Privacy policy

––––––––––––––––––––
Privacy Policy
––––––––––––––––––––

1) Introduction and Contact Details of the Data Controller
1.1 We are pleased that you are visiting our website and thank you for your interest. Below, we inform you about the handling of your personal data when using our website. Personal data is any data that can be used to personally identify you.

1.2 The data controller for this website within the meaning of the General Data Protection Regulation (GDPR) is Sarangua Sergelen, Loestr. 23, 53113 Bonn, Germany, Tel.: +4915129102135, Fax: +4922842283329, E-mail: info@filles-de-steppe.com. The controller responsible for processing personal data is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.

2) Data Collection When You Visit Our Website

2.1 When you use our website for purely informational purposes, i.e., if you do not register or otherwise provide us with information, we only collect data that your browser transmits to the website server (so-called "server log files"). When you access our website, we collect the following data, which is technically necessary for us to display the website to you:

- The website you visited
- Date and time of access
- Amount of data sent in bytes
- Source/referrer from which you accessed the page
- Browser used
- Operating system used
- IP address used (possibly in anonymized form)
This processing is carried out in accordance with Article 6(1)(f) GDPR based on our legitimate interest in improving the stability and functionality of our website. Your data will not be shared or used for any other purpose. However, we reserve the right to review server log files retrospectively should there be concrete indications of unlawful use.

2.2 This website uses SSL/TLS encryption for security reasons and to protect the transmission of personal data and other confidential content (e.g., orders or inquiries to us). You can recognize an encrypted connection by the "https://" prefix and the padlock icon in your browser's address bar.

3) Hosting & Content Delivery Network
3.1 Shopify
We use the system of the following provider to host our website and display its content: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland ("Shopify").

Data is also transferred to: Shopify Inc., 150 Elgin St, Ottawa, ON K2P 1L4, Canada.

All data collected on our website is processed on the provider's servers. We have concluded a data processing agreement with the provider, which ensures the protection of our website visitors' data and prohibits unauthorized disclosure to third parties.

In the case of data transfers to Canada, an adequate level of data protection is guaranteed by an adequacy decision of the European Commission.

3.2 Cloudflare
We use a Content Delivery Network (CDN) from the following provider: Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA.

This service enables us to deliver large media files such as graphics, page content, or scripts more quickly via a network of regionally distributed servers. The processing is carried out to protect our legitimate interest in improving the stability and functionality of our website pursuant to Art. 6 para. 1 lit. f GDPR. We have concluded a data processing agreement with the provider, which ensures the protection of our website visitors' data and prohibits unauthorized disclosure to third parties.

For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which, based on an adequacy decision by the European Commission, ensures compliance with the European level of data protection.

4) Cookies
To make visiting our website attractive and to enable the use of certain functions, we use cookies, which are small text files that are stored on your device. Some of these cookies are automatically deleted after you close your browser (so-called "session cookies"), while others remain on your device for a longer period and allow us to save website settings (so-called "persistent cookies"). In the latter case, you can find the storage duration in your web browser's cookie settings.

If any of the cookies we use also process personal data, this processing is carried out in accordance with Article 6(1)(b) GDPR for the performance of the contract, in accordance with Article 6(1)(a) GDPR in the case of consent, or in accordance with Article 6(1)(f) GDPR for the purposes of our legitimate interests.

Article 6(1)(f) GDPR to safeguard our legitimate interests in ensuring the best possible website functionality and a user-friendly and effective website experience.

You can configure your browser to notify you when cookies are set and decide whether to accept them individually, or to block cookies in certain cases or entirely.

Please note that if you do not accept cookies, the functionality of our website may be limited.

5) Contacting Us
5.1 WhatsApp Business

We offer you the option of contacting us via the WhatsApp messaging service provided by WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. We use the "Business version" of WhatsApp for this purpose.

If you contact us via WhatsApp regarding a specific transaction (for example, an order you have placed), we will store and use the mobile phone number you use with WhatsApp, as well as your first and last name (if provided), in accordance with Article 6(1)(b) GDPR to process and respond to your inquiry. Based on the same legal basis, we may ask you via WhatsApp to provide further data (order number, customer number, address, or email address) in order to assign your inquiry to a specific process.

If you use our WhatsApp contact for general inquiries (e.g., regarding our range of services, availability, or our website), we store and use the mobile phone number you use with WhatsApp, as well as—if provided—your first and last name, in accordance with Article 6 Paragraph 1 Letter f GDPR, based on our legitimate interest in efficiently and promptly providing the requested information.

Your data will always only be used to answer your inquiry via WhatsApp. It will not be shared with third parties.

Please note that WhatsApp Business accesses the address book of the mobile device we use for this purpose and automatically transfers phone numbers stored in the address book to a server of its parent company, Meta Platforms Inc., in the USA. For the operation of our WhatsApp Business account, we use a mobile device whose address book contains only the WhatsApp contact details of users who have actually contacted us via WhatsApp.

This ensures that every person whose WhatsApp contact details are stored in our address book has already consented to the transfer of their WhatsApp phone number from the address books of their chat contacts, in accordance with Article 6 Paragraph 1 Letter a of the GDPR, by accepting the WhatsApp Terms of Service upon first using the app on their device. The transfer of data from users who do not use WhatsApp and/or have not contacted us via WhatsApp is therefore excluded.

For information on the purpose and scope of data collection and the further processing and use of data by WhatsApp, as well as your related rights and settings options for protecting your privacy, please refer to WhatsApp's privacy policy: https://www.whatsapp.com/legal/?eea=1#privacy-policy

The processing described above may involve data transfers to servers of Meta Platforms Inc. in the USA.

5.2 When you contact us (e.g., via contact form or email), personal data is processed – solely for the purpose of processing and responding to your inquiry and only to the extent necessary for this purpose.

The legal basis for processing this data is our legitimate interest in responding to your inquiry pursuant to Art. 6 para. 1 lit. f GDPR. If your contact is aimed at a contract, the additional legal basis for processing is Art. 6 para. 1 lit. b GDPR. Your data will be deleted when it is clear from the circumstances that the matter has been resolved and provided that no statutory retention obligations apply.

6) Comment Function

When you use the comment function on this website, in addition to your comment, the time of its creation and your chosen username will be stored and published on this website. Furthermore, your IP address will be logged and stored. This storage of the IP address is for security reasons and in case the person concerned violates the rights of third parties or posts illegal content through a comment. We need your email address to contact you.

to take action if a third party objects to your published content as unlawful.

The legal basis for storing your data is Art. 6 para. 1 lit. b and f GDPR. We reserve the right to delete comments if they are objected to as unlawful by third parties.

7) Data processing when opening a customer account

In accordance with Art. 6 para. 1 lit. b GDPR, personal data will continue to be collected and processed to the extent necessary if you provide it to us when opening a customer account. You can find out which data is required for account opening in the input fields of the corresponding form on our website.

You can delete your customer account at any time by sending a message to the data controller's address listed above. After your customer account is deleted, your data will be deleted provided that all contracts concluded through it have been fully processed, no statutory retention periods apply, and we have no legitimate interest in continuing to store the data.

8) Use of Customer Data for Direct Marketing
Subscription to our Email Newsletter

When you subscribe to our email newsletter, we will regularly send you information about our offers. The only mandatory information required for sending the newsletter is your email address. Providing further information is voluntary and is used to personalize our communications with you. We use the so-called double opt-in procedure for sending the newsletter. This ensures that you only receive newsletters after you have expressly confirmed your consent to receive them by clicking a verification link sent to the specified email address.

By activating the confirmation link, you give us your consent to use your personal data in accordance with Art. 6 Para. 1 lit. a GDPR. We store your IP address, which is registered by your Internet Service Provider (ISP), as well as the date and time of registration, in order to be able to trace any potential misuse of your email address at a later date. The data we collect when you subscribe to the newsletter is used strictly for the intended purpose.

You can unsubscribe from the newsletter at any time via the link provided in the newsletter or by sending a corresponding message to the data controller named above. After unsubscribing, your email address will be immediately deleted from our newsletter mailing list, unless you have expressly consented to further use of your data or we reserve the right to use your data for other purposes permitted by law, about which we inform you in this privacy policy.

9) Data Processing for Order Fulfillment

9.1 To the extent necessary for processing your order for delivery and payment purposes, the personal data we collect will be shared with the commissioned shipping company and the commissioned bank in accordance with Article 6(1)(b) GDPR.

9) Data Processing for Order Fulfillment

If we owe you updates for goods with digital elements or for digital products based on a corresponding contract, we process the contact details you provided when placing your order (name, address, email address) in order to personally inform you about upcoming updates within the legally prescribed period, in accordance with our legal information obligations pursuant to Art. 6 para. 1 lit. c GDPR, via a suitable communication channel (e.g., by post or email). Your contact details will be used strictly for the purpose of notifying you about updates we owe you and will only be processed by us to the extent necessary for the respective information.

To process your order, we also work with the following service provider(s), who support us in whole or in part in fulfilling concluded contracts. Certain personal data will be transferred to these service providers in accordance with the following information.

9.2 Transfer of Personal Data to Shipping Service Providers

- Deutsche Post
We use the following provider as our shipping service provider: Deutsche Post AG, Charles-de-Gaulle-Straße 20, 53113 Bonn, Germany

We will forward your email address and/or telephone number to the provider before delivery of the goods in accordance with Art. 6 Para. 1 lit. a GDPR for the purpose of coordinating a delivery date or announcing the delivery, provided you have given your express consent during the ordering process. Otherwise, for the purpose of delivery in accordance with Art. 6 Para. 1 lit. b GDPR, we will only forward the recipient's name and delivery address to the provider. This transfer only takes place to the extent necessary for the delivery of the goods. In this case, prior coordination of the delivery date with the provider is required.

Prior notification is not possible.

Your consent can be withdrawn at any time with effect for the future by contacting the data controller named above or the provider.

- DHL
We use the following provider as our transport service provider: DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany

We will forward your email address and/or telephone number to the provider before delivery of the goods in accordance with Art. 6 Para. 1 lit. a GDPR for the purpose of coordinating a delivery date or announcing the delivery, provided you have given your express consent during the ordering process. Otherwise, for the purpose of delivery in accordance with Art. 6 Para. 1 lit. b GDPR, we will only forward the recipient's name and delivery address to the provider. This data is only shared to the extent necessary for the delivery of the goods. In this case, prior coordination of the delivery date with the provider or delivery notification is not possible.

Your consent can be withdrawn at any time with effect for the future by contacting the data controller named above or the provider.

- DHL Express
We use the following shipping provider: DHL Express Germany GmbH, Heinrich-Brüning-Str. 5, 53113 Bonn, Germany

We will forward your email address and/or telephone number to the provider before delivery of the goods in accordance with Art. 6 Para. 1 lit. a GDPR for the purpose of coordinating a delivery date or announcing the delivery, provided you have given your express consent during the ordering process. Otherwise, for the purpose of delivery in accordance with Art. 6 Para. 1 lit. b GDPR, we will only forward the recipient's name and delivery address to the provider. This data is only shared to the extent necessary for the delivery of the goods. In this case, prior coordination of the delivery date with the provider or delivery notification is not possible.

You can withdraw your consent at any time with effect for the future by contacting the data controller named above or the provider.

9.3 Use of Payment Service Providers

- Apple Pay
If you choose the "Apple Pay" payment method from Apple Distribution International (Apple), Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, payment processing is handled via the "Apple Pay" function of your iOS, watchOS, or macOS device by charging a payment card stored in "Apple Pay." Apple Pay uses security features integrated into your device's hardware and software to protect your transactions. Authorizing a payment requires entering a code you previously set and verifying your identity using your device's "Face ID" or "Touch ID" function.

For payment processing purposes, the information you provide during the ordering process, along with information about your order, is transmitted to Apple in encrypted form. Apple then re-encrypts this data with a developer-specific key before transmitting it to the payment service provider of the payment card stored in Apple Pay to complete the payment. Encryption ensures that only the website where the purchase was made can access the payment information. After the payment is processed, Apple sends your device account number and a transaction-specific, dynamic security code to the originating website to confirm the payment success.

If personal data is processed during the described transfers, this processing is carried out exclusively for the purpose of payment processing in accordance with Article 6(1)(b) GDPR.

Apple retains anonymized transaction data, including the approximate purchase amount, the approximate date and time, and whether the transaction was successfully completed. Anonymization completely eliminates any possibility of identifying you personally. Apple uses the anonymized data to improve Apple Pay and other Apple products and services.

When you use Apple Pay on your iPhone or Apple Watch to complete a purchase you made via Safari on your Mac, your Mac and the authorizing device communicate via an encrypted channel on Apple's servers. Apple does not process or store any of this information in a format that could identify you. You can disable the ability to use Apple Pay on your Mac in your iPhone's settings. Go to "Wallet & Apple Pay" and turn off "Allow Payments on Mac."

For more information about Apple Pay privacy, please visit the following web address: https://support.apple.com/de-de/HT203027

- Google Pay
If you have chosen the "Google Pay" payment method from Google Ireland Limited, Gordon H

If you choose to pay via Google Pay, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”), payment processing will be handled through the “Google Pay” application on your mobile device, which must be running at least Android 4.4 (“KitKat”) and have NFC capability. This will be done by charging a payment card stored in Google Pay or a payment system verified there (e.g., PayPal). To authorize a payment via Google Pay exceeding €25, you must first unlock your mobile device using your chosen verification method (such as facial recognition, password, fingerprint, or pattern).

For payment processing purposes, the information you provide during the ordering process, along with information about your order, will be transmitted to Google. Google will then transmit your payment information stored in Google Pay, in the form of a unique transaction number, to the originating website, which is used to verify the successful payment. This transaction number contains no information about the actual payment details of your payment method stored in Google Pay. Instead, it is created and transmitted as a unique numerical token. For all transactions via Google Pay, Google acts solely as an intermediary for processing the payment. The transaction is executed exclusively between you and the originating website by debiting the payment method stored in Google Pay.

If personal data is processed during the described transmissions, this processing is carried out exclusively for the purpose of payment processing in accordance with Article 6(1)(b) GDPR.

Google reserves the right to collect, store, and analyze certain transaction-specific information for each transaction made via Google Pay. This includes the date, time, and amount of the transaction, the merchant's location and description, a description of the purchased goods or services provided by the merchant, photos you attached to the transaction, the name and email address of the seller and buyer (or sender and recipient), the payment method used, your description of the reason for the transaction, and, if applicable, the offer associated with the transaction.

Google reserves the right to collect, store, and analyze certain transaction-specific information for each transaction made via Google Pay. According to Google, this processing is carried out exclusively in accordance with Article 6(1)(f) GDPR on the basis of the legitimate interest in proper accounting, the verification of transaction data, and the optimization and maintenance of the Google Pay service.

Google also reserves the right to combine the processed transaction data with other information that Google collects and stores when you use other Google services.

You can find the Google Pay Terms of Service here:

https://payments.google.com/payments/apis-secure/u/0/get_legal_document?ldo=0&ldt=googlepaytos&ldl=de

Further information on data protection at Google Pay can be found at the following web address:

https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=de

- PayPal
This website offers one or more online payment methods from the following provider: PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg

If you select a payment method from the provider where you pay in advance, your payment details provided during the ordering process (including name, address, bank and payment card information, currency, and transaction number) as well as information about the contents of your order will be transmitted to them in accordance with Article 6 Paragraph 1 Letter b GDPR. In this case, your data will be transmitted exclusively for the purpose of payment processing with the provider and only to the extent necessary for this purpose.

If you select a payment method where we pay in advance, you will also be asked to provide certain personal data during the ordering process (first and last name, street, house number, postal code, city, date of birth, email address, telephone number, and, if applicable, details of an alternative payment method).

In order to protect our legitimate interest in assessing your creditworthiness in such cases, we forward this data to the provider for the purpose of a credit check in accordance with Article 6(1)(f) GDPR. Based on the personal data you provided, as well as other data (such as shopping cart contents, invoice amount, order history, and payment history), the provider checks whether the payment option you selected can be granted with regard to payment and/or default risks.

The credit report may contain probability values (so-called score values). If score values are included in the credit report, they are based on a scientifically recognized mathematical-statistical method. In the calculation of the score values,Address data is among the information collected, but is not the only data processed.

You can object to this processing of your data at any time by contacting us or the provider. However, the provider may still be entitled to process your personal data if this is necessary for processing payments in accordance with the contract.

- Shopify Payments
One or more online payment methods from the following provider are available on this website: Shopify International Limited, Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland.

If you select a payment method from the provider that requires you to pay in advance (such as credit card payment), your payment data provided during the ordering process (including name, address, bank and payment card information, currency, and transaction number) as well as information about the contents of your order will be transmitted to the provider in accordance with Art. 6 Para. 1 lit. b GDPR. In this case, your data will be transmitted exclusively for the purpose of payment processing with the provider and only to the extent necessary for this purpose.

Shopify Payments 10) Web Analytics Services
Shopify Analytics

This website uses the web analytics service provided by: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland

Data is also transferred to: Shopify Inc., 150 Elgin St, Ottawa, ON K2P 1L4, Canada

Using cookies and/or similar technologies (tracking pixels, web beacons, algorithms for reading device and browser information), the service collects and stores pseudonymized visitor data, including information about the device used, such as the IP address and browser information, in order to evaluate it for statistical analysis of user behavior on our website and to create pseudonymized user profiles. Among other things, this allows for the evaluation of movement patterns (so-called heatmaps), which show the duration of page visits as well as interactions with page content (e.g., text input, scrolling, clicks, and mouse-overs). Pseudonymization fundamentally precludes direct identification of individuals. Your personal data will not be combined with other personally identifiable information collected through other means.

All processing described above, in particular the reading or storage of information on your device, will only be carried out if you have given us your explicit consent in accordance with Article 6(1)(a) GDPR. You can revoke your consent at any time with effect for the future by deactivating this service in the "Cookie Consent Tool" provided on the website.

We have concluded a data processing agreement with the provider, which protects the data of our website visitors and prohibits its transfer to third parties.

In the case of data transfers to Canada, an adequate level of data protection is ensured by an adequacy decision of the European Commission.

11) Tools and Other Services
11.1 - Lexware Office
For our accounting, we use the cloud-based accounting software service of the following provider: Haufe-Lexware GmbH & Co. KG, Munzinger Straße 9, 79111 Freiburg, Germany

We process incoming and outgoing invoices, as well as, where applicable, our company's bank transactions, in order to automatically record invoices, match them to transactions, and generate financial accounting records in a semi-automated process.

If personal data is also processed in this context, the processing is based on our legitimate interest in the efficient organization and documentation of our business transactions in accordance with Art. 6 Para. 1 lit. f GDPR.

11.2 Cookie Consent Tool

This website uses a so-called "cookie consent tool" to obtain effective user consent for cookies and cookie-based applications that require consent. The "cookie consent tool" is displayed to you as an interactive user interface when you visit the site, where you can grant consent for specific cookies and/or cookie-based applications by ticking boxes. By using this tool, all cookies/services requiring consent are only loaded if you grant the corresponding consent by ticking the relevant boxes. This ensures that such cookies are only placed on your device if you have given your consent.

The tool uses technically necessary cookies to save your cookie preferences. No personal user data is processed in this process.

If, in individual cases, personal data (such as the IP address) is processed for the purpose of storing, assigning, or logging cookie settings, this is done in accordance with Article 6 Paragraph 1 Letter f GDPR based on our legitimate interest in a legally compliant and secure user experience.

GDPR-compliant, user-specific, and user-friendly cookie consent management, and thus a legally compliant design of our website.

A further legal basis for processing is Article 6(1)(c) GDPR. As the data controller, we are legally obligated to make the use of cookies that are not technically necessary dependent on the respective user's consent.

Where necessary, we have concluded a data processing agreement with the provider, which ensures the protection of our website visitors' data and prohibits unauthorized disclosure to third parties.

Further information about the operator and the settings options of the cookie consent tool can be found directly in the corresponding user interface on our website.

12) Rights of the Data Subject
12.1 The applicable data protection law grants you the following rights as a data subject (rights of access and intervention) with regard to the processing of your personal data by us as the data controller, whereby reference is made to the aforementioned legal basis for the respective requirements for exercising these rights:

- Right of access pursuant to Article 15 GDPR;

- Right to rectification pursuant to Article 16 GDPR;

- Right to erasure pursuant to Article 17 GDPR;

- Right to restriction of processing pursuant to Article 18 GDPR;

- Right to be informed pursuant to Article 19 GDPR;

- Right to data portability pursuant to Article 20 GDPR;

- Right to withdraw consent pursuant to Article 7(3) GDPR;

- Right to lodge a complaint pursuant to Article 77 GDPR.

12.2 Right to object
If we process your personal data based on our overriding legitimate interest as part of a balancing of interests, you have the right to object to this processing at any time, on grounds relating to your particular situation, with effect for the future. If you exercise your right to object, we will cease processing the data in question. However, further processing remains possible if we can demonstrate compelling legitimate grounds for the processing which override your interests, fundamental rights and freedoms, or if the processing serves the purpose of establishing, exercising or defending legal claims.

If you exercise your right to object, we will cease processing the data in question. If we process your personal data for direct marketing purposes, you have the right to object to the processing of your personal data for such marketing at any time. You can exercise your right to object as described above.

If you exercise your right to object, we will cease processing the data in question for direct marketing purposes.

13) Duration of Storage of Personal Data
The duration of storage of personal data is determined by the respective legal basis, the purpose of processing, and – where applicable – the respective statutory retention period (e.g., commercial and tax law retention periods).

When processing personal data based on explicit consent pursuant to Article 6(1)(a) GDPR, the data in question will be stored until you withdraw your consent.

If statutory retention periods exist for data processed in connection with contractual or quasi-contractual obligations based on Article 6(1)(b) GDPR, this data will be routinely deleted after the retention periods have expired, unless it is still required for the performance of a contract or for taking steps prior to entering into a contract and/or we have a legitimate interest in its continued storage.

When processing personal data based on Article 6(1)(f) GDPR, this data will be stored until you exercise your right to object pursuant to Article 21(1) GDPR, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of establishing, exercising or defending legal claims.

When processing personal data for direct marketing purposes based on Article 6(1)(f) GDPR, this data will be stored until you exercise your right to object pursuant to Article 21(2) GDPR.

Unless otherwise specified in this privacy policy regarding specific processing situations, stored personal data will be deleted when it is no longer necessary for the purposes for which it was collected or otherwise processed.

Copyright notice: This privacy policy was created by the specialist lawyers of the IT Law Firm and is protected by copyright (https://www.it-recht-kanzlei.de).

Last updated: March 10, 2026, 7:21:33 PM