Privacy policy

This privacy policy has been automatically translated and may contain errors – the German original version is the legally binding document.

Introduction and Overview

We have written this Privacy Policy (version 25.08.2025-111725926) to explain to you, in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, which personal data (hereinafter "data") we as the controller – and the processors commissioned by us (e.g. providers) – process, will process in the future, and what lawful options you have. The terms used are to be understood in a gender-neutral manner.

In short: We inform you comprehensively about the data we process about you.

Privacy policies usually sound very technical and use legal jargon. This Privacy Policy, however, aims to describe the most important things as simply and transparently as possible. Where it aids transparency, technical terms are explained in a reader-friendly way, links to further information are provided, and graphics are used. We thus inform you in clear and plain language that we only process personal data in the course of our business activities when there is a corresponding legal basis. This is certainly not possible if one gives the briefest, most obscure, and most legalistic explanations, as is often the standard on the internet when it comes to data protection. We hope you find the following explanations interesting and informative, and perhaps there is some piece of information you did not already know.
If questions remain, we ask that you contact the responsible body mentioned below or in the imprint, follow the available links, and look at further information on third-party sites. Our contact details can of course also be found in the imprint.

Scope

This Privacy Policy applies to all personal data processed by us within the company and to all personal data processed by companies commissioned by us (processors). By personal data we mean information within the meaning of Art. 4 No. 1 GDPR, such as a person's name, email address and postal address. The processing of personal data enables us to offer and bill our services and products, both online and offline. The scope of this Privacy Policy covers:

  • all online presences (websites, online shops) that we operate
  • social media presences and email communication
  • mobile apps for smartphones and other devices

In short: The Privacy Policy applies to all areas in which personal data is processed in a structured manner within the company via the channels mentioned. Should we enter into legal relationships with you outside of these channels, we will inform you separately if necessary.

In the following Privacy Policy we provide you with transparent information about the legal principles and regulations, i.e. the legal bases of the General Data Protection Regulation, that allow us to process personal data.
With regard to EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016. You can of course read this EU General Data Protection Regulation online on EUR-Lex, the access to EU law, at https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32016R0679.

We only process your data if at least one of the following conditions applies:

  1. Consent (Article 6(1)(a) GDPR): You have given us your consent to process data for a specific purpose. An example would be the storage of data you entered in a contact form.
  2. Contract (Article 6(1)(b) GDPR): In order to fulfil a contract or pre-contractual obligations with you, we process your data. For example, if we conclude a purchase contract with you, we require personal information in advance.
  3. Legal obligation (Article 6(1)(c) GDPR): If we are subject to a legal obligation, we process your data. For example, we are legally required to retain invoices for accounting purposes. These usually contain personal data.
  4. Legitimate interests (Article 6(1)(f) GDPR): In the case of legitimate interests that do not restrict your fundamental rights, we reserve the right to process personal data. For example, we must process certain data in order to operate our website securely and economically efficiently. This processing is therefore a legitimate interest.

Other conditions such as the performance of tasks in the public interest and the exercise of official authority as well as the protection of vital interests generally do not apply to us. If such a legal basis should be relevant, it will be indicated in the appropriate place.

In addition to EU regulation, national laws also apply:

  • In Austria, this is the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act), abbreviated as DSG.
  • In Germany, the Federal Data Protection Act, abbreviated as BDSG, applies.

If further regional or national laws apply, we will inform you in the following sections.

Contact Details of the Controller

If you have any questions about data protection or the processing of personal data, you will find the contact details of the controller below in accordance with Article 4(7) of the EU General Data Protection Regulation (GDPR):
NAKED GmbH
Dorfstrasse 36
5101 Bergheim, Salzburg
Austria
Authorised representative: Christoph Fink
Email: office@nakedoptics.net

Imprint: https://nakedoptics.net/policies/legal-notice

Retention Period

The general criterion for us is that we only store personal data for as long as is absolutely necessary for the provision of our services and products. This means that we delete personal data as soon as the reason for data processing no longer exists. In some cases, we are legally obliged to store certain data even after the original purpose has ceased to apply, for example for accounting purposes.

If you wish to have your data deleted or withdraw your consent to data processing, the data will be deleted as quickly as possible provided there is no obligation to retain it.

We will inform you in more detail below about the specific duration of the respective data processing, provided we have further information on this.

Rights under the General Data Protection Regulation

In accordance with Articles 13 and 14 GDPR, we inform you of the following rights to which you are entitled so that data is processed fairly and transparently:

  • Pursuant to Article 15 GDPR, you have the right of access to whether we process data about you. If this is the case, you have the right to receive a copy of the data and the following information:
    • for what purpose we carry out the processing;
    • the categories, i.e. the types of data that are processed;
    • who receives this data and, if the data is transferred to third countries, how security can be guaranteed;
    • how long the data is stored;
    • the existence of the right to rectification, erasure or restriction of processing and the right to object to processing;
    • that you can lodge a complaint with a supervisory authority (links to these authorities can be found below);
    • the origin of the data if we have not collected it from you;
    • whether profiling is carried out, i.e. whether data is automatically evaluated to create a personal profile of you.
  • Pursuant to Article 16 GDPR, you have the right to rectification of data, which means that we must correct data if you find errors.
  • Pursuant to Article 17 GDPR, you have the right to erasure ("right to be forgotten"), which specifically means that you may request the deletion of your data.
  • Pursuant to Article 18 GDPR, you have the right to restriction of processing, which means that we may only store the data but not use it further.
  • Pursuant to Article 20 GDPR, you have the right to data portability, which means that we will provide you with your data in a common format upon request.
  • Pursuant to Article 21 GDPR, you have the right to object, which, once enforced, entails a change in processing.
    • If the processing of your data is based on Article 6(1)(e) (public interest, exercise of official authority) or Article 6(1)(f) (legitimate interest), you can object to the processing. We will then examine as quickly as possible whether we can legally comply with this objection.
    • If data is used for direct marketing, you can object to this type of data processing at any time. We may no longer use your data for direct marketing thereafter.
    • If data is used for profiling, you can object to this type of data processing at any time. We may no longer use your data for profiling thereafter.
  • Pursuant to Article 22 GDPR, you may under certain circumstances have the right not to be subject to a decision based solely on automated processing (e.g. profiling).
  • Pursuant to Article 77 GDPR, you have the right to lodge a complaint. This means you can lodge a complaint with the data protection authority at any time if you believe that the processing of personal data violates the GDPR.

In short: You have rights – do not hesitate to contact the responsible body listed above!

If you believe that the processing of your data violates data protection law or your data protection rights have been violated in any other way, you can lodge a complaint with the supervisory authority. For Austria, this is the Data Protection Authority, whose website you can find at https://www.dsb.gv.at/. In Germany, there is a data protection commissioner for each federal state. For more information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The following local data protection authority is responsible for our company:

Austrian Data Protection Authority

Head: Dr. Matthias Schmidl
Address: Barichgasse 40-42, 1030 Vienna
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at/

Data Transfers to Third Countries

We only transfer or process data in countries outside the scope of the GDPR (third countries) if you consent to this processing or if there is another legal permission. This applies in particular if the processing is required by law or necessary for the fulfilment of a contractual relationship and only insofar as this is generally permitted. Your consent is in most cases the most important reason why we have data processed in third countries. Processing personal data in third countries such as the USA, where many software manufacturers offer services and have their server locations, can mean that personal data is processed and stored in unexpected ways.

We expressly point out that, in the opinion of the European Court of Justice, there is currently only an adequate level of protection for data transfers to the USA if a US company processing personal data of EU citizens in the USA is an active participant in the EU-US Data Privacy Framework. More information can be found at: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

Data processing by US services that are not active participants in the EU-US Data Privacy Framework may result in data not being processed and stored anonymously. Furthermore, US government agencies may be able to access individual data. Additionally, data collected may be linked to data from other services of the same provider, provided you have a corresponding user account. Where possible, we try to use server locations within the EU, provided this is offered.

Security of Data Processing

To protect personal data, we have implemented both technical and organisational measures. Where possible, we encrypt or pseudonymise personal data. In this way, we make it as difficult as possible, within our means, for third parties to infer personal information from our data.

Art. 25 GDPR refers to "data protection by design and by default", which means that security is always considered and appropriate measures are taken for both software (e.g. forms) and hardware (e.g. access to the server room). In the following, we will, where necessary, go into specific measures in more detail.

TLS Encryption with HTTPS

TLS, encryption and HTTPS sound very technical, and indeed they are. We use HTTPS (Hypertext Transfer Protocol Secure) to transmit data securely on the internet. This means that the entire transmission of all data from your browser to our web server is secured – nobody can "eavesdrop".

By using TLS (Transport Layer Security), an encryption protocol for secure data transfer on the internet, we can ensure the protection of confidential data. You can recognise the use of this data transfer protection by the small padlock symbol at the top left of the browser, to the left of the internet address (e.g. beispielseite.de) and by the use of the scheme https (instead of http) as part of our internet address.

Communication

Communication Summary
👥 Affected parties: All who communicate with us by telephone, email or online form
📓 Data processed: e.g. telephone number, name, email address, entered form data
🤝 Purpose: Processing communication with customers, business partners, etc.
📅 Retention period: Duration of the business case and legal requirements
⚖️ Legal bases: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(b) GDPR (Contract), Art. 6(1)(f) GDPR (Legitimate interests)

If you contact us and communicate by telephone, email or online form, personal data may be processed.

The data is processed for handling and processing your enquiry and the associated business transaction. The data is stored for as long as the case requires or as the law prescribes.

Affected Persons

All those who contact us via the communication channels we provide are affected by the aforementioned processes.

Telephone

If you call us, the call data is stored in pseudonymised form on the respective terminal device and with the telecommunications provider used. In addition, data such as name and telephone number may subsequently be sent by email and stored to answer enquiries. The data is deleted as soon as the business case has been completed and legal requirements permit.

Email

If you communicate with us by email, data may be stored on the respective terminal device (computer, laptop, smartphone, etc.) and data is stored on the email server. The data is deleted as soon as the business case has been completed and legal requirements permit.

Online Forms

If you communicate with us via an online form, data is stored on our web server and may be forwarded to an email address of ours. The data is deleted as soon as the business case has been completed and legal requirements permit.

Legal Bases

The processing of data is based on the following legal bases:

  • Art. 6(1)(a) GDPR (Consent): You give us consent to store your data and continue to use it for purposes relating to the business case;
  • Art. 6(1)(b) GDPR (Contract): There is a necessity to fulfil a contract with you or a processor such as the telephone provider, or we must process the data for pre-contractual activities, such as preparing a quotation;
  • Art. 6(1)(f) GDPR (Legitimate interests): We want to conduct customer enquiries and business communication in a professional setting. Certain technical facilities such as email programmes, exchange servers and mobile phone operators are necessary to operate communication efficiently.

Data Processing Agreement (DPA)

In this section we would like to explain what a Data Processing Agreement (DPA) is and why it is needed. As most companies do, we do not work alone, but also make use of the services of other companies or individuals. By involving various companies or service providers, it is possible that we pass on personal data for processing. These partners then act as processors, with whom we conclude a contract, the so-called Data Processing Agreement (DPA). For you, the most important thing to know is that the processing of your personal data takes place exclusively according to our instructions and must be governed by the DPA.

Who are Processors?

As a company and website operator, we are responsible for all data we process from you. In addition to the controllers, there may also be so-called processors. This includes any company or person who processes personal data on our behalf. More precisely, and according to the GDPR definition: any natural or legal person, authority, institution or other body that processes personal data on our behalf is a processor. Processors can therefore be service providers such as hosting or cloud providers, payment or newsletter providers, or large companies such as Google or Microsoft.

Content of a Data Processing Agreement

As mentioned above, we have concluded a DPA with our partners who act as processors. The DPA stipulates above all that the processor only processes the data to be processed in accordance with the GDPR. The contract must be concluded in writing, although in this context electronic contract conclusion also counts as "written". Processing of personal data only takes place on the basis of the contract. The contract must contain the following:

  • Binding to us as the controller
  • Obligations and rights of the controller
  • Categories of data subjects
  • Type of personal data
  • Type and purpose of data processing
  • Subject and duration of data processing
  • Place of data processing

The contract also contains all obligations of the processor. The most important obligations are:

  • Ensuring data security measures
  • Taking possible technical and organisational measures to protect the rights of the data subject
  • Maintaining a data processing register
  • Cooperating with the data protection supervisory authority upon request
  • Carrying out a risk analysis with regard to the personal data received
  • Sub-processors may only be commissioned with the written consent of the controller

Cookies

Cookies Summary
👥 Affected parties: Website visitors
🤝 Purpose: depends on the respective cookie. More details can be found below or with the manufacturer of the software that sets the cookie.
📓 Data processed: Depends on the cookie used. More details can be found below or with the manufacturer of the software that sets the cookie.
📅 Retention period: depends on the respective cookie, can range from hours to years
⚖️ Legal bases: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate interests)

What are Cookies?

Our website uses HTTP cookies to store user-specific data. Below we explain what cookies are and why they are used so that you can better understand the following Privacy Policy.

Whenever you browse the internet, you use a browser. Well-known browsers include Chrome, Safari, Firefox, Internet Explorer and Microsoft Edge. Most websites store small text files in your browser. These files are called cookies.

Cookies are genuinely useful helpers. Almost all websites use cookies. More precisely, they are HTTP cookies, as there are also other cookies for other areas of application. HTTP cookies are small files that are stored on your computer by our website. These cookie files are automatically stored in the cookie folder, the "brain" of your browser. A cookie consists of a name and a value. When defining a cookie, one or more attributes must also be specified.

Cookies store certain user data from you, such as language or personal page settings. When you visit our site again, your browser transmits the "user-related" information back to our site. Thanks to cookies, our website knows who you are and offers you the settings you are used to.

What Types of Cookies are There?

There are 4 types of cookies:

Essential Cookies: These cookies are necessary to ensure basic functions of the website.

Functional Cookies: These cookies collect information about user behaviour and whether the user receives any error messages. They also measure the loading time and the behaviour of the website in different browsers.

Targeting Cookies: These cookies ensure better user-friendliness. For example, entered locations, font sizes or form data are stored.

Advertising Cookies: Also called targeting cookies, these are used to deliver individually tailored advertising to the user.

Legal Basis

Since 2009, there have been the so-called "cookie guidelines". These stipulate that storing cookies requires your consent (Article 6(1)(a) GDPR). For strictly necessary cookies, there are legitimate interests (Article 6(1)(f) GDPR). Insofar as non-strictly necessary cookies are used, this only takes place with your consent. The legal basis is therefore Art. 6(1)(a) GDPR.

Web Analytics Introduction

Web Analytics Summary
👥 Affected parties: Website visitors
🤝 Purpose: Evaluation of visitor information to optimise the web offering
📓 Data processed: Access statistics containing data such as access locations, device data, access duration and time, navigation behaviour, click behaviour and IP addresses
📅 Retention period: depends on the web analytics tool used
⚖️ Legal bases: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate interests)

What is Web Analytics?

We use software on our website to evaluate the behaviour of website visitors, known as web analytics. Data is collected and stored by the respective analytics tool provider (also called a tracking tool). Using the data, analyses of user behaviour on our website are created and made available to us as website operators. Most tools also offer various testing options. For example, we can test which offers or content are best received by our visitors.

Legal Basis

The use of web analytics requires your consent, which we obtained with our cookie popup. This consent constitutes the legal basis pursuant to Art. 6(1)(a) GDPR (Consent). In addition, we have a legitimate interest in analysing the behaviour of website visitors to improve our offering technically and economically. The legal basis for this is Art. 6(1)(f) GDPR (Legitimate interests). We only use the tools insofar as you have given consent.

Google Analytics Privacy Policy

Google Analytics Summary
👥 Affected parties: Website visitors
🤝 Purpose: Evaluation of visitor information to optimise the web offering
📓 Data processed: Access statistics including access locations, device data, access duration, navigation and click behaviour
📅 Retention period: individually configurable; Google Analytics 4 stores data for 14 months by default
⚖️ Legal bases: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate interests)

We use the analytics tracking tool Google Analytics in the version Google Analytics 4 (GA4) by Google Inc. For the European region, Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services. Google Analytics collects data about your actions on our website.

Google Analytics is a tracking tool that serves the traffic analysis of our website. The basis of these measurements and analyses is a pseudonymous user identification number. GA4 uses an event-based model that captures detailed information about user interactions such as page views, clicks, scrolling and conversion events.

The use of Google Analytics requires your consent, obtained via our cookie popup. Legal basis: Art. 6(1)(a) GDPR. Additionally, we have a legitimate interest pursuant to Art. 6(1)(f) GDPR. Google processes data in the USA and is an active participant of the EU-US Data Privacy Framework. More information: EU-US Data Privacy Framework. Further information: Google Privacy Policy.

Meta Conversions API Privacy Policy

We use Meta Conversions API, a server-side event tracking tool. The provider is Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). The Meta Conversions API is a tool that can measure the performance of our advertising campaigns in real time. Legal basis: Art. 6(1)(a) GDPR (Consent) and Art. 6(1)(f) GDPR (Legitimate interests). Further information: Meta Privacy Policy.

Pinterest Web Analytics Privacy Policy

We use Pinterest Web Analytics by Pinterest Europe Ltd. (Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland). Legal basis: Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR. Further information: Pinterest Privacy Policy.

TikTok Pixel Privacy Policy

We use the tracking software TikTok Pixel. The provider for the European region is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. Legal basis: Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR. Further information: TikTok Privacy Policy.

Klar! Insights – Attribution

We use the services of Klar Insights GmbH, Marktstr. 18, 80802 Munich, Germany. Klar Insights GmbH collects, processes and stores user and session IDs, email addresses, IP addresses, online identifiers (cookie ID, device ID) for reach measurement and statistical analysis on our behalf. We have concluded a Data Processing Agreement with Klar Insights GmbH. Legal basis: Art. 6(1)(a) GDPR (Consent). Further information: https://app.getklar.com/legal/data-protection.

Cookie opt-out: To generally object to the use of Klar! Insights, please use this link. This will set a cookie named "september_do_not_track" from the domain "nakedoptics.net". Please do not delete this cookie, as otherwise it cannot be guaranteed that you will not be tracked by Klar.

Email Marketing Introduction

Email Marketing Summary
👥 Affected parties: Newsletter subscribers
🤝 Purpose: Direct advertising by email, notification of system-relevant events
📓 Data processed: Data entered upon registration, at minimum the email address
📅 Retention period: Duration of the subscription
⚖️ Legal bases: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate interests)

To keep you up to date, we also use email marketing. If you have consented to receiving our emails or newsletters, data from you will be processed and stored. Email marketing is a subarea of online marketing in which news or general information about a company, products or services is sent by email to a specific group of interested people.

Email newsletter registration generally works using the so-called "double opt-in process". After registering for our newsletter on our website, you receive an email confirming your newsletter subscription. This ensures that the email address belongs to you and that no one has signed up with someone else's email address.

Legal basis: Consent pursuant to Art. 6(1)(a) GDPR.

Social Media Introduction

Social Media Summary
👥 Affected parties: Website visitors
🤝 Purpose: Presentation and optimisation of our services, contact with visitors and interested parties, advertising
📓 Data processed: Data such as telephone numbers, email addresses, contact data, user behaviour data, device information and IP address
📅 Retention period: depends on the social media platforms used
⚖️ Legal bases: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate interests)

In addition to our website, we are also active on various social media platforms. Data of users may be processed so that we can specifically address users who are interested in us via social networks. Furthermore, elements of a social media platform may be embedded directly on our website.

Facebook Privacy Policy

We use selected tools from Facebook. Facebook is a social media network of Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Legal basis: Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR. Further information: Facebook Privacy Policy.

Instagram Privacy Policy

We have integrated functions of Instagram on our website. Instagram is a social media platform of Instagram LLC, a subsidiary of Meta Platforms Inc. Legal basis: Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR. Further information: Instagram Privacy Policy.

Pinterest Privacy Policy

We use buttons and widgets of the social media network Pinterest by Pinterest Europe Ltd. (Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland). Legal basis: Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR. Further information: Pinterest Privacy Policy.

TikTok Privacy Policy

We use the TikTok integration on our website. The provider for the European region is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. Legal basis: Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR. Further information: TikTok Privacy Policy.

Blogs and Publication Media Introduction

Blogs and Publication Media Summary
👥 Affected parties: Website visitors
🤝 Purpose: Presentation and optimisation of our services and communication between website visitors, security and management
📓 Data processed: Data such as contact data, IP address and published content
📅 Retention period: depends on the tools used
⚖️ Legal bases: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate interests), Art. 6(1)(b) GDPR (Contract)

We use blogs or other communication tools on our website with which we can communicate both with you and you can communicate with us. Data from you may be stored and processed by us in the process. Legal basis: Art. 6(1)(f) GDPR and, where applicable, Art. 6(1)(a) GDPR.

Online Marketing Introduction

Online Marketing Summary
👥 Affected parties: Website visitors
🤝 Purpose: Evaluation of visitor information to optimise the web offering
📓 Data processed: Access statistics, device data, access duration, navigation behaviour, click behaviour, IP addresses, and possibly name and email address
📅 Retention period: depends on the online marketing tools used
⚖️ Legal bases: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate interests)

Online marketing refers to all measures carried out online to achieve marketing goals such as increasing brand awareness or making a business deal. Our online marketing measures aim to draw people's attention to our website. Legal basis: Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR.

Microsoft Advertising Privacy Policy

We use the advertising programme Microsoft Advertising by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Legal basis: Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR. Microsoft is an active participant of the EU-US Data Privacy Framework. Further information: Microsoft Privacy Statement.

PayPal Marketing Solutions Privacy Policy

We use the sales optimisation tool PayPal Marketing Solutions. The provider is PayPal Europe (S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg). Legal basis: Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR. Further information: PayPal Privacy Policy.

Content Delivery Networks Introduction

Content Delivery Networks Summary
👥 Affected parties: Website visitors
🤝 Purpose: Optimisation of our services (to load the website faster)
📓 Data processed: Data such as your IP address
📅 Retention period: data is mostly stored until it is no longer needed for service delivery
⚖️ Legal bases: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate interests)

We use a Content Delivery Network (CDN) on our website. A CDN is a network of regionally distributed servers that are all connected to each other via the internet. This network enables website content to be delivered quickly and smoothly even during large load peaks.

Cloudflare Privacy Policy

We use Cloudflare by Cloudflare, Inc. (101 Townsend St., San Francisco, CA 94107, USA) to make our website faster and more secure. Cloudflare is an active participant of the EU-US Data Privacy Framework. Legal basis: Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR. Further information: Cloudflare Privacy Policy.

Cookie Consent Management Platform Introduction

Cookie Consent Management Platform Summary
👥 Affected parties: Website visitors
🤝 Purpose: Obtaining and managing consent for certain cookies and thus the use of certain tools
📓 Data processed: Data for managing cookie settings such as IP address, time of consent, type of consent, individual consents
📅 Retention period: depends on the tool used; periods of several years should be expected
⚖️ Legal bases: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate interests)

We use a Consent Management Platform (CMP) on our website that makes it easier for us and you to handle the scripts and cookies in use correctly and securely. The software automatically creates a cookie popup, scans and controls all scripts and cookies, provides the legally required cookie consent for you and helps us and you to keep track of all cookies.

AdSimple Consent Manager Privacy Policy

We use the AdSimple Consent Manager by AdSimple GmbH, Fabriksgasse 20, 2230 Gänserndorf. The AdSimple Consent Manager offers us the possibility of providing you with a comprehensive and data protection-compliant cookie notice. Legal basis: Art. 6(1)(a) GDPR (Consent) and Art. 6(1)(f) GDPR (Legitimate interests). Further information: AdSimple Consent Manager.

Security & Anti-Spam

Security & Anti-Spam Summary
👥 Affected parties: Website visitors
🤝 Purpose: Cybersecurity
📓 Data processed: Data such as your IP address, name or technical data such as browser version
📅 Retention period: data is mostly stored until no longer needed for service delivery
⚖️ Legal bases: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate interests)

Security and anti-spam software can protect us from various spam or phishing emails and possible other cyber attacks. We also use general firewall and security systems that protect our computers from unwanted network attacks. Legal basis: primarily Art. 6(1)(f) GDPR (Legitimate interests).

Google reCAPTCHA Privacy Policy

We use Google reCAPTCHA by Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) to protect our website from spam software and abuse by non-human visitors. Legal basis: Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR. Google is an active participant of the EU-US Data Privacy Framework. Further information: Google Privacy Policy.

Payment Providers Introduction

Payment Providers Summary
👥 Affected parties: Website visitors
🤝 Purpose: Enabling and optimising the payment process on our website
📓 Data processed: Data such as name, address, bank details (account number, credit card number, passwords, TANs etc.), IP address and contract data
📅 Retention period: depends on the payment provider used
⚖️ Legal bases: Art. 6(1)(b) GDPR (Contract fulfilment)

We use online payment systems on our website that enable a secure and smooth payment process for us and you. Personal data may also be sent to the respective payment provider, stored and processed there. Legal basis: Art. 6(1)(b) GDPR.

American Express Privacy Policy

We use American Express, a globally operating financial service provider. Provider: American Express Europe S.A. (Avenida Partenón 12-14, 28042, Madrid, Spain). Further information: American Express Privacy Policy.

eps Transfer Privacy Policy

We use eps Transfer, a service for online payment processes by Stuzza GmbH, Frankgasse 10/8, 1090 Vienna, Austria. Further information: eps Privacy Policy.

Google Pay Privacy Policy

We use the online payment provider Google Pay by Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland). Further information: Google Privacy Policy.

Klarna Checkout Privacy Policy

We use the online payment system Klarna Checkout by Klarna Bank AB, Sveavägen 46, 111 34 Stockholm, Sweden. Legal basis: Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR. Further information: Klarna Privacy Policy.

PayPal Privacy Policy

We use the online payment service PayPal by PayPal Europe (S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg). Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(a) GDPR. Further information: PayPal Privacy Policy.

Shop Pay Privacy Policy

We use Shop Pay, an online payment solutions service by Shopify International Limited (Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland). Further information: Shopify Privacy Policy.

Visa Privacy Policy

We use Visa, a globally operating payment provider by Visa Europe Services Inc. (1 Sheldon Square, London W2 6TT, United Kingdom). Further information: Visa Privacy Policy.

External Online Platforms Introduction

External Online Platforms Summary
👥 Affected parties: Website visitors or visitors to the external online platforms
🤝 Purpose: Presentation and optimisation of our services, contact with visitors and interested parties
📓 Data processed: Data such as telephone numbers, email addresses, contact data, user behaviour data, device information and IP address
📅 Retention period: depends on the platforms used
⚖️ Legal bases: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate interests)

To offer our services or products beyond our website, we also use external platforms such as online marketplaces. Legal basis: Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR.

Amazon (Europe) Privacy Policy

We use the online trading platform Amazon Europe by Amazon Europe Core S.à r.l. (38 avenue John F. Kennedy, L-1855 Luxembourg). Amazon is an active participant of the EU-US Data Privacy Framework. Further information: Amazon Privacy Policy.

Shopify Privacy Policy

We use the online marketplace Shopify by Shopify International Limited (Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland). Further information: Shopify Privacy Policy.

Audio & Video Introduction

Audio & Video Summary
👥 Affected parties: Website visitors
🤝 Purpose: Optimisation of our services
📓 Data processed: Data such as contact data, user behaviour data, device information and IP address may be stored
📅 Retention period: data is generally stored for as long as needed for the service purpose
⚖️ Legal bases: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate interests)

We have embedded audio and/or video elements on our website so that you can watch videos or listen to music/podcasts directly via our website. Contents are provided by service providers. All content is therefore also retrieved from the corresponding servers of the providers. Legal basis: Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR.

YouTube Privacy Policy

We have embedded YouTube videos on our website. YouTube is a video portal that has been a subsidiary of Google since 2006, operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. For data processing in the European region, Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible. Legal basis: Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR. Google/YouTube is an active participant of the EU-US Data Privacy Framework. Further information: Google Privacy Policy.

Review Platforms Introduction

Review Platforms Summary
👥 Affected parties: Website visitors or visitors to a review platform
🤝 Purpose: Feedback on our products and/or services
📓 Data processed: Including IP address, email address, name
📅 Retention period: depends on the respective platform
⚖️ Legal bases: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate interests)

On various review platforms you can rate our products or services. We participate in some of these platforms so that we can receive feedback from you and optimise our offering. Legal basis: Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR.

Google Customer Reviews Privacy Policy

We use the review platform Google Customer Reviews by Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland). Google is an active participant of the EU-US Data Privacy Framework. Further information: Google Privacy Policy.

Web Design Introduction

Web Design Summary
👥 Affected parties: Website visitors
🤝 Purpose: Improving user experience
📓 Data processed: Data such as IP address, technical data, language settings, browser version, screen resolution and browser name
📅 Retention period: depends on the tools used
⚖️ Legal bases: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate interests)

We use various tools on our website that serve our web design. Web design is not, as often assumed, just about making our website look good, but also about functionality and performance. Legal basis: Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR.

Google Fonts Privacy Policy

We use Google Fonts by Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) on our website. Google Fonts is a directory of over 800 fonts that Google makes available to its users free of charge. Legal basis: Art. 6(1)(a) GDPR and Art. 6(1)(f) GDPR. Google is an active participant of the EU-US Data Privacy Framework. Further information: Google Privacy Policy.

Google Fonts (Local) Privacy Policy

We use Google Fonts on our website, integrated locally, i.e. on our web server – not on Google's servers. This means there is no connection to Google servers and therefore no data transfer or storage.

Explanation of Terms Used

We always strive to write our Privacy Policy as clearly and comprehensibly as possible. However, especially with technical and legal topics, this is not always easy. It often makes sense to use legal terms (such as personal data) or certain technical expressions (such as cookies, IP address). However, we do not want to use these without explanation. Below you will find an alphabetical list of important terms that we may not have addressed sufficiently in the Privacy Policy above.

Processor

"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Explanation: As a company and website operator, we are responsible for all data we process from you. In addition to the controllers, there may also be so-called processors. This includes any company or person who processes personal data on our behalf. Processors can therefore be service providers such as hosting or cloud providers, payment or newsletter providers, or large companies such as Google or Microsoft.

Consent

"Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Explanation: On websites, such consent is usually given via a cookie consent tool. You certainly know this. Whenever you visit a website for the first time, you are usually asked via a banner whether you agree to or consent to data processing. You can usually also make individual settings and thus decide for yourself which data processing you allow and which you do not.

Personal Data

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Explanation: Personal data is all data that can identify you as a person. This generally includes data such as name, address, email address, postal address, telephone number, date of birth, bank details, and IP address. According to the European Court of Justice (ECJ), your IP address also counts as personal data. There are also so-called "special categories" of personal data that are particularly worthy of protection, including racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data on sexual orientation or sexual life.

Profiling

"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Explanation: In profiling, various pieces of information about a person are compiled to learn more about that person. In the web area, profiling is frequently used for advertising purposes or for credit checks.

Controller

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Explanation: In our case, we are responsible for the processing of your personal data and therefore the "controller". If we pass on collected data to other service providers for processing, they are "processors". A Data Processing Agreement (DPA) must be signed for this purpose.

Processing

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Note: When we refer to processing in our Privacy Policy, we mean any type of data processing. This includes, as mentioned above in the original GDPR definition, not only collection but also storage and processing of data.

Face Width Scan (SHYFT Frame Fitting)

Processing of Biometric Measurement Data

To ensure the perfect fit for your Shyft glasses, we offer an optional face width scan. Using the front camera of your smartphone or your computer's webcam, the scan estimates the width of your face.

Technology & Data Processing

The scan is powered by the Google Face Mesh algorithm, which estimates facial width based on landmark reference points. All measurement points and intermediate data generated during the scan are processed locally in your browser only and are never transmitted or stored.

The only data saved is the final measurement result – your face width in millimetres (e.g. 142 mm) – in order to recommend the most suitable frame size for you.

Summary of Data Processed

Data Category | Processing | Storage
Camera / video feed | Local in browser only | No
Facial landmark points | Local in browser only | No
Final face width (mm) | Transmitted | Yes

Legal Basis

The processing of measurement data is based on your explicit consent (Art. 6(1)(a) GDPR) and is carried out for the purpose of fulfilling your request (Art. 6(1)(b) GDPR). You may cancel the scan at any time without any disadvantage to you.

Your Rights

You have the right to access, correct, and request deletion of your stored face width measurement. Please contact us at: support@nakedoptics.net

Closing Remarks

Congratulations! If you are reading these lines, you have really worked your way through our entire Privacy Policy – or at least scrolled down this far. As you can see from the scope of our Privacy Policy, we do not take the protection of your personal data lightly.

It is important to us to inform you to the best of our knowledge and belief about the processing of personal data. We want not only to tell you what data is processed, but also to explain the reasons for using various software programmes. Privacy policies usually sound very technical and legal. Since most of you are neither web developers nor lawyers, we also wanted to take a different approach linguistically and explain matters in simple and clear language. This is of course not always possible given the subject matter. For this reason, the most important terms are explained in more detail at the end of the Privacy Policy.

If you have any questions about data protection on our website, please do not hesitate to contact us or the responsible body. We wish you a pleasant time and hope to welcome you back to our website soon.

All texts are protected by copyright.

Source: Privacy Policy created with the Privacy Policy Generator for Austria by AdSimple