
Privacy Policy | Splendido e.U.

The protection of your personal data is important to us. In this privacy policy, we transparently inform you about the collection, processing, and use of your data when visiting and using our online shop at www.splendido.at, in accordance with the General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG), and the Telecommunications Act 2021 (TKG).

1. Responsible Party

Splendido e.U.
Dayana Bahchevanova
Neubaugasse 24, 8020 Graz, Austria
Phone: +43 681 20808264
Email: info@splendido.at
Web: www.splendido.at

VAT Number: ATU80669028
Company Register Number: FN 627740 y
Company Court: Regional Court for ZRS Graz

For questions about data protection or to exercise your rights, please contact info@splendido.at.

We have not appointed a data protection officer as the legal requirements according to Art. 37 GDPR are not met.

2. Collection and Processing of Personal Data

2.1 Website Visit (Server Log Files)

When accessing our website, technical data is automatically collected and stored in server log files: IP address, date and time of access, pages and files accessed, amount of data transferred, referrer URL, browser type, operating system.

  • Purpose: Ensuring technical functionality, system security (e.g., detection and defense against attacks), and optimization of user-friendliness.
  • Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in a secure and functional online shop).
  • Storage duration: Usually 30 days. Longer storage only occurs in the case of security-relevant incidents.

2.2 Orders / Online Shop

For order processing, we collect: first and last name, billing and delivery address, email address, phone number (if provided), and payment information. Payment data is processed exclusively for the execution of the purchase contract and passed on to the respective payment service providers (see section 5).

  • Purpose: Contract fulfillment, invoicing, shipping, and customer support.
  • Legal basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment) as well as Art. 6 para. 1 lit. c GDPR (legal obligations, especially tax retention obligations according to § 132 BAO).
  • Storage duration: Customer data will be deleted upon request after the contract relationship ends. Accounting-relevant data (invoices, order documents) will be retained for 7 years in accordance with § 132 para. 1 BAO.

2.3 Customer Account

Optionally, you can create a customer account to manage your orders, save delivery addresses, and speed up future orders.

  • Collected data: email address, name, password (stored encrypted), optional delivery/billing addresses, order history.
  • Legal basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment).
  • Storage duration: The customer account remains active until you request deletion. Deletion is possible at any time upon request at info@splendido.at.

2.4 Contact Form and Direct Email Communication

When using our contact form or sending email inquiries, we collect: name, email address, and other information you voluntarily provide to process your request.

  • Legal basis: Art. 6 para. 1 lit. a GDPR (consent by submitting the request) or Art. 6 para. 1 lit. b GDPR (for pre-contractual inquiries).
  • Storage duration: Until your request is finally processed, then deletion, unless legal retention obligations prevent this.

2.5 Newsletter

When subscribing to the newsletter, we use your email address to send information about products, offers, and news from Splendido e.U.

  • Procedure: Double opt-in (after registration you will receive a confirmation email with an activation link).
  • Unsubscription: possible at any time via the unsubscribe link in every newsletter email or by email to info@splendido.at.
  • Legal basis: Art. 6 para. 1 lit. a GDPR (consent) in conjunction with § 174 para. 5 TKG 2021.
  • Storage duration: Until consent is withdrawn.

3. Cookies and Tracking Technologies

Our online shop uses cookies and comparable technologies, which are divided into four categories. A complete, automatically updated overview of all cookies used (name, provider, storage duration, purpose) can be found in our Cookie Policy.

3.1 Technically Necessary Cookies

These cookies are necessary for the operation of the shop (e.g., shopping cart, security, checkout, language settings). They cannot be disabled.

Legal basis: § 165 para. 3 TKG 2021 in conjunction with Art. 6 para. 1 lit. f GDPR.

3.2 Functional Cookies

These cookies enable convenience features such as automatic translation, recently viewed products, or saved preferences.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent) in conjunction with § 165 para. 3 TKG 2021.

3.3 Performance/Statistics Cookies

We use the following analysis tools only after your consent:

Google Analytics 4 (GA4)
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
GA4 is operated with Google Consent Mode v2 enabled and IP anonymization. Without your consent, no personal data is transmitted to Google (only aggregated, cookie-less pings for statistical modeling).
Storage duration of GA4 data records: 14 months.

Shopify Analytics
Provider: Shopify International Ltd., Dublin, Ireland (see section 4).

Microsoft Clarity
Provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. In the EU: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.
Purpose: Analysis of user behavior through heatmaps, session recordings, scroll and click tracking to optimize usability and the checkout process.
Processed data: truncated IP address, device and browser information, approximate location (country/region), interactions on the website, page views, duration of stay, referrer URL. Sensitive form inputs (passwords, payment data) are masked by default.
With consent given, Microsoft Clarity sets cookies including _clck (1 year), _clsk (1 day), CLID (1 year), MUID (1 year), ANONCHK (10 minutes), MR (7 days), SM (session). Without consent, no cookies are set; Microsoft Clarity then operates in cookieless mode without processing identifying data.
Microsoft Clarity is operated within Microsoft Cloud services certified according to ISO 27018 (protection of personal data in public clouds) and ISO 27701 (Privacy Information Management System).
Data transfer to the USA based on the EU-U.S. Data Privacy Framework (Microsoft Corporation is certified), supplemented by Standard Contractual Clauses (SCC) according to Art. 46 GDPR.
Note: Microsoft Clarity is currently not part of Microsoft’s EU Data Boundary. Processing mainly takes place on servers in the USA, secured by the aforementioned guarantees (DPF and Standard Contractual Clauses).
Storage duration: up to 13 months pseudonymized, unless revoked earlier.
Data processing agreement according to Art. 28 GDPR: Microsoft provides a uniform Data Protection Addendum (DPA) for all commercial services, available at microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.
More information: privacy.microsoft.com/de-de/privacystatement and clarity.microsoft.com.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent) in conjunction with § 165 para. 3 TKG 2021.

3.4 Marketing and targeting cookies

We use the following marketing tools only with your consent:

Google Ads
Provider: Google Ireland Limited, Dublin, Ireland. Purpose: Conversion tracking, remarketing, optimization of advertisements.

Meta/Facebook Pixel (via Shopify Facebook & Instagram Channel)
Provider: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland. Purpose: conversion tracking, remarketing, audience building for advertisements. The pixel is operated via the official Shopify Facebook & Instagram Channel using the Shopify Customer Privacy API and automatically respects your cookie consent.

Klaviyo (email marketing and pop-ups)
Provider: Klaviyo Inc., 125 Summer Street, Boston, MA 02110, USA.
EU representative according to Art. 27 GDPR: European Data Protection Office (EDPO), Ground Floor, 71 Lower Baggot Street, Dublin D02 P593, Ireland. Contact via the official request form: edpo.com/gdpr-data-request/
Purpose: newsletter registration, lead generation pop-ups, email marketing campaigns, customer segmentation. Data transfer to the USA based on the EU-U.S. Data Privacy Framework (see section 8). Set cookies include, among others, __kla_id (visitor identification).

Legal basis: Art. 6 para. 1 lit. a GDPR (consent) in conjunction with § 165 para. 3 TKG 2021.

3.5 Consent and withdrawal

On your first visit to our website, you will be given the option via our cookie banner to give your consent for each category individually, accept all cookies, or reject all marketing and analytics cookies.

  • Consent management: Pandectes GDPR Cookie Consent (Pandectes Ltd., based in Cyprus), integrated with the Shopify Customer Privacy API.
  • Withdrawal of consent: You can withdraw your consent at any time by clicking the cookie icon at the bottom left of each page and adjusting your selection.
  • Validity: Consent is stored for 12 months from the time it is given; afterwards, you will be asked to make a decision again.

4. Platform: Shopify

Our online shop is operated via the Shopify platform.

  • Provider for EU customers: Shopify International Ltd., 2nd Floor Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland.
  • Parent company: Shopify Inc., 151 O’Connor Street, Ottawa, Canada. There is an adequacy decision by the EU Commission for Canada (Art. 45 GDPR), ensuring an adequate level of data protection.
  • Data processing agreement (DPA): exists according to Art. 28 GDPR.
  • Categories of processed data: shop data, order data, customer data, payment and analytics data.

Shopify Network Intelligence: As part of the Shopify infrastructure, aggregated, pseudonymized usage data is used to improve AI functions (e.g., Shopify Magic), fraud detection, and marketing recommendations. Other merchants do not have access to your data.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in platform security and optimization).

5. Payment Service Providers

To process payments, we pass your payment data to the following service providers:

  • Shopify Payments (Stripe): Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland.
  • PayPal: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg.
  • Klarna: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden.
  • Apple Pay / Google Pay: Apple Distribution International Ltd., Ireland / Google Ireland Ltd., Ireland.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment).

6. Shipping Service Providers

For shipping your orders, we pass on your name and delivery address to the following shipping partners:

  • Österreichische Post AG: Rochusplatz 1, 1030 Vienna.
  • DHL: Deutsche Post DHL Group, 53113 Bonn, Germany.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment).

7. Used Apps and Third-Party Services

7.1 Google & YouTube Sales Channel

Integration with Google Merchant Center, Google Ads, and YouTube for product listing and advertising purposes.

  • Provider: Google Ireland Limited, Dublin, Ireland.
  • Legal basis: Art. 6 para. 1 lit. a GDPR (consent for marketing functions).

7.2 Translation App (Translation Lab)

Purpose: Automatic translation of our website content into your preferred language. Stores your language preference in a functional cookie.

  • Legal basis: Art. 6 para. 1 lit. a GDPR (consent for functional cookies).

7.3 Email Marketing and Pop-ups (Klaviyo)

Purpose: Sending newsletters, automated email marketing campaigns, displaying pop-ups for lead generation (e.g., discount promotions), segmentation of customer groups.

  • Provider: Klaviyo Inc., 125 Summer Street, Boston, MA 02110, USA.
  • EU representative according to Art. 27 GDPR: European Data Protection Office (EDPO), Ground Floor, 71 Lower Baggot Street, Dublin D02 P593, Ireland. Contact via the official request form: edpo.com/gdpr-data-request/
  • Processed data: Email address, name (optional), order history, interactions with our emails and our website.
  • Data transfer to third countries: USA, based on the EU-U.S. Data Privacy Framework (Klaviyo Inc. is certified under DPF). Additionally, standard contractual clauses (SCC) according to Art. 46 GDPR are used.
  • Legal basis: Art. 6 para. 1 lit. a GDPR (consent through newsletter registration or double opt-in), in conjunction with § 174 para. 5 TKG 2021.
  • Storage duration: Until you withdraw your consent (unsubscribe anytime via the unsubscribe link in every email).

7.4 Cookie Consent Management (Pandectes)

See section 3.5.

7.5 Analysis and UX Tool (Microsoft Clarity)

See section 3.3.

8. Data transfer to third countries

Some of the services used transfer data to servers outside the European Union, especially to the USA and Canada. We ensure the protection of your data on the following bases:

  • USA: Transfer based on the EU-U.S. Data Privacy Framework (Adequacy decision of the EU Commission from July 10, 2023, C(2023)4745). Certified recipients: Google LLC, Meta Platforms Inc., Microsoft Corporation, Klaviyo Inc. Where additional guarantees are required, Standard Contractual Clauses (SCC) according to Art. 46 GDPR are concluded.
  • Canada: Adequacy decision of the EU Commission according to Art. 45 GDPR (Decision 2002/2/EC).

9. Your rights as a data subject

Under the GDPR, you have the following rights:

  • Information (Art. 15 GDPR): Information about the data stored about you.
  • Correction (Art. 16 GDPR): Correction of incorrect or completion of incomplete data.
  • Deletion (Art. 17 GDPR): Deletion of your data. Note: Data required for legal or tax obligations (e.g., invoices that must be retained for 7 years according to § 132 BAO) cannot be deleted before the retention period expires.
  • Restriction of processing (Art. 18 GDPR).
  • Data portability (Art. 20 GDPR): Provision of your data in a common, machine-readable format.
  • Revocation of given consents (Art. 7 para. 3 GDPR): at any time with effect for the future.
  • Objection to processing based on legitimate interests (Art. 21 GDPR), especially against direct advertising.

To exercise your rights, you can contact us directly by email at info@splendido.at. We will respond to your request within 30 days (Art. 12 para. 3 GDPR).

10. Right to complain to the supervisory authority

You have the right to file a complaint with the competent supervisory authority (Art. 77 GDPR):

Austrian Data Protection Authority (DSB)
Barichgasse 40-42, 1030 Vienna, Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Web: www.dsb.gv.at

11. Data security

We implement technical and organizational security measures to protect your data from unauthorized access, loss, or misuse:

  • SSL/TLS encryption (256-bit) for all data transmissions between your browser and our servers (HTTPS).
  • Password hashing for customer accounts.
  • Access controls and regular updates of our security standards.
  • Contractual obligation of all processors to comply with the GDPR.

12. Storage Duration — Overview

| Data Category | Storage Duration |
|---|---|
| Server Log Files | 30 days |
| Customer Account | until deletion by the customer |
| Order Data (Accounting) | 7 years according to § 132 BAO |
| Newsletter Subscription | until revocation |
| Contact Requests | until final processing |
| Cookie Consent | 12 months |
| Google Analytics 4 | 14 months |
| Microsoft Clarity | up to 13 months |

13. Changes to this Privacy Policy

This privacy policy may be updated due to legal changes, new service providers, or technical adjustments. The current version is always available at www.splendido.at/pages/datenschutz. We will inform you appropriately about significant changes.

14. Packaging Licensing (VerpackG)

As a distributor of packaging, we fulfill our obligations according to
the German Packaging Act (VerpackG):

- **LUCID Registration Number:** DE4314073376548
  (Central Packaging Registry Foundation, ZSVR)
- **Dual System:** Interzero Recycling Alliance
  (licensed via Activate by Lizenzero, contract number 102243)

All sales and shipping packaging placed on the market by us in Germany
is licensed according to § 7 VerpackG with an approved dual system and
reported to the ZSVR as part of the annual data report according to
§ 10 VerpackG.

An overview of all registered manufacturers is publicly accessible
at: https://oeffentliche-register.verpackungsregister.org

15. Google Customer Reviews

We use the service "Google Customer Reviews" from Google Ireland
Limited (Gordon House, Barrow Street, Dublin 4, Ireland) for the collection
and publication of reviews from our customers.

**Data Processed After Successful Purchase Completion:**
- Email Address
- Order Number
- Delivery Country
- Estimated Delivery Date
- Product Identifiers (SKU)

**Purpose:** Sending a voluntary customer satisfaction survey approx.
7–14 days after delivery. Participation is optional and only takes place after
active opt-in at checkout.

**Legal Basis:** Consent according to Art. 6 para. 1 lit. a GDPR via
our cookie banner (category "Marketing"). Without consent, the
script is not loaded.

**Third Country Transfer:** Data may be transferred to servers of Google LLC in the
USA. Google is certified under the **EU-US Data Privacy Framework**.
There is a data processing agreement with Google according to
Art. 28 GDPR.

**Storage Duration:** According to Google's retention policies
(maximum 18 months for inactive users).

**Revocation:** You can withdraw your consent at any time via the
"Cookie Settings" link in the footer.

**More Information:**
- Google Privacy Policy: https://policies.google.com/privacy
- Google Customer Reviews Program: https://support.google.com/merchants/answer/7105653

Status: April 30, 2026