Skip to content

Cart

Your cart is empty

Privacy Policy



1. Information about the collection of personal data and contact details of the controller
2. Data collection when visiting our website
3. Cookies
4. Data processing for order processing
5. Data processing when opening a customer account and for contract processing
6. Contact
7. Comment function
8. Use of your data for direct marketing
9. Contacting us for a review reminder
10. Web analysis services
11. Retargeting / Remarketing / Recommendation Advertising
12. Tools and Other
13. Rights of the data subject
14. Duration of storage of personal data

1. Information about the collection of personal data and contact details of the controller

1.1 Thank you for visiting our website. Below, we would like to inform you about how we handle your personal data when you use our website. Personal data is generally all data that can be used to identify you personally.

1.2. The person responsible for the processing of data on our website within the meaning of the General Data Protection Regulation (GDPR) is:

Harold's Leather Goods GmbH
Lämmerspieler Strasse 40-42
Obertshausen Germany
Phone: 06104/79061
Fax:06104/75049
Email: service@harolds-bags.com

1.3 The controller has appointed the following data protection officer:

Thilo Schmelz
Lämmerspieler Straße 40-42
63179 Obertshausen
Phone: 06104/79061
Email: service@harolds-bags.com

1.4. To protect the security of your data during transmission, we use state-of-the-art encryption methods (e.g., SSL or TSL) over HTTPS.

2. Data collection when visiting our website

Each time you visit our website, our system automatically records data and information that your browser transmits to our server (so-called "server log files"). The following data, which is technically necessary for us, is collected:

Our visited website

Date and time of access

Amount of data sent in bytes

Source/reference from which you came to the page

Operating system used

Browser used

IP address used (if applicable: in anonymized form)

The legal basis for processing is Art. 6 (1) (f) GDPR, based on our legitimate interest in improving the stability and maintaining the functionality of our website. The data will not be shared or used for any other purpose. The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the user's IP address must be stored for the duration of the session.
We reserve the right to subsequently review the server log files should concrete evidence of illegal use arise. The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of data collected to provide the website, this is the case when the respective session ends.
If data is stored in log files, this occurs after a maximum of seven days. Longer storage is possible. In this case, the users' IP addresses are deleted or altered so that the accessing client can no longer be identified. The collection of data for providing the website and the storage of data in log files is essential for the operation of the website. Therefore, the user has no right to object.

3. Cookies

Our website uses cookies.

Cookies are text files stored on the user's device. When a user visits a website, a cookie may be stored on the user's operating system. Some functions of our website cannot be offered without the use of cookies. This requires that the browser is recognized even after changing pages. The user data collected by technically necessary cookies is not used to create user profiles. Our legitimate interest in processing personal data for the purposes stated above also lies in accordance with Art. 6 (1) (f) GDPR.

In addition, our website uses cookies that enable analysis of user browsing behavior (so-called third-party cookies). Further information on the scope, purpose, legal basis, and objection options can be found in the respective sections of the respective chapter of this privacy policy.

As a user, you have full control over the use of cookies. You can deactivate, restrict, or delete the transmission of cookies by changing the settings in your internet browser. If you deactivate cookies for our website, you may no longer be able to fully use all of the website's functions. You can prevent the transmission of Flash cookies by changing the Flash Player settings.

You can find help with the settings in your browser's help menu using the following links:
Internet Explorer: http://windows.microsoft.com/de-DE/windows-vista/Block-or-allow-cookies
Firefox: https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehne
Chrome: http://support.google.com/chrome/bin/answer.py?hl=de&hlrm=en&answer=95647
Safari: https://support.apple.com/de-de/guide/safari/sfri11471/mac
Opera: https://help.opera.com/en/latest/web-preferences/#cookies
Some of the cookies used here are deleted after you close your browser (so-called session cookies). Other cookies remain on your device and allow us or our partner companies (third-party cookies) to recognize your browser the next time you visit (persistent cookies). When cookies are set, they collect and process certain user information, such as browser and location data, as well as IP address values, to an individual extent. Persistent cookies are automatically deleted after a specified period of time, which can vary depending on the cookie.


4. Data processing for order processing

4.1. If you wish to place an order in our online shop, you must provide your personal data in order to conclude the contract. We will process the data you provide to process your order.

In some cases, we work with external service providers to process your order. For this, we must share the necessary personal data.

If we commission a transport company to deliver your goods, we will pass on your data required for the delivery of the goods to the respective transport company. For the processing of payments, we will pass on your data to the commissioned credit institution as necessary. If we use payment service providers, you will also be informed of this below.
The legal basis for the transfer of your data is Art. 6 (1) (b) GDPR.

4.2. Transfer of your personal data to shipping service providers

- DHL

If the goods are delivered to you by the transport service provider DHL (Deutsche Post AG, Charles-de-Gaulle-Straße 20, 53113 Bonn), we will only pass on the recipient's name and delivery address to DHL for the purpose of delivery and to the extent necessary in accordance with Art. 6 (1) (b) GDPR. Only if you have given your express consent during the ordering process will we pass on your email address to DHL prior to delivery of the goods for the purpose of coordinating a delivery date or for delivery notification in accordance with Art. 6 (1) (a) GDPR. Your consent can be revoked at any time with future effect by contacting the above-mentioned controller or the transport service provider DHL.

- DPD

If the goods are delivered to you by the transport service provider DPD (DPD Deutschland GmbH, Wailandtstraße 1, 63741 Aschaffenburg), we will only pass on the recipient's name and delivery address to DPD for the purpose of delivery and to the extent necessary in accordance with Art. 6 (1) (b) GDPR. Only if you have given your express consent during the ordering process will we pass on your email address to DPD prior to delivery of the goods for the purpose of coordinating a delivery date or for delivery notification in accordance with Art. 6 (1) (a) GDPR. Your consent can be revoked at any time with future effect by notifying the above-mentioned controller or the transport service provider DPD.

- UPS
If the goods are delivered to you by the transport service provider UPS (United Parcel Service Deutschland Inc. & Co. OHG, Görlitzer Straße 1, 41460 Neuss), we will only pass on the name of the recipient and the delivery address to UPS for the purpose of delivery and to the extent necessary in accordance with Art. 6 (1) (b) GDPR. Only if you have given your express consent during the ordering process will we pass on your email address to UPS in accordance with Art. 6 (1) (a) GDPR prior to delivery of the goods for the purpose of coordinating a delivery date or for delivery notification. Your consent can be revoked at any time with future effect by notifying the above-mentioned controller or the transport service provider UPS.

4.3. Use of payment service providers

- Amazon Pay

When paying via Amazon Pay, payment processing is carried out by Amazon Payments Europe sca, 5 Rue Plaetis, L-2338 Luxembourg (hereinafter referred to as "Amazon Payments"). The seller will forward the information provided by the customer during the order process to Amazon Payments in accordance with Art. 6 (1) (b) GDPR solely for the purpose of payment processing and only to the extent necessary. Further information on Amazon Payments' privacy policy can be found here: https://pay.amazon.com/de/help/201751600

- Paypal
If you select the payment method PayPal, credit card via PayPal, direct debit via PayPal or - if offered - "purchase on account" or "installment payment" via PayPal, the payment will be processed via PayPal (Europe) Sarl et Cie, SCA, 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter referred to as "PayPal").
We will share your personal data with PayPal as necessary in accordance with Art. 6 (1) (b) GDPR. PayPal reserves the right to conduct a credit check for payment methods such as credit card via PayPal, direct debit via PayPal, or – if offered – "purchase on account" or "payment by installments" via PayPal.
For this purpose, your payment data may be passed on to credit agencies in accordance with Art. 6 (1) (f) GDPR due to PayPal's legitimate interest in determining your ability to pay. PayPal uses the results of the credit check regarding the statistical probability of default to decide whether to provide the respective payment method.
The credit report may contain probability values (so-called scores). To the extent that scores are included in the credit report results, they are based on a scientifically recognized mathematical-statistical procedure. Address data, among other things, is used in the calculation of the scores.
What other data PayPal collects is set out in the respective PayPal privacy policy. This can be found at: https://www.paypal.com/de/webapps/mpp/ua/privacy-full
You can object to this processing of your data at any time by sending a message to PayPal. However, PayPal may still be entitled to process your personal data if this is necessary for contractual payment processing.

- Shopify Payments
We use the payment service provider "Shopify Payments", 3rd Floor, Europa House, Harcourt Building, Harcourt Street, Dublin 2. If you choose a payment method offered by the payment service provider Shopify Payments, payment processing will be carried out by the technical service provider Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, to whom we will pass on the information you provided during the ordering process, along with information about your order (name, address, account number, bank sort code, credit card number (if applicable), invoice amount, currency, and transaction number) in accordance with Art. 6 (1) (b) GDPR. Your data will be passed on exclusively for the purpose of payment processing with Stripe Payments Europe Ltd. and only to the extent necessary for this purpose. Further information on Shopify Payments' data protection can be found at the following internet address: https://www.shopify.com/legal/privacy
Data protection information about Stripe Payments Europe Ltd. can be found here: https://stripe.com/de/privacy

4.4. Google Pay
If you select the "Google Pay" payment method (a service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google")), payment processing will be handled via the "Google Pay" application on your Android (at least 4.4 "KitKat") mobile device with NFC functionality. Payment will be made using one of your payment cards stored with Google Pay or a payment system verified there (e.g., PayPal). To authorize a payment via Google Pay of more than EUR 25, you must first unlock your mobile device. The information you provide when placing your order will be passed on to Google for payment processing. Google generates a unique transaction number, which is transmitted to the ordering website to verify the payment. This transaction number is merely a numeric token that does not contain any information about your data. The actual transaction is carried out between the user and the ordering website by debiting the payment method stored with Google Pay. Personal data may be processed during the described processes. In this case, the processing is carried out for the purpose of payment processing in accordance with Art. 6 (1) (b) GDPR.

Further information, especially information on how Google handles your data, can be found here:
Google Pay Terms of Use: https://payments.google.com/payments/apis-secure/u/0/get_legal_document?ldo=0&ldt=googlepaytos&ldl=de Google Privacy Policy: https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=de

4.5. Apple Pay
If you select the payment method "Apple Pay" (a service provided by Apple Distribution International (Apple), Hollyhill Industrial Estate, Hollyhill, Cork, Ireland), payment will be processed via the "Apple Pay" function of your iOS, watchOS, or macOS device by charging a payment card you have stored with "Apple Pay."

Your transaction is protected by the security features of your device's hardware and software. To authorize a payment, you must enter a code and verify it using your device's "Face ID" or "Touch ID" feature.

The information you provide during the ordering process, along with information about your order, is transmitted to Apple in encrypted form for the purpose of payment processing. This data is then re-encrypted by Apple and subsequently transmitted to the payment service provider of the payment card stored in Apple Pay to process the payment. This encryption ensures that only the website on which the order was placed can access the payment data.

After payment, Apple sends the device account number and a transaction-specific, dynamic security code to the store website to confirm the payment.
Personal data may be processed for the aforementioned curtains. In this case, this occurs for the purpose of payment processing in accordance with Art. 6 (1) (b) GDPR.

When you use Apple Pay on your iPhone or Apple Watch to complete a purchase made through Safari on your Mac, your Mac and the authorization device communicate over an encrypted channel on Apple's servers. Apple may process or store data, but this is done in a format that cannot be used to identify you.

Information on Apple Pay's privacy policy is available here: https://support.apple.com/de-de/HT203027

5. Data processing when opening a customer account and for contract processing

If you open a customer account with us, personal data will be collected and processed in accordance with Art. 6 (1) (b) GDPR. The scope of the data is stated in the form. The data you enter will be stored and used by us for contract processing.
You can delete your customer account at any time. This can be done by sending a message to the responsible person's address or, if offered, directly in your customer account. In this case, we will also block your data in accordance with retention periods under tax and commercial law and delete it after these periods have expired. This can only be prevented by your consent to permanent storage or by a legally permitted further use of the data on our part.

6. Contact

If you contact us via the contact form, the data entered in the input form will be transmitted to us and stored. The data collected can be found in the respective input form. If you contact us by email, only the data you enter there will be transmitted to us.
The data will be used exclusively to process the conversation and your request. The legal basis for processing the data, if the user has given their consent, is Art. 6 (1) (a) GDPR. The legal basis for processing data transmitted when sending an email is Art. 6 (1) (f) GDPR. If the email contact is aimed at concluding a contract, an additional legal basis for processing is Art. 6 (1) (b) GDPR. The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected and provided that there are no statutory retention periods to the contrary. For personal data from the input mask of the contact form and data sent by email, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified. The user has the option to revoke their consent to the processing of personal data at any time. If the user contacts us by email, they can object to the storage of their personal data at any time. In such a case, the conversation cannot be continued.

7. Comment function

If you use the comment function on our website, in addition to the content of your comment, information about the time of creation and the commenter name you chose will be saved and published on the website. Your IP address will also be logged and stored.
The legal basis for storing your data is Art. 6 (1) (b) and (f) GDPR. The IP address is stored for security reasons and in the event that the data subject violates the rights of third parties or publishes illegal content through a comment. Your email address is required to contact you if a third party objects to the illegality of your published content. We reserve the right to delete comments if they are objected to as illegal by third parties.

8. Use of your data for direct marketing

8.1. Newsletter

On our website, you can subscribe to a free newsletter. When you register for the newsletter, the data you enter in the form will be transmitted to us. The only mandatory information is your email address. Any additional information you provide will be used solely for personal contact.

The legal basis for processing your data after subscribing to the newsletter is Art. 6 (1) (a) GDPR, provided the user has given their consent. We obtain this consent by sending you a confirmation email containing a confirmation link after subscribing to the newsletter. By clicking on this link, you also consent to receive the newsletter.
When you submit your newsletter registration, we save your IP address as well as the date and time of registration. This storage serves to track any possible misuse of your email address.

We use the data we collect when you register for the newsletter exclusively for the purpose of sending the newsletter.

You can cancel your newsletter subscription at any time. A link for this purpose is included in every newsletter. This also allows you to revoke your consent to the storage of personal data collected during the registration process.

8.2. Newsletter for existing customers

If you purchase goods or services on our website and provide your email address, we may subsequently use it to send you a newsletter. In such a case, the newsletter will only be used to send direct advertising for our own similar goods or services.

The legal basis for sending the newsletter following the sale of goods or services is Section 7 (3) of the German Unfair Competition Act (UWG) and Article 6 (1) (f) of the GDPR. Data processing is carried out solely on the basis of our legitimate interest in personalized direct advertising.

If you have already objected to the use of your email address for direct marketing purposes, you will not receive this newsletter. However, you can also object to the use of your email address for the purposes stated here at any time, at any time, with future effect, by sending a message to the address stated at the beginning. Upon receipt of your objection, the use of your email address for advertising purposes will be discontinued immediately.

9. Contacting us for a review reminder

Own rating reminder

After you have given your express consent in accordance with Art. 6 (1) (a) GDPR, you will receive a one-time email from us as a reminder to submit a review of your order. You can revoke your consent at any time by sending a message to the person responsible for processing your data.

10. Web analysis services

10.1. Google Universal Analytics

We use the web analysis service Google Analytics (Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) for this website.
Google Analytics uses "cookies". These are text files stored on your computer that enable analysis of your use of the website.
The information generated in this way about your use of this website (including your shortened IP address) will be transmitted to and stored by Google on servers in the United States.

We use Google Analytics with the extension "_anonymizeIp()," which anonymizes the IP address by shortening it and prevents any direct personal reference. Therefore, your IP address will be shortened by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. In exceptional cases, the full IP address will be transmitted to a Google server, including in the USA, and shortened there. In these exceptional cases, this processing takes place in accordance with Art. 6 (1) (f) GDPR. Our legitimate interest lies in the statistical analysis of user behavior for optimization and marketing purposes.

On our behalf, Google uses this information to evaluate your website usage, compile reports on website activity, and provide us with other services related to website activity and internet usage. Your IP address collected in this context will not be merged with other Google data.

You can prevent cookies from being saved by selecting the appropriate settings on your browser.
You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by downloading and installing the following browser plug-in:
http://tools.google.com/dlpage/gaoptout?hl=de

Alternatively, you can set an opt-out cookie:

Deactivate Google Analytics

This opt-out cookie only works in this browser and only for this domain. If you delete your cookies in this browser, you will need to click this link again.

In the event of data transfer to Google LLC, based in the USA, Google LLC is certified for the US-European data protection agreement "Privacy Shield", which guarantees compliance with the data protection level applicable in the EU.

This website also uses Google Analytics for cross-device analysis of visitor traffic, which is carried out using a user ID. You can deactivate cross-device analysis of your usage in your customer account under "My Data," "Personal Data."

Google Privacy Policy:
https://support.google.com/analytics/answer/6004245?hl=de

10.2. Shopify Analytics

We use the web analytics service provided by Shopify (Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland).

To safeguard our legitimate interest in statistically analyzing user behavior for optimization and marketing purposes, Shopify collects, evaluates, and stores pseudonymized visitor data, from which pseudonymized user profiles can be created and analyzed. Shopify uses cookies to recognize the browser and thus enable more precise statistical data collection. Your IP address is also collected, but is pseudonymized immediately after collection and before storage, thus preventing any personal reference.

The legal basis is Art. 6 (1) (f) GDPR.

Shopify does not associate your IP address with any other Shopify data.

To object to the collection of data and the creation of pseudonymized user profiles, as well as the setting of cookies in the future, you can generally deactivate the use of cookies on your computer by configuring your Internet browser so that no more cookies can be stored on your computer in the future or by deleting cookies that have already been stored. However, deactivating all cookies may result in some functions on our website no longer being fully available.

Shopify’s privacy policy can also be found at:
https://www.shopify.de/legal/datenschutz

11. Retargeting / Remarketing / Recommendation Advertising

Facebook Custom Audience via the pixel process

On this website, we use the "Facebook Pixel" of Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA ("Facebook"). With explicit consent, the behavior of users can be tracked after they have seen or clicked on a Facebook ad. This process is used to evaluate the effectiveness of Facebook ads for statistical and market research purposes and can help optimize future advertising measures. The data collected is anonymous to us, so we cannot draw any conclusions about the identity of the users. However, data is stored and processed by Facebook so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes, in accordance with the Facebook Data Usage Policy (https://www.facebook.com/about/privacy/).

You can allow Facebook and its partners to place advertisements on and outside of Facebook. A cookie may be stored on your device for these purposes. These processing operations only occur with the granting of express consent in accordance with Art. 6 (1) (a) GDPR. Consent to the use of the Facebook pixel may only be given by users older than 13. If you are younger, we ask you to ask your legal guardian for permission. Facebook Inc., based in the USA, is certified for the US-European data protection agreement "Privacy Shield," which guarantees compliance with the data protection level applicable in the EU. You can deactivate the use of cookies on your computer by adjusting your browser settings accordingly. However, this may result in some functions on our website no longer being fully available. You can also deactivate the use of cookies by third parties such as Facebook on the following website of the Digital Advertising Alliance: http://www.aboutads.info/choices/

12. Tools and Other

Google Web Fonts

For the uniform display of fonts, we use so-called web fonts provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").
As soon as you visit our website, your browser loads the required web fonts into the browser cache.

To do this, your browser must establish a connection to Google's servers, which will then transmit your IP address to Google. In this case, your personal data may also be transferred to Google LLC's servers in the USA. Our legitimate interest within the meaning of Art. 6 (1) (f) GDPR lies in the consistent and appealing presentation of our online offerings.

If your browser does not support web fonts, a standard font from your computer will be used.

In the event of the transfer of personal data to Google LLC, USA, Google has certified itself for the US-European data protection agreement "Privacy Shield", which guarantees compliance with the data protection level applicable in the EU.

Details about Google Web Fonts can be found here:
https://developers.google.com/fonts/faq
and in Google’s privacy policy:
https://www.google.com/policies/privacy/

13. Rights of the data subject

13.1. The applicable data protection law grants you comprehensive rights as a data subject (rights to information and intervention) vis-à-vis the controller with regard to the processing of your personal data, about which we will inform you below:

- Right to information according to Art. 15 GDPR:
You can request confirmation from the controller as to whether personal data concerning you is being processed by the controller. In addition, you have the right to information about the purpose, the categories of personal data, the recipients, the planned storage period and the existence of other rights such as rectification of the data or the right to lodge a complaint with a supervisory authority, the origin of your data if it was not collected by us, the existence of automated decision-making, including profiling, and, where applicable, meaningful information about the logic involved and the scope and intended effects of such processing concerning you, as well as your right to be informed of the guarantees that exist pursuant to Art. 46 GDPR when your data is transferred to third countries.

- Right to rectification according to Art. 16 GDPR:
You have the right to have any inaccurate data concerning you rectified without delay and/or to have any incomplete data stored by us completed; the rectification or completion must be carried out without delay.

- Right to restriction of processing pursuant to Art. 18 GDPR:
You have the right to request the restriction of the processing of your personal data as long as the accuracy of your data, which you contest, is being verified, if you refuse to delete your data due to unlawful data processing and instead request the restriction of the processing of your data, if you need your data to assert, exercise or defend legal claims after we no longer need this data after the purpose has been achieved or if you have lodged an objection for reasons related to your particular situation, as long as it has not yet been determined whether our legitimate reasons outweigh yours;
If the processing of personal data concerning you has been restricted, this data – with the exception of storage – may only be processed with your consent or for the establishment, exercise, or defense of legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State. If the processing has been restricted, you will be informed by the controller before the restriction is lifted.

- Right to erasure according to Art. 17 GDPR:
You have the right to request the immediate erasure of your personal data, provided the requirements of Art. 17 (1) GDPR are met. However, this right to erasure does not apply, in particular - but not exclusively - if processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest, or to assert, exercise, or defend legal claims.

- Right to information according to Art. 19 GDPR:
If you have exercised your right to rectification, erasure, or restriction of processing, the controller is obligated to notify all recipients to whom your personal data has been disclosed of this rectification, erasure, or restriction of processing, unless doing so is impossible or involves disproportionate effort. You also have the right to be informed about these recipients.

- Right to data portability according to Art. 20 GDPR:
You have the right to receive your personal data provided to us in a structured, common and machine-readable format or to request that it be transmitted to another controller, where technically feasible;

- Right of revocation according to Art. 7 Para. 3 GDPR:
You have the right to object at any time to the processing of personal data concerning you based on Article 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions.
You also have the right to revoke your consent to data protection at any time with future effect. Revoking your consent does not affect the legality of the processing carried out on the basis of your consent until the revocation.

- Right to lodge a complaint pursuant to Art. 77 GDPR:
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data concerning you infringes the GDPR.

13.2. Right of objection

You have the right to object to the processing of your data at any time with future effect if we process your data based on our overriding legitimate interest after weighing up the interests.
If you exercise this right of objection, we will stop processing your data unless there are demonstrably overriding compelling legitimate grounds that prevent termination or if further processing serves to exercise or defend legal claims.

14. Duration of storage of personal data

The length of time personal data is stored depends on statutory retention periods. After these periods have expired, we routinely delete the data if it is no longer required for the fulfillment or initiation of a contract and/or if we no longer have a legitimate interest in continuing to store it.