Data
privacy,
that fits.

The protection of your personal data is of particular concern to us. We process your data exclusively on the basis of statutory provisions, in particular the General Data Protection Regulation (GDPR) and the Austrian Telecommunications Act 2021 (TKG 2021). With this Privacy Policy, we inform you about the nature, scope, and purpose of the processing of personal data in connection with our website and our online shop.

DATA CONTROLLER 

MIKKA GmbH
Traunuferstraße 110
4052 Ansfelden
Austria

Company Register Number: FN355211w
Company Register Court: Regional Court of Linz
Managing Director: Michael P. Matzner

Phone: +43 7229 23023
E-Mail: info@mikka.com

When you visit our website, information of a general nature is automatically collected. This information is stored in so-called server log files.
The following data is collected in particular:

• IP address
• Date and time of access
• Pages accessed
• Browser type and browser version
• Operating system used
• Referrer URL
• Hostname of the accessing device

This processing is carried out to ensure technical operation, system security, abuse detection, and the technical stability of our website based on our legitimate interest pursuant to Art. 6 (1) (f) GDPR. The log files are only stored for as long as necessary to ensure operation and IT security.

Our online shop is operated via the Shopify platform. The provider is:

Shopify International Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

In connection with the use of our online shop, Shopify processes personal data to provide the shop infrastructure, handle order processing, prevent fraud, ensure IT security, and for analysis and statistical purposes. The following data may be processed in particular:

• IP address
• Device and browser information
• Usage data
• Order information
• Payment information
• Communication data

The processing of technically necessary data is based on Art. 6 (1) (b) GDPR (performance of a contract) as well as Art. 6 (1) (f) GDPR (legitimate interest in a secure and functional online shop). Insofar as analysis, marketing, or tracking cookies are used, this is done exclusively on the basis of your consent pursuant to Art. 6 (1) (a) GDPR in conjunction with § 165 (3) TKG 2021.

third-country data transfer

Personal data may also be processed by affiliated companies of Shopify in third countries, particularly Canada and the USA. An adequacy decision by the European Commission exists for Canada. Insofar as data is transferred to the USA, this is done on the basis of the EU-US Data Privacy Framework (DPF) as well as supplementary Standard Contractual Clauses (SCC) pursuant to Art. 46 GDPR. We have concluded a Data Processing Agreement (DPA) with Shopify pursuant to Art. 28 GDPR. An overview of Shopify's sub-processors can be found at: https://www.shopify.com/legal/subprocessors. Further information on data protection at Shopify can be found at: https://www.shopify.com/legal/privacy.

For the purpose of order processing, customer management, offering quotes, invoicing, inventory management, and communication,
we process personal data such as:

• Name
• Billing and delivery address
• E-mail address
• Phone number
• Company data
• VAT ID number
• Order and payment data
• Communication history

This processing is carried out for the performance of pre-contractual measures and contract fulfillment pursuant to Art. 6 (1) (b) GDPR. To manage our business processes, we use Microsoft Dynamics and Microsoft Business Central. The provider is:

Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

We have concluded a Data Processing Agreement (DPA) with Microsoft pursuant to Art. 28 GDPR. Insofar as personal data is transferred to the USA, this is done on the basis of Microsoft's certification under the EU-US Data Privacy Framework. Further information on data protection at Microsoft can be found at: https://privacy.microsoft.com/de-de/privacystatement.

For the processing of payments, we pass on payment data to the respectively selected payment service providers. The processing is
carried out for contract fulfillment pursuant to Art. 6 (1) (b) GDPR.

Shopify Payments / Credit Card: Payment processing is handled by Shopify International Limited in cooperation with Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. More info: https://stripe.com/at/privacy

PayPal: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg.
More info: https://www.paypal.com/at/legalhub/privacy-full

Klarna: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden. More info: https://www.klarna.com/at/datenschutz/

EPS / Bank Transfer: Payment processing is handled directly via your bank and our internal ERP system.

For the delivery of your order, we pass on the necessary data to the respectively commissioned shipping company. This is done on the basis of Art. 6 (1) (b) GDPR. Depending on the shipping method, data is shared with:

- Österreichische Post AG, Rochusplatz 1, 1030 Vienna, Austria
- DHL Express (Austria) GmbH, Air Cargo Center, Objekt 263, 1300 Vienna Airport, Austria
- GLS Austria GmbH, Bundesstraße 110, 4063 Hörsching, Austria
- UPS Transport Ges.m.b.H., Steinheilgasse 1, 1210 Vienna, Austria
- Schenker & Co AG, Stella-Klein-Löw-Weg 8, 1020 Vienna, Austria

In this context, name, delivery address, e-mail address, and phone number may be processed, insofar as required for the delivery.

Our website uses cookies and similar technologies to provide certain functions, analyze website usage, and for marketing purposes. Non-technically necessary cookies are set exclusively after your explicit consent. We use Shopify's integrated consent management system to manage your preferences. Your selection is documented and can be changed or revoked at any time with effect for the future.

Legal basis:

- Technically necessary cookies: Art. 6 (1) (f) GDPR
- Analysis and marketing cookies: Art. 6 (1) (a) GDPR in conjunction with § 165 (3) TKG 2021

You can revoke or adjust your consent at any time via the cookie settings.

Provided you have given your consent, we use Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies that enable an analysis of your use of our website. The following data may be processed, among others:

- Shortened IP address
- Device information
- Usage behavior
- Pages visited
- Session duration
- Origin of visitors

Google Analytics 4 does not store full IP addresses within the European Union by default. This processing is carried out exclusively on the basis of your consent pursuant to Art. 6 (1) (a) GDPR. We have concluded a Data Processing Agreement with Google. Insofar as data is transferred to the USA, this is done on the basis of Google's certification under the EU-US Data Privacy Framework. Further info: https://policies.google.com/privacy.

Provided you have given your consent, we use Google Ads and the associated Conversion Tracking. This allows us to determine whether users have reached our website via Google advertisements and performed certain actions. Processing is based exclusively on your consent pursuant to Art. 6 (1) (a) GDPR. Further info: https://policies.google.com/technologies/ads.

When you contact us by e-mail or via the contact form, the data you provide will be processed to handle your inquiry.
This processing is carried out:

- For the performance of pre-contractual measures pursuant to Art. 6 (1) (b) GDPR
- Based on our legitimate interest in processing inquiries pursuant to Art. 6 (1) (f) GDPR

The data is generally stored for six months unless statutory retention obligations apply.

When you contact us by telephone, we offer you the option to consent to the recording of the call. Recording takes place exclusively on the basis of your explicit, active consent pursuant to Art. 6 (1) (a) GDPR, which you grant via our telephone menu before the conversation begins.

Providing your consent is completely voluntary. If you do not consent to the recording, you will still be connected to a member of staff without modification. You will not suffer any disadvantages as a result.

The telephony and the associated audio recording are handled via the Microsoft Teams platform. The audio recording is then automatically processed to create a written text version (transcription) of the call content and to store it in our CRM system (Microsoft Dynamics). This transcript serves to document your request, ensure error-free processing of your support or order request, and for internal
quality assurance purposes.

The provider of these systems is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. We have concluded a Data Processing Agreement (DPA) with Microsoft. Insofar as data is transferred to the USA, Microsoft is certified under the EU-US Data Privacy Framework.

Storage Period and Deletion:

- Audio recording: The actual voice recording is automatically and irrevocably deleted after a period of 21 days.
- Transcript: The text version created from the recording is stored in our CRM system for the duration of the processing of your request or in accordance with statutory retention obligations (in the case of contractually or accounting-relevant content, usually 7 years pursuant to
§ 132 BAO [Austrian Federal Fiscal Code]).

Right of Withdrawal: You can revoke your consent to the processing and storage of the transcript at any time with effect for the future by sending an e-mail to info@mikka.com.

We store personal data only for as long as necessary to fulfill contractual or legal obligations. In particular, statutory retention obligations
exist under:

- § 132 BAO (Austrian Federal Fiscal Code)
- UGB (Austrian Commercial Code)
- Tax regulations

Accounting and billing-relevant data is generally stored for seven years. Furthermore, specific data is retained to the necessary extent until the expiry of product liability periods (usually 10 years).

We take appropriate technical and organizational security measures pursuant to Art. 32 GDPR to protect personal data. Our website uses
SSL or TLS encryption for the secure transmission of confidential content.

You are fundamentally entitled to the following rights:

- Right of access
- Right to rectification
- Right to erasure ("Right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
- Right to withdraw given consent

If you believe that the processing of your data violates data protection law or your data protection claims have been violated, you can file a complaint with us or with the competent data protection authority.

competent supervisory authority in austria

Österreichische Datenschutzbehörde (DSB)
Barichgasse 40-42, 1030 Vienna, Austria
E-Mail: dsb@dsb.gv.at
Website: https://www.dsb.gv.at