Privacy Policy

With the following privacy policy, we would like to inform you about what types of your personal data (hereinafter also referred to as "data") we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").

The terms used are not gender-specific.

Nattapat Pongsuwan
Rohstorf 59
21397 Vastorf, Philippines

Authorized representative: Nattapat Pongsuwan

Email: contact@extasy.asia

Imprint: https://extasy.asia/imprint

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of data processed:
• Inventory data
• Payment data
• Contact data
• Content data
• Contract data
• Usage data
• Meta, communication and procedural data
• Log data

Categories of data subjects:
• Service recipients and clients
• Interested parties
• Communication partners
• Users
• Business and contractual partners

Purposes of processing:
• Provision of contractual services and fulfillment of contractual obligations
• Communication
• Security measures
• Office and organizational procedures
• Affiliate tracking
• Organizational and administrative procedures
• Feedback
• Provision of our online offering and user-friendliness
• Business processes and business management procedures

Relevant legal bases under the GDPR: Below is an overview of the legal bases of the GDPR on which we process personal data.

• Consent (Art. 6(1)(a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.

• Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or for pre-contractual measures.

• Legal obligation (Art. 6(1)(c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.

• Legitimate interests (Art. 6(1)(f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

National data protection regulations in Philippines: In addition to the GDPR, national regulations on data protection apply in Philippines, including the Federal Data Protection Act (BDSG).

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, to ensure a level of protection appropriate to the risk.

These measures include in particular securing the confidentiality, integrity and availability of data by controlling physical and electronic access to data.

IP address shortening: Where IP addresses are processed and processing of a complete IP address is not necessary, the IP address is shortened (also known as "IP masking").

Securing online connections through TLS/SSL encryption technology (HTTPS): To protect user data from unauthorized access, we use TLS/SSL encryption technology.

In the course of our processing of personal data, it may happen that data is transferred to or disclosed to other bodies, companies, legally independent organizational units or persons. Recipients of this data may include, for example, service providers entrusted with IT tasks. In such cases, we observe the legal requirements and conclude appropriate contracts.

Data processing in third countries: If we transfer data to a third country, this is always done in accordance with legal requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by an adequacy decision of the EU Commission on July 10, 2023. We have also concluded Standard Contractual Clauses with the respective providers.

More information about the DPF can be found at https://www.dataprivacyframework.gov/

We delete personal data in accordance with legal provisions as soon as the underlying consents are revoked or there are no further legal grounds for processing.

Retention periods under German law:
• 10 years - Books, records, annual financial statements (§ 147 AO, § 257 HGB)
• 8 years - Accounting documents, invoices
• 6 years - Other business documents
• 3 years - Data for warranty and damage claims (§§ 195, 199 BGB)

As a data subject, you have various rights under the GDPR (Art. 15 to 21 GDPR):

• Right to object: Object to processing at any time
• Right to withdraw consent: Withdraw given consents at any time
• Right of access: Request confirmation and information about processed data
• Right to rectification: Completion or correction of inaccurate data
• Right to erasure and restriction: Request deletion or restriction of processing
• Right to data portability: Receive data in a structured format
• Right to lodge a complaint: Right to lodge a complaint with a supervisory authority

We process data of our contractual and business partners in the context of contractual and comparable legal relationships.

Types of data processed: Inventory data, payment data, contact data, contract data.

Purposes: Provision of contractual services, communication, organizational and administrative procedures.

Legal bases: Contract performance (Art. 6(1)(b) GDPR), Legal obligation (Art. 6(1)(c) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

Provision of software and platform services: We process user data to provide our contractual services and based on legitimate interests to ensure the security of our offering and to develop it further.

We offer efficient and secure payment options and use payment service providers for this purpose. Payment transactions are carried out exclusively via encrypted connections.

We do not receive any account or credit card information, only information confirming or denying payment.

Payment service providers used:
• Apple Pay - Apple Inc., USA - Privacy Policy
• Google Pay - Google Ireland Limited, Ireland - Privacy Policy
• Klarna - Klarna Bank AB, Sweden - Privacy Policy
• Mastercard - Mastercard Europe SA, Belgium - Privacy Policy
• Stripe - Stripe, Inc., USA (DPF-certified) - Privacy Policy
• Visa - Visa Europe Services Inc., UK - Privacy Policy

The term "cookies" refers to functions that store and read information on users' devices. We use cookies in accordance with legal requirements.

Storage duration:
• Temporary cookies (session cookies): Deleted after closing the browser
• Permanent cookies: Remain stored for up to two years

Cookie settings: Own consent solution ("Extasy Cookie Manager") – Settings at https://extasy.asia/privacy#cookies

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR), Consent (Art. 6(1)(a) GDPR).

Users can create a user account. The data processed includes in particular login information (username, password, email address).

Special features:
• Registration with pseudonyms: Users may use pseudonyms as usernames
• Profiles are public: User profiles are publicly visible
• Visibility settings: Users can determine the visibility of their profiles
• Two-factor authentication: Additional security layer for your user account
• Deletion after termination: Data is deleted after termination
• No retention obligation: Users should back up their data before termination

Legal bases: Contract performance (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

When contacting us, the information provided by the inquiring persons is processed insofar as this is necessary to answer the contact inquiries.

Types of data processed: Contact data, content data, meta/communication data.

Legal bases: Legitimate interests (Art. 6(1)(f) GDPR), Contract performance (Art. 6(1)(b) GDPR).

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers.

Google Fonts (obtained from Google server): Obtaining fonts for the purpose of technically secure, maintenance-free and efficient use. The provider is informed of the user's IP address so that the fonts can be made available in the browser. According to Google, IP addresses are neither logged nor stored.

Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Website: https://fonts.google.com/
Privacy Policy: https://policies.google.com/privacy
Basis for third country transfer: Data Privacy Framework (DPF)
More information: https://developers.google.com/fonts/faq/privacy

We ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

Affiliate tracking: Logging of links with which linking websites refer users to offers.

Inventory data: Essential information for the identification and management of contractual partners, user accounts and profiles.

Content data: Information generated in the course of creating, editing and publishing content.

Contact data: Information that enables communication with persons or organizations.

Meta, communication and procedural data: Information about how data is processed, transmitted and managed.

Usage data: Information that captures how users interact with digital products.

Personal data: All information relating to an identified or identifiable natural person.

Log data: Information about events or activities that have been logged in a system.

Controller: The natural or legal person who decides on the purposes and means of processing personal data.

Processing: Any operation in connection with personal data.

Contract data: Specific information relating to the formalization of an agreement.

Payment data: All information required for the processing of payment transactions.