PRIVACY POLICY
Last updated: 18.07.6
2. General Information
We process personal data only where this is necessary to provide our website, process orders, communicate with customers, comply with legal obligations or pursue legitimate business interests.
Depending on how you use our website, we may process the following categories of data:
• name and contact details;
• billing and delivery addresses;
• email address and telephone number;
• order, payment and transaction information;
• customer account information;
• communications and customer-service requests;
• IP address, device, browser and server-log information;
• cookie identifiers and consent preferences;
• usage, analytics and advertising data, where consent has been given.
3. Website Access and Server Logs
When you visit our website, our hosting provider may automatically process technical data such as your IP address, browser type, operating system, referring URL, date and time of access and requested files.
This processing is necessary to provide the website securely and reliably and to detect technical faults or misuse.
Legal basis: Article 6(1)(f) GDPR.
Server logs are normally deleted after [7/14/30] days unless longer storage is required to investigate a security incident or comply with a legal obligation.
4. Orders and Contract Performance
When you place an order, we process the information required to conclude and perform the contract. This may include your name, contact details, billing and delivery addresses, selected products, order history and payment status.
Legal basis: Article 6(1)(b) GDPR.
Where data must be retained for tax, accounting or commercial-law purposes, the legal basis is Article 6(1)(c) GDPR.
Required contractual information must be provided. Without it, we may be unable to process or deliver your order.
5. Customer Accounts
If customer accounts are available, we process registration details, login information, saved addresses and order history to provide the account.
Legal basis: Article 6(1)(b) GDPR.
You may request deletion of your customer account at any time. Statutory retention obligations remain unaffected.
6. Payments
Payment information is processed by the payment provider selected during checkout. Depending on the available payment methods, recipients may include:
• PayPal: PayPal (Europe) S.à r.l. et Cie, S.C.A.;
• Klarna: Klarna Bank AB (publ);
• Apple Pay: Apple distribution entities applicable to your location;
• Visa and Mastercard: the relevant banks, card networks and payment processors;
• [SHOPIFY PAYMENTS / OTHER PAYMENT PROVIDERS].
Payment providers may act as independent controllers for parts of their processing. Their respective privacy notices provide further information.
The legal basis for transmitting payment and transaction information is Article 6(1)(b) GDPR. Fraud-prevention processing may also be based on Article 6(1)(f) GDPR.
We do not receive complete card numbers unless explicitly stated otherwise.
7. Shipping and Fulfilment
To deliver your order, we transmit the necessary recipient, address and order information to our fulfilment partners and shipping providers, such as:
[NAME ALL FULFILMENT PROVIDERS]
[DHL / DPD / UPS / HERMES / OTHER]
Legal basis: Article 6(1)(b) GDPR.
Where delivery notifications are offered, your email address or telephone number is transmitted only where required for delivery or where you have provided the necessary consent.
8. Contact and Customer Service
If you contact us by email, contact form, telephone or social media, we process the information contained in your enquiry.
Where your enquiry concerns an order or a potential contract, the legal basis is Article 6(1)(b) GDPR. For other enquiries, the legal basis is Article 6(1)(f) GDPR, based on our legitimate interest in responding to communications.
We delete enquiries when they are no longer required, subject to statutory retention obligations.
9. Newsletter and Promotional Emails
We send newsletters and promotional emails only where permitted by law.
Where you subscribe to our newsletter, processing is based on your consent under Article 6(1)(a) GDPR. We may use a double-opt-in process and retain evidence of consent.
You may unsubscribe at any time by using the unsubscribe link in an email or by contacting us. Withdrawal does not affect processing carried out before withdrawal.
Newsletter provider:
[NAME, ADDRESS AND PRIVACY-POLICY LINK]
Existing customers may receive advertising for similar products where legally permitted. You may object at any time without incurring costs other than basic transmission costs.
10. Cookies and Similar Technologies
We use technically necessary cookies and similar technologies to provide essential functions such as the shopping cart, checkout, security and consent management.
Non-essential analytics, personalisation and advertising technologies are activated only after obtaining consent where required.
Legal bases:
• technically necessary storage or access: Section 25(2) TDDDG and Article 6(1)(b) or (f) GDPR;
• analytics, personalisation or advertising: your consent under Section 25(1) TDDDG and Article 6(1)(a) GDPR.
Withdrawal does not affect prior lawful processing.
11. Analytics and Advertising
We use the following analytics or advertising services only if listed here and, where required, after obtaining consent:
[GOOGLE ANALYTICS]
[META PIXEL]
[TIKTOK PIXEL]
[PINTEREST TAG]
[GOOGLE ADS]
[OTHER SERVICES]
12. Shop and Hosting Platform
Our online shop is operated using:
SHOPIFY
The provider processes hosting, device, customer, checkout and transaction information on our behalf or, for certain processing, as an independent controller.
Legal bases are Article 6(1)(b), (c) and (f) GDPR and, where consent is required, Article 6(1)(a) GDPR.
13. Recipients and Processors
We disclose personal data only where necessary. Recipients may include:
• hosting and ecommerce providers;
• payment providers and banks;
• fulfilment and shipping providers;
• IT, customer-service and email providers;
• analytics and advertising providers used with valid consent;
• tax advisers, auditors, legal advisers and public authorities;
• fraud-prevention and security providers.
Processors acting on our instructions are contractually bound in accordance with Article 28 GDPR.
14. International Data Transfers
Some providers may process data outside the European Economic Area.
Where no adequacy decision exists, transfers are based on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses, together with supplementary safeguards where required.
Further details may be requested using the contact information above.
15. Retention
We retain personal data only for as long as required for the relevant purpose.
Order and accounting data may be retained for statutory commercial and tax retention periods. Consent data may be retained for as long as necessary to demonstrate compliance. Data required for legal claims may be retained until the relevant limitation period has expired.
After the applicable period, data is deleted or anonymised unless further storage is legally required.
16. Your Rights
Subject to the statutory conditions, you have the right to:
• access your personal data under Article 15 GDPR;
• rectify inaccurate data under Article 16 GDPR;
• request erasure under Article 17 GDPR;
• restrict processing under Article 18 GDPR;
• receive portable data under Article 20 GDPR;
• object to processing under Article 21 GDPR;
• withdraw consent at any time under Article 7(3) GDPR;
• lodge a complaint with a data protection authority under Article 77 GDPR.
RIGHT TO OBJECT
Where we process personal data on the basis of legitimate interests, you may object on grounds relating to your particular situation.
Where personal data is processed for direct marketing, you may object at any time. We will then stop processing the data for direct marketing.
18. Automated Decision-Making
We do not use solely automated decision-making producing legal or similarly significant effects unless this is expressly disclosed during the relevant process.
Payment or fraud-prevention providers may conduct their own automated risk assessments. Please refer to their privacy notices.
19. Security
We use appropriate technical and organisational measures to protect personal data against accidental or unlawful loss, alteration, disclosure or access.
Internet transmission can nevertheless not be guaranteed to be completely secure.
20. Changes to this Privacy Policy
We may update this Privacy Policy where our processing activities or legal requirements change. The current version is available on this website.