0

PRIVACY STATEMENT OF WAX IN THE CITY GMBH

Protecting your privacy in connection with the processing of personal data in connection with our website (www.wax-in-the-city.com) and our WAX IN THE CITY Q-App (referred to hereinbelow as the “App”) is a matter that we take very seriously. We will collect, process, and use personal data concerning you exclusively in conformity with the principles described below and in compliance with all applicable data protection laws.
All the data processing workflows on our website that are described in this Privacy Statement apply for the usage of both our website and our App, except insofar as this Privacy Statement expressly provides otherwise hereinbelow.

1. Name and contact data of the controller responsible for the processing
The present privacy statement applies to the processing of data by the following controller:
WAX IN THE CITY GmbH
Lindower Straße 18,
13347 Berlin, Germany
Tel: +49 (30) 8145202-0
datenschutz@wax-in-the-city.com
www.wax-in-the-city.com,
referred to hereinbelow as “WAX IN THE CITY” or “we”).

2. Collection and storage of personal data as well as the nature and form of its usage

a) When you visit our website
When you call up the website www.wax-in-the-city.com, the browser in use on your terminal device will automatically transmit information to the server of our website. This information will be stored temporarily in a so-called “log file.” In the process, the following information will be collected without any further action on your part and will be stored until such time as it is erased automatically in keeping with the stipulations of data protection law:
• The IP address of the requesting computer;
• The date and time of access;
• The name and URL of the retrieved file,
• The website from which access was made (referrer URL);
• The browser used, and possibly also the operating system of your computer as well as the name of your access provider.
• When the App is used, also the following: Hardware model, version of the operating system, language setting, and unique equipment ID code of the mobile terminal device.
We will process the above data for the following purposes:
• To ensure that a connection to the website can be established without disruptions;
• To ensure the user-friendly operability of our website;
• To evaluate our systems’ security and stability, as well as
• For additional, administrative purposes.
The legal basis for this processing is Article 6 paragraph 1 sentence 1 lit. f) of the General Data Protection Regulation (GDPR). Our legitimate interest in this context results from the data processing purposes listed above. In no case will we use the data for the purpose of drawing any factual conclusions about you personally.
We will also deploy cookies and analytic services when you visit our website. Please see below for a more detailed explanation.

b) When you register for our newsletter
Assuming you have given your express consent pursuant to Article 6 paragraph 1 sentence 1 lit. a) of the GDPR, we will use your name and your email address to regularly send you our newsletter. Providing an email address is sufficient for purposes of receiving the newsletter.
It is possible at any time to unsubscribe, e.g. by clicking on the link at the bottom of each newsletter. Alternatively, you can also unsubscribe at any time by notifying us via email at info@wax-in-the-city.com.

c) When you use our contact form
We provide you the option of getting in touch with us by means of a contact form available on our website. You must provide a valid email address so as to let us know who the enquiry is from and to allow us to answer it appropriately. You may also provide additional information on a voluntary basis.
The processing of data for purposes of your communication with us will be performed pursuant to Article 6 paragraph 1 sentence 1 lit. a) of the GDPR and on the basis of your voluntarily granted consent. The personal data that we collect in connection with your use of the contact form will be erased in keeping with the applicable statutory requirements once your enquiry has been dealt with.

d) Use of the App
You have the option of downloading our App. In order to be able to make full use of the App’s functionalities, you must register for an App account or log in using your existing Google account or Facebook account.

aa) Registration
In order to register, you must provide your first and last name, a valid email address, a password, as well your gender, so that we can then set up a personalized App account for you. In order to verify your identity and complete your registration, we will send you a verification link to the email address you have provided. Once your registration is complete, you will have the option to store your existing customer ID number (if any) in your profile. If you are using the services of WAX IN THE CITY for the first time or opt not to store your customer ID number, you will be automatically assigned a customer ID number when you make your first booking.
We will process the aforementioned data concerning you in order to fulfill the App Usage Agreement we have concluded with you; the legal basis for such data processing will be Article 6 paragraph 1 sentence 1 lit. b) of the GDPR.

bb) Registration/login via Google or Facebook
You also have the opportunity to identify yourself using your existing profile at Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) or Google (Google Ireland Limited, Gordon House, Barrow St Dublin 4, Ireland) and to then register, respectively log in. To this end, the corresponding buttons (plug-ins) of Facebook and Google (“Login with Facebook” and “Login with Google”) have been included on the App’s registration/login page. Clicking on the respective button and confirming that the information may be shared for purposes of logging in with Facebook, respectively Google, will open a new window where you will have to log in using your login data for Facebook, respectively Google. This will create a direct connection to the servers of Facebook, respectively Google, in the United States of America. Facebook and Google are certified under an adequacy decision by the European Commission for the United States of America (EU/US-Privacy Shield). By way of this interconnection, Facebook, respectively Google, will receive the information that you called up the corresponding page of our App (along with your IP address) even if you do not have a Facebook or Google profile or are not currently logged in at Facebook, respectively Google. For more information on how your data are processed, please consult the privacy policies published by Facebook, respectively Google.
Once you have logged in successfully, you will be informed which data will be transmitted to us for purposes of confirming your identity as part of the registration/login process. In the case of Google, this will include your name, email address, language setting, and profile photo. In the case of Facebook, this may also involve the transmission of your profile photos, of your list of friends and of these friends’ user IDs, assuming these items have been marked “public” in your Facebook privacy settings. If you have consented to this data transmission, then only the fields that we require for the registration (name and email address) will be filled with the transmitted data. Only once you consent to the use of the data transmitted and required for the registration will we use these data (name and email address) for the purposes listed under item 2 above. Your consent will serve as the legal basis for this data processing pursuant to Article 6 paragraph 1 lit. a) of the GDPR. If you wish to the cancel the connection to Facebook, respectively Google, please contact the corresponding provider or make the required setting changes on the provider’s site.

cc) Booking of treatments
Once you have registered, you will be able to book treatments via our App. In order to process your booking request, we will store the type and time of the appointment you have requested and will transmit your booking information and customer data to the WAX IN THE CITY studio that you have selected for the treatment. In order to best fulfill your wishes and requirements and to serve you optimally during your visit to a WAX IN THE CITY studio, we will store your booking history in the App as well as in the customer-management systems of the individual WAX IN THE CITY studios that you visit.
The legal basis on which data are processed for booking purposes is Article 6 paragraph 1 lit. b) of the GDPR. The storage of your booking history will be performed on the basis of our legitimate interest (Article 6 paragraph 1 lit. f) of the GDPR) in providing you with end-to-end service.

dd) Digital bonus program – Waxing Card
If you activate our digital bonus program in the App (referred to hereinbelow as the “Waxing Card Program”), then a personal identification number (referred to hereinbelow as the “Waxing Card Number”) will be assigned to your user profile; this is required in order to link the WAX IN THE CITY studios to your user profile. When you next visit a WAX IN THE CITY studio following the activation of your Waxing Card, the respective studio will assign what is known as a “franchise number” to you for accounts-settlement purposes.
Once you have activated the Waxing Card in the App, you will be able to collect Waxing Card Points in accordance with our Terms of Participation by booking a treatment via the App or by showing the Waxing Card on your mobile terminal device when you purchase products and/or obtain treatments at a studio. Thereupon, the WAX IN THE CITY studio will transmit to WAX IN THE CITY information on the treatments and products that you obtained from them, when this was, and what price you paid (referred to hereinbelow as the “Bonus-Specific Data”). WAX IN THE CITY stores this information, computes the Waxing Card Points to be credited to your account based on the purchases made, and maintains the points account on your behalf. When you redeem your points, WAX IN THE CITY will provide your current points balance to the studio at which you wish to do so and the studio will notify WAX IN THE CITY of the number of points redeemed.
You may cancel your Waxing Card at any time, respectively deactivate it in the App, by sending an email to info@wax-in-the-city.com. In this event, we will irrevocably cancel the Waxing Card Points you have collected.
The legal basis for the data processing performed in the context of the bonus program is Article 6 paragraph 1 sentence 1 lit. b) of the GDPR.
You may cancel your App account (including the Waxing Card) at any time. If you cancel your App account, then WAX IN THE CITY will erase your profile data unless they are subject to retention periods stipulated by commercial law or tax law (this pertains especially to the Bonus-Specific Data); in that case, WAX IN THE CITY and the respective WAX IN THE CITY studios will retain these data until the respective retention period has expired and will erase them thereafter (no later than after ten years). Furthermore, we will erase your data if you have not used your App account for a period of more than ten years.

e) Waxing Shop
If you use our Waxing Shop and instruct us to send you products or credit vouchers, then the personal data concerning you – insofar as they are required to establish, substantively structure or amend the contractual relationship (existing customer data) – will be used exclusively to fulfill the sales contracts concluded between you and us, e.g. to deliver the products or credit vouchers you have ordered to the address you have provided. The legal basis for data processing in these cases will be Article 6 paragraph 1 sentence 1 lit. b) of the GDPR. We will collect only those data that we need to provide the respective service, respectively to fulfill your order. Providing any additional information is voluntary.

3. Forwarding of data to third parties
The personal data concerning you will not be forwarded to third parties except for the specific purposes listed below.
We will forward the personal data concerning you to third parties only in the following cases:
• You have granted your express consent in accordance with Article 6 paragraph 1 sentence 1 lit. a) of the GDPR to the personal data being forwarded that concern you;
• Forwarding said data is required to safeguard our legitimate interests or the legitimate interests of a third party in accordance with Article 6 paragraph 1 sentence 1 lit. f) of the GDPR, and there is no reason to assume that you have an overriding protectable interest in not having forwarded said data concerning you;
• Forwarding said data is mandated by law in accordance with Article 6 paragraph 1 sentence 1 lit. c) of the GDPR; or
• Forwarding said data is lawful and required for the performance of contractual relations with you in accordance with Article 6 paragraph 1 sentence 1 lit. b) of the GDPR.

4. Cookies
When you visit our online webpages, we will store information on your end device in the form of “cookies.” Cookies are small files that are transferred to your browser by an internet server and that are stored on your hard drive. A cookie serves as a repository of certain information associated with the specific terminal device you are using in each case. This does not mean, however, that the cookie will give us direct knowledge of your identity. In these guidelines, we use the term “cookies” for all files that collect data in this manner.
On the one hand, the use of cookies allows us to make our offering more user-friendly for your benefit. Thus, we use so-called “session cookies” allowing us to determine which individual pages of our website you have visited. These session cookies are automatically deleted once you leave our website. On the other hand, we also deploy “temporary cookies,” which are stored on your terminal device for a pre-defined period, in order to further optimize user-friendliness. If you return to our website at a later time in order to use our services, we automatically will be alerted to the fact that you have already visited us before and you will not have to re-input any of the information and settings you have already provided.
We also use cookies in order to collect statistical data on the usage of our website and to optimize our products and services for your benefit, as well as for retargeting purposes (see Section 5: “Analysis Tools” and Section 6 “Marketing”). Whenever you return to our website, these cookies will automatically alert us to the fact that you have visited us before. These cookies automatically will be deleted after a pre-defined period.
Our website uses the cookies listed below.
Technically mandatory: Technically mandatory cookies help make a website usable by enabling basic functions such as page navigation and access to secure areas of the website. Without these cookies, the website cannot function properly.
Name Purpose Storage period Type

· Preferences: Preference cookies allow a website to remember information that will influence how that website will look or behave (e.g. your preferred language or the region in which you are located).
Name Purpose Storage period Type

· Statistics: Statistics cookies help website owners understand how visitors interact with websites by collecting and reporting information anonymously.
Name Purpose Storage period Type

· Marketing: Marketing cookies are used to track visitors to websites. The aim is to steer advertising in a targeted manner and to measure the effectiveness of our promotional campaigns.
Name Purpose Storage period Type

When you visit our website, we will ask you for your consent to our use of all those cookies that are not absolutely necessary to make our website available. Of course, you also have the option of visiting our platform without accepting cookies. You can use our Cookie Settings function to manage your cookie settings and to select the cookies for which you wish to give us your consent.
If you do not wish your end device to be recognized when you pay us a subsequent visit, you can block the use of cookies by changing your browser settings to “disable cookies.” Please consult the user instructions of your browser to determine the correct procedure. Please note that if you disable the use of cookies, this could impair your ability to use certain parts of our platform.
The data that we collect and utilize using cookies are processed to analyze the website, for marketing measures, and for the functionality of our website (see Section 5).

5. Analysis tools
The tracking measures we use that are listed below are performed on the basis of your voluntarily granted consent. We use these tracking measures to assure that our website is configured in accordance with requirements and that it is optimized on an ongoing basis; our additional aim is to be able to provide you with personalized recommendations based on your user behavior. We also use the tracking measures to collect statistical data on the usage of our website and to optimize our offerings for your benefit. Providing these data is neither mandated by law nor contractually stipulated, nor is it required for the conclusion of a contract. You are not under obligation to provide such personal data.

a) Deployment of Google Analytics
In order to allow us to properly structure and progressively optimize our webpages in line with our customers’ requirements, we take advantage of Google Analytics, a web-based analytic service provided by Google Ireland Limited (www.google.de/intl/de/about), Gordon House, Barrow St Dublin 4, Ireland (referred to hereinbelow as “Google”). The legal basis for this usage is Article 6 paragraph 1 sentence 1 lit. f) of the GDPR. In this context, pseudonymized user profiles are created and cookies are used. These interests qualify as legitimate in the sense of the aforementioned statutory provision. The cookie will generate specific information on your use of this website, for example:
• The browser type/version;
• The operating system being used;
• The referrer URL (the previously visited site);
• The hostname of the accessing computer (IP address);
• The time of the server request.
This information will then be sent to a Google server in the United States, where it will be stored. An adequacy decision by the European Commission is available for the United States of America (under the EU/US Privacy Shield program) which serves to officially certify Google. The information will be used to evaluate usage of the website, to compile reports on website activities, and to provide other services associated with usage of the website and the internet for purposes of doing market research and structuring these webpages in line with our customers’ requirements. The information also may be transmitted to third parties, insofar as this is mandated by law or insofar as the third parties have been commissioned to collect the data. In no case will your IP address be combined with other data held by Google.
You have the option to block the installation of cookies by adjusting the settings of your browser software accordingly. Please note, however, that this may impair the full operability of some of the functions available on this website. You also have the option of preventing the collection of the data regarding your usage of the website (including your IP address) which the cookie has generated, and to prevent the processing of said data by Google, namely by downloading and installing a browser add-on.
As an alternative to the browser add-on, especially when browsers on mobile terminal devices are involved, you can also prevent the collection of data by Google Analytics by clicking on this link. This will cause an opt-out cookie to be installed that will block any future collection of your data whenever you visit this website. The opt-out cookie, which will be placed onto your device, will work only for this browser and only for our website. If you delete the cookies contained in this browser, you will have to re-install the opt-out cookie.
A good place to find further information on data protection in connection with Google Analytics is in the Google Analytics Help section.

b) Bugsnag
Our App uses the analytical service provided by Bugsnag Inc. (10 Sutter St, Suite 1000, San Francisco, CA 94104, USA) (“Bugsnag”). Bugsnag allows us to identify any errors (“bugs”) in the App quickly if the App is disrupted or if it breaks down. If an error arises while you are logged into the App, an error protocol that includes your assigned User ID will be transmitted to Bugsnag so that the error can be analyzed. Bugsnag will not be able to use the User ID to trace this information back to you personally. On the other hand, the User ID will allow us to get in touch with you in the event the error cannot be analyzed successfully. The legal basis for this data processing is Article 6 paragraph 1 lit. f) of the GDPR, since it allows us to pursue our legitimate interest in correcting errors and problems that impair the functionality of our App. Bugsnag is certified under the EU/US-Privacy Shield. For further information on data protection in relation to Bugsnag, please navigate here.

6. Marketing
When we receive your email address in connection with the sale of a product or service and you have not lodged an objection, we also reserve the right to periodically email information to you about similar services or products that we offer, since this represents a legitimate interest of WAX IN THE CITY.
You can object to the use of your email address at any time by emailing a corresponding declaration to the following address datenschutz@wax-in-the-city.com or by following the link provided for this purpose in our advertising emails.
Furthermore, we also perform retargeting. “Retargeting” is a term used in online marketing to refer to a process in which the visitor to a website or app is flagged and then re-contacted in pseudonymized form on other websites and presented with targeted advertising. Users of the website or app are flagged in pseudonymized form to allow them to be recognized on the platform or another website. This information is then used as a basis to derive pseudonymized usage profiles. The pseudonymized usage profiles are not matched up with data about the actual person bearing the pseudonym. The aim of this process is to remind a user about a platform or product in which he or she has already shown interest on a previous occasion, thereby boosting the relevance of advertising and thus the click and conversion rate (e.g. order rate). For retargeting, we use time-limited cookies with a set duration. For further information, please see Section 4 of this Privacy Statement. We can combine your pseudonymized personal data with other pseudonymized data that we receive from other sources and can use them to improve and personalize the advertising messages and marketing activities that we present to you.
If you do not wish us to collect data regarding your visit to our platform and regarding your usage of our services, applications, and tools, you can object to such data collection with effect for the future at any time by deactivating cookies in your browser or device settings.

a) Google Ads Conversion
Our website also uses the online advertising service Google Ads and, in this context, the Conversion-Tracking service of Google-Analytics (which evaluates the actions you take during your visit to our website). The data will be processed on the basis of Article 6 paragraph 1 sentence 1 lit. f) of the GDPR, in keeping with our legitimate interest in performing targeted advertising and in analyzing the effectiveness and efficiency of this advertising.
If you have reached our website by way of a Google ad, Google Ads will store a cookie on your terminal device. This cookie will have a limited life and will not serve to identify you personally. If you visit certain pages of our website and the cookie has not yet expired, both we and Google will be able to discern that you clicked on the respective ad and that you were referred to our pages from there. Each customer of Google Ads will receive a different cookie. This precludes the possibility that cookies can be tracked via the websites of Google Ads customers. We, for our part, will not collect and process any personal data in the course of the aforementioned advertising measures. Instead, we will merely receive statistical analyses from Google. These analyses allow us to determine which of the advertising measures deployed have proven the most effective. We do not receive any additional data from the deployment of advertising measures; in particular, we are not able to use this information to identify the users.
You have the option of blocking the installation of cookies by adjusting the settings of your browser software accordingly. Please note, however, that this may impair the full operability of some of the functions available on this website. You may also keep personalized advertising from being sent to you by deactivating this function in Google’s advertising settings. Instructions on how to do this are available here.
For further information as well as Google’s Privacy Policy, please navigate here.

b) Use of Facebook Pixel and Facebook Conversion
The tracking tool “Facebook Pixel” provided by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (referred to hereinbelow as “Facebook”) is implemented on this website. Facebook Pixel allows interest-based advertising (“Facebook Ads”) to be presented to visitors to this website based on the information collected about their usage of this website. These Facebook Ads are presented via the social network Facebook or when the persons targeted visit other websites that participate in the Facebook advertising network. The legal basis for processing these data is Article 6 paragraph 1 sentence 1 lit. f) of the GDPR, which concerns our legitimate interest in performing targeted advertising and in analyzing the effectiveness of this advertising. When the website is called up, the tool may cause certain information to be stored on your terminal device in the form of cookies and also may trigger the transmission of certain information to a Facebook server in the United States of America. An adequacy decision by the European Commission is available for the USA (under the EU/US Privacy Shield program) which serves to officially certify Facebook.
Facebook Pixel is a program code implemented on this website. When the website is called up, the program code may cause certain information to be stored on your terminal device in the form of cookies and also may trigger the transmission of certain information to Facebook. This includes information that is generated for technical reasons by the Hypertext Transfer Protocol (HTTP) when the website is called up, such as your IP address, as well as additional information already stored in cookies on your terminal device, such as your Facebook user ID. Thus, when the website is called up, Facebook can recognize that you have visited this website and which of the website’s contents you called up. If you have a Facebook user account, Facebook will be able to match this information to your user account.
This data analysis by Facebook allows us to follow the movements of the website’s users (user tracking). It also allows us to determine which users carried out a conversion, respectively action, on the website (conversion tracking). The data also allow us to define target groups for targeted advertising (re-targeting).
For further details on the collection and usage of data by Facebook, as well as on your rights in this context and the settings you can use to protect your privacy, please navigate to the Facebook Privacy Policy.
You may refuse to accept the collection of data for these purposes by installing the corresponding add-ons for your browser and/or by deactivating cookies in your browser/device settings.

7. Script and font libraries
In order to present the contents of our website in a correct and graphically appealing away across all browsers, we rely on script and font libraries such as Google Fonts and Bootstrap CDN (Content Delivery Network) provided by StackPath, LLC, 2021 McKinney Ave. Suite 1100, 75201, Dallas, TX USA).
If you have not already downloaded these libraries during your visit to another website, they will be transferred into the cache of your browser so as to obviate the need for multiple downloading. When the script or font libraries are called up, this will automatically establish a connection to the operator of the respective library. In the process, it is possible that the operator of these libraries may collect personal data (e.g. your IP address).
For further information, please refer to the respective privacy statements of the library operators Google and Stackpath.

8. Security
When you visit our website, we ensure secure transmission via the commonly used SSL procedure (Secure Socket Layer) in conjunction with the highest encryption level supported by your browser. As a general rule, this will be 256 bit encryption. You can tell that one of our webpages is being transmitted in encrypted form when the key icon or padlock icon in the lower status bar of your browser is shown as being closed.
Aside from that, we have also taken technical and administrative safeguards to protect the personal data concerning you against loss, destruction, tampering, and unauthorized access. All of our employees as well as all the service providers working on our behalf have contractually pledged to observe the applicable data protection laws. We continually review our security safeguards for improvement and our Privacy Statements are regularly revised. Please make sure that you have access to the most current version.

9. Rights of data subjects
You have the following rights:
• Pursuant to Article 15 of the GDPR, you have the right to request information about the personal data concerning you that are being processed by us;
• Pursuant to Article 16 of the GDPR, you have the right to request that any incorrect or incomplete data concerning you that are being stored by us be rectified and/or completed without undue delay;
• Pursuant to Article 17 GDPR, you have the right to request erasure of the personal data concerning you that are being stored by us, except insofar as the processing is necessary in order to exercise the right of freedom of expression and information, to comply with a legal obligation, for reasons of public interest, or to assert, exercise or defend legal claims. If we have made public the personal data concerning you, then we are under obligation, taking account of the available technologies and technical means, to inform other controllers who collect personal data concerning you that you have requested the erasure of all links to the personal data as well as of any copies or replications of said data;
• In accordance with Article 18 of the GDPR, you have the right to request that the processing of the personal data concerning you be restricted insofar as you contest the accuracy of the data; insofar as the data’s processing is unlawful and you oppose their erasure; insofar as we no longer require the data but you still require them in order to establish, exercise or defend legal claims; or insofar as you have objected to the processing pursuant to Article 21 of the GDPR;
• In accordance with Article 20 of the GDPR, you have the right to receive the personal data concerning you that you have provided to us, namely in a structured, commonly used, and machine-readable format; you also have the right to demand that said data be transmitted to another controller;
• In accordance with Article 7 paragraph 3 of the GDPR, you have the right to withdraw consent at any time that you have previously granted. This will mean that, effective thenceforward, we will no longer be able to perform the data processing that was based on the consent you have now withdrawn;
• In accordance with Article 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority. As a general rule, you may turn to the supervisory authority that is competent either for your habitual residence or for your place of work or for our registered seat.

10. Right to lodge objections
Insofar as the personal data concerning you are processed on the basis of a legitimate interest pursuant to Article 6 paragraph 1 sentence 1 lit. f) of the GDPR, you have the right, pursuant to Article 21 of the GDPR, to lodge an objection against the processing of personal data concerning you, provided you have grounds that arise from your particular situation or provided your objection is targeted at direct advertising. In the latter case, you will enjoy a general right to object that we will honor without requiring you to state grounds arising from a special situation.
If you would like to exercise your right to withdraw consent or to lodge an objection, you need simply notify us accordingly by sending us an email at datenschutz@wax-in-the-city.com.

11. Amendments to the present Privacy Statement
This Privacy Statement is currently valid.
Due to our continual enhancement of our website and the commercial offers that we make by way of the website, or due to changes in the stipulations of the law, respectively of the competent public authorities, it may become necessary to amend the present Privacy Statement. The respectively current Privacy Statement is available for retrieval from our website and printout at any time under: https://wax-in-the-city.com/en/data-privacy-policy-disclaimer/.
Effective as of: January 14th, 2020
* * *