Introduction and Security Architecture
The security of your personal data is our highest priority. Our skincare online store employs a multi-layered security architecture to protect your data from unauthorized access, loss, misuse, or alteration. This privacy policy explains in detail the technical and organizational measures we take to protect your data.
Encryption of Data Transmission
All data transmitted between your browser and our server is protected by SSL/TLS encryption. You can recognize this by the padlock symbol in your browser’s address bar and by the address line starting with “https://”. This encryption ensures that your personal data, including your payment information, cannot be read by third parties during transmission. The encryption is performed using state-of-the-art technology with a high key length (TLS 1.3).
Secure Server Infrastructure
Our servers are operated in highly secure data centers that are certified according to international security standards such as ISO 27001. Physical access to the servers is protected by multi-level security controls, including biometric access controls, video surveillance, and 24/7 security personnel. Access to the servers is also only possible via secured connections and is limited to a small group of authorized employees.
Access Control and Permission Management
Access to your personal data is restricted to those employees who need this data to perform their tasks. This particularly applies to employees in customer service, accounting, and IT. Every access to personal data is logged and regularly checked for anomalies. We use a role-based permission system that ensures each employee can only view the data that is actually necessary for their work (need-to-know principle).
Protection Against Data Loss
To prevent data loss, daily backups of your data are created. These backups are encrypted and stored separately from the active systems at a geographically separate location. In the event of a technical defect or other data loss, we can restore your data from these backups. The backups are deleted after the statutory retention periods have expired.
Protection Against Unauthorized Access
We employ a range of technical measures to protect your data from unauthorized access. These include firewalls, intrusion detection systems (IDS), regular security updates, malware protection, and vulnerability scans. These systems are continuously monitored and adjusted as necessary to counter new threats. We work with external security experts who regularly review the effectiveness of our security measures and conduct penetration tests.
Handling Security Incidents
Should a security incident occur despite all security measures that poses a risk to your personal data, we will inform you immediately in accordance with legal requirements. We have an internal emergency plan that regulates how to handle such incidents and ensures a rapid and appropriate response. The relevant supervisory authority will be informed within the prescribed 72-hour period if necessary.
Cookie Data Processing and Anonymization
When cookies reach the end of their lifecycle, the data associated with them is either deleted or anonymized, depending on its nature. Data collected through analytics cookies is aggregated and anonymized before being used for reporting, ensuring that individual users cannot be identified. Data collected through marketing cookies is retained only for the duration specified by the cookie and is not linked to any other personal data without your consent. For strictly necessary cookies, data is deleted immediately after the session ends or as soon as it is no longer required for the technical function. We do not use cookie data for purposes other than those explicitly stated in this privacy policy and our cookie consent tool.