
Privacy policy

Data protection declaration of Sacherei e.U. ("SHAMAMA-Energy"; "we"), Altenbergerstraße 189, 4203 Altenberg near Linz, Austria, for the website ("Website").


In the following, we provide you with comprehensive information on the extent to which we process your data and what rights you have in this respect. The protection of your privacy is of great concern to us and we would like to inform you accordingly about your rights and possibilities in order to promote a trustful business relationship in the long term. Our data protection practice is in accordance with the General Data Protection Regulation of the European Union ("DSGVO") in conjunction with the Austrian Data Protection Amendment Act 2018 ("DSG"), the Telecommunications Act (TKG) and other relevant legal provisions.


As a matter of principle, data protection regulations must always be observed when personal data is processed. For the scope of this data protection declaration, the terminology of the DSGVO is used. This means that the "processing" of personal data essentially includes any handling of the same. Insofar as the data processed by us can be related to human beings and - even if only via third parties, in an overview or by means of additional knowledge - you can be identified as a person (in particular by finding out your full name), this is always personal data.


The present data protection declaration refers exclusively to the listed website. If you are redirected to other websites via links on our website, please inform yourself directly on the target page about the respective handling of your data. We cannot assume any responsibility or liability for the content of third party websites that are linked via our website.


1. Data processing when using our website

When you visit our website, we collect the following data: IP address.


You can visit our website without having to provide personal information. Only certain access data (your IP address and other meta data concerning your surfing behaviour, e.g. date/time of access, requesting provider) are processed when you access our website. This data processing is carried out for the purpose of traceability of visitors as well as for the purpose of security and improvement of the quality of our offer and is based on Art 6 para. 1 lit f DSGVO (predominant legitimate interests, namely achieving the purposes just mentioned). However, this information does not allow us to draw conclusions about your person. As a mere website visitor you can inform yourself about our offers and activities without obligation.


2. Data processing if you become our customer and want to purchase products

If you have decided to use our offer, you will have to provide certain information for the contract processing. For this purpose it is necessary that you create a customer account with us. Before purchasing a product, you must or can therefore provide the following personal data, which we will subsequently process:


First name, last name

E-mail address

Postal address

Date of birth

Company (optional)

Phone number (optional)

This information is required by us in order to be able to fulfill contracts concluded with us (Art. 6 para. 1 lit b DSGVO), as well as after the order has been processed, especially in the event of withdrawal and warranty claims. We therefore also store the data, whereby we only retain it for as long as we reasonably deem necessary to achieve the purpose of fulfilling the contract and as permitted by applicable law. In any case, we store the personal data for as long as statutory storage obligations exist or the limitation periods for potential legal claims have not yet expired. As far as the storage of the data is no longer necessary for the purposes of the original collection (or within the scope of a legally permissible change of purpose) and no legal provisions oppose this, we will arrange for the deletion of the data.

In order to fulfill contracts with our customers, we use contract processors who process personal data on our behalf. Our processors are contractually bound to our data protection practices and will treat your personal data as strictly confidential. Under no circumstances will they transfer your data to third parties without your express consent or use it for purposes other than to fulfill their obligations to Shamama and in accordance with our express instructions.


The processors are in particular the transport company DPD Direct Parcel Distribution Austria GmbH, Arbeitergasse 46, 2333 Leopoldsdorf, Austria, and Österreichische Post Aktiengesellschaft, Rochusplatz 1, 1030 Vienna, which we use for the delivery of the products. In this context, we only transfer to the company those data that are required for the processing of the product shipment (full name and postal address). The company will only process this data in accordance with the provisions of the DSGVO.


3. Payments

If you decide to purchase products in our webshop, you or we may need to engage a payment service provider (also an order processor) to process the transaction. In doing so, certain (personal) (payment) data will be transmitted, the storage and processing of which we have largely no influence on. The transmission is again exclusively for the purpose of fulfilling the contract concluded with us. In some cases, the selected payment service providers also collect this data themselves, especially if you (have to) open an account there. In this respect, the data protection declaration of the respective provider applies; our data protection declaration is only intended to provide you with information about which recipients may receive your payment data.


When selecting the payment method:


Credit card (American Express, Diners Club, Mastercard, Visa)

EPS bank transfer




you will be redirected - depending on your selection - to the respective website of the provider. Any data that you have already entered in the ordering process (name, total amount of the order) will then be transmitted to this provider so that payment can be made.


4. Data processing of minors / children

As far as the data processing of persons under the age of sixteen (16) is concerned, the DSGVO places increased demands in connection with the necessary consent of their respective legal representatives. The products offered on our website are, in accordance with the relevant Austrian regulations for the protection of minors, not accessible to persons of this age group. Shamama takes these requirements into account by requesting the date of birth of the customer when creating a customer account. If, for any reason, data of minors or children is processed, a deletion can be requested at any time (see also point 5 c).

5. Rights of data subjects

A major concern of data protection law is to grant you certain disposition possibilities regarding your personal data even after a data processing has already started. For this purpose, there are a number of rights of data subjects, which we will comply with upon your request without delay, but in principle within one (1) month at the latest. To exercise your rights, please contact us at the following e-mail address: In detail, the following rights are provided:


If you exercise your right to information and there are no legal restrictions to the contrary, we will provide you with comprehensive information about our processing of your data. To this end, we will provide you with (i) copies of the data (e-mails, database extracts, etc.), as well as information on (ii) specifically processed data, (iii) processing purposes, (iv) categories of processed data, (v) recipients, (vi) the storage period or criteria for determining it, (vii) the origin of the data and (viii) further information depending on the individual case. Please note, however, that we are unable to provide any documents that could affect the rights of other persons.


With the right of rectification, you can request that we correct data that is incorrectly recorded, has become incorrect or (for the purpose of the processing in question) is incomplete. Your request will then be examined, and the data processing concerned may be restricted for the duration of the examination upon request.


The right to (data) deletion can be exercised (i) in the absence of necessity with regard to the purpose of processing, (ii) in the event of revocation of a consent granted by you, (iii) in the event of a specific objection, insofar as the data processing concerned is based on the legitimate interests of SHAMAMA, (iv) in the event of unlawful data processing, (v) in the event of a legal obligation to delete, and (vi) in the event of data processing of minors under the age of 16.


An accompanying right to restriction, after the exercise of which the data concerned may only be stored, exists (only) in special cases. In addition to the possibility of restriction for the duration of the examination of data corrections, (i) the illegal data processing (if no deletion is requested) and (ii) the duration of the examination of a special objection request are covered.


Furthermore, you have a fundamental right to object to data processing at any time. However, this only applies if the processing is based on the legitimate interests of Shamama.


You also have a right to data transferability, after the exercise of which the data concerned must be received in a structured, common and machine-readable format and transferred to another responsible party.


You can also exercise your right of appeal to the supervisory authority (see point 10).


Please also note that we may not be able to comply with your request due to compelling reasons for processing worthy of protection (weighing up of interests) or processing due to the assertion, exercise or defense of legal claims (on our part). The same applies in the case of excessive requests, whereby a fee may be charged here as well as in the case of obviously unfounded requests.


6. Data security; data deletion

SHAMAMA takes all appropriate technical and organizational measures to ensure that only those personal data are processed by default, the processing of which is absolutely necessary for the business purpose. The measures taken by SHAMAMA concern both the quantity of data collected, the scope of processing, as well as their retention period and accessibility. By means of these measures, SHAMAMA ensures that personal data is made available by presetting only to a strictly limited and necessary number of persons. Under no circumstances will other persons be granted access to personal data without the express consent of the person concerned. SHAMAMA also uses various protection mechanisms (backups, encryption) to secure the website and other systems. This is intended to protect your (personal) data in the best possible way against loss or theft, destruction, unauthorized access, modification and distribution.


In accordance with the provisions of the DSGVO, all (personal) data collected by us via the website will only be stored for as long as it is required in view of the legal reason for processing, unless longer-term storage is required by law. We comply with our obligation to delete data on the basis of our specific internal company deletion concept, whereby we can provide more detailed information on request.


All employees of SHAMAMA have been adequately informed about all applicable data protection regulations, internal data protection rules and data security measures and are required to keep secret all information entrusted or made available to them in the course of their professional activities. In doing so, the provisions of the DSGVO are strictly adhered to and personal data is only made available to individual employees to the extent necessary in view of the purpose of data collection and our obligations arising from it. Insofar as SHAMAMA uses contract processors, these are also obliged to comply with all applicable data protection regulations on the basis of specific framework agreements. In addition, they are strictly bound by our guidelines in terms of the type and scope of the handling of your (personal) data.


7. Data transfer

For the purposes explained in this privacy policy, we will transfer your (personal) data to recipients in the following categories:


Within our organization, your data will be disclosed to those entities or employees who need to know your data in order to fulfill their contractual or legal obligations or as a result of data processing activities that are based on our legitimate interests.


In addition, (external) processors commissioned by us receive your data if they need the data to perform their respective services (whereby one access possibility to personal data is sufficient). All processors are contractually obligated to treat your data confidentially and to process it only within the scope of providing their services. This includes the following categories of recipients:



Customer Management

Product Management


Shipping & Transport

Hosting provider

Payment provider


We always have an up-to-date list of our recipient categories with regard to data transmissions and processors.


Some of the above-mentioned recipients are located outside the EU or process your (personal) data there. However, we take measures to ensure that all recipients have an adequate level of data protection. To this end, we conclude standard contractual clauses, for example, which can be transferred on request. Alternatively, we use providers that are certified in accordance with the EU-US Privacy Shield and for this reason have an adequate level of data protection in accordance with the DSGVO (in accordance with the European Commission's adequacy decision).


If we use contract processors, they are bound by our data protection practices as mentioned above and will treat your personal data as strictly confidential. Under no circumstances will they transfer your data to third parties without your express consent or use them for purposes other than those intended for the fulfilment of their obligations to SHAMAMA and on the basis of our express instructions.


8. Cookies

We use so-called cookies, small text files that are stored on your computer when you access our website. They help us to make our offer more user-friendly, attractive and secure. In many cases these are "session cookies", which are deleted without any action on your part as soon as you end your current browser session. Other cookies (e.g. for storing your language setting) remain for a longer period of time or until you remove them manually. As a rule, cookies do not contain any personal data.


Most browsers accept cookies automatically. However, you have the option of adjusting your browser settings so that cookies are either generally rejected or only certain types are permitted (e.g. limiting the refusal to third-party cookies). If you change the cookie settings of your browser, however, you may no longer be able to use our website to its full extent. The settings options for the most common browsers can be found at the following links:


Internet Explorer™:






9. Google Analytics

Our website uses Universal Analytics, the new generation web analytics tool Google Analytics from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). This enables a comprehensive analysis of the use of the website by the customer. When visiting the website, you will be given a specific user ID, which enables activities to be assigned across devices (computer, smartphone, tablet, etc.) (user-based tracking). However, this requires you to register or log on to our website. The stored User-ID is used exclusively as a pseudonym. If the website is only visited as a guest, you will only be assigned one client ID; if you use different terminals, one will be generated anew each time. Tracking on our website is done by the tracking code analytics.js (JavaScript). The data is organized in so-called dimensions, which are made up of measured values. In this context, we process your data on the basis of our predominant legitimate interest in creating easy-to-use website access statistics in a cost-efficient manner (Art 6 para. 1 lit f DSGVO).


By using the software, a cookie is set (for the client ID) which is stored on your computer. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there. However, due to the activation of IP anonymization on this website, your IP address will first be shortened by Google within member states of the European Union or in other states which are parties to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for us and providing other services relating to website activity and internet usage. The IP address transmitted by your browser within the framework of Google Analytics is not combined with other data from Google.


Google is a participant in the EU-US Privacy Shield, which obliges the company to comply with the agreement and to maintain a level of data protection that complies with European data protection standards on a permanent basis. The Privacy Shield certification can be viewed at With the procedure described under point 8, you can prevent the storage of cookies by setting your browser software accordingly (possibly limited to third-party cookies). Alternatively, you can also click here to set an opt-out cookie, which will be stored on your end device and will also prevent the collection of your data by Google Analytics. However, if you delete your stored cookies, this step will be necessary again. We would like to point out, however, that you may then not be able to use all functions of the website to their full extent. Google Analytics, however, collects certain user interaction data even without cookies and transfers them to a Google server in the USA. You can prevent the collection of data relating to your use of the website (including your IP address) and its processing by Google by downloading and installing the browser plug-in available at the following link:


Further information on data protection in connection with Google Analytics and your options in this regard can be found at


10. Right of appeal

If you believe that we have violated applicable data protection laws in processing your data, you have the right to file a complaint with the Austrian data protection authority. The requirements for such a complaint are governed by § 24ff DSG. However, we request that you contact us beforehand in order to clarify any questions or problems. The contact details of the data protection authority are as follows:


Austrian Data Protection Authority

Wickenburggasse 8

1080 Vienna



Phone: +43 1 52 152-0



11. Contact for data protection questions, messages, requests

Please use the following contact address for questions, messages or requests concerning data protection:


Sacherei e.U. / SHAMAMA Energy 

Mag. Madeleine Dumhart

Altenbergerstraße 189

4203 Altenberg near Linz 



Phone: +43 732 776 348


