1) INFORMATION ON THE COLLECTION OF PERSONAL DATA AND CONTACT DETAILS OF THE CONTROLLER

1.1 We are pleased that you are visiting our website and thank you for your interest. Below we inform you about the handling of your personal data when you use our website. Personal data means all data by which you can be personally identified.

1.2 The controller in charge of data processing on this website, within the meaning of the General Data Protection Regulation (GDPR), is Hazel & May Boutique.
The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.

1.3 For security reasons and to protect the transmission of personal data and other confidential content (e.g. orders or enquiries to the controller), this website uses SSL or TLS encryption. You can recognize an encrypted connection by the character string “https://” and the lock symbol in your browser line.

2) DATA COLLECTION WHEN VISITING OUR WEBSITE

When you use our website for informational purposes only (i.e. if you do not register or otherwise provide us with information), we only collect the data that your browser transmits to our server (so-called “server log files”). When you visit our website, we collect the following data, which is technically necessary to display the website to you:

• Our visited website

• Date and time of access

• Amount of data sent in bytes

• Source/referrer from which you reached the page

• Browser used

• Operating system used

• IP address used (where applicable: in anonymized form)

Processing is carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in improving the stability and functionality of our website. The data will not be passed on or used in any other way. However, we reserve the right to check the server log files retrospectively if there are concrete indications of unlawful use.

3) COOKIES

To make your visit to our website attractive and to enable certain functions, we use cookies on various pages. These are small text files stored on your device. Some cookies are deleted after the end of the browser session (session cookies). Other cookies remain on your device and allow us or our partner companies (third-party cookies) to recognize your browser on your next visit (persistent cookies). If cookies are set, certain user information is collected and processed to an individual extent (e.g. browser and location data, IP address). Persistent cookies are automatically deleted after a specified period, which may vary.

In some cases, cookies simplify the ordering process (e.g. remembering the contents of a shopping cart for a later visit). Insofar as personal data is also processed via cookies implemented by us, processing takes place in accordance with Art. 6(1)(b) GDPR for contract performance or Art. 6(1)(f) GDPR to safeguard our legitimate interests in the best possible functionality of the website and a customer-friendly experience.

We may work with advertising partners who help make our website more interesting for you. For this purpose, cookies from partner companies may also be stored on your hard drive (third-party cookies). If we work with such advertising partners, you will be informed below about the use of such cookies and the scope of the information collected.

You can set your browser to inform you about the setting of cookies and decide individually whether to accept them, or to exclude acceptance for certain cases or in general. Instructions can be found here:
Internet Explorer: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies
Firefox: https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen
Chrome: https://support.google.com/chrome/answer/95647
Safari: https://support.apple.com/kb/ph21411
Opera: https://help.opera.com/en/latest/web-preferences/#cookies

If you do not accept cookies, the functionality of our website may be restricted.

4) CONTACTING US

When contacting us (e.g. via contact form or e-mail), personal data is collected. Which data is collected can be seen from the respective contact form. This data is used exclusively for the purpose of responding to your request or for establishing contact and the associated technical administration. The legal basis is our legitimate interest in responding to your request in accordance with Art. 6(1)(f) GDPR. If your contact aims at concluding a contract, the additional legal basis is Art. 6(1)(b) GDPR. Your data will be deleted after final processing of your request, provided there are no statutory retention obligations.

5) DATA PROCESSING WHEN OPENING A CUSTOMER ACCOUNT AND FOR CONTRACT PROCESSING

In accordance with Art. 6(1)(b) GDPR, personal data will be collected and processed if you provide it to us for the execution of a contract or when opening a customer account. Which data is collected can be seen from the input forms. Deletion of your customer account is possible at any time by sending a message to the controller. We store and use the data you provide for contract performance. After complete processing of the contract or deletion of your account, your data will be blocked with regard to tax and commercial retention periods and deleted after these periods, unless you have expressly consented to further use or we are legally permitted to further use the data.

6) USE OF YOUR DATA FOR DIRECT ADVERTISING

6.1 Subscription to our e-mail newsletter
If you subscribe to our newsletter, we will send you regular information about our offers. Required data: your e-mail address (other data optional). We use the double opt-in procedure. By activating the confirmation link, you consent to the use of your personal data in accordance with Art. 6(1)(a) GDPR. We store your IP address and the date/time of registration to prevent misuse. You can unsubscribe at any time via the link in the newsletter or by contacting the controller; your e-mail will then be deleted from the distribution list unless you consent to further use or we reserve a legally permitted further use.

6.2 Newsletter to existing customers
If you have provided your e-mail address when purchasing, we may send you offers for similar goods/services via e-mail on the basis of our legitimate interest in personalized direct advertising (Art. 6(1)(f) GDPR). You can object at any time; after objection, no further e-mails will be sent.

7) DATA PROCESSING FOR ORDER PROCESSING

7.1 Personal data collected by us will be forwarded to the transport company commissioned with the delivery where necessary and to the payment provider for payment processing (Art. 6(1)(b) GDPR).

7.2 Use of payment service providers

• PayPal (PayPal Europe S.à r.l. et Cie, S.C.A., Luxembourg). Data transfer per Art. 6(1)(b) GDPR. PayPal may carry out a credit check (Art. 6(1)(f) GDPR). Privacy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

• SOFORT / Klarna (SOFORT GmbH, Germany; part of Klarna Bank AB). Data transfer per Art. 6(1)(b) GDPR. Privacy: https://www.klarna.com/sofort/datenschutz

8) RATING REMINDERS

We may use your e-mail address once to remind you to submit a review if you have expressly consented (Art. 6(1)(a) GDPR). You can revoke consent at any time by contacting the controller.

9) USE OF SOCIAL MEDIA: SOCIAL PLUGINS

9.1 Facebook (Shariff solution)
Buttons are integrated as HTML links to increase data protection. On click, a new window opens to Facebook. Facebook Inc. (USA) is Privacy Shield-certified. Privacy: https://www.facebook.com/policy.php

9.2 Google+ (Shariff solution)
Integrated as HTML links. Google LLC (USA) is Privacy Shield-certified. Privacy: https://www.google.com/policies/privacy/

9.3 Instagram (Shariff solution)
Integrated as HTML links. Instagram LLC (USA) is Privacy Shield-certified. Privacy: https://help.instagram.com/155833707900388/

10) ONLINE MARKETING

10.1 DoubleClick by Google
Uses cookies for ad relevance and conversion tracking (Art. 6(1)(f) GDPR). Settings/opt-out: https://www.google.de/settings/ads and www.aboutads.info. Privacy: https://www.google.de/policies/privacy/

10.2 Google Ads Conversion Tracking
Cookie set after ad click; used for conversion stats (Art. 6(1)(f) GDPR). Opt-out via browser settings or plugin: https://www.google.com/settings/ads/plugin?hl=de. Privacy: https://www.google.de/policies/privacy/

11) WEB ANALYSIS SERVICES

Google (Universal) Analytics
Uses cookies. IP anonymization (“_anonymizeIp()”). Processing per Art. 6(1)(f) GDPR for statistical analysis. Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de
Mobile opt-out via opt-out cookie (browser/domain-specific). Further info: https://support.google.com/analytics/answer/2838718?hl=de

12) RETARGETING / REMARKETING / REFERRAL ADVERTISING

Facebook Custom Audience (Pixel)
With explicit consent (Art. 6(1)(a) GDPR). Data may be linked to Facebook profiles; Privacy: https://www.facebook.com/about/privacy/
Opt-out cookies via browser or www.aboutads.info/choices/

Google Ads Remarketing
Cookie with pseudonymous ID; legitimate interest (Art. 6(1)(f) GDPR). Cross-device remarketing if you consented within your Google account. Opt-outs: https://www.google.com/settings/ads/onweb/ and www.aboutads.info. Privacy: https://www.google.com/policies/technologies/ads/

13) RIGHTS OF THE DATA SUBJECT

You have the following rights under the GDPR vis-à-vis the controller:

• Art. 15 Right of access

• Art. 16 Right to rectification

• Art. 17 Right to erasure

• Art. 18 Right to restriction of processing

• Art. 19 Notification obligation

• Art. 20 Right to data portability

• Art. 7(3) Right to withdraw consent (effective for the future)

• Art. 77 Right to lodge a complaint with a supervisory authority

13.2 RIGHT TO OBJECT
IF WE PROCESS YOUR DATA ON THE BASIS OF LEGITIMATE INTERESTS, YOU MAY OBJECT AT ANY TIME ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, WITH EFFECT FOR THE FUTURE.
IF YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME; AFTER OBJECTION, PROCESSING FOR DIRECT MARKETING WILL CEASE.

14) DURATION OF STORAGE OF PERSONAL DATA

The duration of storage is determined by statutory retention periods (e.g. commercial and tax law). After expiry, the corresponding data is routinely deleted if it is no longer required for contract fulfillment or initiation and/or there is no legitimate interest in continued storage.

---

Contact (Privacy):
Hazel & May Boutique
E-mail: vasprodejce1@gmail.com  Let me know if you want this localized (AU spelling), or tailored for Shopify (with cookie banner text + Do Not Track note).