Privacy Policy – Chinese Mainland
MYTHERESA: APP Privacy Policy
Registration party: Mytheresa Business Information Consulting (Shanghai) Co., Ltd. (黛立夏商务信息咨询(上海)有限公司)
Registration number: Hu ICP备 Bei No.19028211 号
APP name: Mytheresa美遴世
Mobile app ICP registration number: 沪ICP备19028211号-3A
Data processing controller
Controller and service provider responsible:
mytheresa.com GmbH
Mytheresa (Luxury Fashion Selection APP) is a mobile app developed by mytheresa.com GmbH, with Mytheresa Business Information Consulting (Shanghai) Co., Ltd. (with its registered address at Rooms 1176 and 1177, No. 968, West Beijing Road, Jing'an District, Shanghai) responsible for its operation in Chinese Mainland.
Einsteinring 9
85609 Aschheim/Munich.
The protection of your personal data is very important to us. We would therefore like to inform you in the following pages about the data collected during your visit and the purposes it is used for. Should you still have any queries about the handling of your personal data, please contact our data protection officer.
The ongoing further development of technology, changes in our services or the legal situation as well as other reasons can require adjustments of our data protection notice. We therefore reserve the right to change this data protection notice at any time and will notify you with a pop-up window whenever there is a change. We also encourage you to regularly check for updates to stay informed.
The reference to GDPR provisions in this privacy policy shall be understood as including the reference to provisions (if any) under PRC data protection laws (including but not limited to the Personal Information Protection Law of the People's Republic of China), the contents of which are substantially similar to relevant GDPR provisions.
Data Protection Officer
The data protection officer responsible is:
Wolfgang Steger
Am neuen Weg 21
82041 Oberhaching
1 BASIC INFORMATION ON DATA HANDLING
1.1 Extent of the personal data processing
We fundamentally collect and use the personal data of our users only insofar as this is required for the provision of normal functions of a website, mobile application, and various new products that have emerged with technological development (the "Website") and of our contents and services as well as for the implementation of our business purpose. As a rule we collect and use the personal data of our users only after the user has given his/her consent. Exceptions apply in such cases where it was not possible to obtain prior consent for factual reasons and where the processing of the data is permitted because of statutory requirements.
You acknowledge, understand, and agree that in most cases, the data we collected about you is not considered sensitive information, but in certain circumstances, we may collect your sensitive personal data. In cases where we may collect data about you, the following data may be considered sensitive personal data: financial account information, payment information, transaction and purchase records, address or location information (to the extent that it may expose your whereabouts), product browsing history, etc. The necessity of processing such sensitive personal information and its impact on your interests are described in the following scenarios. Before processing sensitive personal data about you, we will inform you of and obtain your separate consent for the processing. In each of the above cases, we will ensure that the collection or processing of your personal data is for specific purposes (the purposes of processing specific sensitive personal data are explained in subsequent sections of this privacy policy) and sufficiently necessary (in principle, it is necessary for us to provide the content and services you requested), and we will take strict security measures to process your sensitive personal data in a way that minimizes any impact on your personal interests.
1.2 Purposes and legal basis for the processing of personal data
We process personal data only to fulfil our contractual obligations or to preserve our overriding legitimate interests. Our legitimate interests are the implementation of our business purpose.
Insofar as we obtain consent from the data subject for processing operations of personal data, Article 6, paragraph 1, sentence 1 lit. a EU General Data Protection Regulation (EU-GDPR) and/or Article 13 (1) of the Personal Information Protection Law of the People's Republic of China serve as the legal basis for the processing of personal data.
In the processing of personal data required to perform a contract of which the contractual party is the data subject, Art. 6 paragraph 1 sentence 1 lit. b of GDPR and/or Article 13 (2) of the Personal Information Protection Law of the People's Republic of China serve as the legal basis. They also apply to processing operations that are necessary to carry out pre-contractual measures.
Insofar as processing of personal data is required to fulfil a legal requirement that our company is subject to, Art. 6 paragraph 1 sentence 1 lit. c GDPR and/or Article 13 (3) of the Personal Information Protection Law of the People's Republic of China serve as the legal basis.
In the case that vital interests of the data subject or another natural person make the processing of personal data necessary, Art. 6 paragraph 1 sentence 1 lit. d GDPR and/or Article 13 (4) of the Personal Information Protection Law of the People's Republic of China serve as the legal basis.
If processing is required to protect a legitimate interest of our company or of a third party, and the interests, fundamental rights and freedoms of the data subject do not override the first-named interest, Art. 6 paragraph 1 sentence 1 lit. f GDPR serves as the legal basis for the processing.
1.3 Categories of recipients and personal data, origin of the same; data transmission
We forward personal data to our business partners and service providers for the implementation of the business purpose. To implement our business purpose we use typical contact and address data of our customers and business partners. We typically receive the personal data directly from the data subject or with the consent of the data subject and also in exceptional cases from third parties.
Insofar as nothing to the contrary is stated in the following sections, no forwarding of your data to third parties takes place, unless we are legally obliged to do so, or the data transmission is required to perform the contractual relationship or you have previously given your explicit consent to the forwarding of your data. External service providers and partner companies, such as, for example, online payment providers or the shipping company tasked with the delivery, only receive your data insofar as it is necessary for the execution of your order. However, in these cases the extent of the transmitted data is restricted to the minimum required. Insofar as our service providers come into contact with your personal data, we assure that the regulations of the data protection laws are observed in the same manner. Please also observe the data protection notices of the individual providers. The individual service provider is responsible for the contents of third party services, whereby we verify as far as can be reasonably expected that the services observe statutory requirements. In case your data is provided to a third party, you can contact us via privacy@mytheresa.com to inquire about the purpose, method, and scope of data processing, as well as the identity of the third party with whom we will share the data, purpose of sharing, and type of the data to be shared, in order to give your consent.
You acknowledge, understand, and agree that in order to provide the content and services you requested, implement our business purpose, and achieve the basic functions of the Website, we may provide your personal data to third parties, including email service providers (see Section 5), payment service providers (see Section 8), logistics service provider (see Section 9), survey service providers (see Section 14), anti-fraud service providers (see Sections 19, 20 and 21) and other business partners.
We have the right to change business partners at our own discretion based on business development needs, changes in service and content providers, and for other reasons. To the extent required by applicable laws, we will notify you of the identity of such business partners, the types of your personal data they may receive, the purpose of processing your personal data, and other legal information, and obtain your separate consent (if necessary) for the transfer of such personal data.
1.4 Transmission to third countries
You acknowledge, understand, and agree that we mainly process your personal data outside Chinese Mainland and store your personal data outside Chinese Mainland. To the extent required by applicable laws, we will notify you of the transfer of such data and obtain your separate consent (if necessary) for such transfer.
Essentially we do not forward personal data to recipients in third countries (i.e. countries outside of the EU). Should data be forwarded to recipients in third countries, we assure not only that we will obtain the permission required for the forwarding, but that the third country recipient also assures an adequate level of data protection (or derogations for specific situations pursuant to Art. 49 paragraph 1 GDPR apply).
In specific cases we forward personal data to recipients in third countries (i.e. countries outside of the EU).
United States of America
In these specific cases, we guarantee compliance with the following provisions as described in Art. 44 of GDPR:
EU standard contractual clauses
Privacy Shield
1.5 Data security
We have taken extensive technical and organisational precautions to protect your data from accidental or intentional manipulation, loss, destruction or access by unauthorised persons. Our security procedures are regularly checked and revised to take into account technological progress.
1.6 Data deletion and storage periods
The personal data of the data subject is deleted or blocked, as soon as the purpose for which it was stored no longer applies. Storage can also be effected if this was required by the European or national legislators in European Union regulations, laws or other stipulations that the person responsible is subject to. The data is also blocked or deleted if a statutory storage period prescribed by the cited standards expires, unless there is a need for continued data storage for the purposes of a conclusion or performance of a contract.
2 GENERAL DATA COLLECTION WHEN VISITING OUR WEBSITE
When visiting our Website for purely informational purposes, i.e. when you do not register or transfer other information to us on our Website, we collect only the personal data that your browser transmits to our server.
Within the framework of the balancing of interests, pursuant to Art. 6 paragraph 1 sentence 1 lit. f GDPR we have taken into account and weighed up our interest in provision and your interest in the processing of your personal data in compliance with data protection requirements. As the data below is necessary for the technical provision of our service in order to be able to offer you access to our Website and also to ensure stability and security, in particular to offer protection against misuse, we have come to the conclusion that this data - in conjunction with an assurance of data security based on the state of technology - can be processed, whereby your interest in processing in compliance with data protection requirements is adequately taken into account.
Description and extent of data collection
Whenever our Website is visited, our system automatically records data and information from the computer system of the visiting computer.
The following data is collected:
1. Information about the browser type and version used
2. The operating system and the interface of the user
3. The internet service provider of the user
4. The IP address of the user
5. Access status/http status code
6. Date and time of the visit
7. Time zone difference to Greenwich Mean Time
8. Content of the request (specific internet page)
9. The quantity of data transmitted
10. Websites, from which the system of the user accessed our Website
11. Websites that are visited by the system of the user via our Website
12. Regarding mobile end devices: Manufacturer and type designation of the Smartphone, tablet or other mobile end devices, Android ID (when we use relevant SDK; for a detailed list of SDKs, please refer to the schedule attached to this privacy policy)
13. Low-level tracker
The data is likewise stored in the logfiles of our system. Storage of this data together with other personal data of the user does not take place.
Legal basis for data processing
The legal basis for the temporary storage of the data and the logfiles is Art. 6, paragraph 1, sentence 1 lit. f GDPR and/or Article 13 of the Personal Information Protection Law of the People's Republic of China.
Purpose of data processing
The temporary storage of the IP address by the system is necessary so as to enable delivery of the Website's content to the computer of the user. To do this, the IP address of the user remains stored for the duration of the session.
Storage in logfiles is required in order to assure the functionality of the Website. In addition, the data serves to optimise the Website and to assure the security of our IT systems. In particular, our Website and our other IT system help us to adapt to the browser, operating system and end devices used.
An evaluation of the data for marketing purposes does not take place in this connection.
These purposes are also our legitimate interest in data processing pursuant to Art. 6 paragraph 1 sentence 1 lit. f GDPR and/or Article 13 of the Personal Information Protection Law of the People's Republic of China.
Duration of the storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. If the data is recorded in order to provide the Website's content, it will be deleted when the session in question has ended.
In the case of storage of data in logfiles, this is the case after seven days at the latest. Storage above and beyond this period is possible. In this case the IP addresses of the user are deleted or distorted so that it is no longer possible to recognise the calling client.
Right to object and removal
The recording of data for the provision of the Website services and the storage of the data in logfiles are absolutely essential for the normal operation of the Website. As a consequence, the user has no right to object in this regard. A user who objects to the temporary storage of such data records and logfiles shall immediately stop visiting the Website.
3 REGISTRATION
On our Website we offer users the possibility to register by entering their personal data. The data is entered in the input mask and is transferred to us and stored. The data is not forwarded to third parties. The following data is collected as part of the registration process:
Salutation
Academic title (optional)
First name
Last name
Email
Password
Address
Telephone number
Company (optional)
Country
Packing station (if available)
CPF – natural person registration (only Brazil)
At the time of registration, the following data is also stored:
1. The IP address of the user
2. Date and time of the registration
3. Customer number
4. Entity-ID
5. Email hash
The user is asked as part of the registration process to consent to the processing of this data. After registration has been completed, you receive a personal access protected by password and can view and manage the registration data. Registration is effected on a voluntary basis, but may be a precondition for using our services.
In this connection your data is forwarded to our email service provider Emarsys so that we can send you an email confirming your registration.
Legal basis for the data processing
Assuming the user gives his or her consent, the legal basis for the processing of the data is Art. 6 paragraph 1 sentence 1 lit. a GDPR and/or Article 13(1) of the Personal Information Protection Law of the People's Republic of China.
If registration serves to perform a contract, of which the contractual partner is the user or in order to take steps prior to entering into a contract, the legal basis for the processing of the data is also Art. 6 paragraph 1 sentence 1 lit. b GDPR and/or Article 13(2) of the Personal Information Protection Law of the People's Republic of China.
Purpose of data processing
User registration is necessary for the provision of certain contents and services, in particular the extended use of our web shop on our website. User registration also serves for the performance of a contract with the user or to take steps prior to entering into a contract. Registration refers in particular to the use of our web shop.
Sales contracts are typically concluded via the web shop for the following product groups:
Clothing
Shoes
Bags
Accessories (including jewelry)
Children's clothing
Furnishings
Gift vouchers
Duration of the storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected.
The data collected during the registration process will be deleted if the registration on our Website is cancelled or modified.
Insofar as the data collected during the registration process is required to perform a contract or to take steps prior to entering into a contract, the data will only be deleted when it is no longer required to perform the contract. Even after conclusion of the contract, it may still be necessary to store personal data in order to fulfil contractual or statutory obligations.
Personal data is stored as a measure to prevent fraud.
The deadline for data deletion is 6 months for the purposes of fraud prevention as well as for combating actual attempts of fraud.
Right to object and removal
As a user you can cancel your registration at any time. You can have the data stored about you altered at any time.
You can send an email to delete-account@mytheresa.com requesting to cancel your account and delete all your personal information and data, and we will handle it within one month or such shorter period of time as required by applicable laws (15 working days for example).
If the data is required for the performance of a contract or to take steps prior to entering into a contract, a premature deletion of the data is only possible insofar as no contractual or statutory obligations contradict this.
4 CONTACT
Our Website has a contact form which can be used to contact us by electronic means. If the user takes advantage of this possibility, the data entered in the input mask is transmitted to us and stored. The data in the input mask includes:
1. First and last names
2. Email address
3. Subject
4. Message
No data is stored when the message is sent. Alternatively, contact can be established via the email address provided. In this case, the personal data of the user transmitted via the email is stored. In this connection the data is not forwarded to third parties. The data is solely used for the processing of the conversation.
Legal basis for the data processing
If the user has given his or her consent, the legal basis for the processing of the data is Art. 6 paragraph 1 sentence 1 lit. a GDPR and/or Article 13(1) of the Personal Information Protection Law of the People's Republic of China.
Legal basis for the processing of the data that is transmitted as part of sending an email is Art. 6 paragraph 1 sentence 1 lit. a GDPR and/or Article 13(1) of the Personal Information Protection Law of the People's Republic of China.
If the email contact is made for the conclusion of a contract, the legal basis for the processing is also Art. 6 paragraph 1 sentence 1 lit. a GDPR and/or Article 13(1) of the Personal Information Protection Law of the People's Republic of China.
Purpose of data processing
The processing of personal data from the input mask is used solely for the process of establishing the contact. In the case of contact by email there is also the necessary and legitimate interest in processing the data.
The personal data otherwise processed during the sending process is used to prevent misuse of the contact form and to assure the security of our IT systems.
Duration of the storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. The personal data from the input mask of the contact form and the personal data sent by email will be deleted when the conversation with the user has ended. The conversation is deemed to have ended when the circumstances suggest that the subject matter in question has been conclusively clarified.
The personal data additionally collected during the sending process is deleted at the latest seven days afterwards.
Right to object and removal
The user can revoke his or her consent to the processing of personal data at any time. If the user establishes contact with us via email, he or she can object to the storage of his or her personal data at any time. The conversation cannot be continued in such a case.
You can inform us of your revocation of consent as well as your objection to storage of your personal data by sending an email to privacy@mytheresa.com.
In this case all personal data stored during the establishment of the contact is deleted.
5 NEWSLETTER
We use the so-called confirmed opt-in procedure. The confirmed opt-in procedure means that we directly send a welcome email to the email address you provide and your email address will be saved. The storage serves the sole purpose of being able to send you the newsletter. In addition, we also store your IP addresses when you register and confirm as well as the times, in order to prevent misuse of your personal information.
Email service provider: Newsletters are sent by Emarsys eMarketing Systems GmbH (Hans-Fischer-Straße 10, 80339 Munich, Germany, hereinafter referred to as the "Email Service Provider Emarsys"). You can view the relevant privacy policy here: https://www.emarsys.com/de/datenschutzrichtlinie/.
Furthermore, newsletters are also sent by D Martech China, with its address at 5th Floor, Xinli Center, 380 South Huangpi Road, Huangpu District, Shanghai, China (hereinafter referred to as the "Email Service Provider Webpower"). You can view the privacy policy of the email service provider here: https://www.webpowerchina.com/zh/privacy
The email address is the only required information for sending the newsletter. The provision of additional, specially marked information is voluntary, and it will be used solely for the purpose of personalising the newsletter. In addition, we store the IP addresses you use for registration and confirmation, as well as the times these events take place. The purpose of this procedure is to have evidence of your registration and, if necessary, to clarify any possible misuse of your personal data. After your confirmation, we save your registration data for the purpose of sending you the newsletter. The legal basis for this is Art. 6(1)(1)(a) GDPR and/or Article 13(1) of the Personal Information Protection Law of the People's Republic of China.
If we have received your email address in connection with your order and you have not objected to this, we reserve the right to send you regular offers by email for products similar to those you have already purchased from us.
You can object at any time to the use of your email address and the processing and use of the data to create user profiles without stating reasons by sending a message to privacy@mytheresa.com or by using the unsubscribe link in the email newsletter, without incurring any costs other than the transmission costs according to the basic rates, i.e. your existing Internet contract.
We would like to point out that we evaluate your user behaviour when sending the newsletter. For this evaluation, the emails we send contain, among other things, so-called web beacons also known as tracking pixels. These are one-pixel image files linked to our Website that enable us to evaluate your user behavior. This is done by collecting web beacons, which are assigned to your email address and linked to your own ID. The links in newsletters also include such beacons.
We use the Email Service Provider Emarsys as well as Certona (see 13.1.1 Certona in the privacy policy) to store cookies on your computer through your web browser. The cookies and the identification numbers stored in them will not be associated with your name, address, email address or other personally identifiable information unless you have expressly permitted us to send you information specifically tailored to your interests, and you can object to this use at any time by notifying us. The Email Service Provider Emarsys and Certona use these cookies to recognize your browser, so that we can track your movements on our Website as well as recording and measuring the success of certain marketing actions. We use this information to improve our Website and email newsletters, in particular by adapting our information and offers to the individual interests and needs of users.
The storage of these cookies is carried out on the basis of Art. 6(1)(a) GDPR and/or Article 13(1) of the Personal Information Protection Law of the People's Republic of China.
With the data obtained in this way, we create a pseudonymous user profile in order to be able to provide you with a newsletter tailored to your interests. The following data will be collected:
Did you open the newsletter? And what did you click to view?
When did you visit and how long did you browse our Website? What products and categories did you view?
When and what did you purchase? What category, and in what amount? Moreover, have you cancelled any order?
We associate this data with your user account, if you have logged in.
We also transfer the data collected to our Email Service Provider Webpower. Pursuant to Article 44 et seq. GDPR and other applicable laws, guarantees are provided by means of an order data processing contract between us and Certona and between us and the Email Service Provider Webpower, which contain EU standard contractual clauses.
You can opt out of the cookie-based collection and analysis of online data described above at any time by clicking the Opt-out button below. If you exercise this option, an anonymous "opt-out" cookie will be stored in your web browser, informing the Emarsys web server and/or the Certona web server of your opting out and preventing the servers from collecting data. The opt-out cookie will remain in effect in the browser you are using until you delete it using that browser. However, if you delete the cookie or use a different browser or computer, the Email Service Provider Emarsys and Certona will no longer be able to identify that you have declared your objection. Alternatively, you can configure your browser so that it does not accept cookies.
If you have registered with our online shop and placed products on your wish list, you will receive emails about the products on the wish list. You can unsubscribe from these notifications by unchecking the box at the end of the wish list or by using the unsubscribe link in the email.
6 SMS
We use the short message service provided by D Martech China for the sending of promotional and transactional SMS to our customers. The data will be stored and processed by us at Ali Cloud and in SHANGHAI, CHINA.
The following data is required to be transmitted for sending SMS:
Telephone number
Your consent of receiving SMS
Email hash
For transactional SMS, the following personal data will be further transmitted:
Order list, order ID, product ID, prices
Additionally, all pseudonymized data such as customer data identifier, customer segmentation identifier will be further transmitted for promotional SMS.
Guarantees are provided by means of an order data processing contract between us and Ali Cloud, which contains standard EU contractual clauses, pursuant to Article 44 of GDPR and other applicable laws. To view the standard contractual clauses, please send an email to privacy@mytheresa.com.
The legal basis for processing of data is Article 6 (1) paragraph 1a of GDPR and/or Article 13(1) of the Personal Information Protection Law of the People's Republic of China. Our legitimate interests lie in usage analysis and the related continuous optimization of our Website as well as in the offer of personalized web content.
You can object at any time to the use of your telephone number and the processing and use of the data to send you SMS without stating reasons by sending a message to privacy@mytheresa.com or by replying with the specified unsubscribe keyword without incurring any costs.
7 YOUR ORDER IN OUR ONLINE SHOP
If you would like to place an order in our online shop, it is necessary for the purposes of concluding the contract that you provide personal data which we require to process the order. Mandatory details required for the processing of contracts are specifically marked as such (including the receiver's name, email address, delivery address and billing address, mobile phone number and payment information (for bank cards: the cardholder's name, card number, card expiration date, CVC/CVV verification code; for Alipay: Alipay account number; for WeChat Pay: WeChat Pay account number; for PayPal: PayPal account number), other details are voluntary (including company information)). We use the data given by you to process your order. In addition, we may forward your payment details to the payment service provider selected by you. Additionally, we forward your address details to the logistics service provider responsible for delivery.
The legal basis for this is Art. 6 paragraph 1 sentence 1 lit. b GDPR and/or Article 13(2) of the Personal Information Protection Law of the People's Republic of China.
You can also create a user account on a voluntary basis, which we can then use to store your data for additional purchases at a later date. This registration is based on Section 3 of this privacy policy.
We can also process the data given by you in order to notify you about additional products in our range that you may find of interest or have emails about technical information sent to you, and you can object to this use at any time by notifying us.
Commercial and fiscal stipulations require us to store your address, payment and order details for the period of ten years. Nevertheless, we restrict processing after two years; this means your data is only used to observe the statutory requirement.
You can object to the use of your data for advertising and data analysis purposes at any time. Please send your objection to privacy@mytheresa.com.
To prevent unauthorised access to your personal data, in particular financial data, the order process is encrypted by the "Secure Sockets Layer" (SSL) hybrid encryption protocol for secure data transmission.
8 OUR PAYMENT SERVICE PROVIDERS
We offer different payment options, such as payment by credit card or payment by PayPal.
For this purpose, to facilitate third party payment transactions, payment data can be transferred to payment service providers with whom we work. This type of data is required by applicable laws or necessary for providing third party payment services, and does not include user information unrelated to your specific transaction. Legal basis for data transfer is Art. 6 paragraph 1 sentence 1 lit. b and f GDPR and/or Article 13(2) of the Personal Information Protection Law of the People's Republic of China.
You can find more details about the processing of your personal data by the payment service providers in their privacy policies:
Please find below the list of our payment providers:
Payment provider | Payment method |
Adyen N.V. | Credit Card |
PayPal (Europe) S.à r.l. et Cie, S.C.A. | PayPal |
9 OUR LOGISTICS SERVICE PROVIDER
9.1 DHL
DHL (Deutsche Post AG, with its address at Gabriela Krader, LL.M Deutsche Post AG 53250 Bonn) is our logistics service provider. When we ask DHL to provide logistics services, we will transmit the following data to DHL: the receiver's name, mobile phone number, and delivery address. The purpose of data processing is to provide product delivery services through DHL. The legal basis for data transmission is Art. 6 paragraph 1 sentence 1 lit. b of GDPR and/or Article 13(2) of the Personal Information Protection Law of the People's Republic of China. You have no right to object to such data transmission, as such data processing is necessary for delivering product(s) to you.
10 COOKIE
We use cookies in order to improve our Website and to optimize use for you, but also for advertising purposes. Cookies are small text files that are stored on your computer when you visit our Website and enable a renewed identification of your browser. Cookies store information, such as your language setting, the length of visit to our Website or the entries you made there. This avoids the need to re-input all the required data afresh at every session. Moreover, cookies enable us to detect your preferences and to tailor our Website to your interest.
Most browsers accept cookies automatically. If you would like to prevent the acceptance of cookies, you can select "accept no cookies" in the browser settings. How this works in detail can be found in the instructions of your browser manufacturer. Cookies already stored on your computer can be deleted at any time. However, we would like to point out this may restrict the functionality of our Website.
11 FIRST PARTY COOKIE
This type of cookie is set by the Website that the user visits. Only such Website is permitted to read the cookie information.
11.1 Cookies used
We use cookies in order to design our Website in a user-friendly fashion. Some elements of our Website require the calling browser to be identified also after a page change.
The following data is stored and transmitted in the cookies:
Below is a list of data stored. For example:
Language settings
Products in the shopping cart
Log-In information
We also use cookies on the Website to analyze user browsing behavior.
In this way, the following data is transmitted:
Below is a list of data collected. For example:
Keywords entered
Frequency of page views
Utilization of Website functions
Device or browser information
Products and categories viewed
Wish list and the shopping cart as well as the adding of new products
Number of products in the shopping cart
Point of origin of the page visitor
Abbreviated IP address
Email hash
The user data collected in this manner is pseudonymized by technical precautions. Therefore, the data can no longer be traced to a visiting user. When calling up our Website, the user is informed about the use of cookies for analysis purposes. In this regard, a reference is also made to this data protection notice.
Legal basis for data processing
The legal basis for the processing of personal data by the means of cookies is Art. 6 paragraph 1 sentence 1 lit. a and f GDPR and/or Article 13 of the Personal Information Protection Law of the People's Republic of China.
Purpose of data processing
The reason why cookies are employed technically is to simplify use of the Website for the users. Some functions of our Website cannot be offered without the use of cookies. To use these functions, it is essential that the browser is also recognized after a page change.
We require cookies for the following functions:
Shopping cart
To protect the Website from attacks
Marking of sessions - settings
The user data collected by the technically necessary cookies is not used to generate user profiles.
We use analysis cookies to improve the quality of our Website and its contents. The analysis cookies enable us to find out how the Website is being used and therefore allow us to ensure an ongoing improvement of our Website. In addition, they enable us to continuously provide high-quality content and constantly improve the user experience.
These purposes are also our legitimate interests in processing personal data pursuant to Art. 6 paragraph 1 sentence 1 lit. f of GDPR.
Duration of storage, right to object and erasure
Cookies are stored on the computer of the user and are transferred from it to our Website. Therefore, you as the user also have full control over the use of cookies. By altering the settings in your internet browser, you can disable or restrict the transfer of cookies. Cookies already stored can be deleted at any time. This can also be effected automatically. Disabling cookies for our Website may mean that not all functions of the Website can be used to their full extent.
Our Website uses transient cookies, which are automatically deleted when you close your browser. These are typically so-called session cookies. They store a so-called session ID with which various queries from your browser can be assigned to a common session. It means that your computer can be recognized when you return to our Website. These cookies are deleted when you log out or close the browser.
Our Website also uses persistent cookies, which are automatically deleted after a predetermined period that can vary depending on the cookie. These cookies, too, can be deleted at any time.
12 THIRD-PARTY COOKIE
Third-party cookies are set by organisations that are not the operators of the Website the user visits. These cookies are used by marketing companies, for example. For a detailed list of SDKs, please refer to the schedule attached to this privacy policy.
12.1 Criteo GmbH
We employ technology of Criteo GmbH (Criteo GmbH, Rosenheimer Str. 143c, 81671 Munich) on our site to create and deliver personalised advertising. Our website mytheresa.com uses cookies/advertising IDs for the purpose of advertising. This enables us to show our advertisements to visitors who are interested in our products on partner websites, apps and emails. Re-targeting technologies use your cookies or advertising IDs and display advertisements based on your past browsing behavior. You can opt-out of interest based advertising by visiting the following websites:
http://www.networkadvertising.org/choices/
http://www.youronlinechoices.com/
We may share data, such as technical identifiers derived from your registration information on our mytheresa.com website or our CRM system with our trusted advertising partners. This allows them to link your devices and/or environments and provide you a seamless experience across the different devices and environments that you use. To read more about their linking capabilities, please refer to their privacy policy listed in the above-mentioned Websites or listed below.
The legal basis for the processing of personal data by the means of marketing cookies is Art. 6 paragraph 1 sentence 1 lit. a GDPR.
You can find more information concerning Criteo data protection here: https://www.criteo.com/privacy/
Should you no longer wish to be shown any personalised advertising material, you can unsubscribe from Criteo advertising here.
12.2 Microsoft Bing Tracker
We use the following technology of Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399, USA):
For a detailed list of SDKs, please refer to the schedule attached to this privacy policy.
12.2.1 Bing Conversion Tracking
We also use Bing Ads Conversion Tracking. A Bing Ads cookie is set on your computer as soon as you visit our Website via a Bing search ad. Using Bing Conversion Tracking, campaigns for search engine advertising are directed to Bing on a frequency basis, i.e. ads are placed more frequently for search queries that often lead to a purchase, whereas search queries that are less relevant see fewer ads.
The following data is collected:
Browser type / version,
Operating system used,
Hostname of the calling computer (IP address),
Time of the server query
If you would not like this, you can unsubscribe at any time on https://account.microsoft.com/privacy/ad-settings. For more information on Bing Ads Conversion Data Protection, please consult https://privacy.microsoft.com/zh-cn/privacystatement.
For the exceptional cases in which personal data is transferred to the USA, Microsoft has submitted a report to the EU - US Privacy Shield, which you can view here.
Legal basis for data processing is Art. 6 paragraph 1 sentence 1 lit. a and f of GDPR and/or Article 13 of the Personal Information Protection Law of the People's Republic of China. We use Bing Conversion Tracking to optimize our search engine marketing activities on Bing, thereby improving advertising efficiency. These purposes are also our legitimate interests under Art. 6 paragraph 1 sentence 1 lit. f of GDPR.
12.2.2 Bing Ads Remarketing Lists for Search Ads (RLSA)
We also use Microsoft Bing Ads Remarketing Lists for Search Ads. Here, the users that visit our Website are detected by means of a general Website tag and optional event snippets and their behavior recorded. The recorded behavior pattern such as the dwell time on the Website, concluded or aborted shopping cart operations, direct abort of the visit (bounce) can be used to adapt the advertising to the Bing search results page. This means that users that have a great interest in our Website see more ads placed at the top positions of the list, while visitors that have less interest in our Website see fewer ads in the search engine or even none at all. For more information on Bing Ads Remarketing Lists for Search Ads data protection, please consult https://privacy.microsoft.com/zh-cn/privacystatement.
The following data is collected by means of cookies:
Browser type / version,
Operating system used,
Hostname of the calling computer (IP address),
Time of the server query
For the exceptional cases in which personal data is transferred to the USA, Microsoft has submitted a report to the EU - US Privacy Shield, which you can view here.
Legal basis for data processing is Art. 6 paragraph 1 sentence 1 lit. a and f of GDPR and/or Article 13 of the Personal Information Protection Law of the People's Republic of China. Our legitimate interests lie in the evaluation of the statistical data obtained from the survey results on user behavior and advertising effectiveness. This also helps to continuously improve the content and services of our Website.
If you would not like this, you can unsubscribe at any time on https://account.microsoft.com/privacy/ad-settings. For more information on Bing Ads Conversion data protection, please consult https://privacy.microsoft.com/zh-cn/privacystatement.
12.3 EternityX Marketing Technology Limited
We use the technology of EternityX Marketing Technology Limited (located at 16/F, CentreHollywood, 151 Hollywood Road, Hong Kong) to create and place personalized advertisements on our Website. Our Website mytheresa.com utilizes cookies/advertising IDs for digital advertising promotion. This allows us to display advertisements to visitors interested in our products on partner Websites, applications, and emails. Repositioning technology will utilize your cookie or ad ID and display ads based on your browsing history.
You can find more information about EternityX data protection via the link below:
https://eternityx.com/privacy/
If you would not like to receive advertisements from EternityX Marketing Technology Limited, you can manage your option by the following means: Your online options.
Important note: When you choose not to receive cookies, a cookie will still be set in your browser. The purpose of running such cookie in a browser is to help EternityX Marketing Technology Limited recognize that you have chosen not to accept their cookie/ad ID.
12.4 Braze
In the mytheresa.com app, we use the services of Braze (Braze, Inc. 330 W 34th Street, 18th Floor, New York, NY 10001, USA). Braze is a marketing and analysis service app. The service enables us to understand the function and use of our mobile content on your device. Furthermore, we use Braze in order to send you tailored promotions and information on our products per push notification or in-app message, and you can object to this use at any time by notifying us. We also inform you via Braze about items you have forgotten in your shopping bag.
Braze uses the following personal data:
IP address (which is not stored)
Device-related data such as device type, model, operating system, browser type and version
Usage-related information such as time of use,
Name
Email hash
Braze SDK and message interaction data
Installation ID
Device ID
Legal basis for the processing of the data is Art. 6 paragraph 1 sentence 1 lit. a GDPR and/or Article 13(1) of the Personal Information Protection Law of the People's Republic of China.
There is data transfer to the USA. We guarantee compliance with Art 44ff of GDPR and other applicable laws by concluding EU standard contractual clauses with Braze or transmission in other ways that comply with applicable laws. If you would like to view these clauses, please send an email to privacy@mytheresa.com.
If you object to the transfer of the data, please send an email to privacy@mytheresa.com.
12.5 Adjust
We use the services of Adjust GmbH, with its address at Saarbrücker Str. 37A, 10405 Berlin | Germany, for mobile analytics and attribution services.
Adjust SDK and APIs (collectively the "Adjust Technology") may process some of the following data from you as the end user:
Hashed IP address
Mobile device identifiers such as the ID for Advertising for iOS (IDFA), or similar mobile device identifiers
Installation and first opening of an app on your mobile device
Your interactions within an app (e.g. in-app purchases, registration)
Information regarding which advertisements you have seen or clicked on
For the Unbotify/Fraud product additionally: sensory data including touch events, counting text changes, accelerometer, gyroscope, battery, light sensor, device hardware specifications and operating system version
The aforementioned data is used for providing mobile analytics and attribution services, which allows us to track marketing performance, to match end users to our campaigns and to understand how users engage with our app. Customer interactions in our app are tracked in real time in order to see the engagement over the full lifecycle. The aforementioned data is therefore processed in order to analyze the performance of marketing campaigns and to provide performance reports.
Adjust does not combine the data with any other data that would enable us to personally identify you. Any information processed via the Adjust Technology is owned and controlled by Mytheresa, who has implemented the Adjust Technology into their mobile app.
Adjust does not share the user data with or disclose it to anyone else except disclosure to our server providers and in response to lawful requests by public authorities, including national security or law enforcement requirements. The data is stored as long as we are using the Adjust Technology.
There is data transfer to the USA. We guarantee compliance with Art. 44ff of GDPR and other applicable laws by concluding EU standard contractual clauses and, if necessary, supplementary measures or transmission in other ways that comply with applicable laws.
If you object to the transfer of the data, please send an email to privacy@mytheresa.com.
12.6 Clarity
We likewise use the analysis and personalizing service Microsoft Clarity of the company (located at One Microsoft Way, Redmond, WA 98052, United States) to capture how you use and interact with our Website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first party and third party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for Website optimization, fraud/security purposes, and advertising. Clarity uses cookies that are stored on your computer, thus allowing us to analyze the usage of our Website and its optimization. The information generated by the cookies due to your use of this Website is transferred to a Clarity server in the USA and stored and processed there on our behalf. Before further processing, your IP address is anonymized and replaced by a generic one, i.e. one that can no longer be used to identify a person. A direct identification of person is therefore excluded.
The following data is transmitted:
IP address (anonymized)
Device-related data such as device type, model, operating system, browser type and version
Usage-related information such as time of use, dwell time, point of origin
Legal basis for the processing of the data is Art. 6 paragraph 1 sentence 1 lit. a of GDPR and/or Article 13(1) of the Personal Information Protection Law of the People's Republic of China. Our legitimate interests reside in usage analysis and the related continuous optimization of our Website.
If you object to the transfer of data, please send an email to privacy@mytheresa.com.
For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement at Microsoft Privacy Policy– Microsoft Data Protection.
12.7 ad-Shot GmbH
We use the re- and pre-targeting function of fatmedia.io (a brand of ad-shot LLC) on our websites.
This enables us to address visitors to our websites with targeted advertising by placing personalized, interest-based ads for visitors to the websites.
fatmedia.io uses cookies to analyze website usage, which forms the basis for creating interest-based ads.
No personal data of the website visitor is stored. If the user visits another website, they will see advertisements that are highly likely to take into account the product and information areas previously accessed or that are highly relevant to the user.
Opt-out link: https://analytics.fatmedia.io/opt-out
13 SPECIAL TOOLS
In addition to the above-mentioned cookies we also employ additional tools for the purposes of usage analysis, content optimization, marketing analysis and advertising optimization. The explanations in Section 10 do not apply to these tools. We will now inform you about each of these special functions, including the extent of data collection, the legal basis, the purposes for the data collection as well as the possible ways you have at your disposal to prevent the use of these tools.
For a detailed list of SDKs, please refer to the schedule attached to this privacy policy.
13.1 Tools for marketing purposes
We use cookies for marketing purposes in order to offer our users appealing advertising. In addition, we use the cookies to cap the display frequency of an advertisement and to measure the efficacy of our advertising measures. This information can also be shared with third parties, such as Ad-networks.
13.1.1 Certona
We use the Certona Product Recommendations analysis and advertising service provided by Certona Corporation, having its address at 10431 Wateridge Circle, Suite 200, San Diego, CA 92121, USA ("Certona"). Certona Product Recommendations uses cookies stored on your computer to help us analyze and optimize the use of our Website, as well as to personalize your visit to our Website and improve our advertising. The information generated by the cookie about your use of this Website is generally transmitted to a Certona server in the United States and stored and processed there on our behalf.
The following data will be transmitted:
IP address without assignment to a specific user profile
Device-related data such as device type and model, operating system and browser type and version.
Usage-related information such as time of use, dwell time, point of origin
Information about purchasing behavior such as purchases, placement of items into the shopping cart, deletion from the shopping cart, inclusion on the wish list, deletion from the wish list, product search, product reviews
Certona tracking ID (anonymized)
Order list, order ID, product ID (pseudonymized), prices
Email hash
A data transfer to the USA takes place. Guarantees pursuant to Article 44 of GDPR and other applicable laws are provided by means of an order data processing contract between us and Certona, which contains standard EU contractual clauses. To view the standard contractual clauses, please send an email to privacy@mytheresa.com.
Legal basis for the processing of data is Art. 6 paragraph 1 sentence 1 lit. a and f of GDPR and/or Article 13 of the Personal Information Protection Law of the People's Republic of China. Our legitimate interests include usage analysis and the related continuous optimization of our Website as well as the offer of personalized web content.
If you don't want to have your data transmitted, please click the following link (Note: If you use opt-out, an opt-out cookie is stored on your device. If you delete the cookies in the browser, then you must make the selection again. Furthermore, the opt-out only applies within the browser you are using, and within our web domain where the box has been unchecked).
13.1.2 Monetate
We likewise use the analysis and personalizing service Monetate of Monetate Inc (located at 951 Hector St, Conshohocken, PA 19428, United States). Monetate uses cookies that are stored on your computer, thus allowing us to analyze the usage of our Website and its optimization. The information generated by the cookies due to your use of this Website is transferred to a Monetate server in the USA and stored and processed there on our behalf. Before further processing, your IP address is anonymized and replaced by a generic one, i.e. one that can no longer be used to identify a person. A direct identification of person is therefore excluded.
The following data is transmitted:
IP address (anonymized)
Device-related data such as device type, model, operating system, browser type and version
Usage-related information such as time of use, dwell time, point of origin
We have not been informed of the storage period by Monetate. There is data transfer to the USA. Monetate is subject to the Privacy Shield and gives guarantees pursuant to Art. 44ff of GDPR, and you can find the details here.
Legal basis for the processing of the data is Art. 6 paragraph 1 sentence 1 lit. a and f of GDPR. Our legitimate interests reside in the usage analysis and the related continuous optimization of our Website.
If you object to the transfer of data, please send an email to privacy@mytheresa.com.
For more information regarding Monetate data protection, please consult the Data Protection Notice of Monetate.
13.2 Tracking pixel
So-called tracking pixels (also 1x1 pixels, web beacons or pixel tags) are 1x1 GIFs loaded when our Website is called up. They enable our partners and us to record statistical data for marketing and web analysis. With appropriate analytical tools, we can use this data for various purposes. The various marketing approaches are explained in more detail below. However, such tracking pixels cannot be used to identify your identity.
13.3 Tracking systems
We use different tracking systems on the Website to partially record your data. This section involves information about the system providers, the purpose of using the provider, whether and what data is collected, how you can prevent data collection, etc. and links to each provider's data protection clauses.
13.3.1 CommandersAct
Our provider CommandersAct, located at Fjord Technologies headquarters | Commanders Act | 3/5 rue Saint-Georges | 75009 Paris | France, provides a solution for the central management and control of our marketing tags as well as the interface for data transfer to our service providers. It also helps us analyze and optimize our offerings and services.
The following personal data is collected:
Communication data
Contract master data (such as product of interest to a user)
Data will be passed on to third parties, but only subject to a contractual agreement in accordance with Art. 28 (2) to (4) of GDPR and/or Article 21 of the Personal Information Protection Law of the People's Republic of China. Data will not be transferred to third countries.
The legal basis for the processing of data by Commanders Act is Art. 6 paragraph 1 sentence 1 lit. a and f of GDPR and/or Article 13 of the Personal Information Protection Law of the People's Republic of China. The use of Commanders Act serves to simplify and continuously improve our marketing activities. These purposes are also our legitimate interests under Art. 6 paragraph 1 sentence 1 lit. f of GDPR.
The personal data collected via this system will only be used for reference purposes. You also have the right to object to this processing. If you object to such processing, processing via this system will be blocked for the future. To object to the processing, please use the option created by Commanders Act to set an opt-out cookie.
To do this, please use the link: https://www.commandersact.com/en/privacy/. You can also visit the commandersact.com website for more information about the collection, use and security of data.
13.3.2 Sentry
We use Sentry, an error management tool. The service provider is the American company Functional Software, Inc, 132 Hawthorne Street, San Francisco, CA 94107, USA.
In the event of errors or crashes of the app, Sentry collects the following data for logging purposes:
Name of your mobile device
individual device ID
device operating system
Functional Data processes data in the USA, among other places. Sentry, or Functional Software, is an active participant in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data from Europe into the USA. In addition, Functional Software uses so-called standard contractual clauses (Art. 46 para. 2 and 3 GDPR).
The legal basis is Art. 6 para. 1 letter f GDPR. The data is not transferred to third parties. The data logged by Sentry is deleted after 90 days.
Since the processing described is absolutely necessary for the operation of the app, there is no possibility of objection.
You can find out more about the data processed through the use of Sentry at https://sentry.io/privacy/.
13.3.3 Validity
We use Validity, a service from Validity, Inc. having its address at 100 Summer St, Suite 2900, Boston, MA 02110, to optimize our email delivery and increase the profitability of email channels. Validity uses web beacons to track user behavior.
The following data is processed:
Email address
Email service provider
The time the email was opened & the duration of the read-time
Campaign type (e.g. newsletter, transactional emails)
A data transfer to the USA takes place.
Validity adheres to the principles set forth in the Data Privacy Framework. As such, Validity complies with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF as set forth by the U.S. Department of Commerce.
Validity has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.
The legal basis for processing of data is Art. 6 paragraph 1 sentence 1 lit. a and f of GDPR and/or Article 13 of the Personal Information Protection Law of the People's Republic of China. Our legitimate interests reside in the use of optimized customized emails to maximize the response and conversion rates of marketing activities.
If you object to the transmission of the data, please send an email to privacy@mytheresa.com.
You can find more information about the privacy policy of Validity in the Privacy Policy - Validity.
13.3.4 Snowplow
This website uses the following technology of Snowplow Analytics Ltd 3rd Floor, 48-50 Scrutton Street, London EC2A 4HH, United Kingdom. Snowplow serves as a pipeline as a service, i.e. a pipeline is provided that is deployed in our infrastructure to stream data from our product (web/app) to a database (our database in AWS) to visualize user behavior and map events to campaigns. Cookies and similar technologies are used to process user data from your tablet, mobile phone, or computer, such as:
HTTP-header information, which can be used to identify your web browser, device, OS, and screen resolution. This header may also contain information about your country of origin, language settings, and the URL from which you were referred. For apps also, type of the operating system, version of the mobile operating system, device vendor, model of the device, system language and screen resolution in pixels.
Identifiers related to your device, browser, network or account, such as your:
• IP address (anonymised)
• cookie ID
• device ID
• user ID (pseudonymised)
• advert ID
• Geo-information based on IP address (country, region, city)
• Interactions with our website and app, which includes page views, click, touch, and scroll interactions, searches, installs, and completed and incomplete purchases via our websites and apps.
The use takes place based on Art. 6 paragraph 1 sentence 1 lit. a. GDPR and Art. 6 paragraph 1 sentence 1 lit. f. GDPR.
The user can prevent such analyses by not agreeing to the use of marketing and analysis cookies when accessing the website or by revoking their consent later by rejecting them in the cookie settings.
14 PERSONALIZED RECOMMENDATIONS
At Mytheresa, we use data to provide personalized recommendations to enhance your shopping experience. By analyzing user interactions with our website and services, we tailor content and suggestions to better suit your preferences. These recommendations are generated using advanced algorithms that process anonymized and pseudonymized data.
(a) Scope of Personalized Recommendations: Personalized recommendations may include tailored product suggestions aimed at improving your experience with our services.
(b) Data Used for Recommendations: The following data is utilized to create personalized recommendations:
IP address: Collected without assignment to a specific user profile.
Device-related data: Such as device type and model, operating system, browser type, and version.
Usage-related information: Including time of use, dwell time, and point of origin.
Information about purchasing behavior: Such as purchases, placement of items into the shopping cart, deletion from the shopping cart, inclusion on and deletion from the wish list, product searches, and product reviews.
Certona tracking ID: An anonymized identifier.
Order-related data: Including order list, order ID, product ID (pseudonymized), and prices.
Email hash: Used to match anonymized user profiles for accurate personalization.
(c) Control and Preferences: While personalized recommendations aim to improve your experience, you can disable them by adjusting your settings as described in our Privacy Policy Section 13.1.1.
15 SURVEYS
15.1 Customer Satisfaction Surveys
We conduct customer satisfaction surveys to continuously optimize our products and services. You can voluntarily participate in the customer satisfaction survey, either by clicking on an appropriate link we sent you by email as a selected customer, or by participating as a selected customer in a customer satisfaction survey displayed to you on our Website. We use the tool Forsta provided by Dapresy Deutschland GmbH, Engersche Str. 176, 33611 Bielefeld, a service provider based in Germany, to conduct the customer satisfaction survey. The following data will be provided to Forsta when you participate in the customer satisfaction survey:
Email address
Email hash
Language, such as German
Forsta stores the following data:
Email address
IP address
Email hash
Survey results
A response ID
Language, such as German
Participant's country
Forsta stores the data for 6 months. A data transfer to the USA takes place. The guarantees under Article 44 of GDPR and other applicable laws are ensured by means of EU standard contracts or transmission is made in other ways that comply with applicable laws.
The legal basis for processing of data is Art. 6 paragraph 1 sentence 1 lit. a and f of GDPR and/or Article 13 of the Personal Information Protection Law of the People's Republic of China. Our legitimate interests lie in the optimization of our products and services.
15.2 Trustpilot
You have the opportunity to rate our company as well as your purchase from us on Trustpilot, Inc., located at 245 5th Avenue, 4th floor, New York, NY 10016, USA ("Trustpilot"). These ratings are voluntary, and the results will be published on https://www.trustpilot.com/ under a freely selectable pseudonym. We would like to thank you for your feedback – every feedback helps us improve our services even further. By submitting a rating of our company, you agree that we may publish your rating on Trustpilot and on our Website. The terms and conditions and privacy policy of Trustpilot apply, as published at https://legal.trustpilot.com/for-reviewers/end-user-privacy-terms. As part of your voluntary participation in the rating via Trustpilot, we will pass on your email address, your first and last names and your customer ID to Trustpilot.
16 AFFILIATE NETWORKS
In addition, we collaborate with affiliate networks, such as Commission Junction/Zanox/etc.
An affiliate network is a service provider from the online advertising sector and an agent between the advertiser (mytheresa.com) and publishers (Website operators). A publisher can enter into a partnership via the affiliate network with mytheresa.com and thus take part in special promotions. Therefore, the publisher integrates a mytheresa advertisement/promotion code/hyperlink in the content on its Website and thus leads the customer to our online shop through, for example, an editorial text.
As soon as the user buys on mytheresa.com, the publisher receives an appropriate commission. Only the information on the sale, such as order ID, product ID and the prices of the products sold, is transferred to the network. No personal data is collected or transferred.
17 SOCIAL BOOKMARKS
So-called social bookmarks (e.g. from Weibo, WeChat and Xiaohongshu) are integrated into our Website. Social bookmarks are internet bookmarks, with which the user of such a service can collect links and news messages. These are integrated into our Website only as a link to the relevant services. After clicking the integrated graphic, you will be forwarded to the site of the relevant provider, i.e. only then will user information be transferred to the relevant provider. Information on processing your personal data in the use of these websites can be found in the relevant data protection terms and conditions of the provider.
18 PERMISSION FOR DIRECT ADVERTISING PURSUANT TO ART. 7, PARA. 3 OF THE GERMAN FAIR TRADE PRACTICES ACT [UWG]
We use the email address collected at the purchase of goods on our Website for direct advertising for our own and similar products. If you no longer wish to receive any direct advertisements, you can object to the use of your email address at any time. To this end, you will find a corresponding link in each newsletter. You can unsubscribe here.
19 USE OF SIGNIFYD
For the administration of payments or to fight fraud in credit card payments, we share rare data with Signifyd Inc. (located at 2540 North First Street, Ste 300, San Jose, CA 95131, USA), which is processed only for the purpose of preventing fraud.
Signifyd uses the transferred data only in suspicious cases to compare it with their database and then provide an estimate of the risk of fraud.
The following data is transferred:
Transaction data (delivery and invoicing address, name, telephone number)
Email address
Shipping country
IP address
The legal basis for the use of the data for fighting fraud is Art. 6, para.1, sentence 1, lit. a and f, GDPR and/or Article 13 of the Personal Information Protection Law of the People's Republic of China.
Personal data may be transferred to the USA. Guarantees are provided pursuant to Art. 44 et seq. of GDPR by means of EU standard contractual clauses or transmission is made in other ways that comply with applicable laws. If you wish to view the standard contractual clauses, please send an email to privacy@mytheresa.com.
20 USE OF EKATA
To combat credit card fraud, we occasionally share with Ekata (Ekata, Inc., located at 1301 Fifth Avenue, Suite 1600, Seattle, WA 98101, USA) information that is processed solely for this purpose.
Ekata uses the provided data only in suspicious cases, to check it against their database and then make an assessment of the risk of fraud.
The following data will be transmitted:
First and last names
Complete address (delivery and billing addresses, if different)
Telephone number
IP address
Email address
The legal basis for processing of data is Article 6, para.1, sentence 1, lit. a and f of GDPR and/or Article 13 of the Personal Information Protection Law of the People's Republic of China. As part of the weighing of interests pursuant to Art. 6, para.1, lit. f of GDPR, we have considered and weighed our interests in the service of Ekata and your interests in processing your personal data in compliance with data protection regulations, and have come to the conclusion that our legitimate interests prevail, namely the intention to make a profit, the reduction of default rate and protection against credit risks.
Personal data will be transmitted to the United States. Guarantees are provided pursuant to Articles 44 et seq. of GDPR by means of standard EU contractual clauses or transmission is made in other ways that comply with applicable laws. If you would like to view these standard contractual clauses, please send an email to privacy@mytheresa.com. Ekata does not provide precise information about the duration of data storage. You can find the Ekata privacy policy here.
21 USE OF RISK.IDENT
To avoid cases of fraud, we use the services of Risk.Ident GmbH (business registration No.: HRB 124968, having its address at Am Sandtorkai 50, 20457 Hamburg) to operate our Website.
The data you provide when placing an order can be used to check whether the ordering process is typical.
Risk.Ident collects and processes data using cookies and other tracking technologies. There is no assignment to any specific user in this process. If IP addresses are collected by Risk.Ident, they are immediately encrypted.
The data is stored by Risk.Ident in a database for fraud prevention.
As part of an ordering process on our Website, we retrieve a risk assessment from the Risk.Ident database.
The legal basis for processing the data for the purpose of fraud prevention is Article 6 paragraph 1 lit. f GDPR and/or Article 13 of the Personal Information Protection Law of the People's Republic of China.
22 DISCLOSING DATA
There will be no transfer of your personal data to a third party apart from for the specified purposes.
We disclose your personal data to a third party only if:
you have given your explicit consent to do so,
the disclosure is required for asserting, exercising or defending legal rights and there are no grounds for assuming that you have overriding legitimate interests in the non-disclosure of your data,
there is a statutory obligation for the disclosure, and
this is legally permissible and required for establishing the contractual relationship with you.
Fundamentally, the high level of data protection in Europe does not apply to data transfer outside the European Union. For a transfer, there is currently no adequacy decision by the EU Commission in the sense of Art. 45, para. 1(3) of GDPR. This means that the EU Commission has not yet positively determined that the country-specific level of data protection corresponds to the level of data protection of the European Union based on GDPR, which is why we have created the abovementioned suitable guarantees.
Possible risks, which cannot be completely excluded in connection with the data transfer include the following in particular:
Your personal data could possibly be processed beyond the actual purpose.
Moreover, there is a possibility that you cannot sustainably assert and implement any of your legal data protection rights, such as your right to information, correction, deletion or data portability.
There may also be a higher probability that there could be incorrect data processing and that the personal data does not quantitatively and qualitatively meet, or does not fully meet, the requirements of GDPR and other applicable laws.
23 INSTRUCTION ON THE RIGHTS OF AFFECTED PERSONS
23.1 Rights of the affected person
If your personal data is processed, you are the affected person in the meaning of GDPR, the Personal Information Protection Law of the People's Republic of China or other applicable laws and you have the following rights against the controller:
23.2 Right to Information
You can demand from the responsible person a confirmation of your personal data processed by us which affects you.
If there is such processing, you can demand information on the following from the responsible person:
the purpose for which your personal data is being processed;
the categories of personal data being processed;
the recipient and/or the categories of recipients to whom the personal data affecting you is being or will be disclosed;
the planned storage time for the personal data affecting you or, if concrete details on this are not available, the criteria for determining the duration of storage;
the existence of a right to correction or deletion of the personal data affecting you, a right to restrict the processing by the responsible person or a right to object to this processing;
the existence of a right to appeal to a supervisory authority;
all available information on the origin of the data if the personal data is not collected from the affected person;
the existence of automated decision-making, especially profiling, pursuant to Art. 22, paragraphs 1 and 4 of GDPR and – at least in these cases – significant information about the logic involved and the scope and the intended effects of such processing on the affected person.
You have the right to demand information about whether the personal data affecting you is transferred to a third country or an international organization. In this context, you can demand to be informed about the suitable guarantees in Art. 46 of GDPR or other applicable laws in connection with the transfer.
23.3 Right of Correction
You have the right to correction and/or completion against the responsible person, if the personal data processed that affects you is incorrect or incomplete. The responsible person must make the correction without delay.
23.4 Right of Restricting the Processing
Under the following prerequisites, you can demand the restriction of the processing of the personal data affecting you:
if the correctness of the personal data affecting you has been disputed over a period, which enables the responsible person to check the correctness of the personal data;
if the processing is unlawful and you reject deletion of the personal data and instead of this, you request the restriction of the use of the personal data;
if the responsible person no longer needs the personal data for the purpose of processing, but you need the data for asserting, exercising or defending legal rights, or
if you have appealed against the processing pursuant to Art. 21, para. 1 of GDPR and it has still not been determined whether the legitimate grounds of the responsible person outweigh your grounds.
If the processing of the personal data affecting you is restricted, such data, apart from their storage, may only be processed with your consent or be used for asserting, exercising or defending legal rights or to protect the rights of another natural person or legal entity or on the grounds of an important public interest of the Union or a member state.
If the processing is restricted pursuant to the abovementioned prerequisites, you will be notified by the responsible person before the restriction is lifted.
23.5 Right of Deletion
a) Obligation of Deletion
You can demand from the responsible person that the personal data affecting you be deleted without delay and the responsible person is duty bound to delete the data without delay, unless one of the following grounds applies:
the personal data affecting you is no longer necessary for the purpose for which it was collected or processed in another way.
You withdraw your consent on which the processing under Art. 6, para. 1(1), lit. a or Art. 9, para. 2, lit. a, GDPR or Article 13 of the Personal Information Protection Law of the People's Republic of China is based and there is an absence of another legal basis for the processing.
Pursuant to Art. 21, para. 1, GDPR, you appeal against the processing and there are no overriding legitimate grounds for processing or you appeal against the processing under Art. 21, para. 2, GDPR.
The personal data affecting you has been unlawfully processed.
The deletion of the personal data affecting you is necessary for fulfilling a legal obligation under Union law or the law of the member state to which the responsible person is subject.
The personal data affecting you was collected regarding the services offered by the information society under Art. 8, para. 1, GDPR.
b) Information to Third Parties
If the responsible person has disclosed the personal data affecting you and is obligated to delete the data under Art. 17, para. 1, GDPR and/or Article 47 of the Personal Information Protection Law of the People's Republic of China, they shall take suitable measures, taking account of the available technology and the costs of implementation, including of a technological type, to inform the person responsible for the data processing, who processes the personal data, that you, as the affected person, have demanded the deletion of all links to such personal data or of copies or replications thereof.
c) Exceptions
There is no right of deletion if the processing is required
to exercise the right to freedom of expression and information;
to fulfil a legal obligation, for which the processing is required under Union law or the law of the member state to which the responsible person is subject, or to perform a task which is in the public interests or ensues in exercising public authority which has been transferred to the responsible person;
on grounds of public interests around public health pursuant to Art. 9, para. 2, lit. h and i as well as Art. 9, para. 3, GDPR;
for purposes of archiving, scientific or historical research or for statistical purposes pursuant to Art. 89, para. 1, GDPR, insofar as the laws cited under item a) are anticipated to make this processing impossible or seriously impair it, or
to assert, exercise or defend legal rights;
in other circumstances stipulated by applicable laws.
23.6 Right of Notification
If you exercise the right of correction, deletion or restriction of the processing to the responsible person, they are obligated to notify all recipients to whom the personal data affecting you has been disclosed of this correction or deletion of the data or restriction of the processing, unless this proves to be impossible or is associated with disproportionate expenditure.
You have the right against the responsible person to inform these recipients.
23.7 Right of Data Portability
You have the right to receive the personal data affecting you, which you made available to the responsible person, in a structured, accessible and machine-readable format. In addition, you have the right to transfer such data to another responsible person without hindrance by the responsible person to whom the personal data was made available, if
the processing was based on consent pursuant to Art. 6, para. 1(1), lit. a GDPR or Art. 9, para. 2, lit. a, GDPR and/or Article 13(1) of the Personal Information Protection Law of the People's Republic of China or on a contract pursuant to Art.6, para. 1(1), lit. b, GDPR and/or Article 13(2) of the Personal Information Protection Law of the People's Republic of China; and
the processing is done with the help of an automated process.
In addition, in exercising this right, you also have the right to have the personal data affecting you transferred directly from a responsible person to another responsible person, if this is technically possible. Freedom and rights of other persons may not be affected by this.
The right of data portability does not apply to the processing of personal data that is necessary for performing a task which lies in the public interests or ensues in exercising public authority, which has been transferred to the responsible person.
23.8 Right to Object
You have the right to object at any time to the processing of the personal data affecting you ensuing from Art. 6, para. 1(1), lit. e or f, GDPR and/or Article 13 of the Personal Information Protection Law of the People's Republic of China, for reasons arising from your own special situation; this also applies to profiling supported by one of these provisions.
The responsible person no longer processes the personal data affecting you, unless they can demonstrate compelling, legitimate reasons for the processing which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal rights.
If the personal data affecting you is processed for direct advertising, you have the right to object at any time to the processing of the personal data affecting you for the purpose of such advertising; this also applies to profiling if it is related to such direct advertising.
If you object to the processing for the purpose of direct advertising, the personal data affecting you will no longer be processed for this purpose.
Irrespective of EU Directive 2002/58/EU and other applicable laws, in connection with the use of the services of the information society, you can exercise your right to object by means of automated process in respect of which technical specifications are applied.
23.9 Right to Revoke the Declaration of Consent under Data Protection Law
You have the right to revoke your declaration of consent under data protection law at any time. By revoking the consent, the legality of the processing undertaken up to the revocation is not affected.
23.10 Automated Decision-making in the Individual Case, Including Profiling
You have the right not to be subject to a decision based exclusively on automated processing, including profiling which has a legal effect on you or which seriously impairs you in a similar way. This does not apply if the decision
is required for concluding or fulfilling a contract between you and the responsible person,
is permissible on the basis of the legal provisions of the Union or the member state to which the responsible person is subject, and these legal provisions contain reasonable measures for safeguarding your rights and freedom, or
takes place with your explicit consent.
However, these decisions may not be based on special categories of personal data under Art. 9, para. 1 of GDPR, insofar as Art. 9, para. 2, lit. a applies and reasonable measures have been taken for protecting your rights and freedom as well as your legitimate interests.
Regarding the cases cited in (1) and (3), the responsible person takes reasonable measures to safeguard your rights and freedom and your legitimate interests. Therefore, you have at least the right to effect the intervention on behalf of the responsible person who can hear the presentation of your standpoint and the appeal against the decision.
23.11 Right to Complain to a Supervisory Authority
Regardless of any other administrative or judicial remedy, you have the right to complain to a supervisory authority, especially in the member state of your place of residence, your place of work or the location of the alleged breach, if you are of the view that the processing of the personal data affecting you breaches the GDPR, the Personal Information Protection Law of the People's Republic of China and other applicable laws.
The supervisory authority to which the complaint was made informs the complainant about the state and the result of the complaint, including but not limited to the opportunity of a judicial remedy under Art. 78 of GDPR.
The following supervisory authority is responsible:
Bayerisches Landesamt für Datenschutzaufsicht
Promenade 27
91522 Ansbach
Telephone: 0981 53 1300
In addition, depending on your country, you may have the right to file a complaint with local supervisory authorities.
24 RIGHT IN THE CASE OF DATA PROCESSING FOR OPERATING DIRECT ADVERTISING
Pursuant to Art. 21, para. 2, GDPR and/or Article 44 of the Personal Information Protection Law of the People's Republic of China, you have the right to object at any time to the processing of personal data affecting you. In the event of a complaint from you against the processing of your personal data for the purpose of direct advertising, your personal data will no longer be processed for this purpose. Please note that the objection has effect only for future data processing. Processing carried out prior to the objection is not affected by this.
25 REFERENCE TO THE RIGHT TO OBJECT IN A BALANCING OF INTERESTS
If we base the processing of your personal data on a balancing of interests, you can object to the processing. In exercising such a right to object, we request that the grounds on which we should not process your personal data as described by us are presented. In the event of your justifiable objection, we will examine the facts and will either cancel or adjust the data processing or explain our compelling, legitimate grounds to you.
26 LINKS TO OTHER WEBSITES
Our Website may contain links to other providers. We point out that this data protection notice applies exclusively to the Website(s) of mytheresa.com. We have no influence on and do not control whether the other providers adhere to the data protection provisions. In addition, we will not frequently start other third party apps automatically or in association without informing you and without your consent or in the absence of reasonable use scenarios.
27 CHANGES TO THE DATA PROTECTION NOTICE
We reserve the right to change or adjust this data protection notice at any time, taking account of the applicable data protection provisions.