Privacy policy

A. Contact Details of the Website Owner

This page explains what happens to personal information when you use this website. Personal information means anything that can be traced back to you as an individual.

The person legally responsible for deciding how your data is used is Ayleen Suess, Hofmühlstraße 19, 83043 Bad Aibling, Germany, reachable by phone at 004915753658220 or by email at ayleen.freelance@gmail.com. Under data protection law, this person is referred to as the controller — the one who decides why and how personal data gets processed.

B. What Gets Collected Just From Browsing

If you only look around this website without creating an account or filling in any form, the only data collected is what your browser automatically sends to the web server. This typically includes: the address of the page you visited, the date and time of your visit, how much data was transferred, where you came from (for example, a search engine or another website), which browser and operating system you are using, and your IP address (which may be shortened to remove the last digits).

This data is used solely to keep the website running properly and to maintain its stability. It is not shared with anyone or used for any other purpose. We do reserve the right to look back at these logs if we have specific reason to suspect something illegal happened.

This website uses encrypted connections (SSL/TLS). When the address bar shows https:// and a padlock symbol, your connection to the site is protected.

C. Where the Website Is Hosted and How Content Gets Delivered

Shopify. The website runs on the platform of Shopify International Limited, Victoria Buildings, 2nd floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland. Data may also pass through servers operated by Shopify Inc., 150 Elgin St, Ottawa, ON K2P 1L4, Canada. Everything collected on this site is processed on Shopify's infrastructure. A data processing contract is in place with Shopify, binding them to protect visitor data and preventing them from passing it to others without authorisation. For transfers to Canada, the European Commission has formally recognised Canada as providing adequate data protection.

Cloudflare. To speed up the delivery of images, scripts, and other large files, this website uses the content delivery network of Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA. The purpose is to improve load times and website stability, which is a legitimate operational interest under Art. 6(1)(f) GDPR. A data processing agreement is in place. Cloudflare participates in the EU-US Data Privacy Framework, meaning US-bound transfers meet European data protection standards under an adequacy decision.

Fastly. A second content delivery network is provided by Fastly Inc., 475 Brannan St. #300, San Francisco, CA 94107, USA, for the same purpose as Cloudflare above. The same legal basis applies. A data processing agreement is in place, and Fastly also participates in the EU-US Data Privacy Framework.

D. Cookies

This website uses cookies — small text files placed on your device. Some cookies disappear as soon as you close your browser (session cookies). Others stay on your device for a set period and remember your preferences (persistent cookies). You can check how long persistent cookies last by looking at your browser's cookie settings.

When cookies process personal data, the legal basis is one of the following depending on the situation: your consent (Art. 6(1)(a) GDPR), the need to carry out a purchase contract with you (Art. 6(1)(b) GDPR), or our legitimate interest in running a functional and user-friendly website (Art. 6(1)(f) GDPR).

Your browser can be set to alert you before any cookie is placed, and you can choose to block some or all cookies. Be aware that doing so may stop parts of this website from working correctly.

E. Review Reminders and Getting in Touch

Judge.me. When you make a purchase, you may receive a follow-up email asking you to leave a review. This service is operated by Judge.me Ltd., c/o Buckworths, 2nd Floor, 1-3 Worship Street, London, England, EC2A 2AB, UK. Your email address and relevant order details are passed to them only if you have given your explicit consent (Art. 6(1)(a) GDPR). You can withdraw that consent at any time, either by contacting us or directly through the provider. A data processing contract is in place. The European Commission has issued an adequacy decision covering data transfers to the provider's location.

Trustpilot. A review reminder service is also provided by Trustpilot A/S, Pilestræde 58, 1112 Copenhagen, Denmark. The same conditions apply: your email address and relevant customer data are shared only with your explicit consent (Art. 6(1)(a) GDPR), and you can withdraw consent at any time. A data processing contract is in place.

Messages sent to us directly. If you send us a message, whether through a contact form or by email, we store what you write in order to respond to you. Contact forms collect only what is shown on the form itself. The legal basis for using this data is our legitimate interest in replying to enquiries (Art. 6(1)(f) GDPR). If your message relates to placing an order or entering a contract, Art. 6(1)(b) GDPR also applies. Once your enquiry has been fully handled, your message data is deleted unless we are legally required to keep it longer.

F. Customer Accounts and Order Processing

If you create an account on this website, we collect and store the information you provide for that purpose. The form itself shows which fields are required. You can delete your account at any time by contacting us. Once deleted, all related data is removed as long as no open orders remain, no legal retention periods apply, and we have no other legitimate reason to keep it. The legal basis is Art. 6(1)(b) GDPR.

G. Marketing Emails

Newsletter sign-up. If you subscribe to our newsletter, we will use your email address to send regular updates about our products and offers. Only your email address is required. Any other details you provide are optional and used to personalise messages. We use a double opt-in process: after you enter your email, we send a confirmation message with a link you must click before the subscription activates. This protects against unauthorised sign-ups. We also record your IP address, the date, and the time of sign-up in case we ever need to investigate misuse. Newsletter data is used solely for sending the newsletter. You can unsubscribe at any time using the link in any newsletter or by contacting us directly. Your email address will be removed from the list immediately upon unsubscribing, unless you have separately agreed to other uses.

Existing customers. If you have purchased from us, we may send you emails about similar products without asking for separate consent. This is permitted under Section 7(3) of the German Act Against Unfair Competition and processed on the basis of our legitimate interest in direct marketing (Art. 6(1)(f) GDPR). If you told us at the time of purchase that you did not want marketing emails, we will not send them. You can opt out at any time by contacting us; no costs beyond standard transmission rates apply. We will stop immediately upon receiving your objection.

Klaviyo. Newsletters are sent using the platform of Klaviyo Inc., 125 Summer Street, Floor 6, Boston, MA 02110, USA. We share your registration data with Klaviyo so they can send emails on our behalf, on the basis of our legitimate interest in effective newsletter delivery (Art. 6(1)(f) GDPR). With your separate consent (Art. 6(1)(a) GDPR), Klaviyo may also track how emails perform, using tracking pixels and web beacons to measure open rates and interactions. Device data such as IP address, browser type, and operating system may be collected in this process but is not linked to other records. You can withdraw your consent to tracking at any time. A data processing agreement is in place with Klaviyo. Klaviyo participates in the EU-US Data Privacy Framework.

H. Sharing Data to Fulfil Orders

General. When an order is placed, we share necessary personal data with the shipping company and the payment processor handling your transaction, as required to complete the purchase (Art. 6(1)(b) GDPR). If a contract requires us to notify you about updates to digital goods or products containing digital elements, we will use the contact details you provided to inform you personally within the legally required timeframe (Art. 6(1)(c) GDPR).

Shipping. Your name and delivery address are passed to whichever shipping partner handles your parcel. Nothing more than what is needed for delivery is shared.

DSers. Order management is supported by Bowers Enterprises, LLC, 109 Cloister Drive, Peachtree City, GA 30269, USA (operating as DSers). Name, address, and other relevant details are shared for the purpose of processing orders (Art. 6(1)(b) GDPR). DSers also supports bookkeeping functions by processing incoming and outgoing invoices and, where applicable, bank transactions in a semi-automated workflow. The legal basis for any personal data processed in that context is our legitimate interest in efficient business administration (Art. 6(1)(f) GDPR). Data transfers to the USA rely on standard contractual clauses approved by the European Commission.

Delivery companies. Your email address and/or phone number may be shared with the delivery company before dispatch if you have consented to receiving delivery notifications or arranging a delivery time (Art. 6(1)(a) GDPR). Without that consent, only your name and delivery address are shared (Art. 6(1)(b) GDPR). Consent can be withdrawn at any time. The following carriers may be used: Deutsche Post AG (DHL), Charles-de-Gaulle-Straße 20, 53113 Bonn, Germany; DPD Deutschland GmbH, Wailandtstraße 1, 63741 Aschaffenburg, Germany; FedEx Express Germany GmbH, Langer Kornweg 34k, 65451 Kelsterbach, Germany; United Parcel Service Deutschland Inc. & Co. OHG (UPS), Görlitzer Straße 1, 41460 Neuss, Germany.

Payment processors. The following payment options may be available at checkout:

Apple Pay. Operated by Apple Distribution International, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. When you pay with Apple Pay, your order information is sent to Apple in encrypted form. Apple re-encrypts it with a developer key before forwarding it to the card provider. Only the shop can access the underlying payment data. After payment, Apple sends your device account number and a one-time security code to confirm the transaction. Apple retains only anonymised transaction data (approximate amount, approximate date and time, and whether the transaction completed) for its own product improvement purposes. No personal data is retained by Apple in identifiable form. When using Apple Pay through Safari on a Mac, communication between the Mac and the authorising device is encrypted and handled through Apple's servers without Apple storing anything personally identifiable. You can turn off Apple Pay for Mac in your iPhone's Wallet & Apple Pay settings. More information: https://support.apple.com/en-gb/HT203027. The legal basis is Art. 6(1)(b) GDPR.

Google Pay. Operated by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Your order details are sent to Google, which responds with a unique transaction token — not your actual payment details — to verify the payment. Google acts as an intermediary only; the actual transaction happens between you and the shop. Google may collect transaction data including date, time, amount, merchant details, and the payment method used. Google processes this for its own legitimate interests in maintaining and improving Google Pay (Art. 6(1)(f) GDPR). Google may combine this with other data from its services. Terms and privacy information: https://payments.google.com. The legal basis for our processing is Art. 6(1)(b) GDPR.

PayPal. Operated by PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. Your payment and order details are passed to PayPal to process the transaction (Art. 6(1)(b) GDPR). For deferred payment methods such as invoice or instalment plans, PayPal may carry out a credit check using the information you provided, sharing data with credit reference agencies on the basis of its legitimate interest in assessing payment risk (Art. 6(1)(f) GDPR). The result may include a score value based on a recognised statistical method that takes address data into account among other factors. You can object to this at any time by contacting us or PayPal, though PayPal may still process data where necessary to complete the transaction.

PayPal Checkout. This shop uses PayPal Checkout, which covers PayPal's own payment methods and third-party local payment options. For credit card, direct debit, and Pay Later via PayPal, PayPal may also conduct creditworthiness checks in the same way described above. Where the invoice payment option is selected, payment data is first sent to PayPal and then forwarded to Ratepay GmbH, Franklinstraße 28-29, 10587 Berlin, which performs its own identity and credit check. The list of credit agencies Ratepay may use is at https://www.ratepay.com/legal-payment-creditagencies/. Local third-party payment methods routed through PayPal Checkout include: Apple Pay, Google Pay, Klarna (Klarna Bank AB, Sveavägen 46, 11134 Stockholm, Sweden), iDeal (Currence Holding BV, Beethovenstraat 300, Amsterdam, Netherlands), Bancontact (Bancontact Payconiq Company, Rue d'Arlon 82, 1040 Brussels, Belgium), BLIK (Polski Standard Płatności sp. z o.o., ul. Czerniakowska 87A, 00-718 Warsaw, Poland), EPS (PSA Payment Services Austria GmbH, Handelskai 92, Gate 2, 1200 Vienna, Austria), MyBank (PRETA S.A.S, 40 Rue de Courcelles, F-75008 Paris, France), and Przelewy24 (PayPro SA, Kanclerska 15A, 60-326 Poznań, Poland). PayPal's privacy policy: https://www.paypal.com/de/legalhub/paypal/privacy-full?locale.x=en_DE.

Shopify Payments. Operated by Shopify International Limited, Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland. Payment data including name, address, card details, currency, and transaction number are passed to Shopify to process the payment (Art. 6(1)(b) GDPR). Only what is necessary for the transaction is shared.

Stripe. Operated by Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. The same applies as for Shopify Payments above.

Cancelling a subscription online. Customers who have taken out a paid subscription through this website can cancel it electronically using a dedicated button. Clicking the button leads to a confirmation page where you can give details about your cancellation, confirm your identity, and submit the cancellation digitally. Data collected in that process is used only to handle the cancellation correctly (Art. 6(1)(b) GDPR) and to send you a written confirmation of the cancellation and its effective date (Art. 6(1)(b) and (c) GDPR). Providing this option is a legal requirement for online subscription contracts.

I. Tracking and Website Measurement Tools

Google Analytics 4. This website uses Google Analytics 4, a service of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. It works by placing cookies on your device to record how the site is used. Your IP address is collected but automatically shortened within the EU and EEA so that it cannot identify you directly. The shortened IP is never combined with other Google data. Google uses this information to prepare reports on website activity and usage patterns on our behalf. Data collected is kept for two months before being deleted. Google Analytics 4 can also generate statistics on age, gender, and interests using third-party data and interest-based advertising signals, but these demographic statistics cannot be linked to any individual. This demographic data is also deleted after two months. All of this only happens with your explicit consent (Art. 6(1)(a) GDPR). Without it, Analytics does not run. You can withdraw consent at any time using the cookie consent tool on this site. Data may transfer to Google LLC servers in the USA; Google participates in the EU-US Data Privacy Framework. More information: https://policies.google.com/privacy and https://business.safety.google/privacy/.

Google Signals. As an add-on to Analytics 4, Google Signals may be used to track behaviour across different devices. This only happens if you have personalised ads turned on in your Google account and you are logged in on the devices you use. The result is cross-device statistics that show, for example, which device saw an ad first and which device completed a purchase. We receive only compiled statistics from Google, not personal data. To turn off personalised ads in your Google account: https://support.google.com/ads/answer/2662922?hl=de. This also relies on your consent to Analytics 4.

UserIDs. Also as an Analytics 4 extension, individual user IDs may be assigned to logged-in account holders, allowing cross-device behaviour to be tracked. This only applies if you have a registered account, are logged in across multiple devices, and have consented to Analytics 4. The resulting data shows things like which device first encountered an ad and which completed the associated action.

Google Tag Manager. This website uses Google Tag Manager, operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Tag Manager acts as a management layer that controls when and how various tracking tools load. It does not itself place cookies or collect data independently. However, it does transmit your IP address to Google when a page loads, and that data may reach Google LLC servers in the USA. All of this requires your consent (Art. 6(1)(a) GDPR) and can be turned off via the cookie consent tool. A data processing agreement is in place. Google participates in the EU-US Data Privacy Framework. More information: https://business.safety.google/privacy/.

Hotjar. Visitor behaviour analysis is conducted using Hotjar, operated by Hotjar Ltd, Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta. The service uses cookies and similar tools to build pseudonymised visitor profiles based on things like IP address and browser type. It can also generate heatmaps showing where visitors scroll, click, and hover on pages. The pseudonymisation process means these records cannot be directly linked to you. Your data is not combined with any other sources. This only runs with your consent (Art. 6(1)(a) GDPR) and can be disabled in the cookie consent tool. A data processing agreement is in place.

Shopify Analytics. The built-in analytics service of Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland is also used, with data potentially also passing through Shopify Inc. in Canada. Like Hotjar, it creates pseudonymised visitor profiles using cookies and comparable technologies, including heatmap-type analysis. The same consent requirement and opt-out apply. A data processing agreement is in place, and Canada is covered by an EU adequacy decision.

J. Advertising and Retargeting

Meta Pixel (extended matching). We use the Meta Pixel service of Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, with extended data matching enabled. When you click on one of our ads on Facebook or Instagram and land on this website, a URL parameter is added to the address. A cookie picks up that parameter and, during certain activities on the site such as completing a purchase, logging in, or registering, it also collects specific customer data such as your email address. That data is then sent to Meta. We use this to make our ads more relevant to people likely to be interested in what we sell, to build Custom Audiences, and to measure how well our advertising converts. Extended matching helps us connect more ad clicks to completed purchases than the standard pixel can. Meta may use all of this data for its own advertising purposes across Facebook and Instagram and beyond, as described in Meta's data policy at https://www.facebook.com/about/privacy/. This only happens with your consent (Art. 6(1)(a) GDPR), withdrawable at any time via the cookie consent tool. A data processing agreement is in place. Data may reach Meta Platforms Inc. servers in the USA; Meta participates in the EU-US Data Privacy Framework.

Google Ads and conversion tracking. We run advertising through Google Ads and use conversion tracking provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. When someone clicks one of our Google ads, a conversion tracking cookie is placed on their device. If that person then completes a purchase or other target action on our website within the cookie's validity window (typically 30 days), the cookie tells us that the ad worked. Each advertiser gets unique cookies, so there is no cross-advertiser tracking. The aggregated statistics we receive tell us how many users clicked an ad and completed an action, but not who those individuals were. This only runs with your consent (Art. 6(1)(a) GDPR). You can also permanently opt out by installing the Google opt-out browser plug-in at https://www.google.com/settings/ads/plugin?hl=en. To serve ads to people who have already interacted with us, we also use Google's customer match feature. This means we upload encrypted lists of contact data (primarily email addresses and phone numbers) to Google, which uses a one-way algorithm to match them to existing Google accounts. Google never sees the raw data. This enables personalised ads across Google's services for matched accounts. This upload only happens with your explicit consent (Art. 6(1)(a) GDPR). More information on customer match privacy: https://support.google.com/google-ads/answer/6334160?hl=en. Data may transfer to the USA; Google participates in the EU-US Data Privacy Framework.

TikTok Pixel. If you arrive at this website after clicking a TikTok ad, we may track whether you completed a target action using the conversion pixel of TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. This works by reading device and browser information including your IP address via tracking technologies. The resulting data is used to create statistics about how visitors from TikTok behave on the site, helping us improve our ads. This only runs with your consent (Art. 6(1)(a) GDPR) and can be turned off via the cookie consent tool. A data processing agreement is in place.

K. Other Tools Used on This Site

Google Fonts. To display text in a consistent way across different devices, this website loads fonts from Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, with data also potentially passing to Google LLC in the USA. When a page loads, your browser connects directly to Google's servers and your IP address is transmitted in that process. This only happens with your consent (Art. 6(1)(a) GDPR), and can be disabled via the cookie consent tool. If your browser does not support the web fonts, a system default font is used instead. Google participates in the EU-US Data Privacy Framework. More information: https://business.safety.google/privacy/.

Lexware Office. Our accounting is handled using the cloud software of Haufe-Lexware GmbH & Co. KG, Munzinger Straße 9, 79111 Freiburg, Germany. The software processes incoming and outgoing invoices and, where applicable, bank transactions, to automatically record and reconcile them into financial accounts in a partly automated process. Any personal data processed in that context is handled on the basis of our legitimate interest in running an organised and properly documented business (Art. 6(1)(f) GDPR).

Cookie consent tool. A cookie consent tool is used to collect and manage your consent for cookies and similar technologies before they are activated. It appears when you first visit the site and lets you choose which categories of cookies you accept by ticking boxes. Only cookies you have agreed to are activated. The tool itself stores your preferences using technically necessary cookies. In most cases, no personal data is processed by the tool. Where an IP address is recorded to log or assign consent settings, this is done on the basis of our legitimate interest in managing consents in a legally sound and user-specific way (Art. 6(1)(f) GDPR), as well as our legal obligation to make non-essential cookies conditional on consent (Art. 6(1)(c) GDPR). Settings and further information are available directly in the consent interface on this website.

L. Your Rights Over Your Data

Under GDPR, you have the following rights regarding personal data we hold about you:

Right to know what we hold (Art. 15 GDPR).

Right to have inaccurate data corrected (Art. 16 GDPR).

Right to have data deleted in certain circumstances (Art. 17 GDPR).

Right to have processing restricted in certain circumstances (Art. 18 GDPR).

Right to be told who your data was shared with when we corrected or deleted it (Art. 19 GDPR).

Right to receive your data in a portable format (Art. 20 GDPR).

Right to withdraw any consent you have given, at any time (Art. 7(3) GDPR).

Right to complain to a data protection authority (Art. 77 GDPR).

RIGHT TO OBJECT. WHERE WE PROCESS YOUR PERSONAL DATA ON THE BASIS OF A LEGITIMATE INTEREST (ART. 6(1)(F) GDPR), YOU CAN OBJECT TO THAT PROCESSING AT ANY TIME IF YOU HAVE GROUNDS RELATING TO YOUR PARTICULAR SITUATION. IF YOU DO, WE WILL STOP UNLESS WE CAN SHOW COMPELLING LEGITIMATE GROUNDS FOR CONTINUING THAT OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS, OR UNLESS THE PROCESSING IS NEEDED TO ESTABLISH, EXERCISE, OR DEFEND LEGAL CLAIMS.

WHERE YOUR DATA IS USED FOR DIRECT MARKETING, YOU CAN OBJECT AT ANY TIME WITHOUT GIVING ANY REASON. WE WILL STOP USING YOUR DATA FOR THAT PURPOSE IMMEDIATELY UPON RECEIVING YOUR OBJECTION.

M. How Long We Keep Your Data

How long we hold personal data depends on why we collected it, what law applies, and whether any mandatory retention periods exist such as those under tax or commercial law.

Data collected on the basis of your consent (Art. 6(1)(a) GDPR) is kept until you withdraw that consent.

Data collected to carry out a contract (Art. 6(1)(b) GDPR) is kept for as long as the contract requires, and then deleted when the relevant statutory retention periods expire and when we no longer have any legitimate need to retain it.

Data processed on the basis of legitimate interest (Art. 6(1)(f) GDPR) is kept until you object under Art. 21(1) GDPR, unless we can demonstrate compelling grounds for continuing, or the data is needed for legal proceedings.

Data used for direct marketing on the basis of legitimate interest (Art. 6(1)(f) GDPR) is kept until you exercise your right to object under Art. 21(2) GDPR.

In all other cases, personal data is deleted as soon as the purpose for which it was collected no longer applies.