Privacy Policy of Mister Spex GmbH

1. Responsible Body

The responsible body for the processing of personal data is:

Mister Spex GmbH,
Greifswalder Straße 156,
D-10409 Berlin

Customer Service: +49 (0)800 472 54 57

Our Data Protection Officer may be contacted as follows:

Mister Spex GmbH,
- Data Protection Officer of Mister Spex GmbH -
Greifswalder Straße 156,
D-10409 Berlin
E-mail: service@misterspex.co.uk

2. Purposes of Data Processing, Legal Bases, Legitimate Interests and Categories of Recipients

a) Data Processing upon the Conclusion of a Contract

We collect, store and process personal data exclusively in accordance with the valid legal stipulations and inasmuch as this should be necessary and requisite for the fulfilment of the contractually assumed performance obligations between ourselves and the user or for the provision of the products ordered. This comprises of:

• First Name, Family Name
• Invoice and Delivery Address
• E-Mail Address
• Invoice and Payment Data
• Date of Birth
• Telephone Number (optional)

Should you purchase contact lenses or corrective spectacles from us, we also gather and store your correction values.

The legal basis for this is Art. 6 Para. 1 lit. b) General Data Protection Regulation (GDPR) as the collection of these data is necessary for the fulfilment of our contract or in order to implement pre-contractual measures. The legal basis for collecting the date of birth is Art. 6 Para 1 lit. f) GDPR. Our legitimate interest lies in the dispatching of e-mails on your birthday, customer segmentation with subsequent direct advertising and guaranteeing your creditworthiness in the context of the credit assessment. Should you have given us your telephone number we may use this in order to contact and support you in the ordering and contract processing procedures. The legal basis for this is Art. 6 Para. 1 lit. b) GDPR.

We shall store your data as long as you uphold an active business relationship with us. After the termination of the said business relationship we shall archive the information pertaining to the contractual relationship according to commercial and tax laws for the statutorily determined periods of six and ten years respectively. Personal data that is not subject to these archiving obligations will be deleted immediately on termination of the business relationship.

Your personal data shall be forwarded by us to service providers deployed in the context of carrying out the order. These are: payment services providers, logistics companies, providers of a ticket system for customer services, cloud service providers and newsletter dispatchers. We also send your e-mail address to the logistics company commissioned by us in order to ensure that the goods are dispatched in accordance with your wishes. The logistics company will be contacting you in the run-up to the delivery, in order to inform you of the time of delivery or to agree particulars of the delivery with you. The data shall be transmitted solely for this purpose. The transmission shall follow for this purpose and in our legitimate interest according to Art. 6 Para. 1 lit. f) GDPR in order to guarantee as smooth a delivery as possible. You may object to this transmission with future effect by sending a relevant notification to the contact named in Figure 1.

b) Accessing our website/application

When you access our website, information will automatically be sent to the server of our website by the browser being used on your terminal device and stored temporarily in a so-called log file. The following information will thereby be collected without any activity on your part and stored until they are deleted automatically:

• the IP-address of the inquiring internet-capable device,
• the date and time of access,
• the name and URL of the file accessed,
• the website/application from which the access had been affected (referrer URL),
• the browser used by you and, if need be, the operating system of your internet-capable computer and the name of your access provider.

The legal basis for the processing of the IP-address is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest derives from the purposes of the data collection listed:

• guaranteeing the smooth establishment of a connection,
• guaranteeing comfortable use of our website,
• assessment of system security and stability
• other administrative purposes.

The data will be stored for a period of 30 days and subsequently deleted automatically. Furthermore, we use so-called cookies, tracking tools and targeting processes on our website. Which process exactly the manner in which your data is used for this purpose. This is explained in more detail below.

Inasmuch as you, in your browser, operating system or other settings of your terminal device, should have agreed to so-called geo-localisation, we shall use this function in order to be able to display services relating to your current location (e.g. our nearest store). We shall be using your location data processed in this manner exclusively for this function. Upon ending your usage, the data will be deleted.

c) Other Data Collection on our Site

i. Customer Account

When you place an order, you may also open a customer account at the same time. You may also set up a digital account in our store. The setting up of such an account and thus the conclusion of a usage agreement pertaining to the setting up of the customer account is voluntary and effected on the basis of Art. 6 Para. 1 lit. b) GDPR. The customer account may be cancelled at any time; a notification in text form (e.g. e-mail, fax, letter) shall suffice for this. Subsequent to a cancellation, we shall delete your data completely unless the processing thereof should be legally permitted or accord with the following regulations.

As long as your customer account exists, the data that you have communicated in connection with your orders will be stored there in addition to those orders. You have the right to demand information concerning the data stored in your customer account at any time. Access to your customer account is only possible after the entry of your personal password. You should always treat your access information as confidential and close your browser window after ending your communication with us, particularly if you share usage of the computer with others.

You may also order from us without opening a customer account. If you wish to do so, simply select the option “order as a guest”. Inasmuch as you should order from us without a customer account, we shall process your data as described in the above for the fulfilment of the purchasing contract and for guarantee purposes. We shall furthermore process your data in order to shape our offer specifically in accordance with your needs. You may object to this processing at any time by sending a written message to the contact address specified in Figure 1.

ii. Contact Establishment by You

In order to establish contact with us you may choose from a variety of communication paths. Contact establishment is voluntary and the collection of data effected on the basis of our legitimate interest in being able to contact you on the basis of your inquiry, Art. 6 Para. 1 lit. f) GDPR. In this context we request that you communicate to us certain data such as your name and/or your e-mail address. This serves the exclusive purpose of being able to identify you without any doubt, to process your concern and to thus be able to inform and advise you in accordance with your wishes. The data will be deleted after the statutory storage obligations have expired.

iii. Digital Spectacles Fitting

We offer you the possibility of comfortably trying on your spectacles at home online by way of 2D-or 3D fitting. To this end you may either upload your photograph or use your webcam. The digital spectacles fitting is voluntary and the data are collected on the basis of our legitimate interest in being able to offer you the corresponding service, Art. 6 Para. 1 lit. f) GDPR. In the case of the 3D fitting, we make use of an external provider in order to implement the service. We use the photographic/video material you supply solely in order to be able to offer you our service. Video material is deleted immediately, an uploaded photograph automatically after 14 days.

iv. Particularly Sensitive Data

In order to protect particularly sensitive data including your payment data, we use the so-called SSL-protocol (Secure Sockets Layer), by way of which your personal data are submitted in encrypted form.

If the payment method credit card is selected, you add a link to your customer account to your credit card information in order not to have to enter said credit card information again when placing further orders. The storage of this link is carried out in accordance with our legitimate interest and for the purpose of offering you this comfort function and is based upon Art. 6 Para. 1 lit. f) GDPR. We do not additionally store your credit card data as a basic principle. The storage and processing of the credit card information is undertaken by our PCI-DSS-certified payment services provider PAYONE GmbH, Fraunhoferstraße 2-4, D-24118 Kiel, Germany. In order to pre-empt misuse in cases of unauthorised access, the complete credit card number is never visible in your customer account. Should you wish to delete a credit card from your customer account you may do so on the site “Payment”. Please note that if you choose this payment option we may contact you and for verification purposes request that you send us a form of identification. This serves our legitimate interests pursuant to Art. 6 Para. 1 lit. f) GDPR for the protection of ourselves and you against credit card fraud. We will only use the proof of identity that you send to verify your identity and will delete it after the legal retention period has expired.

v. Voucher offers of Sovendus GmbH

In order to select a currently interesting voucher offer for you, we will transmit your pseudonymised hash value of your e-mail address and your IP-address in encrypted form to Sovendus GmbH, Moltkestrasse 11, D 76133 Karlsruhe (Sovendus) (Art. 6 par. 1 f GDPR). The pseudonymised hash value of your e-mail address is used to consider a possibly existing objection to receive offers from Sovendus (Art. 21 par.3, Art. 6 par. 1 c GDPR). The IP-address will be exclusively used for data security purposes and as a rule the same will be anonymised after seven days (Art. 6 par. 1 f GDPR). Furthermore, we will transmit order number, session ID, coupon code, and time stamp in pseudonymised form to Sovendus for billing purposes (Art. 6 par. 1 f GDPR).

You will find further information about the processing of your data by Sovendus in their Online Data Protection Notice at www.sovendus.co.uk/privacy_policy.

vi. Integration of the Trusted Shops Trust Badge

The Trusted Shops Trust Badge is integrated on this website to display our Trusted Shops seal of approval and the possibly collected evaluations, as well as to offer Trusted Shops products to buyers after an order is placed. This serves to safeguard our legitimate interest in accordance with Art. 6 para. 1 lit. f) within GDPR for optimal marketing of our offer within the scope of a balancing of interests. The trust badge and the services advertised with it are an offer of the Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany. When the trust badge is activated, the server automatically stores a so-called server log-file, which contains, for example, your IP address, date and time of retrieval, amount of data transmitted and the requesting provider (access data) that contains and documents the call. This access data will not be evaluated and automatically overwritten within seven days after the end of your page visit. Other personal data (order number, hashed e-mail address, sum, currency, payment method) will only be transferred to Trusted Shops if you decided to use Trusted Shops products after completing an order or if you have already registered. In this case, the contractual agreement between you and Trusted Shops applies.

vii. Mention me

We operate a refer-a-friend programme to enable our customers to recommend Mister Spex to their friends and family. Our refer-a-friend programme is operated on our behalf by Mention Me Limited as our data processor. Mention Me Limited is a UK company whose registered office is at 20-22 Wenlock Road, London, N1 7GU. We will share some of your data (including email address, name and order details) with Mention Me to enable you to participate in our refer-a-friend programme. Mention Me does not use this data for any purpose other than operating our refer-a-friend programme. You can find more details of the data Mention Me processes for us in their privacy policy which can be viewed here: https://mention-me.com/help/privacy_policy_s#referrers. You can object to us processing your data in connection with our refer-a-friend programme at any time by contacting Mention Me at Mention Me unsubscribe.

viii. Trustpilot rating service

We use the rating service of Trustpilot A/S, Pilestræde 58, 3rd floor, 1112 Copenhagen K, Denmark ("Trustpilot"). By clicking on the corresponding link, you will be redirected to Trustpilot's platform, where you can leave a rating for our shop. Only when you actually click the link will we forward your hashed email address, name, and customer number for verification purposes, based on our legitimate interest, as per Art. 6 paras. 1 lit. f) DSGVO. The submission of a rating is voluntary. Details regarding data collection by Trustpilot on their platform can be found here: https://uk.legal.trustpilot.com/end-user-privacy-terms

We have also integrated the Trustpilot widget to display the reviews collected. This serves to protect our legitimate interests within the context of a weighing of interests as per. Art. 6 paras. 1 lit. f) DSGVO on the optimal marketing of our offers. The running of the widget automatically sends the IP address to the server, but then deleted immediately.

3. Processing of your Data for Advertising Purposes

In addition to processing your data for the purpose of implementing the contracts concluded with us, we also use your data in order to exchange information with you concerning your orders, to communicate with you concerning certain products or marketing actions and to be able to recommend products or services that might be of interest to you. The duration of the storage of data for advertising purposes is oriented towards the question of whether the data is necessary for advertising. This is to be assumed in the case of registration for the newsletter until such time as consent is revoked as well as for the duration of an active business relationship.

a) Advertisement by mail

In case you concluded a contract with us and are therefore a regular customer, we process your postal contact data without your explicit consent in order to inform you about new products and offers. The legal basis for this usage is to be found in Art. 6 Para. 1 lit. f) GDPR. We engage a service provider to send out advertisement by mail.

b) Dispatching of the Newsletter

We offer you the possibility of registering for our newsletter. In order to be able to be certain that no errors have been made in entering your e-mail address we use the so-called double opt-in procedure: after you have entered your e-mail address in the registration field we will send you a confirmation link. Your e-mail address will not be included on our circulation list until you have clicked on this confirmation link. The processing of your electronic contact data for this purpose is thus affected solely on the basis of your consent (Art. 6 Para. 1 lit. a) GDPR); these data will be stored until your consent is revoked. You may revoke your declared consent at any time with future effect without giving any reasons. For this purpose, you may either click on the relevant link in every newsletter or send a short notification by e-mail to the e-mail address indicated under Figure 2. You can also access the de-registration form for the dispatch of the newsletter here.

c) Service and Product Information

Should we receive your e-mail address in the context of ordering goods from our online shop, we shall use said e-mail address, until revocation, in order to inform you via service and product information mails of similar products that could be of interest to you (e.g. concerning the content of your shopping basket). We shall only use your e-mail address for such purposes, however, if you have not objected to this usage. You may object at any time by sending a message to the e-mail address indicated under Figure 1 without giving any reasons and without incurring any costs other than the transmission costs according to the basic tariffs. The legal basis for this usage is to be found in Art. 6 Para. 1 lit. f) GDPR.

d) Interest-related Advertising

We endeavour to make our online shop as attractive as possible for you and to optimise the said shop. In order that you only receive such information you may be interested in, we categorise and supplement your customer profile with additional information. For this purpose, both statistical information as well as information relating to your person (e.g. basic data of your customer profile) are used. The aim is to be able to send you only advertising that is oriented towards your actual or supposed requirements and accordingly not to bother you with useless advertising.

The legal basis for the aforementioned types of processing is in each case Art. 6 Para. 1 lit. f) GDPR. The processing of regular customers’ data for our own advertising purposes is to be regarded as a legitimate interest.

You may object to data processing for the aforementioned purposes at any time at no cost, separately for each respective communications channel and with future effect. For this purpose, an e-mail or a letter sent by post to the contact data indicated under Figure 1 shall suffice.

4. Online Presence and Website Optimisation