
Privacy Policy (Datenschutzerklärung)

Welcome to Vanity by Caosis. We take the protection of your personal data very seriously. This Privacy Policy informs you about the nature, scope, and purpose of the processing of personal data (hereinafter referred to as "Data") when you use our website and our services.

1. Controller (Verantwortlicher)

The entity responsible for data processing (the Controller) within the meaning of the GDPR is:

Vanity by Caosis

Wilmersdorfer Str. 80

10629 Berlin

info@mysite.com

030 33002484

2. Categories of Personal Data Processed

We collect and process various types of personal data, including:

  • Contact Data: Names, addresses, email addresses, phone numbers.

  • Contract Data: Services booked (e.g., Manicure, Head Spa, Facials), appointment times, payment information, customer history.

  • Usage Data: IP addresses, device information, browser type, websites visited, access times.

  • Content Data: Information you provide in contact forms or communications.

  • Health-Related Data (Special Categories of Data): Information regarding allergies, skin conditions, medications, or other health factors relevant to safely providing cosmetic treatments.

3. Purposes and Legal Basis for Processing

We process your Data in accordance with the GDPR and the German Federal Data Protection Act (BDSG) for the following purposes and based on these legal grounds:

a. Fulfillment of Contract (Art. 6(1)(b) GDPR)

Processing is necessary to execute our contract with you or for pre-contractual measures:

  • Booking, managing, and confirming appointments.

  • Providing the requested cosmetic and spa treatments.

  • Processing payments and billing.

b. Consent (Art. 6(1)(a) GDPR)

We process Data based on your explicit consent for specific activities:

  • Subscription to marketing newsletters.

  • Use of non-essential cookies and tracking technologies.

c. Legitimate Interests (Art. 6(1)(f) GDPR)

We process Data to protect our legitimate interests, provided your rights do not override these interests:

  • Ensuring IT security, stability, and functionality of our website.

  • Improving our services and customer experience.

  • Direct marketing to existing customers (where permitted by law).

  • Asserting legal claims and defense in legal disputes.

d. Legal Obligations (Art. 6(1)(c) GDPR)

Processing is necessary to comply with the law, such as tax and commercial record-keeping requirements under German law (HGB and AO).

e. Explicit Consent for Sensitive Data (Art. 9(2)(a) GDPR)

Special categories of data (such as health information) are processed only on the basis of your explicit, informed consent. We collect this data so that treatments can be carried out safely.

4. Data Collection on Our Website

4.1. Server Log Files

When you visit our website, your browser automatically sends information to our server, which is temporarily stored in server log files. This includes your IP address, date and time of access, browser type, operating system, and the referrer URL.

This data is processed to ensure a smooth connection, system security, and stability. The legal basis is our legitimate interest (Art. 6(1)(f) GDPR).

4.2. Cookies and Tracking Technologies

Our website uses cookies (small text files stored on your device) and similar technologies. We adhere to the requirements of the GDPR and the German TTDSG (renamed TDDDG in May 2024; the Section 25 provisions cited below are unchanged).

  • Essential Cookies: These cookies are strictly necessary for the technical operation of the website and to provide the service you requested (e.g., session management, booking functionality). The legal basis for storing these cookies on your device is Section 25 (2) No. 2 TTDSG. The subsequent processing of the data is based on our legitimate interest (Art. 6(1)(f) GDPR) or contractual necessity (Art. 6(1)(b) GDPR).

  • Non-Essential Cookies (e.g., Analytics, Marketing): We use these cookies to analyze website usage or for marketing purposes only if you have given your explicit consent via our Cookie Consent Banner. The legal basis for storing these cookies is Section 25 (1) TTDSG in conjunction with Art. 6(1)(a) GDPR.

You can manage your preferences and withdraw consent at any time via our Cookie Consent Tool [Describe where this tool is located, e.g., in the footer].

4.3. Website Analytics (e.g., Google Analytics)

(Adapt this section based on the tools you use. Example provided for Google Analytics):

If you provide consent, we use Google Analytics, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

We have activated IP anonymization, meaning your IP address is shortened within the EU/EEA before transmission. Data may be transferred to the USA. This transfer is based on appropriate safeguards such as Standard Contractual Clauses (SCCs) or the EU-U.S. Data Privacy Framework.

The legal basis is your consent (Art. 6(1)(a) GDPR and Section 25 (1) TTDSG).

5. Specific Services and Functions

5.1. Contact Form and Email

If you contact us, the details you provide are stored for the purpose of processing your inquiry. The processing is based on Art. 6(1)(b) GDPR (if related to a contract) or Art. 6(1)(f) GDPR (legitimate interest in responding).

5.2. Online Booking System

We use an online booking tool provided by [Name of Booking Software Provider, e.g., Treatwell, Fresha] to manage appointments. When you book, you provide Contact Data and Contract Data.

This is necessary for executing your appointment. The legal basis is the fulfillment of the contract (Art. 6(1)(b) GDPR). We have concluded a Data Processing Agreement (DPA) with [Name of Provider] in accordance with Art. 28 GDPR. Please review their privacy policy at [Link to their privacy policy].

5.3. Provision of Services and Health Data

For specific treatments (e.g., advanced facials, massages, treatments involving chemicals), it is necessary to collect health-related information (e.g., allergies, skin conditions) to ensure your safety. This constitutes "Special Categories of Data" under Art. 9 GDPR.

We only collect this sensitive data with your explicit, informed consent (Art. 9(2)(a) GDPR), typically obtained in person before the treatment. This data is stored securely and treated with the utmost confidentiality.

5.4. Newsletter

If you subscribe to our newsletter, we use your email address to send you information and offers. We use the double opt-in procedure for registration (you must confirm your subscription via email).

The legal basis is your consent (Art. 6(1)(a) GDPR). You can unsubscribe at any time via the link in the newsletter. We use [Name of Newsletter Service Provider, e.g., Mailchimp] to manage subscriptions.

6. Data Sharing and Recipients

We do not sell your personal data. We only transfer your data to third parties if necessary for the performance of a contract, if required by law, based on legitimate interests, or if you have given consent.

Recipients may include:

  • Payment Service Providers: [e.g., Stripe, PayPal, SumUp] for processing payments (Art. 6(1)(b) GDPR).

  • Booking Software Providers: (See section 5.2).

  • IT Service Providers: Hosting, maintenance, and IT support.

  • Authorities: Tax authorities or other legal bodies, if required (Art. 6(1)(c) GDPR).

When we use third-party service providers (Processors), we ensure compliance with GDPR through Data Processing Agreements (DPAs) pursuant to Art. 28 GDPR.

7. Social Media Presence

We maintain profiles on social networks (e.g., Instagram, Facebook) to communicate with customers and inform them about our services. The legal basis is our legitimate interest in effective communication (Art. 6(1)(f) GDPR).

When you visit these pages, your data is processed by the platform providers, potentially outside the EU/EEA. We have limited influence over their data processing. For details, please refer to the privacy policies of the respective providers.

8. International Data Transfers

Some service providers are based outside the European Economic Area (EEA), particularly in the USA. We ensure that these transfers comply with Art. 44 et seq. GDPR by using appropriate safeguards, such as:

  • Adequacy Decisions: Relying on decisions by the European Commission that confirm an adequate level of data protection (e.g., the EU-U.S. Data Privacy Framework, if the provider is certified).

  • Standard Contractual Clauses (SCCs): Implementing SCCs approved by the European Commission and conducting Transfer Impact Assessments (TIAs), supplemented with additional security measures where necessary.

9. Data Retention and Erasure

We store your personal data only for the period necessary to achieve the purpose of storage or as required by law.

  • Contract and Financial Data: Data related to transactions (invoices, contracts) is retained for the statutory periods under German commercial and tax law (HGB and AO), typically 6 or 10 years depending on the type of record.

  • Health-Related Data: Retained only as long as necessary for the safe provision of ongoing treatments and for the defense of potential legal claims, based on your consent.

  • Inquiries: Deleted when the request is completed and no legal retention obligations apply.

  • Server Logs: Typically deleted after [Insert number, e.g., 14] days.

10. Your Rights as a Data Subject

You have the following rights under the GDPR:

  • Right of Access (Art. 15 GDPR): To request information about your personal data processed by us.

  • Right to Rectification (Art. 16 GDPR): To request the correction of incorrect data.

  • Right to Erasure ("Right to be Forgotten") (Art. 17 GDPR): To request the deletion of your data, subject to certain conditions.

  • Right to Restriction of Processing (Art. 18 GDPR): To request the restriction of processing.

  • Right to Data Portability (Art. 20 GDPR): To receive your data in a structured, commonly used, and machine-readable format.

  • Right to Withdraw Consent (Art. 7(3) GDPR): To withdraw your consent at any time. This does not affect the lawfulness of processing carried out before the withdrawal.

Right to Object (Art. 21 GDPR)

If your personal data is processed on the basis of legitimate interests (Art. 6(1)(f) GDPR), you have the right to object to that processing on grounds relating to your particular situation. Where your data is processed for direct marketing purposes, you may object at any time without giving reasons, and we will stop that processing immediately.

To exercise these rights, please contact us using the details in Section 1.

11. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR) if you believe the processing of your data violates data protection regulations. The responsible supervisory authority for Berlin is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit

Alt-Moabit 59-61

10555 Berlin

Email: mailbox@datenschutz-berlin.de

12. Data Security

We implement appropriate technical and organizational measures (TOMs) in accordance with Art. 32 GDPR to protect your data against manipulation, loss, destruction, and unauthorized access. Our website is served over HTTPS, using TLS encryption (commonly still referred to as SSL) to protect data in transit, such as the contents of contact and booking forms.

13. Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy to adapt it to changed legal situations or changes to our services and data processing. The current version can always be accessed on our website.