Subscribe to our newsletter now and save 5%!

Privacy Policy

Privacy Policy
Valid from: November 5, 2025

This privacy policy is intended to inform you about the nature, scope and purpose of the processing of personal data by OSHEE WORLD Sp. z o.o. in connection with your use of our online shop in the territory of the Republic of Austria.

To ensure transparency and easy accessibility, this document is structured modularly.

 

Module M1: General information, contact details, data protection officer and profiling

I. Data Controller

The entity responsible for data processing on this website is:

OSHEE WORLD Sp. z oo

Address: Aleja 3 Maja 9, 30-062 Krakow, Poland

Email: shop@osheeshop.de

Telephone: +48 787 826 314

II. Personal Data

We have appointed a data protection officer for our company. You can reach them at:

Email: m.zak@oshee.eu or privacy@oshee.eu

Postal address: Aleja 3 Maja 9, 30-062 Krakow, Poland (with the addition "Data Protection Officer")

III. Automated decision-making and profiling

We do not make any automated individual decisions (including profiling) within the meaning of Article 22(1) GDPR that produce legal effects concerning you or similarly significantly affect you.

Module M2: Rights of data subjects and legal remedies (DPF)

I. Your rights as a data subject

You have the right to information (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR) and the right to object (Art. 21 GDPR) to processing based on our legitimate interest (Art. 6 para. 1 lit. f GDPR).

II. Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement. For Germany, the competent authority is:

The Federal Commissioner for Data Protection and Freedom of Information (BfDI), P.O. Box 14 68, 53104 Bonn, website: https://www.bfdi.bund.de.

III. Transfer to the USA (EU-US Data Privacy Framework – DPF)

The transfer of personal data to the USA (e.g. when using IT services) is based on the European Commission's adequacy decision of 10 July 2023 within the framework of the EU-US Data Privacy Framework (DPF), provided that the respective US recipient is certified accordingly.

Legal protection in connection with the DPF: Separate legal protection options are available to you in connection with the DPF:

1. Complaints against US companies: You can file complaints against certified US companies with your national supervisory authority (e.g., the Federal Commissioner for Data Protection and Freedom of Information). These complaints will be forwarded to the Informal Panel of EU data protection authorities. Use the European Data Protection Board's (EDPB) specific complaint form for commercial matters.

2. Complaints against US intelligence services: In the event of suspected unlawful access to your data by US security or intelligence services, you can submit a complaint using the EDPB's dedicated complaint form for intelligence services. These complaints will be forwarded to the Data Protection Review Court (DPRC).

Module M3: Data processing for ordering and payment (e-commerce)

I. Data processing for order processing

Purpose: Your data (name, address, email, telephone number, payment details, order details) is processed for the fulfillment and execution of the purchase contract.

Legal basis: Art. 6 para. 1 lit. b GDPR (performance of a contract or implementation of pre-contractual measures).

II. Data transfer to logistics and payment service providers

Recipients: To fulfill the contract, we will pass on your data to the following categories of service providers:

1. Logistics service providers (shipping): We will pass on your name, delivery address and, if applicable, email/phone number (if required for delivery or notification) to the logistics companies we have commissioned (e.g. DHL, DPD).

2. Payment Service Providers (PSPs): To process your payment (e.g., credit card payment, instant bank transfer), we forward your payment details (name, address, bank details) to the selected Payment Service Providers (PSPs). This transfer is solely for the purpose of payment processing with the provider and only to the extent necessary for this purpose.

Additional consent for delivery notification: If you have given us your express, voluntary consent (Art. 6 para. 1 lit. a GDPR) during the ordering process, we will forward your email address or telephone number to the delivery service to arrange a delivery date. This consent can be revoked at any time.

III. Storage duration

The data will be stored until the contract has been fully processed. Furthermore, data relevant under commercial and tax law (e.g., invoices, order documentation) will be archived in accordance with German statutory retention periods (usually 6 or 10 years).

IV. Necessity of data provision (obligation)

Providing the data marked as mandatory in the order form is necessary for the conclusion and execution of the purchase contract (Art. 6 para. 1 lit. b GDPR). Without this data, the contract cannot be concluded and your order cannot be processed.

Module M4: Cookies, Tracking and TTDSG Compliance

I. Requirements of the TTDSG

Legal basis: In accordance with Section 25 Paragraph 1 of the Telecommunications and Telemedia Data Protection Act (TTDSG), we only access or store information on your terminal equipment (end device) if you have given your explicit and informed consent (opt-in).

Exception: No consent is required for cookies that are strictly necessary to provide you with the service you have expressly requested (e.g., shopping cart function).

II. Use of tracking tools

1. Google Analytics 4 (GA4):

Purpose: Analysis and statistical evaluation of website usage (e.g., traffic sources, user behavior) to optimize our services.

Legal basis: Your explicit consent (Art. 6 para. 1 lit. a GDPR) in conjunction with § 25 para. 1 TTDSG. Despite the use of GA4, cookies and identifiers will still be set.

2. Meta Pixels (Facebook/Instagram):

Purpose: Retargeting, conversion measurement, creation of custom audiences for marketing purposes.

Legal basis: Your explicit consent (Art. 6 para. 1 lit. a GDPR) in conjunction with § 25 para. 1 TTDSG. The use of the Meta Pixel is highly risky and requires a strict opt-in solution.

III. Withdrawal of consent (opt-out)

You can withdraw your consent to the use of all non-essential cookies and tracking tools at any time with effect for the future via our Cookie Consent Management Tool or change your settings.

Module M5: Social media profiles (Art. 26 GDPR)

I. Joint Controllership (Art. 26 GDPR)

For the operation of our profiles on social networks (LinkedIn, YouTube, X, Facebook, TikTok, Instagram), we are joint controllers with the respective platform operator (e.g., Meta Platforms Ireland Limited) for certain processing operations (in particular Page Insights and ad targeting) within the meaning of Article 26 GDPR. This is a consequence of the case law of the CJEU and the German supervisory authorities (DSK).

II. Key elements of the Article 26 Agreement

Distribution of responsibilities: The essential content of the joint controllership agreement usually stipulates that the platform operator is primarily responsible for fulfilling the data subject rights and complying with data protection obligations regarding processing on the platform (e.g., security of processing, fulfillment of information obligations).

Your right to assert your rights: We would like to inform you that you can assert your rights against both the operator of the social network and us as the operator of the profile.

III. Purpose and legal basis

Purpose: Profile maintenance, contacting users, answering comments, conducting marketing activities, creating statistics (Page Insights).

Legal basis: Art. 6 para. 1 lit. f GDPR (Legitimate interest in external presentation and communication).

Storage period: Until you raise a legitimate objection or until the controller determines that the data is no longer relevant for the purpose of processing.

Module M6: Contact requests and correspondence

I. Processing upon contact

Purpose: Exchange of correspondence, maintaining contact and answering your inquiries.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in communication and responding to inquiries). For special categories of personal data (Art. 9 GDPR), processing is based on your consent (Art. 9 para. 2 lit. a GDPR).

Storage duration: The data is stored for the duration of the communication.

II. Determination of claims

Purpose: To establish, assert or defend against claims (e.g. in the case of legal disputes).

Legal basis: Art. 6 para. 1 lit. f and Art. 9 para. 2 lit. f GDPR (Legitimate interest).

Storage period: Until the expiry of the statutory limitation period for claims.

III. Obligation to provide data

Providing your personal data is necessary for communication and maintaining contact between you and the data controller. Failure to provide this data will make it impossible to maintain contact with the data controller and conduct ongoing correspondence.

Module M7: Applicant data (recruitment)

I. Purpose and legal basis (employment contract)

Purpose: To conduct the recruitment process for employment based on an employment contract.

Legal basis: Article 6(1)(c) GDPR in conjunction with the controller's legal obligation pursuant to Section 26(1) sentence 1 of the Federal Data Protection Act (BDSG) (necessity for establishing the employment relationship).

Data retention period: Six months after the conclusion of the recruitment process for the position you applied for. This period serves to defend against potential discrimination claims under the German General Equal Treatment Act (AGG).

II. Consent for future procedures

Purpose: To conduct future recruitment procedures.

Legal basis: Art. 6 para. 1 lit. a GDPR, Art. 9 para. 2 lit. a GDPR (consent).

Storage period: Until you withdraw your consent, but no longer than 3 years.

III. Obligation to provide data

Providing the personal data necessary to establish the employment relationship is a prerequisite for participation in the recruitment process, in accordance with Section 26 Paragraph 1 Sentence 1 of the German Federal Data Protection Act (BDSG). Otherwise, you cannot participate in the recruitment process.

Module M8: Consumer Complaints

Purpose: Receiving and processing consumer complaints; fulfilling the manufacturer's legal obligations (e.g., in the case of food products).

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in processing); Art. 6 para. 1 lit. c GDPR (compliance with legal obligations).

II. Storage period (compliance with German Commercial Code/German Fiscal Code)

The data will be stored after processing in accordance with the German statutory retention periods for commercial and tax documents:

1. Commercial letters (correspondence): Six years after the end of the calendar year in which the complaint was concluded (Section 257 Paragraph 4 of the German Commercial Code).

2. Booking documents (refunds, credit notes): Ten years after the end of the calendar year in which the booking document was created (§ 147 AO).

III. Obligation to provide data

Providing personal data is voluntary; however, failure to provide it (or revocation of consent) may result in the complaint not being accepted and processed.

Module M9: Business partners (natural persons)

I. Purpose and legal basis

Purpose: Conclusion and fulfillment of a contract between you and the responsible party. 1

Legal basis: Art. 6 para. 1 lit. b GDPR (performance of a contract); Art. 6 para. 1 lit. c GDPR (compliance with legal, tax and accounting obligations).

II. Maintaining contacts and demands

Purpose: Maintaining contacts; establishing, asserting or defending against claims.

Legal basis: Art. 6 para. 1 lit. f GDPR (Legitimate interest).

Storage period: Until the relationship ends or until the legally defined limitation period for claims expires.

III. Obligation to provide data

Providing personal data is a prerequisite for concluding and fulfilling the contract between you and the data controller. Failure to provide data will result in the contract not being concluded and fulfilled.

Module M10: Representatives / Employees of Business Partners

I. Purpose and legal basis

Purpose: Conclusion and fulfillment of the contract between the controller and a business partner, whose representative (agent), employee or staff member you are.

Legal basis: Art. 6 para. 1 lit. f GDPR (Legitimate interest of the controller in the performance of the contract).

II. Data source (if not collected directly)

Your data was provided to us by your employer/business partner or taken from publicly accessible registers.

Storage period: Until the termination of the relationship between the data controller and the business partner.

III. Obligation to provide data

Providing personal data is a prerequisite for concluding and fulfilling the contract between the data controller and the business partner you represent. Failure to provide this data will prevent the contract from being concluded and fulfilled.