Privacy policy

We take data protection seriously. The protection and security of your personal data, i.e. all data that can be related to you (hereinafter referred to as "personal data"), is our top priority.

We therefore treat all data you entrust to us with the utmost care and in accordance with the applicable data protection regulations, namely the General Data Protection Regulation (hereinafter referred to as "GDPR") and the Data Protection Act ("DSG").

Below you will find information about which of your data we collect, how we collect it, on what legal basis we collect it, for what purpose we use it, how we protect it and what rights you have in relation to its processing.

I. CONTROLLER

The controller responsible for the processing of your personal data when you visit our website at www.westwing.at or our app, including the sale of goods and the provision of the services we offer, as well as our Westwing accounts on social media platforms such as Facebook, Instagram, TikTok and Pinterest, within the meaning of the GDPR, is:

Westwing GmbH, Moosacher Straße 88, 80809 Munich, Germany, email address: service@westwing.de (hereinafter referred to as "Westwing" or "we").

Westwing and Westwing Group SE, Moosacher Straße 88, 80809 Munich, are also joint controllers in some cases. Against this background, Westwing and Westwing Group SE have entered into an agreement in accordance with Art. 26 GDPR to determine which of them fulfils which data protection obligations.

II. DATA PROTECTION OFFICER

If you have any questions about data protection, you can also contact our external data protection officer, Mr Christian Volkmer, and his team at any time:

Mr Christian Volkmer, Projekt 29 GmbH & Co. KG, Ostengasse 14, 93047 Regensburg, Tel.: 0941 2986930, Fax: 0941 29869316, Email: anfrage@projekt29.de, Website: www.projekt29.de

III. CATEGORIES OF PERSONAL DATA

The personal data collected when you visit our website, our app or our social media accounts may fall into the following categories:

  • Data collected when you browse our website or app, depending on which of our cookies you have accepted (e.g. login information, i.e. the date and time you logged into our website, language settings, products in your shopping cart, or data about your preferences, e.g. in relation to product categories)

  • Data collected when you create your customer account (e.g. your name, address, email address, preferred title (if provided), telephone number (if provided), your encrypted password for your customer account),

  • Data processed in connection with your order (e.g. the products you have purchased or the services you have used and the payment information you have provided to us)

  • Data about you that is collected when you contact us (e.g. your name, your email address, your telephone number, your customer, order and item numbers, as well as any other information you provide to us)

  • Data about you that we transfer to our external service providers in certain cases in order to communicate with you on our website or in our app and to personalise the communication (e.g. your name, your email address or products you are interested in based on your browsing behaviour),

  • Data collected when you consent to receive newsletters, customer satisfaction surveys, product reminders and data about your behaviour in relation to the content of our advertising emails (e.g. opening the newsletter or clicking on a link in the newsletter)

  • Data about you that we receive in certain cases from our cooperation partners (e.g. from credit agencies, technical service providers, debt collection service providers or payment service providers),

  • Data that we process for participation in competitions (e.g. your name and email address),

  • statistical or aggregated data about your usage behaviour on our social media accounts,

  • Data about you that we receive from a friend or other contact who would like to invite you to use our website or app (e.g. your email address).

IV. PURPOSES FOR WHICH WE PROCESS YOUR PERSONAL DATA

We use your personal data for various purposes, including, for example:

  • to provide certain technical functions on our website and in our app (e.g. to store your goods in your shopping basket) and to protect our website and our app,

  • to analyse your behaviour on our website in order to optimise our offering and our content for you and make it more interesting,

  • to create a customer account,

  • to execute and process orders for goods and services placed with us (e.g. to ship goods),

  • to contact you (e.g. to answer any questions you may have, to send you order confirmations and order notifications or to inform you about changes that are important to you, e.g. the applicable General Terms and Conditions or this Privacy Policy),

  • for advertising and marketing purposes (e.g. to send you our newsletter, to inform you about vouchers or special offers, to remind you of your shopping cart history, to send you product reviews and opinion surveys or for other similar advertising activities),

  • to process payments by us or our cooperation partners, for fraud checks by us or our cooperation partners and for debt collection by our cooperation partners,

  • for participation in competitions,

  • for statistical analysis of your behaviour on our social media accounts in order to optimise our offer and our posts for you,

  • for the purpose of inviting a friend or other contact to use our website or app.

We do not process special categories of personal data in accordance with Art. 9 GDPR (such as health data or data relating to your religion) at any time, unless you provide us with such information unsolicited in the course of communicating with our customer service.

If we wish to collect and process further personal data from you, we will inform you separately in advance and, if necessary, obtain your consent.

V. LEGAL BASIS FOR THE PROCESSING OF YOUR PERSONAL DATA

The processing of your personal data is carried out on the basis of a legal permission standard, namely either on the basis of your consent in accordance with Art. 6 para. 1 a) GDPR, or our overriding legitimate interest in the processing in accordance with Art. 6 para. 1 f) GDPR, or the performance of the contract with you or the implementation of pre-contractual measures in accordance with Art. 6 para. 1 b) GDPR or the fulfilment of a necessary legal obligation of Westwing in accordance with Art. 6 para. 1 c) GDPR.

VI. RECIPIENTS OF YOUR PERSONAL DATA

Westwing remains responsible at all times for your personal data collected on our website, in our app or on our social media accounts.

Your data will only be passed on to third parties in the following cases, based on the respective legal provisions listed below:

  • If the transfer of your personal data is necessary for the fulfilment or execution of your contract (Art. 6 para. 1 b) GDPR; this includes, for example, data transfers to payment and logistics service providers or suppliers if they deliver directly to you), or

  • if this is necessary to fulfil a legal obligation (Art. 6 para. 1 c) GDPR; this includes, for example, data transfers to government agencies and law enforcement authorities in order to comply with our legal obligations to disclose, provide information and make statements or to pursue recourse claims), or

  • on the basis of our overriding legitimate interest or the overriding legitimate interest of a third party (Art. 6 para. 1 f) GDPR; this includes, for example, data transfers in the context of certain assignments of claims or for administrative purposes within the group of companies), or

  • if we use external service providers, known as processors, to process your personal data, who have been obliged to handle your data with care and act exclusively on our behalf and in accordance with our instructions (Art. 28 GDPR; this includes, for example, service providers who provide the technical infrastructure).

Apart from this, we only transfer your personal data to third parties if you have given us your consent to the relevant data transfer in accordance with Art. 6 para. 1 a) GDPR, whereby you can revoke your consent at any time with effect for the future.

VII. DATA TRANSFER TO THIRD COUNTRIES

When transferring your personal data to third countries, i.e. external bodies outside the European Union ("EU") and the European Economic Area ("EEA"), we ensure that the external bodies in question treat your personal data with the same care as we do.

In addition, we only transfer your personal data to third countries for which the EU Commission has confirmed an adequate level of protection or if a comparable level of data protection as in the EU or EEA can be guaranteed through contractual agreements or other suitable guarantees (Art. 45ff. GDPR).

VIII. DELETION OF YOUR PERSONAL DATA

Unless there are legal retention periods under German law (including tax and commercial law retention obligations under Sections 257 HGB, 147 of the German Fiscal Code (AO), and beyond that for as long as they are relevant to the tax authorities in pending proceedings), we will only store your personal data for as long as is necessary for the respective purpose of processing or until you inform us that your personal data should be deleted.

Such tax or commercial law retention periods apply, for example, to data in connection with your orders, such as invoices. The latter are retained for 10 years, for example.

We delete accounts of customers who have not actively used their account for more than six years.

We generally store log files that we collect when you surf our website or use our app for network security and abuse prevention for 20 days and only in individual cases, where longer storage is necessary to investigate possible cyber attacks, fraud or abuse, for 180 days. Your data will then be deleted or anonymised in such a way that it can no longer be traced back to you as an individual.

IX. DETAILS ON THE PROCESSING OF YOUR PERSONAL DATA

1. DATA PROCESSING WHEN BROWSING OUR WEBSITE

When you visit our website, the following technically necessary information is collected and stored in so-called "server log files". This information is automatically transmitted to us by your browser so that our website can be displayed in your browser and you can use our website:

  • The IP address of your Internet service provider,

  • the website from which you visit us and the web pages you visit from our website,

  • the date and time of access and crash data,

  • information about the browser and operating system used,

  • the email address you use to register on our website,

  • identification numbers stored in so-called cookies or eTags on your device, which enable us to recognise your device on the website,

  • Page and product views or clicks.

The processing or storage of your aforementioned access data or your IP address is necessary for technical reasons to provide and ensure system security on our website.

The processing or temporary storage of your technical access data is based on our overriding legitimate interest pursuant to Art. 6 para. 1 f) GDPR, which consists of being able to provide you with a technically functioning and secure website.

The access data collected during your visit to our website will only be stored for the period of time required to achieve the above purposes. The server log files are stored for a maximum of 180 days and then deleted.

2. DATA PROCESSING WHEN SETTING UP A CUSTOMER ACCOUNT

To create your customer account, we require your email address and a password of your choice. We also collect the following contact details: your name, your address, your preferred form of address (if provided), your telephone number (if provided).

Your email address serves as your login ID for your customer account. After successful registration, you will automatically receive a confirmation email. You can update all your details at any time in the personal area of your customer account ("My Account").

The legal basis for this is Art. 6 (1) b) GDPR, according to which the processing of personal data is permitted for the fulfilment of a contract or for the implementation of pre-contractual measures.

We use the "stay logged in" function to make your visit to our website as pleasant as possible. This function allows you to use our services without having to log in again each time. Technically speaking, a cookie is stored on your device so that you do not have to log in again on subsequent visits to our website. This function is not available to you if you have deactivated this cookie via the cookie settings or if you have deleted the cookie in your browser settings after logging out of our website.

We store the aforementioned personal data for the duration of your customer account. In addition, we store personal data insofar as statutory retention obligations (see point VIII.) exist.

3. DATA PROCESSING FOR THE PURPOSE OF PROCESSING YOUR ORDER

When you place an order with us, your data is processed for the purpose of concluding and executing the contract and processing your order, including payment and delivery. In particular, contract, payment and invoice data are processed.

The legal basis for the associated data processing is Art. 6 para. 1 b) GDPR, according to which the processing of personal data is permitted for the fulfilment of a contract or for the implementation of pre-contractual measures.

We store the personal data processed in connection with your order for the duration of the contractual relationship and beyond in accordance with the statutory retention obligations (see Section VIII). If no new order is placed, your data will be deleted after these periods have expired. If you do not actively use your customer account for more than six years, it will also be deleted.

3.1. SELECT YOUR PREFERRED PAYMENT METHOD

Depending on your preferred payment method, the necessary data will be forwarded directly to the respective payment service provider. The respective payment service provider is responsible for your payment data. Westwing is also responsible for processing payment data for the purpose of fulfilling the order within the scope of the contractual relationship.

If you do not agree with the payment methods offered to you, you can notify us in writing by email to service@westwing.de. We will then review our decision, taking your point of view into account.

3.1.1. CREDIT CARD PAYMENT

When you pay by credit card, we receive the so-called payment ID and the last four digits of your credit card number from our payment service provider Stripe Payments Europe, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland. These are used to authenticate and assign your order and to transmit it for your security. The personal data required to process the payment is collected directly by the above-mentioned payment service provider.

The legal basis for the above data processing is Art. 6 para. 1 b) GDPR, according to which processing is permitted for the fulfilment of a contract, or Art. 6 para. 1 f) GDPR, as our legitimate interest in offering you a secure credit card payment option outweighs any other interests in a balancing of interests.

3.1.2. APPLE PAY

If you choose Apple Pay as your payment method to pay for purchases directly from your bank account, we will receive the relevant account details from our payment service provider Stripe Payments Europe, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland. The personal data required for processing and completing the payment will be collected directly by the aforementioned payment service provider.

The legal basis for the aforementioned data processing is Art. 6 para. 1 b) GDPR, according to which the processing of data is permissible for the fulfilment of the contract, or Art. 6 para. 1 f) GDPR, as our legitimate interest in offering you a secure payment option via Apple Pay outweighs any interests or rights and freedoms that may be affected, based on a balancing of interests. Further information on data protection at Apple Pay can be found on the Apple Pay website: https://support.apple.com/de-de/101554.

3.1.3. GOOGLE PAY

If you choose Google Pay as your payment method to pay for purchases directly from your bank account, we will receive the relevant account details from our payment service provider Stripe Payments Europe, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland. The personal data required for processing and completing the payment will be collected directly by the aforementioned payment service provider.

The legal basis for the aforementioned data processing is Art. 6 para. 1 b) GDPR, according to which the processing of data is permissible for the fulfilment of the contract, or Art. 6 para. 1 f) GDPR, as our legitimate interest in offering you a secure payment option with Google Pay outweighs any interests in the processing of your data in the context of a balancing of interests.

Further information on data protection at Google Pay can be found on the Google Pay website: https://support.google.com/googlepay/answer/9039712?hl=de.

3.1.4. PAYPAL

If you choose PayPal as your payment method, the personal data required for this (i.e. your first and last name, your delivery address, your email address, your telephone number, the amount to be paid and your IP address) will be transferred to PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, so that you can authorise the payment to us via PayPal. You will need a PayPal account for this.

The legal basis for the aforementioned data processing is Art. 6 para. 1 b) GDPR, according to which the processing of personal data is permitted for the fulfilment of a contract or for the implementation of pre-contractual measures.

Further information on data protection at PayPal can be found on the PayPal website at: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

3.1.5. KLARNA

If you choose the Klarna payment method with immediate payment or payment within 30 days, payment in three interest-free instalments or financing with interest via Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden, your personal data required for this purpose (i.e. your contact and identification data as well as your payment information) will be transferred to Klarna.

Klarna may carry out a credit check and transfer your data to one of the following credit agencies for this purpose: SCHUFA, Boniversum and Arvato.

The legal basis for the credit check described above is Art. 6 para. 1 f) GDPR (balancing of interests based on the interest in avoiding payment defaults).

Further details can be found at the following link: https://www.klarna.com/de/datenschutz/.

3.1.6. PREPAYMENT

If you choose the prepayment method, you will be asked to transfer the relevant purchase price to our bank account. The goods will be shipped to you immediately after receipt of the transfer.

In this context, we process the following personal data in particular: first name and surname, delivery address, billing address, selected payment method, order data, email address and, if applicable, account details or payment reference.

The legal basis for the aforementioned data processing is Art. 6 para. 1 b) GDPR, according to which the processing of personal data is permitted for the fulfilment of a contract or for the implementation of pre-contractual measures.

3.1.7. PURCHASE ON INVOICE (COMMERCIAL CUSTOMERS ONLY)

If you choose to pay by invoice, we may transfer your relevant data to credit agencies such as SCHUFA Holding, Kormoranweg 5, 65201 Wiesbaden ("SCHUFA"), in order to obtain information about your identity or to assess your credit risk on the basis of mathematical-statistical procedures ("scoring"), whereby your address data, among other things, is included in the calculation. We use scoring solely to protect ourselves against possible payment defaults.

If the credit check is positive, an order can be placed on account. Other reasons why purchase on account cannot be offered may include, among other things, that the delivery and billing addresses are different or that a packing station or parcel depot is specified as the billing and/or delivery address.

The processing is carried out to prevent payment defaults and is therefore based on Art. 6 (1) b) GDPR and Art. 6 (1) f) GDPR.

You can object to the transfer of your data to a credit agency at any time, but in this case, you will no longer be able to place an order on account.

4. FRAUD PREVENTION

In order to prevent fraud and payment defaults, we manually check for frequent fraud patterns and anomalies with the partial assistance of a fraud prevention service provided by our cooperation partner Shopify International Limited, Victoria Buildings 1-2, Haddington Road, Dublin 4, D04. For this purpose, order and payment data (e.g. address, items, payment method) and device information (e.g. device, browser) are processed. The legal basis is Art. 6 para. 1 f) GDPR based on our legitimate interest in protection against misuse.

If an automated check reveals that there is a suspicion of fraud, a Westwing employee will inform you of this and of the specific possibility of lodging a complaint.

In addition, we may transfer information about non-claim-related behaviour to individual credit agencies, such as SCHUFA, in order to prevent fraud (e.g. in the case of credit card fraud). This is done in accordance with legal requirements, insofar as it is necessary to protect our legitimate interests and the legitimate interests of third parties and there is no reason to believe that your interests or fundamental rights and freedoms requiring the protection of personal data prevail. Processing is therefore carried out for the purpose of fraud prevention on the basis of Art. 6 para. 1 f) GDPR.

We only store personal data processed in the context of communication via our website or app for as long as is necessary to carry out the respective measure. In the event of a revocation of your consent or deregistration from the service, we will delete your data unless there are legal storage obligations (see point VIII) that prevent this.

5. DATA PROCESSING WHEN YOU CONTACT US

5.1. CHANNELS FOR CONTACTING US

You have various options for contacting us. You can reach our customer service via the following communication channels:

  • by telephone,

  • by letter,

  • by email,

  • via the contact form, or

  • via WhatsApp message

In order to process your request, we collect your name, email address, telephone number, customer number, order number and item number, as well as any other information you provide to us, depending on the communication channel you use to contact us.

The legal basis for this is Article 6(1)(b) of the GDPR, according to which data processing is necessary for the performance of a contract, or Article 6(1)(f) of the GDPR, based on our legitimate interest in processing enquiries from visitors to our website.

We store the personal data you provide when contacting us for the duration of the processing of your request and beyond in accordance with the statutory retention periods (see point VIII), provided that your request is related to a contractual relationship.

5.2. OUR CUSTOMER SERVICE SYSTEM ZENDESK

We use the Zendesk customer service system to process your contact enquiries. The service provider is Zendesk, Inc., 1019 Market Street, San Francisco, CA 94103, USA.

We use Zendesk to process your customer enquiries quickly and efficiently. We would like to point out that you can also send your enquiries by simply providing your email address and without giving your name.

As we have concluded a data processing agreement with Zendesk, your personal data may only be processed by Zendesk in accordance with our instructions and in compliance with the GDPR.

Your data may be transferred to Zendesk servers in the USA and stored there. The legal basis for this is the adequacy decision of the European Commission of 10 July 2023 (known as the Data Privacy Framework) in accordance with Art. 45 GDPR and the Binding Corporate Rules (BCR) approved by the Irish Data Protection Authority. These are binding internal company regulations that legitimise internal data transfers to third countries outside the EU and the EEA. Details can be found here: https://www.zendesk.de/blog/update-privacy-shield-invalidation-european-court-justice/.

The legal basis for data processing by Zendesk is our legitimate interest pursuant to Art. 6 (1) f GDPR. If you do not agree to your request being processed via Zendesk, you can alternatively contact us by email or telephone.

Further information can be found in Zendesk's privacy policy: https://www.zendesk.de/company/customers-partners/privacy-policy/.

6. DATA PROCESSING FOR ADVERTISING PURPOSES

6.1. SENDING ADVERTISING E-MAILS

If you have given your consent, Westwing will regularly send you the Westwing newsletter by email to inform you about the latest trends in home & living, must-have home & living styles, highlights from the Westwing online and retail shops, as well as special offers, "sales of the day" and "sales highlights of the week" ("newsletter"). You can find details on this in section 6.1.1.

In addition, subject to your consent, you will receive notifications from us by email about personal benefits, such as vouchers or special promotions, reminders about products in your shopping basket, reviews of Westwing products you have purchased, and opinion polls regarding Westwing or Westwing's services ("Notifications"). Details on this can also be found in section 6.1.1.

If you have already purchased a product or service from us and have not objected to receiving such communications, you will also receive promotional emails from us about similar products and/or services. For more details, please refer to section 6.1.2.

In this context, we process personal contact data such as your full name, residential address, telephone number and email address.

We store the aforementioned personal data until you revoke your consent. Revocation means that we will no longer process your data for advertising purposes from that point in time. The legality of the processing carried out until revocation remains unaffected.

6.1.1. SENDING OF ADVERTISING E-MAILS BASED ON YOUR CONSENT

If you have given your consent on our website by ticking a checkbox, we will send you newsletters and/or notifications by email.

Please note, however, that we will only send you newsletters and/or notifications by email if you have previously confirmed that you wish to receive the relevant emails by clicking on a button. We will send you the relevant button in a notification email to the email address you provided after receiving your consent (so-called "double opt-in procedure"). This is to prevent misuse by third parties who could enter your email address to subscribe you to the Westwing newsletter or Westwing notifications without your consent. The legal basis for the double opt-in procedure is Art. 6 para. 1 f) GDPR, as we have an overriding legitimate interest in preventing such misuse and documenting your consent.

The relevant legal basis for the processing of your personal data in connection with the sending of the aforementioned advertising emails is your consent in accordance with Art. 6 para. 1 a) GDPR.

You can withdraw your consent at any time with future effect as follows:

Click on the unsubscribe link at the end of our promotional emails so that you are redirected to the newsletter management or notification management area in your customer account (together "promotional email management"), depending on whether you wish to unsubscribe from the newsletter or email notifications. There, you can simply uncheck the boxes for the newsletters or notifications you no longer wish to receive.

Optionally, you can also log in to your customer account and then click on the "My newsletters" or "My notifications" tab (depending on the type of emails you wish to unsubscribe from) and then unsubscribe from the relevant newsletters or notifications you no longer wish to receive by removing the corresponding check marks in the aforementioned newsletter management or notification management section.

You can also withdraw your consent to receive newsletters and/or notifications and unsubscribe from receiving the relevant promotional emails by sending an email to service@westwing.de.

With the help of our advertising email management system mentioned above, we enable you to declare and revoke your consent to receive our newsletters and/or notifications in a differentiated manner. By ticking or unticking a box, you can decide individually whether and when or how often you wish to receive a newsletter or notification by email, depending on which newsletter you are interested in or which notifications you consider useful and how often you wish to receive the newsletter or notification(s) in question.

Please note that we use standard technologies in our advertising emails to measure whether the emails have been opened and/or which links you have clicked on. We use this data for general statistical analysis and to optimise and further develop our content and customer communication. This is done with the help of small graphics embedded in the newsletters (so-called pixels). The legal basis for this is our legitimate interest in optimising and further developing our content and customer communication (Art. 6 para. 1 f) GDPR). If you do not want your usage behaviour to be analysed, you can unsubscribe from the promotional emails at any time or disable graphics in your email programme by default.

Our newsletters and notifications are sent via the mailing service provider Braze, Inc., 318 West 39th Street, 5th Floor, New York, New York 10018, USA (“Braze”). A data processing agreement in accordance with Art. 28 GDPR has been concluded with Braze for the processing of personal data. Further information can be found in Braze's privacy policy https://www.braze.com/company/legal/privacy.

6.1.2. SENDING E-MAILS WITH ADVERTISEMENTS FOR PRODUCTS AND SERVICES THAT MAY BE OF INTEREST TO YOU BASED ON YOUR PREVIOUS PURCHASE BEHAVIOUR

If you have provided your email address when purchasing a product or service in our online shop, we will send you offers and information about products and services from our range that may be of interest to you, as you have already purchased similar products and services from Westwing. In addition, we will send you product evaluation and feedback surveys to ask about your satisfaction with purchased products or services (e.g. our customer service). However, we will only send you advertising emails if you have not objected to receiving them, despite our corresponding notice below the purchase button.

The relevant legal basis for the processing of your personal data is our legitimate interest pursuant to Art. 6 (1) f) GDPR in conjunction with § 174 (4) TKG 2021.

You can also object to receiving such advertising emails at any time by simply clicking on the unsubscribe link at the end of our advertising emails. Optionally, you can log into your customer account and unsubscribe via the advertising email management function (see section 6.1.1.). You can also object to receiving the relevant advertising emails at a later date by sending an email to service@westwing.de.

6.2. NEWSLETTER DISTRIBUTION VIA WHATSAPP

We also enable you to receive our newsletter via a WhatsApp message. We use the WhatsApp Business app to send the newsletter via WhatsApp.

For this purpose, we cooperate with our processors charles GmbH, Gartenstraße 86-87, 10115 Berlin, Germany, and Braze, Inc., 318 West 39th Street, 5th Floor, New York, New York 10018, USA ("Braze").

With regard to the use of WhatsApp, the privacy policy of WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, applies. Among other things, this stipulates that every WhatsApp message is end-to-end encrypted and therefore protected from access by third parties.

The legal basis for the processing of your data by Westwing is Art. 6 para. 1 a) GDPR, as you have consented on our website and confirmed via your WhatsApp message that you wish to receive newsletters, i.e. messages about new products and interior design trends, via this channel. You can revoke your consent at any time with future effect by sending the message "Stop".

The data in question may be transferred to Braze or WhatsApp servers in the USA and stored there. The legal basis for this is the adequacy decision of the European Commission of 10 July 2023 (known as the Data Privacy Framework) in accordance with Art. 45 GDPR and Art. 49(1)(a) GDPR in conjunction with your consent.

Westwing undertakes to comply with the WhatsApp Business privacy policy, which you can find here: https://business.whatsapp.com/privacy-protections.

7. DATA PROCESSING FOR COMMUNICATION WITH YOU ON OUR WEBSITE AND VIA OUR APP

We use the service provider "Braze" to communicate with you on our website and in our app. For this purpose, we display so-called "overlays" with an interaction option, for example.

Braze is also used to send you push notifications in our app.

Braze processes the following personal data for this purpose, among other things: your IP address, device-related data such as device type, model, operating system, browser type and version, usage-related information such as usage time, first name, email hash, Braze SDK and message interaction data, installation ID, device ID.

The legal basis for the processing of your personal data is Art. 6 (1) a) GDPR in conjunction with § 165 (3) TKG 2021. You can withdraw your consent at any time with future effect. The easiest way to do this is via our cookie consent manager.

Further information on Braze's compliance with data protection can be found here: https://www.braze.com/privacy/.

8. DATA PROCESSING FOR PARTICIPATION IN COMPETITIONS

If you participate in competitions, we only process the data that is necessary for the execution of the competitions (Art. 6 para. 1 b) GDPR). This includes, in particular, your name, email address and, if applicable, your delivery address. Please note the respective data protection information in the conditions of participation for the respective competition.

We store the personal data collected in the context of competitions for the duration of the competition and its processing. After complete processing, the data will be deleted unless there are legal obligations to retain it (see point VIII).

9. DATA PROCESSING WHEN USING SOCIAL MEDIA FAN PAGES

Westwing is active and present on social networks and platforms in order to communicate with interested parties and users and to inform them about further offers from Westwing. Below, we provide an overview of the processing and use of your personal data when you visit our social media accounts:

9.1. FACEBOOK AND INSTAGRAM

We operate fan pages on the social networks "Facebook" and "Instagram" in joint responsibility with Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, in order to communicate with followers (such as our customers and interested parties) and to provide information about our products, competitions and other promotions.

With the help of Meta statistics on the use of our fan pages (e.g. information on the number of visitors, names, interactions such as likes and comments, as well as summarised demographic and other information or statistics; "Insights data"), we receive information about how our "fan page" is used, what interests the visitors to our "fan pages" have and which topics and content are particularly popular, so that we can optimise our "fan page content" and adapt it to our users' interests. The insights data only contains statistical, depersonalised information about visitors to the fan page, which cannot be traced back to a specific person. You can find more information about the type and scope of these statistics in the Meta page statistics information. Further information on the respective responsibilities and the processing of your data by Meta can be found at: https://www.facebook.com/legal/terms/information_about_page_insights_data, https://help.instagram.com/1533933820244654.

Please note that we have no influence on the data processing carried out by Meta on its own responsibility in accordance with the terms of use of Facebook and Instagram. However, we would like to point out that when you visit the fan pages, data about your usage behaviour is transferred to Meta by Facebook/Instagram and the fan pages. Meta itself processes your personal data to compile the aforementioned statistics and for its own market research and advertising purposes. We have no access to this data.

Insofar as we receive your personal data when operating the fan pages, you are entitled to the rights set out in this privacy policy. If you wish to assert your rights against Facebook, you can also contact Facebook directly. We will be happy to assist you in asserting your rights to the extent possible and will forward your requests to Meta.

The legal basis for this data processing is Art. 6 para. 1 f) GDPR based on our aforementioned legitimate interest in providing you with our Facebook fan pages for marketing and advertising purposes.

You can find more information on this in Meta's privacy policy at: https://de-de.facebook.com/policy.php/.

9.2. YOUTUBE

We use plugins from the YouTube platform to embed our own videos and make them publicly accessible. YouTube is a service provided by a third party not affiliated with us, namely YouTube LLC, operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

As soon as you access our YouTube channel, your browser establishes a connection to YouTube and transfers information. YouTube content is only integrated in what is known as "extended data protection mode". This is provided by YouTube itself and, according to its own information, ensures that YouTube user information (e.g. cookies) is only stored on the device when the video(s) are played. When you access the videos in question, your IP address, unique identifiers, the type and settings of your browser, the type and settings of your device, the operating system, information about the mobile network such as the name of the mobile service provider and the telephone number, and the version number of the app are transmitted to YouTube. YouTube also collects data about how your apps, browsers and devices interact with its own services. This is because the sharing of data with YouTube partners is not necessarily excluded by the enhanced privacy mode. YouTube establishes a connection to the Google DoubleClick network regardless of whether you watch a video or not. The data transmitted includes your IP address, crash reports, system activity, and the date, time, and referral URL of your request. In addition, YouTube collects data about your activities (e.g. terms you search for, videos you watch, etc.). All data collected about you via our YouTube channel is processed by YouTube. According to YouTube, this information is used, among other things, to compile video statistics, improve user-friendliness and prevent abusive behaviour. YouTube also uses cookies to collect information about user behaviour. The storage of these cookies can be prevented by appropriate browser settings and extensions. If you are logged into your YouTube account, you enable YouTube to associate your browsing behaviour directly with your personal profile. You can prevent this by logging out of your YouTube account before activating the play button.

In addition, we occasionally embed videos stored on YouTube directly on our website using so-called "plugins". When these are embedded, content from the YouTube website is displayed in parts of a browser window. However, the YouTube videos are only accessed by clicking on them separately. This technique is also known as "framing". When you access a (sub)page of our website on which YouTube videos are integrated in this form, a connection to the YouTube servers is established and the content is displayed on the website by means of a message to your browser. We have no influence on the scope and content of the data that is transmitted to YouTube and, if applicable, other YouTube partners when the plugin is activated. Among other things, the YouTube server is informed which of our pages you have visited.

The legal basis for the processing of your data is your consent, Art. 6 para. 1 sentence 1 a) GDPR in conjunction with § 165 para. 3 TKG 2021. This means that we do not use this service unless you have consented to its use. You can withdraw your consent at any time with future effect, most easily via our cookie consent manager.

For more information about the information YouTube receives and how it is used, please refer to YouTube's privacy policy at: https://policies.google.com/privacy.

9.3. TIKTOK

We publish short video clips (known as "Reels") on the TikTok platform and in the TikTok app to promote our products and our online shop. When you visit the TikTok website or app, TikTok Inc., 10100 Venice Blvd., Culver City, CA 90232, USA ("TikTok") collects and processes your personal data.

TikTok makes a certain portion of this data available to TikTok profile owners in anonymised and aggregated form. This includes the number of new followers and demographic data such as gender and country, without reference to identifiable individuals. Westwing is therefore unable to identify visitors to the TikTok profile. As the owner of this profile, Westwing also receives anonymised statistical data (so-called "insights data") from TikTok. No conclusions about individual visitors can be drawn from this data. The data contained in the statistics is used by us exclusively for the analysis of user behaviour, so that we can better tailor our TikTok profile and our offer to the needs and interests of visitors.

The use of the data transmitted to us by TikTok is based on our legitimate interest pursuant to Art. 6 para. 1 f) GDPR in performing data analyses and statistical recording of the use of our TikTok profile, in optimising our offering for you, in marketing our posts and videos on our website, and in continuously improving and managing our offering and our products.

Further information on data processing by TikTok can be found in TikTok's privacy policy at: https://www.tiktok.com/legal/privacy-policy?lang=de.

9.4. PINTEREST

We operate a Westwing account on the Pinterest platform and in the Pinterest app, where we publish inspiration on home and living topics and advertise our products. Pinterest Inc., 808 Brannan Street, San Francisco, CA 94103, USA ("Pinterest") is responsible for the Pinterest services.

When you register for an account, Pinterest processes the data you provide, such as your name, email address, telephone number, photos, pins and comments. In addition, Pinterest collects and processes your IP address, which is used to approximate your location if you choose to share your exact location, as well as other Internet and electronic network activity (including which "pins" you click on, which "boards" you create, and what text you add in a comment or description).

The legal basis for this data processing is Art. 6 para. 1 f) GDPR based on our legitimate interest in providing you with our Pinterest platform for marketing and advertising purposes.

For more information, please visit https://policy.pinterest.com/en/privacy-policy.

10. DATA PROCESSING WHEN BOOKING OUR DESIGN SERVICES

Via our website, you have the option of booking the Westwing Design Service via the "Design Service"/"Start your project" tab and having us individually furnish your home. You can choose between our Basic, Premium and Deluxe service packages.

When you make a booking, we process the following personal data so we can get in touch with you and your designer to start working on your concept: first name, last name, email address, phone number, and any other project-related info you give us.

You can also book a customised furnishing concept for your company (e.g. office, café, hotel) via the "Design Service" / "Business Customer Service" tab. The following personal data may be processed via your pre-registration for our business customer service: first name, last name, email address, telephone number.

The legal basis for this is Article 6(1)(b) GDPR (performance of a contract) or Article 6(1)(f) GDPR (balancing of interests based on our interest in processing enquiries from users of our website).

As part of our design service, we also offer you the option of creating a 360-degree view of your flat or house using the Homestyler visualisation tool. For the technical provision of this service, your IP address will be transmitted to the servers of our cooperation partner Homestyler Hong Kong Ltd. (hereinafter "Homestyler") located in the EU or the USA.

The legal basis for this processing is your express consent in accordance with Art. 6 para. 1 a) GDPR.

As the registered office of our data processor Homestyler is located in Hong Kong, your data will be transferred to a third country in accordance with the GDPR. The legal basis for this is the standard contractual clauses of the European Commission pursuant to Art. 46 (2) c) GDPR.

Your data will be processed exclusively to enable the use of the 360-degree view. No further use or permanent storage will take place.

You can revoke your consent at any time with future effect. In this case, however, you will no longer be able to use the 360-degree view on your device.

We store your personal data for the duration of the contractual relationship and beyond in accordance with the statutory retention obligations under German law (including tax and commercial law retention obligations under Sections 147 AO, 257 HGB, and beyond that, as long as they are relevant to the tax authorities in pending proceedings).

11. DATA PROCESSING BY SHOPIFY

To provide our online shop and process your payments, we work with the service provider Shopify International Limited, Victoria Buildings 1-2, Haddington Road, Dublin 4, D04 XN32, Ireland ("Shopify"). Shopify enables us to operate our online shop via Shopify's cloud computing infrastructure and also processes payments for us.

Your relevant data may be transferred to servers of Shopify Inc. in the USA and/or Canada and stored there. The legal basis for this is the EU Standard Contractual Clauses pursuant to Art. 46 GDPR.

Shopify is used to provide our online shop and to process your payments. The legal basis for this is therefore our legitimate interest within the meaning of Art. 6 para. 1 f) GDPR or the performance of your contract within the meaning of Art. 6 para. 1 b) GDPR.

Shopify acts as our processor or controller, depending on the processing activity.

Further information on data processing and information on data protection by Shopify can be found at https://www.shopify.com/legal/privacy.

12. PERSONIO

As part of the application process, we process your personal data in order to review your application and carry out the selection process. This includes, in particular: assessing your suitability, inviting you to interviews and conducting them, and sending you any offers or rejections. This processing is carried out by our People & Culture team and by the relevant employees in the specialist department.

The legal basis for data processing is Art. 6 (1) f) GDPR (legitimate interest in selecting suitable applicants).

We obtain your data either from publicly available sources (e.g., LinkedIn), through third-party recommendations, or directly from you via our application portal or external applicant platforms.

To carry out the application process, we use the personnel management tool Personio, provided by Personio SE & Co. KG, Seidlstraße 3, 80335 Munich, to which your data is transferred for this purpose.

Your data will only be stored for as long as is necessary to make a decision about your application or as required by statutory retention periods. Your data will be deleted at the latest when there is no further purpose for storing it.

If you agree, we will be happy to keep your documents for a longer period of time so that we can consider you for future vacancies. Please let us know if you would like us to do so.

X. COOKIES AND SIMILAR TECHNOLOGIES

We use so-called "cookies" and similar technologies (such as "web beacons", "pixels" and "tags") on our website and in our app.

Web beacons are small GIF files that can be hidden in other graphics, emails or similar. Web beacons can identify your computer and evaluate your user behaviour, such as your response to advertising campaigns. The information collected by web beacons cannot be used to identify you.

Cookies are small text files that are transferred from an Internet server to your browser and stored on your hard drive. There are so-called "session cookies", which are deleted as soon as you close your browser, and so-called "persistent cookies", which are stored on your device for a longer period of time or indefinitely. A cookie contains a characteristic string of characters that enables your browser to be uniquely identified when you visit the website again. This helps us to personalise our offering, make it more user-friendly, effective and secure, and enable certain functions to be provided.

You can decide which cookies you want to allow at any time by clicking on the "Cookie settings" button in our cookie consent manager. This does not include strictly necessary cookies, which ensure essential functions of the website and our app.

A basic distinction is made between four different cookie categories:

1. STRICTLY NECESSARY COOKIES

Strictly necessary cookies enable basic functions and are required for the proper functioning of the website and our app. They are used, for example, to process orders or to enable you, as a registered user, to remain logged in when accessing various subpages of our website and our app. In addition, thanks to these cookies, you do not have to re-enter your login details every time you visit a new page.

The legal basis for the use of strictly necessary cookies on our website and in our app is our legitimate interest in the technically flawless and user-friendly provision of our website and our app (Art. 6 para. 1 f) GDPR). The use of strictly necessary cookies is possible without your prior consent and is legally permissible.

If you do not want your device to be recognised on your next visit, you can also refuse the use of such cookies by changing the settings in your browser to "Reject cookies". You will find the respective procedure in the operating instructions for your browser. If you have set your browser accordingly, you will be informed about the setting of cookies and can only allow cookies in individual cases or exclude the acceptance of cookies for certain cases or in general. It is also possible to activate the automatic deletion of cookies when you close your browser.

If you refuse to accept certain cookies, this may result in restrictions on the use of some areas of our website and our app.

2. FUNCTIONAL COOKIES

Functional cookies enable us to store information you have already provided (such as your registered name) and offer you improved and personalised features. If you do not allow these cookies, some of these services may not function properly.

The relevant data processing is carried out on the basis of your consent in accordance with Art. 6 (1) a) GDPR in conjunction with § 165 (3) TKG 2021. You can revoke your consent at any time with future effect, most easily via the cookie consent manager.

3. PERFORMANCE COOKIES

Performance cookies enable us to count visits and traffic sources so that we can measure and improve the performance of our website. The data collected by these cookies allows us to understand, among other things, which areas are most popular, which are least used and how visitors move around our website. All information collected by these cookies is aggregated and cannot be easily traced back to you.

Data processing is based on your consent in accordance with Art. 6 para. 1 a) GDPR in conjunction with § 165 para. 3 TKG 2021. You can revoke your consent at any time with future effect, most easily via the cookie consent manager.

4. MARKETING COOKIES AND SIMILAR TECHNOLOGIES

Marketing cookies and similar technologies (e.g. "pixels") enable us to display personalised and therefore relevant advertising content to you and to measure the effectiveness of our advertising measures.

Marketing cookies and similar technologies are not only used on our website, but also on other (advertising) partner sites ("third-party cookies"). This so-called "retargeting" serves to place relevant advertising on other websites and to analyse the relevant target groups for the products and services.

Data processing is carried out on the basis of your consent in accordance with Art. 6 para. 1 a) GDPR in conjunction with § 165 para. 3 TKG 2021. You can revoke your consent at any time with future effect, most easily via the cookie consent manager. If you do not allow these cookies, you will see less advertising that is relevant to you.

5. DETAILS ABOUT THE COOKIES WE USE

5.1. NECESSARY COOKIES

5.1.1. GOOGLE RECAPTCHA

We use the "Google reCAPTCHA" service, which is provided for persons in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

This service helps us distinguish whether an entry has been made by a natural person or abusively by machine or automated processing.

When using the service, your IP address and any other data required by Google for the reCAPTCHA service will be transmitted to Google.

This data is processed on the basis of our legitimate interest in exercising our responsibility on the Internet and preventing misuse and spam (Art. 6 para. 1 f) GDPR). The storage of information and access to information on your end device is absolutely necessary and is therefore carried out in accordance with § 165 para. 3 TKG 2021.

The data in question may be transferred to Google servers in the USA and stored there. The legal basis for this is the adequacy decision of the European Commission of 10 July 2023 (known as the Data Privacy Framework) in accordance with Art. 45 GDPR or Art. 49 para. 1 a) GDPR in conjunction with your consent.

Further information on Google reCAPTCHA and Google's privacy policy can be found at: https://www.google.com/intl/de/policies/privacy/.

5.1.2. ONETRUST

We work with the service provider OneTrust, LLC, 1350 Spring St NW, Atlanta, GA 30309 ("OneTrust") to obtain and manage your consent. This is done via our cookie consent manager or cookie banner, which appears when you first visit our website or app and informs you about data processing, specifically cookies and other technologies on our website and in our app, and allows you to reject or accept the use of individual cookies and other technologies.

You can also call up the cookie banner again and change your selection. In addition, the cookie banner appears when you visit our website and our app if you have disabled the storage of cookies or if the cookies from OneTrust have been deleted or have expired.

Specifically, your consent or revocation, your IP address, information about your browser and your device at the time of your visit are transferred to OneTrust and information is stored on your device.

The relevant legal basis is Art. 6 (1) f) GDPR, as we have a legitimate interest in complying with the legally required documentation of your cookie consent and cookie management. A further legal basis is Section 165 (3) TKG 2021.

The data in question may be transferred to OneTrust servers in the USA and stored there. The legal basis for this is the adequacy decision of the European Commission of 10 July 2023 (known as the Data Privacy Framework) in accordance with Art. 45 GDPR.

5.2. FUNCTIONAL COOKIES

5.2.1. VIMEO PLUGINS

We use, among other things, the "Vimeo" service provided by Vimeo LLC, 555 West 18th Street, New York 10011, USA ("Vimeo") to embed videos.

Vimeo uses so-called "plugins" for this purpose. When you visit a website equipped with such a plugin, a connection to the Vimeo servers is established and information about which of our websites you have visited is transmitted. If you are logged in to Vimeo at the same time, Vimeo will assign this information to your personal user account. When you use the plugin, e.g. by clicking on the start button of a video, this information is also assigned to your user account.

The data in question may be transferred to Vimeo servers in the USA and stored there. The legal basis for this is the adequacy decision of the European Commission of 10 July 2023 (known as the Data Privacy Framework) in accordance with Art. 45 GDPR or Art. 49(1)(a) GDPR in conjunction with your consent.

The legal basis for the processing of your data is your consent, Art. 6 para. 1 sentence 1 a) GDPR in conjunction with § 165 para. 3 TKG 2021. This means that we do not use this service unless you have consented to its use. You can withdraw your consent at any time with future effect, most easily via our cookie consent manager.

Further information on data processing and information on data protection by Vimeo can be found at https://vimeo.com/privacy.

5.2.2. ALGOLIA

We use the "Algolia" service provided by Algolia SAS, 55 Rue d'Amsterdam, 75008 Paris, France ("Algolia") to search and index content on our website and app. For this purpose, your IP address and your search queries are forwarded to Algolia's server.

Algolia also generates reports for us with corresponding evaluations and search analyses.

In this regard, Algolia helps us to improve the findability of our offers, the search experience and the satisfaction of our customers.

The legal basis for the processing of your data is your consent, Art. 6 para. 1 a) GDPR. You can revoke your consent at any time with future effect; the easiest way to do this is via our Cookie Consent Manager.

Further information can be found in Algolia's privacy policy: https://www.algolia.com/policies/privacy.

5.3. PERFORMANCE COOKIES, IN PARTICULAR GOOGLE ANALYTICS WITH CONVERSION TRACKING

We use the "Google Analytics" service, a web analytics service provided by Google, which sets pixels and performance cookies, among other things, to store information on your device.

This enables us to assign data, sessions and interactions across multiple devices to a pseudonymous user ID, allowing us to analyse your usage behaviour across devices and improve our website and app for you and make them more interesting. For this purpose, we also receive statistics from Google about your use of our website and app.

Google Analytics 4 also uses artificial intelligence to automatically analyse and enrich the data. This is primarily done to make predictions about the future behaviour of website and app visitors based on structured event data (e.g. predicted revenue, purchase probability and churn probability). These predicted values can also be used for forecast target groups. For more details, please visit: https://support.google.com/analytics/answer/9846734?hl=de

Furthermore, Google Analytics 4 models conversions if there is not enough data available to optimise the data analysis. For more details, please visit: https://support.google.com/analytics/answer/10710245?hl=de.

Google Analytics 4 does not log or store individual IP addresses. However, Google Analytics 4 provides rough geographical location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based equivalents). For EU traffic, IP address data is used exclusively for deriving geolocation data before being deleted immediately. It is not logged, is not accessible and is not used for any other purpose.

The data in question may be transferred to Google servers in the USA and stored there. The legal basis for this is the adequacy decision of the European Commission of 10 July 2023 (known as the Data Privacy Framework) in accordance with Art. 45 GDPR or Art. 49 para. 1 a) GDPR in conjunction with your consent. Due to the activation of IP anonymisation on this website, your IP address will be truncated before transmission to the USA or to EU member states or EEA signatory states. Only in exceptional cases will your full IP address be transmitted to a Google server in the USA and truncated there. The IP address transmitted by your browser within the scope of Google Analytics will not be merged with other data from Google.

The legal basis for the processing of your data is your consent, Art. 6 para. 1 a) GDPR in conjunction with § 165 para. 3 TKG 2021. This means that we do not use these services unless you have consented to the use of Google Analytics with conversion tracking. You can withdraw your consent at any time with future effect, most easily via our cookie consent manager.

You can also prevent the collection of your data (including your IP address) and the processing of this data by Google by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de. An opt-out cookie will be set to prevent future collection of your data when you visit this website. The opt-out cookie is only valid in this browser and only for our website and is stored on your device. If you delete the cookies in this browser, you will have to set the opt-out cookie again.

Further details on data processing by Google Analytics with conversion tracking can be found at: http://www.google.com/analytics/terms/de.html, http://www.google.com/intl/de/analytics/learn/privacy.html, and http://www.google.de/intl/de/policies/privacy.

5.4. MARKETING COOKIES AND SIMILAR TECHNOLOGIES

5.4.1. CUSTOM AUDIENCE / META PIXEL

We use "Custom Audiences" with the so-called "pixel function" ("Meta Pixel") and the "server-side conversion API" on our website, which is operated for visitors outside the USA and Canada by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta").

This allows us to display interest-based advertising when you visit social networks such as Facebook and Instagram, or other Meta apps and websites, and to track the effectiveness of our advertising. Through the Meta Pixel integrated into our website, your browser automatically establishes a connection to Meta's servers for the purpose of extended matching of the integrated Meta Pixel. This provides Meta with information, for example, that you have clicked on a specific advertisement or product on our website, which in turn enables us to display advertisements based on your interests on our website or on other websites.

If you are registered with a Meta service, Meta can associate your website visit with your account, as your personal data in the form of your email address and IP address is transmitted to Meta by us in hashed form via the pixel and is partially enriched with existing tracking data. The country in which you are located is also transmitted. Even if you are not registered with Facebook or Instagram or are not logged in, it is possible that Meta may obtain your aforementioned personal data and use it to create a profile.

The data in question may be transferred to servers of Meta Platforms, Inc. in the USA and stored there. The legal basis for this is the adequacy decision of the European Commission of 10 July 2023 (so-called Data Privacy Framework) in accordance with Art. 45 GDPR or Art. 49 para. 1 a) GDPR in conjunction with your consent.

The legal basis for the processing of your data is your consent, Art. 6 para. 1 a) GDPR in conjunction with § 165 para. 3 TKG 2021. This means that we do not use these services unless you have consented to the use of Facebook Custom Audiences or Pixel. You can withdraw your consent at any time with future effect, most easily via our consent manager. Furthermore, if you are logged into your Facebook account, you can also object to data processing at the following link: https://www.facebook.com/adpreferences/ad_settings/?entry_product=account_settings_menu

Further information, in particular on the joint responsibility of us and Meta and on the purpose and scope of data processing by Meta, as well as the settings options for protecting your privacy, can be found in Facebook's privacy policy: https://www.facebook.com/about/privacy/.

5.4.2. PINTEREST TAG

In order to further optimise our Pinterest campaigns and measure their success, we use the "Pinterest Tag" service provided by the social network "Pinterest", which is offered to visitors from the European Economic Area by Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland ("Pinterest").

We use Pinterest Tag in conjunction with the "server-side conversion API" to display our Pinterest advertisements only to Pinterest users who have shown an interest in our offer. At the same time, this ensures that the content of our advertisements is highly likely to match the interests of the respective user. We can also track the behaviour of Pinterest users who have clicked on one of our ads. To do this, Pinterest processes data that the service collects via cookies, web beacons and similar storage technologies on our websites and in our app.

When using the service, the following information is processed: device information (e.g. type, brand), operating system used (e.g. iOS 11), IP address of the device used, time of access to our offer, type and content of the campaign and the response to the respective campaign (e.g. clicking a button) as well as the device identifiers consisting of individual characteristics of your end device. We can also use these device identifiers to recognise your end device on the website. The data collected in this way is anonymous to us and does not allow any conclusions to be drawn about your identity. If you log into your Pinterest account after visiting our website or visit our website while logged in, it is possible that this data will be stored and processed by Pinterest, which we would like to inform you about here. Pinterest may link this data to your Pinterest account and also use it for its own advertising purposes.

The data in question may be transferred to servers of Pinterest, Inc. in the USA and stored there. The legal basis for this is the so-called EU standard contractual clauses in conjunction with your consent.

The legal basis for the processing of your data is your consent, Art. 6 para. 1 a) GDPR in conjunction with § 165 para. 3 TKG 2021. This means that we do not use this service unless you have consented to the use of Pinterest Tag. You can withdraw your consent at any time with future effect, most easily via our consent manager.

For information on the purpose and scope of data processing and the settings options for protecting your privacy, please refer to the Pinterest privacy policy, which you can access via the following link: https://policy.pinterest.com/de/privacy-policy.

5.4.3. MICROSOFT BING ADS

On our website, we use the conversion tracking service "Microsoft Bing Ads" provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.

Microsoft Bing Ads places a cookie on your computer if you have accessed our website via a Microsoft Bing advertisement. This enables us to recognise that you have clicked on an advertisement and been redirected to our website. This helps us to understand how effective a particular advertisement is. However, we only receive information about the total number of users who clicked on a Bing ad and were then redirected to our website. No information about the identity of the user is disclosed.

The data in question may be transferred to Microsoft servers in the USA and stored there. The legal basis for this is the adequacy decision of the European Commission of 10 July 2023 (known as the Data Privacy Framework) in accordance with Art. 45 GDPR or Art. 49(1)(a) GDPR in conjunction with your consent.

The legal basis for the processing of your data is your consent, Art. 6 para. 1 a) GDPR in conjunction with § 165 para. 3 TKG 2021. This means that we do not use this service unless you have consented to its use. You can withdraw your consent at any time with future effect, most easily via our cookie consent manager.

Further information on data processing and the cookies used by Bing Ads can be found at: https://privacy.microsoft.com/de-de/privacystatement.

5.4.4. GOOGLE ADS (FORMERLY ADWORDS) AND CONVERSION TRACKING

We use the services "Google Ads" and "Google Conversion Tracking", which are offered to persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

This enables us to display Google Ads that take your interests and location into account.

When you click on a Google ad, a cookie is temporarily stored on your computer, which allows us to recognise that you clicked on the ad and were redirected to this page.

With the help of the conversion statistics created on this basis, we learn the total number of users who clicked on the ad and were redirected to a page tagged with a conversion tracking tag. However, we do not receive any information that can be used to personally identify users.

If you use a Google account, Google may link your web and app browsing history to your Google account, depending on the settings in your Google account, and use information from your Google account to personalise ads on . If you do not want this association with your Google account, you must log out of Google before visiting our website. You can also prevent the setting of these cookies by adjusting your browser software settings or on the Google website.

The relevant data may be transferred to Google servers in the USA and stored there. The legal basis for this is the adequacy decision of the European Commission of 10 July 2023 (known as the Data Privacy Framework) in accordance with Art. 45 GDPR or Art. 49 (1) a) GDPR in conjunction with your consent.

The legal basis for the processing of your data is your consent, Art. 6 para. 1 a) GDPR in conjunction with § 165 para. 3 TKG 2021. This means that we do not use this service unless you have consented to its use. You can withdraw your consent at any time with future effect, most easily via our cookie consent manager.

Further information on Google Ads and conversion tracking as well as Google's privacy policy can be found at: https://www.google.com/privacy/ads and https://policies.google.com/privacy.

5.4.5. GOOGLE DYNAMIC REMARKETING

We also use the remarketing function "Google Dynamic Remarketing". This service is used to present you with interest-based advertisements on other websites after you have visited our website. The ads are based on the products and services you clicked on during your last visit to our website. For this purpose, Google uses cookies that are temporarily stored in your browser. Google only stores information such as your web request, IP address, browser type, browser language, date and time of your request.

If you use a Google account, Google may link your web and app browsing history to your Google account and use information from your Google account to personalise ads, depending on the settings in your Google account. If you do not want this association with your Google account, you must log out of Google before visiting our website. You can also prevent the setting of these cookies by adjusting your browser software or on the Google website.

The relevant data may be transferred to Google servers in the USA and stored there. The legal basis for this is the adequacy decision of the European Commission of 10 July 2023 (known as the Data Privacy Framework) in accordance with Art. 45 GDPR or Art. 49 (1) a) GDPR in conjunction with your consent.

The legal basis for the processing of your data is your consent, Art. 6 para. 1 a) GDPR in conjunction with § 165 para. 3 TKG 2021. This means that we do not use this service unless you have consented to its use. You can withdraw your consent at any time with future effect, most easily via our cookie consent manager.

Further information on Google Dynamic Retargeting and Google's privacy policy can be found at: https://www.google.com/privacy/ads and https://policies.google.com/privacy.

5.4.6. GOOGLE AD MANAGER (FORMERLY DOUBLECLICK)

We also use "Google Ad Manager" (formerly "Doubleclick"). This service uses cookies, pixels and other technologies to present you with interest-based advertisements based on previous visits to our or other websites. It also enables us to track the success of our advertising campaigns. According to its own statements, Google also processes the relevant data to optimise its own products and services.

If you use a Google account, Google may link your web and app browsing history to your Google account and use information from your Google account to personalise ads, depending on the settings in your Google account. If you do not want this association with your Google account, you must log out of Google before visiting our website. You can also prevent the setting of these cookies by adjusting your browser software or on the Google website.

The relevant data may be transferred to Google servers in the USA and stored there. The legal basis for this is the adequacy decision of the European Commission of 10 July 2023 (known as the Data Privacy Framework) in accordance with Art. 45 GDPR or Art. 49 (1) a) GDPR in conjunction with your consent.

The legal basis for the processing of your data is your consent, Art. 6 para. 1 a) GDPR in conjunction with § 165 para. 3 TKG 2021. This means that we do not use this service unless you have consented to its use. You can withdraw your consent at any time with future effect, most easily via our cookie consent manager.

Further information about Google Ad Manager and Google's privacy policy can be found at: https://www.google.com/privacy/ads and https://policies.google.com/privacy.

5.4.7. YOUTUBE IN ENHANCED DATA PROTECTION MODE

We use YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA ("YouTube"), among others, to embed videos on our website. When you visit our website with videos embedded via YouTube, your browser establishes a direct connection to YouTube's servers in order to display the content to you. The content accessed may be recorded by your browser. If you are logged into your YouTube account, YouTube can associate your usage behaviour with your personal profile. You can prevent this by logging out of your YouTube account before visiting our website.

The data in question may be transferred to YouTube servers in the USA and stored there. The legal basis for this is the adequacy decision of the European Commission of 10 July 2023 (known as the Data Privacy Framework) in accordance with Art. 45 GDPR or Art. 49(1)(a) GDPR in conjunction with your consent.

The legal basis for the processing of your data is your consent, Art. 6 para. 1 sentence 1 a) GDPR in conjunction with § 165 para. 3 TKG 2021. This means that we do not use this service unless you have consented to its use. You can withdraw your consent at any time with future effect, most easily via our cookie consent manager.

Further information on data processing by YouTube can be found in YouTube's privacy policy at: https://policies.google.com/privacy?hl=de&gl=en.

5.4.8. SEGMENT

We also use the "Segment" service provided by Segment Inc., 101 15th St San Francisco, CA 94103, USA ("Segment").

Segment collects and stores data from you that can be used to create usage profiles using pseudonyms. These usage profiles are used to analyse your usage behaviour and are evaluated to improve our offer for you. Cookies may be used for this purpose, which enable recognition when you visit our website again. The pseudonymised usage profiles are not merged with personal data about the bearer of the pseudonym.

The data in question may be transferred to Segment's servers in the USA and stored there. The legal basis for this is the EU Standard Contractual Clauses in conjunction with your consent.

The legal basis for the processing of your data is your consent, Art. 6 para. 1 sentence 1 a) GDPR in conjunction with § 165 para. 3 TKG 2021. This means that we do not use this service unless you have consented to its use. You can withdraw your consent at any time with future effect, most easily via our cookie consent manager.

Further information can be found in Segment's privacy policy: https://segment.com/docs/legal/privacy/.

5.4.9. HOTJAR

We use the web analytics service "Hotjar" provided by Hotjar Limited, Dragonara Road, Paceville St. Julian's STJ 3141, Malta ("Hotjar").

Hotjar uses cookies and other technologies to analyse and evaluate your usage behaviour and your interactions with our website. This helps us to optimise your user experience on our website by gaining a better understanding of our users' experiences on our website (e.g. clicks, scrolls, mouse movements).

Your IP address is shortened before the usage statistics are evaluated so that no direct conclusions can be drawn about your identity.

The legal basis for the processing of your data is your consent, Art. 6 para. 1 sentence 1 a) GDPR in conjunction with § 165 para. 3 TKG 2021. This means that we do not use this service unless you have consented to its use. You can withdraw your consent at any time with future effect, most easily via our cookie consent manager.

Further information can be found in the "About Hotjar" section at https://help.hotjar.com/hc/en-us/categories/115001323967-About-Hotja.

5.4.10. BRAZE

We use the web analytics service "Braze" provided by Braze, Inc, 318 West 39th Street, 5th Floor, New York, New York 10018, USA ("Braze") to communicate with you on our website and in our app and to understand the function and use of our mobile content on your device. For this purpose, we display pop-up windows with an interaction option, for example.

Braze is also used to send push notifications in our app and on our website.

Furthermore, we use Braze to send you personalised promotions and information about our products tailored to your interests.

We also use Braze to inform you about items you have left in your shopping cart.

The relevant data may be transferred to Braze servers in the USA and stored there. The legal basis for this is the adequacy decision of the European Commission of 10 July 2023 (known as the Data Privacy Framework) in accordance with Art. 45 GDPR or Art. 49 (1) a) GDPR in conjunction with your consent.

The legal basis for the processing of your data is your consent, Art. 6 para. 1 sentence 1 a) GDPR in conjunction with § 165 para. 3 TKG 2021. This means that we do not use this service unless you have consented to its use. You can withdraw your consent at any time with future effect, most easily via our cookie consent manager.

Further information on Braze's compliance with data protection can be found here: https://www.braze.com/privacy/.

5.4.11. CRITEO

We also use the remarketing tool "Criteo" from Criteo, SA, 32 Rue Blanche, 75009 Paris, France, on our website and in our app to show you personalised advertisements for products that may be of interest to you based on the products you have clicked on our website or in our app. For this purpose, the aforementioned data about your previous browsing behaviour is linked by Criteo to a unique identifier, such as an identification cookie or other similar technology (e.g. mobile advertising IDs and non-cookie-based technologies).

Criteo and Westwing act as joint controllers within the meaning of Art. 26 GDPR.

The legal basis for data protection is your consent in accordance with Art. 6 para. 1 a) GDPR in conjunction with § 165 para. 3 TKG 2021. You can revoke this consent at any time with future effect – most easily via our Cookie Consent Manager or at the following link: https://www.criteo.com/de/privacy/disable-criteo-services-on-internet-browsers/.

If Criteo transfers personal data to countries outside the EU or EEA, this is done, according to Criteo, on the basis of an adequacy decision by the European Commission pursuant to Art. 45 GDPR or on the basis of appropriate data protection safeguards pursuant to Art. 46 GDPR, for example the conclusion of the EU standard contractual clauses.

Further information on how Criteo processes your data can be found here: https://www.criteo.com/de/privacy

5.4.12. KLEAR

We use the influencer marketing service "Klear" provided by Meltwater Deutschland GmbH, Jannowitz Centre, Brückenstrasse 6, 10179 Berlin. This enables us to set up influencer marketing programmes and to measure and analyse influencer campaigns. Klear uses cookies to track the success of campaigns on our website.

The analyses created in this way help us, among other things, to search for influencers on social networks by region, language, industry, hashtag and previous collaborations, and to make data-driven decisions about our influencer marketing strategy.

The legal basis for the processing of your data is your consent, Art. 6 para. 1 a) GDPR in conjunction with § 165 para. 3 TKG 2021. This means that we do not use this service unless you have consented to its use. You can withdraw your consent at any time with future effect, most easily via our cookie consent manager.

Further information is available here: https://klear.com/legal/cookies; https://klear.com/legal/privacy-notice-for-influencers.

5.4.13. GOOGLE CUSTOMER MATCH

We also use Google's "Google Customer Match" service, which enables us to display interest-based advertising to visitors to our website based on their previous browsing behaviour on our website and third-party websites, as well as in apps and emails.

The data in question may be transferred to Google servers in the USA and stored there. The legal basis for this is the adequacy decision of the European Commission of 10 July 2023 (known as the Data Privacy Framework) in accordance with Art. 45 GDPR or Art. 49 (1) a) GDPR in conjunction with your consent.

The legal basis for the processing of your data is your consent, Art. 6 para. 1 a) GDPR in conjunction with § 165 para. 3 TKG 2021. This means that we do not use this service unless you have consented to its use. You can withdraw your consent at any time with future effect, most easily via our cookie consent manager. If you wish to prevent interest-based advertising by Google Customer Match, you can also opt out via the following websites: http://www.networkadvertising.org/choices/; http://www.youronlinechoices.com/

Further information on Google's compliance with data protection can be found here: https://support.google.com/google-ads/answer/6334160?sjid=2821624592503930728-EU

5.4.14. LEAD FORENSICS

We also use a B2B tool for sales and marketing from Lead Forensics, UK Headquarters, Communication House, 26 York Street, London, W1U 6PZ, UK ("Lead Forensics").

Lead Forensics uses a tracking code to identify companies that visit our website based on their business IP addresses. The Lead Forensics tracking code only collects information that is readily available to the public. The information in question is not used to personally identify individual visitors. The IP addresses that are collected are anonymised immediately after storage.

Lead Forensics does not provide us with the IP addresses. It only provides us with information about which companies have visited our website, as well as the date and duration of their visit. This information enables us to analyse the use of our website and, if necessary, to contact these companies.

The information generated by the Lead Forensics tracking code is transmitted to Lead Forensics' servers in the United Kingdom, where it is processed and stored. The legal basis for this is the European Commission's adequacy decision of 10 July 2023 (known as the Data Privacy Framework) in accordance with Art. 45 GDPR and Art. 49(1)(a) GDPR in conjunction with your consent.

The legal basis for the processing of your data is your consent, Art. 6 para. 1 a) GDPR in conjunction with § 165 para. 3 TKG 2021. This means that we do not use this service unless you have consented to its use. You can withdraw your consent at any time with future effect, most easily via our cookie consent manager. To unsubscribe from tracking, you can also use the following link: https://optout.leadforensics.com/?clientID=786109.

5.4.15. TIKTOK ADS

We use the "TikTok Ads" service provided by TikTok Inc, 10100 Venice Blvd, Culver City, CA 90232, USA ("TikTok"), which enables us to display interest-based advertising to visitors to our website based on their previous browsing behaviour on our website and on third-party websites, as well as in apps and emails.

When you visit our website, a pixel is set to establish a connection to TikTok's servers, and personal data such as your IP address, pages visited and interactions may be logged.

The corresponding data may also be transferred to TikTok servers in the USA and stored there. The legal basis for this is the EU Standard Contractual Clauses in conjunction with your consent.

The legal basis for the processing of your data is your consent, in accordance with Art. 6 para. 1 a) GDPR. This means that we only use this service if you have given us your consent. You can revoke your consent at any time with future effect, most easily via our cookie consent manager.

Further information can be found here: https://ads.tiktok.com/help/article/app-retargeting?lang=en; https://www.tiktok.com/legal/page/eea/privacy-policy/en.

5.4.16. CLARITY

We use the analytics tool Microsoft Clarity, a service provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Clarity helps us understand how visitors interact with our checkout process (e.g. feature usage, error messages, and items in the cart) to identify technical issues and improve the user experience.

Clarity records user interactions in anonymized form, with any personal data (PII) automatically masked before processing. The information may be transmitted to and processed by Microsoft on our behalf.

The use of Microsoft Clarity is based on your consent in accordance with Art. 6(1)(a) GDPR. You can withdraw your consent at any time with effect for the future.

As part of the use of Clarity, data may be transferred to the United States. The legal basis for this transfer is the U.S. Data Privacy Framework, to which Microsoft is certified. Where this framework does not apply, the transfer is based on the Standard Contractual Clauses (Art. 46(2)(c) GDPR) to ensure an adequate level of data protection.

For more information on how Microsoft processes data, please refer to the Microsoft Privacy Statement: https://www.microsoft.com/de-de/privacy

XI. TECHNICAL AND ORGANISATIONAL MEASURES FOR DATA SECURITY

We have taken technical and organisational security measures to protect your personal data against loss, destruction, manipulation and unauthorised access by third parties, as well as to ensure an appropriate level of protection and to safeguard your personal rights.

For example, we encrypt your personal data, including confidential content such as your contact requests, before it is transmitted, and all our employees and service providers and processors working on our behalf have undertaken to comply with the applicable data protection regulations and data protection laws.

We regularly check that our numerous security measures are state of the art.

XII. YOUR RIGHTS

In accordance with the statutory provisions on data protection, you have the following rights at any time with regard to your personal data. You can find more detailed information about your rights at: https://www.dsb.gv.at/rechte-der-betroffenen.

1. RIGHT TO INFORMATION

You have the right to request information about the personal data we process about you and a copy of this data.

2. RIGHT TO CORRECTION

You have the right to request the correction of inaccurate data and, taking into account the purposes of the processing, the completion of incomplete data.

3. RIGHT TO ERASURE

You have the right to request the erasure of your data if the following reasons apply:

  • the data is no longer necessary for the purposes for which it was collected or otherwise processed,

  • you withdraw your consent on which the processing is based and there is no other legal basis for the processing,

  • you object to the processing and there are no overriding legitimate interests for the processing,

  • the personal data in question has been processed unlawfully,

  • or the erasure of your personal data is necessary for compliance with a legal obligation in Union or Member State law.

Please note that there may be reasons that prevent immediate deletion, e.g. in the case of statutory retention obligations. Regardless of your exercise of your right to erasure, we will delete your data immediately and completely if it is no longer necessary for the respective purpose of processing and there are no legal or contractual retention obligations to the contrary.

4. RIGHT TO RESTRICT PROCESSING

You also have the right to request the restriction of the processing of your data if:

  • the accuracy of your personal data is disputed by you, for a period enabling us to verify the accuracy of your personal data;

  • the processing is unlawful and you oppose the erasure of your personal data and request the restriction of the use of your personal data instead;

  • we no longer need the personal data for the purposes of processing, but you require it for the assertion, exercise or defence of legal claims, or

  • you have objected to the processing pursuant to Art. 21 (1) GDPR, as long as it is not yet clear whether our legitimate interests outweigh yours.

5. RIGHT TO DATA PORTABILITY

You have the right, where the legal requirements are met, to receive the data provided in a structured, commonly used and machine-readable format and to transmit this data to another controller or, where technically feasible, to have it transmitted by Westwing.

6. RIGHT TO COMPLAIN TO THE COMPETENT DATA PROTECTION AUTHORITY

You also have the right to lodge a complaint with the competent data protection supervisory authority. To exercise this right, please contact us by email at: service@westwing.de.

7. RIGHT TO OBJECT

Insofar as the processing of your personal data is based on our legitimate interest pursuant to Art. 6 para. 1 sentence 1 f) GDPR, you also have the right to object to the processing of your personal data for reasons arising from your particular situation, e.g. by email to: service@westwing.de. We will then no longer process your personal data for these purposes, unless our legitimate interest outweighs your interests in individual cases.

8. RIGHT OF WITHDRAWAL

If the processing of your personal data is based on your consent in accordance with Art. 6 para. 1 a) GDPR, you have the right to withdraw your consent at any time with effect for the future, e.g. by email to service@westwing.de.

If you wish to exercise any of the above rights, you can also contact our external data protection officer at any time by email at anfrage@projekt29.de.

9. COMPETENT AUTHORITY

The competent supervisory authority is the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna (https://www.dsb.gv.at/).

XIII. CHANGES TO THIS DATA PROTECTION DECLARATION

We reserve the right to change this privacy policy if necessary, e.g. due to the use of new services or technologies. If fundamental changes are made, we will announce them on our website or by email.

Status: August 2025