Privacy Policy

Effective Date: October 1, 2025

Last Updated: October 1, 2025

1. Data Controller Information

Company: The New Ways
Legal Form: Sole Proprietorship
Address: Karl Marx Strasse 149
Email: privacy@thenewways.eu

Commercial Register: [Registration details]
VAT ID: [EU VAT number]

Data Protection:
Email: datasecurity@thenewways.eu

2. Scope and Application

This Privacy Policy explains how The New Ways ("we," "us," "Company") processes personal data when you use our online retail services, visit our website www.thenewways.eu, or interact with our business.

This policy applies to all personal data processing activities in accordance with:

  • General Data Protection Regulation (GDPR) - EU 2016/679

  • ePrivacy Directive (2002/58/EC)

  • German Federal Data Protection Act (BDSG) - [adapt for your jurisdiction]

  • Other applicable national data protection laws

3. Personal Data We Collect

3.1 Data You Provide Directly

Account Registration and Orders:

  • Personal identification: Name, surname, title

  • Contact information: Email address, phone number, postal address

  • Payment information: Credit card details, billing address, payment history

  • Account credentials: Username, password (encrypted)

  • Communication preferences: Newsletter subscriptions, marketing consent

Customer Service and Communications:

  • Correspondence records: Support tickets, emails, chat logs

  • Feedback and reviews: Product reviews, satisfaction surveys

  • Returns and warranty claims: Reason for return, condition assessment

3.2 Data Automatically Collected

Technical Data:

  • Device information: IP address, browser type and version, operating system

  • Usage data: Pages visited, time spent, click patterns, referral source

  • Cookies and tracking technologies: Session IDs, preference settings, analytics data

  • Location data: Country/region based on IP address (not precise location)

Transaction Data:

  • Order history: Products purchased, quantities, prices, dates

  • Payment processing: Transaction IDs, payment status, refund records

  • Delivery information: Shipping addresses, delivery preferences, tracking data

3.3 Data from Third Parties

  • Payment processors: Transaction confirmations, fraud prevention data

  • Delivery services: Shipping updates, delivery confirmations

  • Social media platforms: Profile information if you connect social accounts

  • Marketing partners: Aggregated demographic and interest data (anonymized)

4. Legal Basis and Purposes for Data Processing

4.1 Contract Performance (Article 6(1)(b) GDPR)

We process your data to fulfill our contractual obligations:

Purpose: Order processing and fulfillment
Data: Contact details, payment information, delivery address, order history
Retention: 10 years (German commercial and tax law requirements)

Purpose: Customer account management
Data: Account credentials, profile information, preferences
Retention: Until account deletion or 3 years of inactivity

Purpose: Customer service and support
Data: Communication records, order details, return requests
Retention: 3 years after last interaction

4.2 Legal Obligation (Article 6(1)(c) GDPR)

We process data to comply with legal requirements:

Purpose: Accounting and tax obligations
Data: Invoice data, payment records, VAT calculations
Retention: 10 years (German tax law - adapt for your jurisdiction)

Purpose: Consumer protection compliance
Data: Warranty claims, product safety records, recall information
Retention: 2 years minimum (EU Consumer Rights Directive)

4.3 Legitimate Interest (Article 6(1)(f) GDPR)

We process data based on our legitimate business interests:

Purpose: Fraud prevention and security
Data: IP addresses, device fingerprints, transaction patterns
Retention: 2 years after incident or longer if legally required

Purpose: Website analytics and improvement
Data: Usage statistics, performance metrics, user behavior
Retention: 26 months (Google Analytics default)

Purpose: Product recommendations and personalization
Data: Purchase history, browsing behavior, product preferences
Retention: 3 years or until withdrawal of consent

4.4 Consent (Article 6(1)(a) GDPR)

For processing requiring explicit consent:

Purpose: Marketing communications and newsletters
Data: Email address, communication preferences, engagement metrics
Retention: Until consent withdrawal or 3 years of inactivity

Purpose: Non-essential cookies and tracking
Data: Behavioral data, advertising preferences, cross-site tracking
Retention: As specified in cookie settings (typically 13 months)

5. Data Sharing and Recipients

5.1 Essential Service Providers

Payment Processors:

  • Companies: [List payment providers, e.g., Stripe, PayPal, etc.]

  • Data shared: Payment information, transaction details, billing address

  • Purpose: Payment processing, fraud prevention

  • Legal basis: Contract performance

Shipping and Logistics:

  • Companies: [List shipping partners, e.g., DHL, UPS, etc.]

  • Data shared: Delivery address, contact details, order contents

  • Purpose: Order fulfillment and delivery

  • Legal basis: Contract performance

Technology Service Providers:

  • Companies: [List providers, e.g., AWS, Google Cloud, etc.]

  • Data shared: All data categories (as data processors)

  • Purpose: Website hosting, database management, analytics

  • Legal basis: Contract performance and legitimate interest

5.2 Marketing and Analytics Partners

Analytics Services:

  • Google Analytics: Usage data, device information, aggregated behavior

  • [Other analytics tools]: [Specify data shared]

  • Purpose: Website optimization, user experience improvement

  • Legal basis: Consent (via cookie consent)

Marketing Platforms (with consent only):

  • Email service providers: [e.g., Mailchimp, Klaviyo]

  • Advertising networks: [e.g., Facebook Ads, Google Ads]

  • Purpose: Targeted marketing, newsletter distribution

  • Legal basis: Consent

5.3 Legal and Regulatory Authorities

We may share data with authorities when:

  • Required by law or court order

  • Necessary to protect our legal rights

  • Required for tax and accounting obligations

  • Needed for product safety recalls or investigations

5.4 Business Transfers

In case of merger, acquisition, or business sale, personal data may be transferred to the new entity with appropriate safeguards and customer notification.

6. International Data Transfers

6.1 Third Country Transfers

Some service providers may be located outside the EU/EEA:

United States:

  • Google (Analytics): EU-US Data Privacy Framework

  • [Other US providers]: Standard Contractual Clauses (SCCs)

Other Countries:

  • [Specify countries]: [Specify transfer mechanisms]

6.2 Safeguards

All international transfers use appropriate safeguards:

  • Adequacy decisions by the European Commission

  • Standard Contractual Clauses (SCCs)

  • Binding Corporate Rules (BCRs)

  • EU-US Data Privacy Framework (where applicable)

7. Data Retention Periods

  1. Order and invoice data
    10 years
    Legal obligation (tax law)

  2. Customer account data
    Until account deletion + 30 days
    Contract performance

  3. Payment transaction records
    10 years
    Legal obligation

  4. Customer service communications
    3 years
    Legitimate interest

  5. Marketing consent and data
    Until withdrawal + 3 years
    Consent

  6. Website analytics data
    26 months
    Consent

  7. Security and fraud logs
    2 years
    Legitimate interest

  8. Product warranty data
    2 years minimum
    Legal obligation

Deletion Process: Data is automatically deleted when retention periods expire, except where longer retention is legally required.

8. Your Data Protection Rights

8.1 Right of Access (Article 15 GDPR)

You can request information about personal data we process, including:

  • Confirmation of processing

  • Purposes and legal basis

  • Data categories and recipients

  • Retention periods

  • Copy of your personal data

How to exercise: Email privacy@thenewways.eu or use our data request form

8.2 Right to Rectification (Article 16 GDPR)

You can request correction of inaccurate or incomplete personal data.

How to exercise: Update your account settings or contact customer service

8.3 Right to Erasure/Right to be Forgotten (Article 17 GDPR)

You can request deletion of personal data when:

  • Data is no longer necessary for original purpose

  • You withdraw consent and no other legal basis exists

  • Data was unlawfully processed

  • Deletion is required for legal compliance

Limitations: We may retain data for legal obligations or legitimate interests

8.4 Right to Restrict Processing (Article 18 GDPR)

You can request processing limitation when:

  • You contest data accuracy

  • Processing is unlawful but you prefer restriction over deletion

  • We no longer need the data but you need it for legal claims

8.5 Right to Data Portability (Article 20 GDPR)

You can receive your data in a structured, machine-readable format and transfer it to another controller.

Scope: Data processed based on consent or contract, in automated systems

8.6 Right to Object (Article 21 GDPR)

You can object to processing based on legitimate interest or direct marketing at any time.

Direct Marketing: Absolute right - we must stop immediately
Other Processing: We must stop unless compelling legitimate grounds override your interests

8.7 Rights Related to Automated Decision-Making (Article 22 GDPR)

You have the right not to be subject to purely automated decision-making with significant effects.

Our Use: We use automated systems for fraud detection and product recommendations but with human review for significant decisions.

8.8 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time:

  • Marketing emails: Unsubscribe link in emails

  • Cookie consent: Cookie settings on website

  • Account consent: Account settings or deletion request

9. Cookies and Tracking Technologies

9.1 Cookie Types and Purposes

Strictly Necessary Cookies:

  • Session management and security

  • Shopping cart functionality

  • Payment processing

  • Load balancing

  • No consent required

Performance and Analytics Cookies:

  • Website performance monitoring

  • User behavior analysis

  • A/B testing

  • Error tracking

  • Consent required

Functional Cookies:

  • Language preferences

  • Region settings

  • Accessibility features

  • Personalized content

  • Consent required

Marketing Cookies:

  • Cross-site tracking

  • Personalized advertising

  • Social media integration

  • Conversion tracking

  • Consent required

9.2 Cookie Management

You can control cookies through:

  • Our cookie consent banner

  • Browser settings

  • Opt-out tools for specific services

  • Third-party cookie management tools

Cookie Settings: [Link to cookie preference center]

9.3 Third-Party Cookies

Our website may include cookies from:

  • Google Analytics and Google Ads

  • Social media platforms (Facebook, Instagram, etc.)

  • Payment processors

  • Customer support chat tools

Each third party has its own privacy policy governing its use of the data.

10. Data Security Measures

10.1 Technical Measures

  • SSL/TLS encryption for all data transmission

  • Data encryption at rest using industry-standard algorithms

  • Regular security updates and patches

  • Access controls and authentication systems

  • Automated backup systems with encryption

  • Firewall and intrusion detection systems

10.2 Organizational Measures

  • Data protection impact assessments (DPIAs)

  • Regular staff training on data protection

  • Data processing agreements with all processors

  • Incident response procedures

  • Regular security audits and penetration testing

  • Clean desk and clear screen policies

10.3 Data Breach Notification

In case of a personal data breach:

  • Supervisory authority notification within 72 hours

  • Individual notification if high risk to rights and freedoms

  • Documentation of all breaches and response measures

11. Children's Privacy

Our services are not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware of such collection, we will delete the data immediately and prevent further access.

Parental Rights: Parents can request deletion of their child's data and prevent further collection.

12. Data Protection Officer and Contact

Data Protection Officer:
Email: datasecurity@thenewways.eu

Privacy Contact:
privacy@thenewways.eu

Response Time: We respond to privacy requests within 30 days (may be extended by 60 days for complex requests).

13. Supervisory Authority and Complaints

You have the right to lodge a complaint with a data protection supervisory authority:

For Germany:
Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Graurheindorfer Str. 153
53117 Bonn, Germany
Email: poststelle@bfdi.bund.de
Phone: +49 228 997799-0

For your location: Contact your national data protection authority

EU Data Protection Authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en

14. Changes to This Privacy Policy

14.1 Updates and Modifications

We may update this Privacy Policy to reflect:

  • Changes in our data processing practices

  • Legal or regulatory requirements

  • New features or services

  • Feedback from users or authorities

14.2 Notification of Changes

Material Changes: 30 days advance notice via email and website banner
Minor Changes: Website notification and updated "Last Updated" date
Continued Use: Constitutes acceptance of changes

14.3 Version History

Previous versions of this policy are archived and available upon request.

15. Specific Provisions for Different User Types

15.1 Business Customers (B2B)

Additional data processing may include:

  • Company information and VAT details

  • Authorized representatives and signatories

  • Purchase agreements and contract terms

  • Credit assessments and payment terms

15.2 Guest Customers

For users without accounts:

  • Minimal data collection (name, email, delivery address)

  • Order data retained for warranty and tax purposes

  • No marketing unless separate consent provided

  • Limited retention periods

15.3 Newsletter Subscribers

For users who subscribe to marketing:

  • Double opt-in confirmation required

  • Engagement tracking and preferences

  • Segmentation based on interests and behavior

  • Easy unsubscribe process

16. Legal Compliance Statement

This Privacy Policy complies with:

  • General Data Protection Regulation (GDPR) EU 2016/679

  • ePrivacy Directive 2002/58/EC and national implementations

  • German Federal Data Protection Act (BDSG) - [adapt for your jurisdiction]

  • Consumer Rights Directive 2011/83/EU

  • Digital Services Act (DSA) EU 2022/2065

  • Other applicable national and international data protection laws

Last Review Date: [INSERT DATE]
Next Scheduled Review: [INSERT DATE]
Policy Version: 1.0

Contact for Privacy Questions: [privacy@yourcompany.com]