Privacy Policy

1. Data Controller

Kothagudem K&B UG (haftungsbeschränkt)
Märkisches Allee 312
12687 Berlin
E-Mail: datenschutz@aahaar.de

2. Types of Data Processed

When you use our online shop, we process the following personal data:

  • Contact data: Name, email address, phone number, delivery address
  • Order data: Order history, shopping cart contents, order status
  • Payment data: Payment references (full payment processing is handled by Stripe)
  • Technical data: IP address, browser type, operating system, access time

3. Purposes of Processing

  • Execution and fulfilment of orders
  • Customer service and communication
  • Compliance with statutory retention and documentation obligations
  • Improvement of our services and user experience

4. Legal Bases for Processing

  • Art. 6(1)(b) GDPR: Processing for the performance of a contract (order fulfilment, customer account)
  • Art. 6(1)(c) GDPR: Processing for compliance with legal obligations (tax retention requirements)
  • Art. 6(1)(a) GDPR: Processing based on your consent (marketing emails, Google Analytics)
  • Art. 6(1)(f) GDPR: Processing based on legitimate interests (security, fraud prevention)

5. Processors and Data Transfers

5.1 Hetzner Online GmbH

Our online shop and its database are hosted on servers of Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. All personal data (customer data, order data, authentication data) is stored on servers within the European Union. A data processing agreement pursuant to Art. 28 GDPR is in place.

5.2 Stripe Payments Europe Ltd.

Payment processing is handled by Stripe Payments Europe Ltd., based in Dublin, Ireland. Stripe processes payment data on the basis of Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. A data processing agreement is in place.

5.3 Zoho Corporation B.V.

For sending transactional emails (order confirmations, shipping notifications, delivery notifications) we use the email service of Zoho Corporation B.V., Hoogoorddreef 15, 1101 BA Amsterdam, Netherlands. These emails may contain personal data such as name, email address and order information. A data processing agreement is in place.

5.4 Google Ireland Limited

For website analytics we use Google Analytics 4 (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). A data processing agreement is in place. Data transfers to the USA are based on the EU-US Data Privacy Framework.

Additionally, we offer the option to sign in via Google OAuth. In this process, your email address and name are transmitted from Google to us in order to create your customer account. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

5.5 Brevo (Sendinblue GmbH)

For sending marketing emails (newsletters, offers, product recommendations) we use Brevo (Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany). Brevo processes your email address, name and data relating to open and click analytics. Processing is based on your consent (Art. 6(1)(a) GDPR). You may withdraw your consent at any time, e.g. via the unsubscribe link in each email. A data processing agreement pursuant to Art. 28 GDPR is in place.

6. Cookies and Tracking

6.1 Strictly Necessary Cookies

We use session cookies for authentication (Supabase Auth). These cookies are necessary for the operation of the online shop and cannot be disabled. Legal basis: Art. 6(1)(b) GDPR, § 25(2) No. 2 TTDSG.

6.2 Google Analytics 4

With your consent, we use Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies and similar technologies to collect and analyse information about your use of our website.

The data collected (e.g. IP address, pages visited, time spent) is transmitted to Google servers in the USA. We have enabled IP anonymisation. Google is certified under the EU-US Data Privacy Framework.

Legal basis: Art. 6(1)(a) GDPR, § 25(1) TTDSG (consent). You can withdraw your consent at any time via our cookie banner or disable Google Analytics using the Google Analytics Opt-out Browser Add-on.

7. Data Storage and Deletion

  • Order data: 10 years in accordance with commercial and tax law retention obligations (§ 257 HGB, § 147 AO)
  • Customer account data: Until account deletion or upon deletion request by the customer
  • Technical access data: Maximum 30 days

8. Your Rights (GDPR Art. 15–22)

You have the right to:

  • Access (Art. 15 GDPR) — information about the personal data we store about you
  • Rectification (Art. 16 GDPR) — correction of inaccurate data
  • Erasure (Art. 17 GDPR) — deletion of your data, provided no retention obligations apply
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR) — receive your data in a machine-readable format
  • Objection (Art. 21 GDPR) — object to the processing of your data

9. Right to Lodge a Complaint

You have the right to lodge a complaint with the competent supervisory authority:

Berlin Commissioner for Data Protection and Freedom of Information
Alt-Moabit 59-61, 10555 Berlin
E-Mail: mailbox@datenschutz-berlin.de

10. Contact for Data Protection Enquiries

For questions regarding data protection, please contact:
datenschutz@aahaar.de