1) Information on the Collection of Personal Data and Contact Details of the Data Controller

1.1 We're delighted you're visiting our website and appreciate your interest. Here, we inform you about the handling of your personal data when using our website. Personal data is all data with which you can be personally identified.

1.2 The data controller for processing on this website, according to the General Data Protection Regulation (GDPR), is Lulu Linens. The data controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.

1.3 For security purposes and to protect the transmission of personal data and other confidential content (e.g., orders or inquiries to the data controller), this website uses SSL or TLS encryption. You can recognize an encrypted connection by the character string "https://" and the lock symbol in your browser's address bar.

2) Data Collection When You Visit Our Website

If you use our website for information purposes only, i.e., you do not register or otherwise provide information, we only collect data that your browser transmits to our server (so-called "server log files"). When you visit our website, we collect the following data, which is technically necessary to display the website to you:

  • The pages of our website you visited
  • Date and time at the moment of access
  • Amount of data sent in bytes
  • Source/reference from which you came to our site
  • Browser used
  • Operating system used
  • IP address used (if necessary, in anonymized form)

Processing is carried out in accordance with Article 6(1)(f) GDPR based on our legitimate interest in improving the stability and functionality of our website. The data will not be passed on or used in any other way. However, we reserve the right to check the server log files retrospectively if there are concrete indications of illegal use.

3) Cookies

To make visiting our website attractive and to enable the use of certain functions, we use so-called cookies on various pages. These are small text files stored on your device. Some of the cookies we use are deleted after the browser session ends, i.e., after you close your browser (session cookies). Other cookies remain on your device and allow us or our partner companies (third-party cookies) to recognize your browser on your next visit (persistent cookies). If cookies are set, they collect and process individual user information such as browser and location data as well as IP address values. Persistent cookies are automatically deleted after a specified period.

These cookies are used to simplify the ordering process by storing settings such as remembering the contents of a virtual shopping cart for a later visit. If individual cookies implemented by us also process personal data, processing occurs in accordance with Article 6(1)(b) GDPR for executing the contract or according to Article 6(1)(f) GDPR to optimize our website's functionality and a user-friendly and efficient design of site navigation.

Instructions on Cookie Settings: You can set your browser to notify you about the setting of cookies and decide individually whether to accept them or to exclude the acceptance of cookies for certain cases or in general. Each browser differs in how it manages cookie settings. The respective browser's help menu provides specific instructions for changing cookie settings. Here are some links for more guidance:

  • Internet Explorer: Internet Explorer Cookies Settings
  • Firefox: Firefox Cookie Settings
  • Chrome: Chrome Cookie Settings
  • Safari: Safari Cookie Settings
  • Opera: Opera Cookie Settings

Please note that disabling cookies may limit the functionality of our website.

4) Contact

When you contact us (e.g., via contact form or email), personal data is collected. The data collected via a contact form is evident from the respective contact form. We store and use this data solely for the purpose of responding to your inquiry or contacting you and the associated technical administration.

The legal basis for processing this data is our legitimate interest in responding to your request according to Article 6(1)(f) GDPR. If your contact is aimed at concluding a contract, then an additional legal basis for processing is Article 6(1)(b) GDPR. Your data will be deleted after final processing of your inquiry; this is the case if it can be inferred from the circumstances that the matter in question is conclusively resolved.

5) Data Processing for Account Opening and Contract Execution

According to Article 6(1)(b) GDPR, personal data will continue to be collected and processed if you provide it to us for the execution of a contract or when opening a customer account. The data collected is evident from the respective input forms. A deletion of your customer account is possible at any time and can be done by sending a message to the above address of the data controller. We store and use the data provided by you for contract processing. After complete contract processing or deletion of your customer account, your data will be blocked with respect to tax and commercial retention periods and deleted after these periods expire.

6) Use of Single Sign-On Procedures

Facebook Connect: You can log in to our website using the social plugin "Facebook Connect" provided by the social network Facebook, operated by Facebook Inc. This service uses "single sign-on" technology. If you have a Facebook profile, you can log in to our website using your Facebook user data without needing to create a separate account. The "Facebook Connect" button on our website can be recognized by the Facebook logo. When you use this button, your browser establishes a direct connection with Facebook servers, and Facebook transmits the content of the button directly to your browser, integrating it into the website.

By using "Facebook Connect", you agree to use your Facebook profile data for logging into our website, depending on your Facebook privacy settings. This might include your user ID, name, profile picture, age, and gender. Please note that changes to Facebook's privacy policy or terms of use may affect the data transfer. You can revoke your consent at any time by sending a message to the data controller specified at the beginning.

Facebook Inc. is certified under the US-European data protection agreement "Privacy Shield", ensuring compliance with EU data protection standards.

More information on Facebook's privacy practices can be found at Facebook's Privacy Policy. If you do not want Facebook to associate data collected through our website directly with your Facebook profile, you must log out of Facebook before visiting our site. You can also completely prevent loading of Facebook plugins using add-ons for your browser, for example with "Adblock Plus".

7) Use of Data for Direct Marketing

Signing up for our Email Newsletter: By registering for our newsletter, you agree to receive information about our products and services. The only required information for receiving the newsletter is your email address. Providing further data is voluntary and will be used to address you personally. We use the so-called double opt-in procedure for sending the newsletter, which means that we will send you an email newsletter only after you have explicitly confirmed that you agree to receive newsletters. We will then send you a confirmation email asking you to confirm by clicking a link that you want to receive newsletters in the future.

By clicking the confirmation link, you give us your consent to use your personal data according to Article 6(1)(a) GDPR. We store your IP address assigned by your Internet Service Provider (ISP) as well as the date and time of registration to prevent any misuse of your email address at a later time. The data collected by us when registering for the newsletter will be used exclusively for promotional communication through the newsletter. You can unsubscribe at any time via the link provided in the newsletter or by sending a message to the person mentioned above. After unsubscribing, your email address will be immediately deleted from our newsletter distribution list.

8) Data Processing for Order Processing

8.1 The personal data we collect will be passed on to the transport company commissioned with the delivery, insofar as this is necessary for the delivery of the goods. We pass your payment data to the commissioned credit institution as part of payment processing, if this is necessary for payment handling. If we use payment service providers, we explicitly inform you about this below. The legal basis for the transfer of data is Art. 6(1)(b) GDPR.

8.2 To fulfill our contractual obligations to our customers, we cooperate with external shipping partners. We pass on your name and delivery address to a shipping partner selected by us exclusively for the purposes of goods delivery, in accordance with Art. 6(1)(b) GDPR.

8.3 Use of Payment Service Providers (Payment Services)

Amazon Pay: If you select "Amazon Pay" as a payment option, the payment will be processed by the payment service provider Amazon Payments Europe sca, 5 Rue Plaetis, L-2338 Luxembourg (hereinafter referred to as "Amazon Payments"). We pass the data you provided during the ordering process along with information about your order to Amazon Payments under Art. 6(1)(b) GDPR. Your data is transmitted only for the purpose of payment processing with Amazon Payments and only as necessary. You can find more information about Amazon Payments' privacy policies at Amazon Payments Privacy Policy.

PayPal: When paying via PayPal, credit card via PayPal, direct debit via PayPal, or - if available - "purchase on account" or "payment by installments" via PayPal, we pass your payment details along to PayPal (Europe) Sàrl et Cie, SCA, 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter referred to as "PayPal"). The transfer takes place according to Art. 6(1)(b) GDPR and only insofar as this is necessary for payment processing.

PayPal reserves the right to perform a credit check for the payment methods credit card via PayPal, direct debit via PayPal, or - if available - "purchase on account" or "payment by installments" via PayPal. Your payment data may be passed on to credit agencies on the basis of PayPal's legitimate interest in determining your solvency under Art. 6(1)(f) GDPR. PayPal uses the results of the credit check in terms of the statistical probability of payment default for the decision on the provision of the respective payment method. The credit information can include probability values (so-called score values). Insofar as score values are included in the result of the credit report, they have their basis in a scientifically recognized mathematical-statistical procedure. Address data among other things is included in the calculation of the score values. Further information on data protection law, including the credit agencies used, can be found in PayPal's data protection declaration at PayPal Privacy Policy.

You can object to this processing of your data at any time by sending a message to PayPal. However, PayPal may still be entitled to process your personal data if this is necessary for contractual payment processing.

SOFORT: If you choose the payment method "SOFORT", the payment is processed via the payment service provider SOFORT GmbH, Theresienhöhe 12, 80339 Munich, Germany (hereinafter "SOFORT"), to which we pass on the data you provided during the ordering process along with information about your order according to Art. 6(1)(b) GDPR. Your data is only passed on for the purpose of payment processing with SOFORT and only insofar as it is necessary for this purpose. You can find further information about SOFORT's data protection provisions at SOFORT Privacy Policy.

Stripe: If you select a payment method from the payment service provider Stripe, the payment will be processed by Stripe Payments Europe Ltd, Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland, to whom we pass on the information you provided during the ordering process along with information about your order in accordance with Art. 6(1)(b) GDPR. Your data is only transmitted for the purpose of payment processing with Stripe Payments Europe Ltd and only to the extent necessary. You can find further information about Stripe's data protection at Stripe Privacy Policy.

9) Rights of the Data Subject

9.1 The applicable data protection law grants you comprehensive rights (rights of information and intervention) towards the controller with regard to the processing of your personal data, which we inform you about below:

  • Right of Access by the Data Subject according to Art. 15 GDPR: In particular, you have a right to access your personal data processed by us, the purposes of the processing, the categories of processed personal data, the recipients or categories of recipients to whom your data has been or will be disclosed, the planned storage period or the criteria for determining the storage period, the existence of a right to correction, deletion, limitation of processing or opposition, the right to lodge a complaint, the source of your data if it was not collected from you, the existence of automated decision-making including profiling and, if applicable, meaningful information about the involved logic and the scope and intended effects of such processing, as well as your right to be informed of the guarantees under Article 46 GDPR when your data is transferred to third countries;
  • Right to Rectification according to Art. 16 GDPR: You have the right to immediate correction of incorrect data concerning you and/or completion of your incomplete data stored by us;
  • Right to Erasure according to Art. 17 GDPR: You have the right to demand the deletion of your personal data if the requirements of Art. 17(1) GDPR are met. However, this right does not exist in particular if the processing is necessary to exercise the right of freedom of expression and information, to fulfill a legal obligation, for reasons of public interest, or to assert, exercise or defend legal claims;
  • Right to Restriction of Processing according to Art. 18 GDPR: You have the right to demand the restriction of the processing of your personal data as long as the correctness of your data, which you dispute, is verified, if you refuse deletion of your data due to unauthorized data processing and instead demand the restriction of the processing of your data, if you need your data to assert, exercise or defend legal claims, after we no longer need this data after the purpose has been achieved, or if you have lodged an objection for reasons of your special situation, as long as it is not yet determined whether our legitimate reasons prevail;
  • Right to be Informed according to Art. 19 GDPR: If you have asserted the right to rectification, erasure or restriction of processing to the controller, he is obliged to inform all recipients to whom the personal data concerning you was disclosed of this rectification or erasure of the data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort. You have the right to be informed about these recipients.
  • Right to Data Portability according to Art. 20 GDPR: You have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format or to request the transmission to another controller, insofar as this is technically feasible;
  • Right to Withdraw consent given according to Art. 7(3) GDPR: You have the right to withdraw your consent to the processing of data at any time with future effect. In case of withdrawal, we will delete the data concerned immediately, unless further processing can be based on a legal basis for processing without consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
  • Right to lodge a complaint according to Art. 77 GDPR: If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.

9.2 Right to object: If we process your personal data based on our overriding legitimate interest, you have the right at any time to object to this processing with effect for the future for reasons that arise from your particular situation.

If you exercise your right to object, we will stop processing the affected data. However, we reserve the right to further processing if we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, fundamental rights and freedoms, or if the processing serves to assert, exercise or defend legal claims.

If your personal data is processed by us to operate direct advertising, you have the right to object at any time to the processing of your personal data for the purpose of such advertising. You can exercise the objection as described above.

If you exercise your right to object, we will stop processing the relevant data for direct advertising purposes.

10) Duration of Storage of Personal Data

The duration of the storage of personal data is determined by the respective legal retention period (e.g., commercial and tax retention periods). After expiration of these periods, the corresponding data is routinely deleted, provided it is no longer necessary for the fulfillment or initiation of the contract and/or there is no longer any legitimate interest on our part in the further storage.