Privacy Policy
Protecting your personal data matters to us. Below you can read which data we process when you visit this website and place an order, for what purpose and on what legal basis.
1. Controller
The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:
Tamara Krapp (MAK-ART), Hauptstr. 26, 51465 Bergisch Gladbach, Deutschland — phone: +49 2202 1860373, e-mail: [email protected]
We are not legally required to appoint a data protection officer, as the conditions of § 38 BDSG are not met. For any privacy-related question you can reach us directly using the contact details above.
2. General Information on Data Processing
We process personal data only to the extent necessary to provide a functional website, our content and services, and to fulfil your order. Personal data is any information relating to you as an identified or identifiable person.
Every processing operation relies on one of the following legal bases:
- Art. 6(1)(a) GDPR — your consent, for example for session recordings or back-in-stock notifications.
- Art. 6(1)(b) GDPR — performance of a contract or pre-contractual measures, for example order, payment and shipping.
- Art. 6(1)(c) GDPR — compliance with legal obligations, for example tax retention duties.
- Art. 6(1)(f) GDPR — our legitimate interests, for example security, abuse prevention and statistical analysis of website use.
3. Hosting and Server Log Files
We operate this website and the underlying shop system on a server we rent from active 1 GmbH, Kritenbarg 66, 22391 Hamburg, Deutschland. The server is located in a data centre in Frankfurt am Main, Germany. A data processing agreement pursuant to Art. 28 GDPR is in place with the provider.
On every request the server automatically records data transmitted by your browser:
- IP address of the requesting device
- date and time of access
- name and URL of the file retrieved
- volume of data transferred
- notification of whether the retrieval succeeded
- the browser used, including version and operating system
This data is technically necessary to deliver the website, ensure its stability and security, and defend against attacks. The legal basis is Art. 6(1)(f) GDPR. We keep the log files only as long as necessary for these purposes.
4. Delivery via Cloudflare
We use the content delivery network of Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA, represented in the European Union by Cloudflare Germany GmbH, c/o Design Offices München Atlas, Rosenheimer Straße 143C, 81671 München. Requests to our pages therefore pass through Cloudflare servers, which cache content and fend off attacks. We also store product images, files you upload and our invoice PDFs in Cloudflare’s R2 object storage.
To protect our contact form against automated submissions we also use Cloudflare Turnstile. Turnstile evaluates technical characteristics of your browser and your IP address to distinguish humans from machines; a click or image puzzle is generally not required.
Your IP address may be processed and transferred to the USA in the process. Cloudflare is certified under the EU-US Data Privacy Framework; standard contractual clauses apply in addition. The legal basis is our legitimate interest in the secure, stable and fast delivery of our content (Art. 6(1)(f) GDPR).
5. Orders and Contract Processing
When you place an order with us, we process the data required for the contract:
- first and last name
- billing and delivery address
- e-mail address
- payment data and order and payment history
- for personalised products, your customisation details and any uploaded image files
We use customisation details and uploaded images solely to make your product. They are not published and not used for advertising.
The legal basis is Art. 6(1)(b) GDPR. We store this data for the duration of the statutory retention and warranty periods and delete it thereafter, unless a statutory retention obligation requires otherwise.
6. Payment Processing via Stripe
We process payments through Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Irland. Depending on the payment method you choose, your name, billing address, e-mail address, order total and payment data are transmitted to Stripe.
We never receive your full card or bank details — you enter them directly with Stripe, where they are also processed. We only learn whether a payment was successful.
The legal basis is Art. 6(1)(b) GDPR. Stripe also processes part of the data as its own controller, for example for fraud prevention and to meet its own regulatory obligations; details are set out in Stripe’s privacy policy.
7. Shipping
To deliver your order we pass your name and delivery address to the shipping provider engaged. We currently ship with DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn and Hermes Germany GmbH, Essener Straße 89, 22419 Hamburg.
We do not pass on your e-mail address in the process. We send the shipping confirmation with the tracking number ourselves.
The legal basis is Art. 6(1)(b) GDPR.
8. Invoices
For every order we automatically generate an invoice in PDF format. It contains your name, your billing address, the items ordered and the invoice amount.
We store the invoice PDFs in a non-public area of our object storage. Access is possible only via time-limited, signed links.
Invoices are subject to the statutory retention period of ten years (§ 147 AO, § 257 HGB). The legal basis is Art. 6(1)(c) GDPR. A deletion request can therefore only extend to this data once that period has elapsed.
9. E-mail Delivery via Resend
We send transactional e-mails — order confirmation, shipping notification, invoice, review invitation, back-in-stock notification, cart reminder and replies to contact enquiries — through Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA.
In the process your e-mail address and the content of the respective message are transferred to the USA. Resend is certified under the EU-US Data Privacy Framework; the transfer therefore relies on the European Commission’s adequacy decision pursuant to Art. 45 GDPR. We have agreed standard contractual clauses in addition.
The legal basis is Art. 6(1)(b) GDPR for contract-related messages and Art. 6(1)(f) GDPR for answering your enquiries.
10. Customer Account
You can create a customer account. We then store your e-mail address, an encrypted password, your name and address details and your order history so that you can view orders and reuse addresses.
A customer account is optional — you can equally order with us as a guest.
The legal basis is Art. 6(1)(b) GDPR. You can have your account deleted at any time. Order and invoice data remain unaffected to the extent statutory retention periods apply.
11. Sign in with Google
Alternatively you can sign in with your Google account. This is optional; an equivalent registration by e-mail and password is available to you.
If you choose this option, you are redirected to Google and sign in there. We receive your e-mail address, your name and an identifier for your Google account from Google — but not your password.
The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland. A transfer to Google LLC in the USA may occur; Google is certified under the EU-US Data Privacy Framework.
The legal basis is your consent, given by choosing this sign-in method (Art. 6(1)(a) GDPR), together with Art. 6(1)(b) GDPR for the subsequent operation of your customer account.
12. Wishlist
Without signing in, we store your wishlist solely in your browser’s local storage. This data does not leave your device and is not visible to us.
When you sign in, we migrate a wishlist previously stored locally into your customer account so that it is available on all your devices. It is then held on our server, linked to your account.
The legal basis is Art. 6(1)(f) GDPR — our and your interest in a convenient save-for-later feature. You can remove entries at any time.
13. Product Reviews
Some time after shipping we invite you by e-mail to review the product you bought. The link contains a signed, time-limited token. This ensures that only actual buyers can leave a review — invented reviews are ruled out this way.
We publish the review itself, the star rating, the date and the name you provide; you may use a pseudonym here. Your e-mail address is not published. We check every review before publication.
You may optionally upload photos with your review. Photos of rejected reviews are deleted automatically. Uploaded images for which no review was submitted are deleted after seven days at the latest.
The legal basis for sending the invitation is Art. 6(1)(f) GDPR, and for publication your consent, given when you submit the review (Art. 6(1)(a) GDPR). You can request deletion of your review at any time.
14. Back-in-Stock Notification
If an item is sold out, you can ask to be notified by e-mail as soon as it is back in stock.
We use a double opt-in procedure for this: after you sign up, you receive a confirmation e-mail; the sign-up only becomes effective once you confirm.
We delete unconfirmed sign-ups after seven days. We delete confirmed sign-ups immediately after the notification has been sent, and in any case no later than six months after sign-up.
The legal basis is your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time with effect for the future.
15. Cart Reminder
If you leave your cart without completing the order, we send you a reminder exactly once, after 24 hours.
This only happens if you have expressly agreed to it beforehand. The reminder contains no discount, no deadline and no countdown — it is not meant to pressure you, only to remind you of a cart you may have forgotten.
The legal basis is your consent (Art. 6(1)(a) GDPR). You can withdraw it at any time with effect for the future.
16. Contact Form
When you write to us via the contact form, we process your name, your e-mail address and the content of your message in order to answer the enquiry.
To guard against automated submissions we use a form field invisible to you (a honeypot) and Cloudflare Turnstile; details are in the Cloudflare section.
The legal basis is Art. 6(1)(b) GDPR where your enquiry serves to initiate or perform a contract, otherwise Art. 6(1)(f) GDPR. We delete the enquiry once it has been dealt with conclusively and no retention obligations apply.
17. Product Search
For the product search we use the search software MeiliSearch. Your search terms are processed to show you relevant results.
We run MeiliSearch ourselves on our server in Germany; search queries are not transmitted to third parties. The legal basis is Art. 6(1)(f) GDPR.
18. Reach Measurement with Umami
We use the analytics software Umami, which we run ourselves on our server in Germany. Umami works without cookies, without cross-device recognition and without building profiles across websites. IP addresses are not stored.
We record page views, the approximate region of origin, the device type and the referring page, as well as anonymous interaction events — for example clicks on buttons, search queries and cart and checkout actions.
The legal basis is our legitimate interest in statistical analysis to improve our offering (Art. 6(1)(f) GDPR). As no information is accessed on your device in the process, consent under § 25 TDDDG is not required.
19. Session Recording and Heatmaps (with consent only)
If you chose “Accept all” in the cookie banner, Umami additionally records your session: mouse movements, clicks, scrolling and page changes. From this we create heatmaps to identify weak spots in the shop.
Entries in form fields are masked and not recorded. Checkout, customer account, order confirmation and the review form are entirely excluded from recording. The data is processed solely on our server in Germany and not passed to third parties.
The legal basis is your consent (Art. 6(1)(a) GDPR, § 25(1) TDDDG).
You can withdraw your consent at any time with effect for the future: open “Cookie settings” in the footer and choose “Necessary only”. Recording then ends from your next page view.
20. Cookies and Local Storage
We use only technically necessary cookies and local storage in your browser:
- Cart identifier — so your cart is preserved as you move between pages.
- Language choice — so the site appears in the language you selected.
- Session and sign-in data — so you stay signed in to your customer account.
- Cookie decision — so we do not ask you again on every visit.
- Cookies from Stripe during checkout — to process the payment and prevent fraud.
Without signing in, we store your wishlist in your browser’s local storage. Our reach measurement sets no cookies.
No consent is required for technically necessary cookies under § 25(2) TDDDG. Anything beyond that — notably session recording — happens only with your consent. You can change your decision at any time in the footer under “Cookie settings”.
21. Retention Periods
We store personal data only for as long as necessary for the respective purpose or as required by statutory retention periods:
- Order and invoice data: ten years (§ 147 AO, § 257 HGB).
- Customer account: until you delete it.
- Uploaded image files for personalised products: for the duration of the statutory retention and warranty periods, after which they are deleted.
- Back-in-stock sign-ups: seven days if unconfirmed; otherwise until the notification is sent, at most six months.
- Contact enquiries: until conclusively dealt with, unless a retention obligation applies.
22. Your Rights
As a data subject you have the following rights:
- access to the personal data stored about you (Art. 15 GDPR)
- rectification of inaccurate data (Art. 16 GDPR)
- erasure of your data (Art. 17 GDPR)
- restriction of processing (Art. 18 GDPR)
- data portability (Art. 20 GDPR)
- withdrawal of consent given, with effect for the future (Art. 7(3) GDPR)
An informal message is enough to exercise these rights, sent to [email protected]
23. Right to Object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data carried out on the basis of our legitimate interests under Art. 6(1)(f) GDPR. If you object, we will no longer process your data unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims (Art. 21 GDPR).
24. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement (Art. 77 GDPR). The authority responsible for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestraße 2–4, 40213 Düsseldorf
25. No Automated Decision-Making
We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR. In particular, there is no automated credit check and no personalised pricing — all visitors see the same prices.
26. Data Security
This website uses TLS encryption throughout. You can recognise it by the “https://” in your browser’s address bar. Transmitted data cannot be read by third parties as a result.
We embed fonts exclusively from our own server. No connection is made to Google Fonts or any other external font service.
27. Changes to This Privacy Policy
We adapt this policy when the legal situation or our offering changes — for example when new features are added. The current version applies to each of your visits.
Last updated: 18 July 2026