Data protection statement

This data protection document details the extent, type, and purpose of processing personal data undertaken by Flying Fox XXL online shops:


Flying Fox XXL GmbH

Hütten 39
A-5771 Leogang


Telephone: +43-6583-8219
Fax: +43-6583-8219-33
Director: Kornel Grundner




Types of data processed:


- Stock data (e.g. name, address)
- Contact details (e.g. e-mail, telephone number)
- Content data (e.g. text entries, photographs, videos)
- User data (e.g. visited websites, content of interest, access time)
- Meta/communication data (e.g. device information, IP address)
- Range measurement/marketing
- Contract data (e.g. contract object, duration, customer category)
- Payment information (e.g. bank details, payment history)
- Information about customers, interested parties and business partners regarding service provision
- Contractual services, service and customer care, marketing, advertising and market research

Categories of people concerned

Customers, visitors, and other users of the online service (later in this document referred to as “user”).

Purpose of data processing

- Provision of online services, functions, and content
- Replying to contact enquiries and communication with users
- Contractual fulfilment
- Security measures

Terms used

 “Personal data” includes all information that refers to an identified or identifiable person (later referred to as “person concerned”). By identifiable we mean a person who can be identified either directly or indirectly by means of an identifier such as name, ID number, address details, online identification method (e.g. cookie) or by any specific distinguishing information that may be associated with the physical, physiological, genetic, psychological, economic, cultural, or social identity of a particular person.

“Processing” describes any act of processing connected with the aforementioned personal data either with or without the aid of automation. The term is broad and covers practically any type of working with data.

“Pseudonymisation" refers to processing personal data in such a way that the personal data or the correlation of additional information may no longer be connected with a specific person in as much as this additional information is saved in a special way using technical and organisational methods that guarantee that the personal data will not be assigned to an identified or identifiable individual person.

“Profiling” is any type of automatic processing of personal data involving the use of this personal data to refer to certain personal aspects of an individual to assess, analyse, or predict information such as employment, economic situation, health, personal preferences, interests, reliability, behaviour, place of residence, or change of address.

“Person responsible” refers to the individual or legal person, authority, establishment or other who either alone or together with a third party makes decisions concerning the purposes and means of the processing of personal data.

“Processor” refers to an individual or legal person, authority, establishment or other involved in the processing of personal data and contract of the person responsible.


Statutory foundations

In accordance with DSGVO article 13, detailed here are the statutory foundations of our data processing. In cases where the statutory foundations are not mentioned in the data protection document, the following applies: the legal basis for the collection of consent is DSGVO article 6 para. 1 lit. a and DSGVO article 7, the legal basis for data processing to fulfil our services and carry out contractual procedures or reply to enquiries is DSGVO article 6 para. 1 lit. b, the legal basis for data processing in order to fulfil our legal obligations is DSGVO article 6 para. 1 lit. c, and the legal basis for data processing in order to guard our legitmate interests is DSGVO article 6 Abs. 1 lit. f.


Security measures

According to DSGVO article 32 concerning the standard of technology, implementation costs and type, extent, circumstances, and purposes of data-processing and the various possibilities of occurrence and level of risks for the rights and freedom of individuals, we implement appropriate technical and organisational measures in order to guarantee a level of protection that is commensurate with the risk.

Collaboration with external processors and third parties

In as much as we pass on the processing of data to other parties and businesses (external processors and third parties), or allow them access to data, this only occurs with legal consent as a basis (e.g. when conveying data to a 3rd party such as a payment processor, for fulfilment of the contract, DSGVO article 6 Abs. 1 lit. b applies), with your consent and if made necessary by any legal obligation or as a basis of our legitimate prevailing interests (e.g. in using appointees, web hosters etc.).

In as much as third parties are concerned with the processing of personal data, a so-called “data-processing contract" is set up, with DSGVO article 28 as a basis.

Transfer of data to other countries

If we process data in a third country (i.e. a country outside the European Union (EU) or European Economic Area (EWR) or if this  occurs in the framework of the implementation of the services of 3rd parties or the release or conveyance of data to a 3rd party) this only takes place if the data has been processed by us in a lawful way. Subject to legal or contractual permission, we process or get data processed in another country only if the requirements of DSGVO article 44 ff. have been met. That is to say processing only takes place for example with the basis of particular guarantees such as officially recognised establishment of a level of data protection in accordance with EU levels (e.g. the “Privacy Shield" for the USA) or in accordance with specially recognised contractural obligations (so-called “standard contract clauses").

Rights of affected persons

You have the right to demand confirmation of whether certain data is processed and the right to information about this data and other information together with copies of the data in accordance with DSGVO article 15.

In accordance with DSGVO article 16 you have the right to demand completion of data affecting yourself or correction of any incorrect data.

In accordance with DSGVO article 17, you have the right to demand that data concerning yourself is deleted immediately, or alternatively to demand a limitation in the processing of data, in accordance with DSGVO article 18.

In accordance with DSGVO article 20 you have the right to demand to retain data concerning yourself that you have provided to us and pass it on to other responsible persons.

You can exercise these rights by writing an e-mail to

In addition, in accordance with. DSGVO article 77 DSGVO, you are entitled to submit a complaint to the Austrian data protection authorities (Hohenstaufgasse 3, 1010 Wien,

Right of cancellation

You have the right to rescind any consent given in accordance with DSGVO article 7 Abs. 3 which may have future consequences.

Right of objection

You may at any time object to future processing of data concerning yourself in accordance with DSGVO article 21. This objection may in particular affect processing of data for the purpose of direct advertising.

Cookies and the right of objection to direct advertising

By “cookies" we refer to small data packages that are stored on users' computers. These cookies may store a variety of information. A cookie has the primary function of storing a user's details (e.g. the device on which the cookie is stored) during, or also after accessing a website. Temporary cookies, otherwise known as “session cookies" or “transient cookies" are cookies which are deleted when a user leaves a website and closes his browser. Such cookies may for example contain information about the content of a shopping basket in an online shop or the login status. “Permanent" or “persistent" cookies are cookies which remain stored after quitting a browser. These may for example store details of login status which a user may call several days later. Such cookies may also contain information about user interests which may be used for range measurement or marketing purposes. “Third-party cookies" are cookies which are offered by 3rd parties to the person responsible for running the website (if only cookies of the responsible person are concerned, these are referred to as “first party cookies").
We may implement temporary and permanent cookies, explained within the framework of our data protection document. If users do not wish cookies to be stored on their computers, they should choose the appropriate option in the browser system settings in order to deactivate them. Stored cookies can be deleted in the browser system settings. Deactivating cookies may lead to impeded functions of the website.


Deletion of data

Data processed by us is deleted or limited in its processing in accordance with DSGVO articles 17 and 18.
Where it has not been expressly stated in this data protection document, any data stored by us is deleted as soon as it is not required to serve its purpose any more, inasmuch as its deletion does not contravene legal requirements. If data is not deleted because its retention is required for other legal purposes, its processing is appropriately limited. This means the data is blocked and not processed for other purposes. This applies for example to data which has to be retained for tax or business reasons.


The legal requirements in Austria are that certain data is stored for 7 years in accordance with § 132 para. 1 BAO (accounting documentation, invoices/receipts, account information, bills, business papers, income and expenditure calculation, etc.)

Order processes in the online shop and customer accounts

We use customer data in order to process orders in our online shop and to enable us to provide customers with the selection and order of chosen products and services, together with payment and order procedures.

The data processed contains stock data, communication data, contract data, payment data, and persons affected by this data processing are our customers, interested parties, and certain business partners. Data processing occurs for the purposes of providing contractual services within the framework of the online shop, payment, ordering, and customer service. We implement the use of session cookies in order to store details of what is contained in the shopping basket, and permanent cookies to store details of the login status.

This data processing is in accordance with the requirements of DSGVO article 6 para.1 lit. b (order procedures) and c (legally required archiving). These are necessary specific details in order to fulfil contractual obligations. Data is only released to third parties in order to enable delivery, payment, or to fulfil legal obligations of legal advisers and authorities. Data is only passed on to 3rd countries if this is necessary in order to fulfil the contract (e.g. to satisfy customer wishes concerning delivery or payment).

Users may choose to use a user account in which they can view their orders. As part of the registration process, the user must share required compulsory details. These user accounts are not public and cannot be indexed by search engines. If a user cancels their user account, any data regarding the user account is deleted, provided that its retention is not required to abide by business or tax laws in accordance with DSGVO article 6 para. 1 lit. c. Customer account details remain until their deletion and are then archived if required by law. It is up to the user to secure their data if cancellation occurs prior to the end of the contract.

As part of the registration and reregistration process and to be able to make use of our online services, we store your IP address and the time of any user access. This storage process occurs on the basis of our legitimate prevailing interests and also in the interests of the user to protect from misuse and unauthorised use. This data is in principle not conveyed to 3rd parties, unless deemed necessary in pursuance of our claims or there is a legal requirement in accordance with DSGVO article 6 para. 1 lit. c.

External payment service providers

We use external payment service providers whereby users use their platforms to carry out payment transactions with us e.g.
Paypal (,
Klarna (, Skrill (, 
Giropay (, 
Visa (, 
Mastercard ( de/datenschutz.html), 
American Express (
In order to fulfil contractual obligations, we use payment service providers in accordance with DSGVO article 6 para. 1 lit. b. We also use external payment service providers in our own interests in accordance with DSGVO article 6 para. 1 lit. f. DSGVO in order to offer our users a more effective and more secure payment process.

Data processed by these payment service providers includes stock data such as for example name and address, bank details such as bank account numbers and credit card numbers, passwords, TANs, checksums and the contract amounts and recipient details. These details are necessary in order to carry out transactions. Data submitted is processed by the payment service provider and stored by them. This means we do not receive any bank or credit card details, we only receive information about confirmation or negative outcome of a payment. Under certain circumstances data may be passed on to credit agencies by the payment service provider. This would be for the purposes of checking identity or to carry out a credit check. Please refer to the terms and conditions and data protection policies of the payment service provider in question.

For payment transactions, the business terms and conditions and data protection information of the appropriate payment service provider apply. These are available from their websites or from the transaction applications. Please also refer to them for further information about implementing any objection, information, or other rights.

Administration, financial accounting, office organisation, contact administration

We process data as part of the process of administration and organisation of our business, keeping financial accounts, and adhering to legal obligations, such as for example archiving. We therefore process the same data which we process in order to fulfil our contractual services. The legal basis for this data processing is DSGVO article 6 para. 1 lit. c., DSGVO article 6 para. 1 lit. f.. This processing affects customers, interested parties, business partners, and website visitors. Its purpose and our interest in the processing is in administration, financial bookkeeping, office organisation, and archiving of data, i.e. procedures necessary to run our business, fulfil our duties, and provide our services. Deletion of data in regard to contractual services and contractual communication affects the details given for these processes.

In doing so we publish or transfer data to our financial administration, advisers such as tax advisers or auditors and other payment service providers or charges offices.

In addition, for our own business interests we store details of delivery services, organisers, and other business partners, e.g. for the purpose of future contact. In principle we store this information containing various business data on a permanent basis.


Registration function


Users can set up a user account. In the registration process, the necessary obligatory information entered is displayed to the user and processed in accordance with DSGVO article 6 para. 1 lit. for the purpose of setting up a user account. The data processed contains in particular login information (name, password, and e-mail address). The data submitted for registration is used for the purposes of implementation of the user account.

Users may be provided with information by e-mail that is relevant for their user account such as for example technical changes. If users have cancelled their user account, data concerning the user account is deleted, unless it is required by a legal obligation to retain it. It is up to the user to secure their data in the case of cancellation prior to the end of the contract. We are entitled to delete user information irretrievably during the duration of the contract.

In fulfilling the registration process and in implementation of a user account, we store the IP address and time of access of the corresponding user. This storage is in our legitimate interests as well as for the protection of the user from misuse or other unauthorised use. In principle, this data is not transferred to 3rd parties, except if it is required in pursuance of demands or a legal requirement dictates it in accordance with DSGVO article 6 para. 1 lit. c. The IP addresses are anonymised or deleted after 7 days.

Produced using by RA Dr. Thomas Schwenke