Privacy Policy

Last updated: 2026-05-27

1. Introduction and Responsible Party

The responsible party for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Kaufweise UG (haftungsbeschränkt)
Neidenburgerstraße 43
45897 Gelsenkirchen
Germany
Telephone: +49 162 1801588
E-Mail: hallo@kaufweise.de

We take the protection of your personal data very seriously. We handle your personal data confidentially and in accordance with applicable data protection regulations and this privacy policy.

A company data protection officer is not required pursuant to § 38 BDSG (German Federal Data Protection Act) because the legal threshold (typically 20 persons permanently engaged in automated data processing) is not met.

2. Hosting and E-Mail Traffic

External Hosting via Shopify (Website & Shop)

This website is hosted with the service provider Shopify International Limited, 2nd Floor, Victoria Buildings, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland. The parent company is Shopify Inc., 151 O'Connor Street, Ground Floor, Ottawa, Ontario K2P 2L8, Canada. All website data is stored on Shopify's servers.

For data transfers to third countries, Shopify relies on the following protection mechanisms:

  • Canada: European Commission adequacy decision (Decision 2002/2/EC for commercial organizations, still valid)
  • USA: EU-US Data Privacy Framework (European Commission adequacy decision C(2023) 4745 of July 10, 2023)
  • Additionally: Standard Contractual Clauses (SCC) pursuant to Commission Implementing Decision (EU) 2021/914

A data processing agreement (DPA) pursuant to Art. 28 GDPR exists with Shopify. Legal basis: Art. 6 (1)(f) GDPR (legitimate interest in reliable provision of our online shop). Further information: shopify.com/legal/privacy.

E-Mail Hosting via All-Inkl

Our e-mail communication is conducted via the servers of ALL-INKL.COM – Neue Medien Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany.
When you send us an e-mail, your e-mail address, the subject line, and the content of your message are stored on All-Inkl's servers in Germany. Legal basis: Art. 6 (1)(f) GDPR (legitimate interest in efficient communication) or Art. 6 (1)(b) GDPR (pre-contractual measures). A data processing agreement (DPA) exists with All-Inkl pursuant to Art. 28 GDPR.

3. Cookies, Tracking & Consent Management

Our website uses cookies and similar technologies (e.g., localStorage). These are small text files that your web browser stores on your device.

Legal Basis (TDDDG & GDPR)

Storage and reading of information on your device is only permitted pursuant to § 25 TDDDG (German Telecommunications-Digital-Services-Data-Protection Act):

  • Technically Necessary Cookies: Storage permitted pursuant to § 25 (2) No. 2 TDDDG (strictly necessary for the service you explicitly requested, e.g., shopping cart, login, language setting, consent status). Legal basis for subsequent processing: Art. 6 (1)(f) GDPR.
  • Analytics & Marketing Cookies (GA4, Google Ads, Meta Pixel, TikTok Pixel, Trustami): Storage only with your explicit consent pursuant to § 25 (1) TDDDG. Legal basis for subsequent processing: Art. 6 (1)(a) GDPR. You can withdraw your consent at any time with future effect via the consent banner (Art. 7 (3) GDPR).

Server Log Files

The website provider automatically collects, in so-called server log files, information transmitted by your browser: IP address, browser type and version, operating system, referrer URL, hostname, time of server request. This data is not linked with other data sources.

Legal basis: Art. 6 (1)(f) GDPR. Legitimate Interest: Ensuring technical functionality, protection against attacks (DDoS, brute-force), clarification of abuse cases. Your interests are protected through short storage duration and no linking with identity data. Storage duration: maximum 7 days.

4. Contact and Communication

Contact via E-Mail or Form

When you contact us via e-mail or contact form, your information (name, e-mail address, message content) is stored for processing your inquiry and for follow-up questions. Legal basis: Art. 6 (1)(b) GDPR for contract-related inquiries, otherwise Art. 6 (1)(f) GDPR (legitimate interest in responding to customer inquiries). Storage duration: until your inquiry is fully resolved, at most until expiration of statutory retention periods (typically 6 years for business correspondence pursuant to § 257 HGB - German Commercial Code).

WhatsApp Business

We offer customer support via WhatsApp Business, a service of WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (group company Meta Platforms Ireland Limited; parent company Meta Platforms Inc., USA). We use WhatsApp Business exclusively when you actively initiate contact.

Processed Data: Your mobile number, message text and attachments, metadata (timestamp, online status). We do not have access to your address book and do not use WhatsApp for advertising purposes.

Joint Controllership (Art. 26 GDPR): For the provision of the WhatsApp infrastructure and processing of metadata, joint controllership exists between us and Meta Platforms Ireland Limited. We use WhatsApp exclusively for customer support; Meta processes metadata independently of our instructions for service provision. You may exercise your data subject rights with both us and Meta.

Third-Country Transfer: Metadata may be processed on servers in the USA. Meta Platforms Inc. is certified under the EU-US Data Privacy Framework.

Legal basis: Art. 6 (1)(b) GDPR (performance of pre-contractual and contractual measures / customer support) or Art. 6 (1)(f) GDPR. WhatsApp Privacy Policy: whatsapp.com/legal/privacy-policy-eea.

5. Order Processing, Shipping and Inventory Management

Inventory Management (Billbee)

We use the inventory management and order processing platform of Billbee GmbH, Paulinenweg 3, 51149 Cologne, Germany.

Processed Data: Customer name, address, e-mail, telephone number, order data (products, prices, quantity), payment method (not: payment data itself).

Sub-processors: Billbee obtains hosting and infrastructure services from sub-processors (particularly data centers in the EU). Billbee provides a current list of sub-processors as part of the data processing agreement.

Legal basis: Art. 6 (1)(b) GDPR (contract performance). A data processing agreement (DPA) exists with Billbee pursuant to Art. 28 GDPR. Storage duration: for the duration of the business relationship and statutory retention periods (typically 10 years pursuant to § 147 AO - German Fiscal Code, § 257 HGB). Privacy Policy: billbee.io/datenschutz.

Shipping Service Providers (DHL, Hermes & Co.)

To deliver your order, we share your address data with the respective logistics service provider (Art. 6 (1)(b) GDPR). For international shipments (e.g., via kaufweise.com or kaufweise.nl), address data may also be transmitted to partner service providers in the destination country; these are subject to the respective national data protection law.

Shipment Notification: Your e-mail address is shared with the shipping service provider for shipment notification only if you explicitly consented during checkout (Art. 6 (1)(a) GDPR). You may withdraw this consent at any time.

6. Payment Service Providers

We integrate payment services (including PayPal, Klarna, Shopify Payments). Your payment data is shared for payment processing (Art. 6 (1)(b) GDPR). The respective privacy policies can be found on the providers' websites. Storage duration: in accordance with commercial and tax law requirements (typically 6 or 10 years pursuant to § 257 HGB, § 147 AO).

7. Social Media (Social Media Profiles)

We maintain publicly accessible profiles on social networks. When you visit these profiles, personal data is collected by the operators of the networks (e.g., via cookies). We receive statistical data from the operators about the use of our profiles (so-called "Insights"). This creates joint controllership within the meaning of Art. 26 GDPR. Legal basis for our processing: Art. 6 (1)(f) GDPR (legitimate interest in public presentation and reach).

  • Instagram: Meta Platforms Ireland Ltd., Dublin, Ireland. Privacy Policy.
  • TikTok: TikTok Technology Limited, Dublin, Ireland. Privacy Policy.

8. Analytics Tools, Advertising & Trustami

Customer Reviews (Trustami)

We use the review widget of Trustami GmbH, Berlin, Germany. When you access the widget, your IP address is transmitted to Trustami. Trustami stores IP addresses exclusively for abuse prevention and shortens/anonymizes them after a short time.

Legal basis: Art. 6 (1)(a) GDPR (consent via consent banner). A data processing agreement (DPA) exists with Trustami pursuant to Art. 28 GDPR. Privacy Policy: trustami.com/de/datenschutz.

Google Analytics 4 & Google Ads (incl. Conversion Tracking)

We use Google Analytics 4 and Google Ads from Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (parent company Google LLC, USA). Cookies and similar technologies for reach measurement and conversion tracking are only set after your consent.

Processed Data: Pseudonymous user ID, IP address (truncated), device information, visited pages, interactions, conversions. We do not personally identify you.

Storage Duration: Event data in GA4: up to 14 months (in our configuration). Conversion data in Google Ads: according to Google's specifications up to 13 months for attribution.

Third-Country Transfer: Data transmission to the USA is based on the EU-US Data Privacy Framework and additionally on Standard Contractual Clauses (SCC). Legal basis: § 25 (1) TDDDG in conjunction with Art. 6 (1)(a) GDPR. Privacy Policy: policies.google.com/privacy.

TikTok Pixel

We use the TikTok Pixel from TikTok Technology Limited, 10 Earlsfort Terrace, Dublin 2, Ireland, to measure advertising success on TikTok.

Third-Country Transfer (Important Notice): Data may be transferred to TikTok group companies outside the EU, in particular also to ByteDance Ltd. (People's Republic of China) and TikTok Inc. (USA). For the USA, TikTok relies on the EU-US Data Privacy Framework and Standard Contractual Clauses. For the People's Republic of China there is no adequacy decision; TikTok relies here on Standard Contractual Clauses and supplementary technical and organizational measures. Complete protection against government access in the third country cannot be guaranteed. By activating the TikTok Pixel in the consent banner, you explicitly consent to this third-country transfer (Art. 49 (1)(a) GDPR).

Legal basis: § 25 (1) TDDDG in conjunction with Art. 6 (1)(a) GDPR and Art. 49 (1)(a) GDPR. Privacy Policy: tiktok.com/legal.

Meta Pixel

We use the Meta Pixel from Meta Platforms Ireland Ltd., Dublin, Ireland, to measure advertising success on Facebook and Instagram. Legal basis: § 25 (1) TDDDG in conjunction with Art. 6 (1)(a) GDPR. USA transfers are based on the EU-US Data Privacy Framework and Standard Contractual Clauses. Privacy Policy: facebook.com/privacy/policy.

9. Accounting (lexoffice)

We use the accounting software lexoffice from Haufe-Lexware GmbH & Co. KG, Munzinger Straße 9, 79111 Freiburg, Germany.

Processed Data: Invoicing and business data (customer name, address, order amount, payment information).

Sub-processors: lexoffice obtains cloud infrastructure and banking interfaces from sub-processors named in the data processing agreement. Hosting is performed in the EU.

Legal basis: Art. 6 (1)(c) GDPR (fulfillment of commercial and tax obligations). A data processing agreement (DPA) exists with Haufe-Lexware pursuant to Art. 28 GDPR. Storage duration: pursuant to § 147 AO up to 10 years.

10. Automated Decision-Making and Profiling

Fully automated decision-making within the meaning of Art. 22 GDPR with legal effect or significant impairment does not take place. In particular, all users receive the same prices and have the same access to our product range.

If you have given consent, marketing services (Google, Meta, TikTok) create pseudonymous interest profiles based on your browsing and clicking behavior, which are used for audience building for advertising. These profiles have no impact on contract conclusion or terms. You can object to this at any time via the consent banner (Art. 7 (3), Art. 21 GDPR).

11. Storage Duration (Overview)

Personal data is generally stored only as long as is necessary for the respective purposes or as statutory retention obligations require:

  • Order data / Contract data: up to 10 years (§ 147 AO, § 257 HGB)
  • Contact inquiries without contract reference: until resolution, at most 6 years as business correspondence
  • Server log files: maximum 7 days
  • Consent protocols: until withdrawal, then 3 more years for proof obligation
  • Analytics/Marketing tracking: according to duration specified in consent banner (typically 14 months)

12. Your Rights under GDPR

You have the following rights against the responsible party:

  • Right of Access (Art. 15 GDPR): to the personal data stored about you
  • Right to Rectification (Art. 16 GDPR): if data is incorrect or incomplete
  • Right to Erasure (Art. 17 GDPR, "Right to be Forgotten")
  • Right to Restrict Processing (Art. 18 GDPR)
  • Data Portability (Art. 20 GDPR): in structured, commonly used and machine-readable format
  • Right to Object (Art. 21 GDPR): against processing based on legitimate interests, particularly for direct marketing
  • Withdrawal of Consent (Art. 7 (3) GDPR): at any time with future effect. The lawfulness of processing until withdrawal remains unaffected.

To exercise your rights, a simple notification to hallo@kaufweise.de suffices. We will process your request within one month of receipt (Art. 12 (3) GDPR); for complex requests, the period may be extended by two additional months. Information is generally provided free of charge.

Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

Without prejudice to other legal remedies, you have the right to lodge a complaint with a data protection authority. The competent authority for us is:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW)
Kavalleriestraße 2–4
40213 Düsseldorf
Telephone: +49 211 38424-0
E-Mail: poststelle@ldi.nrw.de
Web: www.ldi.nrw.de

13. Data Security

We employ technical and organizational measures to protect your data against manipulation, loss, and unauthorized access. Our website uses TLS encryption (recognizable by the lock symbol in your browser's address bar). Our security measures are continuously adapted in accordance with technological developments.

14. Currency and Amendment of this Privacy Policy

This privacy policy is currently valid and dated 2026-05-27. Due to further development of our website or changes in statutory requirements, it may become necessary to amend this privacy policy. The current version can be accessed on this page at any time.