Free carbon-neutral shipping over €40 — the ritual, delivered.
MAGICSTRIPES
Search
Legal

Privacy Policy

Last updated: July 2026

1. Introduction

MAGICSTRIPES GmbH ("we", "us", "our") takes the protection of your personal data very seriously. This privacy policy explains how we collect, use, store and protect your personal data when you visit our website, place an order or otherwise interact with our services. We process your personal data in accordance with the European General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the German Federal Data Protection Act (BDSG).

2. Controller and Contact Information

The controller responsible for the processing of personal data on this website within the meaning of Art. 4(7) GDPR is:

MAGICSTRIPES GmbH
An der Alster 6
20099 Hamburg, Germany
Registered at the Handelsregister of the Amtsgericht Hamburg under register number HRB 131733. VAT identification number: DE294635597. Registration number acc. Packaging Act (VerpackG): DE2276947423961.

If you have any questions about data protection or wish to exercise your rights, please contact us at the address above or via email.

3. Categories of Personal Data We Collect

Order and Customer Data

When you place an order we collect your name, billing and shipping address, email address, telephone number (optional) and the details of the products you have ordered.

Payment Data

Payment information (such as card details) is entered directly with our payment service provider and is not stored on our servers. We receive confirmation of payment and a transaction reference only.

Account Information

If you create an account, we collect your email address and a securely hashed password.

Communication Data

Any communications you send to us, including emails, contact form messages and support requests.

Technical Data

IP address, browser type and version, device type, operating system, time zone setting, referrer URL and other technical information transmitted automatically by your browser.

Usage Data

Information about how you use our website, such as pages visited, items viewed, items added to cart and interactions with the site.

4. Legal Basis for Processing

We process your personal data on the following legal bases under Art. 6 GDPR:

Contract Performance (Art. 6(1)(b) GDPR)

Processing necessary for the performance of a contract, such as creating your account, processing your order, arranging delivery and handling returns.

Legitimate Interests (Art. 6(1)(f) GDPR)

Processing necessary for our legitimate interests, such as ensuring the security of our website, preventing fraud, improving our services and sending service-related communications.

Consent (Art. 6(1)(a) GDPR)

Where you have given consent for a specific processing activity, such as newsletter subscription, analytics cookies or marketing communications. You can withdraw your consent at any time with effect for the future.

Legal Obligation (Art. 6(1)(c) GDPR)

Processing necessary to comply with legal obligations, in particular German commercial and tax law retention requirements.

5. Purposes of Data Processing

  • To operate our online shop and process your orders
  • To create and manage your customer account
  • To handle payments, returns and refunds
  • To ship products and communicate about delivery
  • To provide customer support
  • To send service-related and transactional emails
  • To send newsletters where you have subscribed
  • To improve, secure and maintain our website
  • To prevent fraud and misuse
  • To comply with our legal and tax obligations

6. Third-Party Services and Data Recipients

We work with carefully selected service providers that process personal data on our behalf as processors within the meaning of Art. 28 GDPR. Each of them is bound by a data processing agreement and may process data only according to our instructions.

Lovable (Lovable GmbH / Lovable Technologies)
Purpose: Website hosting, deployment and web-application platform
Location: EU / USA
Safeguards: Data Processing Agreement, EU Standard Contractual Clauses
Privacy Policy →
Supabase (Supabase, Inc.)
Purpose: Backend infrastructure, database, authentication and file storage for the shop
Location: EU (Frankfurt, Germany) / USA
Safeguards: Data Processing Agreement, EU Standard Contractual Clauses, EU data region
Privacy Policy →
Resend (Resend, Inc.)
Purpose: Delivery of transactional emails (order confirmations, shipping notifications, account emails)
Location: USA / EU
Safeguards: Data Processing Agreement, EU Standard Contractual Clauses
Privacy Policy →
Stripe (Stripe Payments Europe, Ltd.)
Purpose: Payment processing for orders (credit / debit card and other payment methods)
Location: Ireland / USA
Safeguards: EU-US Data Privacy Framework, EU Standard Contractual Clauses
Privacy Policy →

Where we introduce additional processors in the future, this policy will be updated accordingly. Shipping carriers and tax / accounting service providers receive only the personal data strictly required to perform their service (e.g. name and shipping address for delivery).

7. Data Retention

We retain your personal data only for as long as necessary for the purposes for which it was collected, or as required by law:

  • Order and invoice data: 10 years, in accordance with §147 AO and §257 HGB (German tax and commercial law).
  • Account data: until you delete your account, plus any legally required retention period.
  • Customer support communications: up to 3 years after resolution.
  • Newsletter subscription: until you unsubscribe.
  • Server / access logs: up to 30 days, then deleted or anonymised.
  • Cookie consent records: up to 12 months.

After the retention period expires, data is securely deleted or anonymised.

8. Your Rights Under the GDPR

You have the following rights regarding your personal data:

Right of Access (Art. 15 GDPR)

You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data.

Right to Rectification (Art. 16 GDPR)

You have the right to request correction of inaccurate or incomplete personal data.

Right to Erasure (Art. 17 GDPR)

You have the right to request deletion of your personal data, subject to statutory retention obligations.

Right to Restriction (Art. 18 GDPR)

You have the right to request restriction of processing under certain circumstances.

Right to Data Portability (Art. 20 GDPR)

You have the right to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller.

Right to Object (Art. 21 GDPR)

You have the right to object at any time to the processing of your personal data based on legitimate interests, including profiling.

Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on consent, you may withdraw consent at any time with effect for the future.

To exercise any of these rights, please contact us at mail@magicstripes.com. We will respond to your request within one month.

You also have the right to lodge a complaint with a data protection supervisory authority. The competent authority for MAGICSTRIPES GmbH is:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str. 22, 7. OG
20459 Hamburg, Germany

9. Cookies and Tracking

We use cookies and similar technologies to operate our website. Strictly necessary cookies (e.g. for the shopping cart and login session) are set on the legal basis of Art. 6(1)(f) GDPR and Sec. 25(2) TTDSG. Any non-essential cookies (analytics, marketing) are only set with your prior consent, which you can withdraw at any time.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. These measures include:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of data at rest at our infrastructure provider
  • Secure password hashing
  • Row-level security policies in our database
  • Access controls and role-based authentication
  • Regular backups and monitoring

11. International Data Transfers

Some of our processors are located outside the European Economic Area (EEA), in particular in the United States. Where personal data is transferred outside the EEA, we ensure an adequate level of protection through appropriate safeguards, including EU Standard Contractual Clauses approved by the European Commission and, where applicable, certification under the EU-US Data Privacy Framework. You may request a copy of these safeguards by contacting us.

12. Children's Privacy

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us and we will delete it.

13. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices, our processors or legal requirements. The current version, with the "Last updated" date at the top of this page, always applies.

14. Contact

If you have any questions about this privacy policy or our data protection practices, please contact us:

MAGICSTRIPES GmbH
An der Alster 6
20099 Hamburg, Germany