Privacy Policy
The protection of your personal data is an important concern for us. In this Privacy Policy, we transparently inform you about the collection, processing and use of your data when you visit and use our online shop at www.splendido.at, in accordance with the General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG) and the Telecommunications Act 2021 (TKG).
1. Controller
Splendido e.U.
Dayana Bahchevanova
Neubaugasse 24, 8020 Graz, Österreich
Telephone: +43 681 20808264
Email: info@splendido.at
Web: www.splendido.at
VAT number: ATU80669028
Commercial register number: FN 627740 y
Commercial register court: Regional Court for Civil Matters Graz
For questions regarding data protection or the exercise of your rights, please contact info@splendido.at.
We have not appointed a data protection officer, as the statutory requirements pursuant to Art. 37 GDPR are not met.
2. Collection and Processing of Personal Data
2.1 Visiting the Website (Server Log Files)
When you access our website, technical data is automatically collected and stored in server log files: IP address, date and time of access, pages and files accessed, volume of data transferred, referrer URL, browser type, operating system.
- Purpose: ensuring technical functionality, system security (e.g. detection and prevention of attacks) and optimisation of user-friendliness.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a secure and functioning online shop).
- Storage period: as a rule, 30 days. Longer storage takes place only in the event of security-relevant incidents.
2.2 Orders / Online Shop
For the processing of orders, we collect: first and last name, billing and delivery address, email address, telephone number (if provided) as well as payment information. Payment data is processed exclusively for the processing of the purchase contract and passed on to the respective payment service providers (see Section 5).
- Purpose: performance of the contract, invoicing, shipping and customer support.
- Legal basis: Art. 6(1)(b) GDPR (performance of the contract) as well as Art. 6(1)(c) GDPR (legal obligations, in particular tax retention obligations pursuant to § 132 BAO).
- Storage period: customer data is deleted upon request after the conclusion of the contractual relationship. Accounting-relevant data (invoices, order documents) is retained for 7 years pursuant to § 132 Abs. 1 BAO.
2.3 Customer Account
Optionally, you can create a customer account to manage your orders, store delivery addresses and speed up future orders.
- Data collected: email address, name, password (stored in encrypted form), optional delivery/billing addresses, order history.
- Legal basis: Art. 6(1)(b) GDPR (performance of the contract).
- Storage period: the customer account remains active until you have it deleted. Deletion is possible at any time upon request at info@splendido.at.
2.4 Contact Form and Direct Email Communication
When you use our contact form or make email enquiries, we collect: name, email address and any other information you voluntarily provide for the handling of your enquiry.
- Legal basis: Art. 6(1)(a) GDPR (consent by submitting the enquiry) or Art. 6(1)(b) GDPR (for pre-contractual enquiries).
- Storage period: until your enquiry has been finally dealt with, after which it is deleted, unless statutory retention obligations apply.
2.5 Newsletter
When you subscribe to the newsletter, we use your email address to send information about products, offers and news from Splendido e.U.
- Procedure: double opt-in (after subscribing, you receive a confirmation email with an activation link).
- Unsubscribing: possible at any time via the unsubscribe link in every newsletter email or by email to info@splendido.at.
- Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with § 174 Abs. 5 TKG 2021.
- Storage period: until consent is withdrawn.
3. Cookies and Tracking Technologies
Our online shop uses cookies and comparable technologies, which are divided into four categories. A complete, automatically updated overview of all cookies used (name, provider, storage period, purpose) can be found in our Cookie Policy.
3.1 Technically Necessary Cookies
These cookies are required for the operation of the shop (e.g. shopping cart, security, checkout, language setting). They cannot be deactivated.
Legal basis: § 165 Abs. 3 TKG 2021 in conjunction with Art. 6(1)(f) GDPR.
3.2 Functional Cookies
These cookies enable convenience functions such as automatic translation, recently viewed products or saved preferences.
Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with § 165 Abs. 3 TKG 2021.
3.3 Performance / Statistics Cookies
We use the following analytics tools exclusively after your consent:
Google Analytics 4 (GA4)
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
GA4 is operated with Google Consent Mode v2 activated and IP truncation. Without your consent, no personal data is transferred to Google (only aggregated, cookieless pings for statistical modelling).
Storage period for GA4 datasets: 14 months.
Shopify Analytics
Provider: Shopify International Ltd., Dublin, Ireland (see Section 4).
Microsoft Clarity
Provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. In the EU: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.
Purpose: analysis of user behaviour through heatmaps, session recordings, scroll and click tracking to optimise user-friendliness and the checkout process.
Processed data: truncated IP address, device and browser information, approximate location (country/region), interactions on the website, page views, time spent, referrer URL. Sensitive form entries (passwords, payment data) are masked by default.
If consent is given, Microsoft Clarity sets, among others, the cookies _clck (1 year), _clsk (1 day), CLID (1 year), MUID (1 year), ANONCHK (10 minutes), MR (7 days), SM (session). Without consent, no cookies are set; Microsoft Clarity then operates in cookieless mode without identifying data processing.
Microsoft Clarity is operated within the framework of Microsoft Cloud services, which are certified under ISO 27018 (protection of personal data in public clouds) and ISO 27701 (Privacy Information Management System).
Data transfer to the USA on the basis of the EU-U.S. Data Privacy Framework (Microsoft Corporation is certified), supplemented by standard contractual clauses (SCC) pursuant to Art. 46 GDPR.
Note: Microsoft Clarity is currently not part of Microsoft's EU Data Boundary. Processing takes place predominantly on servers in the USA, safeguarded by the aforementioned guarantees (DPF and standard contractual clauses).
Storage period: up to 13 months in pseudonymised form, unless an earlier withdrawal takes place.
Data processing agreement pursuant to Art. 28 GDPR: Microsoft provides a uniform Data Protection Addendum (DPA) for all commercial services, available at microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.
Further information: privacy.microsoft.com/de-de/privacystatement and clarity.microsoft.com.
Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with § 165 Abs. 3 TKG 2021.
3.4 Marketing and Targeting Cookies
We use the following marketing tools exclusively after your consent:
Google Ads
Provider: Google Ireland Limited, Dublin, Ireland. Purpose: conversion tracking, remarketing, optimisation of advertisements.
Meta/Facebook Pixel (via the Shopify Facebook & Instagram Channel)
Provider: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland. Purpose: conversion tracking, remarketing, audience building for advertisements. The pixel is operated via the official Shopify Facebook & Instagram Channel using the Shopify Customer Privacy API and automatically respects your cookie consent.
Klaviyo (email marketing and pop-ups)
Provider: Klaviyo Inc., 125 Summer Street, Boston, MA 02110, USA.
EU representative pursuant to Art. 27 GDPR: European Data Protection Office (EDPO), Ground Floor, 71 Lower Baggot Street, Dublin D02 P593, Ireland. Contact via the official request form: edpo.com/gdpr-data-request/
Purpose: newsletter subscription, pop-ups for lead generation, email marketing campaigns, customer segmentation. Data transfer to the USA on the basis of the EU-U.S. Data Privacy Framework (see Section 8). Cookies set: among others __kla_id (visitor identification).
Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with § 165 Abs. 3 TKG 2021.
3.5 Consent and Withdrawal
On your first visit to our website, you are given the opportunity, via our cookie banner, to grant your consent for each category individually, to accept all cookies, or to reject all marketing and analytics cookies.
- Consent management: Pandectes GDPR Cookie Consent (Pandectes Ltd., based in Cyprus), integrated with the Shopify Customer Privacy API.
- Withdrawal of consent: you can withdraw your consent at any time by clicking the cookie icon at the bottom left of every page and adjusting your selection.
- Validity: consent is stored for 12 months from the time it is granted; after that, you will be asked to make a decision again.
4. Platform: Shopify
Our online shop is operated via the Shopify platform.
- Provider for EU customers: Shopify International Ltd., 2nd Floor Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland.
- Parent company: Shopify Inc., 151 O’Connor Street, Ottawa, Canada. For Canada, there is an adequacy decision of the EU Commission (Art. 45 GDPR), which ensures an adequate level of data protection.
- Data processing agreement (DPA): exists pursuant to Art. 28 GDPR.
- Categories of processed data: shop data, order data, customer data, payment and analytics data.
Shopify Network Intelligence: Within the Shopify infrastructure, aggregated, pseudonymised usage data is used to improve AI features (e.g. Shopify Magic), fraud detection and marketing recommendations. Other merchants do not gain any insight into your data.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in platform security and optimisation).
5. Payment Service Providers
For the processing of payments, we pass on your payment data to the following service providers:
- Shopify Payments (Stripe): Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland.
- PayPal: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg.
- Klarna: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Schweden.
- Apple Pay / Google Pay: Apple Distribution International Ltd., Ireland / Google Ireland Ltd., Ireland.
Legal basis: Art. 6(1)(b) GDPR (performance of the contract).
6. Shipping Service Providers
To ship your orders, we pass on your name and delivery address to the following shipping partners:
- Österreichische Post AG: Rochusplatz 1, 1030 Wien.
- DHL: Deutsche Post DHL Group, 53113 Bonn, Deutschland.
Legal basis: Art. 6(1)(b) GDPR (performance of the contract).
7. Apps and Third-Party Services Used
7.1 Google & YouTube Sales Channel
Integration with Google Merchant Center, Google Ads and YouTube for the purpose of product listing and advertising.
- Provider: Google Ireland Limited, Dublin, Ireland.
- Legal basis: Art. 6(1)(a) GDPR (consent for marketing functions).
7.2 Translation App (Translation Lab)
Purpose: automatic translation of our website content into your preferred language. Stores your language preference in a functional cookie.
- Legal basis: Art. 6(1)(a) GDPR (consent for functional cookies).
7.3 Email Marketing and Pop-ups (Klaviyo)
Purpose: sending newsletters, automated email marketing campaigns, displaying pop-ups for lead generation (e.g. discount promotions), segmentation of customer groups.
- Provider: Klaviyo Inc., 125 Summer Street, Boston, MA 02110, USA.
- EU representative pursuant to Art. 27 GDPR: European Data Protection Office (EDPO), Ground Floor, 71 Lower Baggot Street, Dublin D02 P593, Ireland. Contact via the official request form: edpo.com/gdpr-data-request/
- Processed data: email address, name (optional), order history, interactions with our emails and our website.
- Data transfer to third countries: USA, on the basis of the EU-U.S. Data Privacy Framework (Klaviyo Inc. is DPF-certified). In addition, standard contractual clauses (SCC) pursuant to Art. 46 GDPR are used.
- Legal basis: Art. 6(1)(a) GDPR (consent through newsletter subscription or double opt-in), in conjunction with § 174 Abs. 5 TKG 2021.
- Storage period: until you withdraw your consent (unsubscribing is possible at any time via the unsubscribe link in every email).
7.4 Cookie Consent Management (Pandectes)
See Section 3.5.
7.5 Analytics and UX Tool (Microsoft Clarity)
See Section 3.3.
7.6 EU Withdrawal Button (Revoq)
To fulfil the legal obligation to provide consumers with an easily accessible withdrawal button, we use the app Revoq. Via the form on the "Cancel contract" page, you can submit your contract withdrawal electronically.
Processed data: order number, name, email address, and the details of your withdrawal.
Purpose: receipt, processing and documentation of your contract withdrawal.
Legal basis: Art. 6(1)(c) GDPR (compliance with a legal obligation) in conjunction with Art. 6(1)(b) GDPR (performance of the contractual relationship).
Processor: Processing is carried out by the provider of the Revoq app as a processor on the basis of a data processing agreement (DPA). The data is hosted on servers within the EU; no transfer to third countries takes place.
Storage period: The data is stored for the duration of processing and within the scope of the statutory retention and documentation obligations, and is deleted thereafter.
8. Data Transfer to Third Countries
Some of the services used transfer data to servers outside the European Union, in particular to the USA and Canada. We ensure the protection of your data on the following bases:
- USA: transfer on the basis of the EU-U.S. Data Privacy Framework (adequacy decision of the EU Commission of 10 July 2023, C(2023)4745). Certified recipients: Google LLC, Meta Platforms Inc., Microsoft Corporation, Klaviyo Inc. Insofar as additional guarantees are required, standard contractual clauses (SCC) pursuant to Art. 46 GDPR are concluded.
- Canada: adequacy decision of the EU Commission pursuant to Art. 45 GDPR (Decision 2002/2/EC).
9. Your Rights as a Data Subject
Under the GDPR, you have the following rights:
- Access (Art. 15 GDPR): information about the data stored about you.
- Rectification (Art. 16 GDPR): rectification of incorrect data or completion of incomplete data.
- Erasure (Art. 17 GDPR): erasure of your data. Note: data required for legal or tax obligations (e.g. invoices, which must be retained for 7 years pursuant to § 132 BAO) cannot be erased before the retention period expires.
- Restriction of processing (Art. 18 GDPR).
- Data portability (Art. 20 GDPR): provision of your data in a common, machine-readable format.
- Withdrawal of consent given (Art. 7(3) GDPR): at any time with effect for the future.
- Objection to processing based on legitimate interests (Art. 21 GDPR), in particular to direct marketing.
To exercise your rights, you can contact us directly by email at info@splendido.at. We will respond to your enquiry within 30 days (Art. 12(3) GDPR).
10. Right to Lodge a Complaint with the Supervisory Authority
You have the right to lodge a complaint with the competent supervisory authority (Art. 77 GDPR):
Austrian Data Protection Authority (DSB)
Barichgasse 40-42, 1030 Wien, Österreich
Telephone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Web: www.dsb.gv.at
11. Data Security
We employ technical and organisational security measures to protect your data against unauthorised access, loss or misuse:
- SSL/TLS encryption (256-bit) for all data transfers between your browser and our servers (HTTPS).
- Password hashing for customer accounts.
- Access controls and regular updating of our security standards.
- Contractual obligation of all processors to comply with the GDPR.
12. Storage Period — Overview
| Data category | Storage period |
|---|---|
| Server log files | 30 days |
| Customer account | until deleted by the customer |
| Order data (accounting) | 7 years pursuant to § 132 BAO |
| Newsletter subscription | until withdrawal |
| Contact enquiries | until finally dealt with |
| Cookie consent | 12 months |
| Google Analytics 4 | 14 months |
| Microsoft Clarity | up to 13 months |
13. Changes to this Privacy Policy
This Privacy Policy may be updated due to legal changes, new service providers or technical adjustments. The current version is available at any time at www.splendido.at/pages/datenschutz. In the event of material changes, we will inform you in an appropriate manner.
14. Packaging Licensing
As a party placing packaging on the market, we fulfil our statutory obligations in the countries to which we deliver:
🇩🇪 Germany — Packaging Act (VerpackG):
LUCID registration number: DE4314073376548 (Stiftung Zentrale Stelle Verpackungsregister, ZSVR)
Dual system: Interzero Recycling Alliance (licensed via Activate by Lizenzero, contract number 102243)
All sales and shipping packaging that we place on the market in Germany is licensed with an approved dual system pursuant to § 7 VerpackG and reported to the ZSVR within the scope of the annual data declaration pursuant to § 10 VerpackG.
Public register: https://oeffentliche-register.verpackungsregister.org
🇦🇹 Austria — Waste Management Act (AWG) and Packaging Ordinance 2014 (VerpackVO):
ARA licence number: 28148
Collection and recovery system: Altstoff Recycling Austria AG (ARA), Mariahilfer Straße 123, 1062 Wien
Portal: https://online.ara.at
All household packaging that we place on the market in Austria is licensed with an approved collection and recovery system pursuant to § 13g AWG. The annual volume declaration takes place by 15 January of the following year.
🇳🇱 Netherlands:
Splendido e.U. is below the statutory threshold of 50,000 kg of packaging per calendar year and is therefore exempt from the registration and contribution obligation with Verpact (formerly Afvalfonds Verpakkingen). Packaging records are kept internally and can be presented upon request by the authorities.
15. Google Customer Reviews
We use the "Google Customer Reviews" service of Google Ireland
Limited (Gordon House, Barrow Street, Dublin 4, Ireland) to collect
and publish reviews from our customers.
**Data processed after a successful purchase:**
- email address
- order number
- delivery country
- estimated delivery date
- product identifiers (SKU)
**Purpose:** sending a voluntary customer satisfaction survey approx.
7–14 days after delivery. Participation is optional and takes place only after
active opt-in at checkout.
**Legal basis:** consent pursuant to Art. 6(1)(a) GDPR via
our cookie banner (category "Marketing"). Without consent, the
script is not loaded.
**Transfer to third countries:** data may be transferred to servers of Google LLC in the
USA. Google is certified under the **EU-US Data Privacy Framework**.
A data processing agreement pursuant to
Art. 28 GDPR is in place with Google.
**Storage period:** at Google in accordance with their retention policies
(maximum 18 months for inactive users).
**Withdrawal:** You can withdraw your consent at any time via the link
"Cookie settings" in the footer.
**Further information:**
- Google Privacy Policy: https://policies.google.com/privacy
- Google Customer Reviews programme: https://support.google.com/merchants/answer/7105653
16. Pinterest Tag and Conversions API
On our website, we use the Pinterest Tag as well as the Pinterest Conversions API of Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland (hereinafter "Pinterest").
Tag ID: 2614237900906
Purpose: collection of conversion data to measure the performance of our Pinterest campaigns, optimisation of ad delivery and creation of audience-based advertisements (e.g. retargeting).
Processed data:
- IP address (truncated)
- browser and device information
- pseudonymous identifiers (cookies, click IDs)
- pages visited and actions performed (e.g. "Add to Cart", "Purchase")
- for server-side transmission via the Conversions API: hashed email address and order information
Legal basis: consent pursuant to Art. 6(1)(a) GDPR via our cookie banner (category "Marketing"). Without active consent, the Pinterest Tag is not loaded and no data is transmitted to Pinterest.
Transfer to third countries: data may be transferred to Pinterest, Inc. in the USA. Pinterest is certified under the EU-US Data Privacy Framework. Pinterest Europe Ltd. acts as a joint controller pursuant to Art. 26 GDPR for certain processing operations; a corresponding agreement is in place.
Storage period: Pinterest stores the collected data in accordance with their retention policies (cookies typically up to 1 year).
Withdrawal: You can withdraw your consent at any time via the link "Cookie settings" in the footer. In addition, you can deactivate Pinterest advertising in your Pinterest account under "Settings → Privacy and data".
Further information:
- Pinterest Privacy Policy: https://policy.pinterest.com/de/privacy-policy
- Pinterest Ad-Data Terms: https://policy.pinterest.com/de/ad-data-terms
- Pinterest data protection contact: privacy-support@pinterest.com
17. Custom and Made-to-Measure Orders (Made-to-Order Requests)
For selected pieces of jewellery — in particular rings made to order in your size or as a custom piece — we provide an enquiry form ("Made in your size" / "Order made-to-measure") on the relevant product page. Through this form you can submit a non-binding enquiry about a custom-made item and request an individual indicative price quote.
Processed data: first name, email address, the desired ring size or a special size you specify, and the reference to the requested product (name, item and price as context of the enquiry). Technically, the time of the enquiry and your language setting are also processed.
Purpose: processing your enquiry, preparing an individual quote (indicative price), and the associated contact and correspondence.
Legal basis: Art. 6(1)(b) GDPR (taking steps at your request prior to entering into a contract). If a contract is subsequently concluded, further processing is governed by Section 2.2 (Orders / Online Shop).
Recipients / processors: For the technical handling of the enquiry and subsequent email communication we use Klaviyo (see Section 7.3), which processes the data as a processor on our behalf; for third-country transfers and EU representation, Sections 7.3 and 8 apply.
Storage period: Data collected for a custom enquiry is stored for 12 months from the last communication, unless a contract is concluded. If a contract is concluded, the statutory retention periods apply (see Section 12). You may object to the processing or request erasure at any time (see Section 9).
Last updated: 24 June 2026








