Privacy Policy

Status: 20 April 2026

With the following privacy policy, we inform you about what types of your personal data we process, for what purposes, and to what extent — both in the context of our e-commerce services and within external online presences such as our social media profiles.

Persons Responsible

Hilo Latino is operated jointly by:

Dr. Benjamin Lange and Tatiana Navarrete Castellanos
Margaretenstr. 1
45145 Essen
Germany

Email: contact@hilolatino.com
Imprint: hilolatino.com/pages/imprint

Overview of Processing

Types of data processed

  • Inventory data (e.g. name, address)
  • Payment data (e.g. billing address, transaction records)
  • Contact data (e.g. email, telephone)
  • Content data (e.g. messages sent via contact form)
  • Contract data (e.g. order details, purchase history)
  • Usage data (e.g. pages viewed, interactions with our online shop)
  • Meta, communication, and process data (e.g. IP addresses, timestamps)
  • Log data

Categories of data subjects

  • Customers and buyers
  • Prospective customers and website visitors
  • Communication partners
  • Newsletter subscribers
  • Business and contractual partners

Purposes of processing

  • Provision of contractual services (order fulfilment, shipping, invoicing)
  • Processing of payments
  • Communication and customer service
  • Security measures
  • Reach measurement and conversion tracking
  • Marketing and newsletter distribution
  • Provision of our online shop and its user-friendliness
  • Information technology infrastructure
  • Compliance with legal retention obligations

Relevant Legal Bases

Relevant legal bases under the GDPR:

  • Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) — The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) — Processing is necessary for the performance of a contract or pre-contractual steps.
  • Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) — Processing is necessary for compliance with a legal obligation (e.g. tax and accounting).
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) — Processing is necessary for the legitimate interests pursued by the controller.

National data protection regulations in Germany: in addition to the GDPR, the Federal Data Protection Act (BDSG) applies.

Security Measures

We take appropriate technical and organisational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing.

The measures include safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data. We use TLS/SSL encryption technology (HTTPS) to protect user data transmitted via our online shop from unauthorised access.

Transmission of Personal Data

As part of our processing of personal data, it may be transmitted to other bodies, companies, or persons. The recipients of this data may include:

  • Payment service providers (for processing transactions)
  • Shipping and logistics providers (for order fulfilment)
  • Our hosting provider (Shopify)
  • Email service providers (for transactional and marketing emails)
  • Tax advisors and auditors (to meet legal obligations)
  • IT service providers

In all cases, we observe legal requirements and conclude corresponding data processing agreements where required.

International Data Transfers

If we process data in a third country (outside the EU/EEA), this only takes place in accordance with legal requirements. Where the level of data protection has been recognised by means of an adequacy decision (Art. 45 GDPR), this serves as the basis. Otherwise, data transfers only take place when the level of data protection is ensured through Standard Contractual Clauses (Art. 46 para. 2 lit. c) GDPR), express consent, or contractual necessity (Art. 49 para. 1 GDPR).

As part of the EU-US Data Privacy Framework (DPF), the European Commission has recognised the level of data protection for certified US companies as adequate. The list is available at dataprivacyframework.gov.

Storage and Deletion

We delete personal data as soon as the underlying consent is revoked or there is no further legal basis for processing. Exceptions exist where legal obligations require longer storage.

Retention periods under German law

  • 10 years — books, records, accounting documents, invoices (§ 147 AO, § 14b UStG, § 257 HGB)
  • 6 years — other business documents and documents with tax significance (§ 147 AO, § 257 HGB)
  • 3 years — data required for potential warranty and compensation claims (§§ 195, 199 BGB)

Rights of the Data Subjects

As a data subject, you are entitled to various rights under the GDPR (Art. 15 to 21):

  • Right to object at any time to processing based on Art. 6 para. 1 lit. e) or f) GDPR, including profiling. If data is processed for direct marketing, you have the right to object at any time.
  • Right to withdraw consent at any time.
  • Right of access to confirmation and information about data concerning you.
  • Right to rectification of inaccurate data.
  • Right to erasure and restriction of processing.
  • Right to data portability in a structured, commonly used, machine-readable format.
  • Right to complain to a supervisory authority, in particular in the Member State of your habitual residence.

Business Services

We process data of our customers and business partners in the context of contractual and comparable legal relationships — for order fulfilment, shipping, invoicing, warranty, and associated communication.

Processed data types: Inventory data; Payment data; Contact data; Contract data.

Data subjects: Customers, prospective customers, business partners.

Purposes: Provision of contractual services; communication; order fulfilment and shipping.

Storage: Generally 10 years for invoicing and tax records.

Legal bases: Art. 6 para. 1 lit. b), c), f) GDPR.

Provision of the Online Offer and Web Hosting

We process users' data to provide our online shop. The IP address is necessary to transmit content and functions to the user's browser.

Processed data types: Usage data; Meta, communication and process data; Log data.

Purposes: Provision of our online shop; IT infrastructure; security; reach measurement; server monitoring.

Legal basis: Art. 6 para. 1 lit. f) GDPR.

Shopify (hosting provider)

Shopify provides the e-commerce platform including hosting, payment infrastructure, and order management.

Service provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland.

Legal basis: Art. 6 para. 1 lit. f) GDPR.

Privacy Policy: shopify.com/legal/privacy

Data Processing Agreement: shopify.com/legal/dpa

Access data and log files

Access to our online shop is logged in server log files including IP address, time of access, data volume transferred, browser type, operating system, and referrer URL. Log files are stored for a maximum of 30 days and then deleted, unless further storage is required for evidentiary purposes.

Use of Cookies

Cookies are small text files that store information on end devices. We use cookies to ensure the functionality, security, and convenience of our online shop, and to analyse visitor flows.

Consent: We obtain prior consent where required by law. Consent is not required where storage is absolutely necessary to provide the service expressly requested.

Storage period: Session cookies are deleted after you leave our shop. Permanent cookies remain stored for up to 2 years unless otherwise specified.

Revocation and opt-out: Users can revoke consent at any time through their browser's privacy settings or through our cookie consent banner.

Legal bases: Art. 6 para. 1 lit. a) and f) GDPR.

Contact and Enquiry Management

When contacting us by email, contact form, or social media, the data is processed to the extent necessary to answer your enquiry and take any requested measures.

Processed data types: Inventory data; Contact data; Content data; Usage data; Meta data.

Legal bases: Art. 6 para. 1 lit. b) and f) GDPR.

Newsletter and Electronic Communications

We send newsletters with the consent of the recipients. Our newsletters contain information about our products, collections, artisan stories, and promotional offers.

Registration: Subscription takes place via a double opt-in procedure. After registering, you will receive a confirmation email. This confirmation is necessary so that no one can register with third-party email addresses.

Deletion: We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests to provide proof of prior consent.

Legal bases: Art. 6 para. 1 lit. a) GDPR; lit. f) for proof of consent.

Payment Processing

To process payments, we use payment service providers that handle your payment data securely:

  • Shopify Payments — Shopify International Limited, Dublin, Ireland. Privacy Policy
  • PayPal — PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg. Privacy Policy
  • Klarna — Klarna Bank AB, Stockholm, Sweden. Privacy Policy

Data processed may include inventory data, bank details, contract data, and transaction data.

Legal basis: Art. 6 para. 1 lit. b) GDPR.

Web Analysis, Monitoring and Optimisation

Web analysis evaluates the flow of visitors to our online shop. Profiles are created based on pseudonymous data. IP addresses are stored but subject to IP masking (pseudonymisation by shortening). No clear user data is stored in this context.

Shopify Analytics

Shopify provides built-in analytics to measure shop performance, track conversions, and analyse customer behaviour.

Service provider: Shopify International Limited, Dublin, Ireland.

Legal basis: Art. 6 para. 1 lit. f) GDPR.

Google Analytics

We use Google Analytics to measure and analyse the use of our online shop on the basis of a pseudonymous user identification number. This identification number does not contain unique data such as names or email addresses.

Google Analytics does not log or store individual IP addresses for EU users. For EU traffic, IP address data is used exclusively to derive geolocalisation data (city, continent, country, region) before it is immediately deleted.

Service provider: Google Ireland Limited, Dublin, Ireland.

Legal basis: Art. 6 para. 1 lit. a) GDPR.

Security measures: IP masking.

Privacy Policy: policies.google.com/privacy

DPA: business.safety.google/adsprocessorterms

Third country transfers: Data Privacy Framework (DPF).

Opt-out: Google Analytics opt-out

Google Tag Manager

Google Tag Manager enables us to manage website tags centrally. It does not create user profiles or store cookies with user profiles, and does not carry out independent analyses. However, the IP address is transmitted to Google for technical reasons.

Service provider: Google Ireland Limited, Dublin, Ireland.

Legal basis: Art. 6 para. 1 lit. a) GDPR.

Third country transfers: Data Privacy Framework (DPF).

Online Marketing

We process personal data for online marketing, including the presentation of advertising based on user interests and the measurement of effectiveness. User profiles are created and stored in cookies. IP addresses are stored but subject to IP masking. No clear user data is stored — only pseudonyms.

Opt-out:

Google Ads and conversion measurement

We use Google Ads to place advertising within Google's network so it is displayed to presumed interested users. We measure conversion — whether users have interacted with adverts and used our offers. We only receive anonymous information, no personal information about individual users.

Service provider: Google Ireland Limited, Dublin, Ireland.

Legal basis: Art. 6 para. 1 lit. a) and f) GDPR.

Third country transfers: Data Privacy Framework (DPF).

Meta Pixel (Facebook and Instagram advertising)

We use the Meta Pixel ("Facebook Pixel") to track conversions from Meta advertising, build custom audiences for retargeting, and optimise advertising campaigns on Facebook and Instagram. The Meta Pixel enables us to follow user actions after they have clicked on a Meta advert.

The Meta Pixel may collect IP address, browser and device data, visited pages, and interactions with our shop. This data is transmitted to Meta, which may use it to create user profiles and display targeted advertising.

Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.

Legal basis: Art. 6 para. 1 lit. a) GDPR.

Privacy Policy: facebook.com/about/privacy

Third country transfers: Data Privacy Framework (DPF).

Opt-out: Meta ad settings

Presence in Social Networks

We maintain online presences within social networks (e.g. Instagram) to communicate with users and offer information about our brand. User data may be processed outside the European Union, which may result in risks for users because enforcement of user rights could be more difficult.

User data within social networks is generally processed for market research and advertising purposes. Data subject rights can be most effectively asserted with the providers themselves, as only they have access to user data.

Instagram

Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.

Privacy Policy: instagram.com/about/legal/privacy

Third country transfers: Data Privacy Framework (DPF).

Plug-ins and Embedded Functions

We incorporate functional and content elements from third-party providers — graphics, videos, fonts. Integration requires that the third party processes the IP address of the user to deliver the content.

Google Fonts (loaded from Google servers)

Fonts and icons are loaded from Google's servers to provide consistent typography. The provider is informed of the user's IP address so that the fonts can be made available in the browser. Technical data (language settings, screen resolution, operating system) are also transmitted.

Service provider: Google Ireland Limited, Dublin, Ireland.

Legal basis: Art. 6 para. 1 lit. f) GDPR.

Third country transfers: Data Privacy Framework (DPF).

Change and Update

We ask you to inform yourself regularly about the content of our privacy policy. We will adapt the privacy policy as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as changes require your cooperation (e.g. consent) or other individual notification.

Definitions of Terms

This section provides an overview of terms used in this privacy policy. Where defined by law, their legal definitions apply.

Inventory data
Information necessary for identification and administration of contractual partners — names, contact information, customer IDs.
Contact data
Information that enables communication — telephone numbers, postal addresses, email addresses.
Content data
Information generated in the course of creating messages, reviews, or contributions.
Contract data
Specific information relating to the formalisation of an agreement — order details, product selection, terms.
Payment data
Information required to process payment transactions — billing address, transaction records.
Usage data
Information capturing how users interact with our online shop — pages visited, dwell time, click paths.
Meta, communication and process data
Information about how data is processed and transmitted — IP addresses, timestamps, identification numbers.
Log data
Information about events or activities logged on a system.
Personal data
Any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR).
Controller
The natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data.
Processing
Any operation performed on personal data (Art. 4 No. 2 GDPR).
Reach measurement
Analysis of visitor flows to an online offering.
Tracking
Tracing user behaviour across multiple online offers.
Conversion measurement
Determining the effectiveness of marketing measures by tracking user actions.
IP masking
Pseudonymisation of the IP address by shortening it.
Target group formation (custom audiences)
Determining target groups for advertising purposes based on user interests.