Last updated 18-March-2019
- ALL THE DETAILS
- General Information
- Individual processing operations
- Creditworthiness and Scoring
- Payment service provider
- Statistics and Analysis
- Google services
- EU-US Privacy Shield
- For California Residents
This summary provides a short explanation of the policy and is not legally binding.
We firmly believe in our customers' right to privacy, and we respect that right by adhering to the concept of Fair Information Practices.
How we collect your information
We collect your information when you complete our online forms, purchase our products online, and interact with our community. We track that information using cookies. We record all of the discussions we have with you on the phone. The information we collect includes name, address (if you place an order), email address, IP address, phone number, and location (if you add it to your profile).
What we do with it
Who we share it with
We share your details with selected business partners which may include:
- the cloud service providers that help us store your information and send you email
- Google and Facebook to give us insight into how people are using our site and understand how to improve our visibility
- payment service providers that process your payment information on our behalf
- shipping carriers and software companies that help us ship your order
- lawyers representing us in the event of a legal claim
- lawful requests by public authorities, including to meet national security, regulatory or law enforcement requirements
ALL THE DETAILS
As the data controller, we have prepared this data protection declaration to inform you about the type, scope and purpose of the processing of personal data in connection with our website, in accordance with the provisions of Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR).
“Personal data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means or not, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, use, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying;
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and methods of the processing of personal data; where the purposes and methods of such processing are determined by Union or Member State law, the controller or where the specific criteria for its nomination may be provided for by Union or Member State law;
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data as part of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; these public authorities shall process this data in accordance with the applicable data protection rules according to the purposes of the processing;
1330 Monterey Street
San Luis Obispo, California 93401
Tel. +1 805-464-0573
Fax +1 805-456-0741
Contact details of the company privacy officer
Privacy Officer, iFixit
1330 Monterey Street
San Luis Obispo, California 93401
Tel. +1 805-464-0573
Fax +1 805-456-0741
We process personal data on the basis of at least one of the following legal bases:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes (Art. 6 para. 1 sentence 1 lit. a GDPR);
- Performance of a contract with the data subject or for the implementation of pre-contractual measures taken at the request of the data subject (Art. 6 para. 1 sentence 1 lit. b GDPR);
- Compliance with a legal obligation to which we are subject (Art. 6 para. 1 S. 1 lit. c GDPR);
- Protection of our legitimate interests or those of a third party (Art. 6 para. 1 sentence 1 lit. f GDPR)
The following information refers to the legal basis of the individual processing steps contained in this data protection declaration.
Forwarding of data to recipients
We forward personal data to recipients (contractors or other third parties) only to the required extent and only under one of the following conditions:
- The data subject has consented to the transfer;
- The transfer is for the fulfillment of contractual obligations or pre-contractual measures on the initiative of the data subject;
- We are legally obliged to make the transfer;
- The transfer is made on the basis of our legitimate interests or those of a third party.
The transfer of personal data to a country or an international organization outside the European Union (EU) or the European Economic Area (EEA) is subject to legal or contractual permissions only in accordance with the conditions of Art. 44 ff. GDPR. This means, that for the country concerned, there is an adequacy resolution of the EU Commission according to Art. 45 GDPR, there are suitable guarantees for data protection according to Art. 46 GDPR or there are binding internal data protection regulations according to Art. 47 GDPR.
Rights of data subjects
As a data subject, you have the following rights:
- According to Art. 15 GDPR, you can request information about your personal data processed by us. Furthermore, you can request information about the purposes of the processing, the categories of processed personal data, the recipients or categories of recipients to whom your data has been or will be disclosed, the planned period for which the personal data will be stored or the criteria for determining that period, the origin of your data, if this data was not collected from you, the existence of automated decision-making including profiling and, where appropriate, meaningful information on its details such as logic, scope and effects, the existence of a right to rectification or erasure of data concerning you, the right to restrict processing or to object to such processing, the right to lodge a complaint with a supervisory authority. Finally, you have a right to know whether personal data has been transferred to a third country or to an international organization and, if so, the appropriate safeguards relating to the transfer;
- According to Art. 16 GDPR, you can demand the immediate rectification of incorrect personal data or the completion of your personal data stored with us;
- According to Art. 17 GDPR, you can request the deletion of your personal data stored with us, unless the processing is necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;
- According to Art. 18 GDPR, you can demand the restriction of the processing of your personal data if the accuracy of the data is contested by you, the processing is unlawful but you oppose the erasure of it and we no longer need the data, you need the data which is no longer needed by us for the establishment, exercise or defense of legal claims, or you have objected to the processing in accordance with Art. 21 GDPR, pending the verification of whether our legitimate grounds for data processing outweigh your interest;
- According to Art. 20 GDPR, you may request the transfer of your personal data that you have provided to us in a structured, commonly used and machine-readable format or transfer it to another data controller;
- According to Art. 21 GDPR, you may object to the processing of your personal data if there are grounds for doing so which relate to your particular situation or if you object to processing for direct marketing purposes and the legal basis for processing the personal data are legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR;
- According to art. 7 para. 3 GDPR, you can withdraw your consent to us at any time. As a result, we will no longer be permitted to continue processing the data that was based on this consent in the future;
- According to Art. 77 GDPR, you can lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of the place of your habitual residence, place of work or our registered office.
If you wish to assert the above-mentioned data subject rights, you can contact us or our data protection officer at any time using the contact details above.
Erasure and restriction of personal data
Unless otherwise provided for in this data protection declaration for individual cases, personal data will be erased if this data is no longer necessary for the purposes for which it was collected or was in any other way processed and if there are no legal obligations that require us to keep it. We will also erase your personal data processed by us upon request, in accordance with Art. 17 GDPR if the conditions described therein are met. If personal data is required for other legally permissible purposes, the data will not be erased, but its processing will be restricted in accordance with Art. 18 GDPR. In the event of a restriction, the data will not be processed for other purposes. This applies, for example, to personal data that we must keep for commercial or tax reasons.
We use session cookies to recognize that you have already visited individual pages of our website. These cookies also provide certain functionalities. Session cookies are deleted after you leave our website.
In addition, we also use temporary cookies, which are stored on your device for a specified period of time, to optimize user-friendliness and the statistical evaluation of the use of our website. If you visit our website again to use our services, these cookies will automatically recognize that you have already visited us before and what entries and settings you have made, so you do not have to enter them again.
The data processed by cookies is required for the above-mentioned purposes in order to protect our legitimate interests which result from processing the data and the legitimate interests of third parties in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR.
Individual processing operations
In order to make our website available to you, we use the services of hosting companies, such as the provision of web servers, storage space, database services, security services and maintenance services.
While doing so, we or our hosting providers process our website users’ personal data on the basis of our legitimate interests in providing efficient and secure access to our website in accordance with Art. 6 para. 1 lit. f GDPR.
Access data and log files
When you visit our website or its individual pages, your device’s browser automatically sends information to our website server. This information is stored in log files by us or by our hosting provider.
The following information is stored:
- The IP address of the requesting computer,
- The date and time of access,
- The name and URL of the requested file,
- The website from which our site was accessed (referrer URL),
- The browser being used and, if applicable, the type of operating system your computer uses and the name of your access provider.
This data is processed for the following purposes:
- The provision of our website, including all of its features and contents
- To ensure a smooth connection to our website
- To ensure the comfortable use of our website
- To ensure system security and stability
- For anonymized statistical evaluation of user access
- To optimize our website
- For forwarding to law enforcement authorities in the event of unlawful interference or an attack on our systems
- For additional administrative purposes.
The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest is based on the above-described purposes for data collection. Under no circumstances do we use the data we collect for the purpose of drawing conclusions about a person.
If you use the contact form, you will be asked to provide your name and email address so we can contact you personally. Additional information can be provided voluntarily. In accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, data processing for the purpose of contacting us and responding to your request is based on your voluntary consent. All personal data collected in connection with the contact form will be deleted after responding to your request, unless it is necessary to store this data for the documentation of other processes (for example, for the subsequent conclusion of a contract).
If you would like to receive our newsletter, we need to have your name and email address. In accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, data processing for the purpose of sending the newsletter is based on your voluntary consent which is granted via the double opt-in procedure. Your email address will be used and stored for this purpose until you withdraw your consent or unsubscribe from the newsletter. You can unsubscribe at any time, for example, by using the link at the end of each newsletter. You can also send your withdrawal/unsubscribe request at any time to the email address indicated under Clause I.
We send our newsletters with a web beacon. A web beacon is a miniature graphic embedded in the newsletter’s HTML format which enables us to analyze reader behavior. In this context, we store whether and at what time a newsletter was opened by you and which of the links contained in the newsletter were accessed by you. We use this data to create statistical evaluations of the success or failure of a marketing campaign in order to optimize newsletter distribution and to better match the content of future newsletters to your interests. The collected data will not be transferred to third parties and will be deleted after the statistical evaluation.
We are not currently accepting nor storing applications from EU residents.
Comments and contributions
If you leave comments or other contributions on our website, your email and IP address will be stored on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f GDPR. You can provide further information voluntarily. The purpose of storing your email address is to contact you regarding your comment or contribution, to forward any complaints you may have and, if necessary, to ask you to comment. You will not be able to use the comments function without entering your email address. The email address you provide will be saved but will not be published along with your comment.
Our legitimate interest in retrieving and storing your email address is for security reasons, for example, in the event that someone leaves illegal content (for example, insults) in comments and contributions. In this case, we ourselves could be prosecuted for the comment or contribution and therefore, we have a legitimate interest in storing your IP address. This collected personal data will only be passed on to the prosecution authorities in cases of criminal investigations. Personal information will not be transferred to any other third parties.
The iFixit Community and Registration
iFixit USA and iFixit EUROPE use a shared system for the administration of community accounts in order to make it easier for users to access the shared website of the iFixit Community. The provider is www.ifixit.com; San Luis Obispo, CA 93401, United States. It is not possible to register with the iFixit Community without your data being transferred to the USA. However, you can order goods in the EU store as a guest without registering with the community. When you register with the iFixit Community, you will be redirected to the iFixit USA website. The data transfer to iFixit USA is based on the EU standard contractual clauses (Set II). Information about these guarantees is available here. iFixit EUROPE and iFixit USA are jointly responsible for processing personal data. iFixit EUROPE complies with all obligations regarding the exercise of the rights of data subjects. In accordance with Art. 6 Para. 1 S. 1 lit. f GDPR, data is processed on the basis of our legitimate interest in the provision of the services on our website.
You can register on our website by entering your name, address, telephone number and email address. In accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, registration is voluntary and is based on your voluntary consent. The transmission of any other personal data is determined by the respective input mask used for the registration. The collected personal data is used for the purposes of offering our services as well as to contact you in order to provide you with information regarding our services and your registration. You can view your personal data and make changes to this data via your personal user access. Your data will be stored until you delete your user account or instruct us to delete your data. If we are obliged to store your personal data due to legal, commercial and tax-related retention periods, the processing of your personal data will be restricted accordingly until the expiry of the retention periods and this data will then be deleted.
When you register on our website or use your user account, we store your IP address and the time of your use of our website. In accordance with Art. 6 Para. 1 S. 1 lit. f GDPR, data is processed on the basis of our legitimate interest in the provision of the services on our website. Storage of your data is also in your interest in order to protect you from misuse and other unauthorized use. Your data will not be transferred to third parties, unless it is necessary to fulfil contractual obligations in accordance with Art. 6 para. 1 lit. b GDPR or for the pursuit of any claims to which we are entitled or if there is a legal obligation according to art. 6 para. 1 lit. c GDPR. IP addresses are anonymized.
In connection with and for the purpose of implementing pre-contractual measures and fulfilling contractual obligations via our website taken at the request of the data subject, we process the data subject’s personal data in order to perform the contract. This data includes:
- The contractual partner’s data, such as, name, address and contact data, any alternate delivery addresses or invoice addresses or alternate recipients and, if necessary, the contractual partner’s date of birth;
- Contract data, such as the subject matter and duration of the contract, customer category;
- Payment data, such as bank details, credit card data, payment history.
The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. b GDPR.
The data will only be transferred to third parties to the extent that this is necessary in order to implement pre-contractual measures and to fulfil contractual obligations, such as to banks, payment service providers, credit card companies for processing payment and to shipping providers for the shipping of goods.
Creditworthiness and Scoring
Automated decision-making (credit assessment)
Based on Art. 6 para. 1 lit. b and lit. f GDPR, we perform a credit assessment of customers prior to the conclusion of the contract for the purpose and on the basis of our legitimate interest in checking creditworthiness and minimizing payment defaults. This is done if purchase order, money order, credit card or direct debit is selected as the payment method. For this purpose, the customer’s name, address, IP, and partial credit card will be transmitted to: Signifyd, Inc., 2540 N. First Street, Suite 300, San Jose, CA 95131. The credit assessment involves the use of probability values (score values), whose calculation includes address data. The calculation of these scoring values is based on a scientifically recognized mathematical-statistical procedure. Additional information on how Signifyd handles your personal data can be found in the Signifyd European Data, Privacy and Security Policy. In case of insufficient creditworthiness, purchase order, money order, credit card or direct debit will not be accepted as a payment method. If you do not agree to the data transfer, please use another method of payment.
Payment service provider
PayPal acts as an online payment service provider and trustee and offers buyer and seller protection services. When paying via PayPal, credit card via PayPal, direct debit via PayPal or - if offered - purchase on account via PayPal, your name, email address, purchased products, invoice amount, as well as your invoice and delivery address will be transferred to PayPal as part of payment processing. When using the following payment methods: credit card via PayPal, direct debit via PayPal or - if offered - purchase on account via PayPal, PayPal may conduct a credit check in order to check your creditworthiness and to minimize payment defaults before deciding to approve the payment process. The credit assessment involves the use of probability values (score values), whose calculation includes address data. The calculation of these scoring values is based on a scientifically recognized mathematical-statistical procedure. In case of insufficient creditworthiness PayPal can refuse the chosen payment method. The legal basis for processing is Art. 6 para. 1 lit. b GDPR.
If you do not agree with the data transmission, or if you believe that your creditworthiness is not suitable for the chosen method of payment, please use another method of payment. Additional information on how PayPal handles your personal information can be found in PayPal’s data protection declaration.
Statistics and Analysis
We use the “Facebook pixel” on our website. The provider is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, is responsible for processing the personal data of persons in the EU.
Facebook has joined the EU/US Privacy Shield Agreement, thereby committing itself to complying with European data protection standards and thus has fulfilled the EU requirements for legitimizing the transfer of personal data to the USA. Information on Facebook’s commitment can be found here.
The use of this technology enables Facebook to assign visitors to our website to specific groups (for example, visitors to our website according to the areas of interest we have sent to Facebook - the “custom audiences”) for the display of specific advertisements and to thus be able to recognize these groups. This ensures that these users are only shown advertisements that match their interests and that inconveniences caused by inappropriate advertising are avoided. By using the Facebook pixel, we can also monitor the effectiveness of our Facebook advertisements for statistical purposes and track whether and how a user has used our services after clicking on an advertisement.
Additional information about the Facebook pixel and how it works can be found here. Detailed information on how Facebook processes the data it collects and general information about Facebook advertisements can be found in Facebook’s data protection declaration. In your Facebook, account under the heading “Settings,” you can object to the collection of your data via the Facebook pixel and its use for displaying specific advertisements. Information on these settings can be found here (login necessary).
The use of the Facebook Pixel helps us to appropriately advertise our products and services without inconveniencing the recipients of this advertising with inappropriate advertising. The legal basis for the use of the Facebook pixel is our legitimate interests and the legitimate interests of third parties in these purposes, in accordance with Art. 6 para. 1 lit. f GDPR.
Provider of the following Google services is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter, “Google”).
The legal basis for the use of the following Google services is our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR.
Google has joined the EU/US Privacy Shield Agreement, thereby committing itself to complying with European data protection standards and thus has fulfilled the EU requirements for legitimizing the transfer of personal data to the USA. Information on Google’s commitment can be found here.
Additional information on how Google handles your personal data can be found in Google’s data protection declaration. Information on how Google uses data for advertising purposes, information about setting options and how to object to the use of your data for advertising purposes can be found on these Google pages: How we use data from websites or apps where our services are used, advertising, Settings for advertising, and Ads Settings.
Google Analytics demographic features
This website uses the “demographic features” function as part of Google Analytics. This function allows us to generate reports that contain information about the age, gender and interests of our site visitors. This data comes from Google’s interest-based advertising and from visitor data from third-party providers. This data cannot be assigned to a specific person. The legal basis for the use of the following Google services is our legitimate interest in optimizing and optimally marketing our website in accordance with Art. 6 para. 1 lit. f GDPR.
You can disable this feature at any time by using your Google account’s ad preferences or opt-out of having Google Analytics collect your information, as described in the “object to data collection” section.
Google Analytics Remarketing
Google AdWords with conversion tracking
Google Web Fonts
This website uses external fonts from Google, web fonts, to display fonts. In order to do this, your browser loads the required web font into the browser cache when you access the web page. If your browser does not support this function, your computer will use a standard font to display the website. This service collects your IP address, which of our web pages you have visited and, if applicable, other data Google needs for the provision of the web fonts. The information collected about your use of this website is stored on a server in the USA. This information may also be transferred to third parties if this is required by law or if third parties process this data on our behalf or on the behalf of Google.
EU-US Privacy Shield
What, Why, Who Else and You
The data processed, the purposes of data processing, third parties with whom we may share customer data, and your rights are all discussed above. Please scroll up to read again.
You may choose to opt out of having your personal information disclosed to a non-agent third party, or used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized. To exercise this choice, contact the privacy officer listed above.
Liability for Transfers
If we receive personal data subject to our certification under the Privacy Shield and then transfer it to a third-party service provider acting as an agent on our behalf, we have certain liability under the Privacy Shield if both (i) the agent processes the personal data in a manner inconsistent with the Privacy Shield and (ii) we are responsible for the event giving rise to the damage.
Questions or Complaints
If you are a resident of a European country participating in the Privacy Shield and you believe we maintain your personal data within the scope of this Privacy Shield certification, you may direct any questions or complaints concerning our Privacy Shield compliance to our privacy officer using the contact information provided above.
In compliance with the Privacy Shield Principles, we commit to resolving complaints about our collection or use of your personal information. We also commit to cooperating with the EU data protection authorities (DPAs) under the EU-US Privacy Shield Framework, and to complying with the advice given by the EU DPAs under the Framework with regard to personal data transferred from the EU. The independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual is the panel established by DPAs.
You may also be able to invoke binding arbitration for unresolved complaints, but prior to initiating such arbitration, a resident of a European country participating in the Privacy Shield must first: (1) contact us and afford us the opportunity to resolve the issue; and (2) contact the U.S. Department of Commerce (either directly or through a European Data Protection Authority), affording the Department of Commerce time to attempt to resolve the issue. If you invoke binding arbitration, each party will be responsible for its own attorney’s fees. Please note that, pursuant to the Privacy Shield, the arbitrator may only impose individual-specific, non-monetary, equitable relief necessary to remedy any violation of the Privacy Shield Principles with respect to the resident.
US FTC Enforcement
Our Privacy Shield compliance is subject to the investigatory and enforcement powers of the US Federal Trade Commission.
For California Residents
Your California Privacy Rights
As noted above, we do not share your information for direct marketing purposes. But our lawyer said we need to tell you that California Civil Code Section 1798.83 permits users of our website who are California residents to request and obtain from us a list of what personal information (if any) we have shared with third parties or corporate affiliates for those entities’ direct marketing purposes in the preceding calendar year, and the names and addresses of those third parties. Requests may be made only once a year and are free of charge.
If you are a California resident and would like a copy of this notice, please submit a written request to the following address: iFixit, Attn: Privacy Agent, 1330 Monterey St, CA 93401. For all requests, you must put the statement “California Privacy Rights Notice” in the body of your request, as well as your name, street address, city, state, and zip code. You also need to attest to the fact that you are a California resident and provide a current California address for our response. Please note that we will not accept requests via telephone, email or facsimile, and we are not responsible for notices that are not labeled or sent properly, or that do not contain complete information.
California Do Not Track Disclosures
California Business & Professions Code Section 22575(b) (as amended effective January 1, 2014) provides that California residents are entitled to know how a website operator responds to “Do Not Track” (DNT) browser settings. DNT is a feature offered by some browsers which, when enabled, sends a signal to websites to request that your browsing is not tracked, such as by third party ad networks, social networks and analytic companies. We do not currently take actions to respond to DNT signals because a uniform technological standard has not yet been developed. We continue to review new technologies and may adopt a DNT standard once one is created. For information about DNT, visit All About DNT.