Privacy policy

Updated on April 1st 2026

1) Introduction and Contact Information of the Data Controller

1.1 Welcome Message

We are delighted that you are visiting our website and thank you for your interest. Below, we provide detailed information about how we handle your personal data when you use our website. Personal data refers to any information that can be used to personally identify you.

1.2 Data Controller

The data controller responsible for processing personal data on this website, in accordance with the General Data Protection Regulation (GDPR), is:

The Marc Weiss website is operated under the Marc Weiss brand.

For transactions conducted through this website within the United States, including order processing, payment handling, and fulfillment, the responsible entity is:

Artego USA LLC
Florida, United States

Email: support@marcweiss.com

The data controller is the natural or legal person who determines the purposes and means of processing personal data.

Depending on the nature of your interaction with this website, personal data may be processed either by Artego USA LLC or by authorized partners responsible for handling specific inquiries or business relationships.

1.3 Scope of Data Processing

This website serves both retail customers and professional partners.

For purchases and transactions within the United States, all personal data related to orders, payments, and fulfillment is processed by Artego USA LLC.

For other interactions, including but not limited to distributor applications, salon registrations, professional inquiries, or general business communications, personal data may be processed and shared with authorized regional partners or affiliated entities responsible for the relevant market.

Such data processing is limited to what is necessary to handle the request and is carried out in accordance with applicable data protection laws.

2) Data Collection When Visiting Our Website

2.1 Data Collected During Informational Use

When you visit our website for informational purposes only (i.e., without registering or otherwise transmitting information to us), we collect only the data that your browser automatically sends to our server (so-called “server log files”). When you access our website, the following data is collected, which is technically necessary to display the website and ensure its stability and security:

  • The specific pages of our website accessed

  • Date and time of access

  • Volume of data transmitted (in bytes)

  • Source/referring URL (the page or link from which you reached our site)

  • Browser type and version

  • Operating system used

  • IP address (anonymized where possible)

This data processing is carried out pursuant to Article 6(1)(f) GDPR, based on our legitimate interest in improving the stability and functionality of our website. The data is not shared or used for any other purpose. However, we reserve the right to review server log files retrospectively if there are concrete indications of unlawful use.

Additional Notes for UK GDPR Compliance

The above data collection also complies with the requirements of the UK GDPR. The legitimate interest under UK GDPR aligns with improving website functionality and preventing misuse or malicious activity.

Additional Notes for CCPA Compliance

For California residents, this data may be classified as "electronic network activity information" under the California Consumer Privacy Act (CCPA). This data is collected solely for operational purposes and is not sold or shared with third parties.

Additional Notes for PIPEDA Compliance

In compliance with Canada’s PIPEDA, this data is collected to manage and maintain our website’s operations. Data is stored securely and only used for its intended purpose.

2.2 SSL/TLS Encryption

To ensure the security of your data during transmission and to protect personal and confidential information (e.g., orders or inquiries submitted to the controller), this website uses SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption.

You can identify an encrypted connection by the “https://” prefix in your browser’s address bar and the lock icon displayed next to it.

Additional Notes for Compliance

This encryption ensures compliance with GDPR, UK GDPR, CCPA, and PIPEDA by safeguarding the transmission of personal data from unauthorized access.


3) Hosting & Content-Delivery-Network

Shopify Hosting

We use the hosting and content delivery services of the following provider for our website:
Shopify International Limited
Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland (“Shopify”).

Data is also transferred to:
Shopify Inc.
150 Elgin Street, Ottawa, ON K2P 1L4, Canada.

All data collected on our website is processed on the servers of Shopify. We have entered into a Data Processing Agreement (DPA) with Shopify to ensure the protection of personal data collected through our website. This agreement guarantees compliance with the General Data Protection Regulation (GDPR) and ensures that personal data is not unlawfully shared with third parties.

International Data Transfers to Canada

For data transfers to Canada, Shopify ensures an adequate level of data protection as required by GDPR, based on the adequacy decision of the European Commission.

Additional Notes for UK GDPR Compliance

Under the UK GDPR, Shopify remains compliant as the data transfers to Ireland (an EU member state) and Canada are permitted through equivalent measures, including adequacy decisions and binding agreements.

Additional Notes for CCPA Compliance

For California residents, Shopify processes personal data in accordance with the California Consumer Privacy Act (CCPA). Shopify does not sell personal data collected through our website and ensures compliance with all CCPA requirements.

Additional Notes for PIPEDA Compliance

For Canadian users, Shopify adheres to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Data is securely processed and stored in compliance with Canadian privacy regulations.


4) Cookies

To make your visit to our website more appealing and to enable the use of certain functionalities, we use cookies. Cookies are small text files stored on your device. Some cookies are automatically deleted after you close your browser (so-called session cookies), while others remain on your device for a predefined duration, allowing the website to save settings and preferences (so-called persistent cookies). The duration of persistent cookies can be found in your browser's cookie settings.

Where the use of cookies involves the processing of personal data, the processing is carried out based on the following legal grounds:

  • Article 6(1)(b) GDPR: If the use of cookies is necessary to perform a contract.

  • Article 6(1)(a) GDPR: If you have provided explicit consent for their use.

  • Article 6(1)(f) GDPR: If cookies are used to safeguard our legitimate interest in ensuring the optimal functionality of our website and providing a user-friendly and efficient browsing experience.

You can configure your browser to notify you when cookies are being placed, to accept or reject them individually, or to block cookies entirely for specific cases or in general. Please note that if you choose not to accept cookies, the functionality of our website may be limited.

Additional Notes for Compliance:

EU GDPR & UK GDPR:
For users in the EU and UK, non-essential cookies (such as those used for tracking or marketing purposes) will only be set with your explicit consent, provided through a cookie banner or similar consent mechanism.

California CCPA/CPRA:
For California residents, cookies that process personal data may fall under the definition of “sale” under the California Consumer Privacy Act (CCPA). In such cases, you have the right to opt out of the sale of your personal data via a clearly visible “Do Not Sell My Personal Information” link.

Canada PIPEDA:
Under Canada’s PIPEDA, cookies that collect identifiable information are considered a form of consent-based data collection. Users must be informed about the use of cookies and provided with the ability to opt out where possible.

Cookie Consent Tool

Our website uses a cookie consent tool that allows you to manage your preferences regarding the use of cookies. Only essential cookies, necessary for the operation of the website, are set by default. You can modify your preferences at any time using the consent management tool provided on our website.


5) Contacting Us

5.1 WhatsApp Business

You have the option to contact us via the messaging service WhatsApp Business, operated by WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. For this purpose, we use the "Business Version" of WhatsApp.

If you contact us via WhatsApp regarding a specific business transaction (e.g., a placed order), we will store and use the mobile phone number you provided on WhatsApp and, if available, your first and last name. This processing is carried out pursuant to Article 6(1)(b) GDPR, as it is necessary for the handling and response to your inquiry. Based on the same legal basis, we may request additional information (e.g., order number, customer number, address, or email address) via WhatsApp to associate your request with a specific transaction.

If you use WhatsApp to contact us with general inquiries (e.g., about our services, availability, or website), we will process the mobile phone number you use on WhatsApp and, if available, your first and last name. This processing is based on Article 6(1)(f) GDPR, as it is in our legitimate interest to provide efficient and timely responses to your inquiries.

Your data will only be used to respond to your inquiry via WhatsApp. We do not share this data with third parties.

Data Handling by WhatsApp

Please note that WhatsApp Business accesses the address book of the mobile device used for operating the WhatsApp Business account. Consequently, phone numbers saved in the address book are automatically transferred to a server operated by WhatsApp's parent company, Meta Platforms Inc., located in the United States. To mitigate this, we use a dedicated mobile device for our WhatsApp Business account, containing only the WhatsApp contact details of users who have contacted us.

This ensures that every individual whose WhatsApp contact details are saved in our address book has already agreed to WhatsApp's Terms of Use during their first use of the app on their device, including the transmission of their phone number in accordance with Article 6(1)(a) GDPR (consent). No data of individuals who do not use WhatsApp or have not contacted us via WhatsApp will be shared.

For further details on the scope and purpose of data collection, processing, and use by WhatsApp, as well as your rights and privacy settings, please refer to WhatsApp's Privacy Policy:
https://www.whatsapp.com/legal/?eea=1#privacy-policy

Data Transfers to the United States

In connection with the above processes, personal data may be transferred to servers operated by Meta Platforms Inc. in the United States. WhatsApp complies with the EU-US Data Privacy Framework, ensuring that data transfers meet the requirements of the European Commission’s adequacy decision for GDPR compliance.

We have also entered into a Data Processing Agreement (DPA) with WhatsApp to ensure that your data is protected and not unlawfully shared with third parties.

5.2 Contact Through Forms or Email

When you contact us through our contact form or via email, we process your personal data solely for the purpose of handling and responding to your inquiry. Only the data necessary for processing your request will be collected and used.

  • Legal Basis for Processing:

    • Article 6(1)(f) GDPR: Our legitimate interest in responding to your inquiry.

    • If your contact relates to a contract, Article 6(1)(b) GDPR serves as the additional legal basis for processing.

  • Data Retention:
    Your data will be deleted once it is evident that the matter has been fully resolved, provided there are no statutory retention requirements that necessitate further storage.

Additional Notes for UK GDPR Compliance

The processing of data for UK residents follows the same legal bases under the UK GDPR. Marc Weiss International ensures adequate measures to protect personal data and complies with data retention and deletion requirements.

Additional Notes for CCPA Compliance

For California residents, under the California Consumer Privacy Act (CCPA):

  • You have the right to know what personal data we collect and how it is used.

  • We do not sell your personal information shared via WhatsApp or other communication channels.

Additional Notes for PIPEDA Compliance

For Canadian residents, in compliance with PIPEDA, personal data shared through communication is handled securely, used exclusively for its intended purpose, and deleted once it is no longer necessary.


6) Comment Functionality

When you use the comment function on our website, the information you provide will be stored and published on the website. This includes:

  • Your comment text.

  • The timestamp of when your comment was created.

  • The name you chose as your commenter name.

  • Your IP address, which will be logged and stored.

Purpose of Data Processing

The storage of your IP address is necessary for security reasons and to protect against misuse. Specifically, this helps us identify users who may post unlawful content or violate the rights of third parties through their comments. Additionally, we may use your email address to contact you if a third party raises objections to your comment, claiming it is unlawful.

Legal Basis for Processing

The processing of your personal data in relation to the comment functionality is based on the following legal grounds:

  • Article 6(1)(b) GDPR: The data is processed as part of fulfilling your request to publish a comment.

  • Article 6(1)(f) GDPR: The processing is also based on our legitimate interest in protecting our website and ensuring compliance with applicable laws.

Additional Notes for UK GDPR Compliance

Under the UK GDPR, the same legal bases apply, ensuring that comments are processed securely and only for the purposes outlined above.

Additional Notes for CCPA Compliance

For residents of California, data collected as part of the comment functionality (e.g., your name, comment text, and IP address) may fall under the California Consumer Privacy Act (CCPA).

  • You have the right to request access to your data or its deletion.

  • Your data is not sold or shared with third parties unless required for legal compliance or security purposes.

Additional Notes for PIPEDA Compliance

For Canadian residents, the collection and processing of comment-related data comply with PIPEDA. Personal data is securely stored and is only used for the purposes of maintaining the integrity of the comment section and resolving disputes, if applicable.

Data Deletion

We reserve the right to delete comments flagged as unlawful or inappropriate by third parties. Your personal data associated with the comment will be retained only as long as necessary to fulfill the purposes outlined or to comply with legal retention requirements.

7) Data Processing for the Creation of a Customer Account

In accordance with Article 6(1)(b) GDPR, personal data will be collected and processed as required when you provide it to us for the creation of a customer account. The specific data required for opening a customer account is indicated in the input fields of the respective registration form on our website.

Account Deletion

You may delete your customer account at any time by sending a request to the contact details provided above. Once your account is deleted, your personal data will also be deleted, provided that:

  • All contracts associated with the account have been fully processed.

  • No legal retention periods (e.g., for tax or accounting purposes) require further storage.

  • There is no legitimate interest on our part to retain the data for other lawful purposes.

Additional Notes for UK GDPR Compliance

Under the UK GDPR, the collection and processing of data for creating and managing a customer account follows the same legal basis as stated above. Deletion processes are handled in compliance with data minimization and retention principles outlined by the UK GDPR.

Additional Notes for CCPA Compliance

For California residents, the following rights under the California Consumer Privacy Act (CCPA) apply to customer account data:

  • You have the right to know what personal data is collected and how it is used.

  • You may request deletion of your personal data at any time.

  • Your personal data will not be sold or shared with third parties, except as necessary to fulfill the terms of your contract or comply with legal obligations.

Additional Notes for PIPEDA Compliance

For Canadian residents, the processing of personal data during the creation of a customer account complies with PIPEDA. You may request access to your account data or request its deletion, subject to the same legal and contractual obligations stated above.

8) Use of Customer Data for Direct Marketing

Subscription to Our Email Newsletter

If you subscribe to our email newsletter, we will send you regular updates about our products, services, and offers. The only mandatory information required for receiving the newsletter is your email address. Providing additional information, such as your name, is optional and will only be used to personalize your communication.

We use a double opt-in procedure to ensure that you only receive our newsletter if you have explicitly confirmed your subscription. After registering, you will receive an email with a verification link. By clicking on this link, you confirm your consent to receiving the newsletter.

When you activate the confirmation link, you consent to the use of your personal data for this purpose in accordance with Article 6(1)(a) GDPR. As part of the subscription process, we also store the following data for security and accountability purposes:

  • The IP address provided by your Internet Service Provider (ISP)

  • The date and time of registration

This allows us to trace any potential misuse of your email address at a later time. All data collected during the newsletter subscription process is used solely for the purpose of sending the newsletter and will not be shared with third parties.

Unsubscribing from the Newsletter

You can unsubscribe from our newsletter at any time by clicking the unsubscribe link included in each newsletter or by contacting us directly using the contact details provided above. Upon unsubscribing, your email address will be promptly removed from our newsletter distribution list unless you have expressly consented to the continued use of your data or we are legally permitted to retain it for another purpose, as outlined in this privacy policy.

Additional Notes for UK GDPR Compliance

Under the UK GDPR, the double opt-in process and storage of verification data ensure compliance with the requirement for explicit consent. We also follow the principle of data minimization by collecting only essential data for the newsletter subscription.

Additional Notes for California Residents (CCPA/CPRA)

For California residents, the following rights apply under the California Consumer Privacy Act (CCPA):

  • Right to Know: You have the right to know what personal data is collected and how it is used.

  • Right to Opt-Out: You may withdraw your consent for the use of your data for marketing purposes at any time.

  • Right to Delete: You can request the deletion of your data upon unsubscribing, provided it is not needed for another lawful purpose.

We do not sell your personal data to third parties.

Additional Notes for Canadian Residents (PIPEDA)

For Canadian users, we comply with PIPEDA, which requires explicit consent for the collection and use of personal information for marketing purposes. By subscribing to the newsletter, you provide this consent. You may withdraw your consent at any time by unsubscribing or contacting us directly.


9) Data Processing for Order Fulfillment

9.1 Data Processing for Delivery and Payment

To fulfill contractual obligations related to delivery and payment, we share your personal data with the transport company and payment institution engaged for the specific transaction. This data sharing is carried out pursuant to Article 6(1)(b) GDPR, as it is necessary for the performance of a contract.

If we are obligated to provide updates for goods with digital elements or digital products under the terms of a contract, we will process the contact information you provided during the order process (e.g., name, address, email address) to inform you about updates via an appropriate communication method (e.g., postal mail or email). This processing is performed in compliance with Article 6(1)(c) GDPR, to fulfill our statutory obligations. Your contact data will only be used for the purpose of delivering the required updates and will be processed strictly within the scope necessary for this purpose.

To process your order, we also work with service providers who assist us, either in whole or in part, in the execution of contractual obligations. These providers may receive personal data to the extent required for the respective service.

9.2 Data Sharing with Shipping Partners

To fulfill our contractual obligations to customers, we collaborate with external shipping partners. For the purpose of delivering goods, we share the following data with the selected shipping partner:

  • Name

  • Delivery Address

  • Phone Number (if required for the delivery process)

This data sharing is carried out solely for delivery purposes and based on Article 6(1)(b) GDPR.

Additional Notes for Compliance

EU GDPR & UK GDPR

Under the UK GDPR, the same principles and legal bases apply. Personal data is processed only to the extent necessary for fulfilling contractual obligations. We ensure that all third-party service providers comply with data protection regulations and enter into Data Processing Agreements (DPAs) to safeguard your information.

California CCPA/CPRA

For California residents, the California Consumer Privacy Act (CCPA) provides the following rights related to order processing:

  • Right to Know: You have the right to request information about the data we collect and how it is shared.

  • Right to Delete: You may request the deletion of your personal data, subject to exceptions where the data is required to fulfill a contract (e.g., delivering an order).

  • No Sale of Data: We do not sell your personal data. Data shared with shipping or payment partners is strictly for the purposes of completing your transaction.

We will provide all necessary disclosures to comply with CCPA requirements, including notifying you of data transfers when applicable.

Canada PIPEDA

For Canadian residents, under PIPEDA, personal data shared with shipping and payment service providers is limited to what is necessary for the fulfillment of the transaction. Your personal information is stored securely and only used for its intended purpose. Any additional use or disclosure will require your consent.


9.3 Disclosure of Personal Data to Shipping Service Providers

To ensure the delivery of goods, we collaborate with the following shipping service providers. Your personal data is shared with these providers as necessary, either based on your explicit consent or as required to fulfill the terms of your contract.

Deutsche Post / DHL Group

Primary Provider: Deutsche Post DHL Group (DHL Express USA)
1200 South Pine Island Road, Plantation, FL 33324, United States

  • Secondary Provider: Deutsche Post AG, Charles-de-Gaulle-Straße 20, 53113 Bonn, Germany

  • Data Shared: Email address and/or telephone number, provided you have explicitly consented to this during the ordering process (Article 6(1)(a) GDPR), to coordinate delivery schedules or provide delivery notifications.

  • If no consent is provided, only the name of the recipient and delivery address are shared for the purpose of fulfilling the delivery (Article 6(1)(b) GDPR).

  • Right to Withdraw Consent: Consent can be withdrawn at any time, effective for the future, by contacting either the Data Controller or DHL Group directly.

DHL

Primary Provider: DHL Express USA
1200 South Pine Island Road, Plantation, FL 33324, United States

  • Secondary Provider: DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany

  • Data Shared: Email address and/or telephone number, provided you have explicitly consented to this during the ordering process (Article 6(1)(a) GDPR), to coordinate delivery schedules or provide delivery notifications.

  • If no consent is provided, only the name of the recipient and delivery address are shared for the purpose of fulfilling the delivery (Article 6(1)(b) GDPR).

  • Right to Withdraw Consent: Consent can be withdrawn at any time, effective for the future, by contacting either the Data Controller or DHL directly.

DPD

Primary Provider: Geodis DPD Group
7101 Executive Center Drive, Suite 333, Brentwood, TN 37027, United States

  • Secondary Provider: DPD Deutschland GmbH, Wailandtstraße 1, 63741 Aschaffenburg, Germany

  • Data Shared: Email address and/or telephone number, provided you have explicitly consented to this during the ordering process (Article 6(1)(a) GDPR), to coordinate delivery schedules or provide delivery notifications.

  • If no consent is provided, only the name of the recipient and delivery address are shared for the purpose of fulfilling the delivery (Article 6(1)(b) GDPR).

  • Right to Withdraw Consent: Consent can be withdrawn at any time, effective for the future, by contacting either the Data Controller or DPD directly.

FedEx

Primary Provider: FedEx Corporation
942 South Shady Grove Road, Memphis, TN 38120, United States

  • Secondary Provider: FedEx Express Germany GmbH, Langer Kornweg 34 k, 65451 Kelsterbach, Germany

  • Data Shared: Email address and/or telephone number, provided you have explicitly consented to this during the ordering process (Article 6(1)(a) GDPR), to coordinate delivery schedules or provide delivery notifications.

  • If no consent is provided, only the name of the recipient and delivery address are shared for the purpose of fulfilling the delivery (Article 6(1)(b) GDPR).

  • Right to Withdraw Consent: Consent can be withdrawn at any time, effective for the future, by contacting either the Data Controller or FedEx directly.

Hellmann Worldwide Logistics

Primary Provider: Hellmann Worldwide Logistics USA
10450 Doral Boulevard, Suite 400, Doral, FL 33178, United States

  • Secondary Provider: Hellmann Worldwide Logistics SE & Co. KG, Elbestraße 1, 49090 Osnabrück, Germany

  • Data Shared: Email address and/or telephone number, provided you have explicitly consented to this during the ordering process (Article 6(1)(a) GDPR), to coordinate delivery schedules or provide delivery notifications.

  • If no consent is provided, only the name of the recipient and delivery address are shared for the purpose of fulfilling the delivery (Article 6(1)(b) GDPR).

  • Right to Withdraw Consent: Consent can be withdrawn at any time, effective for the future, by contacting either the Data Controller or Hellmann directly.

TNT

Primary Provider: TNT USA Inc.
2000 Corporate Drive, Suite 400, Canonsburg, PA 15317, United States

  • Secondary Provider: TNT Express GmbH, Haberstraße 2, 53842 Troisdorf, Germany

  • Data Shared: Email address and/or telephone number, provided you have explicitly consented to this during the ordering process (Article 6(1)(a) GDPR), to coordinate delivery schedules or provide delivery notifications.

  • If no consent is provided, only the name of the recipient and delivery address are shared for the purpose of fulfilling the delivery (Article 6(1)(b) GDPR).

  • Right to Withdraw Consent: Consent can be withdrawn at any time, effective for the future, by contacting either the Data Controller or TNT directly.

UPS

Primary Provider: UPS Supply Chain Solutions
55 Glenlake Parkway NE, Atlanta, GA 30328, United States

  • Secondary Provider: United Parcel Service Deutschland Inc. & Co. OHG, Görlitzer Straße 1, 41460 Neuss, Germany

  • Data Shared: Email address and/or telephone number, provided you have explicitly consented to this during the ordering process (Article 6(1)(a) GDPR), to coordinate delivery schedules or provide delivery notifications.

  • If no consent is provided, only the name of the recipient and delivery address are shared for the purpose of fulfilling the delivery (Article 6(1)(b) GDPR).

  • Right to Withdraw Consent: Consent can be withdrawn at any time, effective for the future, by contacting either the Data Controller or UPS directly.


9.4 Payment Processing

To enable secure payment processing, we work with the following payment service providers. Depending on the payment method selected, your personal data may be shared with the relevant payment service provider to facilitate the transaction. Data shared is limited to what is necessary for processing payments and fulfilling our contractual obligations.

PayPal

Primary Provider: PayPal, Inc.
2211 North First Street, San Jose, CA 95131, United States

  • Secondary Provider: PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg

  • Data Shared: Name, address, payment information (e.g., bank or card details), transaction currency, transaction ID, and details about your order.

  • Legal Basis for Processing: Data is shared in accordance with Article 6(1)(b) GDPR to fulfill the payment contract. If additional verification is required (e.g., for creditworthiness checks), data may also be shared on the basis of Article 6(1)(f) GDPR, reflecting PayPal’s legitimate interest in assessing payment risks.

  • Creditworthiness Checks: For certain payment methods (e.g., invoicing or installment payments), PayPal may conduct credit checks using your provided personal information. This may involve sharing your data with external credit agencies.

  • Score Values: Credit assessments may include probabilistic (score) values derived from recognized mathematical and statistical methods.

  • Right to Object: You may object to the processing of your personal data for credit checks by contacting us or PayPal directly. However, PayPal may still process your data if required for payment processing.

For additional information on PayPal’s privacy practices, please refer to the PayPal Privacy Policy.

PayPal Checkout

Primary Provider: PayPal, Inc.
2211 North First Street, San Jose, CA 95131, United States

  • Secondary Provider: PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg

PayPal Checkout includes PayPal-owned payment methods and other local payment providers. Depending on the payment method selected, PayPal may share your personal data with the corresponding third-party provider:

  • Apple Pay: Apple Distribution International, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland

  • Google Pay: Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland

  • iDeal: Currence Holding BV, Beethovenstraat 300, Amsterdam, Netherlands

  • bancontact: Bancontact Payconiq Company, Rue d'Arlon 82, 1040 Brussels, Belgium

  • blik: Polski Standard Płatności sp. z o.o., ul. Czerniakowska 87A, 00-718 Warsaw, Poland

  • eps: PSA Payment Services Austria GmbH, Handelskai 92, Gate 2, 1200 Vienna, Austria

  • MyBank: PRETA S.A.S, 40 Rue de Courcelles, F-75008 Paris, France

  • Przelewy24: PayPro SA, Kanclerska 15A, 60-326 Poznań, Poland

Legal Basis for Processing:

  • Data is shared with these providers under Article 6(1)(b) GDPR for contract performance.

  • Creditworthiness checks may be performed as per Article 6(1)(f) GDPR, based on the legitimate interest of PayPal or the local provider.

Shopify Payments

Primary Provider: Shopify Payments USA Inc.
151 O’Connor Street, Ground Floor, Ottawa, ON K2P 2L8, Canada

  • Secondary Provider: Shopify International Limited, Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland

  • Data Shared: Name, address, payment information (e.g., credit card or bank details), transaction currency, transaction ID, and order information.

  • Legal Basis for Processing: Data is shared based on Article 6(1)(b) GDPR to process payments securely and efficiently.

SOFORT

Primary Provider: SOFORT GmbH
Theresienhöhe 12, 80339 Munich, Germany

  • Data Shared: Name, address, payment information (e.g., IBAN/BIC), transaction currency, and order details.

  • Legal Basis for Processing: Data is shared under Article 6(1)(b) GDPR, as required to execute the selected payment method.

Additional Notes for Compliance

UK GDPR:

All mentioned providers comply with UK GDPR requirements. Personal data is processed and shared strictly for payment processing purposes and within legal bounds.

CCPA/CPRA:

For California residents:

  • You have the Right to Know about the data shared with payment processors.

  • You can exercise your Right to Delete data where permissible, except where the data is required for contract performance.

  • We do not sell your personal data to third parties.

PIPEDA:

For Canadian residents:

  • Personal data is handled in compliance with PIPEDA, ensuring secure processing of payment data and restricted use for authorized purposes only.


10) Web Analytics Services

Google Analytics 4

This website uses Google Analytics 4, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States, and its European subsidiary, Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). This service enables an analysis of how you use our website.

By default, Google Analytics 4 sets cookies when you visit our website. These cookies are small text files stored on your device, which collect specific information, including your IP address. Google truncates your IP address by removing the last digits to ensure it cannot directly identify you.

The information collected through cookies is transferred to Google servers and processed. Some of this data may be transferred to and processed on servers in the United States.

Google uses this information on our behalf to evaluate your website usage, compile reports on website activity, and provide additional services related to website and internet usage. The IP address transmitted by your browser via Google Analytics will not be merged with other data held by Google. Data collected via Google Analytics 4 is stored for a maximum of two months and is then deleted.

All the aforementioned processing, particularly the use of cookies on your device, is performed only after you have provided your explicit consent under Article 6(1)(a) GDPR. Without your consent, Google Analytics 4 will not be activated during your website visit.

You may withdraw your consent at any time with future effect by deactivating the service via the "Cookie Consent Tool" provided on our website.

We have entered into a Data Processing Agreement (DPA) with Google to ensure the security of the data of our website visitors and prevent unauthorized access or sharing with third parties.

For further information on Google Analytics 4, please refer to:

  • Google Privacy and Terms

  • Google Privacy Policy

  • Google Analytics on Partner Sites


Demographic Features

Google Analytics 4 includes a "Demographic Features" tool that generates statistics on the age, gender, and interests of website visitors. This is done by analyzing advertising and third-party data. These statistics help us identify target audiences for marketing purposes. The collected data cannot be attributed to an individual person and is deleted after two months.



Google Signals

This website may use Google Signals, an extension of Google Analytics 4, to create cross-device reports. If you have personalized ads activated and your devices are linked to your Google account, Google can analyze your usage across devices based on your consent under Article 6(1)(a) GDPR. This enables Google to generate database models, such as cross-device conversions.

We do not receive personal data from Google, only aggregated statistical data.

To stop cross-device analysis, you can disable "Personalized Ads" in your Google account settings. Follow the instructions here.

More information on Google Signals can be found at: Google Signals.


UserIDs

As part of Google Analytics 4, this website may use the "UserIDs" feature. If you consent to the use of Google Analytics 4 under Article 6(1)(a) GDPR, and if you create an account on this website and log in from various devices, your activities—including conversions—can be analyzed across devices.


International Data Transfers

For data transfers to the United States, Google complies with the EU-US Data Privacy Framework, which has been approved by the European Commission as providing an adequate level of data protection.


Additional Notes for Compliance

UK GDPR:

The processing of personal data by Google Analytics 4 complies with the UK GDPR. Consent is obtained before the service is activated, and users can withdraw consent at any time.

CCPA/CPRA:

For California residents:

  • Right to Know and Delete: You may request details about the data collected by Google Analytics 4 and request its deletion if it is not necessary for providing our services.

  • Right to Opt-Out of Sale: No data collected through Google Analytics 4 is sold to third parties.

PIPEDA:

For Canadian residents:

  • Google Analytics 4 complies with PIPEDA by ensuring that data is anonymized where possible and is processed only with your explicit consent.

  • Data is used solely for analytics purposes and is not shared with unauthorized third parties.


11) Website Functionalities

11.1 YouTube

This website integrates plugins for displaying and playing videos provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States, and its European subsidiary, Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

When you access a page on our website that includes a YouTube plugin, your browser establishes a direct connection with the provider's servers to load the plugin. This involves the transmission of specific data, including your IP address, to the provider.

If playback of an embedded video is initiated through the plugin, the provider may also set cookies on your device to collect user behavior data, create playback statistics, and prevent misuse.

If you are logged into your user account with the provider during your visit, your data will be directly associated with your account when you click on a video. To prevent this, you must log out of your account before interacting with the plugin.

All aforementioned processing, particularly the setting of cookies for data collection, is performed only with your explicit consent under Article 6(1)(a) GDPR. You can withdraw your consent at any time with future effect by deactivating this service via the "Cookie Consent Tool" provided on our website.

For data transfers to the United States, Google complies with the EU-US Data Privacy Framework, which ensures adherence to European data protection standards.

Further information on Google’s privacy practices can be found at:

  • Google Privacy Policy.

11.2 Google Maps API

This website uses the Google Maps API, provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States, and its European subsidiary, Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, to validate address entries in real time during the checkout process.

The provider validates the address data entered, corrects spelling errors, and completes missing details. For ambiguous addresses, the provider suggests appropriate alternatives. To perform these functions, the data you enter is transmitted to the provider’s servers, where it is stored and processed.

Legal Basis for Processing: This processing is carried out under Article 6(1)(f) GDPR, based on our legitimate interest in ensuring accurate address collection to fulfill contractual delivery obligations and prevent issues with order processing.

The provider processes the data separately and does not merge it with other data sets. The data is deleted as soon as its status or correctness has been verified, or after a maximum of 30 days.

For data transfers to the United States, Google complies with the EU-US Data Privacy Framework.

Further information on Google’s privacy practices can be found at:

  • Google Privacy Policy.


11.3 Google reCAPTCHA

This website uses the CAPTCHA service Google reCAPTCHA, provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States, and its European subsidiary, Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, to verify whether inputs on our website (e.g., in forms) are made by a human or an automated bot.

The service evaluates various technical data (e.g., IP address, browser type, operating system, and time spent on the page) and transmits it to the provider’s servers for analysis. This process may involve the setting of cookies on your device.

Legal Basis for Processing:

  • Cookies are set only with your explicit consent under Article 6(1)(a) GDPR. You can withdraw your consent at any time via the "Cookie Consent Tool."

  • In cases where cookies are not used, the processing is based on our legitimate interest in preventing misuse and ensuring secure website operation under Article 6(1)(f) GDPR.

For data transfers to the United States, Google complies with the EU-US Data Privacy Framework, ensuring an adequate level of protection.

Further information on Google’s privacy practices can be found at:

  • Google Privacy Policy.


11.4 Google Customer Reviews (formerly Google Certified Shops Program)

We participate in the Google Customer Reviews Program, operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States, and its European subsidiary, Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

This program allows us to collect reviews from customers who have made purchases on our website. After completing a purchase, you may be asked whether you wish to participate in an email survey conducted by Google.

If you provide your consent under Article 6(1)(a) GDPR, we will share your email address with Google, which will then send you an invitation to review your shopping experience. The feedback you provide may be aggregated with other reviews and displayed within our Google Customer Reviews badge and Google Merchant Center. It may also contribute to Google Seller Ratings.

Withdrawal of Consent: You can withdraw your consent at any time by notifying us or Google directly.

For data transfers to the United States, Google complies with the EU-US Data Privacy Framework, ensuring adherence to European data protection standards.

Further information on Google’s privacy practices can be found at:

  • Google Privacy Policy.


Compliance with Global Regulations

UK GDPR:

Processing under the aforementioned services is fully compliant with the UK GDPR. Consent is obtained prior to any data collection, and users are given the option to withdraw their consent at any time.

CCPA/CPRA:

For California residents:

  • Right to Know and Delete: You may request access to data collected by Google on our behalf or request its deletion where permissible.

  • Right to Opt-Out of Sale: None of the collected data is sold to third parties.

PIPEDA:

For Canadian residents:

  • Data collected via these services is handled in compliance with PIPEDA, ensuring data is anonymized where possible and processed only for legitimate purposes.


12) Tools and Miscellaneous

12.1 QuickBooks Online

For our accounting purposes, we use the services of the cloud-based accounting software provided by Intuit Inc., 2700 Coast Avenue, Mountain View, CA 94043, United States.

The provider processes incoming and outgoing invoices and, if applicable, our company's bank transactions to automatically record invoices, match them to transactions, and generate financial accounting records through a semi-automated process.

If personal data is processed during this activity, the processing is based on our legitimate interest in the efficient organization and documentation of our business operations in accordance with Article 6(1)(f) GDPR.

For data transfers to the United States, Intuit complies with the EU-US Data Privacy Framework, which ensures adherence to European data protection standards.

Further information on Intuit's data protection practices can be found at:

  • Intuit Privacy Statement.

12.2 Cookie Consent Tool

This website uses a "Cookie Consent Tool" to obtain valid user consent for cookies and cookie-based applications that require approval. The Cookie Consent Tool is displayed to users as an interactive user interface upon accessing the website. Through this interface, users can grant consent for specific cookies and/or cookie-based applications by selecting the corresponding options.

Cookies that require consent are loaded only if the user provides explicit consent via the Cookie Consent Tool. This ensures that such cookies are set on the user's device only with their permission.

The tool sets technically necessary cookies to save your cookie preferences. Personal user data is not processed by default.

If, in exceptional cases, the storage, assignment, or logging of cookie settings involves the processing of personal data (such as the IP address), such processing is carried out based on our legitimate interest in a legally compliant, user-specific, and user-friendly cookie consent management system, as per Article 6(1)(f) GDPR.

Another legal basis for processing is Article 6(1)(c) GDPR, as we are legally obligated to ensure that the use of non-essential cookies depends on the user's consent.

Where necessary, we have entered into a Data Processing Agreement (DPA) with the provider to ensure the protection of our website visitors' data and prevent unauthorized access or sharing with third parties.

Further information about the Cookie Consent Tool provider and the options for configuring your preferences can be found directly within the corresponding user interface on our website.


12.3 Returns, Refunds, and Exchanges

Due to the nature of our products and for hygiene and quality assurance reasons, all sales made through the Marc Weiss website are final. We do not accept returns or exchanges or offer refunds once an order has been placed.

We encourage customers to carefully review product descriptions, ingredients, and usage information prior to completing their purchase.

If an item arrives damaged, defective, or if there is an issue with your order, please contact our customer service team within 48 hours of delivery at [support email]. We will review the matter and work with you to determine an appropriate resolution.

Marc Weiss reserves the right to evaluate all claims regarding damaged or incorrect items.

13) Rights of the Data Subject

13.1 Under applicable data protection law, you are entitled to the following rights regarding the processing of your personal data by the data controller. The specific legal basis for each right is referenced below:

  • Right of Access pursuant to Article 15 GDPR: You have the right to obtain confirmation as to whether your personal data is being processed and, where applicable, access to the personal data and further information regarding its processing.

  • Right to Rectification pursuant to Article 16 GDPR: You have the right to request correction of inaccurate personal data or completion of incomplete personal data.

  • Right to Erasure pursuant to Article 17 GDPR: You have the right to request the deletion of your personal data, provided the conditions under GDPR are met.

  • Right to Restriction of Processing pursuant to Article 18 GDPR: You have the right to request restriction of processing under specific circumstances.

  • Right to Notification pursuant to Article 19 GDPR: If you have exercised your rights to rectification, erasure, or restriction of processing, the controller is obligated to communicate this rectification or deletion of data or restriction of processing to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.

  • Right to Data Portability pursuant to Article 20 GDPR: You have the right to receive your personal data in a structured, commonly used, and machine-readable format or to request its transfer to another data controller, where technically feasible.

  • Right to Withdraw Consent pursuant to Article 7(3) GDPR: Where processing is based on your consent, you have the right to withdraw this consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

  • Right to Lodge a Complaint pursuant to Article 77 GDPR: You have the right to file a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR.


13.2 Right to Object

IF WE PROCESS YOUR PERSONAL DATA BASED ON OUR LEGITIMATE INTERESTS FOLLOWING A BALANCING OF INTERESTS, YOU HAVE THE RIGHT TO OBJECT TO THIS PROCESSING AT ANY TIME, FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION, WITH EFFECT FOR THE FUTURE.

If you exercise your right to object, we will cease processing the affected personal data. However, further processing remains reserved if we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights, and freedoms, or if the processing serves the establishment, exercise, or defense of legal claims.

If your personal data is processed by us for direct marketing purposes, you have the right to object to such processing at any time. You can exercise your right to object as described above.

If you exercise your right to object to direct marketing, we will stop processing your personal data for such purposes immediately.


14) Duration of Storage of Personal Data

The duration for which personal data is stored is determined based on the respective legal basis, the purpose of processing, and—if applicable—relevant statutory retention periods (e.g., commercial or tax-related retention periods).

  1. Data Processed on the Basis of Consent
    Personal data processed based on explicit consent pursuant to Article 6(1)(a) GDPR will be stored until you withdraw your consent.

  2. Data Processed for Contractual or Pre-Contractual Obligations
    Where statutory retention periods apply to data processed in the context of contractual or pre-contractual obligations pursuant to Article 6(1)(b) GDPR, such data will be routinely deleted after the expiration of the retention periods, provided it is no longer required for contract fulfillment or initiation and there is no legitimate interest on our part to continue storage.

  3. Data Processed Based on Legitimate Interests
    Personal data processed based on Article 6(1)(f) GDPR will be stored until you exercise your right to object pursuant to Article 21(1) GDPR, unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, or if the processing serves the establishment, exercise, or defense of legal claims.

  4. Data Processed for Direct Marketing Purposes
    Personal data processed for direct marketing purposes based on Article 6(1)(f) GDPR will be stored until you exercise your right to object pursuant to Article 21(2) GDPR.

  5. General Deletion Policy
    Unless otherwise specified in this privacy policy for specific processing scenarios, personal data will be deleted when it is no longer necessary for the purposes for which it was collected or otherwise processed.