PRIVACY POLICY

Dora Mihalik Einzelunternehmen

1. INFORMATION ABOUT THE DATA CONTROLLER (VERANTWORTLICHER)

Name of the data controller: Dora Mihalik Einzelunternehmen
Registered office: 1140 Vienna, Marz Straße 158, Office 1–2, Austria
Registration number: 38838668
Representative: Dóra Mihalik, sole proprietor
Email: dora.mihalik.at@gmail.com
Phone number: +36 20 566 4758
Website: www.berrivit.com
Tax ID: 09 446/0581
Under the GDPR, the data controller is not required to appoint a Data Protection Officer (Datenschutzbeauftragter / DPO); therefore, for data protection matters, please contact the data controller using the contact information provided above.

2. GENERAL PRINCIPLES AND LEGAL FRAMEWORK

The data controller processes personal data in accordance with the provisions of Regulation (EU) 2016/679 (GDPR) and the Austrian Data Protection Act (DSG). The fundamental principles of data processing are: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity; and confidentiality.
The ordering process takes place via an SSL-encrypted connection (HTTPS), which prevents unauthorized persons from accessing the Customer’s personal data.

3. PERSONAL DATA PROCESSED, LEGAL BASIS, PURPOSE, RETENTION PERIOD

3.1 Website Visits (technical log data)
When you visit the website, the following data is automatically recorded: IP address (anonymized in the case of Google Analytics), date and time of the visit, subpages viewed, browser type, operating system, screen resolution.
Legal basis: The data subject’s consent (GDPR Article 6(1)(a)), provided via the CookieYes cookie consent system.
Purpose of data processing: Statistical analysis, improvement of the website’s quality.
Retention period: 2 years (Google Analytics default setting).
Note: Statistical data is evaluated only in aggregated, anonymized form; it is not linked to any specific individual.
3.2 Order Placement and Contract Performance
When placing an order, the following personal data is processed:
- full name (last name, first name);
- email address;
- phone number;
- billing address;
- shipping address (if different from the billing address);
- products ordered, quantity, unit price, total amount;
- payment method, transaction amount, and date;
- IP address (at the time of the order);
- any other comments from the Customer (if provided).
Legal basis: Performance of a contract (GDPR Article 6(1)(b)); compliance with a legal obligation (GDPR Article 6(1)(c) – based on accounting and tax law obligations).
Purpose of data processing: Processing the order, organizing delivery, issuing invoices, handling warranty claims.
Retention period: 7 years from the last day of the year in which the order was placed (based on the mandatory retention obligation under UGB § 212 and BAO § 132). For the purpose of handling warranty claims, the relevant data will be retained until the warranty period expires.
3.3 Newsletter and Direct Marketing
Data processed: Last name, first name, email address; optionally: areas of interest.
Legal basis: The data subject’s explicit consent (GDPR Article 6(1)(a)).
Purpose of data processing: To provide newsletters, information on promotions, new products, and campaigns.
Retention period: Until consent is withdrawn. After unsubscribing, the data will be physically deleted from all relevant systems.
3.4 SMS Notification
Data processed: Phone number, order status.
Legal basis: Performance of a contract (GDPR Article 6(1)(b)).
Purpose of data processing: To send a shipping notification.
Retention period: Until the notification is fulfilled.

4. DATA PROCESSORS AND DATA TRANSFER (AUFTRAGSVERARBEITER / DATENWEITERGABE)

The data controller engages the following data processors to process data. A valid data processing agreement is in place with each data processor, ensuring that data is processed in compliance with the GDPR.
Financial partner – Stripe Inc.
- Activity: processing online card payments
- Registered office: 354 Oyster Point Blvd, South San Francisco, CA 94080, USA
- Purpose of data transfer: to process the Customer’s online payment transaction
Hosting provider – GoDaddy.com, LLC
- Activity: web store hosting services
- Registered office: 14455 North Hayden Road Suite 219, Scottsdale, AZ 85260, USA
- Purpose of data transfer: operation of the web store
Newsletter and CRM system – SalesAutoPilot Kft.
- Activity: newsletter distribution, customer data management
- Registered office: 1016 Budapest, Zsolt utca 6/C 4th floor 4., Hungary
- Company registration number: 01-09-286773
- Purpose of data transfer: sending newsletters, CRM
Automatic invoicing – sevDesk GmbH
- Activity: electronic invoicing
- Registered office: Gertrude-Fröhlich-Sandner-Straße 2–4, Tower 9, Floor 9, 1100 Vienna, Austria
- Purpose of data transfer: electronic invoicing
Shipping – GLS General Logistics Systems
- Activity: package delivery
- Headquarters: varies by country (see GLS website)
- Purpose of data transfer: delivery of the ordered package to the Customer’s shipping address
Data transfers to third countries (outside the EEA): Stripe Inc. and GoDaddy.com LLC are headquartered in the United States. Data transfers are carried out on the basis of the Standard Contractual Clauses (SCCs) approved by the European Commission (Article 46(2)(c) of the GDPR) and under the EU-US Data Privacy Framework.
Official Requests: In the event of a lawful request from a court, prosecutor’s office, police, tax authority, or other public authority, the data controller will comply with its legal obligations and provide the minimum data necessary to fulfill the purpose of the request (GDPR Article 6(1)(c)).

5. COOKIES

The online store uses cookies. Cookies are small text files stored by the Customer’s browser. For cookies requiring consent, the data controller uses the CookieYes service (app.cookieyes.com), which requests consent upon the first visit.
Essential (technical) cookies: these are essential for the basic functioning of the website (e.g., session cookies, shopping cart contents). No consent is required. Retention period: until the end of the browser session.
Statistical/analytical cookies: Google Analytics – for analyzing website traffic and usage. Consent is required. Retention period: up to 2 years.
Marketing/remarketing cookies: Google Remarketing, Facebook Remarketing – for serving targeted ads. Consent is required. Retention period: up to 180 days.
CookieYes cookies: for recording and managing consent. Retention period: 1 year.
You can manage and delete cookies in your browser settings (Chrome, Firefox, Safari, Edge, Opera). Disabling cookies may result in limited access to certain features.

6. PROFILING AND AUTOMATED DECISION-MAKING

The data controller does not engage in profiling based on Customers’ behavior, interests, or other data, and does not use automated individual decision-making (Article 22 of the GDPR).

7. RIGHTS OF THE DATA SUBJECT (BETROFFENENRECHTE)

Pursuant to Chapter III of the GDPR, the data subject may exercise the following rights. Requests may be submitted via email to dora.mihalik.at@gmail.com. As a general rule, the data controller will respond to requests within one month, free of charge.
7.1 Right of Access (GDPR Article 15 – Right of Access)
The data subject may request information regarding whether the data controller processes personal data concerning them, and if so, what data is processed, for what purpose, to whom it is disclosed, how long it is stored, etc.
7.2 Right to Rectification (GDPR Article 16 – Right to Rectification)
The data subject may request the rectification or completion of inaccurate or incomplete personal data concerning them.
7.3 Right to erasure (GDPR Article 17 – Right to erasure)
The data subject may request the erasure of their data if the data is no longer necessary for the original purpose, the data subject withdraws their consent and there is no other legal basis for the processing, or the processing was unlawful. Erasure cannot be requested if the data processing is necessary to comply with a legal obligation (e.g., accounting retention obligation – UGB § 212).
7.4 The right to restriction of processing (Article 18 of the GDPR – Right to restriction)
The data subject may request the restriction of data processing if they contest the accuracy of the data, if the data processing is unlawful but they request restriction instead of erasure, or if the controller no longer needs the data but the data subject needs it to establish, exercise, or defend legal claims.
7.5 Right to Data Portability (GDPR Article 20 – Right to Data Portability)
If data processing is based on consent or a contract and is carried out by automated means, the data subject has the right to receive the data in a structured, machine-readable format or to have it transmitted to another data controller.
7.6 Right to object (GDPR Article 21 – Right to object)
The data subject has the right to object to data processing based on the data controller’s legitimate interests, as well as to data processing for direct marketing purposes. In the event of an objection to direct marketing, personal data may no longer be processed for such purposes.
7.7 Right to withdraw consent
The data subject may withdraw their consent to data processing based on consent at any time, free of charge (e.g., unsubscribing from a newsletter). The withdrawal does not affect the lawfulness of data processing carried out prior to the withdrawal.

8. RIGHT TO LODGE A COMPLAINT – SUPERVISORY AUTHORITY (BESCHWERDERECHT)

The data subject has the right to lodge a complaint with the supervisory authority if they believe that the processing of their personal data violates the provisions of the GDPR.
Competent supervisory authority:
Austrian Data Protection Authority (DSB)
Barichgasse 40–42, 1030 Vienna, Austria
Website: https://www.dsb.gv.at
Before contacting the data protection authority, please contact the data controller at dora.mihalik.at@gmail.com so that any issues can be resolved quickly.

9. AMENDMENTS TO THIS PRIVACY POLICY

The data controller reserves the right to unilaterally amend this privacy policy. The amended privacy policy shall take effect upon its publication on the online store. The data controller will notify data subjects of any significant changes via email or through a notice posted on the website.

10. FINAL PROVISIONS

The data subject is responsible for providing true and accurate personal data. The data subject is fully liable to indemnify the data controller against any claims arising from the unauthorized disclosure of third-party data.
For matters not covered in this notice, the provisions of the GDPR, the Austrian DSG, and applicable EU and Austrian laws shall apply.
Effective: May 1, 2026 
Dora Mihalik Einzelunternehmen, Wien