Privacy policy

1) Controller and contact

Controller in the sense of the GDPR:
Martina Kuhlmann, Sole Trader (Retail Merchant)
Am Holze 14, 30900 Wedemark, Germany
E-Mail: hallo@efs-mk.de
Phone: +49 (0) 5131 – 7018030

This website uses SSL/TLS encryption (https:// + lock icon).

2) Hosting and platform (Shopify)

Our online store is operated on the platform of Shopify International Ltd., 2nd Floor, Victoria Buildings, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland. Parent company: Shopify Inc., 151 O’Connor Street, Ground floor, Ottawa, ON, K2P 2L8, Canada.

When you visit our website, Shopify automatically collects technical access data (server logs) to ensure stability and security. This includes the requested page, timestamp, referrer URL, browser, operating system, and IP address (anonymized where configured).
Legal basis: Art. 6(1)(f) GDPR.
International transfers: Shopify may process data in Canada and the USA. Safeguards: adequacy decision for Canada (Art. 45 GDPR) and EU Standard Contractual Clauses with supplementary measures (Art. 46 GDPR).

3) Cookies and consent

We use cookies and similar technologies.

  • Necessary cookies: cart, checkout, login, security. Legal basis: Art. 6(1)(f) GDPR.

  • All other cookies (analytics, marketing, social media, embedded content): only with your consent (Art. 6(1)(a) GDPR).

Consent is managed via the Shopify cookie banner. You can adjust settings at any time.

4) Contact

If you contact us by e-mail, form, or phone, we process your data to answer your request.
Legal basis: Art. 6(1)(f) GDPR; for pre-contractual/contractual requests Art. 6(1)(b) GDPR.
Data is deleted when your request is completed, unless legal retention applies.

5) Customer accounts and orders

When you create a customer account or place an order, we process your master data, contact details, delivery addresses, order and payment data, communication data, and – where applicable – design/personalization content.
Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (statutory obligations).

Recipients / processing roles:

  • Shopify (commerce platform and order management)

  • Printify, Inc. (Fulfillment partner / processor) – receives required data (name, address, product details, designs, shipping info) to produce and deliver your order; Printify may use sub-processors (production and logistics partners).

  • Carriers / logistics companies (e.g. DHL, UPS, DPD) for delivery and notifications.

  • Payment providers (see below).

  • IT/hosting service providers, tax advisor where applicable.

International transfers: Depending on the production and delivery location, data may be transmitted to countries outside the EU/EEA. Safeguards: adequacy decisions (Art. 45 GDPR) or Standard Contractual Clauses (Art. 46 GDPR).

Retention: Contract and tax data are stored for 6 or 10 years as required by law.

6) Payments (Shopify Payments)

We use Shopify Payments for payment processing. Provider: Shopify International Ltd., Dublin, Ireland; parent company Shopify Inc., Ottawa, Canada.

Through Shopify Payments you can pay via credit/debit cards (Visa, Mastercard, American Express, Maestro, UnionPay), accelerated checkouts (Shop Pay, Apple Pay, Google Pay), and local payment methods (e.g. Klarna, Bancontact, iDEAL, TWINT).

Payment data (e.g. card details, billing address, device and transaction data) are processed directly by Shopify and the involved payment networks. We only receive transaction status information (success/failure, payment ID, amount).

Legal basis: Art. 6(1)(b) GDPR (contract performance).
Security: PCI-DSS Level 1, 3-D Secure, encryption, fraud protection.
International transfers: Shopify may process payment data in Canada/USA. Safeguards: adequacy decision (Canada) and EU Standard Contractual Clauses (USA).

7) Shipping

To deliver your order, we transfer name, address, and – if necessary – contact details to logistics companies and Printify’s production partners.
Legal basis: Art. 6(1)(b) GDPR.

8) Your rights

You have the following rights under the GDPR:

  • Access (Art. 15)

  • Rectification (Art. 16)

  • Erasure (Art. 17)

  • Restriction of processing (Art. 18)

  • Data portability (Art. 20)

  • Withdrawal of consent (Art. 7(3))

  • Objection to processing based on legitimate interests (Art. 21)

You also have the right to lodge a complaint with the competent supervisory authority:

Die Landesbeauftragte für den Datenschutz Niedersachsen (LfD Niedersachsen)
Prinzenstraße 5, 30159 Hannover, Germany
https://lfd.niedersachsen.de

9) Storage periods

We store personal data only as long as necessary for the stated purposes or as required by law. Contract and tax data: 6 or 10 years (statutory retention). Data based on consent: until withdrawn. Technical logs: [insert, e.g., 7–14 days].

10) Updates

We may update this privacy policy when services, legal requirements, or processes change.