Privacy Policy

of K-Solutions GmbH (“RAW Looks”, “we”, “us”, “our”)
Last updated: November 2025

1. Who Is Responsible and How Can You Contact Us?

Controller under data protection law (Art. 4(7) GDPR):

K-Solutions GmbH
Industriestraße 33e
81245 Munich
Germany
Email: [email protected]

For any questions about this Privacy Policy or to exercise your data protection rights, you can contact us at the email address above at any time.

If we exceptionally process data as a joint controller together with another party or as a processor for someone else, we will explain that in the relevant section below.

2. Summary of Key Points

This Privacy Policy explains how we collect, process, store and use personal data when you visit our website, create an account, subscribe to newsletters, interact with brands/products, or click affiliate links.

It applies to all visitors and users globally, as long as we control the processing of their data.

Key highlights:

You can generally use RAW Looks without creating an account; some services (e.g. wishlists, follow functions, recommendations) require registration and certain mandatory details.
We use cookies and similar technologies; you can give or withdraw consent at any time in our Privacy / Cookie Settings (Consent Management Platform – “CMP”).
We process data for contract performance, based on your consent, to comply with legal obligations, and on the basis of our legitimate interests (e.g. security, analytics, marketing).
We use service providers and, where applicable, tools such as web analytics, A/B testing, Hotjar-style user behaviour analysis, Google/Meta advertising tools and affiliate networks. These may involve international transfers with appropriate safeguards (e.g. EU Standard Contractual Clauses).
We keep your data only as long as necessary or legally required.
We do not knowingly process personal data of children under 16.
You have comprehensive GDPR rights (access, rectification, erasure, restriction, portability, objection, consent withdrawal, complaint).

3. What Information Do We Collect?

3.1 Data you provide to us

We collect personal data that you actively provide, for example when you:
visit and use our website,
register a user account,
subscribe to newsletters,
like/follow brands or products,
enter competitions or promotions,
contact us by email or using a contact form.

Depending on the specific feature, this may include:

Username
Email address
Password (stored only in hashed form)
User settings and preferences (e.g. favourite brands, liked stores)
Communication content and metadata (support requests, enquiries)

Mandatory information is marked as such (for example with “*”). Without this data, we cannot provide the corresponding service or process your request.

3.2 Data collected automatically (server logs, usage data)

When you visit our website purely for information (i.e. without registering or otherwise sending data), we automatically collect certain data that your browser transmits to our servers:

IP address
Date and time of the request
Time zone difference to GMT
Requested URL / page
HTTP status code / access status
Amount of data transferred
Referring URL (previous page)
Browser type, language and version
Operating system and device information

This information is stored temporarily in server log files for security reasons (e.g. to investigate misuse or attacks) and for troubleshooting. We normally keep server logs for a maximum of 7–10 days and then delete or anonymise them. If logs are needed as evidence in an individual case, we retain them until the incident has been fully clarified.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure, stable operation and detection of misuse).

3.3 Affiliate tracking data

As an affiliate platform we track, when you click on product links:

click IDs and referral IDs,
partner and campaign identifiers,
pseudonymous session identifiers,
aggregated conversion data (for example that a purchase occurred at a partner shop – we do not see full order details).

We use this to measure the success of our partners’ offers and calculate commissions.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating our affiliate-based business model).

3.4 Newsletter and communication data

If you choose to create a customer account:

we process the registration details (for example email, password, optional name),
your login history (IP and timestamps) to prevent misuse,
your settings, preferences and stored favourites.

Legal basis: Art. 6(1)(b) GDPR (contract performance); Art. 6(1)(f) GDPR (legitimate interest in preventing abuse and proving registration).

Note: RAW Looks does not currently process payment data because all purchases take place exclusively on partner sites. If this changes in future, we will update this Privacy Policy with detailed information on payment service providers and legal bases.

3.5 Customer account data

If you choose to create a customer account:

we process the registration details (email, password, username),
your login history (IP and timestamps) to prevent misuse,
your settings, preferences and stored favourites.

Legal basis: Art. 6(1)(b) GDPR (contract performance); Art. 6(1)(f) GDPR (legitimate interest in preventing abuse and proving registration).

3.6 Contact forms and email enquiries

If you contact us by email or via a contact form, we process:

your email address,
your name and other details if provided,
content of your message,
technical metadata (for example time and IP in case of abuse prevention).

We use this solely to handle your enquiry and any follow-up questions.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual or contractual communications) or Art. 6(1)(f) GDPR (legitimate interest in effective communication), depending on the context.

4. For What Purposes and on What Legal Bases Do We Process Your Data?

We process your data for the following main purposes. For each purpose we state the legal basis and, where applicable, our legitimate interests:

Provision and operation of our website and Platform (including basic functions, navigation, load balancing, and display of content)
Legal basis: Art. 6(1)(b) GDPR (contract performance) where you are a registered user, otherwise Art. 6(1)(f) GDPR (legitimate interest in providing a secure and functional online offering).
Creating and managing user accounts and customer relationships (registration, login, wishlists, follows/likes, product notifications, competitions)
Legal basis: Art. 6(1)(b) GDPR (contract performance).
Personalising content and recommendations (for example showing products and brands that match your preferences)
Legal basis: Art. 6(1)(f) GDPR. Legitimate interest: providing a relevant, user-friendly and efficient service by adapting our offering to your interests.
Web analytics, reach measurement and market research (for example page statistics, traffic analysis, A/B tests)
Legal basis: Art. 6(1)(a) GDPR where tools require consent; otherwise Art. 6(1)(f) GDPR. Legitimate interest: understanding how our services are used so we can improve them.
Interest-based advertising and affiliate marketing (for example via tracking pixels, retargeting, conversion measurement, partner programmes)
Legal basis: Art. 6(1)(a) GDPR (consent). Our interest: monetising our Platform while showing users relevant advertising and partner offers.
Direct marketing for our own and partners’ products and services (for example newsletters, product recommendations by email, onsite banners)
Legal basis: Art. 6(1)(a) GDPR (consent) where required; Art. 6(1)(f) GDPR (legitimate interest in lawful direct marketing) where permitted by competition law.
Use of social plugins, share functions and social logins
Legal basis: Art. 6(1)(a) GDPR (your activation or consent) or Art. 6(1)(f) GDPR. Legitimate interest: enabling convenient sharing and login options that users request.
Ensuring IT security and detection of faults, misuse or attacks (including logging, monitoring and analysis of suspicious behaviour)
Legal basis: Art. 6(1)(c) GDPR (legal obligations regarding data security) and Art. 6(1)(f) GDPR. Legitimate interest: protecting our systems, safeguarding data and enforcing our rights.
Compliance with legal obligations (for example tax and accounting rules, commercial retention obligations, regulatory requests)
Legal basis: Art. 6(1)(c) GDPR.
Assertion, exercise or defence of legal claims (for example preservation of evidence, correspondence with legal counsel, court proceedings)
Legal basis: Art. 6(1)(f) GDPR. Legitimate interest: enforcing or defending legal claims.

You can request more detail about our legitimate interest balancing tests using the contact details in section 1.

5. Cookies and Other Tracking Technologies

5.1 What are cookies and similar technologies?

Cookies are small text files stored on your device by your browser. We also use comparable technologies (for example local storage, pixels, tags, SDKs).

Cookies may be:

session cookies – deleted when you close your browser,
persistent cookies – stored for a defined period or until you delete them.

5.2 Which categories of cookies do we use?

We use the following categories:

Strictly necessary cookies
Required for technical operation and basic features (for example login sessions, remembering cookie choices).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a functional website).
Functional cookies
Remember settings and preferences (for example language, filters).
Legal basis: Art. 6(1)(a) GDPR (consent) or Art. 6(1)(f) GDPR, depending on the specific cookie.
Analytics and performance cookies
Measure usage and help us understand how visitors interact with our site (for example Google Analytics or comparable tools).
Legal basis: usually Art. 6(1)(a) GDPR (consent).
Marketing, retargeting and affiliate cookies
Support interest-based advertising and affiliate commission tracking (for example Google Ads, Meta Pixel, affiliate network tags).
Legal basis: Art. 6(1)(a) GDPR (consent).

5.3 CMP and withdrawing cookie consent

All non-essential cookies are controlled via our Consent Management Platform (CMP), accessible via “Privacy Settings” or a similar link/footer entry.

You can:

give or deny consent for each cookie category, and
withdraw consent at any time with effect for the future by changing your settings in the CMP.

You can also delete cookies in your browser at any time. If you block all cookies, some functions of our site may no longer be available.

6. Web Analytics and Online Marketing Tools

Important: the tools listed in this section represent typical solutions (for example Google Analytics, Google Ads, Hotjar-style behaviour analysis, Meta Pixel). Exactly which tools we use at any given time and their providers are shown in your CMP / Privacy Settings.

6.1 Web analytics (for example Google Analytics)

We may use analytics tools to evaluate how our site is used and to improve it (reach measurement and behavioural analysis).

Such tools typically:

use cookies or similar technologies,
collect pseudonymous data (for example truncated IP, click behaviour, page views),
store data for a defined period (for example up to 24 months),
apply IP anonymisation so full IP addresses are not stored.

Analytics data may be processed on servers outside the EU, especially in the USA. In that case we rely on EU Standard Contractual Clauses and additional safeguards.

Legal basis: your consent (Art. 6(1)(a) GDPR), obtained through the CMP. If you do not grant consent, analytics tools are not used. You can withdraw consent at any time via our CMP / Privacy Settings.

6.2 Advertising and conversion tracking (for example Google Ads, Meta Pixel)

We may run online campaigns using external advertising networks, such as:

Google Ads / Google Ad Manager,
Meta (Facebook/Instagram) advertising tools and pixel,
other advertising networks.

These tools may create pseudonymous usage profiles to deliver targeted advertising and measure conversions (for example whether someone completed a purchase at a partner after seeing our ad). We usually see only aggregated statistics, not your full profile.

Where these tools involve transfers to third countries (especially the USA), we use EU Standard Contractual Clauses and additional safeguards.

Legal basis: your consent (Art. 6(1)(a) GDPR). Without consent, we do not use these tools. You can withdraw consent at any time via our CMP / Privacy Settings.

6.3 Behaviour analytics (for example Hotjar-style tools)

We may use user behaviour analysis tools to understand how visitors interact (for example clicks, mouse movements, scroll depth, heatmaps).

These tools:

use cookies or similar technologies,
collect pseudonymous data (for example truncated IP, device type, browser, visited pages, time spent),
help us optimise usability and design.

Data is usually stored for a limited time (for example up to 365 days) and then deleted or anonymised.

Legal basis: your consent (Art. 6(1)(a) GDPR). No tracking occurs without your consent, and you can withdraw consent at any time via the CMP.

7. Social Plugins and Social Logins

7.1 Social plugins and share buttons

Our site may include buttons or widgets for social networks (for example Facebook, Instagram, X/Twitter, Pinterest). They allow you to share content or follow us directly from the page.

To protect your privacy, these plugins may be implemented in a way that they only send data once you actively click them.

Legal basis: Art. 6(1)(a) GDPR (your explicit action/click) or Art. 6(1)(f) GDPR (legitimate interest in providing social features), depending on implementation.

7.2 Social logins (for example Facebook, Google)

Instead of direct registration, you may log in using an existing account with, for example:

Meta (Facebook),
Google,
other supported providers (as we may offer from time to time).

When you choose this option, you are redirected to the provider’s login page and grant us access to certain personal data (for example email address, public profile data). We then use that information to create or log into your RAW Looks account.

Legal basis: Art. 6(1)(b) GDPR (contract performance – login and account management) and, where applicable, Art. 6(1)(f) GDPR (convenient registration and prevention of abuse).

Data received via social login is treated in the same way as data from direct registration. If you disconnect the social login or delete your account, we remove this linkage subject to retention requirements.

8. International Data Transfers

We may transfer personal data to recipients outside the European Economic Area (EEA), particularly where:

service providers (processors) are based in such countries (for example US-based hosting, analytics, email services), or
advertising and analytics tools use servers in those regions, or
affiliate networks or partner shops are located there.

Where no EU adequacy decision exists, we ensure an adequate level of protection using:

EU Standard Contractual Clauses (Art. 46(2)(c) GDPR), and
where necessary, additional technical and organisational security measures.

You can request a copy of the relevant safeguards using the contact details in section 1.

9. Data Recipients Within RAW Looks and External Parties

9.1 Internal recipients

Within K-Solutions GmbH, only those departments and persons have access to your data who need it for the purposes described (for example product, marketing, tech, support, accounting).

9.2 External recipients

We may share data with:

Service providers (processors) operating our infrastructure, platform and tools (hosting providers, email services, analytics tools, CMP providers and similar). These are bound by contracts and may process data only on our instructions.
Advertising and analytics partners, as explained in section 6, with whom we may have data processing agreements or who act as independent controllers.
Affiliate networks and partner shops, usually only in pseudonymous form for commission tracking.
Public bodies (courts, tax authorities, law enforcement) where we are legally obliged to disclose data.
Auditors and legal advisors, where necessary for audits or enforcement and defence of legal claims.

10. How Long Do We Keep Your Information?

Where possible, we state specific retention periods in the sections above. Otherwise, we apply these principles:

We keep your personal data only as long as it is necessary for the purposes for which it was collected.
When the data is no longer required (for example because contractual obligations are fulfilled and no overriding interests exist), we delete or anonymise it, unless a legal obligation requires further storage.
Legal retention periods under commercial and tax law can be 2–10 years.
Claims under civil law may require us to store data for the duration of applicable limitation periods (typically up to 3 years, in some cases longer).

Data that is subject to retention obligations is blocked and processed only for those obligations.

11. Do We Collect Information From Minors?

Our services are not directed at children under 16. We do not knowingly collect personal data from minors. If we become aware that a child has provided personal data, we will delete it without undue delay.

12. Are You Obliged to Provide Personal Data?

You are not legally required to provide your personal data to us. However, some data is necessary to:

use our website without errors (for example basic technical data),
register and log into an account,
receive newsletters,
benefit from personalised functions.

If you do not provide the necessary data, the corresponding features may not be available.

13. Do We Use Automated Decision-Making or Profiling?

We do not use automated decision-making in the sense of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.

We may use profiling in the context of:

interest-based advertising,
personalising content and recommendations,
web analytics and marketing tools.

This is always limited to the purposes described (for example showing products or ads likely to interest you) and based on your consent or our legitimate interests as explained above.

14. Your Data Protection Rights

You have the following rights under the GDPR:

Right of access (Art. 15 GDPR) – obtain information about the data we hold about you.
Right to rectification (Art. 16 GDPR) – correct inaccurate or incomplete data.
Right to erasure (Art. 17 GDPR) – request deletion of your data under certain conditions.
Right to restriction of processing (Art. 18 GDPR).
Right to data portability (Art. 20 GDPR) – receive your data in a structured, commonly used and machine-readable format and have it transmitted to another controller.
Right to withdraw consent (Art. 7(3) GDPR) – at any time with effect for the future.
Right to object (Art. 21 GDPR) –
You may object at any time to processing based on our legitimate interests, on grounds relating to your particular situation.
You also have the right to object at any time to processing of your data for direct marketing; in that case we will stop using your data for this purpose.
Right to lodge a complaint (Art. 77 GDPR) – with a supervisory authority. You may contact any competent authority, for example the data protection authority of your place of residence. For us, the competent authority is typically the Bavarian State Office for Data Protection Supervision (BayLDA).

To exercise your rights, please contact us using the details in section 1.

15. Controls for Do-Not-Track Features

Some browsers provide a “Do-Not-Track” (DNT) feature. There is currently no standardised interpretation of these signals. We therefore do not respond to DNT signals at this time. If a standard is adopted in the future, we will update this section.

16. If We Provide an App: App Stores and Deleting the App

If we offer a mobile app and you download it via an app store (for example Apple App Store, Google Play), the app store operator processes personal data under its own responsibility (for example your store account, device ID, purchase data). We have no control over that processing; please refer to the app store’s own privacy notice.

If you delete our app from your device, local data stored by the app is removed. Server-side data remains stored as described in this Privacy Policy and will be deleted once the relevant retention periods expire or you delete your account.

17. Security Measures

We implement appropriate technical and organisational measures to protect your data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These may include:

SSL/TLS encryption,
strict access control and role-based permissions,
secure data centres,
regular security updates and audits,
pseudonymisation and encryption of certain data.

No system is 100% secure, but we continuously improve our security practices.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time, for example if our processing changes or legal requirements are updated.

The current version is always available on our website. If we make material changes, we may inform you by email or via an in-product notification.

19. How Can You Review, Update or Delete the Data We Collect From You?