Privacy Policy RAK Beauty Project

Status: 04.03.2026

1. responsible persons and contact

Controller (Art. 4 Z 7 GDPR):
RAK Beauty Project
Owner: Yuliia Sotula
Hegergasse 21/1, 1030 Vienna, Austria
E-mail: rakbeauty.office@gmail.com
Website: rakbeauty.com

Data Protection Manager: Ms. Yuliia Sotula (contact as above)

2. general information on data processing

We process personal data in accordance with the General Data Protection Regulation (GDPR) and the applicable Austrian data protection regulations. In this privacy policy, we provide information on what data we process, for what purposes, on what legal basis and what rights you have.

3. categories of processed data

Depending on the use of our services and communication channels, we process in particular:

  • Master data: Name, address if applicable (e.g. for invoices)
  • Contact details: Telephone number, e-mail, social media handle if applicable
  • Date and service data: Dates, booked services, relevant organizational notes
  • Payment/transaction data: Payment status, transaction references (no complete card/account data in our systems)
  • Communication data: Content of inquiries (e-mail, telephone, Instagram/Meta lead forms)
  • Online/usage data: IP address, device/browser data, cookie IDs, interactions on the website (if cookies/tracking are used)

4. purposes and legal bases

We process data for the following purposes:

  1. Making appointments, carrying out our services, customer service

Legal basis: Art. 6 para. 1 lit. b GDPR (contract/pre-contractual measures)

  2. Communication and administration (e.g. queries, appointment changes, organizational processes)

Legal basis: Art. 6 para. 1 lit. b and/or lit. f GDPR (legitimate interest in efficient communication/organization)

  3. Accounting/taxes and legal obligations

Legal basis: Art. 6 para. 1 lit. c GDPR

  4. Marketing/advertising (esp. Instagram): Campaign management, performance measurement, retargeting

Legal basis: Art. 6 para. 1 lit. a GDPR (consent - in particular for cookies/pixel/analytics, if required) and/or Art. 6 para. 1 lit. f GDPR (legitimate interest in direct advertising within the permissible framework)

5. storage period

We only store personal data for as long as is necessary for the respective purposes or for as long as there are statutory retention obligations. In particular:

  • Customer/contract data: for the duration of the business relationship and beyond in accordance with statutory periods
  • Invoicing/accounting documents: in accordance with statutory retention obligations
  • Marketing/tracking data: until consent is revoked, the cookies expire or a justified objection is made

6. website/hosting & store system (Hostinger)

Our website rakbeauty.com is hosted by Hostinger. Hostinger provides the technical infrastructure (web hosting) to make our website accessible.

The following data in particular may be processed as part of hosting: IP address, date and time of access, pages/files accessed, data volumes transferred, browser and device information and log data (server log files).

Purpose: Technical provision of the website, ensuring stability and security (e.g. defense against attacks), error analysis.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in the secure and reliable operation of our website).

Webshop on the website: The webshop is integrated into our website. For orders/enquiries via the webshop, we process the necessary data (e.g. name, contact details, invoice data, order data) for contract processing.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract/pre-contractual measures) and Art. 6 para. 1 lit. c GDPR (legal obligations, e.g. storage of invoices).

7. appointment booking/customer management (Altegio)

We use Altegio to organize appointments and manage customers.

Processed data: Name, contact details, dates, booked services, organizational notes (if necessary).

Purpose: Appointment management, service communication, organization of our studio processes.

Legal basis: Art. 6 para. 1 lit. b GDPR and/or Art. 6 para. 1 lit. f GDPR.

Data location/jurisdiction: Server infrastructure in Europe (typically Germany or the Netherlands via European hosting providers); processing in accordance with GDPR (specific details can be found in the provider's DPA).

8. payments (Stripe)

We use Stripe for payment processing.

Processed data: Transaction data, payment status, invoice data if applicable; payment data is processed in accordance with PCI DSS.

Purpose: Payment processing, fraud prevention, billing.

Legal basis: Art. 6 para. 1 lit. b GDPR and, if applicable, Art. 6 para. 1 lit. f GDPR.

Data location/jurisdiction: global infrastructure (USA + Europe); for EU customers, some processing takes place via European data centers (e.g. Ireland). Third country transfers are possible due to the US parent company (see point 12).

9. advertising via Instagram / Meta (Lead Forms + Meta Pixel)

We place advertisements via Instagram (Meta Platforms, Inc.).

9.1 Meta Lead Forms (Lead Ads)

If you contact us via an Instagram lead form, the data you enter will be stored in the Meta system (Business Manager) and transmitted to us.

Purpose: Processing your request, making appointments, customer communication.

Legal basis: Art. 6 para. 1 lit. b GDPR; for further promotional use Art. 6 para. 1 lit. a GDPR (consent).

9.2 Meta Pixel

We use the Meta Pixel for measuring success (conversion tracking), building target groups (remarketing/retargeting) and optimizing campaigns. Among other things, cookie IDs, device/browser data, IP address and interactions can be processed and transmitted to Meta.

Legal basis: generally Art. 6 para. 1 lit. a GDPR (consent via cookie/consent banner, if required).

Data location: Main server USA; additional data centers in the EU (e.g. Ireland, Denmark, Sweden). Data can be transferred within the global Meta infrastructure (third country transfers possible; see point 12).

10. Google Analytics (in connection with Google Ads)

We use Google Analytics to analyze the website and to optimize marketing measures (in particular in connection with Google Ads).

Processed data: Usage data (e.g. page views, click paths), technical data (browser/device), cookie IDs, IP address (depending on configuration).

Purpose: Reach measurement, statistics, campaign measurement, improvement of our website and advertising.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent via cookie/consent banner).

Data location/jurisdiction: Processing via Google data centers in the USA and Europe. As Google is a US company, third country transfers are possible; protection can be provided via standard contractual clauses (SCC) (see point 12).

11. cookies / consent management

We use cookies and similar technologies. These may be technically necessary or serve statistical/marketing purposes (e.g. Google Analytics, Meta Pixel).

Where legally required, we only set analysis and marketing cookies after you have given your consent. You can revoke or adjust your consent at any time via the cookie settings on the website.

12. third country transfers (outside EU/EEA)

For certain service providers (in particular Meta, Google, Stripe and Hostinger in the context of technical provision), the transfer of personal data to third countries - in particular the USA - cannot be ruled out.

Where necessary, we base such transfers on suitable guarantees (in particular standard contractual clauses (SCC)) and additional protective measures.

13. data security

We take appropriate technical and organizational measures (TOMs) to protect personal data from unauthorized access, loss, misuse or unauthorized disclosure.

14. rights of data subjects

You have the right to information, correction, deletion, restriction, data portability, objection (in particular to direct marketing) and revocation of consents granted with effect for the future.

Right to lodge a complaint: You can lodge a complaint with the supervisory authority: Austrian Data Protection Authority (DSB), Barichgasse 40-42, 1030 Vienna.

15. changes to this privacy policy

We reserve the right to update this privacy policy if processes, services or the legal situation change. The current version on our website applies.

Privacy policy

The protection of your personal data is important to us. In this privacy policy, we inform you about which personal data is collected and processed on the website https://rakbeauty.com/.

1. responsible person

RAK Beauty

Owner: Yuliia Sotula
Hegergasse 21/1 (entrance Kleistgasse 10) 1030 Vienna
E-mail: rakbeauty.office@gmail.com
Phone: +43 677 63949710
UID: ATU78137302
Member of the Austrian Chamber of Commerce and Industry (WKO)
https://firmen.wko.at/yuliia-sotula/wien/?firmaid=f5a975d2-6eba-4663-830c-237157cda4e1

Responsible for content: Yuliia Sotula

2. collection and processing of personal data

We only process personal data if you provide it to us voluntarily, e.g. by:

  • filling out a contact form
  • booking an appointment
  • contacting us by e-mail or telephone

The processed data may include:

  • Name
  • Phone number
  • E-mail address
  • Other information provided by you

3. purpose of data processing

Your data is processed for the following purposes:

  • Processing your request
  • Making an appointment
  • Customer service
  • Improvement of our services
4. disclosure of data

Your personal data will not be passed on to third parties, except:

  • if this is required by law
  • if it is necessary for the fulfillment of the contract
  • with your express consent
5. storage of the data

Your data will only be stored for as long as is necessary for the above-mentioned purposes or as required by statutory retention periods.

6. your rights

You have the right:

  • to information about your stored data
  • to correction of incorrect data
  • to deletion of your data
  • to restriction of processing
  • to data portability
  • to revoke your consent

You can also lodge a complaint with a data protection supervisory authority.

7. cookies

Our website may use cookies to improve user-friendliness. Cookies do not store any personal data without your consent.

8. data security

We take technical and organizational measures to protect your data from loss, manipulation or unauthorized access.

9. changes to the privacy policy

We reserve the right to amend this privacy policy at any time. The current version on our website applies.
