Data Protection Statement

 

03/2022

1. This data protection statement explains the collection and processing of personal data. Aseiko processes your data in a similar way for all our services. This Privacy Notice therefore applies to all benefits and services which we offer to our customers. This is true regardless of whether we do this via a website, an app, in transactions, on the phone, at events or via social networks or other channels. For ease of comprehension, we use the term “services” to summarise this “normal case”.

1.1. Personal data are all data with which you can be personally identified.

1.2. The controller for data processing across all our services within the meaning of the General Data Protection Regulation (GDPR) is: ASEIKO, 20148 Hamburg, Germany, contact@aseiko.io

1.3. What you will learn in regard to the data that Aseiko stores.

  • What we do with this data and what it is needed for.

  • Which data protection rights and options you have.

  • Which technologies and data we use to personalise and coordinate our services in order to offer you a secure, simple, seamless and individual website/app/shopping experience.

  • Which technologies and data we use for providing our services.


2. Data collection - scope and purpose of the processing of personal data

 

2.1. We offer you a range of services, which you can also use in different ways. Depending on whether you contact us online, by phone or otherwise and on which services you use, various data from different sources may come into play. Much of the data we process is provided by you yourself when you use our services or contact us, for example when you register and provide your name, email address or postal address (e.g. for shipment services). We do, however, also receive technical device and access data which is automatically collected when you interact with our services. This may, for example, be information on which device you are using. We may also receive data on you from third parties, for example from payment service providers.

When we talk about “data”, we are referring to personal data. This includes all information which allows us to identify you directly or by combining it with other information. This might be: your name, your phone number, your customer number, order numbers or your email address. All information which cannot be used to identify you (even by combining it with other data) is classified as non-personal data. Non-personal data is also referred to as anonymous data. If we combine your personal data with anonymous data, all the data in this record counts as personal data. If we delete the personal data from a piece of information or a record on your person, the remaining data in this record no longer counts as personal data. This procedure is referred to as anonymisation. The following generally applies: If we request that you share particular personal information with us, you may of course refuse to do this. You can decide which information you share with us. We may, however, be unable to provide you with the desired services (at least not optimally). For example, you cannot have a package delivered without giving a delivery address. If particular information is required in connection with a service (mandatory information), we will inform you by marking it accordingly.

When you access our services via our website, even if you do not contact us directly, data is automatically sent to the server of our website by the Internet browser that you use as a visitor, and stored in a log file for a limited period of time. Until automatic deletion, the following data will be stored without further input by the visitor:

  • IP address of the visitor's terminal device,

  • date and time of access by the visitor,

  • name and URL of the page accessed by the visitor,

  • website from which the visitor accesses the company website (so-called reference URL),

  • the browser and operating system of the visitor's terminal device, and the name of the access provider used by the visitor.

 

The processing is carried out in accordance with Art. 6 § 1 clause 1 f) of the GDPR on the basis of our legitimate interest in improving the stability and functionality of our services, and in order to be able to guarantee the security and administration of the services. The data will not be passed on or used in any other way. However, we reserve the right to subsequently check the server log files if there are concrete indications of illegal use.

 

2.2. Profile information

Profile information is personal and demographic information on your person, along with your individual interests, which you share with us when registering for a customer account. Your profile data includes, for example:

  • Your first and last names

  • Your contact details

  • Your preferences, e.g. in relation to lifestyle, skin concerns, brands or product types/categories

  • Demographic information such as your gender, age, ethnicity and place of residence

 

Mandatory information is usually your name, your email address and a password you choose yourself. Your email address and the password will later constitute your login details.

Profile data may also include further information on your person and your interests. These may be collected in the process of registering for the service, or only subsequently. This is the case, for example, if you later add voluntary information to your profile or you wish to use your customer account to register for a service which requires additional mandatory information.

Note: If you are logged into your customer account, you can view your personal data and can edit it directly there, e.g. in order to update your address or other personal data.

 

2.3. Contact details

If you contact us, we receive your data. Depending on how you contact us (e.g. by phone or by email), your contact details may include your name, postal addresses, telephone numbers, fax numbers, email addresses, details of your social network profiles, user names and similar contact details.

 

2.4. Shopping information

If you order something via the Aseiko App or on our website (e.g. book a Food-For-Skin advice session), we collect your shopping/booking data. Depending on the type of purchase and processing status, shopping/booking data may include the following information:

  • Order number

  • Details on the purchased items (name, size, price, brand, advisory session etc.)

  • Payment method information

  • Delivery and billing addresses

  • Messages and communication relating to purchases (e.g. notice of revocation, complaints and messages to customer service)

  • Delivery and payment status, e.g. “completed” or “dispatched”

  • Information on service providers involved in executing the contract (for order purchasing perhaps shipment numbers of parcel services)

 

Note: You can view your essential shopping data in your customer account.

 

2.5. Payment details

We offer you the common payment methods in online retail such as Google Pay, PayPal, Apple Pay or Credit Card. We collect the payment details shared by you in order to execute the payment. We might receive further payment details from external payment service providers and credit agencies which we work with in executing payments and carrying out credit checks. We only forward information to our payment service providers which is necessary for processing payment. Payment details include:

  • Preferred payment method

  • Billing addresses

  • IBAN and BIC or account number and sort code

  • Credit card details

  • Creditworthiness data

 

The payment details also include other information directly connected to payment processing and credit checking. This applies, for example, to information which external payment service providers use for identification such as your PayPal ID (if you are paying with PayPal).

Cooperation with external payment service providers and credit agencies is on a country-specific basis, in order to take country-specific features and requirements into account.

 

2.6 Messages, conversation content

If you communicate with us or other users regarding products (e.g. product evaluations) and other topics by phone, post, social media, contact forms or any other medium, we collect the content of your messages. We may forward your messages to the office responsible for your concerns, perhaps to partner companies or manufacturers. If your messages are forwarded to another company (e.g. if you provide us with feedback on the manufacturer of a product), you of course have the option to tell us that the data should only be used by Aseiko. If so, we will not forward your information to the responsible office, or will only do so without your personal information, provided that your concerns can be processed in this way.

If you transmit messages to us for other users via functions provided for this purpose (e.g. product evaluations or in-app messenger), we may publish these within the scope of our services.

 

2.7 Site data

For particular purposes, we also collect data on your device’s current location when you use our services. Two different technologies are used for this.

If you approve your device’s location services for an app, a website or another online service by Aseiko, Aseiko processes the location data collected by your device and provided to us in order to provide you with location-specific services.

Example: Our app suggests to you products or shows you local shops which correspond to your current location.

If you allow our app to access your device’s location services, your location will be processed by Aseiko only when you are using the app. This serves to improve the user experience, for example by loading location-dependent content faster when you use the app at your location, or displaying location-based push notifications and for shipment services. We do not use this data to produce any motion profiles. You can obtain further information on location-based services if required.

We also collect location data derived from your device’s IP address (down to the city level). An anonymised IP address shortened to three characters is used for this purpose. Therefore, this cannot be used to identify your internet connection or device.

Note: What is an IP address? It is a unique address that identifies a device on the internet or a local network. IP stands for "Internet Protocol," which is the set of rules governing the format of data sent via the internet or local network (example: 193.99.144.85). The first three characters of an IP address are usually assigned to a particular region or a particular internet provider. The approximate location of the internet connection can therefore be derived from the IP address. This procedure (so-called geolocalisation) might be used to identify fraud and suspicious orders (e.g. it may be suspicious in particular situations if an order from your customer account uses an IP address from a country where you have never previously made any orders).

 

2.8. Photos and other personal content

Our service-specific application Aseiko allows you to share photos and other personal content with us or other users, in order to deliver our services, to communicate with us or other users or to personalise services (e.g. by uploading a non-selfie picture of just a part of your face, Aseiko classifies your current skin condition and recommends you products).

Before you can take and upload your image, you are asked to give Aseiko permission to access the camera of your device. We collect the image data for the purposes of providing you with personalised services and for the training of Aseiko’s AI model for image classification. We cannot identify you, because we do not need and we do not collect full-selfie images.

 

2.9. Information for campaigns and surveys

If you take part in a campaign (e.g. competition) or survey (e.g. customer satisfaction survey for market research purposes) offered by Aseiko or some of our partner brands, we ask you for personal information. This might be general data such as your name and email address, so that we can inform you if you win and ensure that each participant only takes part in the competition once. If we need further information, e.g. for particular campaigns, we inform you separately about the information required and how we use it.

 

2.10 Device and access data

When using online and mobile services, it is inevitable that technical data will be generated and processed in order to provide the features and content offered and to display them on your device. We refer to this data as "Device and Access Data". Device and Access Data are created whenever online and mobile services are used. It does not matter who the provider is. Device and Access Data are therefore created, for example, when using:

  • Websites

  • Apps

  • Social media fan pages

  • Email newsletters (only if your newsletter interaction is recorded)

  • Location-based services

 

Aseiko collects device and access data for online and mobile services offered by Aseiko itself. We may receive device and access data from online and mobile services of other companies, as long as they are social media or partners of Aseiko or participate in the same online advertising networks (e.g. the "Google Network").

Device and access data includes the following categories:

General device information, such as information on the device type, operating system version, configuration settings (e.g. language settings, system authorisations), information on internet connection (e.g. name of the mobile data network, connection speed) and on the app used (e.g. name and version of the app).

Identification data (IDs), such as session IDs, cookie IDs, unambiguous device ID numbers (e.g. Google advertising ID, Apple Ad ID), third party account IDs (if you use social plug-ins or social logins or pay by PayPal) and other common internet technologies, to facilitate recognition of your web browser, your device or a particular app installation.

Access data automatically transmitted by apps and web browsers whenever you access web servers and databases (within the framework of so-called HTTP requests). This is standardised information on the required content (such as the name and file type of a retrieved file) as well as further information on server access (such as amount of data transferred and error codes), on your device (e.g. device type, operating system, software versions, device identifications, IP address, the site previously visited and the time of access).

2.11. Aseiko Messenger Service and Access to your device

Aseiko is a future-oriented "all-in-one solution": You can shop for your favorite cosmetics, but you can also use the app to stay in touch with friends and family via our messenger. Aseiko's Messenger works similarly to all other mobile social communication solutions. Your privacy is important and we follow all requirements to encrypt and protect your communications.

In order to use all messenger functions, e. g. sending real-time messages, making voice and/or video calls, you will be asked to grant permissions to use your microphone (for voice calls) and your camera (for video calls).  

 

You will also be asked to grant access to your contacts in order to process a call. Aseiko doesn’t actively use these permissions because the calls and messages you make or receive are processed via your internet connection and Aseiko doesn’t need your phone number or contact lists to establish a connection.

In addition, you can send a message or call a user only when your invitation was actively accepted and you’re added to someone’s friends-list.

It is entirely up to you to decide whether to grant the requested permissions to the app, and whether and when to share access to your device. If you wish, you can restrict the permitted access to the time when you are actively using Aseiko.

 

Example: If you want to connect with a friend, you must first send a friend request. If your request is accepted you will be notified and you can connect with your friend on Aseiko. Go to your "My Friends" list, tap on your friend's name and start the conversation. If you start a phone call or video call for the first time via Aseiko's Messenger, you will be asked to share access to your microphone and camera. If you grant these permissions you will be able to use the messenger services, but you can also opt out - it is entirely up to you how you go about it. Should you have any questions, please let us know.

2.12. Contact form
Visitors can use an online contact form on the website to submit messages to Aseiko Skin UG. In order to receive a reply, a valid e-mail address, first and last name are required. All further data may be voluntarily provided by the inquiring person. By sending the message via the contact form, the visitor consents to the processing of the transmitted personal data. The data is used exclusively for the purpose of processing and responding to enquiries via the contact form. This is done on the basis of voluntary consent pursuant to Art. 6 § 1 clause 1 a) GDPR. The personal data collected for the use of the contact form are automatically deleted as soon as the enquiry is completed and there are no reasons for further storage (e. g. subsequent commissioning of our company).

 

3. Personalised services

Personalised services allow us to offer you better, more practical and more secure services. To this end we use the data we have stored about you in order to determine your needs and interests. On this basis we can offer you highly personalised content which matches your needs and interests. Of course, you still have access to all content. Personalisation allows you to see content which is more relevant to you more quickly, or content is specially presented to you (e.g. in the form of individual product recommendations). For this purpose, you are asked to set up your customer account (profile) and share with us your age, ethnicity, lifestyle and skin concerns. You can always delete or change this data in your customer account.

Personalised services are based only on the data stored on your customer account. If device and access data is used which is not saved on your customer account, these are only pseudonymised for the relevant personalisation (so e.g. in connection with your customer number, but not in connection with your name or other directly identifying profile data) for the duration of the usage.

 

4. Disclosure, correction, blocking and deletion

Personal data will only be collected, processed, used, and stored where it is inaccessible to third parties for the purpose of responding to inquiries, handling contracts, and technical administration, unless you have explicitly instructed us to do so and you have consented to such use. The data will only be disclosed to third parties for the purpose of contract processing or with your consent. Personal data will not be disclosed or sold. You may withdraw your consent to the use of your data at any time. You may obtain information at any time about the stored data or the following information:

  • purpose of such processing,

  • categories of your personal data that we process,

  • recipients or categories of recipients to whom your personal data is disclosed, in particular recipients in third countries,

  • if possible, the planned duration for the storage of your personal data; if this is not possible, the criteria for determining the duration of storage,

  • the existence of a right to rectification, deletion, or limitation of the processing of your personal data, or the right to object to such processing,

  • the existence of a right of appeal to a data protection supervisory authority,

  • if the personal data have not been collected from you as the data subject, the available information on the origin of the data,

  • the existence of automated decision making, including profiling and significant information on the logic involved, as well as the scope and intended effects of automated decision making,

  • in the case of transfers to recipients in third countries if no decision of the EU Commission on the adequacy of the level of protection pursuant to Art. 45 § 3 GDPR is available, information on the appropriate guarantees provided for the protection of personal data pursuant to Art. 46 § 2 GDPR.

 

All enquiries, requests for information, or objections to data processing should be sent by email to contact@aseiko.io or support@aseiko.io.

 

5. Cookies

Aseiko’s services (e.g. website) use Google Analytics, a web analysis service of Google Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there. However, if IP anonymization is activated on this website, Google will shorten your IP address within Member States of the European Union or in other states that are party to the Agreement on the European Economic Area. Google Ireland Limited is legally responsible for EEA and Swiss users’ information. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity, and to provide the website operator with other services relating to website and Internet use. The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data. You may refuse the use of cookies by selecting the appropriate settings on your browser; however, please note that if you do this, you may not be able to use the full functionality of the website. You can also prevent Google from collecting data generated by the cookie and relating to your use of the website (including your IP address), as well as the processing of this data by Google, by clicking on the following link (http://tools.google.com/dlpage/gaoptout?hl=de) and downloading and installing the available browser plugin.
On this website, Google Analytics has been extended by the code "anonymizeIp", which deletes the last 8 digits of your IP addresses and consequently makes them anonymous.
If you do not wish Google Analytics to collect your data, please click on the following link to unsubscribe. This sets an opt-out cookie that prevents future collection of your data when you visit this website: Disable Google Analytics
Information on terms of use and data protection can be found under:

http://www.google.com/analytics/terms/de.html and https://www.google.de/intl/de/policies/

You can also view the website without cookies. If you do not want your computer to be recognized, you can prevent cookies from being stored on your hard drive by selecting "do not accept cookies" in your browser settings. You will find instructions on the website of the respective browser provider:

 

Please note that the functionality of our website may be limited if cookies are not accepted.

 

6. Analytics services

On our website we use the Google Analytics website analysis service.
The legal basis for the use of the analysis tools is Art. 6 § 1 clause 1 f) GDPR. The website analysis is within the legitimate interest of our company, and serves the statistical documentation of the use of the website for the continuous improvement of our company homepage and the offer of our services.

 

7. Social networking plugins (Social Plugins)

The legal basis for the use of social plug-ins is Art. 6 § 1 clause 1 f) GDPR. A legitimate interest of our company and the purpose of using plugins for social networks is to make our offer known to a wide audience. The social networks are responsible for the data protection-compliant handling of their users' data:

 

7.1. Facebook Plugins

On our web pages plugins of the social network Facebook, 1601 South California Avenue, Palo Alto, CA 94304, USA are / might be integrated. The Facebook plugins can be recognized by the Facebook logo or the "Share-Button" ("Share") or the "Like-Button" ("Like"). An overview of the Facebook plugins can be found here: http://developers.facebook.com/docs/plugins/. The legal basis for the data processing is the legitimate interest to optimize the range of our web pages in accordance with Art. 6, 1. f) GDPR.

When you visit our pages, the plugin generally establishes a direct connection between your browser and the Facebook server. In order to prevent an immediate direct connection, we installed a solution on our web pages which ensures that a direct connection between your browser and the Facebook server will only be established if you click on the Facebook "Share-Button" or the "Like Button" for a second time. Facebook receives the information that you have visited our site with your IP address. If you click on the Facebook "Share-Button" or "Like Button" while you are logged into your Facebook account, you can share or like the contents of our pages on your Facebook profile. As a result, Facebook can assign your visit to our web pages to your user account. We point out that we as the provider of the pages are not aware of the content of the data transmitted and their use by Facebook. Further information can be found in the Facebook privacy policy at http://de-de.facebook.com/policy.php.

If you do not wish Facebook to associate your visit to our pages with your Facebook user account, please log out of your Facebook user account before visiting our web pages and delete the Cookies in your browser.

7.2. Twitter

Functions of the Twitter service are / might be integrated on our web pages. These features are provided by Twitter, Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA. By using Twitter and the "Re-Tweet" function, the websites you visit can be linked to your Twitter account and shared with other users. The legal basis for the data processing is the legitimate interest to optimize the range of our web pages in accordance with Art. 6, 1. f) GDPR.

This data is generally also directly transmitted to Twitter. In order to prevent an immediate direct connection between your browser and the Twitter server, we installed a solution on our web pages which ensures that a direct connection between your browser and the Twitter server will only be established if you click on the “Tweet Button” for a second time. If you do not wish Twitter to associate your visit to our pages with your Twitter user account, please log out of your Twitter user account before visiting our web pages and delete the Cookies in your browser.

We point out that we as the provider of the pages are not aware of the content of the transmitted data and their use by Twitter. For more information, see the Twitter Privacy Policy at https://twitter.com/privacy.

You can change your privacy settings on Twitter in the Account Settings at http://twitter.com/account/settings.

8. Encrypted transmission

All data entered by visitors to our company website are transmitted to us in encrypted form so that they are protected from being accessed by third parties. We use state-of-the-art encryption technologies.

9. Disclosure of data

Personal data will be transmitted to third parties if

  • it has been expressly consented to by the data subject pursuant to Art. 6 § 1 clause 1 a) GDPR,

  • the disclosure pursuant to Art. 6 § 1 clause 1 f) GDPR is necessary to assert, exercise, or defend legal claims, and there is no reason to assume that the data subject has an overriding interest that is worthy of protection by not disclosing his or her data,

  • a legal obligation exists for data transmission in accordance with Art. 6 § 1 clause 1 c) GDPR, and/or

  • this is necessary according to Art. 6 § 1 clause 1 b) GDPR for the fulfillment of a contractual relationship with the data subject.

In other cases, personal data will not be passed on to third parties.

10. Rights of the parties concerned

10.1. Right to confirmation: Every individual concerned shall have the right conferred by the European legislator of directives and regulations to require the responsible data processor to confirm whether personal data concerning him or her are being processed. If the data subject wishes to exercise this right of confirmation, he or she may contact an employee of the responsible data processor at any time.

10.2. Right of access: In particular, you have a right of access regarding your personal data processed by us, the purposes of processing, the categories of personal data processed, the recipients or categories of recipients to whom your data have been or will be disclosed, the planned storage period or the criteria for determining the storage period, the existence of a right of correction, deletion, restriction of processing, objection to processing, a complaint to a supervisory authority, the source of your data if these were not collected by us from you, the existence of automated decision-making including profiling and, where applicable, the existence of an automated decision-making process and, if applicable, meaningful information on the logic involved and the scope and intended effects of such processing, as well as your right to be informed of the guarantees provided for in Art. 46 of the GDPR for the transfer of your data to third countries.

10.3. Right to rectification: You have the right to immediately rectify any inaccurate data concerning you and/or to complete your incomplete data stored by us.

10.4. Right of erasure: You have the right to request the erasure of your personal data pursuant to Art. 17 § 1 GDPR, in particular if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, if you have withdrawn your consent and no other legal basis for processing exists, if you have objected to the processing, if the processing was unlawful, or if the erasure of the personal data is necessary to fulfill a legal obligation. However, this right shall not apply in particular if the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise, or defend legal claims.

10.5. Right to restriction of processing: You have the right to request that the processing of your personal data be restricted as long as the accuracy of your data is verified, if you refuse to have your data deleted because of inadmissible data processing and instead request that your data be restricted, if you need your data to assert, exercise, or defend legal claims, after we no longer need this data once the purpose has been achieved or if you have filed an objection for reasons of your particular situation, as long as it is not yet clear whether our legitimate reasons predominate.

10.6. Right of notification: If you have exercised your right to have the processing corrected, deleted, or restricted, the controller must notify all recipients to whom the personal data concerning you have been disclosed of such correction, deletion, or restriction of the processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed of these recipients.

10.7. Right to data portability: You have the right to receive the personal data you have provided to us in a structured, conventional, and machine-readable format, or to request its transfer to another responsible party if this is technically feasible.

10.8. Right to withdraw consent (Art. 7 § 3 GDPR): You have the right to withdraw consent once given for the processing of data at any time with effect for the future. In the event of withdrawal, we will delete the data concerned without delay, unless further processing can be based on a legal basis for processing without consent. The withdrawal of consent shall not affect the legality of the processing carried out on the basis of the consent until withdrawal.

10.9. Right to lodge a complaint: If you believe that the processing of personal data concerning you infringes on the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State where you are located, at your place of work, or at the place where the suspected infringement is presumed, without prejudice to any other administrative or judicial remedy.

10.10. Right to object: If we process your personal data within the framework of a weighing of interests on the basis of our overriding legitimate interest, you have the right at any time to object to this processing with future effect for reasons arising from your particular situation.
If you exercise your right to object, we will stop processing the data concerned. However, we reserve the right to further processing if we can prove compelling reasons worthy of protection for the processing which outweigh your interests, fundamental rights, and freedoms, or if the processing serves to assert, exercise, or defend legal claims.
If we process your personal data for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising. You can exercise the objection as described above.

If you exercise your right to object, we will stop processing the data concerned for direct advertising purposes.

11. Duration of storage of personal data

The duration of the storage of personal data is determined by the respective legal retention period. After expiry of this period, the corresponding data will be routinely deleted, provided that they are no longer necessary for the performance or initiation of the contract and/or there is no longer any legitimate interest on our part in the further storage.

12. Status and validity of updates

This data protection statement is valid as of March 01, 2022, and we reserve the right to update this data protection statement, especially if this becomes necessary due to technical developments or changes in legislation or jurisdiction.

Thank you for reading this far. Don't hesitate to get in touch with us if you have any questions. 🙏