Privacy policy
Privacy notice in accordance with Art. 13 GDPR
Name and address of the data controller
The responsible entity within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is:
Sabrina Gatzlaff - Atelier für Kunst
c/o IP-Management #3964
Ludwig-Erhard-Str. 18
20459 Hamburg
E-mail: hi@sabrinaartstudio.de
Phone: +4915258111418
General information on data processing
Legal basis for the processing of personal data
In accordance with Art. 13 GDPR, we inform you of the legal basis of our data processing. If the legal basis is not specified in the privacy notice, the following applies:
The legal basis for obtaining consent is Art. 6 para. 1 lit. a in conjunction with Art. 7 GDPR. The legal basis for processing for the fulfilment of our services and implementation of contractual measures as well as for answering enquiries is Art. 6 para. 1 lit. b GDPR. The legal basis for processing for the fulfilment of our legal obligations is Art. 6 para. 1 lit. c GDPR. If the processing of your data is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for the processing. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
Data deletion and storage duration
We adhere to the principles of data minimisation in accordance with Art. 5 para. 1 lit. c GDPR and storage limitation in accordance with Art. 5 para. 1 lit. e GDPR. We only store your personal data for as long as is necessary to achieve the purposes stated here or as provided for by the retention periods stipulated by law. After the respective purpose no longer applies or after these retention periods have expired, the corresponding data will be deleted as quickly as possible.
External links
This website may contain links to third party websites or to other websites within our responsibility. If you follow a link to a website outside our responsibility, please note that these websites have their own data protection information. We assume no responsibility or liability for these third-party websites and their privacy notices. Therefore, before using these websites, please check whether you agree with their privacy policies.
You can recognise external links either by the fact that they are displayed in a different colour from the rest of the text or underlined. Your cursor will show you external links when you move it over such a link. Only when you click on an external link will your personal data be transferred to the destination of the link. In particular, the operator of the other website will receive your IP address, the time at which you clicked on the link, the page on which you clicked on the link and other information that you can find in the privacy notices of the respective provider.
Please also note that individual links may lead to a data transfer outside the European Economic Area. This could give foreign authorities access to your data. You may not have any legal remedies against this data access. If you do not want your personal data to be transferred to the link destination or even exposed to unwanted access by foreign authorities, please do not click on any links.
Rights of the data subject
As a data subject within the meaning of the GDPR, you have the opportunity to assert various rights. The data subject rights arising from the GDPR are the right of access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restriction of processing (Article 18), the right to object (Article 21), the right to lodge a complaint with a supervisory authority and the right to data portability (Article 20).
Right of cancellation:
Some data processing can only take place with your express consent. You have the option to revoke your consent at any time. However, this does not affect the legality of data processing up to the point of revocation.
Right of objection:
If the processing is based on Art. 6 para. 1 lit. e or f GDPR, you as the data subject may object to the processing of your personal data at any time for reasons arising from your particular situation. You also have this right in the case of profiling based on these provisions within the meaning of Art. 4(4) GDPR. Unless we can demonstrate a legitimate interest in the processing that outweighs your interests, rights and freedoms or the processing serves the assertion, exercise or defence of legal claims, we will refrain from processing your data after the objection has been made.
If personal data is processed for direct marketing purposes, you have the right to object at any time. The same applies to profiling in connection with direct advertising. Here too, we will no longer process personal data as soon as you object.
Right to lodge a complaint with a supervisory authority:
If you believe that the processing of personal data concerning you infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your place of residence, your place of work or the place of the alleged infringement, without prejudice to any other administrative or judicial remedy.
Right to data portability:
If your data is processed automatically on the basis of consent or fulfilment of a contract, you have the right to receive this data in a structured, commonly used and machine-readable format. You also have the right to request the transfer and provision of the data to another data controller, insofar as this is technically feasible.
Right of access, rectification and erasure:
You have the right to obtain information about your processed personal data with regard to the purpose of data processing, the categories, the recipients and the duration of storage. If you have any questions on this topic or other topics relating to personal data, you can of course contact us using the contact options provided in the legal notice.
Right to restriction of processing:
You can request the restriction of the processing of your personal data at any time. To do so, you must fulfil one of the following requirements:
- You dispute the accuracy of the personal data. You have the right to request a restriction of processing for the duration of the verification of accuracy.
- If the processing is unlawful, you can request the restriction of the use of the data as an alternative to erasure.
- If we no longer need your personal data for the purposes of processing, but you need the data for the assertion, exercise or defence of legal claims, you can request the restriction of processing as an alternative to erasure.
- If you object to the processing pursuant to Art. 21 (1) GDPR, your interests and ours will be weighed up. Until this balancing has taken place, you have the right to request the restriction of processing.
Restriction of processing means that, with the exception of storage, personal data may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural person or legal entity or for reasons of important public interest of the Union or of a Member State.
Provision of the website (web host)
Our website is hosted by:
Shopify International Ltd.
2nd Floor 1 and 2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32
Ireland
When you visit our website, we automatically collect and store information in so-called server log files. Your browser automatically transmits this information to our server or to the server of our hosting company.
These are:
- IP address of the website visitor's end device
- Device used
- Host name of the accessing computer
- Operating system of the visitor
- Browser type and version
- Name of the retrieved file
- Time of the server request
- Amount of data
- Information on whether the retrieval of the data was successful
This data is not merged with other data sources.
Instead of operating this website on our own server, we can also have it operated on the server of an external service provider (hosting company), which we have named above in this case. The personal data collected by this website will then be stored on the hosting company's servers. In addition to the data mentioned above, the web host also stores for us, for example, contact requests, contact data, names, website access data, meta and communication data, contract data and other data generated via a website.
The legal basis for the processing of this data is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is the technically error-free presentation and optimisation of this website. If the website is accessed in order to enter into contractual negotiations with us or to conclude a contract, another legal basis is Art. 6 para. 1 lit. b GDPR. In the event that we have commissioned a hosting company, there is a data processor contract with this service provider.
Use of local storage items, session storage items and cookies
Our website uses local storage items, session storage items and/or cookies. Local storage is a mechanism that enables the storage of data within the browser on your end device. This data usually contains user preferences, such as the "day" or "night" mode of a website, and is retained until you delete the data manually. Session storage is very similar to local storage, except that the data is only stored for the current session, i.e. until the current tab is closed. The session storage items are then deleted from your end device. Cookies are information that a web server (server that provides web content) stores on your end device in order to be able to identify this end device. They are either stored temporarily for the duration of a session (session cookies) and deleted at the end of your visit to a website, or stored permanently (permanent cookies) on your end device until you delete them yourself or they are automatically deleted by your web browser.
These objects may also be stored on your device by third-party companies when you visit our website (third-party requests). This enables us as the operator and you as a visitor to this website to utilise certain third-party services that are installed on this website. Examples of this include the processing of payment services or the display of videos.
These mechanisms can be used in a variety of ways. They can improve the functionality of a website, control shopping basket functions, increase the security and convenience of website use and carry out analyses of visitor flows and behaviour. Depending on the individual functions, these must be categorised under data protection law. If they are necessary for the operation of the website and intended to provide certain functions (shopping basket function) or serve to optimise the website (e.g. cookies to measure visitor behaviour), they are used on the basis of Art. 6 para. 1 lit. f GDPR. As the website operator, we have a legitimate interest in the storage of local storage items, session storage items and cookies for the technically error-free and optimised provision of our services. In all other cases, local storage items, session storage items and cookies are only stored with your express consent (Art. 6 para. 1 lit. a GDPR).
If local storage items, session storage or cookies are used by third-party companies or for analysis purposes, we will inform you about this separately as part of this privacy notice. Your required consent will be requested and can be revoked at any time.
Use of external services
External services are used on our website. External services are services from third-party providers that are used on our website. This can be done for various reasons, for example for embedding videos or for the security of the website. When using these services, personal data is also passed on to the respective providers of these external services. If we do not have a legitimate interest in the use of these services, we will obtain your consent as a visitor to our website, which can be revoked at any time, before using them (Art. 6 para. 1 lit. a GDPR).
Analytics
We process personal data of website visitors to analyse user behaviour. By analysing the data obtained, we are able to compile information about the use of the individual components of our website. This enables us to increase the user-friendliness of our website. The analysis tools used can be used, for example, to create user profiles for the display of targeted or interest-based advertising messages, to recognise our website visitors the next time they visit our website, to measure their click/scroll behaviour, their downloads, to create heat maps, to recognise page views, to measure the duration of visits or bounce rates and to trace the origin of website visitors (city, country, which page the visitor comes from). The analysis tools help us to improve our market research and marketing activities.
Processing will only take place if you consent to this data processing (via our consent banner on the website). The legal basis for this processing is consent (Art. 6 para. 1 lit. a GDPR). Without your consent, data processing in the manner described above will not take place. If you revoke your consent (e.g. via the consent banner or other options provided on this website), we will terminate this data processing. This does not affect the lawfulness of processing carried out up to the point of withdrawal.
Shopify Analytics
We use the Shopify Analytics service on our website. The provider of the service is Shopify International Ltd, 2nd Floor 1 and 2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland.
The use of the service may result in data being transferred to a third country (Canada). The European Commission has confirmed an adequate level of data protection for the country by means of an adequacy decision.
Further information can be found in the provider's data protection information at the following URL: https://www.shopify.com/legal/privacy?shpxid=1c1444d0-C70E-43BB-AD1E-BB3774A7C8C0.
Webshop
We offer you our products and/or services via our web shop. As part of the sale of products and/or services, we collect, process and use your personal data (e.g. your name, your contact details, but also access times, device information or your IP address) to handle the purchase and payment process.
We base this processing on a legitimate interest (Art. 6 para. 1 lit. f GDPR).
Our legitimate interest lies in the error-free presentation and optimisation of our web shop.
Shopify
We use the Shopify service on our website. The provider of the service is Shopify International Ltd, 2nd Floor 1 and 2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland.
The use of the service may result in data being transferred to a third country (Canada). The European Commission has confirmed an adequate level of data protection for the country by means of an adequacy decision.
Further information can be found in the provider's data protection information at the following URL: https://www.shopify.com/legal/privacy?shpxid=1c1444d0-C70E-43BB-AD1E-BB3774A7C8C0.
Consent Management
To comply with data protection requirements, we use a consent management tool on our website. We use this tool to obtain the necessary consent for the setting of cookies or the use of external services. The consents are stored.
The processing is necessary for compliance with a legal obligation to which the data controller (website operator) is subject. Art. 6 para. 1 lit. c GDPR is therefore used as the legal basis for processing.
GDPR Legal Cookie by Shopify
We use the GDPR Legal Cookie by Shopify service on our website. The provider of the service is beeclever GmbH, Friedrich-Mohr-Straße 1, 56070 Koblenz, Germany.
When you enter our website, a connection is established to the servers of the provider beeclever. The provider beeclever receives personal data in this way, such as the browser used, the IP address and a time stamp. A cookie is then stored in your browser in order to be able to assign the consent you have given or revoke it. The data collected in this way is stored until you ask us to delete it, delete the cookie yourself or the purpose for storing the data no longer applies. Mandatory statutory retention obligations remain unaffected. You can find details at: https://apps.shopify.com/gdpr-legal-cookie.
Contact form
You have the option of contacting us via a contact form on our website. In particular, your contact details are required to contact us via this form.
The legal basis for this is the processing for the performance of a contract or pre-contractual measures pursuant to Art. 6 para. 1 lit. b GDPR. There may also be a legitimate interest in maintaining business relationships or responding to your enquiry for other reasons.
The legal basis for the processing of your data in this case would be Art. 6 para. 1 lit. f GDPR.
The data will be deleted when we have finally answered your enquiry and there are no other retention obligations to the contrary.
Contact by telephone or e-mail
We have provided a telephone number and email address on our website in accordance with legal requirements. The data transmitted via these channels is automatically stored by us in order to process corresponding enquiries or to be able to contact the person making the enquiry. We will not pass this data on to third parties without consent.
If contact is made by telephone or via our e-mail address for pre-contractual or contractual purposes, the processing of personal data is based on the legal basis of Art. 6 para. 1 lit. b GDPR. For all other forms of contact on your part, the processing of personal data by us is based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.
Presence on Instagram
Social networks process extensive amounts of your personal data. When you visit our profiles, your IP address and other information about the devices you use are processed, which makes it possible to assign IP addresses to individual users. We have no influence over this data processing. We would like to point out that you use our profiles on social networks and their functions on your own responsibility. Details on data processing can be found in the operator's privacy policy.
We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Detailed information on the handling of personal data can be found in Instagram's privacy policy: https://help.instagram.com/519522125107875.
The purpose of our profiles on social media platforms is to increase our online presence and thus raise our profile. Therefore, the legal basis is legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. Furthermore, with regard to the processing activities by the social networks, reference must be made to their own legal bases (e.g. consent pursuant to Art. 6 para. 1 lit. a GDPR), which you can find in the respective privacy policy.
In principle, we are jointly responsible with the social media platform for the data processing operations triggered when you visit our profile. You can therefore assert your data subject rights in accordance with Art. 15 et seq. of the GDPR against the social media platform as well as against us. However, we would like to point out that we have no influence on data processing by the social media platform.
Registration on the website
Visitors have the option of registering on our website. This requires the provision of personal data. Registration makes it possible to offer services or content that require specific information about you. This personal data is processed and stored exclusively for the use of the corresponding service or offer. The purpose of the processing is the fulfilment of pre-contractual services, the performance of a contract or customer care.
In principle, this data is stored for the period during which you are registered on our website. Data may be stored for longer if this is required by law.
The processing operations described above in this subsection are based on the legal basis of consent (Art. 6 para. 1 lit. a GDPR). The data subject has consented to the processing of their personal data with their voluntary, explicit and prior consent. We proceed in the same way if data subjects withdraw their consent.
If registration on the website is necessary in order to process contract-related content, we rely on the legal basis for the fulfilment of a contract pursuant to Art. 6 para. 1 lit. b GDPR.
hCaptcha
We use hCaptcha (hereinafter referred to as "hCaptcha") on this website. The provider is Intuition Machines, Inc, 2211 Selig Drive, Los Angeles, CA 90026, USA (hereinafter referred to as "IMI").
The purpose of hCaptcha is to check whether the data input on this website (e.g. in a contact form) is made by a human or by an automated programme. For this purpose, hCaptcha analyses the behaviour of the website visitor based on various characteristics.
This analysis begins automatically as soon as the website visitor enters a website with activated hCaptcha. To analyse this, hCaptcha evaluates various information (e.g. IP address, time spent on the website by the website visitor or mouse movements made by the user). The data collected during the analysis is forwarded to IMI. If hCaptcha is used in "invisible mode", the analyses run completely in the background. Website visitors are not informed that an analysis is taking place.
The data is stored and analysed on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in protecting its website from abusive automated spying and SPAM. Data processing is based on standard contractual clauses contained in the Data Processing Addendum to IMI's General Terms and Conditions or the data processing contracts.
Further information on hCaptcha can be found in the privacy policy and terms of use at the following links: https://www.hcaptcha.com/privacy and https://hcaptcha.com/terms.
The provider is certified in accordance with the EU-U.S. Data Privacy Framework and therefore offers an appropriate level of data protection.
Newsletter
If you would like to receive the newsletter offered on the website, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. No other data is collected, or only on a voluntary basis. We use this data exclusively for sending the requested information and do not pass it on to third parties.
The data entered in the newsletter registration form is processed exclusively on the basis of your consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent to the storage of the data, the e-mail address and its use for sending the newsletter at any time, for example via the "unsubscribe" link in the newsletter. The legality of the data processing operations that have already taken place remains unaffected by the cancellation.
The data you provide us with for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and deleted from the newsletter distribution list after you unsubscribe from the newsletter or after the purpose no longer applies. We reserve the right to delete or block e-mail addresses from our newsletter distribution list at our own discretion within the scope of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.
Data stored by us for other purposes remains unaffected by this.
After you unsubscribe from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist if this is necessary to prevent future mailings. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). Storage in the blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interest.
Sending newsletters to existing customers
If you order goods or services from us and enter your e-mail address, this e-mail address may subsequently be used by us to send you newsletters, provided we inform you of this in advance. In such a case, only direct advertising for our own similar goods or services will be sent via the newsletter. You can cancel the sending of this newsletter at any time. There is a corresponding link in every newsletter for this purpose. In this case, the legal basis for sending the newsletter is Art. 6 para. 1 lit. f GDPR in conjunction with Section 7 para. 3 UWG.
After you unsubscribe from the newsletter distribution list, we may store your e-mail address in a blacklist to prevent future mailings to you. The data from the blacklist will only be used for this purpose and will not be merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). Storage in the blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interest.
eCommerce
Processing of customer and contract data
We collect, process and use personal customer and contract data to establish, organise the content of and amend our contractual relationships. We collect, process and use personal data about the use of this website (usage data) only to the extent necessary to enable or charge the user for the use of the service. The legal basis for this is Art. 6 para. 1 lit. b GDPR.
The customer data collected will be deleted after completion of the order or termination of the business relationship and expiry of any existing statutory retention periods. Statutory retention periods remain unaffected.
Data transmission upon conclusion of a contract for online shops, retailers and dispatch of goods
If you order goods from us, we will pass on your personal data to the transport company entrusted with the delivery and to the payment service provider commissioned to process the payment. Only the data required by the respective service provider to fulfil its task will be disclosed. The legal basis for this is Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures. If you have given your consent in accordance with Art. 6 para. 1 lit. a GDPR, we will pass on your e-mail address to the transport company entrusted with the delivery so that it can inform you by e-mail about the dispatch status of your order; you can revoke your consent at any time.
Credit checks
In the case of a purchase on account or another payment method where we make advance payments, we may carry out a credit check (scoring). For this purpose, we transmit the data you enter (e.g. name, address, age or bank details) to a credit agency. The probability of a payment default is determined on the basis of this data. If the risk of non-payment is too high, we may refuse the type of payment in question.
The credit check is carried out on the basis of the performance of a contract (Art. 6 para. 1 lit. b GDPR) and to avoid payment defaults (legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR). If consent has been obtained, the credit check is carried out on the basis of this consent (Art. 6 para. 1 lit. GDPR); consent can be revoked at any time.
Lexware LexOffice
We use Lexoffice. The provider is Haufe-Lexware GmbH & Co KG, a company of Haufe Group SE, Munzinger Straße 9, 79111 Freiburg, Germany.
We use Lexoffice as an accounting application to fulfil all tax and accounting requirements as efficiently and effectively as possible. We therefore base the processing on Art. 6 para. 1 lit. c GDPR.
Details on data processing can be found in Lexoffice's privacy policy: https://www.lexoffice.de/datenschutz/
Payment service provider
We integrate the payment services of a company specialising in these services on our website. When you make a purchase from us, your payment details (e.g. name, payment amount, account details, credit card number) are transmitted to our payment service provider and processed by them for the purpose of payment processing. The contractual and privacy policy of the provider we have selected applies to these transactions.
The respective contractual and privacy policies of the respective providers apply to this processing. The payment service providers are used on the basis of Art. 6 para. 1 lit. b GDPR (contract processing) and in the interest of a smooth, convenient and secure payment process (Art. 6 para. 1 lit. f GDPR).
PayPal
The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter referred to as "PayPal").
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://www.paypal.com/de/webapps/mpp/ua/pocpsa-full.
For details, please refer to PayPal's privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
Shopify Payment
The provider of this payment service in the EU is Shopify International Limited, 2nd Floor Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland (hereinafter referred to as "Shopify Payment").
Details can be found in Shopify Payment's privacy policy: https://www.shopify.de/legal/datenschutz.
Status: 27.01.2025