Data protection is a matter of trust and I would like to give you the assurance that your data is in good hands with me. The protection and legally compliant collection, processing and use of your data is an important concern for me. This policy explains how your personal information is collected, used and disclosed by Rina Golan.

It also tells you how you can access and update your personal information, which in turn allows you to make certain choices about the use of your personal information.

Who is responsible for
Rina Golan responsible within the meaning of the European General Data Protection Regulation (GDPR) and the UK’s Data Protection Act (DPA) for data processing is:

Rina Golan

Bishops Cottage, The Batch,
Priddy, Wells, BA5 3BD,
United Kingdom
In the following, Rina Golan.

You can reach me at or at my above-mentioned by email at

When you use our website

Each time you visit, I collect the technical access data that your browser automatically transmits to my server in the course of page requests. The access data includes the following information in particular:
• Date and time of access;
• Address of the pages called up and the requesting pages;
• Content of the request (addresses and names of the requested files);
• Information on the browser or app used and the operating system (versions, language settings);
• Online identifiers (e.g. IP address, device identifiers, session IDs);
• Error messages, if applicable (if the requested content cannot be displayed); and
• the page you previously visited from which you accessed a page of via a link.

During your visit, your access data is automatically stored in the server log files of our server and then anonymised by shortening or deleting your IP address. It is then no longer possible to draw any direct conclusions about you on the basis of the server log files.
In addition, during your visit to, I record information that you actively provide to me by using the functions provided. For example, we find out which products you are interested in when you save an item to your wish list or use the search function.


I use a variety of cookies. These can be cookies set by me (“Rina Golan cookies”) and cookies from third-party providers. A cookie is a standardised text file that is stored by your browser for a period of validity determined in advance by the respective provider. Cookies enable the local storage of information such as language settings, shopping basket contents and temporary identification features, which can be retrieved on subsequent website visits in order to reload the corresponding settings. You can view and delete the cookies used in the security settings of your browser. You can configure your browser settings according to your wishes and thus, for example, reject the acceptance of cookies from third-party providers or reject all cookies. Please note that in this case, you may not be able to use all the functions of our website. For further information on the Cookies we use, please refer to our Cookie Policy. For more general information on cookies, please visit All About Cookies.

When you register for a Rina Golan customer account

In order to shop in our Rina Golan Online Shop, you need a personal Rina Golan customer account.

Registering in Rina Golan Online Shop makes it easier for you to shop with me in the future and provides you with a personalised and simple shopping experience. For example, your address and payment methods will be preselected for your next order. The customer account also allows us to store your data (e.g. order data and lists of the products you have previously purchased).
You can delete your Rina Golan customer account and the data stored in it at any time. To do so, simply send us an informal message, e.g. by e-mail to

Please note: The deletion of your customer account does not automatically extend to the order transactions and the personal data stored for them.

When you order something

I record which products you order. I also store data that is directly related to the processing of your orders.
Order data includes in particular:

• Details of the products ordered, such as item numbers and size.
• E-mail address
• Invoice and delivery address
• Payment data
• Order numbers
If you have made a purchase of goods and services from me, I am entitled to send you information about our own similar goods and services via the e-mail address sent when you made the purchase. You can object to this use of your e-mail address at any time.

When you contact me

If you contact me via the contact form on my website, by e-mail, by phone or by any other means, I will collect the communication data that arises in the process. Depending on which channel you use to contact me, this may include, for example, your contact details (such as your email address or phone number) and the content of your message to me. I only record phone conversations with my Customer Service if you have expressly consented to this (e.g. for training or quality purposes).

I also use social networks such as Facebook, YouTube and Instagram to communicate with our customers. Please note that I have no influence on the terms of use of the social networks and their data processing practices. Please, therefore, check carefully what personal data you share with us via the social networks.

If you subscribe to Rina Golan newsletter

Insofar as you have registered for my newsletter, I store the data you have provided in order to compile and send the newsletter.

The newsletter is sent by e-mail. You will only receive the newsletter after registering for the newsletter. In order to meet the requirements of the GDPR and the DPA, I use the so-called DOI procedure (“double opt-in”). If you register for our newsletter, you will receive a confirmation e-mail to the electronic mailbox named by you in the input field. This e-mail contains a confirmation link which you must click on. Only after completing this step have you successfully registered for the newsletter. To carry out the procedure, the IP address, date and time of registration are stored. This is to prevent misuse. The data is passed on to our dispatch service provider in order to deliver the newsletter to you. The legal basis for data processing is your consent. Existing customers who have not given explicit consent may receive newsletters from us. My legitimate interest is to inform our existing customers about my products through promotional e-mails and thus to maintain contact with these customers. I will only process your data for as long as is necessary to fulfil the purpose for which it was collected and for as long as there are no legal or official retention obligations that prevent us from deleting it.

My newsletters are sent via the dispatch service provider MailChimp. The data processing is carried out by The Rocket Science Group LLC. The e-mail addresses of our newsletter recipients, as well as their other data described in these notes, are stored on MailChimp’s servers. MailChimp uses this information to send and evaluate the newsletter on my behalf. MailChimp does not use the data of our newsletter recipients and does not pass them on to third parties. The newsletters contain a so-called “tracking pixel”, i.e. a pixel-sized file that is retrieved from the MailChimp server when the newsletter is opened. In the course of this retrieval, information such as information about your system, your IP address and the time of the retrieval are collected. The statistical surveys also include the determination of whether the newsletters are opened, how often they are opened and which links are clicked. For technical reasons, this information can be assigned to the individual newsletter recipients, but it is neither our nor MailChimp’s intention to observe individual users.

Your personal data will be stored until you unsubscribe from the
newsletter and, after unsubscribing from the newsletter distribution
list, may be stored in a blacklist to prevent future mailings. The data
from the blacklist will only be used for this purpose and will not be
merged with other data. The data will be permanently deleted if you
submit a deletion request to us. For this purpose, please contact
our data protection officer.

You have the possibility to revoke your consent at any time. To do
so, please contact me. If you have any questions regarding data
security at MailChimp, you must contact MailChimp.

Blog and Profile Data

Within the Blog you may be able to display certain personal
information, share certain details, engage with others, exchange
knowledge and insights, post and view relevant comments.
Comments and data are publicly viewable. You have choices about the
information on your comment. You don’t have to provide additional
information on your comment; however, profile information helps

Review all before use/change details from Se Sa to RG!

you to get more from our Services. It’s your choice whether to
include sensitive information in your comment and to make that
sensitive information public. Please do not post or add personal
data in your comment that you would not want to be available.

For what purposes does Rina Golan use my data?
When you visit, I process the access data, server
log files and cookies that arise in the process in order to provide
you with the content and functions you have called up and to
ensure the stability and security of our IT systems and databases.
If you use with your Rina Golan customer account, the legal basis is
the performance of contract and/or pre-contractual measures.

If you use without logging in, the legal basis is our legitimate interest.

Contract fulfilment

I process your data for the performance of contracts concluded with
you and for the provision of services at your request. The purposes
are primarily based on the specific content of the contract or the
purpose of the services you have requested. The legal basis for this
data processing is the performance of contract and/or
pre-contractual measures.

Customer service and communication in the context of existing customer relationships

I process your data to carry out our customer service. This includes,
for example:

• Processing of your concerns and enquiries
• Non-commercial communication with you

The legal basis for this data processing is the performance of
contract and/or pre-contractual measures.

Payment processing

Depending on which payment method has been agreed, I pass on
the data required for payment processing (e.g. direct debit or credit
card data) to the payment service provider commissioned with the
payment. In some cases, the payment service providers also collect
this data themselves on their own responsibility. In this respect, the
privacy policy of the respective payment service provider
applies. The transfer of your data to the external payment service
providers is based on the performance of contract.

My payment service provider for payments by credit card is Stripe,
510 Townsend Street San Francisco, CA 94103 United States. So
that you do not have to re-enter your card details each time you
make a purchase by credit card, your cards are stored in encrypted
form for 36 months on our behalf by Stripe. The legal basis for this
is our legitimate interest in making future purchases easier for you.
For this purpose, Stripe provides me with an individual pseudo card
number for your deposited credit card for each credit card you use,
which only takes the last 3 digits of your real credit card number.
This enables me to offer you payment with your last credit card
used during the next payment process by entering the last 3 digits
of your real card number without saving your real credit card data or
having to transfer them to me again from Stripe during the payment
process. You then only have to enter the check digit which is
transmitted to Stripe. This procedure increases the protection of
your credit card data, which can remain under lock and key at
Stripe during the entire process. This fulfils the requirements of the
cross-industry regulatory standards in payment transactions (PCI-DSS
regulations). If you then select the credit card for payment, I
only transmit the pseudo card number and the check digit in
encrypted form to Stripe and Stripe then recognises which credit
card number stored in the system is to be charged on the basis of
the pseudo card number.

If you decide to pay by credit card in the check-out process, a two-stage
risk or authentication check is carried out by your credit card
company. For this purpose, the following data will be transmitted to
the credit card company in a first step:

• Your name (title, first name, surname)
• your address
• If you have a different delivery address,
• Your e-mail address.
If the transmitted data show deviations that could indicate an
increased risk, a second level of verification is carried out, in which
an additional interaction of the cardholder is required (request for a
second factor).

Stripe is commissioned as our processor for the technical control of
payment transactions including the implementation of customer
authentication. Further recipients are the banks involved: the
card-issuing bank (the issuer) and my bank as the credit
card-accepting bank (the acquirer).

The data is transferred for the following purposes and is based on
the following legal grounds:
a) Execution of the contract
b) Obligation for customer authentication
c) Prevention of card misuse

Internal market research, optimisation and further
development of our offer and service

I use your access data and the data you provide (e.g. master data,
order data, returns data) for internal statistical and market research
purposes. Before doing so, we pseudonymise or anonymise your
data, e.g. by replacing your name and other data suitable for
identification by random data.

This allows me to determine, for example, which pages and
products of our shop are particularly popular, which devices our
customers generally use or from which regions our website is
accessed. This information helps me to continuously optimise our
existing offer and to develop new functions and services.

The legal basis for this data processing is our legitimate interest.
Insofar as you have consented to me processing your data for
certain purposes, the legal basis is your consent.

Google Analytics

My website uses the web analysis service Google Analytics, which
is offered by Google LLC, 1600 Amphitheatre Parkway, Mountain
View, CA 94043, USA (“Google”). Google Analytics uses cookies
valid for 14 months to collect your access data when you visit our
website. The access data is compiled by Google on our behalf into
pseudonymous usage profiles and transferred to a Google server in
the USA. Before this, your IP address is anonymised. I am therefore
unable to determine which usage profiles belong to a particular
user. On the basis of the data collected by Google, I can therefore
neither identify you nor determine how you use our website. In the
exceptional event that personal data is transferred to the USA, I
have agreed standard contractual clauses with Google.
Google will use the information obtained through the cookies on my
behalf to evaluate the use of our website, to compile reports on
website activities and to provide us with further services related to
website and internet use. You can also find more information on this
in the Google Analytics privacy policy.


For marketing purposes, my website uses so-called conversion and
retargeting tags (also “Facebook pixel”) of the social network
Facebook, a service of Facebook Inc., 1601 Willow Road, Menlo
Park, California 94025, USA (“Facebook”). I use Facebook Pixel to
analyse the general use of our websites and to track the
effectiveness of Facebook advertising (“conversion”). In addition, I
use the Facebook pixel to play you individualised advertising
messages based on your interest in our products (“retargeting”). For
this purpose, Facebook processes data that the service collects via
cookies and similar technologies on our websites.

The data collected in this context may be transferred by Facebook
to a server in the USA for analysis and stored there. In the event
that personal data is transferred to the USA, Facebook has
submitted to the controller-to-controller standard contractual


If you are a Facebook member and have allowed Facebook to do
so via your account privacy settings, Facebook may also link the
information collected about your visit to us to your member account
and use it to target Facebook ads. You can view and change the
privacy settings of your Facebook profile at any time.

Sharing your Data

In principle, I only pass on your data if:
• you have given your express consent;
• the disclosure is necessary for the assertion, exercise or
defence of legal claims and there is no reason to assume that
you have an overriding legitimate interest in not having your
data disclosed;
• I am legally obliged to disclose your data;
• the disclosure is legally permissible and necessary for the
performance of contractual relationships with you; or for the
performance of pre-contractual measures taken at your


Some of the data processing described in this privacy policy may be
carried out on our behalf by external service providers. In addition
to the service providers mentioned in this privacy policy, this may
include, in particular, data centres that store and maintain my
website and databases, IT service providers that maintain my
systems, and consulting companies.

If I pass on data to my service providers, they may only use the
data to fulfil their tasks. Processing of your data by the
commissioned service providers takes place within the framework
of commissioned processing in accordance with the GDPR and the
DPA. These service providers have been carefully selected and
commissioned by me. They are contractually bound to my
instructions and have suitable technical and organisational measures in
place to protect the rights of the data subjects.

If I transfer your data beyond the scope of this privacy policy to a
service provider based in a country outside the United Kingdom or
the European Economic Area, we will inform you separately about
this circumstance, if applicable, and on which specific guarantees
the data transfer is based.

How long will my data be stored?

Unless otherwise stated in this privacy policy, I will only store your
data for as long as is necessary to fulfil our contractual or legal
obligations or the purposes for which the data was originally
collected or I have a legitimate interest in continuing to store it.
In all other cases, I delete your personal data with the exception of
such data that we must continue to hold in order to comply with
statutory retention periods. However, in these cases I will restrict
processing, i.e. your data will only be used to comply with legal


If you cancel or delete your Rina Golan customer account, I will
delete all data stored about you there. If complete deletion of your
data is not possible or not necessary for legal reasons, the data in
question will be restricted for further processing. As a rule, your
order and payment data and, if applicable, further data are subject
to statutory retention obligations. I am therefore obliged to retain this
data for up to six years.

Even if your data is not subject to a statutory retention obligation, I
may refrain from deleting it in cases permitted by law and instead
block it. This applies in particular in cases where we may still need
the data in question for the further processing of the contract or for
legal prosecution or legal defence. In this respect, the statutory
limitation periods are decisive for the duration of the blocking.

Your Rights

You have a number of ‘Data Subject Rights’. Below is some
information on what they are and how you can exercise them. There
is more information on each right on the Information Commissioner’s
(ICO) website and you can simply follow the links provided to learn


• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
Where the processing of your personal information is based on
consent, you have the right to withdraw that consent without
detriment at any time by contacting us.

The above rights may be limited in some circumstances, for
example, if fulfilling your request would reveal personal information
about another person, if you ask us to delete information which I am
required to have by law, or if I have compelling legitimate interests
to keep it. I will let you know if that is the case and will then only use
your information for these purposes. You may also be unable to
continue using my services if you want me to stop processing your
personal information.

I encourage you to get in touch if you have any concerns with how I
collect or use your personal information. You do, however, also have
the right to lodge a complaint directly with the ICO; their contact
details can be found on their website.

Please direct all requests for information or
objections to data processing to me.

Data security

I maintain appropriate technical measures to ensure data security,
in particular to protect your data from risks during data
transmissions and from unauthorised access by third parties. These
measures are adapted to the current state of the art. To secure the
personal data you enter on our website, I use Transport Layer
Security (TLS), which encrypts the information you enter.

No automated decision-making

I do not use automated decision-making including profiling.

Scope of this privacy policy

This privacy policy only applies to the content on my website and
the data processing on the servers I use. It does not cover such
content and websites of third parties to which our offer merely links.
This applies, for example, to social networks such as Facebook,
YouTube and Instagram. The processing of your personal data via
these social networks is carried out by the respective operator of
the network without us having any influence on this processing.
This also applies to your personal data that you provide to me via
such a platform, for example by writing to our profile on the
respective social network. Information on how I handle your
personal data and protect it on these platforms can be found in the
privacy policy of the respective platform. However, if I store your
personal data that you have communicated to us via a social
network or that I receive from a social network on our own servers
and use it for the purpose of processing your enquiry or request or
for other purposes, our explanations above in this privacy policy will
of course apply in this respect.

Social Media Sharing

My website contains links to social networks such as Facebook,
Instagram and YouTube. When you access the parts of our website that
contain such links, no personal data is transmitted to the operators
of these social networks. Only when you click on the link and
thereby visit the social network in question does the operator of the
visited network receive personal data relating to you. For more
information about the data processing that takes place when you
visit a social network and the person responsible for this, please
refer to the web site of the respective social network and the above
linked Privacy Policies.

Data processing via our online presence in social networks
I maintain online presences in various social networks, currently
Facebook, Instagram and YouTube. With regard to the data
processing that takes place on the occasion of visiting these online
presences, the respective operator of the social network and I may
be joint controllers.

My website contains links to these social networks, which are
clearly marked by the respective logo. When you call up the parts of
our website that contain such links, no personal data is transmitted
to the operators of these social networks. Only when you click on
the link and thereby visit the social network in question does the
operator of the visited network receive personal data relating to you.
For more information about the data processing that takes place
when you visit a social network and the person responsible for this,
please refer to the web site of the respective social network and the
above linked Privacy Policies.

The processing of your personal data on the occasion of your visit
to my online presences is based on our legitimate interests in
effective user information and communication with users. I would
like to point out that data processing will take place outside the UK
or the EEA, namely in particular on servers located in the USA. This
may result in risks for users because, for example, it could make it
more difficult to enforce users’ rights.

With regard to requests for information and the assertion of other
data subject rights, I point out that these should be asserted directly
with the operators if possible. Only the operators have access to
their users’ data and can provide information directly and take
appropriate measures.

Do Not Track

Do Not Track is a privacy preference you can set in most browsers.
We support Do Not Track because we believe that you should have
genuine control over how your info gets used and our site responds
to Do Not Track requests.

Do Not Sell My Personal Information

We do not sell information that directly identifies you, like your
name, address or phone records.

Direct marketing

From time to time I may use the personal information I collect from
you to identify particular products and offers which I believe may be of
interest to you. I may contact you to let you know about these
products and services and how they may benefit you.
You may give me your consent in a number of ways including by
selecting a box on a form where we seek your permission to send
you marketing information, or sometimes your consent is implied
from your interactions or relationship with me. Where your consent
is implied, it is on the basis that you would have a reasonable
expectation of receiving a marketing communication based on your
interactions or relationship with me.

Direct Marketing from generally takes the form of e-mail but may
also include other less traditional or emerging channels. These
forms of contact will be managed by Rina Golan, or by my
contracted service providers. Every directly addressed marketing
form sent or made by me or on my behalf should include a means
by which customers may unsubscribe (or opt out) of receiving
similar marketing in the future. You can ask us to remove or amend
any previous consent you provided by contacting me.


The services for hosting and displaying the website are partly
provided by our service provider Google as part of processing on
my behalf. Unless otherwise explained in this privacy policy, all
access data and all data collected in forms provided for this
purpose on this website are processed on their servers. If you have
any questions about our service providers and the basis of my
relationship with them, please contact them as described in this
privacy policy.

Content Delivery Network

For the purpose of a shorter loading time, I use a so-called Content
Delivery Network (“CDN”) for some offers. With this service,
content, e.g. large media files, are delivered via regionally
distributed servers of external CDN service providers. Therefore,
access data is processed on the servers of the service providers.
My service provider WordPress works for me within the framework
of order processing. If you have any questions about our service
providers and the basis of my cooperation with them, please use
the contact option described in this privacy policy.

Data Breaches/Notification

Databases or data sets that include Personal Data may be
breached inadvertently or through wrongful intrusion. Upon
becoming aware of a data breach, Rina Golan will notify all affected
individuals whose Personal Data may have been compromised, and
the notice will be accompanied by a description of action being
taken to reconcile any damage as a result of the data breach.
Notices will be provided as expeditiously as possible after the
breach was discovered.

Confirmation of Confidentiality

All company employees must maintain the confidentiality of
Personal Data as well as company proprietary data to which they
may have access and understand that such Personal Data is to
be restricted to only those with a business need to know.
Employees with ongoing access to such data will sign
acknowledgement reminders annually attesting to their
understanding of my business requirement.

Changes to this privacy policy

I occasionally update this privacy policy, for example when I adapt
my website or when legal or regulatory requirements change. I will
document material changes in this privacy policy and, where
necessary, obtain my customers’ consent.