Privacy Policy

1. Introduction & Scope

Dermaelio.de is operated by MXC Commerce GmbH, a company based near Munich, Germany, offering beauty and aesthetic products directly to end‑consumers across the European Union. This Privacy Policy applies to all personal data processing activities in connection with:

  1. Website visits: Browsing, product searches, adding items to cart, account registration.

  2. Order placement and fulfillment: Submitting orders, payments, shipping, returns.

  3. Customer service: Inquiries via contact form, live chat, email or phone.

  4. Marketing interactions: Newsletter sign‑up, promotional campaigns, surveys.

It does not cover any data collected through offline channels (e.g. in‑person events) unless expressly referenced. If we intend to process your data for new purposes outside this scope, we will notify you separately and, where required, obtain your consent.

2. Definitions

To ensure clarity, the following terms are used as defined by the EU General Data Protection Regulation (GDPR):

  • Personal Data: Any information relating to an identified or identifiable natural person. For us, this includes your name, postal address, email, telephone number, payment details, and any other information you provide when shopping.

  • Processing: Any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure or destruction.

  • Controller: The entity that determines the purposes and means of processing personal data. MXC Commerce GmbH is the sole controller for all data collected via dermaelio.de.

  • Processor: A natural or legal person who processes personal data on behalf of the controller (e.g. Shopify, payment gateways, logistics partners).

  • Data Subject: You, the consumer whose personal data is processed when you visit or shop on our website.

  • Consent: Any freely given, specific, informed and unambiguous indication of your wishes by which you signify agreement to the processing of your personal data.

3. Data Controller & EU Representative

3.1 Controller Details

Under Article 4(7) GDPR, the data controller responsible for processing your personal data is:
MXC Commerce GmbH
Josef‑Kistler‑Straße 9
82110 Germering (near Munich), Germany
Email: info@dermaelio.de

3.2 EU Representative

Because we are established in the EU, we are not required to designate an external EU representative under Article 27 GDPR. All inquiries concerning your data‐protection rights, complaints or requests should be directed to the contact above.

4. Fundamental Principles of Processing

We commit to the six core principles set out in Article 5 GDPR for all personal data handling:

  1. Lawfulness, fairness & transparency

    • We process data only when there is a lawful basis: contract necessity (e.g. to fulfill your order), compliance with legal obligations, our legitimate interests (e.g. site security, fraud prevention), or your consent (e.g. marketing communications).

    • We inform you in clear, accessible language about what data we collect and why.

  2. Purpose limitation

    • Data is collected for specified, explicit purposes (e.g., order processing, shipment tracking, customer support, marketing with your opt‑in) and not further processed in a way incompatible with those purposes.

  3. Data minimisation

    • We collect only the personal data that is adequate, relevant and limited to what is necessary in relation to each purpose (for example, we ask only for the minimum payment details required to complete a purchase).

  4. Accuracy

    • We take reasonable steps to keep personal data accurate and up‑to‑date. You can review and correct your account information at any time via your user dashboard or by contacting us.

  5. Storage limitation

    • We retain personal data only as long as necessary to fulfill the purposes outlined in this Policy, or to comply with legal obligations (for example, accounting and tax records are kept for up to ten years under German law).

  6. Integrity & confidentiality

    • We implement appropriate technical and organizational measures—such as TLS encryption (HTTPS) for data in transit, firewalls, access controls and regular security reviews—to safeguard personal data against unauthorized or unlawful processing and against accidental loss, destruction or damage.

5. Categories of Personal Data We Collect

5.1 Customer‑Provided Data

We collect the personal information you provide when creating an account or placing an order, including your name, email address, billing and shipping addresses, telephone number, date of birth (where required for age verification), and payment card or bank details.

5.2 Transaction Data

Whenever you make a purchase, we record details of the products ordered, transaction amounts, date and time of purchase, payment method, order status and associated invoice numbers.

5.3 Technical & Usage Data

We automatically collect your IP address, device type, browser version, operating system, referral URLs, pages viewed, and click‑stream data via cookies and similar technologies to secure our site and analyze user behavior.

5.4 Marketing Data

If you opt in, we record your newsletter subscription status, email open and click‑through rates, and responses to surveys or promotional campaigns.

5.5 Sensitive Personal Data

We do not intentionally collect special‑category data (e.g., health or biometric information) unless you voluntarily provide it (for example, when seeking tailored advice), in which case we process it only with your explicit consent.

6. Legal Bases for Processing

6.1 Contractual Necessity (Art. 6 (1)(b) GDPR)

Processing your order, payment and shipping data is necessary to perform the contract you enter when you purchase our products.

6.2 Legal Obligation (Art. 6 (1)(c) GDPR)

We retain transaction records and invoices to comply with EU and German tax, accounting and commercial retention requirements.

6.3 Legitimate Interests (Art. 6 (1)(f) GDPR)

We process technical and usage data to prevent fraud, ensure network and information security, and optimize our website’s performance, except where those interests are overridden by your interests or fundamental rights and freedoms.

6.4 Consent (Art. 6 (1)(a) GDPR)

We process your email for marketing and non‑essential cookies only if you have given us clear, informed consent (e.g., by ticking an opt‑in checkbox).

7. Processing Activities by Data Category

7.1 Hosting & Infrastructure

All customer and order data are hosted on Shopify’s servers in the EU, with backups in Canada under an EU adequacy decision. Shopify acts as our processor under a GDPR‑compliant Data Processing Agreement.

7.2 Payment Processing

When you pay, we share necessary payment details (such as card number, expiry date) with third‑party payment gateways (e.g., Klarna, Stripe) solely to authorize and capture payments.

7.3 Shipping & Logistics

To deliver your orders, we transmit your shipping address, contact number and order details to logistics partners like DHL and UPS.

7.4 Analytics & Cookies

We and our analytics providers (e.g., Google Analytics, Shopify Analytics) use cookies and pixel tags to measure site traffic, user journeys and feature performance. Data is pseudonymized or aggregated wherever possible.

7.5 Marketing & CRM

With your permission, we integrate with email marketing platforms (e.g., Klaviyo, Mailchimp) to send you personalized promotions, product recommendations and transactional emails.

8. Data Retention Periods

  • Account & Order Data: Retained for up to ten years to comply with German commercial and tax laws.

  • Transaction Records & Invoices: Preserved for ten years in accordance with statutory retention periods.

  • Usage & Technical Data: Stored for up to 24 months to support fraud detection, security analysis and website optimization.

  • Marketing Data: Retained until you withdraw consent or unsubscribe, after which it is deleted or anonymized.

  • Customer Support Communications: Kept for up to three years to ensure consistent service and resolve potential disputes.

9. Your Rights as a Data Subject

Under the EU General Data Protection Regulation (GDPR), you have the following rights with respect to your personal data:

  • Right of Access
    You may request confirmation as to whether we process your personal data, and if so, receive a copy of the data and information about the processing purposes, categories of data, recipients, retention periods and your other rights.

  • Right to Rectification
    If any of your personal data is inaccurate or incomplete, you may request that we correct or complete it without undue delay.

  • Right to Erasure (“Right to be Forgotten”)
    You may request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or if you have withdrawn consent, or the data has been unlawfully processed, unless retention is required by law.

  • Right to Restrict Processing
    You may ask us to suspend processing of your personal data when you contest its accuracy, the processing is unlawful, we no longer need it for the original purpose, or you have objected to processing based on legitimate interests.

  • Right to Data Portability
    Where processing is based on consent or contract and uses automated means, you may request a structured, commonly used and machine‑readable copy of your personal data, and ask us to transmit it to another controller.

  • Right to Object
    You may object to processing based on our legitimate interests (e.g. site security, analytics) at any time; if you do so, we will cease that processing unless we demonstrate compelling legitimate grounds or need it for legal claims.

  • Right to Withdraw Consent
    Where processing is based on consent (e.g. for marketing communications or non‑essential cookies), you may withdraw that consent at any time. Withdrawal will not affect processing carried out prior to withdrawal.

  • Right to Lodge a Complaint
    If you believe our processing infringes GDPR, you may file a complaint with the competent supervisory authority in your EU Member State, such as the Bavarian Data Protection Authority.

10. How to Exercise Your Rights

To exercise any of the rights above, please follow these steps:

  1. Contact Us
    Send a clear request by email to info@dermaelio.de or by mail to MXC Commerce GmbH, Josef‑Kistler‑Straße 9, 82110 Germering, Germany.

  2. Verification
    We may require reasonable proof of your identity (e.g. a copy of an ID or a declaration) to ensure we do not disclose or alter another person’s data.

  3. Response Time
    We will acknowledge receipt of your request within one week and respond in full within one month of receiving your request. In complex cases or where we receive many requests, this period may be extended by two further months, but we will inform you of any extension, and the reasons for it, within the first month.

  4. No Fees
    We do not charge a fee unless requests are manifestly unfounded or excessive. In such cases, we may charge a reasonable fee or refuse to comply, informing you of the reasons.

11. Complaint and Appeals Process

  • Internal Review
    If you are dissatisfied with our response to your request or complaint, you may ask for an internal review by sending an email detailing the issue to info@dermaelio.de.

  • Supervisory Authority
    You have the right to lodge a complaint with your local data protection authority. For customers in Germany, this is the Bavarian Data Protection Authority (BayLDA). Contact details are available at https://www.lda.bayern.de.

12. International Data Transfers

  • Within the EU/EEA
    Data transfers between EU/EEA countries are governed by GDPR and do not require additional safeguards.

  • Transfers to Third Countries
    Some of our service providers (e.g. Shopify backups in Canada) process data outside the EU/EEA. In such cases, transfers are based on an EU adequacy decision (e.g. Canada) or Standard Contractual Clauses approved by the European Commission. You can request a copy of these safeguards at info@dermaelio.de.

13. Security Measures and Breach Notification

  • Technical Measures
    We use industry‑standard TLS encryption (HTTPS) for data in transit, firewalls, network monitoring, intrusion detection systems and access controls to protect personal data.

  • Organizational Measures
    Access to personal data is limited to authorized personnel on a need‑to‑know basis, and we conduct regular staff training on data protection.

  • Data Breach Response
    In the unlikely event of a personal data breach, we have an incident response plan. We will notify the competent supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects. If the breach poses a high risk to your rights and freedoms, we will also inform you without undue delay, describing the nature of the breach, likely consequences and remedial measures taken.

14. Cookies and Tracking Technologies

We use cookies and similar technologies (e.g., web beacons, pixel tags, local storage) to enhance your browsing and shopping experience on dermaelio.de. Cookies fall into the following categories:

  • Essential Cookies
    These are strictly necessary to enable core site functionality such as shopping-cart operations, secure areas access, and form submissions. Without these, the site cannot function properly.

  • Performance & Analytics Cookies
    These cookies collect pseudonymized information about how you use our site—pages visited, time spent, navigation paths—and help us identify and fix errors, optimize performance, and understand customer preferences. Because such cookies carry an identifier, this data is pseudonymous rather than anonymous; it is aggregated wherever possible.

  • Functionality Cookies
    They allow us to remember choices you make (e.g., language, region, saved items) and provide enhanced, personalized features.

  • Marketing & Advertising Cookies
    With your consent, we and our trusted partners may place cookies to deliver relevant ads, measure campaign effectiveness, and tailor offers based on browsing behavior and past purchases.

Cookies are set by both dermaelio.de (first‑party) and third‑party services (e.g., Google Analytics, Shopify Analytics, marketing platforms). Each cookie has a defined lifespan—from session cookies, which expire when you close your browser, to persistent cookies, which may remain for months or years.

15. Consent Management

Before placing any non‑essential cookies (performance, functionality, marketing), we obtain your clear, affirmative consent via our cookie banner. You can:

  1. Accept All Cookies – agree to the use of all categories.

  2. Customize Settings – enable or disable specific cookie categories.

  3. Reject All Non‑Essential Cookies – allow only essential cookies required for basic site operation.

Your consent choices are stored in a cookie and remembered on subsequent visits. You may withdraw or modify your consent at any time via the “Cookie Settings” link in our site footer. Changes take effect immediately but will not affect processing already completed under your prior consent.

16. Profiling and Automated Decision‑Making

We do not engage in automated decision‑making that produces legal or similarly significant effects (e.g., credit scoring, eligibility determinations). However, we may use profiling techniques—such as segmenting users by browsing patterns or purchase history—to:

  • Recommend products and promotions tailored to your interests

  • Send personalized email marketing offers

  • Optimize website layout and content for different customer segments

Such profiling is based on your browsing and transaction data and requires your opt‑in consent where needed. You have the right to object to profiling and to request human review of any automated profiling activity. To exercise this right, contact us at info@dermaelio.de.

17. Managing Cookie Preferences and Opt‑Outs

You can manage or disable cookies through the following methods:

  • In‑Site Cookie Settings
    Click the “Cookie Settings” link at the bottom of any page to revisit our consent banner and adjust your preferences.

  • Browser Controls
    Most browsers allow you to view, delete or block cookies via settings or preferences. Note that disabling essential cookies may impair site functionality.

  • Do‑Not‑Track (DNT)
    While we do not currently respond to DNT signals, you may still use browser or third‑party tools to limit tracking.

  • Third‑Party Opt‑Outs
    For advertising cookies served by external networks (e.g., Google Ads, Facebook Pixel), you can opt out via network‑specific opt‑out pages, such as the Google Ads Settings and the Digital Advertising Alliance (DAA) Consumer Choice Page.

By managing your cookie preferences, you control which non‑essential cookies are set on your device; this does not affect data we process on other legal bases (for example, order data we must retain by law). If you need assistance or have questions about cookies and tracking, please reach out to info@dermaelio.de.

18. Legal Boilerplate

This Privacy Policy and any disputes arising out of or relating to it shall be governed by and construed in accordance with the laws of Germany. Any legal action or proceeding arising under or relating to this Policy shall be brought exclusively in the competent courts in Munich, Germany.

No waiver by us of any breach or default under this Privacy Policy shall be deemed a waiver of any subsequent breach or default. If any provision of this Policy is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.

19. Contact Information

If you have any questions, concerns or requests regarding this Privacy Policy or the handling of your personal data, please contact us:

Data Controller & Contact Point
MXC Commerce GmbH
Josef‑Kistler‑Straße 9
82110 Germering (near Munich), Germany
Email: info@dermaelio.de
Phone: +49 89 123 4567

For data‑protection matters specifically, you may also address inquiries to our Data Protection Officer at the same email address.

20. Revision History

Version   Effective Date   Changes Made
1.0       July 17, 2025    Initial release of full five‑part Privacy Policy.

We review and, if necessary, update this Policy at least once every 12 months or whenever there is a change in our data‑processing activities or relevant legal requirements. The effective date above reflects the current version.

21. Glossary of Key Terms

  • Personal Data: Information relating to an identified or identifiable natural person.

  • Processing: Any operation performed on personal data, such as collection, storage, use, disclosure or deletion.

  • Controller: The entity that determines why and how personal data is processed.

  • Processor: A third party that processes data on behalf of the Controller.

  • Consent: A freely given, specific, informed and unambiguous indication of your wishes by which you agree to the processing of your personal data.

  • Contractual Necessity: Processing required to perform a contract to which you are a party.

  • Legitimate Interests: Processing based on our legitimate business needs, provided those interests are not overridden by your interests or fundamental rights and freedoms.

  • Data Subject: You, the individual whose personal data is collected and processed.

  • GDPR: The EU General Data Protection Regulation (Regulation 2016/679), which governs the protection of personal data in the EU.