name, address, telephone number and email address)
• Order information (full name, billing address, shipping address, payment information, email address and phone number)
• Account information – including your username, password, security questions, and other information used for account security.
• Customer support information (including information you include in your communications with us, for example, when you send a message through the Services)

You may be required to provide certain information about yourself directly to us in order to view all offers. Failure to provide this information may prevent you from using or accessing these features.

Personal data

The term "personal data" refers to all identifiable or identified information relating to a natural person. This includes, for example, a natural person's full name, address, or date of birth. (Section 46 of the Federal Data Protection Act)

The personal data serves as a source of information to communicate with you, to fulfill all legal obligations, to carry out our operational purposes, such as product improvements and offers, and to protect or defend the rights of us and the consumer.

Processing of personal data

The processing of personal data is only lawful under the conditions of Art. 6 GDPR and applies:

• Providing products and services. We use your personal information to provide you with the Services and fulfill our contract with you, including processing your payments, fulfilling your orders, sending you notifications related to your account, purchases, returns, exchanges, or other transactions, creating, maintaining, and otherwise managing your account, arranging for shipping, facilitating returns and exchanges, and other features and functionality related to your account.

We may also enhance your shopping experience by enabling Shopify to match your account with other Shopify services you may choose to use. In this case, Shopify will process your information in accordance with its Privacy Policy and Consumer Privacy Policy.

• Marketing and advertising. We may use your personal information for marketing and advertising purposes. This may include using your personal information to customize the services and advertising on our website and to better serve other websites.
• Security and fraud prevention. We use your personal data to detect, investigate, or take action regarding potential fraudulent, illegal, or malicious activities. If you choose to use the Services and register an account, you are responsible for maintaining the security of your account credentials. We strongly recommend that you do not share your username, password, or other access credentials with anyone. If you believe your account has been compromised, please contact us immediately. If you are located in the EEA, the legal basis for these data processing activities is our legitimate interest in ensuring the security of our website for you and other customers, pursuant to Art. 6 (1) (f) GDPR.
• Communicating with you and improving our services. We use your personal data to provide you with customer support and improve our services. This is in our legitimate interest to respond to you, provide you with effective services, and maintain our business relationship with you. This includes handling complaints and guarantees that may arise after the purchase of a product.

Use of our website

When using our website, no personal data is required from you. Through analysis and tracking tools, we receive technical information for statistical evaluations, such as the length of time you spend on our website and the operating system you use when you visit our website.

Information we collect about your use

We may also automatically collect certain information about your interaction with the Services (" Usage Data "). We may use cookies, pixels, and similar technologies (" Cookies ") to do this. Usage Data may include information about how you access and use our Site and your account, including device information, browser information, your network connection information, your IP address, and other information about your interaction with the Services.

Use of cookies

Our website uses cookies. Cookies are small text files that store information about the user on the user's computer system. If the website is accessed again, the previously stored information remains. They enable the assignment of a user and help make using the website more pleasant for the user. You can withdraw your consent to cookies at any time by changing your browser settings. If you withdraw your consent, you may not be able to use all functions to their full extent. When you access the website again, an information banner will draw your attention to the use of cookies and refer you to this privacy policy.

For specific information about the cookies we use in connection with the provision of our store through Shopify, please visit https://www.shopify.com/legal/cookies . We use cookies to operate and improve our site and services (including remembering your actions and preferences), to perform analytics, and to better understand user interaction with the services (in our legitimate interests to administer, improve, and optimize the services). We may also allow third parties and service providers to use cookies on our site to better customize the services, products, and advertising on our site and other sites.

Most browsers automatically accept cookies by default. However, you can set your browser to remove or reject cookies using the browser controls. Please note that removing or blocking cookies may impact your user experience and may prevent some of the Services, including certain features and general functionality, from working properly or becoming unavailable. Furthermore, blocking cookies may not completely prevent us from sharing information with third parties, such as our advertising partners.

Disclosure of personal data

Under certain circumstances, we may share your personal information with third parties for the purpose of fulfilling a contract, for legitimate purposes, and for other reasons subject to this Privacy Policy. These circumstances may include:

• with vendors or other third parties who provide services on our behalf (e.g., IT management, payment processing, data analysis, customer support, cloud storage, order fulfillment, and shipping).
• with business and marketing partners to provide you with services and advertise to you. Our business and marketing partners use your information in accordance with their own privacy policies.
• If you instruct, request or otherwise consent to us sharing certain information with third parties, for example to send you products or through your use of social media widgets or login integrations, with your consent.
• with our subsidiaries or elsewhere within our group of companies, in our legitimate interest of running a successful business.
• In connection with a business transaction such as a merger or bankruptcy, to comply with any applicable legal obligations (including responding to subpoenas, search warrants, and similar requests), to enforce any applicable terms of service, and to protect or defend the Services, our rights, and the rights of our users or others.

We disclose We disclose the following categories of personal information and sensitive personal information about users for the purposes set out above in “How we collect and use your personal information” and “How we share personal information” .

category	Categories of recipients
Identifiers such as basic contact details and certain order and account information Commercial information such as order information, purchasing information and customer support information Internet or other similar network activities, such as usage data Geolocation data, e.g. locations determined via an IP address or other technical means	Suppliers and third parties who provide services on our behalf (such as internet service providers, payment processors, fulfillment partners, customer support partners, and data analytics providers) Business and marketing partners Affiliates

We will not use or publish your personal data without your consent or for the purpose of inferring your personal data.

With your consent, we will share personal information for the purpose of conducting promotional and marketing activities as follows.

Involvement of third parties

Finally, we may receive information about you from third parties, including vendors and service providers who collect information on our behalf, such as:

• Companies that support our website and services, such as Shopify.
• Our payment processors, who collect payment information (e.g., bank account, credit or debit card information, billing address) to process your payment, fulfill your orders, and provide you with the products or services you have requested in order to fulfill our contract with you.
• When you visit our website, open or click on emails we send you, or interact with our services or ads, we or third parties we work with may automatically collect certain information using online tracking technologies such as pixels, web beacons, software developer kits, third-party libraries, and cookies.

All information we receive from third parties will be treated in accordance with this Privacy Policy. You will be notified before any personal information is shared with third parties.

Transfer of personal data when using online payment service providers

To complete the order process, it is necessary to make payment using one of the payment service providers we offer. Depending on the payment method, the provider's privacy policy applies, which you can find below:

• PayPal (Europe) S.à.rl & Cie. SCA, 22-24 Boulevard Royal, L-2449 Luxembourg: https://www.paypal.com/myaccount/privacy/privacyhub
• Visa Europe Services Inc., London Branch, 1 Sheldon Square, London W2 6TT, United Kingdom: https://www.visa.de/nutzungsbedingungen/visa-globale-datenschutzmitteilung.html
• American Express American Express Services Europe Limited, Frankfurt am Main Branch, Theodor-Heuss-Allee 112, 60486 Frankfurt am Main: https://www.americanexpress.com/de/legal/datenschutzrichtlinien.html
• Apple Inc., Apple Park, Cupertino, California, USA: https://www.apple.com/de/legal/privacy/data/de/apple-pay-later/
• Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium. https://www.mastercard.de/de-de/datenschutz.html
• Google LLC, 1600 Amphitheater Parkway Mountain View, CA 94043, USA: https://policies.google.com/privacy

Third-party websites and links.

Our Site may contain links to websites or other online platforms operated by third parties. If you follow links to websites that are not affiliated with or controlled by us, you should review their privacy and security policies and other terms and conditions. We do not guarantee or assume responsibility for the privacy or security of such websites, including the accuracy, completeness, or reliability of any information found on such websites. Information you provide in public or semi-public places, including information you share on third-party social networking platforms, may also be viewed by other users of the Services and/or users of such third-party platforms, without limitation as to their use by us or any third party. Our inclusion of such links does not automatically constitute an endorsement of the content of such platforms or their owners or operators, except as disclosed on the Services.

Children's data

The Services are not intended for use by children, and we do not knowingly collect personal information from children. If you are a parent or guardian of a child who has provided us with personal information, you may contact us using the contact information provided below and request that we delete that information.

As of the effective date of this Privacy Policy, we have no actual knowledge that we “share” or “sell” (as those terms are defined under applicable law) personal information of anyone under the age of 16.

Security and storage of your data

Please note that no security measures are perfect or impenetrable, and we cannot guarantee "perfect security." Furthermore, the information you send us may not be secure during transmission. We recommend that you do not use insecure channels to communicate sensitive or confidential information with us.

How long we retain your personal information depends on a variety of factors, including whether we need the information to administer your account, provide the Services, comply with our legal obligations, resolve disputes, or enforce other applicable agreements and policies.

Your rights

Depending on where you live, you may have some or all of the rights listed below regarding your personal data. However, these rights are not absolute and only apply in limited circumstances. In certain cases, we may refuse your request to the extent permitted by law.

The data subjects ' rights to information are set out in Art. 15 GDPR. They have the right to contact CarvaStone and receive information about the use and processing of their personal data. This includes:

·        The purposes and categories of processing of personal data

·        Disclosure of the recipients to whom the personal data has been sent

·        The duration for which their personal data will be retained or, where this cannot be determined, the criteria used to determine that period

·        The right to erasure of your personal data

·        The existence of a right of appeal to a supervisory authority Art.15 para. (1) lit.f) GDPR

·        Information on the origin of the available data, unless it was collected from the data subject

• the existence of automated decision-making, including profiling, pursuant to Article 22 (1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject (Article 15 (1) (h) GDPR)

·        The right to information about the transfer of your personal data to a third country or an international organization. In this regard, you can request that we inform you of the appropriate safeguards in accordance with Art. 46 GDPR in connection with the transfer.

According to Art. 16 GDPR and Art. 17 GDPR, you have the right to rectification and erasure . You can request the controller to immediately rectify any inaccurate or incomplete personal data concerning you. You also have the right to have personal data concerning you erased immediately, and the controller must carry out this action immediately if one of the following reasons applies:

• ·        The personal data is no longer required or necessary
• ·        You withdraw your consent on which the processing is based in accordance with Art. 6 (1) (a) GDPR and there is no other legal basis for the processing
• ·        You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 (2) GDPR.
• ·        Your personal data has been processed unlawfully
• ·        The erasure of personal data concerning you is necessary to fulfil a legal obligation under Union or Member State law to which the controller is subject.
• ·        Your personal data was collected in relation to information society services offered in accordance with Art. 8 (1) GDPR
• ·        Where the controller has made the personal data public and is obliged pursuant to Art. 17 (1) GDPR to erase the personal data, the controller, taking into account available technology and the cost of implementation, shall take appropriate measures, including technical ones, to inform data controllers which process the personal data that the data subject has requested the erasure by such controllers of all links to, or copies or replications of, those personal data.

The reasons just listed do not apply if the processing of your personal data is necessary.  According to Art. 17 (3) GDPR, this applies:

×         to exercise the right to freedom of expression and information

×         to fulfill a legal obligation required by Union or Member State law to which the controller is subject or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller

×         for reasons of public interest in the area of ​​public health pursuant to Art. 9 (2) (h) and (i) GDPR and Art. 9 (3) GDPR

×         for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, insofar as the right referred to in paragraph 1 is likely to make the achievement of the objectives of that processing impossible or seriously compromises it, or

×         to assert, exercise or defend legal claims

• Right to portability : You may have the right to receive a copy of the personal information we hold about you and, in certain circumstances and subject to certain exceptions, to request that we transfer that information to a third party.

• According to Art.18 GDPR, you have the right to restrict processing under the following conditions:

  ×         the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data

  ×         the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead

  ×         the controller no longer needs the personal data for the purposes of the processing, but the data subject needs them to assert, exercise or defend legal claims, or

  ×         the data subject has objected to processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether the legitimate reasons of the controller outweigh those of the data subject.

  Where processing has been restricted pursuant to paragraph 1, such personal data shall, with the exception of storage, only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

• The right to data portability pursuant to Art. 20 GDPR allows the data subject to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. He or she has the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided that the processing is based on consent pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) and the processing is carried out using automated procedures.
• Withdrawal of consent : Where we rely on your consent to process your personal data, you may have the right to withdraw that consent.
• Right to appeal : If we refuse to process your request, you may have the right to appeal our decision. You can do so by directly responding to our refusal.
• Manage communication preferences : We may send you promotional emails, and you can opt out of receiving these emails at any time by using the unsubscribe option provided in our emails. If you opt out, we may still send you non-promotional emails, such as those related to your account or orders.

You can exercise these rights as set out on our Site or by contacting us using the contact details provided below.

We will not discriminate against you if you exercise any of these rights. We may need to collect information from you, such as your email address or account information, to verify your identity before we can provide a substantive response to the request. Subject to applicable law, you may designate an authorized agent to make requests to exercise your rights on your behalf. Before we accept such a request from an agent, we will require that the agent verify that you have authorized the agent to act on your behalf. We may also need to confirm your identity directly with us. We will respond to your request in a timely manner, as required by applicable law.

complaints

Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the regulation. The supervisory authority with which the complaint was submitted will inform the complainant of the status and outcome of the complaint, including the possibility of judicial redress under Art. 78 GDPR.

category	Categories of recipients
Identifiers such as basic contact details and certain order and account information Commercial information such as order information, purchasing information and customer support information Internet or other similar network activities, such as usage data Geolocation data, e.g. locations determined via an IP address or other technical means	Suppliers and third parties who provide services on our behalf (such as internet service providers, payment processors, fulfillment partners, customer support partners, and data analytics providers) Business and marketing partners Affiliates

We will not use or publish your personal data without your consent or for the purpose of inferring your personal data.

With your consent, we will share personal information for the purpose of conducting promotional and marketing activities as follows.

International users

Please note that we may transfer, store, and process your personal data outside the country you live in. Your personal data will also be processed by employees and third-party service providers and partners in those countries.

When we transfer your personal data to countries outside Europe, we rely on accepted transfer mechanisms such as the European Commission's Standard Contractual Clauses or equivalent contracts from the relevant UK authority, unless the data transfer is to a country determined to provide an adequate level of protection.

contact

If you have any questions about our privacy practices or this Privacy Policy, or if you wish to exercise any of your rights, please call us or email us at support@carvastone.de

For the purposes of applicable data protection laws and unless expressly stated otherwise, we are the controller of your personal data.