PRIVACY POLICY

On the Protection of Your Trails

Every Traveller leaves a trace in the morning dew as they wander through the Thicket. This parchment shall inform you about which of your trails are locked under magic and for what purpose, who is allowed to look into that magic, and for how long the spell is cast. 

 

Last updated: June 6, 2026

0. INTRODUCTION

We attach great importance to the protection of your personal data. We process your data exclusively on the basis of legal provisions (GDPR, TKG 2021). In this privacy policy, we inform you about the most important aspects of data processing in the context of our website.

 

1. INFORMATION ABOUT THE CONTROLLER

The controller within the meaning of the GDPR for data processing on this website is:

Mystical Yarnling Tales e.U.
Owner: DI Barbara Pletzer
Breitenleer Straße 270/3/6
1220 Vienna, Austria
E-mail: contact@myyatales.com

 

2. HOSTING THE ONLINE SHOP (SHOPIFY)

Our website and online shop are hosted on Shopify's servers. The provider is Shopify International Limited, 2nd Floor, Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland (hereinafter "Shopify").

  • Purpose: Provision of the online shop, IT security, and optimisation of loading times.
  • Legal basis: Legitimate interest pursuant to Art. 6(1)(f) GDPR (technically error-free online presence).
  • Third-country transfers: Within the framework of hosting and platform operation, personal data may be transmitted to affiliated companies and subprocessors of Shopify. This may also involve transfers to third countries; security is ensured through the transfer mechanisms and guarantees provided by Shopify. Shopify processes data worldwide. In the case of a transfer to the parent company Shopify Inc. in Canada, there is an adequacy decision by the European Commission. In the case of a transfer to the USA, Shopify relies on the EU-US Data Privacy Framework or on standard contractual clauses of the European Commission.
  • Storage duration: Server log files and connection data that Shopify automatically records when you visit the page are stored for a maximum of 30 days for security reasons and then automatically deleted.
  • Necessity: The provision of the website and shop functions is necessary for visiting our website; without this processing, the use of the online shop is not possible or only possible to a limited extent.

 

3. SHOPIFY AS A PLATFORM & SPECIAL PROCESSING

Our website and online shop are operated via Shopify. Shopify processes personal data as part of the provision and improvement of the platform and to ensure security and functionality.

To the extent that Shopify uses so-called enhanced features or cross-platform security and analysis functions, Shopify may analyse data from interactions with our shop as well as with other merchants and with Shopify itself. For this processing, Shopify is independently responsible.

Data subject rights regarding this processing can be asserted directly via the Shopify Privacy Portal. Further information on processing by Shopify can be found in the Shopify Consumer Privacy Policy.

 

4. USE OF COOKIES & CONSENT MANAGEMENT (SHOPIFY)

Our website uses so-called cookies. These are small text files that are stored on your device with the help of the browser. They do not cause any damage.

We use the integrated Shopify cookie banner (Consent Management Platform) to obtain and document your data protection consent for setting non-essential cookies.

We divide the cookies used into two categories:

  • Technically necessary cookies (mandatory for functionality): These cookies are absolutely necessary for the functioning of the online shop. They enable core functions such as storing items in the shopping cart, securing the checkout process, recognising customer logins, or storing your cookie preferences themselves. Some of these cookies are deleted after your browser session ends (session cookies), while others remain on your device for a defined period to recognise your browser on your next visit.

Legal basis: Legitimate interest pursuant to Art. 6(1)(f) GDPR as well as § 165(3) TKG 2021, to make our online presence functional and user-friendly.

  • Analysis and marketing cookies (not mandatory for functionality):
    These cookies help us to analyse shopping behaviour in our shop anonymously (e.g., which pages are visited most frequently or whether errors occur). They are loaded only when you actively click "Accept" or "Allow" in the cookie banner. The storage duration varies depending on the cookie and purpose (e.g., for the duration of the session or up to one year).

Legal basis: Your express consent pursuant to Art. 6(1)(a) GDPR.

Detailed cookie list and storage duration:

You can view the complete, technically detailed list of all cookies set by the platform, their exact functionality, categorisation, and the exact storage duration (lifespan on your device) at any time in Shopify's official guidelines: Shopify Cookie Policy.

Technically necessary "session cookies" are deleted when you close your browser. Long-term cookies (e.g., for storing your cookie preferences) remain between 1 day and maximum 1 year on your device, unless you delete them manually in your browser beforehand. You can find the exact lifespan of each individual cookie in the Shopify Cookie Policy.

Revocation and deactivation:

You can revoke your once-granted consent at any time with effect for the future. To do so, simply delete the cookies in your internet browser settings and reload our website, or click on the Cookie preferences button in the footer – the Shopify cookie banner will then open again. When generally deactivating cookies via your browser, the functionality of our online shop may be severely restricted.

Necessity:

The provision of technically necessary cookies is necessary for operating our website and using essential shop functions. If you deactivate these cookies, individual shop functions, in particular shopping cart, checkout, and login, may no longer function properly.

Analysis and marketing cookies are set only after your consent. Non-granting or revocation of consent has no disadvantages for merely visiting the website, but may restrict the function of certain analysis or marketing functions.

 

5. DATA PROCESSING FOR ORDERS & DIGITAL DOWNLOADS 

When you order goods or digital content (downloads) in our online shop, we process the data you enter (name, billing and shipping address, e-mail address, payment data, as well as shopping cart and order data).

  • Purpose: Contract fulfilment, provision of digital content for download, and communication regarding order status.
  • Legal basis: Contract fulfilment or pre-contractual measures pursuant to Art. 6(1)(b) GDPR.
  • Storage duration: We store this data until the expiration of statutory retention obligations (in Austria 7 years pursuant to § 132 BAO for tax-related receipts).
  • Provision obligation: The provision of data necessary for order processing and shipping or the provision of digital content is necessary for the conclusion and performance of the contract. Without this information, an order or the provision of the digital download is not possible.
  • Recipients: Recipients of the data may include, in addition to us, especially the service providers we use for hosting, shop platform, accounting, and payment processing.

 

6. CONTACT VIA FORM OR E-MAIL

When you contact us via contact form or e-mail, we process your information only for processing the inquiry and in case of follow-up questions. The provision of this data is voluntary; without name and e-mail address, we generally cannot meaningfully answer your inquiry.

  • Purpose: Answering customer inquiries and pre-contractual communication.
  • Legal basis: Contract fulfilment or pre-contractual measures pursuant to Art. 6(1)(b) GDPR or legitimate interest pursuant to Art. 6(1)(f) GDPR (efficient processing of inquiries).
  • Storage duration: We store your inquiry data for the duration of processing. They will be deleted at the latest 6 months after final answering, unless this results in a contract (order) and no statutory retention obligations require longer storage.
  • Order processing: Since the contact form technically runs via Shopify, this data is also processed on Shopify's servers (see point 2 "Hosting").
  • Recipients: Recipients of this data are exclusively us and technically necessary service providers, in particular Shopify as operator of the contact form and Proton Mail as our used e-mail service. Disclosure to other third parties does not occur, unless required to fulfil legal obligations.

 

7. ACCOUNTING AND ORDER PROCESSING (BILLBEE)

For automated processing of our orders and proper accounting, we use the ERP system from Billbee. The provider is Billbee GmbH, Paul-Gerhardt-Straße 6, 32756 Detmold, Germany.

  • Purpose: Automated order processing, creation of invoices, and tax documentation.
  • Legal basis: Contract fulfilment (Art. 6(1)(b) GDPR) as well as fulfilment of legal obligations (Art. 6(1)(c) GDPR).
  • Order processing: We have concluded a contract for order processing (AVV) with Billbee GmbH. This ensures that your data is processed in a data protection-compliant manner and exclusively according to our instructions.
  • Storage duration (very important for Austria): Since this data flows into accounting and invoicing, we are legally obligated to keep these documents for 7 years pursuant to § 132 BAO (Federal Fiscal Code). The period begins at the end of the calendar year in which the invoice was issued.
  • Recipients: Recipients of the data are in addition to us especially Billbee as order processor as well as – as far as necessary for accounting – tax advisors, tax authorities, and other legally prescribed bodies.
  • Necessity: The provision of data necessary for accounting is required for contract conclusion and legally compliant processing; without this data, proper accounting is not possible.

 

8. PAYMENT SERVICE PROVIDERS

For processing payments, the data required for this purpose is transmitted to the commissioned payment service providers. The legal basis for this is contract fulfilment (Art. 6(1)(b) GDPR). Depending on which payment method you choose in the checkout, this affects the following providers:

  • Credit Card / Debit Card & Mobile Payment (Shop Pay, Apple Pay, Google Pay): These payments are processed via the integrated service Shopify Payments. Technical processing is carried out by Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.
  • PayPal: When selecting this payment method, your payment data is transmitted to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.
  • Klarna (Sofort / Pay Now): When paying via Klarna, your data is transmitted to Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden for identity and credit check.
  • eps transfer: When using the eps procedure, you will be redirected to the online banking system of your Austrian bank. Data processing is carried out via STUZZA Studiengesellschaft für Zusammenarbeit im Zahlungsverkehr GmbH, Jakov-Lind-Straße 4/Top 5, 1020 Vienna as well as your bank.

Storage duration: We ourselves do not store complete credit card or bank data, but only receive the payment confirmation. The payment data is stored by the service providers themselves according to their own statutory retention periods for financial transactions (usually also between 7 and 10 years).

Necessity: Depending on the chosen payment method, the data required for payment processing is transmitted to the selected payment service provider. This processing is necessary for conducting the payment and thus for contract fulfilment. The provision of payment data is necessary for conducting the payment; without this information, the desired payment method cannot be used.

Recipients can in particular be Shopify Payments/Stripe, PayPal, Klarna, STUZZA as well as the respective credit institution of the customer.

 

9. NEWSLETTER VIA SHOPIFY (WITH DOUBLE-OPT-IN)

When you register for our newsletter, we use your e-mail address to send you regular information about our products. The dispatch is carried out directly via the integrated newsletter function of Shopify. In the process, it is recorded which links in the emails are clicked on, in order to measure the reach and success of our newsletter. For subscribing to the newsletter, only the e-mail address is required; further information is voluntary.

  • Purpose: Direct marketing, customer loyalty and the statistical analysis of clicks to optimize our services.
  • Legal basis: Your consent pursuant to Art. 6(1)(a) GDPR as well as § 174 TKG 2021.
  • Double-Opt-In procedure: To prevent abuse, we use the double-opt-in procedure. After registration, you will receive a confirmation e-mail. Only when you click the link contained therein is your registration active.
  • Revocation: Consent to receive the newsletter is voluntary and can be revoked at any time with effect for the future (e.g., via the "unsubscribe" link in every newsletter). By unsubscribing from the newsletter, you also withdraw your consent to the analysis of click rates. The lawfulness of processing up to the revocation remains unaffected.
  • Storage duration: Your data for newsletter dispatch remains stored as long as your subscription is active. As soon as you unsubscribe (revocation of consent), your data will be immediately deleted from the active newsletter distribution list. For documentation of the double-opt-in and proof of consent/opt-out, we store the protocol data of registration and unsubscription. The storage duration is oriented to the requirements of proof and limitation/retention periods.

 

10. SHIPPING SERVICE PROVIDERS

To the extent that physical goods are shipped in the future, the data required for delivery may be transmitted to shipping service providers, in particular Österreichische Post, DPD, and GLS. This is done exclusively for the purpose of delivery and tracking as well as for contract fulfilment.

The data processed in this context is limited to the information necessary for delivery, in particular name, shipping address, and – as necessary – e-mail address or phone number for delivery coordination.

 

11. YOUR RIGHTS AS A DATA SUBJECT

You essentially have the following rights regarding your data stored with us:

  • Right to information (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure ("right to be forgotten") (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)

If you believe that the processing of your data violates data protection law, you can complain to us (contact@myyatales.com) or to the competent supervisory authority. In Austria, this is the:

Austrian Data Protection Authority (DSB)
Barichgasse 40-42
1030 Vienna
E-mail: dsb@dsb.gv.at