We value your privacy and want to keep you informed about how your personal data is collected and used during your visit. If you have any questions, please contact us. This policy may be updated due to changes in technology, services, or legal requirements. Please check back regularly for the latest version.

1. BASIC INFORMATION ON DATA PROCESSING

1.1 Scope of Personal Data Processing

We only collect and use personal data when necessary to operate our website, deliver content or services, or implement our business purposes. Typically, this happens with the user’s consent, unless legal requirements or practical reasons justify processing without prior approval.

1.2 Purpose and Legal Grounds

We handle personal data to meet contractual duties or support legitimate business interests. EU General Data Protection Regulation (EU-GDPR) serves as the legal basis for the processing of personal data. Depending on the context, processing is based on:

• Consent (Art. 6(1)(a) GDPR)
• Contractual necessity (Art. 6(1)(b) GDPR)
• Legal obligations (Art. 6(1)(c) GDPR)
• Protection of vital interests (Art. 6(1)(d) GDPR)
• Legitimate interests (Art. 6(1)(f) GDPR), provided user rights are not overridden

1.3 Data Security

We implement technical and organizational measures to protect your data from loss, misuse, or unauthorized access. These safeguards are regularly reviewed and updated to reflect technological advancements.

1.4 Data Retention and Deletion

Personal data is deleted or restricted once it is no longer needed for its original purpose. Data may be retained if required by EU or national laws. Once any mandatory retention period ends, the data is deleted unless it is still needed to fulfill or manage a contract.

2. GENERAL DATA COLLECTION DURING YOUR VISITING OUR WEBSITE

When you visit our website without registering or submitting information, we only collect the data your browser automatically sends to our server. This data is processed under Art. 6(1)(f) GDPR, based on our legitimate interest in ensuring the website’s functionality, security, and protection against misuse.

Description and Scope of Data Collection

When you visit our website, certain data is automatically collected by our system from your device. This includes:

1. Browser type and version
2. Operating system and interface
3. Internet service provider
4. IP address
5. Access status/HTTP status code
6. Date and time of access
7. Time zone relative to GMT
8. Requested page or content
9. Data volume transferred
10. Referring website
11. Pages visited via our site
12. For mobile devices: device manufacturer and model
13. Low-level tracer data

This information is stored in server log files. It is not linked to other personal data.

Legal Basis for Data Processing

The temporary storage of data and log files is based on our legitimate interests under Art. 6(1)(f) GDPR.

Purpose of Data Processing

Storing the IP address is necessary to deliver the website content to your device. Log files help maintain website functionality, enhance performance, and ensure IT security. This includes adapting content to your browser, operating system, and device.

No data is used for marketing purposes. These functions represent our legitimate interest in accordance with Art. 6(1)(f) GDPR.

Data Retention

Data is deleted once it is no longer needed for its original purpose. For website access, this means deletion occurs at the end of the session.

Log file data is typically erased after seven days. Longer storage is possible if IP addresses are anonymized so users cannot be identified.

Right to Object

Collecting and storing this data is essential for website operation. Therefore, users cannot opt out of this processing.

3. USER REGISTRATION

Users can voluntarily register on our website by providing personal details through a form. The data entered is transmitted securely to us and not shared with third parties, except as noted below. Collected data includes:

• Salutation
• Academic title (optional)
• First and last name
• Email and password
• Address and phone number
• Company (optional)
• Country

System-generated data stored at registration:

• IP address
• Registration date and time
• Customer number
• Entity ID
• Email hash

Users must consent to data processing during registration. Upon completion, they receive password-protected access to manage their information. While optional, registration may be required to access certain services. To confirm registration, your data is shared with our email service provider Emarsys.

Legal Basis for Data Processing

If the user consents, data processing is based on Art. 6(1)(a) GDPR. When registration is needed to fulfill or prepare for a contract, Art. 6(1)(b) GDPR also applies.

Purpose of Data Processing

Registration is required to access certain features, especially our web shop. It enables users to place orders and manage purchases. This includes sales of:

• Clothing
• Footwear
• Bag
• Accessories

Data Retention

Your data is deleted once it is no longer needed for its original purpose. This applies if you cancel or change your registration. If the data is tied to a contract, it will be stored as long as necessary to fulfill the contract or meet legal obligations.

Right to Object and Data Removal

You can cancel your registration or request data changes at any time by emailing: privacy@velisfashion.com. However, if your data is required for a contract or legal reasons, it can only be deleted once those obligations no longer apply.

4. CONTACT

Our website includes a contact form that allows users to reach us electronically. If used, the following data is collected and stored:

• First and last name
• Email address
• Subject
• Message

Alternatively, you can contact us via the provided email address. In both cases, the data is used exclusively to handle your inquiry and is not shared with third parties. No additional data is stored when sending a message through the form.

Legal Basis for Data Processing

Data submitted via the contact form or email is processed based on your consent under Art. 6(1)(a) GDPR. If your inquiry relates to entering into a contract, Art. 6(1)(b) GDPR also applies.

Purpose of Data Processing

The data is used solely to respond to your inquiry. Additional data processed during submission helps ensure IT security and prevent misuse of the contact form.

Data Retention

Personal data is deleted once it is no longer needed—typically when the conversation has clearly concluded. Any additional data collected during submission is deleted within seven days.

Right to Object

You may withdraw your consent or object to data storage at any time by emailing privacy@velisfashion.com. In that case, the conversation cannot continue, and all related personal data will be deleted.

5. NEWSLETTER SUBSCRIPTION

We use a confirmed opt-in method for our newsletter. After signing up, you’ll receive a welcome email to confirm your address. Your email, IP address, and the time of registration and confirmation are stored to prevent misuse.

Newsletter Provider: Emails are sent via Emarsys eMarketing Systems AG. Their privacy policy can be found here: Emarsys Privacy Policy.

Only your email is required for subscription. Any extra information you provide helps personalize the content. The legal basis for sending newsletters is Art. 6(1)(a) GDPR (with your consent). If you’ve made a purchase and haven’t opted out, we may also email you similar product offers under Art. 6(1)(f) GDPR.

You can unsubscribe at any time via the link in the email or by contacting privacy@velisfashion.com.

Usage Tracking

Newsletters contain tracking pixels (web beacons) to analyze email interactions such as:

• Email opens and clicks
• Website visits and viewed products
• Purchases and returns

This behavior data is linked to your user account (if logged in) and used to tailor newsletter content.

We also use cookies from Emarsys and Certona for behavior tracking and performance analysis. These cookies help customize offers and improve services. Data processing is based on Art. 6(1)(a) GDPR.

You may opt out of tracking at any time by clicking the opt-out link provided. An anonymous cookie will be stored to remember your preference. Note: deleting this cookie or using a different browser/device resets your opt-out status.

Additionally, if you’ve created a wishlist, you may receive email updates about saved items. You can disable these notifications in your account settings or via the unsubscribe link.

6. ORDERS IN OUR ONLINE SHOP

To complete a purchase through our webshop, certain personal details are required to process your order. Mandatory fields are clearly marked, while optional ones can enhance your experience. Your information is used to fulfill the contract, including forwarding payment details to your chosen payment provider and your address to our delivery partner.

Legal basis: Art. 6(1)(b) GDPR – necessary for contract execution.

You may also register for a user account to streamline future purchases. This is optional and governed by Section 3 of this policy.

We may use your data to send you relevant product recommendations or important technical updates.

In compliance with tax and legal obligations, we retain order, payment, and address data for 10 years, though after 3 years we limit access to this data unless legally required.

You can opt out of marketing or data analysis at any time by emailing privacy@velisfashion.com.

All order-related data is encrypted and securely transmitted using SSL (Secure Socket Layer) to prevent unauthorized access, particularly to sensitive financial information.

7. PAYMENT SERVICE PROVIDERS

We offer various payment methods, including credit card and PayPal. To process these transactions, your payment details may be shared with the respective payment providers.

Legal basis: Art. 6(1)(b) and (f) GDPR – necessary for contract execution and our legitimate interest in secure payment processing.

For more information on how each provider handles your data, please refer to their individual privacy policies.

Payment providers we work with include:

8. COOKIES

We use cookies and comparable technologies to enhance your experience on our website, support functionality, and serve advertising purposes. Cookies are small text files stored on your device that help recognize your browser during future visits. They store preferences like language, session duration, and form inputs, reducing the need for repeated entries and allowing us to tailor content to your interests.

Required cookies are essential for the website to function and cannot be disabled. In addition to these, we use analytics and marketing cookies to measure traffic and personalize advertising efforts. These technologies may include tracking tools like web beacons or pixel tags, which help gather statistical data.

Most browsers accept cookies by default, but you can adjust your settings to reject or delete cookies at any time. However, disabling cookies may limit some features of our site.

No direct personal identification is made through these cookies.

9. PRIMARY PROVIDER COOKIES – ESSENTIAL COOKIES

These cookies are set by our website and can only be accessed by it. They are essential for various functions and usability features.

9.1 Use of Cookies

To ensure a smooth and user-friendly experience, our site uses cookies that help recognize your browser across different pages. These cookies store the following information:

• Language preferences
• Items in the shopping cart
• Login credentials
• Search queries
• Page visit frequency
• Website feature usage
• Device and browser info
• Viewed products and categories
• Wishlist and cart activity
• Number of cart items
• Referrer information
• Abbreviated IP address
• Hashed email

All collected data is pseudonymized, making personal identification impossible. Users are notified about cookie use for analytical purposes, and our privacy policy offers more details.

Legal Basis

The processing of personal data via cookies is based on our legitimate interest per Art. 6(1)(f) GDPR.

Purpose of Processing

Technically essential cookies are used to support key site functions like:

• Operating the shopping cart
• Website security and attack prevention
• Maintaining session settings

These cookies are not used to build user profiles.

We also use analytics cookies to assess and enhance the website's quality and content. These help us understand user behavior, ensuring ongoing improvements and a better user experience—aligning with our legitimate interests under Art. 6(1)(f) GDPR.

Storage Duration & User Rights

Cookies are saved on your device and transmitted back to us. You have full control over their use. Through browser settings, you can block or delete cookies—manually or automatically. Note that disabling cookies may limit some site functions.

We use two types of cookies:

• Session (Transient) Cookies: Deleted when you close the browser. These track session-specific data.
• Persistent Cookies: Remain for a set period unless deleted manually. They help us recognize returning users.

10. THIRD-PARTY COOKIES - MARKETING COOKIES

Third-party cookies are placed by external organizations—typically advertising or marketing partners—rather than by the website you are currently visiting. These cookies are only activated if you have provided your consent to the use of marketing cookies. Such cookies are used to:

• Deliver personalized advertisements based on your browsing behavior
• Track your interactions across different websites
• Measure the effectiveness of marketing campaigns

By allowing these cookies, you enable third-party providers to gather information about your usage patterns to create targeted advertising tailored to your interests. You can withdraw your consent at any time through your browser settings or via our cookie consent tool.

10.1 Google Tracker

We utilize services provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland ("Google Ireland"), a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

10.1.1 Google Ads and Conversion Tracking

To promote our services, we use Google Ads and integrate Google’s conversion tracking functionality. This allows us to deliver personalized advertisements based on user interests and location data. IP address anonymization is managed internally via Google Tag Manager, in accordance with applicable data protection requirements, and is not visible in the website source code.

Our ads are displayed following user search queries across the Google Advertising Network. We can associate our ads with specific keywords and utilize cookies to deliver ads based on users’ prior interactions with our website.

When a user clicks on one of our ads, Google places a cookie on their device. This cookie enables Google—and us as the advertiser—to determine when users click on an ad and which pages they visit afterward. The data collected is used solely for aggregated statistical analysis to optimize our advertising strategies. We do not receive information that could personally identify users. Google provides us with anonymized reports indicating how many users clicked on our ads and, if applicable, whether they reached a specific page with a conversion tag. This allows us to understand which search terms and ad placements lead to desired actions such as filling out a contact form.

If you prefer not to be included in this process, you can prevent the storage of the relevant cookies by adjusting your browser settings. Doing so will exclude your visit from our tracking metrics.

You can also opt out of tracking in the following ways:

a) by disabling third-party cookies in your browser;

b) by blocking cookies from the domain "www.googleadservices.com" via your browser settings (https://www.google.de/settings/ads);

c) by using the opt-out function provided by the “About Ads” self-regulation program (http://www.aboutads.info/choices);

d) by installing a browser plugin to permanently disable interest-based ads (http://www.google.com/settings/ads/plugin).

Please note that some website features may not work properly if these cookies are disabled.

The legal basis for the processing of data via marketing cookies is your consent, in accordance with Art. 6(1)(a) GDPR.

For more details on how Google handles your data, please refer to:

Google Privacy Policy

Google Ads Conversion Tracking Info

Network Advertising Initiative (NAI)

In addition, we and Google may continue to receive anonymized statistics about website usage. If you wish to prevent this, consider using browser extensions such as Ghostery to block tracking tools.

10.1.2 Google Ads & Remarketing with Google Analytics (RLSA)

We use the remarketing features of Google Ads and Google Analytics Remarketing Lists for Search Ads (RLSA).

Description and Scope of Processing

Visitors to our website are identified by a Google remarketing tag, and their behavior on our site is tracked. Based on this, users are added to one or more remarketing lists which may be used to tailor advertising on Google’s Search Network based on their interactions with our website. Users remain on the list for a default period of 30 days, with a maximum duration of 540 days, depending on behavioral criteria and Google settings.

The following data may be collected:

• Browser type and version
• Operating system used
• Referrer URL (previously visited page)
• Hostname of the accessing computer (IP address)
• Time of server request
• User interactions (e.g. time spent on site, product views, cart activity, bounce behavior)

This information is typically transmitted to and stored on servers operated by Google in the United States. In exceptional cases involving transfers of personal data to third countries (e.g., the U.S.), appropriate safeguards are applied pursuant to Art. 44 et seq. GDPR, particularly through the conclusion of EU Standard Contractual Clauses (SCCs) and, where necessary, additional contractual or technical measures.

Legal Basis

The processing of your personal data through the use of Google Ads and RLSA is based on your explicit consent pursuant to Art. 6(1)(a) GDPR, obtained via our cookie consent management platform.

Purpose of Processing

The purpose of this processing is:

• To provide interest-based and behaviorally tailored advertising
• To improve campaign performance through remarketing strategies
• To increase advertising efficiency by retargeting users with prior engagement

Data Subject Rights

You may withdraw your consent at any time with future effect. The withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

10.1.3 Google Customer Match

We use the Google Customer Match feature to deliver personalized advertisements to our users across different Google services (such as Search, Gmail, and YouTube). This service is provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

Scope and Purpose of Processing

With your prior consent, we may use your contact details or other identifiers (such as email addresses or hashed customer IDs), collected through your registration on velisfashion.com or our CRM system, to create audience segments within Google Ads. These identifiers are matched against Google's user data to deliver personalized advertising across devices and platforms you use.

We may also use cookies and/or advertising IDs to serve interest-based ads to users who have previously interacted with our website (retargeting). This processing enables a seamless user experience and improves the relevance of displayed advertisements.

Data Sharing and Transfers

Your personal data may be shared with trusted advertising partners, particularly for cross-device tracking and personalized marketing. In cases where data is transferred to the USA, such transfers are safeguarded under Art. 44 et seq. GDPR, primarily through the implementation of EU Standard Contractual Clauses and, where applicable, further technical or organizational measures.

Legal Basis

The legal basis for this processing is your consent in accordance with Art. 6(1)(a) GDPR.

Opt-Out Options

You can opt out of interest-based advertising through the following platforms:

• Network Advertising Initiative
• Your Online Choices
• To opt out from Google ads specifically, visit: https://adssettings.google.com

10.1.4 Google reCAPTCHA

We use Google reCAPTCHA, a service by Google Ireland Ltd., to protect our website against spam and abuse by verifying that user interactions are made by human users and not automated bots.

Scope and Purpose of Processing

This service collects the IP address of the user and possibly other data required by Google for the reCAPTCHA service. It analyzes your interaction behavior (e.g. mouse movements or keyboard strokes) and may involve the transmission of this data to Google's servers in the USA.

Legal Basis

The use of Google reCAPTCHA is based on Art. 6(1)(f) GDPR. Our legitimate interest lies in ensuring the security of our online offerings and preventing misuse.

10.2 Facebook Custom Audiences

Use of Facebook Pixel and Conversions API (CAPI)

We use the Facebook Custom Audiences feature provided by Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (“Facebook”), which includes: Facebook Pixel (a web tracking script in the browser), and Conversions API (server-side data transmission).

These tools help us display personalised Facebook Ads to users based on their interests and behavior when visiting our website. The goal is to ensure our ads are relevant and useful, enhancing your experience with our online content.

How Data is Collected and Processed

Browser-based tracking (Pixel): When you visit our website, your browser connects directly to Facebook servers and transmits specific user actions (e.g. page views, product interactions).

Server-side tracking (Conversions API): In parallel, we may transmit the same actions securely via our server, including hashed identifiers, for better accuracy in tracking and matching.

These technologies help us measure ad performance, build Custom Audiences, and optimise advertising campaigns (e.g. by tracking conversions after ad clicks).

If you have a Facebook account and are logged in, Facebook can directly associate the visit with your profile. Even if you’re not logged in, Facebook may still link the visit to your device using cookies or other identifiers.

Purpose and Legal Basis

Purpose: To show relevant advertising, measure effectiveness, and improve ad targeting.

Legal Basis: The legal basis for this processing is your explicit consent under Art. 6(1)(a) GDPR.

For performance measurement and audience analysis, we may also rely on our legitimate interests under Art. 6(1)(f) GDPR, provided you have not withdrawn your consent.

Data Transfers and Safeguards

Data collected through Facebook Pixel and Conversions API may be transferred to Facebook servers in the USA. These transfers are safeguarded under Art. 44 ff. GDPR, including the use of EU Standard Contractual Clauses and, where necessary, additional safeguards.

Facebook as a Third Party

Controller: Facebook Ireland Ltd.

Company Registration: CRO Ireland No. 462932

Further information: Facebook Privacy Policy

Details on how Facebook uses collected data for its own purposes, including profiling and cross-device tracking, can be found in their privacy policy.

Opt-Out Options

You can manage or withdraw your consent to Facebook Ads personalization and tracking in the following ways:

Facebook Settings:

Go to your ad preferences:

https://www.facebook.com/adpreferences/ad_settings

Site-specific Opt-out:

You can also disable Facebook Pixel tracking via our cookie settings interface on this website.

Note: If you opt out via a cookie mechanism, an opt-out cookie will be stored on your browser. Deleting your browser cookies will remove this preference, and you will need to opt out again.

Summary of Data Processed

The following data may be collected and transmitted:

• IP address
• Browser and device information
• Referring URL
• Events triggered on the website (e.g. product views, purchases)
• Hashed identifiers (e.g. email address, if provided by you)

11. USE OF ANALYTICAL AND MARKETING TOOLS (Cookies and Similar Technologies)

Beyond essential cookies, this website and app utilize additional tools for analytics, content optimization, marketing measurement, and advertising purposes, subject to your prior consent pursuant to Art. 6(1)(a) GDPR. The provisions in Section 10 do not apply to these services. Below, we outline the scope of processing, legal bases, categories of personal data, international transfers, and opt-out mechanisms for each tool.

Marketing and Analysis Tools

These services rely on cookies or SDKs to collect pseudonymized or anonymized data for user analytics and targeted advertising. Data may be transferred to third parties, including service providers and advertising networks, under Art. 28 GDPR agreements. International data transfers are based on adequacy decisions (e.g., EU-U.S. DPF) or Standard Contractual Clauses (Art. 44 ff. GDPR).

Google Analytics & Google Conversion Tracking

Provider: Google LLC, USA

Purpose: Web traffic analysis and conversion tracking

Data: IP address (anonymized), browser/OS, referrer URL, device info

Legal Basis: Art. 6(1)(a) GDPR

Safeguards: EU-U.S. DPF, SCCs

Opt-out: Browser Add-on

12. SOCIAL BOOKMARKS

Our website includes links to external social bookmarking services such as those provided by Meta, Pinterest, Tiktok, Youtube, Telegram, and Wechat. These features allow users to save and share website links or news articles through their personal accounts on these platforms.

Please note that these social bookmarks are implemented as external hyperlinks rather than active plugins. This means that no personal data is transmitted to the respective third-party providers merely by visiting our website.

Only when you actively click on one of these icons will your browser initiate a connection to the relevant social network or bookmarking service. As a result, user data—such as your IP address or any cookies stored by the provider—may then be transmitted to and processed by that third-party provider.

For more information on how your personal data is handled by these external services, please refer to the privacy policies provided by each respective provider.

13. DISCLOSURE OF PERSONAL DATA

Your personal data will not be shared with third parties except for the purposes outlined in this policy.

We disclose your personal data to third parties only if one of the following applies:

• You have given your explicit consent;
• Disclosure is necessary to assert, exercise, or defend legal rights and no overriding legitimate interest of yours against disclosure exists;
• There is a legal obligation to disclose;
• Disclosure is legally permissible and necessary for the performance of contractual obligations with you.

Please note that when personal data is transferred outside the European Union, the high EU standard of data protection may not apply. In particular, the EU Commission may not have issued an adequacy decision under Article 45 GDPR confirming that the destination country ensures an equivalent level of protection. In these cases, we rely on appropriate safeguards, such as EU Standard Contractual Clauses.

Possible risks associated with international data transfers include:

• Your data might be processed for purposes beyond the original intent;
• It may be difficult to enforce your rights related to data access, correction, deletion, or portability;
• There may be a higher risk of incorrect data processing or insufficient compliance with GDPR requirements.

14. RIGHTS OF DATA SUBJECTS

14.1 General Rights

If your personal data is processed, you are considered a data subject under GDPR and have the following rights with respect to the data controller:

14.2 Right to Information

You may request confirmation as to whether your personal data is being processed and, if so, obtain information about:

• The purposes of processing;
• Categories of personal data processed;
• Recipients or categories of recipients of your data;
• The intended storage period or criteria for determining it;
• Your rights to correction, deletion, restriction, or objection to processing;
• The right to lodge a complaint with a supervisory authority;
• The origin of your data if it was not collected directly from you;
• The existence of automated decision-making, including profiling, and meaningful information about the logic and impact involved;
• Whether your data is transferred internationally and what safeguards apply.

14.3 Right to Rectification

You may request correction or completion of inaccurate or incomplete personal data relating to you, and the data controller must act without undue delay.

14.4 Right to Restriction of Processing

You may request processing restrictions if:

• You contest the accuracy of the data for a period allowing verification;
• The processing is unlawful but you oppose deletion in favor of restriction;
• The data is no longer needed by the controller but required by you for legal claims;
• You have objected to processing pending a balancing test of interests.

Restricted data may only be processed with your consent or for legal claims, protecting others' rights, or important public interest.

You will be notified prior to lifting any restrictions.

14.5 Right to Erasure (“Right to be Forgotten”)

a) Obligation to Delete

You may request deletion of your personal data without undue delay unless processing is necessary for:

• Compliance with legal obligations;
• Exercising freedom of expression and information;
• Public interest reasons in public health;
• Archiving, research, or statistical purposes where deletion impairs objectives;
• Establishing, exercising, or defending legal claims.

Deletion is required if:

• Data is no longer needed for processing purposes;
• You withdraw consent and no other legal basis exists;
• You object to processing under Article 21 GDPR without overriding legitimate interests;
• Data was unlawfully processed;
• Data relates to services offered to minors (Art. 8 GDPR).

b) Notification to Third Parties

If data has been disclosed to third parties, the controller will take reasonable steps to inform them of your erasure request, considering technology and costs.

c) Exceptions

No erasure is required when processing is necessary for:

• Exercising freedom of expression;
• Compliance with legal obligations;
• Tasks in the public interest or official authority;
• Public health reasons;
• Archiving and research purposes;
• Legal claims.

14.6 Right to Notification

If you request correction, deletion, or restriction, the controller will inform third parties who received your data unless impossible or disproportionate. You have the right to request information about these recipients.

14.7 Right to Data Portability

You may receive your personal data in a structured, commonly used, and machine-readable format and transfer it to another controller if:

• Processing is based on consent or contract; and
• Processing is carried out by automated means.

You may also request direct transfer between controllers if technically feasible, provided your rights or others’ rights are not affected.

This right does not apply to processing necessary for public interest or official authority tasks.

14.8 Right to Object

You have the right to object at any time, for reasons related to your particular situation, to processing based on legitimate interests or public interest (Article 6(1)(e) or (f) GDPR), including profiling related to such processing.

The controller must then stop processing unless they demonstrate compelling legitimate grounds outweighing your interests or processing is for legal claims.

If data is processed for direct marketing, you can object at any time without giving reasons; processing for marketing will then cease.

14.9 Right to Withdraw Consent

You may withdraw your consent at any time. Withdrawal does not affect the legality of prior processing based on consent.

14.10 Automated Individual Decision-Making, Including Profiling

You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal effects or similarly significant impacts, except when:

• Necessary for contract performance;
• Authorized by Union or Member State law with safeguards;
• Made with your explicit consent.

In such cases, the controller provides measures to safeguard your rights, including human intervention and the ability to challenge decisions.

14.11 Right to Lodge a Complaint

You may lodge a complaint with a supervisory authority, particularly in your member state of residence, work, or where the alleged infringement occurred.

The relevant supervisory authority will inform you about the complaint’s status and outcome, including judicial remedies under Article 78 GDPR.

15. RIGHT TO OBJECT TO DIRECT MARKETING

You may object at any time to the processing of your personal data for direct marketing purposes. Following your objection, your personal data will no longer be processed for such purposes. This right applies prospectively only and does not affect processing done before the objection.

16. RIGHT TO OBJECT TO PROCESSING BASED ON LEGITIMATE INTERESTS

If we process your data based on a balancing of interests, you may object by providing reasons related to your situation. Upon receiving your objection, we will assess the situation and either cease or adjust processing or inform you of compelling legitimate grounds overriding your objection.

17. CHANGES TO THIS PRIVACY POLICY

We reserve the right to update or modify this privacy policy at any time in compliance with applicable data protection laws. Changes will be posted on this page.