Last updated: 18 May 2026
1. Controller
Malle-Schmickl GesbR
Dipl.-Ing. Dr. Helge Schmickl and Dipl.-Ing. Dr. Bettina Malle-Schmickl
Ehrentalerstraße 39
9020 Klagenfurt am Wörthersee
Austria
E-Mail: [email protected]
Phone: +43 463 437786
VAT ID: ATU69623838
2. Purposes and legal bases
We process personal data to provide the website, to ensure technical security, to handle inquiries, to operate customer accounts, to process orders, payments and shipments and to comply with statutory obligations.
Legal bases are in particular Art. 6(1)(b) GDPR (performance of a contract and pre-contractual measures), Art. 6(1)(c) GDPR (legal obligations), Art. 6(1)(f) GDPR (legitimate interests) and, where required, Art. 6(1)(a) GDPR as well as § 165(3) of the Austrian Telecommunications Act (TKG 2021) (consent).
3. Website, hosting and server log files
When the website is accessed, technically required access data is processed, in particular IP address, date and time, requested URL, referrer URL, browser, operating system, transferred data volume and status code. The processing serves the delivery of the website, error analysis, system security and abuse prevention on the basis of Art. 6(1)(f) GDPR.
The website is operated by an external hosting provider. Server log files are stored only for as long as necessary for operation, security and error analysis; longer storage takes place only where required to investigate security-related incidents.
4. Cloudflare
We use Cloudflare as technical infrastructure to improve the security, stability and availability of the website. Cloudflare may in particular be used as DNS, CDN, proxy, security or access protection service.
In this context, Cloudflare may in particular process IP addresses, technical connection data, security events and access data. The legal basis is our legitimate interest pursuant to Art. 6(1)(f) GDPR in a secure and stable website. Where personal data is transferred to third countries, this is done on the basis of appropriate safeguards, in particular EU Standard Contractual Clauses, or an applicable adequacy decision.
5. Cookies and consent management
Our website uses cookies and comparable storage technologies. Technically necessary cookies are required for the shopping cart, checkout, login, language settings, session management, security functions and storage of your cookie choice. These cookies are required for the service you have requested.
Typical technically necessary cookies include in particular PHPSESSID, WooCommerce cookies such as woocommerce_cart_hash, woocommerce_items_in_cart and wp_woocommerce_session_*, WordPress login cookies and language cookies from Polylang. A complete, always up-to-date list of cookies and services used can be found in our Cookie Policy.
Non-necessary cookies and services, in particular statistics, marketing or external media services, are only set after your prior consent. You can revoke your consent at any time via the cookie settings.
6. Google Analytics and Google Tag
We use Google Analytics 4 if you have consented to the Statistics category. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Processing by Google LLC in the USA cannot be ruled out.
Google Analytics serves to measure reach and improve our offering. Google Analytics may set cookies such as _ga and comparable identifiers. The legal basis is your consent pursuant to Art. 6(1)(a) GDPR and § 165(3) TKG 2021. Without consent, Google Analytics may not be loaded.
You may revoke a consent given at any time via the cookie settings.
7. Google Ads and conversion tracking
If you have consented to the Marketing category, we use Google Ads including conversion tracking to measure the effectiveness of our advertisements and improve our offering. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Processing by Google LLC in the USA cannot be ruled out.
When you visit our site via a Google advertisement or complete an order, cookies such as _gcl_au or _gcl_aw may be set to attribute the purchase to an advertisement. Data transferred includes in particular click identifiers, conversion events, browser and device information and pseudonymous identifiers. The legal basis is your consent pursuant to Art. 6(1)(a) GDPR and § 165(3) TKG 2021.
8. Order attribution (Sourcebuster JS)
WooCommerce uses the “Sourcebuster JS” library to internally evaluate the source of orders. It records the channel through which you reached our website (e.g. direct visit, search engine, referral from another website or paid advertisement). This information is stored alongside your order.
Sourcebuster JS works exclusively with local cookies (sbjs_current, sbjs_session and other sbjs_*); the data is not transferred to external servers. The legal basis is our legitimate interest in evaluating our marketing channels pursuant to Art. 6(1)(f) GDPR or, where this is to be classified as non-essential storage, your consent pursuant to Art. 6(1)(a) GDPR and § 165(3) TKG 2021.
9. Rank Math and Search Console
We use Rank Math for search engine optimisation. Where Rank Math retrieves aggregated data from Google Search Console or Google Analytics in the WordPress backend, this serves to evaluate the visibility and performance of the website. No additional personal data is transferred to Rank Math merely by visiting the website, provided that no client-side tracking scripts are loaded.
10. Contact
If you contact us by e-mail, telephone, WhatsApp or other means, we process your information such as name, e-mail address, telephone number, content of the message and technical metadata in order to handle your request. The legal basis is Art. 6(1)(b) GDPR if the inquiry is aimed at a contract, otherwise Art. 6(1)(f) GDPR.
If you use WhatsApp, WhatsApp Ireland Limited additionally processes communication and metadata. Please do not send particularly sensitive data via WhatsApp.
11. E-mail dispatch and SMTP
Order confirmations, customer information and system messages are sent via our mail server / SMTP infrastructure. Sender, recipient, content, timestamps and technical dispatch data may be processed in the course of dispatch. IT and mail service providers used process data to the extent necessary for operation and delivery.
12. Customer account
If you create a customer account, we process in particular name, e-mail address, billing and delivery address, telephone number, access credentials, order history and account-related settings. Passwords are not stored in plain text. Processing serves to provide the account and to perform the contract pursuant to Art. 6(1)(b) GDPR.
13. Orders in the online shop
For orders we process first and last name, billing and delivery address, e-mail address, telephone number, ordered products, order number, payment and shipping method, payment status, delivery status and communication data. Processing is carried out to perform the contract pursuant to Art. 6(1)(b) GDPR and to fulfil tax and commercial obligations pursuant to Art. 6(1)(c) GDPR.
14. Payment service providers
The payment methods available during checkout are displayed depending on country, order value and technical availability. Processing is carried out via the following payment service providers:
Stripe (Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Dublin 2, Ireland) is used for credit and debit card payments as well as the Stripe-based payment methods offered during checkout such as Klarna, EPS and Bancontact. Depending on the payment method, the data transferred includes in particular name, e-mail address, billing data, payment amount, transaction data, IP address, device information and fraud-prevention data. For Klarna, Klarna Bank AB (publ), Sveavägen 46, 11134 Stockholm, Sweden, acts as additional controller and processes payment and credit-relevant data.
PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg) is used for PayPal payments. PayPal processes in particular contact data, payment data, transaction data, device and security data and may involve additional bodies for fraud prevention and payment processing.
The transfer to payment service providers takes place for the performance of the contract pursuant to Art. 6(1)(b) GDPR and on the basis of legitimate interests in payment security and fraud prevention pursuant to Art. 6(1)(f) GDPR. Complete card or account data is generally not stored by us.
15. Shipping service providers
For delivery, we transfer the data required for this purpose to the selected shipping service provider, in particular name, delivery address, e-mail address, telephone number, shipment data and, where applicable, customs information. Processing takes place to perform the contract pursuant to Art. 6(1)(b) GDPR.
Depending on delivery country, parcel data and availability, shipping is carried out in particular with Österreichische Post AG and/or UPS. Shipping service providers process data for transport, delivery, tracking, evidence and statutory obligations partly on their own responsibility.
16. Recipients
Recipients of personal data may include in particular hosting and IT service providers, mail / SMTP service providers, payment service providers, shipping service providers, tax advisors, banks, authorities, courts and technical service providers commissioned by us.
17. Third country transfers
For individual services, in particular Google, Stripe, PayPal, WhatsApp, UPS or Cloudflare, personal data may be transferred to countries outside the EU and the EEA. Such transfers are based on an adequacy decision such as the EU-U.S. Data Privacy Framework, if the recipient is certified, or, where there is no adequacy decision for the destination country, on appropriate safeguards, in particular EU Standard Contractual Clauses.
18. Storage period
We only store personal data for as long as necessary for the respective purposes. Inquiry and communication data is stored until final processing and beyond only to the extent that statutory obligations or legitimate interests exist. Customer accounts are stored until deletion of the account. Order, invoice and accounting data is generally stored for 7 years in accordance with Austrian retention obligations, and longer in the case of open proceedings or claims.
19. Your rights
You have, in accordance with the GDPR, the right to information, rectification, deletion, restriction of processing, data portability, objection to processing based on legitimate interests and withdrawal of consents given with effect for the future.
If you believe that the processing of your data violates data protection law, you may contact us or lodge a complaint with the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, e-mail: [email protected].
20. Necessity of providing data
The provision of certain data is necessary for orders, payment processing, shipping and the customer account. Without this data, we may not be able to provide the respective contract or service. For voluntary information and consent-based services, no obligation to provide data exists.
21. Changes
We adapt this privacy policy if the legal situation, technical implementation or services used change.