Privacy Policy Webshop Mallia Aesthetics GmbH

1. General information on data protection

This privacy policy is aimed at consumers in the European Economic Area (EEA) and explains how Mallia Aesthetics GmbH and its affiliated companies and subsidiaries (the “Mallia Group”) collect, use, share, and store personal data. It applies to all online and offline services that refer to this notice, including websites, mobile apps, and other offerings of the Mallia Group.

2. Controller and scope

The controller responsible for data processing is Mallia Aesthetics GmbH, Henkestr. 91, 91052 Erlangen (“Mallia Aesthetics”). The data protection practices are governed by the applicable legal requirements of the countries in which Mallia Aesthetics operates via the Mallia Group. For specific information regarding other regions, please refer to the respective local privacy policy.

3. Collection and use of personal data

Personal data are information relating to an identified or identifiable natural person (Art. 4(1) EU General Data Protection Regulation 2016/679 “GDPR”). A person is identifiable if they can be identified directly or indirectly, for example by name, addresses, email, telephone numbers, dates of birth, preferences (such as product choices), payment and delivery data, as well as information about user behaviour on the website.

The collection of these data depends on the particular interaction, such as when placing orders, creating a customer account, using support services, or participating in marketing activities. Processing is based on various legal grounds, including the performance of contractual obligations, your consent, Mallia Aesthetics’ legitimate interests, and legal requirements.

4. Purposes of data processing

4.1. Mallia Aesthetics uses personal data in particular to:

  • Process orders and deliver products, incl. payment processing, invoicing, shipping, shipment tracking, and returns handling.
  • Manage customer accounts, e.g., registration/login, password reset, maintenance of addresses and payment methods.
  • Carry out identity and eligibility checks (e.g., for discounts/possible VAT ID verification, fraud prevention, abuse prevention).
  • Personalise the user experience, e.g., by remembering the shopping cart, language/country.
  • Handle support requests (customer service via email/phone/contact form).
  • Send system and transactional emails required by contract (e.g., order, shipping and delivery information, status updates).
  • Send marketing and promotional communications (only with your consent, e.g., newsletters).
  • Conduct reach, conversion and usage analyses to improve products, content and processes (only with consent for non-essential cookies/technologies).
  • Manage and document consents (consent management pursuant to the GDPR/TTDSG).
  • Ensure the security and stability of the webshop, including through server logs, error management and access controls.
  • Fulfil legal obligations (e.g., commercial/tax retention, warranty/guarantee cases, compliance).
  • Refund payments and handle claims/complaints in a legally compliant manner.
  • Protect legitimate interests, e.g., assertion/defence of legal claims.

4.2. In detail:

Processing activity: Place an order (mandatory data)

Purpose of processing: Order processing, delivery, invoicing

Legal basis: Art. 6 (1) b GDPR


Processing activity: Disclosure to payment service providers (e.g., Stripe/Klarna)

Purpose of processing: Execute payment, refund

Legal basis: Art. 6 (1) b GDPR; individual providers are separate controllers


Processing activity: Disclosure to logistics/shipping

Purpose of processing: Delivery, tracking

Legal basis: Art. 6 (1) b GDPR


Processing activity: Create account (mandatory details)

Purpose of processing: Provide user account

Legal basis: Art. 6 (1) b GDPR


Processing activity: Account – voluntary details

Purpose of processing: Personalization/convenience

Legal basis: Art. 6 (1) a GDPR (consent)


Processing activity: VAT ID/identity check (if needed)

Purpose of processing: Tax/eligibility check, fraud prevention

Legal basis: Art. 6 (1) c GDPR (legal obligation) and/or Art. 6 (1) f (legitimate interest)


Processing activity: System & transactional emails

Purpose of processing: Order/shipping/status information

Legal basis: Art. 6 (1) b GDPR


Processing activity: Customer service/support

Purpose of processing: Handling inquiries

Legal basis: Art. 6 (1) b GDPR


Processing activity: Complaint management/returns

Purpose of processing: Contractual handling, legal compliance

Legal basis: Art. 6 (1) b and c GDPR


Processing activity: Financial accounting & retention

Purpose of processing: Tax/commercial law, record-keeping obligations

Legal basis: Art. 6 (1) c GDPR


Processing activity: Fraud prevention/IT security/server logs

Purpose of processing: Security, detection of abuse/attacks

Legal basis: Art. 6 (1) f GDPR (legitimate interest)


Processing activity: Browsing/navigation analysis

Purpose of processing: Usage analysis, UX optimization

Legal basis: Art. 6 (1) a GDPR; Section 25 (1) TTDSG


Processing activity: Personalization (e.g., recommendations, A/B tests)

Purpose of processing: Display relevant content

Legal basis: Generally Art. 6 (1) a GDPR; Section 25 (1) TTDSG (where cookies/IDs are used)


Processing activity: Marketing emails/newsletters

Purpose of processing: Promotional communication

Legal basis: Art. 6 (1) a GDPR (consent) / where applicable: Section 7 (3) UWG soft opt-in


Processing activity: Cart reminder/back-in-stock

Purpose of processing: Reminder/availability info

Legal basis: Art. 6 (1) a GDPR (consent)


Processing activity: Shopping/purchase analytics

Purpose of processing: Assortment/process improvement

Legal basis: Art. 6 (1) f GDPR (without tracking IDs) — with cookies/IDs: Art. 6 (1) a + Section 25 (1) TTDSG


Processing activity: “Stay logged in” / convenience cookies

Purpose of processing: Convenience login, remember settings

Legal basis: Art. 6 (1) a GDPR (consent) + Section 25 (1) TTDSG; session cookies: Art. 6 (1) b (necessary)


Processing activity: Default settings (language/country)

Purpose of processing: Correct display/content

Legal basis: Necessary server-side: Art. 6 (1) b/f; via cookie/local storage: Art. 6 (1) a + Section 25 (1) TTDSG


Processing activity: Google Maps/Places API (address validation)

Purpose of processing: Address completion & validation in checkout/account

Legal basis: Art. 6 (1) b GDPR, additionally Art. 6 (1) f; cookies only with Art. 6 (1) a + Section 25 (1) TTDSG; transfers safeguarded (SCC)


Processing activity: GTM / Google Ads / Meta Pixel / Analytics (client-/server-side, e.g., stape.io)

Purpose of processing: Reach, conversions, campaign management

Legal basis: Art. 6 (1) a GDPR (consent) + Section 25 (1) TTDSG; stape.io as processor


Processing activity: Process data protection rights

Purpose of processing: Access, erasure, objection, etc.

Legal basis: Art. 6 (1) c GDPR


Processing activity: Tag management (Google Tag Manager)

Purpose of processing: Technical management & delivery of tags/tracking scripts; GTM itself does not set its own tracking cookies.

Legal basis: Art. 6 (1) f GDPR (legitimate interest in efficient tag management); insofar as consent-required tags are triggered: Art. 6 (1) a GDPR in conjunction with Section 25 (1) TTDSG.


Processing activity: Microsoft Clarity (session replay/heatmaps) – integration via GTM

Purpose of processing: Usage analysis (e.g., clicks, scroll depth, heatmaps, session replays) for error analysis & UX optimization; inputs are masked insofar as technically possible.

Legal basis: Consent, Art. 6 (1) a GDPR in conjunction with Section 25 (1) TTDSG; possible third-country transfer (USA) – safeguarded by EU SCCs (see chapter “International data transfers”)


5. Disclosure of data to third parties

Personal data are shared with the following categories of recipients:

  • Group companies: Mallia Innovations GmbH, Henkestr. 91, 91052 Erlangen
  • Hosting & technical infrastructure: Operation of the website, storage/backups, logging and security purposes (EU/EEA).
  • IT service providers / maintenance & support: Operation, maintenance and further development of our systems (e.g., shop/ERP/integration services).
  • Payment service providers: Processing payments, where applicable risk/fraud prevention. The privacy notices of the respective provider apply.
    Legal basis: Art. 6(1)(b) GDPR.
  • Fulfilment & shipping: Order processing, warehousing/picking, transport and shipment tracking by logistics and transport service providers.
    Legal basis: Art. 6(1)(b) GDPR.
  • Address validation / maps API: Validation of entered addresses (e.g., at checkout) via a maps/address service through an API call.
    Legal basis: Art. 6(1)(b) and, where applicable, (f) GDPR; cookies/IDs only with consent.
  • Analytics, tag management & marketing (only with consent)
    Use of tag management (e.g., Google Tag Manager) as well as analytics/marketing technologies (e.g., Google Ads/Analytics, Meta Pixel, Microsoft Clarity); where applicable, server-side tagging/proxy (e.g., stape.io) as a processor. GTM itself does not set tracking cookies, but controls the delivery of tags.
    Legal basis: Art. 6(1)(a) GDPR; for setting/reading cookies/IDs additionally Section 25(1) TTDSG. Note on possible third-country transfer/SCC—see chapter “International data transfers”.
  • Communication & customer service
    Sending transactional emails/newsletters (if subscribed) and customer support tools.
  • Advisors & auditors
    Legal and tax advice, auditing.
    Legal bases: Art. 6(1)(c) and/or (f) GDPR.
  • Authorities & courts
    Where legally required or for the establishment, exercise or defence of legal claims.
    Legal basis: Art. 6(1)(c) or (f) GDPR.
  • Corporate transactions
    In the context of restructurings/mergers/acquisitions while maintaining confidentiality.
    Legal basis: Art. 6(1)(f) GDPR.

6. International data transfers

Principle. We primarily process personal data within the European Union or the European Economic Area (EU/EEA). The webshop is hosted on servers within the EU/EEA.

Transfers to third countries. Where, in individual cases, service providers outside the EU/EEA are used (in particular providers of tag management, analytics, advertising, maps/address services or payment services), a transfer to so-called third countries, including the USA, may occur. Data potentially affected include, for example, IP address, device/browser data, usage/event data (page views, clicks), and, where required for the respective purpose, order or payment metadata.

Legal bases & safeguards. For such transfers we ensure an adequate level of data protection, in particular through:

  • Adequacy decisions under Art. 45 GDPR (e.g., EU-U.S. Data Privacy Framework, provided the respective provider is certified), and/or
  • Standard Contractual Clauses (SCC) of the EU Commission under Art. 46(2)(c) GDPR including supplementary technical and organizational measures.

Additional protective measures. Depending on the service, we use, among other things, data minimization, pseudonymization/IP truncation, encryption in transit and at rest, strict access rights and—where possible—EU-based processing paths (e.g., server-side tagging/proxy within the EU/EEA).

Consent-based tools. Analytics, marketing and maps/address services (e.g., Google Ads/Analytics, Meta Pixel, Microsoft Clarity, Google Maps/Places; controlled via Google Tag Manager) are loaded only after your consent in the consent manager. With your consent (Art. 6(1)(a) GDPR; for cookies/IDs additionally Section 25(1) TTDSG), a third-country transfer may also be triggered. You can withdraw consent at any time with effect for the future.

Transparency. The providers used, categories of data, processing purposes and transfer mechanisms (adequacy decision/SCC) are listed in our consent manager and/or in the list of service providers in this privacy policy. Upon request, we will provide you with copies of the relevant Standard Contractual Clauses or information on how to inspect them.

Payment services & logistics. For payments and shipping, depending on your selection, international sub-processors of the respective providers may also be involved. The privacy notices of these providers apply additionally; we select service providers with appropriate safeguards pursuant to Art. 44 et seq. GDPR.

7. Retention period and data security

Personal data are stored only for as long as necessary for the respective purposes or as required by law. Mallia Aesthetics implements technical, organizational and administrative measures to ensure data security and to protect data against unauthorized access, loss or misuse.

8. Your rights as a data subject

  • Access to stored data,
  • Rectification of inaccurate or incomplete information,
  • Erasure of data where no statutory retention obligations apply,
  • Restriction of processing,
  • Objection to processing,
  • Withdrawal of consent given,
  • Data portability to another provider,
  • Complaint to a data protection supervisory authority.

To exercise these rights, you can contact Mallia Aesthetics at datenschutz@mallia.com. In certain cases, Mallia Aesthetics may request proof of identity.

9. Cookies, tracking and marketing

Mallia Aesthetics uses cookies that identify your browser. These cookies collect and store information when you visit our website in order to learn how you use this website. They enable recording of website usage, optimized service and a better browsing experience, as well as the performance of analytics. The personal data we collect using these technologies are also used to manage your session.

Further information about cookies and their use can be found in the information provided in our consent manager, through which you can also give or withdraw your consent and manage your overall cookie preferences.

10. Special notes for children

Our services are not directed to children under 16 years of age. We do not knowingly process personal data of children. Parents/guardians can contact us at any time at datenschutz@mallia.com if they suspect unlawful data collection; we will promptly review and take deletion/protection measures.

11. Contact and competent supervisory authority

11.1. Contact

If you have questions or concerns about data protection, you can contact Mallia Aesthetics at datenschutz@mallia.com. Complaints can also be addressed to the competent supervisory authority.

11.2. Competent supervisory authority

The supervisory authority for Mallia Aesthetics is:

  • The Bavarian Data Protection Commissioner
  • Write: Postfach 22 12 19, 80502 Munich
  • Visit: Wagmüllerstraße 18, 80538 Munich (by prior appointment only)
  • Call: 089 212672-0
  • Fax: 089 212672-50
  • Email: poststelle@datenschutz-bayern.de

12. Notice of changes

Mallia Aesthetics reserves the right to update this privacy policy as needed. You will be informed of material changes, for example through notices on the website or by email.