Privacy Notice

Last updated: 2026-04-04

This privacy notice is prepared for GDPR Article 13/14 transparency requirements. Replace all placeholders before production use.


1. Controller

REPLACE_WITH_LEGAL_ENTITY_NAME

REPLACE_WITH_STREET_AND_NUMBER, REPLACE_WITH_POSTAL_CODE REPLACE_WITH_CITY, Austria

Email: REPLACE_WITH_PRIVACY_CONTACT_EMAIL

Phone: REPLACE_WITH_CONTACT_PHONE

Postal address: REPLACE_WITH_PRIVACY_CONTACT_POSTAL_ADDRESS

DPO contact: REPLACE_WITH_DPO_CONTACT_OR_N_A


2. Categories of Personal Data

Account data: email address and password hash.

Authentication and security data: sign-in attempts, normalized identifier, user-agent string, response latency, success/failure outcome.

Order and checkout data: delivery name, phone, address, purchased items, order amounts, currency, checkout session identifiers, and customer email.

Communication data: password reset and transactional email delivery metadata.

Technical data: strictly necessary `Authentication` cookie and cart information in browser local storage.


3. Purposes and Legal Bases (GDPR Art. 6)

Contract performance (Art. 6(1)(b)): account login, order placement, checkout completion, and order management.

Legal obligation (Art. 6(1)(c)): accounting and tax record retention.

Legitimate interests (Art. 6(1)(f)): fraud prevention, account security, abuse monitoring, and service reliability.

Consent (Art. 6(1)(a)): only where optional tracking or marketing cookies are used.


4. Recipients and Processors

Payments: Stripe

Transactional email delivery: Resend

Hosting/infrastructure: REPLACE_WITH_HOSTING_PROVIDER

Data is shared with processors only to the extent required for service delivery and under data-processing terms.


5. International Transfers

If personal data is transferred outside the EEA, we rely on an applicable transfer mechanism (for example, adequacy decisions or Standard Contractual Clauses) and supplementary safeguards where required.


6. Retention Periods

Account data: Until account deletion request, then restricted/deleted unless retention is required by law.

Order data: At least 7 years for tax/accounting obligations under Austrian law, plus any longer period required for legal claims.

Security logs: Maximum 12 months, unless a longer period is required for security incident investigation.

Password reset tokens: Until used or expired, then deleted as part of periodic cleanup.

Technical logs: Up to 30 days unless needed longer for security and abuse prevention.


7. Data Subject Rights

You may request access, rectification, erasure, restriction of processing, and data portability, and you may object to processing where applicable. You may also withdraw consent at any time for consent-based processing.

To exercise rights, contact: REPLACE_WITH_PRIVACY_CONTACT_EMAIL

You can lodge a complaint with the Austrian Data Protection Authority: Datenschutzbehörde (DSB) - complaint (Beschwerde).


8. Cookies and Similar Technologies

We currently use a strictly necessary authentication cookie and local storage for shopping-cart functionality.

If optional analytics or marketing cookies are introduced, this notice and the consent mechanism must be updated before activation.


9. Legal Sources Used for This Template

GDPR transparency requirements: Regulation (EU) 2016/679, Articles 12-14.

Practical privacy notice structure: GDPR.eu privacy notice guide.

Austrian imprint obligations: USP Austria.


Company details are also available at /impressum.