Privacy Policy

A1-ESD Equipment GmbH · Solingen, Germany

GDPR · TDDDG · EU-US DPF

Last updated: April 2026

Pursuant to Art. 13, 14 GDPR & § 25 TDDDG

The controller within the meaning of the General Data Protection Regulation (GDPR) and other applicable data protection legislation is:

Data Controller

A1-ESD equipment GmbH

Keldersstrasse 15

42697 Solingen, Germany

Phone: +49 212 3834068-0

Email: datenschutz@esd-equipment.com

Website: https://esd.equipment

Managing Director: Viktor Korolov

Commercial Register: Amtsgericht Wuppertal, HRB 29665

VAT ID: DE269659389

Note: The appointment of a Data Protection Officer is not legally required for our company (§ 38 BDSG). For all data protection inquiries, please contact us directly at the address above.

We process personal data only to the extent necessary for providing a functional website, our content and services. Personal data is processed regularly only with the consent of the user or in cases where processing is permitted by law.

Data Subjects

Visitors and users of our website, customers, prospects, business partners and newsletter subscribers.

Types of Data Processed

  • Master data (name, company, address)
  • Contact data (email, phone)
  • Contract data (orders, payments, delivery addresses)
  • Usage data (pages visited, access times, interactions)
  • Meta/communication data (IP addresses, device information, browser type)
  • Payment data (account details, credit card data – only at the payment service provider)

Purposes of Processing

  • Provision of the website and ensuring its functionality
  • Processing and fulfilment of orders (contract performance)
  • Customer service and responding to enquiries
  • Analysis and optimisation of our online offerings
  • Sending newsletters (with consent only)
  • Advertising and remarketing (with consent only)
  • Compliance with statutory retention obligations
  • Security and fraud prevention

We process personal data exclusively on the basis of a statutory legal ground:

| Legal Basis | Description |
|---|---|
| Consent – Art. 6(1)(a) GDPR | The data subject has given consent to the processing for one or more specific purposes (e.g. newsletter, marketing cookies, web analytics). |
| Contract Performance – Art. 6(1)(b) GDPR | Processing is necessary for the performance of a contract, e.g. order processing, customer account, shipping. |
| Legal Obligation – Art. 6(1)(c) GDPR | Processing is necessary for compliance with a legal obligation (e.g. tax retention obligations pursuant to § 147 AO, § 257 HGB). |
| Legitimate Interest – Art. 6(1)(f) GDPR | Processing is necessary for the purposes of our legitimate interests, e.g. technical operation, IT security, fraud prevention – provided your interests do not override. |
| Cookie Consent – § 25(1) TDDDG | The storage of non-essential information on your terminal device (cookies, tracking pixels) occurs exclusively on the basis of your express consent. |
| Technically Necessary – § 25(2) TDDDG | Strictly necessary cookies (e.g. shopping cart, session ID) may be set without your consent. |

Web Hosting

Our website is hosted by a professional hosting provider in Germany. When you access our website, technical access data is automatically collected and stored in server log files (see Section 6).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a stable and secure provision of the website). A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR has been concluded with the hosting provider.

Cloudflare (CDN & Security)

We use the Content Delivery Network and security services of Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA. Cloudflare routes traffic through a globally distributed server network to optimise loading times and protect our website against attacks (DDoS protection). In this process, access data (including your IP address) is routed through Cloudflare servers.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security and performance). A DPA has been concluded with Cloudflare. For data transfers to the USA, see Section 16.

Further information: Cloudflare Privacy Policy.

For security reasons and to protect the transmission of confidential content, our website uses SSL or TLS encryption. You can recognise an encrypted connection by the browser address bar changing from “http://” to “https://” and by the padlock icon in your browser bar.

When SSL/TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Our hosting provider automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

  • Browser type and version
  • Operating system used
  • Referrer URL (the previously visited page)
  • Host name of the accessing computer
  • IP address (anonymised where applicable)
  • Date and time of the server request

This data cannot be attributed to specific individuals. This data is not merged with other data sources. We reserve the right to review this data retrospectively if concrete indications of unlawful use come to our attention.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring error-free operation and IT security).

Retention period: Log files are automatically deleted after no more than 14 days.

Our website uses cookies and comparable technologies. Cookies are small text files that are stored on your terminal device.

Technically Necessary Cookies

Some cookies are strictly necessary for the operation of the website (e.g. session cookies, shopping cart cookies, CSRF tokens, cookie consent settings). These are set on the basis of § 25(2) TDDDG in conjunction with Art. 6(1)(f) GDPR without your consent.

Analytics and Marketing Cookies

Cookies that are not strictly necessary (e.g. for web analytics, remarketing, personalisation) are only set with your express prior consent. The legal basis is § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR.

Cookie Consent Banner

When you first visit our website, a cookie consent banner is displayed, through which you can actively consent to or reject the use of non-essential cookies. The option to reject is designed to be equivalent to the option to accept. Your consent decision is stored as a cookie on your terminal device. You can revoke your consent at any time with future effect via the cookie settings.

Change cookie settings: You can adjust your cookie preferences at any time via the “Cookie Settings” link in the footer of our website.

Overview of Cookies Used

| Cookie / Technology | Purpose | Duration | Legal Basis |
|---|---|---|---|
| Session cookie (PHPSESSID, form_key) | Technically necessary, shopping cart, session | Session end | § 25(2) TDDDG |
| Cookie consent | Storing your consent decision | 12 months | § 25(2) TDDDG |
| Google Analytics (_ga, _gid) | Web analytics (see Section 13) | up to 26 months | Consent |
| Google Ads Conversion | Conversion tracking (see Section 14) | 90 days | Consent |
| Google Remarketing | Interest-based advertising (see Section 14) | 180 days | Consent |
| Stripe (__stripe_mid, __stripe_sid) | Payment processing, fraud detection | Session / 1 year | § 25(2) TDDDG |

We process our customers' data to enable them to select, purchase or order the chosen products and related services, and to ensure payment and delivery.

Data Processed

  • Master data (name, company, address, VAT ID where applicable)
  • Contact data (email, phone)
  • Contract data (order contents, order time, price)
  • Payment data (selected payment method – payment data itself only at the payment service provider)
  • Shipping address and delivery data

Legal basis: Art. 6(1)(b) GDPR (contract performance and pre-contractual measures); Art. 6(1)(c) GDPR (tax and commercial law retention obligations).

Disclosure to Third Parties

For contract fulfilment, we share your data with the following recipients to the extent necessary:

  • Shipping service providers (e.g. DHL, UPS, DPD) – name, address, email/phone where applicable for delivery notifications
  • Payment service providers – see Section 9
  • ERP system (orgaMAX/Deltra) – for accounting purposes
  • Tax advisor – for fulfilment of tax obligations

Your data will not be disclosed to third parties for advertising purposes without your express consent.

For payment processing, we use external payment service providers. The payment data you enter during the order process is collected and processed directly by the respective payment service provider.

Stripe

Provider: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland (parent company: Stripe, Inc., USA).

When you select a payment method processed by Stripe (e.g. credit card), your payment data is transmitted directly to Stripe and processed there. Stripe uses its own cookies for payment processing and fraud detection (see Section 7). Stripe is certified under the EU-U.S. Data Privacy Framework.

Legal basis: Art. 6(1)(b) GDPR (contract performance); § 25(2) TDDDG (technically necessary cookies for payment processing). A DPA pursuant to Art. 28 GDPR has been concluded.

Privacy Policy: stripe.com/privacy.

PayPal

Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.

When you select PayPal as your payment method, your payment data is transmitted to PayPal.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

Privacy Policy: paypal.com/privacy.

Bank Transfer (Prepayment)

When paying by bank transfer, we process your transfer data (IBAN, BIC, account holder) exclusively for the purpose of matching incoming payments.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

Invoice

When paying by invoice, we process your order data and, where applicable, creditworthiness information (see also § 13 of our General Terms and Conditions). Invoicing is carried out via our ERP system.

Legal basis: Art. 6(1)(b) GDPR (contract performance); Art. 6(1)(f) GDPR (legitimate interest in credit assessment for purchases on account).

Note: We do not store complete credit card or bank account data on our servers. These are processed exclusively by the respective payment service provider.

When you contact us by contact form, email, phone or by any other means, we process the data you provide (name, email address, message content and any other voluntarily provided information) to handle your enquiry.

Legal basis: Art. 6(1)(b) GDPR (where the enquiry relates to a contract) or Art. 6(1)(f) GDPR (legitimate interest in responding to your enquiry).

Retention period: Data collected in the course of a contact request is deleted as soon as it is no longer required for the purpose for which it was collected and no statutory retention obligations apply.

You have the option of creating a customer account on our website. The data entered during registration (name, email, company, address, password in hashed form) is stored.

Legal basis: Art. 6(1)(b) GDPR (contract performance and pre-contractual measures); Art. 6(1)(a) GDPR (consent through registration).

You can request deletion of your customer account at any time by contacting us. Processing of data stored up to the point of deletion remains unaffected. Statutory retention obligations (e.g. for order data) continue to apply.

If you wish to receive the newsletter offered on the website, we require your email address as well as information that allows us to verify that you are the owner of the email address provided (double opt-in procedure). No additional data is collected, or only on a voluntary basis.

Newsletter Service Provider

Distribution is handled by: rapidmail GmbH, Wentzingerstrasse 21, 79106 Freiburg, Germany. A DPA pursuant to Art. 28 GDPR has been concluded. Your data is processed on rapidmail servers in Germany.

Privacy Policy: rapidmail.de/datensicherheit.

Legal basis: Art. 6(1)(a) GDPR (consent). For existing customers, § 7(3) UWG (advertising for similar goods and services).

Performance Measurement

The newsletter contains tracking pixels to measure open and click-through rates. This information is evaluated exclusively on a statistical and non-personal basis and serves to optimise the newsletter.

Unsubscribe: You can unsubscribe from the newsletter at any time, e.g. via the unsubscribe link at the end of each newsletter. Your email address will then be promptly removed from the mailing list, unless statutory retention obligations apply.

Google Analytics 4

We use Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Analytics uses cookies and comparable recognition technologies to analyse the usage behaviour of our website.

Google Analytics is activated only with your prior consent. Without consent, no tracking takes place.

The information generated by cookies about your use of this website is generally transferred to a Google server in the USA and stored there. We use IP anonymisation, so that your IP address is truncated by Google within Member States of the EU or other contracting states of the Agreement on the European Economic Area beforehand.

| Detail | Information |
|---|---|
| Provider | Google Ireland Limited (parent company: Google LLC, USA) |
| Legal basis – Cookie | § 25(1) TDDDG (consent) |
| Legal basis – Data | Art. 6(1)(a) GDPR (consent) |
| Third-country transfer | USA – based on the EU-U.S. Data Privacy Framework + SCC (see Section 16) |
| DPA | Concluded pursuant to Art. 28 GDPR |
| Revocation | At any time via cookie settings or browser add-on |

Further information: Google Privacy Policy | Google Analytics Opt-Out Browser Add-on.

Google Ads & Conversion Tracking

We use Google Ads, an online advertising programme by Google. As part of Google Ads, we use conversion tracking. After clicking on an advertisement placed by Google, a conversion tracking cookie is set. This cookie expires after 90 days and is not used for personal identification.

If the user visits certain pages of our website and the cookie has not yet expired, Google and we can recognise that the user clicked on the advertisement and was redirected to that page.

Google Remarketing

We use the Google remarketing function to display interest-based advertising on third-party websites. Google analyses your usage behaviour on our website in order to subsequently target you with relevant advertising on other websites. According to Google, pseudonymisation is used in the context of remarketing.

Legal basis: § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR (consent). Google Ads and remarketing are only activated after your express consent in the cookie consent banner.

You can deactivate interest-based advertising via the Google Ads Settings.

Google Fonts (Local)

Our website uses so-called Web Fonts from Google for the uniform display of typefaces. The Google Fonts are installed locally on our server. No connection to Google servers is established as a result.

Google Maps

We may embed maps from Google Maps. Provider: Google Ireland Limited. When you access a page containing Google Maps, a connection to Google servers is established. Google Maps is only loaded after your prior consent (two-click solution).

Legal basis: Art. 6(1)(a) GDPR (consent).

YouTube (Enhanced Privacy Mode)

We may embed videos from YouTube. Provider: Google Ireland Limited. We use YouTube in enhanced privacy mode. According to YouTube, no information about website visitors is stored in this mode before the video is viewed. Embedding is done via a two-click solution (prior consent).

Legal basis: Art. 6(1)(a) GDPR (consent).

Google reCAPTCHA

We may use “Google reCAPTCHA” to protect against abusive automated access. Provider: Google Ireland Limited. reCAPTCHA analyses the behaviour of website visitors based on various characteristics (e.g. IP address, time spent on site, mouse movements).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security and protection against spam/abuse).

Insofar as we use services from providers based outside the EU/EEA (particularly the USA), personal data may be transferred to third countries.

EU-U.S. Data Privacy Framework (DPF)

For data transfers to the USA, we primarily rely on the adequacy decision of the European Commission pursuant to Art. 45 GDPR regarding the EU-U.S. Data Privacy Framework. The US providers we use are certified under the DPF:

  • Google LLC – DPF certified
  • Cloudflare, Inc. – DPF certified
  • Stripe, Inc. – DPF certified

Important notice: The political and legal stability of the EU-U.S. Data Privacy Framework is not conclusively assured. Should the DPF become invalid, we additionally rely on EU Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR as a safeguard measure. We also conduct Transfer Impact Assessments (TIA).

Additional Safeguards

  • Conclusion of Standard Contractual Clauses (SCC) with all US providers as additional protection
  • Conducting Transfer Impact Assessments (TIA)
  • IP anonymisation for Google Analytics
  • Data minimisation: only data strictly necessary for the service is shared
  • Encryption of all data transfers (TLS)

We store personal data only for as long as is necessary for the respective processing purpose or as required by statutory retention periods.

| Data Category | Retention Period | Basis |
|---|---|---|
| Server log files | 14 days | Legitimate interest (IT security) |
| Order data / invoices | 10 years | § 147 AO, § 257 HGB |
| Commercial correspondence (incl. quotes) | 6 years | § 257 HGB |
| Contact form enquiries | Until resolved + 6 months | Legitimate interest |
| Newsletter consent (proof) | 3 years after unsubscription | Burden of proof obligation |
| Customer account data | Until deletion by the customer | Contract performance |
| Cookie consent proof | 3 years | Documentation obligation TDDDG/GDPR |

After expiry of the respective retention period, data is routinely deleted or anonymised, unless it is still required for contract performance or initiation.

As a data subject, you have the following rights under the GDPR. To exercise your rights, you may contact us at any time (contact details in Section 1).

  • Art. 15 GDPR – Right of Access: You may request information about your personal data processed by us.
  • Art. 16 GDPR – Rectification: You may request the correction of inaccurate data or the completion of incomplete data.
  • Art. 17 GDPR – Erasure: You may request the deletion of your stored data, unless statutory retention obligations apply.
  • Art. 18 GDPR – Restriction: You may request restriction of the processing of your data where certain conditions are met.
  • Art. 20 GDPR – Data Portability: You may receive your data in a structured, machine-readable format or have it transmitted to a third party.
  • Art. 21 GDPR – Objection: You may object to the processing of your data based on legitimate interests at any time.
  • Art. 7(3) GDPR – Withdrawal of Consent: You may withdraw any consent given at any time with effect for the future.
  • Art. 22 GDPR – Automated Decisions: No solely automated decision-making (profiling) takes place that produces legal effects concerning you.

Right to object under Art. 21 GDPR: Where your personal data is processed on the basis of legitimate interests pursuant to Art. 6(1)(f) GDPR, you have the right to object to the processing pursuant to Art. 21 GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data infringes the GDPR (Art. 77 GDPR).

Competent Supervisory Authority

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia

Postfach 20 04 44

40102 Duesseldorf, Germany

Phone: +49 211 38424-0

Email: poststelle@ldi.nrw.de

Website: www.ldi.nrw.de

We reserve the right to amend this privacy policy to ensure it always complies with current legal requirements or to implement changes to our services or data processing. The updated privacy policy will apply to your subsequent visits.

Material changes will be communicated separately where required.

Last updated: April 2026