Privacy Policy – Saint Charles Organics GmbH

(Status: September 2025)

1. Controller

Saint Charles Organics GmbH
Esterhazygasse 11
1060 Vienna, Austria
Phone: +43 (0)1 8907987
Email: office@saint-charles.eu

2. General Information on Data Processing

We process personal data exclusively in accordance with legal provisions, in particular the General Data Protection Regulation (GDPR) and the Telecommunications Act (TKG 2003).

Personal data refers to information relating to an identified or identifiable natural person (e.g., name, address, email address, IP address, purchasing behavior).

3. Purposes and Legal Bases

  • Contract performance and pre-contractual measures (Art. 6 (1) lit. b GDPR)
  • Compliance with legal obligations (Art. 6 (1) lit. c GDPR)
  • Legitimate interests (Art. 6 (1) lit. f GDPR) – e.g., improving our services, IT security
  • Consent (Art. 6 (1) lit. a GDPR) – e.g., newsletters, marketing, tracking

4. Processing Activities in Detail

a) Contact

If you contact us by email or via form, we store your data to process your request.
Storage period: 6 months after last communication, unless longer retention is required.

b) Orders & Contract Handling

We process order data (name, address, contact details, payment information, order history).

  • Shop platform: Shopify Inc. (Canada/USA) – data transfers based on SCCs and EU–US Data Privacy Framework
  • ERP systems: Xentral ERP Software GmbH (Germany); Sedcloud (EU provider, data processing)
  • Payment providers: Shopify Payments (Shopify International Ltd., Ireland), PayPal, Klarna, credit card providers
  • Shipping companies: for delivery of goods
  • Tax advisors & authorities: for statutory obligations

c) Customer Account & Loyalty Program (Smile.io)

If a customer account is created, data is processed via Smile.io (Canada). Canada has an EU adequacy decision.

d) Newsletter (Klaviyo)

We use Klaviyo Inc., USA, for sending newsletters.
Sign-up is only via double opt-in. Revocation possible at any time.
Data transfer to the USA based on SCCs/DPF.

e) Cloud Storage (Microsoft OneDrive / Office 365)

For internal data management we use Microsoft OneDrive (EU/USA). Primary storage in EU data centers, access possible from the USA. Secured via SCCs/DPF.

f) Reviews & Apps

  • Loox Reviews (Israel/USA): processing customer reviews incl. name/email
  • Elevar Conversion Tracking, Geolizr, Orderly Emails, Searchanise: cookies/trackers for analytics & marketing (only with consent)

5. Cookies & Tracking

We use cookies and similar technologies:

  • Necessary cookies: for shop operation (always active)
  • Statistics cookies: e.g., Google Analytics, Meta Pixel → only with consent
  • Marketing cookies: e.g., Klaviyo Tracking, Elevar → only with consent

You can manage consents at any time via our cookie banner (Complianz) or the "Cookie Settings" link in the footer.

6. Storage Periods

  • Contract and billing data: 7 years (tax law)
  • Product liability data: 10 years
  • Newsletter data: until revocation
  • Tracking data: max. 26 months

7. Recipients of Data

  • Shopify (platform, Shopify Payments)
  • ERP providers (Xentral, Sedcloud)
  • Payment providers (Shopify Payments, PayPal, Klarna, credit card providers)
  • Shipping companies
  • Newsletter provider (Klaviyo)
  • Loyalty program (Smile.io)
  • Review apps (Loox)
  • IT/Cloud providers (Microsoft, Cloudflare)
  • Authorities & tax advisors

8. Data Transfers to Third Countries

Some providers process data in third countries, in particular the USA.
Legal bases: Standard Contractual Clauses (SCCs), EU–US Data Privacy Framework (DPF), or adequacy decisions.
Risk: US authorities may access data without effective legal remedies.

9. Rights of Data Subjects

You have the following rights:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Withdrawal of consent (Art. 7 (3) GDPR)
  • Objection (Art. 21 GDPR)

Complaints may be lodged with the Austrian Data Protection Authority.

10. Technical and Organizational Measures (TOMs)

  • SSL/TLS encryption
  • Multi-factor authentication
  • Access restrictions & role management
  • Logging and monitoring
  • Regular backups
  • Staff training

11. Updates and Amendments

We reserve the right to update this privacy policy in line with changes in legislation or processing activities. The current version is always available on our website.