Privacy Policy
Last updated: June 5, 2026
1. Data Controller
2. Data We Collect and Processing Purposes
2.1 Order Data
When you place an order, we process the following data:
- Contact information: Name, email address, phone number
- Shipping address: Street, postal code, city, country
- Billing address: Street, postal code, city, country (if different)
- Order information: Product details, quantities, prices
- Transaction data: Order number, order date, payment status
Legal basis: Art. 6(1)(b) GDPR (contract fulfillment)
Retention period: 10 years (pursuant to § 147 AO, the German tax retention requirement)
2.2 Customer Account (optional)
If you create a customer account:
- Login credentials: Email address, password (stored only in hashed form, never in plaintext)
- Profile information: Order history, saved addresses
- Preferences: Language and currency settings
Legal basis: Art. 6(1)(b) GDPR (contract fulfillment)
Retention period: Until you delete your account
2.3 Shopping Cart Data
We store your shopping cart locally in your browser (LocalStorage) and on our server using an anonymous session ID. This allows you to access your cart across devices.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in user convenience)
Retention period: 30 days or until order completion
2.4 Website Analytics (Umami)
We use Umami Analytics to optimize our website. Umami is a privacy-friendly analytics solution that:
- Uses no cookies
- Collects no personal data
- Anonymizes IP addresses (not stored)
- Is GDPR compliant
Collected data (anonymized):
- Page views and visited URLs
- Referrer (where you came from)
- Device type (desktop/mobile)
- Browser and operating system
- Country (derived from IP, then discarded)
- Region, currency and language preference (anonymous session context)
- Product interactions (viewed products, selected colors, cart additions and removals, category filters)
- Promo code usage (code entered and whether it was accepted)
- Purchase completions (item count, total and currency — no personal details)
Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
Retention period: 24 months (aggregated data)
Provider: Umami Software, Inc., USA (https://umami.is). Data transfer is based on Standard Contractual Clauses (SCCs).
2.5 Contact Inquiries
When you contact us via email or contact form:
- Communication data: Email address, name, message content
- Metadata: Timestamp of inquiry
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in customer service)
Retention period: Until final processing of your inquiry, at most 3 years
3. Third-Party Services
3.1 Payment Processing (Stripe)
For payment processing, we use Stripe, a certified PCI-DSS Level 1 Service Provider.
Transmitted data:
- Payment information (credit card data is transmitted directly to Stripe, not through our server)
- Billing address
- Email address
- Order amount
Purpose: Secure payment processing, fraud prevention
Legal basis: Art. 6(1)(b) GDPR (contract fulfillment)
Privacy Policy: https://stripe.com/privacy
Data Processing Agreement (DPA): https://stripe.com/legal/dpa
Stripe may set cookies for fraud prevention. See Stripe’s privacy policy for more information.
3.2 Hosting (Railway)
Our website and database are hosted on Railway infrastructure.
Server location: European Union (Amsterdam, Netherlands)
Transmitted data: All website data (orders, customer accounts, cart)
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reliable hosting)
Privacy Policy: https://railway.app/legal/privacy
As data remains within the EU, no additional safeguards for international data transfers are required.
3.3 E-commerce Platform (Medusa.js)
We use Medusa.js as our e-commerce backend. Medusa runs on our own Railway infrastructure; no data is transmitted to third parties.
Purpose: Product management, order processing, cart functionality
Legal basis: Art. 6(1)(b) GDPR (contract fulfillment)
4. Cookies
4.1 Essential Cookies
We use the following technically necessary cookies:
| Cookie Name | Purpose | Retention Period |
|---|---|---|
| cart_id | Stores your cart ID | 30 days |
| region_id | Stores your currency/language preference | 1 year |
Legal basis: Art. 6(1)(f) GDPR (technically necessary for service provision)
4.2 Stripe Cookies (optional)
Stripe may set cookies for fraud prevention. These are only active when you initiate the payment process.
Cookie names: __stripe_mid, __stripe_sid
Purpose: Fraud protection
Retention period: 1 year (__stripe_mid), 30 minutes (__stripe_sid)
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security)
You can disable cookies in your browser settings. Please note this may limit website functionality.
5. Data Security
We implement technical and organizational measures to protect your data:
- TLS encryption (HTTPS) for all data in transit
- Encrypted storage of sensitive data in the database
- Access restricted to authorized personnel
- Regular security updates and backups
- PCI-DSS compliant payment processing via Stripe
6. Your Rights Under GDPR
You have the following rights regarding your personal data:
6.1 Right to Access (Art. 15 GDPR)
You can request information about the data we process.
6.2 Right to Rectification (Art. 16 GDPR)
You can request correction of inaccurate data.
6.3 Right to Erasure (Art. 17 GDPR)
You can request deletion of your data, provided there are no legal retention obligations.
6.4 Right to Restriction (Art. 18 GDPR)
You can request restriction of processing.
6.5 Right to Data Portability (Art. 20 GDPR)
You can receive your data in a structured, machine-readable format.
6.6 Right to Object (Art. 21 GDPR)
You can object to processing based on legitimate interests.
6.7 Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority:
Competent authority (Germany): The State Commissioner for Data Protection and Freedom of Information of your federal state List: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html
7. Withdrawal of Consent
If you have given us consent for data processing (e.g., for newsletters), you can withdraw it at any time with effect for the future.
8. Contact for Privacy Inquiries
For questions about data protection or to exercise your rights, please contact us:
We will respond to your inquiry within 30 days.
9. Changes to This Privacy Policy
We reserve the right to update this privacy policy to reflect changes in legal requirements or our services. The current version will always be available on this page.