Privacy Policy
1. Introduction
MAGICSTRIPES GmbH ("we", "us", "our") takes the protection of your personal data very seriously. This privacy policy explains how we collect, use, store and protect your personal data when you visit our website, place an order or otherwise interact with our services. We process your personal data in accordance with the European General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the German Federal Data Protection Act (BDSG).
2. Controller and Contact Information
The controller responsible for the processing of personal data on this website within the meaning of Art. 4(7) GDPR is:
If you have any questions about data protection or wish to exercise your rights, please contact us at the address above or via email.
3. Categories of Personal Data We Collect
Order and Customer Data
When you place an order we collect your name, billing and shipping address, email address, telephone number (optional) and the details of the products you have ordered.
Payment Data
Payment information (such as card details) is entered directly with our payment service provider and is not stored on our servers. We receive confirmation of payment and a transaction reference only.
Account Information
If you create an account, we collect your email address and a securely hashed password.
Communication Data
Any communications you send to us, including emails, contact form messages and support requests.
Technical Data
IP address, browser type and version, device type, operating system, time zone setting, referrer URL and other technical information transmitted automatically by your browser.
Usage Data
Information about how you use our website, such as pages visited, items viewed, items added to cart and interactions with the site.
4. Legal Basis for Processing
We process your personal data on the following legal bases under Art. 6 GDPR:
Contract Performance (Art. 6(1)(b) GDPR)
Processing necessary for the performance of a contract, such as creating your account, processing your order, arranging delivery and handling returns.
Legitimate Interests (Art. 6(1)(f) GDPR)
Processing necessary for our legitimate interests, such as ensuring the security of our website, preventing fraud, improving our services and sending service-related communications.
Consent (Art. 6(1)(a) GDPR)
Where you have given consent for a specific processing activity, such as newsletter subscription, analytics cookies or marketing communications. You can withdraw your consent at any time with effect for the future.
Legal Obligation (Art. 6(1)(c) GDPR)
Processing necessary to comply with legal obligations, in particular German commercial and tax law retention requirements.
5. Purposes of Data Processing
- To operate our online shop and process your orders
- To create and manage your customer account
- To handle payments, returns and refunds
- To ship products and communicate about delivery
- To provide customer support
- To send service-related and transactional emails
- To send newsletters where you have subscribed
- To improve, secure and maintain our website
- To prevent fraud and misuse
- To comply with our legal and tax obligations
6. Third-Party Services and Data Recipients
We work with carefully selected service providers that process personal data on our behalf as processors within the meaning of Art. 28 GDPR. Each of them is bound by a data processing agreement and may process data only according to our instructions.
Where we introduce additional processors in the future, this policy will be updated accordingly. Shipping carriers and tax / accounting service providers receive only the personal data strictly required to perform their service (e.g. name and shipping address for delivery).
7. Data Retention
We retain your personal data only for as long as necessary for the purposes for which it was collected, or as required by law:
- Order and invoice data: 10 years, in accordance with §147 AO and §257 HGB (German tax and commercial law).
- Account data: until you delete your account, plus any legally required retention period.
- Customer support communications: up to 3 years after resolution.
- Newsletter subscription: until you unsubscribe.
- Server / access logs: up to 30 days, then deleted or anonymised.
- Cookie consent records: up to 12 months.
After the retention period expires, data is securely deleted or anonymised.
8. Your Rights Under the GDPR
You have the following rights regarding your personal data:
Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data.
Right to Rectification (Art. 16 GDPR)
You have the right to request correction of inaccurate or incomplete personal data.
Right to Erasure (Art. 17 GDPR)
You have the right to request deletion of your personal data, subject to statutory retention obligations.
Right to Restriction (Art. 18 GDPR)
You have the right to request restriction of processing under certain circumstances.
Right to Data Portability (Art. 20 GDPR)
You have the right to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object (Art. 21 GDPR)
You have the right to object at any time to the processing of your personal data based on legitimate interests, including profiling.
Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on consent, you may withdraw consent at any time with effect for the future.
To exercise any of these rights, please contact us at mail@magicstripes.com. We will respond to your request within one month.
You also have the right to lodge a complaint with a data protection supervisory authority. The competent authority for MAGICSTRIPES GmbH is:
9. Cookies and Tracking
We use cookies and similar technologies to operate our website. Strictly necessary cookies (e.g. for the shopping cart and login session) are set on the legal basis of Art. 6(1)(f) GDPR and Sec. 25(2) TTDSG. Any non-essential cookies (analytics, marketing) are only set with your prior consent, which you can withdraw at any time.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. These measures include:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest at our infrastructure provider
- Secure password hashing
- Row-level security policies in our database
- Access controls and role-based authentication
- Regular backups and monitoring
11. International Data Transfers
Some of our processors are located outside the European Economic Area (EEA), in particular in the United States. Where personal data is transferred outside the EEA, we ensure an adequate level of protection through appropriate safeguards, including EU Standard Contractual Clauses approved by the European Commission and, where applicable, certification under the EU-US Data Privacy Framework. You may request a copy of these safeguards by contacting us.
12. Children's Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us and we will delete it.
13. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices, our processors or legal requirements. The current version, with the "Last updated" date at the top of this page, always applies.
14. Contact
If you have any questions about this privacy policy or our data protection practices, please contact us: