Privacy at Huber:Transparency, responsibility and trust.

The protection of personal data is of particularly high importance to HUBER. We therefore comply with the statutory provisions, such as the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG), when collecting, using and processing personal data. In the following, we inform you about the scope and purpose of our data processing as well as about your related rights.

• Where we have obtained the consent of the data subject for the processing of personal data, Article 6(1)(a) GDPR shall apply as the legal basis.
• Where the processing of personal data is necessary for the performance of a contract with the data subject or for pre-contractual measures initiated by the data subject, Article 6(1)(b) GDPR shall serve as the legal basis.
• Where data processing is the result of a legal obligation to which we are subject, we rely on Article 6(1)(c) GDPR as the legal basis.
• Where the processing of personal data is necessary in order to safeguard legitimate interests of the controller or of a third party – without endangering the interests, fundamental rights or fundamental freedoms of the data subject – Article 6(1)(f) shall apply as the legal basis.

You can visit our site without providing any information about yourself. We only store access data without personal reference, such as the name of your internet service provider, the page from which you visit us or the name of the requested file. This data is evaluated exclusively to improve our offering and does not allow any conclusions to be drawn about your person.

Personal data is only collected if you voluntarily provide it to us as part of your goods order, when opening a customer account, when submitting an enquiry via the contact form or when registering for our newsletter, vouchers, SMS, direct mailings or other electronic mail, or by consenting to optional cookies. Without your consent, we use the data provided by you exclusively to fulfil and process your order or to respond to your enquiry. Personal data means all information relating to an identified or identifiable natural person.

For the purpose of contract processing, the following data is stored by us, provided that you have made it available to us, and may, where applicable, be passed on to third parties for the provision of services:

• Name
• Date of birth, where applicable
• Gender
• Address
• Delivery address
• Email address
• Telephone number
• Bank details, credit card number and credit card company, whereby such data is generally processed exclusively by the payment provider and, in the context of payment processing, HUBER is not the controller within the meaning of the GDPR
• Information about the order (order, confirmation message, shipping confirmation)
• IP address
• Password

The data provided by you is necessary for the performance of the contract or for carrying out pre-contractual measures. Without this data, we cannot conclude a contract with you. We therefore use this data for the purposes of order and contract processing (including payment processing), for processing enquiries and for evaluations. The legal basis for this is Article 6(1)(b) GDPR. If you open a customer account, your orders and saved goods are also stored together with the customer account. For this purpose, you give your consent (Article 6(1)(a) GDPR).

When registering for the newsletter, your name and your email address are used with your consent for our own advertising purposes until you unsubscribe from the newsletter or the specified email address is clearly incorrect. Unsubscribing from the newsletter is possible at any time and can be done either by sending a message to the contact option described below or via a link provided for this purpose in the newsletter.

You can also register under the same conditions for SMS messages, other electronic mail (e.g. push-up messages in apps) or direct mailings so that you receive all current news and information about our company and products at regular intervals.

With your consent, we transfer the data within the group and to the locations cooperating with us for the purpose of analysing user behaviour and, based on this, for the purpose of sending information for advertising purposes.

In addition, we use your data to display vouchers and personalised product recommendations based on your ordered or viewed products and your wishlist data, or to send them to you by email.

Data that we have collected from interested parties and customers for marketing and information purposes or for sending a newsletter or surveys as well as for advertising products that may be of interest to you is processed, in the case of consent, until such consent is withdrawn; otherwise, on the basis of our legitimate interest for marketing purposes, for a period of generally three years from the last purchase or from the contact initiated by the interested party.

If you have given us your express consent during or after your order, or because it is permissible on the basis of another legal basis pursuant to Article 6 GDPR, we will send you an email reminder to submit a review of your order. Any consent granted for this purpose may be withdrawn at any time by sending a message to the contact option described below.

On our website, we regularly offer competitions in order to increase the attractiveness of our site and to achieve more interactions by visitors.

The personal data disclosed as part of a competition is used by us exclusively for carrying out the competition and not for marketing purposes. If, as part of registering for the competition, your express and voluntary consent is given to receive a newsletter or other marketing measures from us, this will be taken into account within the scope of the consent.

If you contact us via the contact form on the website or by email, the data you provide will be stored by us for 24 months for the purpose of processing the enquiry and in the event of follow-up enquiries.

If you register on our website and/or create a customer account, or place an order, the purpose of processing your data is the technical operation of this website, the operation and administration of your customer account, the processing of your order(s) and the ongoing provision of information about current promotions (in particular by electronic newsletter or email). We use the personal data provided by you exclusively to the extent that your data is necessary for fulfilling the respective purpose (e.g. registration as a customer, sending the newsletter, processing an order, sending information material, carrying out a competition, answering a question), and/or this is permitted by law.

We collect data from applicants for job vacancies at our company for the purpose of initiating a possible employment relationship pursuant to Article 6(1)(b) GDPR or, where applicable, on the basis of explicit consent for record-keeping purposes. Further data protection information relating to application processes can be found here.

We use partner programmes from various providers. With your consent, the use of a partner programme may result in data about you being transferred to, stored and processed by the respective partner programme provider. This means that as soon as you interact with products and services of a partner programme, this provider also collects data about you independently of us (in particular IP address, location, etc.).

Exactly which data is stored depends on the individual providers. In particular, we participate in the affiliate programme of AWIN. Data processing takes place in compliance with this Privacy Policy and that of AWIN (AWIN Privacy Policy).

Your customer data, which is lawfully processed by a HUBER company for the reasons set out, may under certain circumstances be consolidated with the data systems (CRM, etc.) of the entire HUBER Group. This takes place either

I. because other group companies act exclusively as processors or

II. because you have given your consent that you have granted for the consolidation and processing of your personal data within the HUBER Group.

The consent to the processing of your customer data by the CDP serves the purpose of gaining comprehensive insights into customer behaviour and customer preferences. This enables us to provide personalised marketing campaigns and improved customer experiences. Customer data is consolidated from various sources or databases of HUBER, including our internal systems, website interactions, social media and other data sources with which we have a business relationship. You consent to the processing and consolidation of personal data within the HUBER Group.

For this purpose, we also use Klaviyo Inc., based in the USA, as a processor. This also involves the transfer of your personal data to the USA. Klaviyo has incorporated and committed to the European Commission’s Standard Contractual Clauses. Further information can also be found here: https://www.klaviyo.com/legal/privacy.

The development and provision of personalised functionalities and services is our highest priority. Examples of our personalised services include, among others:

• If you place a product in the shopping cart, we can provide you with recommendations for selecting a suitable clothing size on the basis of your previous orders and returns.
• If you have subscribed to our newsletter, we can present you with products that match your previous orders.
• We also take your previous orders into account when suggesting products to you that correspond to your shopping preferences.

In addition, you may also receive advertising messages from the HUBER brands without subscribing to our newsletter, either on the basis of your corresponding consent or to the extent that this is legally permissible even without consent. These include individual recommendations based on your purchasing behaviour. As part of our services, we present you with information and offers based on your interests. You receive from us a limited number of product recommendations, surveys and requests for product reviews, even if you have not subscribed to a newsletter. When selecting these individual product recommendations, we preferably use the data from your previous orders in compliance with the statutory provisions.

If you do not wish to receive individual product recommendations from us by email, you may object to this at any time by clicking on the unsubscribe link available in every email.

In order to be able to offer you more personalised content, we collect data on the basis of your previous user behaviour and your use of the services. If, for example, you open our newsletters more frequently, we interpret this as interest on your part and ensure that your expectations with regard to the frequency and content of the emails are met.

Personal data processed in connection with purchase transactions is stored for as long as required due to statutory provisions (retention obligations, etc.).

If you register on our website and/or create a customer account or make a purchase and provide us with personal data in this regard within the framework of our user agreement, we generally store this data until three years after your last contact with us, unless you request deletion at an earlier point in time and there are no mandatory statutory requirements that make longer data retention necessary.

If you contact us via the contact form on the website or by email, the data you provide will be stored by us for 24 months for the purpose of processing the enquiry and in the event of follow-up questions. Personal data that we have received on the basis of surveys is anonymised after 12 months.

If you have given consent to the use of your personal data and we subsequently carry out continuous activities on this basis (e.g. when sending the newsletter), we delete your data only after you have withdrawn your consent.

Your personal data will be passed on to third parties if this is necessary for the purpose of contract processing or for providing customers with information, for fulfilling legal obligations or if you have consented to the transfer. Where applicable, we may also use service providers who support us with advertising and information that may be of interest to you as well as with carrying out surveys that help us improve our offering. The service providers used by us (e.g. payment service providers for processing payment, shipping companies for processing delivery, providers for shipping communication, IT companies for technical support in order processing, for email marketing) receive the data in order to perform the contracts concluded with you or to support us with advertising or surveys in the above-mentioned sense. Our service providers may use the data only for the fulfilment of their task.

We use services in the course of which a data transfer abroad takes place or may take place. The transfer may take place if the European Commission has confirmed an adequate level of data protection for this third country or if other appropriate data protection safeguards exist (e.g. binding corporate data protection rules or EU Standard Contractual Clauses).

A new adequacy decision pursuant to Article 45 GDPR for the USA has been adopted by the European Commission. This adequacy decision applies to those data importers in the USA that are registered in the Data Privacy Framework List (https://www.dataprivacyframework.gov/s/participant-search).

For each of our service providers, we check whether it is registered in the Data Privacy Framework List or whether the requirements for a data transfer to third countries otherwise legally exist. Where applicable, your consent is required for this (Article 49(1)(a) GDPR).

We have no direct influence on access by US authorities to personal data that is transferred to service providers in the USA when these services are used. Even if we assume that the level of protection is ensured, access by US authorities to data processed in the USA is nevertheless conceivable.

In order to make visiting our website attractive and to enable the use of certain functions, we use so-called cookies on various pages. These are small text files that are stored on your end device. Some of the cookies we use are deleted again after the end of the browser session, i.e. after closing your browser (so-called session cookies). Other cookies remain on your end device and enable us or our partner companies to recognise your browser on your next visit (persistent cookies). You can set your browser so that you are informed about the setting of cookies and decide individually whether to accept them, or exclude the acceptance of cookies for certain cases or in general. If cookies are not accepted, the functionality of our website may be restricted.

Since the cookies used in this context also change regularly, we have recorded the information on the cookies used by us in a separate Cookie Policy, which can be viewed here and forms an integral part of this Privacy Policy.

We use Google Analytics, a web analytics service of Google Inc. (google.com). Google Analytics uses so-called “cookies”, text files that are stored on your end device and that enable an analysis of your use of the website. The information generated by the cookie about your use of this website is usually transferred to a server of Google in the USA and stored there. In the event that IP anonymisation is activated on this website, your IP address will, however, first be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a server of Google in the USA and shortened there. IP anonymisation is active on this website. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activities and to provide other services related to website use and internet use to the website operator. The IP address transmitted by your browser within the scope of Google Analytics will not be merged with other data from Google. You can prevent the storage of cookies by selecting the appropriate settings in your browser software; however, we point out that in this case you may not be able to use all functions of this website to their full extent.

You can also prevent the collection of the data generated by the cookie and relating to your use of the website (including your IP address) by Google as well as the processing of this data by Google by downloading and installing the browser plugin available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de. As an alternative to the browser plugin, you can click this link to prevent collection by Google Analytics on this website in the future. An opt-out cookie will be stored on your end device. If you delete your cookies, you must click the link again.

We also use the offerings of Google Maps on our website. If you are logged in to Google, the data is directly assigned to your account. Google uses your data for the purposes of advertising, market research and demand-oriented website design. Further information on the purpose and scope of data collection as well as on the right to object can be found at http://www.google.de/intl/de/policies/privacy.

Google may process your data in the USA. Before you give consent to the storage of cookies through the use of Google Analytics, please read the relevant information in the Privacy Policy. Google LLC is registered in the Data Privacy Framework List.

We are also represented on various social networks. In this context, data processing takes place in part. Further data protection information can be found in their privacy policies:

• Facebook, operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The parent company, Meta Platforms Inc., Menlo Park, California, is registered in the Data Privacy Framework List. Further information can be found here: https://developers.facebook.com/docs/plugins.
• Instagram, operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The parent company, Meta Platforms Inc., Menlo Park, California, is registered in the Data Privacy Framework List.
• YouTube, operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Further information can be found here: https://www.youtube.com/intl/ALL_at/howyoutubeworks/our-commitments/protecting-user-data/.
• Pinterest, operated by Pinterest Europe Limited, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland. Further information can be found at: https://help.pinterest.com/de/topics/privacy-safety-and-legal.
• TikTok, operated by TikTok Technology Limited, 1601 Willow Road, Menlo Park CA, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. Further information can be found at: https://www.tiktok.com/safety/de-de/privacy-and-security-on-tiktok/.

Please refer to the privacy notices of the providers for the purpose and scope of data collection and the further processing and use of the data by the providers, as well as your related rights and settings options for protecting your privacy. If you do not want the data collected via our web presence to be directly assigned to your profile in the respective service, you must log out of the corresponding service before visiting our website.

Use of personal data within the scope of the Loyalty Programme:

With your first order, registration for the Loyalty Programme takes place. In the course of this, your name and email address, and optionally also your date of birth, are stored. For the calculation or administration of the statuses, the order number, the amount of the order, the returns information as well as the device, information about the device used by you and the IP address are also processed. The legal basis for this processing is your consent to our GTC. This data processing serves the purpose of carrying out the Loyalty Programme. Unsubscribing from the Loyalty Programme is possible at any time and can be done by sending a message to cs@hanro.com.

With your consent, we transfer the data within the group and to the locations cooperating with us for the purpose of analysing user behaviour and, based on this, for the purpose of sending information for advertising purposes.

In addition, we use your data to display vouchers and personalised product recommendations based on your ordered or viewed products and your wishlist data, or to send them to you by email.

Data that we have collected from customers within the scope of the Loyalty Programme is processed, in the case of consent, until such consent is withdrawn.

For carrying out the Loyalty Programme, we use the programme “Yotpo” of Yotpo Ltd., New York, 400 Lafayette St, New York, USA (see also https://www.yotpo.com/privacy-policy/). Against this background, personal data is also processed in the USA. Please also refer to Section VI. Processing of Data Abroad.

We use HTTPS (Hypertext Transfer Protocol Secure stands for “secure hypertext transfer protocol”) to transmit data over the internet in a manner protected against interception. This means we have introduced an additional layer of security and comply with data protection by design. By using TLS (Transport Layer Security), an encryption protocol for secure data transmission on the internet, we can ensure the protection of confidential data. You can recognise the use of this protection of data transmission by the small lock symbol at the top left of the browser, to the left of the internet address, and by the use of the https scheme (instead of http) as part of our internet address.

We reserve the right to amend this Privacy Policy at any time in order to adapt it to changed legal requirements or technical changes. The current version of the Privacy Policy is always available on our website. If you have any questions about data protection or wish to exercise your rights in relation to your personal data, you may contact us at any time.

Within the meaning of the GDPR, you are considered a data subject if personal data concerning you is processed by us. For this reason, you may make use of various data subject rights that are enshrined in the General Data Protection Regulation. These are the right of access (Article 15 GDPR), the right to rectification (Article 16 GDPR), the right to erasure (Article 17 GDPR), the right to restriction of processing (Article 18 GDPR), the right to object (Article 21 GDPR), the right to lodge a complaint with a supervisory authority (Article 77 GDPR) and the right to data portability (Article 20 GDPR).

If you believe that the processing of your data violates data protection law or that your data protection claims have otherwise been infringed in any way, you may lodge a complaint with the supervisory authority. In Austria, this is the Data Protection Authority.

If you have any questions regarding the collection, processing or use of your personal data, requests for information, rectification, blocking or deletion of data, or the withdrawal of consents granted, please contact:

Huber Holding AG
Exerzierplatz 1
6841 Maeder
Austria

Email: dataprotectioncoordinator@huberholding.com