Privacy policy

Last updated: 28 December 2025

Table of contents

I. Controller

II. General information on data processing

III. Disclosure of personal data / recipients

IV. Provision of the website and creation of log files

V. Cookies & consent management (Consentmo)

VI. Webshop / orders / newsletter / payment processing / shipping

VII. Online marketing & social media (Meta/Facebook/Instagram, TikTok, if applicable Google Ads)

VIII. User rights (data subject rights)

IX. Changes and updates

We protect your privacy and your personal data. We collect, process and use your personal data exclusively in accordance with the provisions of the General Data Protection Regulation (GDPR) and the applicable data protection laws.

This Privacy Policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “Online Offering”).

Below, we inform you in accordance with the GDPR about the nature, scope and purpose of data collection and its use:

I. CONTROLLER

The controller responsible for data processing is:

Stardust Acrylics e.U.
Owner: Tamara Dogan
Margaretendamm 12
6923 Lauterach
Austria
Email: office@stardustacrylics.com
Website: https://stardustacrylics.com

II. GENERAL INFORMATION ON DATA PROCESSING

1. Scope of processing

We collect and use personal data of our users only insofar as this is necessary to provide a functional website and our content and services. Therefore, we process only those personal data that you provide to us as a user of the website and/or as a customer, for example as part of an enquiry or registration or to conclude a contract.

The following types of personal data may be subject to processing by us or by a service used by us:

Inventory data (e.g. names, addresses)

• Content data (e.g. text entries, photographs, videos)
• Contact data (e.g. email, telephone numbers)
• Meta/communication data (e.g. device information, IP addresses)
• Usage data (e.g. websites visited, interest in content, access times)
• Contract data (e.g. subject matter of the contract, term, customer category)
• Payment data (e.g. bank details, invoices, payment history)

Furthermore, we process the above types of data relating to the following categories of data subjects:

• Customers
• Business and contractual partners
• Interested parties
• Communication partners
• Users (e.g. website visitors, users of online services)
• Participants in prize draws and competitions

2. Legal bases for data processing

The legal basis for data processing is:

• Your consent pursuant to Art. 6(1)(a) GDPR. As a general rule, we collect and use our users’ data only with the user’s consent. An exception applies in cases in which obtaining prior consent is not possible for factual reasons and the processing of the data is permitted by statutory provisions.
• Contract performance and pre-contractual enquiries pursuant to Art. 6(1)(b) GDPR. In order to process your enquiry to your complete satisfaction or to be able to contact you, we require your data.
• Compliance with a legal obligation of our company pursuant to Art. 6(1)(c) GDPR, for example by disclosing users’ data to authorities such as the tax office, health insurance carriers or other public bodies.
• Safeguarding a legitimate interest of our company pursuant to Art. 6(1)(f) GDPR. This includes marketing and advertising measures in general. As interested parties and customers of our service offering, we would like to inform you in a current and targeted manner about innovations and offers relating to our services or activities. We subject these activities to a balancing of interests, and no impairments of the fundamental rights and freedoms of users are to be expected. Legitimate interests exist in particular in operation, IT security as well as misuse/fraud prevention. Direct marketing is carried out—where and insofar as permitted—while observing the relevant consent and objection options.

Note on cookies/similar technologies:

If cookies/similar technologies access end devices or store/read information, the applicable consent provisions also apply (in Austria in particular Section 165(3) TKG 2021). Non-essential technologies are only activated after consent (see Section V).

3. Data deletion and retention period

Your personal data will be deleted or blocked as soon as the purpose of storage no longer applies. Storage may continue if this is provided for by EU regulations, laws or other provisions to which we, as controller, are subject. Data will also be blocked or deleted when a retention period prescribed by the above provisions expires, unless continued storage is required for the conclusion or performance of a contract.

III. DISCLOSURE OF PERSONAL DATA / RECIPIENTS

If you have provided us with your data as a user of our website and/or customer, we use it only to answer your enquiries, to process contracts and for technical administration.

We disclose or transmit your data to third parties only if this is necessary for the purpose of contract processing or billing, or if you as a user of the website and/or customer have previously consented.

Recipients of this data may include, for example, payment institutions in the context of payment transactions, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the statutory requirements and, in particular, conclude the corresponding contracts or agreements that serve to protect your data with the recipients of your data.

Recipients/categories of recipients include in particular:

• Shop/hosting/checkout provider: Shopify (operation of the shop including checkout)
• Payment service providers (depending on the selected payment method; e.g. Apple Pay, Klarna, PayPal, Shop Pay, Visa, Mastercard, Maestro – depending on availability)
• Shipping/logistics providers: Austrian Post, DPD, DHL
• Email/newsletter provider: Shopify Email
• Consent management: Consentmo (management/logging of consents)
  
• Advertising/marketing platforms (only with consent): Meta (Facebook/Instagram), TikTok; if applicable Google (Google Ads, if enabled)

Where required, we conclude data processing agreements (DPA) with service providers.

Note on transfers to third countries: Depending on the service providers used (e.g. Shopify, payment or advertising platforms), processing may take place outside the EU/EEA (in particular the USA). Where required, providers base such transfers on appropriate safeguards (e.g. EU Standard Contractual Clauses) and/or adequacy decisions, where applicable.

IV. PROVISION OF THE WEBSITE AND CREATION OF LOG FILES

1. Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.

The following data is collected:

• Information about the browser type and version used
• The user’s operating system
• The user’s internet service provider
• The user’s IP address
• Date and time of access
• Websites from which the user’s system accesses our website
• Websites accessed by the user’s system via our website

2. Legal basis

The legal basis for the temporary processing of this data and the log files is Art. 6(1)(f) GDPR.

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary to deliver the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.

The storage of your IP address in log files is carried out to ensure the functionality of the website. In addition, the data helps us to optimise the website and to ensure the security of our information technology systems.

These purposes also constitute our legitimate interest in data processing pursuant to Art. 6(1)(f) GDPR.

4. Storage period / objection and removal options

The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of data collection for providing the website, this is the case when the respective session has ended.

The data is generally stored only as long as necessary for the purposes stated and then deleted or anonymised, unless further retention is required in individual cases (e.g. to defend against/investigate security incidents).

The collection of data for providing the website and the storage of data in log files is essential for the operation of the website. Therefore, the user has no right to object.

V. COOKIES & CONSENT MANAGEMENT (CONSENTMO)

1. Description and scope of data processing

To provide you with the best possible online experience, we use cookies on this website. Cookies are text files that are stored in the internet browser or by the internet browser on the user’s computer system. When a user accesses a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string of characters that enables unique identification of the browser when the website is accessed again. Stored information may include, for example, language settings on a website, login status, a shopping cart or the point at which a video or photo was viewed. The term cookies also includes other technologies that perform the same functions as cookies (e.g. where users’ information is stored using pseudonymous online identifiers, also referred to as “user IDs”).

Cookies/technologies we use:

• Technically necessary cookies/technologies: required for core functions (e.g. cart, checkout, security functions).
• Statistics/marketing technologies: used for conversion measurement, campaign optimisation and remarketing (only with consent).

Non-essential technologies are activated only after you have consented via the consent banner. For the management and logging of your consents, we use a consent management tool (Consentmo). This can store and document your selection (e.g. timestamp, selection, technical identifiers).

2. Legal bases

• Technically necessary cookies/technologies: Art. 6(1)(f) GDPR.
• Statistics/marketing technologies: Art. 6(1)(a) GDPR (consent) and the applicable provisions on end device access (e.g. Section 165(3) TKG 2021 in Austria).

3. Purpose of data processing

The purpose of using technically necessary cookies is to simplify the use of websites and/or our webshop for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised even after a page change.

The user data collected through technically necessary cookies is not used to create user profiles.

4. Storage period, objection and removal options

Cookies are stored on the user’s computer and transmitted by the user to our website. Therefore, as a user you have full control over the use of cookies.

Depending on whether processing is based on consent or statutory permission, you have the option at any time to withdraw consent you have given or to object to the processing of your data through cookie technologies (collectively referred to as “opt-out”). You can initially declare your objection by adjusting your browser settings, for example by disabling the use of cookies (which may also restrict the functionality of our online offering). An objection to the use of cookies for online marketing purposes can also be declared via a number of services, especially in the case of tracking, through the websites http://optout.aboutads.info and http://www.youronlinechoices.com/. In addition, you may receive further objection information within the information provided about the service providers and cookies used.

If cookies are disabled for our website, it may no longer be possible to use all functions of the website to their full extent.

Details (e.g. specific cookies/technologies, providers and storage durations) can be found in the cookie settings.

VI. WEBSHOP / ORDERS / NEWSLETTER / PAYMENT PROCESSING / SHIPPING

1. Description and scope of data processing

On our website, the user has the option to order our products online via the URL https://www.stardustacrylics.com.

For online orders it is necessary to provide the data requested in the input mask, namely first name, last name, street, postal code, city and email address. We process a telephone number only if you provide it and/or if it is required for delivery notifications/coordination. We collect, store and process your data exclusively for the complete processing of your order and for contacting you, if necessary. If we use a carrier to ship your order, we will pass your address on to them. Any further disclosure of your data does not take place.

For shipping, we pass on the data required for delivery to shipping providers:

• Austrian Post
• DPD
• DHL (occasionally)

For payment processing, payment and transaction data are processed by the chosen payment service provider. As a rule, we do not receive full card/account details, but rather status/transaction information.

2. Legal basis

The legal basis is Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (legal obligations, e.g. retention). In addition, Art. 6(1)(f) GDPR (fraud prevention) may be relevant.

3. Purpose of data processing

The data is processed for order processing, delivery, communication, compliance with legal obligations and fraud prevention.

4. Newsletter (Shopify Email)

If you subscribe to our newsletter, we process your email address (and, if applicable, your name) for sending.

Legal basis: Art. 6(1)(a) GDPR (consent).

Withdrawal: at any time with effect for the future (e.g. via the unsubscribe link).

5. Storage period

• Contract/order data and accounting documents: generally 7 years (tax/business retention obligations).
• Enquiries/correspondence: until completion; possibly longer for documentation/defence of claims.
• Newsletter data: until consent is withdrawn.
• Consent logs: as long as required in order to prove consent (depending on the tool; exports/reports may serve as evidence).

6. Objection and removal options

Where processing is based on your consent (e.g. newsletter, marketing/tracking), you can withdraw this consent at any time with effect for the future. Otherwise, the statutory data subject rights apply (e.g. access, rectification, erasure, restriction), whereby statutory retention obligations remain unaffected.

VII. ONLINE MARKETING & SOCIAL MEDIA (META/FACEBOOK/INSTAGRAM, TIKTOK, IF APPLICABLE GOOGLE ADS)

1) Social media links and external online presences

We maintain presences in social networks and link to our profiles on our website. When you click such a link, you leave our website and the data protection rules of the respective platform operator apply. Depending on the platform and use, personal data may be processed, e.g. IP address, device/browser information, interactions (likes, comments), profile and usage data, and possibly cookie/tracking information. Processing outside the EU/EEA cannot be excluded.

Platform operators (selection, depending on the linked platform):
- Facebook and Instagram: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland
- TikTok: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (if linked)
- YouTube: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, D04 E5W5, Ireland; Google LLC d/b/a YouTube, 901 Cherry Ave, San Bruno, CA 94066, USA

Legal basis:
Insofar as we communicate with users within our social media presences (e.g. answering messages, moderating comments, analysing interactions), this is done on the basis of our legitimate interests pursuant to Art. 6(1)(f) GDPR (communication, information, public relations/brand presence).
Otherwise, data processing is primarily carried out by the respective platform operators under their own privacy policies.

Note on “Insights” data at Meta:
Insofar as Meta provides us as page operator with statistical analyses (“Insights”) regarding the use of our Facebook/Instagram presence, rules on joint controllership pursuant to Art. 26 GDPR may apply. For further information, please refer to Meta’s information/documents (see item 3).

2) Marketing/tracking technologies on our website (only with consent)

If enabled by you via the consent banner, we use marketing and tracking technologies to measure conversions (e.g. purchase, add-to-cart), optimise campaigns and build remarketing audiences. Without consent, these technologies are not activated.

Legal basis:
Art. 6(1)(a) GDPR (consent) and—where cookies/similar technologies and/or end-device access are involved—Section 165(3) TKG 2021 (Austria) or corresponding national rules (ePrivacy implementation).

Withdrawal/opt-out:
You can withdraw or adjust your consent at any time via the cookie settings. The lawfulness of processing carried out until withdrawal remains unaffected.

a) Meta (Facebook/Instagram) – pixel/events
With your consent, we use Meta technologies (e.g. Meta Pixel and/or server-side event transmission via integrations) to transmit event data (e.g. page view, add-to-cart, purchase) to Meta for processing. Meta may associate this data with an existing Meta account.

b) TikTok – pixel
With your consent, we use TikTok technologies (e.g. TikTok Pixel) to transmit event data to TikTok for conversion measurement, campaign optimisation and remarketing. TikTok-specific cookies/IDs may be used (e.g. ttcsid variants).

c) Google Ads – conversion tracking/remarketing
If we use Google Ads, and with your consent, we use conversion tracking/remarketing to measure campaign performance (conversions), to optimise ads and for remarketing.

Transfer to third countries:
Depending on the provider, processing outside the EU/EEA (in particular the USA) may take place. Where required, providers rely on appropriate safeguards (e.g. EU Standard Contractual Clauses) and/or adequacy decisions, where applicable.

Storage period:
Details on specific cookies/technologies, storage periods and providers can be found in the cookie settings.

3) Providers’ privacy notices & documents (official sources)

Meta (Facebook/Instagram):
- Privacy Policy: https://www.facebook.com/privacy/policy/
- Meta Business Tools Terms: https://www.facebook.com/legal/technology_terms
- Meta Controller Addendum: https://www.facebook.com/legal/controller_addendum
- (for Page Insights): https://www.facebook.com/legal/terms/page_controller_addendum

TikTok:
- TikTok for Business Privacy Policy: https://ads.tiktok.com/i18n/official/policy/privacy
- TikTok Business Products (Data) Terms: https://ads.tiktok.com/i18n/official/policy/business-products-terms

Google:
- Google Privacy Policy: https://policies.google.com/privacy
- Google Controller-Controller Terms: https://business.safety.google/controllerterms/
- Google Processor Terms: https://privacy.google.com/businesses/processorterms/

VIII. USER RIGHTS (DATA SUBJECT RIGHTS)

If personal data concerning you is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis us as controller:

1. Right to object

You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is carried out on the basis of Art. 6(1)(e) or (f) GDPR. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such direct marketing.

2. Right to withdraw consent

You have the right to withdraw consent given at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

3. Right of access

You have the right to request confirmation as to whether personal data concerning you is being processed and to obtain access to such data as well as further information and a copy of the data in accordance with statutory provisions.

4. Right to rectification

In accordance with statutory provisions, you have the right to request the completion of personal data concerning you or the rectification of inaccurate personal data concerning you.

5. Right to erasure and restriction of processing

In accordance with statutory provisions, you have the right to request that personal data concerning you be erased without undue delay or, alternatively, to request restriction of processing in accordance with statutory provisions.

6. Right to data portability

You have the right, in accordance with statutory provisions, to receive personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, or to request that it be transmitted to another controller.

7. Complaint to the supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the supervisory authority if you believe that the processing of your data violates the GDPR. The supervisory authority within the meaning of the GDPR is the Data Protection Authority, Barichgasse 40–42, 1030 Vienna, Tel: +43/1-52 152-0,
Email: dsb@dsb.gv.at.

The Data Protection Authority will inform you about the status and results of the complaint, including the possibility of a judicial remedy.

IX. CHANGES AND UPDATES

We ask you to regularly inform yourself about the content of our Privacy Policy. We adapt the Privacy Policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as changes require your cooperation (e.g. consent) or any other individual notification.