Data Protection Policy

Overview

Welcome to www.ecco-verde.ie! Pursuant to Art 13, Art 14 GDPR and § 165 para 3 TKG, we'll comprehensively inform you about how your data is processed in this section. Please familiarise yourself with how your personal data (hereinafter referred to as "data") is processed and why, when you:

Visit our website
Subscribe to our newsletter email
Contact us
Use our webshop
Have a business relationship with us, as well as:
How long your data will be stored
Which data we collect from other sources (Art 14 GDPR)
Whether automated decision-making takes place
What rights you have in regard to data processing and
Who the data controller is, the contact details of our Data Protection Officer, and how you can contact us.

All the statements in this data protection declaration also comply with the information requirements pursuant to Art 19 of the Swiss Data Protection Act.

We may make changes to this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal or regulatory reasons.

1) What data do we process when you visit our website?

When you visit our website, the following categories of your data may be processed:

Selected language
Browser type
Type of end device used to access the site
Operating system
Country
Date, time and duration of access
Partially masked IP address
Pages visited on our website, including entry and exit pages
Data that you enter via a contact form

These categories of data are processed only to the extent necessary in each case. The processing of this data is justified by our legitimate interest in operating our website (Art 6 Para 1 lit f GDPR).

To operate of our website, it may be necessary for us to transmit your data to the following recipients:

Service provider and data protection information of the provider	Description	Place of processing	Legal bases for data transmission
Hetzner Online Ltd	Website hosting including backup storage	EU/EEA	Order processing according to Art. 28 GDPR

Cookies and other Third Party Services

The above categories of data may also be processed by so-called "cookies" or other third party services. Cookies are small text files that are stored on your device and may include, for example, personal settings, preverences, or browsing history, which can then quickly be retreived by the web server at a later time.

"Technical" cookies exclusively ensure the functionality of our website and do not require your consent. They could, for example, allow you to add items to your shopping basket or allow you to log into your customer account. We use these technical cookies exclusively to the extent that is absolutely necessary. The settings of these technical cookies are determined by pre-contractual measures (Art 6 Para 1 lit b GDPR) or are justified by our overriding legitimate interest in the functionality of our website (Art 6 Para 1 lit f GDPR).

In addition to these technical cookies, we may also use "third party services" (e.g. "marketing cookies", "analysis cookies", "non-required cookies", "pixels", "fingerprinting", "local -/session storage" or similar technologies) if we have your prior, voluntary approval to do so. These services enable us to better understand and evaluate your interests. With the help of these services, we can merge your surfing behaviour beyond the boundaries of our website with data from other websites. This data allows us to better understand the interest of visitors to our websites and to address them in a more targeted manner. For this purpose, the respective categories of your required data will also be transmitted to the respective service provider. We respect that not every visitor to our website wants this. Therefore, we only process your data through these third party services if you give us your prior consent to do so.

You consent to the processing of your data by services that process your data within the EU or the EEA, or in other countries for which there is a valid EU adequacy decision pursuant to Art. 45 GDPR, based on Art 6 Para 1 lit a GDPR, in place. Such an adequacy decision ensures an adequate level of data protection based on the European Commission's standards.

On July 10, 2023, the European Commission published a decision regarding adequacy for the USA. Pursuant to the EU-US Data Privacy Framework (EU-US DPF), data transfers to service providers in the USA are adequate if they are certified in accordance with the Data Privacy Framework (DPF) Program.

Your consent to data processing via services that process your data in countries outside of the EU or EEA that do not have an adequacy decision, or, by services in the United States that have not yet been "Data Privacy Framework Program (DPF)" certified, is based on Art 6 para 1 lit. a in connection with Art 49(1)(a) of the GDPR (exceptions for specific cases).

Your rights in accordance to the processing of your data in such cases cannot be guaranteed, which we expressly point out to you before your consent.

You can manage your consent or revocations at any time via our "cookie banner" pop up window. This pop up window appears on your first visit to our website, and can be called up again by clicking "Privacy settings" at the footer of our website. You can also independently revoke your consent at any time by deleting the activated services from the browser of your device, whereby the data processing that took place until the time of revocation remains justified.

The following third-party services my be activated on our websites prior to your consent. You can find out which of these third-party services are available for selection at www.ecco-verde.ie directly in our cookie banner.

Service	Description	Duration of storage	Place of processing	Legal Basis for Data Transfer	Service provider and data protection information of the provider
Adform	Performance analysis and optimisation of online advertising campaigns	180 days	EU/EEA	Data processing according to Art. 28 GDPR	Adform A/S
Adition	Performance analysis and optimisation of online advertising campaigns	180 days	EU/EEA	Data processing according to Art. 28 GDPR	Virtual Minds GmbH
AdUp	Creating personalised advertising offers	12 months	EU/EEA	Data processing according to Art. 28 GDPR	Axel Springer Teaser Ad Gmbh
AWIN	Targeted display of online advertising	30 days	EU/EEA	Joint responsibility according to Art. 26 GDPR under the conclusion of a joint responsibility agreement. Both parties are contact points for the exercise of rights according to Art.15-20 GDPR	AWIN AG
Brevo	Analysis and statistical evaluation of the website	24 months	EU/EEA	Data processing according to Art. 28 GDPR	SendinBlue GmbH
Clarity	Analysis and statistical evaluation of the website	12 months	EU/EEA, USA	Data processing in accordance with Art. 28 GDPR and via service providers that are Data Privacy Framework (DPF) certified.	Microsoft Corporation
creativecdn.com	Creating personalised advertising offers	12 months	EU/EEA	Joint responsibility according to Art. 26 GDPR under the conclusion of a joint responsibility agreement. Both parties are contact points for the exercise of rights according to Art.15-20 GDPR	RTB House S.A.
Criteo	Creating personalised advertising offers	13 months	EU/EEA	Joint responsibility according to Art. 26 GDPR under the conclusion of a joint responsibility agreement. Both parties are contact points for the exercise of rights according to Art.15-20 GDPR	Criteo SA
Floodlght	Performance analysis and optimisation of online advertising campaigns (the provider may use the data collected to contextualise and personalise ads on its own advertising network, especially if you are logged into an existing account from the service)	2 years	EU/EEA, USA	Data processing according to Art. 28 GDPR and Data Privacy Framework (DPF) certification	Google Ireland Limited
Meta-Pixel	Performance analysis and optimisation of online advertising campaigns (the provider may use the data collected to contextualise and personalise ads on its own advertising network, especially if you are logged into an existing account from the service)	3 months	EU/EEA/USA	Joint responsibility according to Art. 26 GDPR under the conclusion of a joint responsibility agreement and Data Privacy Framework (DPF) certification. Both parties are contact points for the exercise of rights according to Art.15-20 GDPR	Meta Platforms Ireland Limited
Flashtalking	Targeted display of online advertising	60 months	EU/EEA	Data processing according to Art. 28 GDPR	Simplicity Marketing Ltd
Google Analytics	Analysis and statistical evaluation of the website (under privacy-protecting settings, in particular, the deactivation of Google Signals, User ID, personalised ads, data sharing for Google products and services, and the restriction of the collection of location and device data from individual regions).	maximum 14 months	EU/EEA, US	Data processing in accordance with Art. 28 GDPR and Data Privacy Framework (DPF) certification.	Google Ireland Limited
Google Ads	Targeted display of online advertising (The provider may use the data collected to contextualise and personalise the ads of its own advertising network, especially if you are logged into an existing account of the service)	3 months	EU/EEA, US	Data processing in accordance with Art. 28 GDPR and Data Privacy Framework (DPF) certification.	Google Ireland Limited
Google Customer Reviews	Participation in surveys	90 gays	EU/EEA, US	Data processing in accordance with Art. 28 GDPR and Data Privacy Framework (DPF) certification.	Google Ireland Limited
Google Tag Manager	Integration of Google Tag Manager for easy reloading of services	24 months	EU/EEA, US	Data processing in accordance with Art. 28 GDPR and Data Privacy Framework (DPF) certification.	Google Ireland Limited
Hotjar	Optimisation of our online offers and website presentation	12 months	EU/EEA	Data processing according to Art. 28 GDPR	Hotjar Ltd.
Hubspot	Optimisation of our online offers	6 months	EU/EEA, US	Data processing in accordance with Art. 28 GDPR and Data Privacy Framework (DPF) certification.	HubSpot, Inc.
Microsoft Advertising	Targeted display of online advertising (The provider may use the data collected to contextualise and personalise the ads of its own advertising network, especially if you are logged into an existing account of the service)	13 months	EU/EEA, US	Data processing in accordance with Art. 28 GDPR and Data Privacy Framework (DPF) certification.	Microsoft Corporation
Omniconvert	Optimisation of our online offers and website presentation	6 months	EU/EEA	Data processing according to Art. 28 GDPR	Omniconvert SRL
Pinterest Tag	Performance measurement and targeted display of online advertising	180 days	EU/EEA, US	Data processing in accordance with Art. 28 GDPR under conclusion of the final standard data protection clauses in accordance with Art. 46 Para. 3 lit a GDPR	Pinterest Inc.
Sovendus	Display and performance measurement of Sovendus voucher offers	30 days	EU/EEA	Joint responsibility according to Art. 26 GDPR. Both parties are contact points for exercising their rights according to Art. 15-20 GDPR.	Sovendus GmbH
TikTok Pixel	Measuring the success and optimisation of online advertising (The provider may use the data collected to contextualise and personalise the ads of its own advertising network, especially if you are logged into an existing account of the service)	13 months	EU/EEA, China, US	Joint responsibility according to Art. 26 GDPR under the conclusion of an agreement on joint responsibility, including the final standard data protection clauses according to Art. 46 Para. 3 lit a GDPR. The provider is the point of contact for exercising rights according to Articles 15-20 GDPR.	TikTok Technology Limited
twiago	Optimising our online offers	30 days	EU/EEA	Data processing according to Art. 28 GDPR	twiago GmbH
uptain	Creation of personalised advertising and business offers	12 months	EU/EEA	Data processing according to Art. 28 GDPR	uptain GmbH
Vimeo	Playing Vimeo video services	24 months	USA	Data processing in accordance with Art. 28 GDPR under conclusion of the final standard data protection clauses in accordance with Art. 46 Para. 3 lit a GDPR	Vimeo LLC
Youtube	Playing YouTube video services (the provider may use the data collected to contextualise and personalise ads on its own advertising network, especially if you are logged into an existing account from this service)	24 months	EU/EEA, USA	Data processing in accordance with Art. 28 GDPR and Data Privacy Framework (DPF) certification.	Google Ireland Limited
Zemanta	Optimising our advertising campaigns	3 months	EU/EEA, UA	Joint responsibility according to Art. 26 GDPR under the conclusion of the final standard data protection clauses according to Art. 46 Para. 3 lit a GDPR. Both parties are the point of contact for exercising rights in accordance with Art. 15-20 GDPR.	Outbrain Inc.

Click Fraud Technology

If you reach our website by clicking on advertisements displayed via search engines, we can use services to analyze and prevent "click fraud". Click fraud occurs when clicks on ads are generated by automated tools or when multiple clicks on ads are unlikely to be driven by genuine interest.

Service	Description	Duration of storage	Place of processing	Legal Basis for Data Processing and Data Transmission	Service Provider and Data Protection Information of the Provider
Ads Defender	Analysis of clicks on Google Ads, transmission of the IP address to Google Ireland Limited if click fraud is suspected	365 days	EU/EEA	Overriding legitimate interests (Art. 6 Para. 1 lit f GDPR; you can submit your objection to the processing in accordance with Art. 21 GDPR here in the form of an "opt-out"), data processing in accordance with Art. 28 GDPR	Hurra Communications GmbH

2) What data do we process when you sign up for our email newsletter?

The following categories of data may be processed (in addition to the data processed during your visit to our website) when you subscribe to our newsletters over e-mail:

E-mail address

The processing of this data is based on your voluntary consent (Art 6 Para 1 lit a GDPR). You can revoke this consent at any time by unsubscribing via the link provided in each newsletter or via your existing customer account, whereby the data processed up to the time of revocation remains justified. You are not obliged to provide this data, but we cannot provide you with a newsletter subscription without it.

In order to send our e-mail newsletters, it may be necessary for us to transmit your data to the following recipients:

Service provider and data protection information of the provider	Description	Place of processing	Legal bases for data transmission
Amazon Web Services EMEA SARL	Sending the e-mail newsletter	EU/EEA	Data processing according to Art. 28 GDPR
SendinBlue GmbH	Sending the e-mail newsletter	EU/EEA	Data processing according to Art. 28 GDPR

3) What data do we process when you contact us?

When you contact us, the following categories of your data may be processed (in addition to the data processed during your visit to our website):

Name
Contact details
E-mail address
Telephone number
Any order data
Correspondence data, including any data you provide to us during communication

We process this data for the following purposes:

Handling customer enquiries, customer care and other customer support services via e-mail, chat or telephone.

These categories of data are processed to the extent necessary for each case. The processing of this data is justified by our overriding legitimate interest in efficient and satisfactory communication (Art 6 Para 1 lit f GDPR).

For this purpose, it may be necessary for us to transmit your data to the following recipients:

Service provider and data protection information of the provider	Description	Place of processing	Legal bases for data transmission
Freshworks GmbH Germany	Customer inquiries and customer care services via email or chat or telephone	EU/EEA, occasionally USA if you contact us via social media platforms	Data processing in accordance with Art. 28 GDPR under conclusion of the final standard data protection clauses in accordance with Art. 46 Para. 3 lit a GDPR
CallOne GmbH	Customer inquiries and customer care services via telephone	EU/EEA	Data processing in accordance with Art. 28 GDPR

4) What data do we process when you use our webshop?

When you use our webshop, the following categories of your data may be processed (in addition to the data processed during your visit to our website):

Name
Contact details
Billing and shipping address
E-mail address
Telephone number
Order and delivery data
Account and payment data
Assigned account number
Data that you enter via a contact form
Correspondence data, including all data you provide in connection with your order
Date of birth (in the case of legally required proof of age)

We process this data for the following purposes:

Processing the entire contractual relationship with you
Transfer of orders to payment service providers
Commissioning shipping or forwarding services, including drop-shipping
Communication for processing orders
Legally required storage as defined by the § 132 BAO (Federal Fiscal Code)
Legally permitted direct advertising (e.g.: per mail, e-mail, satisfaction surveys, congratulatory letters, statistical evaluations); We would like to expressly inform you that you can object to the processing of your data for the purpose of direct advertising
Prevention and clarification of cases of fraud or attempted fraud
Assertion and defence of legal claims

Processing these categories of data occurs to the extent necessary in each case and is required for the fulfilment of the contract (Art 6 para 1 lit b GDPR) or is justified by our overriding legitimate interest in smoothly running our business (Art 6 para 1 lit f GDPR).

It may be necessary for us to transmit your data to the following categories of recipients as required for the use in our webshop:

Service provider and data protection information of the provider	Description	Place of processing	Legal bases for data processing and data transmission
Credit card companies, banks, payment providers (Data protection information according to teh website of the selected provider)	Payment processing for your order	Usually EU/EEA – but also third countries in exceptional cases	Fulfilment of contract (Art 6 Para 1 lit b GDPR). If the recipient is in a third country without a valid adequacy decision – Art 49 Para 1 b and e GDPR
Logistics service provider (Data protection information according to the website of the selected provider)	Transportation and delivery of orders	Usually EU/EEA – but also third countries in exceptional cases	Fulfilment of contract (Art 6 Para 1 lit b GDPR). If the recipient is in a third country without a valid adequacy decision – Art 49 Para 1 b and e GDPR
Drop-shipping or Drop-shipping Service Provider (Data protection information according to the website of the selected provider)	Execution of orders for products that are not in stock and transfer to logistics service providers for transport	Usually EU/EEA – but also third countries in exceptional cases	Fulfilment of contract (Art 6 Para 1 lit b GDPR). If the recipient is in a third country without a valid adequacy decision – Art 49 Para 1 b and e GDPR
Debt Collection Service Provider (Data protection information according to the website of the respective service provider)	If necessary, for collecting outstanding debts	Usually EU/EEA countries, but also third countries in exceptional cases	Overriding legitimate interests (Art 6 Para 1 lit f GDPR). If the recipients are in a third country (non-EU) without a valid adequacy decisions - Art. 49 Para 1 lit e GDPR
Amazon Web Services EMEA SARL	Sending automated emails	EU/EEA	Overriding legitimate interests (Art 6 Para 1 lit f GDPR), data processing in accordance with Art 28 GDPR

Customer Account

You have the option of registering for a customer account. If you do so, the following categories of your data may also be processed:

Order history and wish lists
Product data (ratings, testimonials, questions, and answers about products)
Assigned customer number
Customer segmentation

We process this data for the following purposes:

Storage of your information in your customer account, including the publication of your ratings, reviews, questions, and answers about products, insofar as you do this independently
Customer segmentation carried out to offer benefits or discounts.

This data is processed based on your voluntary consent (Art 6 para 1 lit a GDPR) and is justified by our overriding legitimate interest in evaluating our product reviews and customer segmentation (Art. 6 Para. 1 lit f GDPR). You are not obliged to register for a customer account, but we cannot provide you with the additional services mentioned above without a customer account.

Sovendus Voucher Network

Based on your prior voluntary consent (Art. 6(1)(a) GDPR) through our "Cookie Banner" (see Section 1), we can display offers by the Sovendus coupon network after completing an order. For this purpose, the pseudonymized, encrypted hash value of your email address and your IP address will be transmitted to Sovendus GmbH, Hermann-Veit-Str. 6, 76135 Karlsruhe, Germany (Legal basis Sovendus: Art. 6(1)(f) GDPR). The pseudonymized hash value of your email address will be used by Sovendus to take into account any existing objections to advertising from Sovendus (Art. 21(3), Art. 6(1)(c) GDPR). The IP address will be used by Sovendus exclusively for data security purposes and will generally be anonymized after seven days (Art. 6(1)(f) GDPR). In addition, for billing purposes, the pseudonymized order number, order value with currency, session ID, coupon code, and timestamp will be transmitted to Sovendus (Art. 6(1)(f) GDPR). If you want to take advantage of a Sovendus voucher offer, and have not objected to advertising measures being sent to your email address, and also click on the coupon banner displayed only in this instance, we will transmit encrypted information such as your name, postal code, country, and email address to Sovendus for use in the preparation of your voucher (Art. 6(1)(b), (f) GDPR). For further information on how Sovendus processes your data, please refer to Sovendus' online privacy policy.

5) Which data do we process if you have a business relationship with us?

If you have a business relationship with us as a partner or supplier, we may process the following categories of your data:

Name
Company data
Contact details
E-mail address
Telephone number
Business data, order, delivery and invoice data
Correspondence data, including all data that you provide to us in connection with our business relationship.

We process this data for the following purposes:

The initiation, maintenance and processing of our entire business relationship with you (e.g. pre-contractual obligations, invoicing of services, dispatch of documents, communication for processing the contract).
Legally required storage as defined by the § 132 BAO (Federal Fiscal Code)
Internal administration and management of our business relationship to the extent required (e.g.: Processing your business case, forwarding business cases to various departments, filing, archiving purposes, correspondence with you).
Assertion and defence of legal claims

These categories of data are processed to the extent necessary in each case. If you do not provide us with this data, we will unfortunately not be able to process your business transaction.

Processing this data is necessary for the contractual fulfilment of our business relationship (Art 6 Para 1 lit b GDPR), necessary for the fulfilment of our legal obligations in connection with retention periods (Art 6 para 1 lit c GDPR) or justified by our overriding legitimate interest smoothly running our business (Art 6 Para 1 lit f GDPR).

6) How long will your data be stored?

We only store your data for as long as is necessary for the purposes for which we collected your data. In this context, statutory retention obligations must be taken into account (for example, for reasons of tax law, contracts, order data or other documents from a contractual relationship must generally be retained for a period of seven years (§ 132 BAO)). Your name, address, purchased goods and date of purchase are also stored until the product liability expires (after 10 years according to § 13 Product Liability Law). In justified individual cases, such as for the assertion and defence of legal claims, we may also store your data for up to 30 years after the termination of the business relationship.

We store the data that we process in the context of contacting you for up to three years from the time you last contacted us.

7) Collection of data from other sources (Art 14 GDPR)

Data is only collected from other sources if you wish to enter into a business relationship with us as a partner or supplier in accordance with point 5. For this purpose, it may be necessary to carry out research on the business partner. This will only be done to the extent required. In this context, data may be retrieved and processed from the following sources:

Source	Public?	Affected Data	Purpose/Justification
Company website	Yes	Contact/structure data	Contact for business purposes
Contractor	No	Name, address, phone no.	Contract fulfilment, delivery

8) Does automated decision-making or profiling take place (Art 13 (2) (f) of the GDPR)?

No automated decision-making takes place on our website. However, over the order process, it is possible that the respective payment service provider uses profiling for fraud detection.

9) What rights do you have in regard to data processing?

We would like to inform you that, provided that the legal requirements are met, you have the right to:

request information about what personal data we're processing (see Art 15 GDPR for more details)
demand the correction or completion of incorrect or incomplete data concerning you (see Art 16 GDPR for more details)
delete your data (see Art 17 GDPR for more details), insofar as this does not conflict with any retention obligations
restrict the processing of your data (see Art. 18 GDPR for more details)
data portability - receipt of the data you have provided in a structured, common and machine-readable format (see Art. 20 of the GDPR).
object to the processing of your data based on Article 6(1)(e) or (f) of the GDPR (see Art 21 of the GDPR). This applies particularly to the processing of your data for advertising purposes.

If we process your data on the basis of your consent, you have the right to revoke this consent at any time. This will not affect the lawfulness of the data processed up to that point (Art 7 (3) GDPR).

If, contrary to expectations, your right to lawful processing of your data is violated, please contact us. We will endeavour to deal with your request promptly, at the latest within the statutory period of one month. You also always have the right to lodge a complaint with the supervisory authority responsible for data protection matters.

10) Who is responsible for data protection and how can you contact us?

The person responsible for Data Processing as presented here (within the meaning of Art 4 Z 7 GDPR) is:

niceshops GmbH
Saaz 99
8341 Paldau
Austria
ireland@ecco-verde.com
CEO: Roland Fink, Mag. Christoph Schreiner, Barbara Unterkofler

Joint responsibility within the niceshops Group, or via commissioned processing by the niceshops Group, and your rights:

This website is operated by the niceshops Group, an Austrian e-commerce company that specialises in the development of online shops in various product segments.
The data processing outlined in this privacy statement can be carried out:

under joint responsibility within the niceshops group (according to Art 26 GDPR). If necessary, we'd be happy to provide you with the essential contents of the corresponding agreement upon request.

or: