Privacy Policy
Emporiqa GmbH respects your privacy and processes personal data in line with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the German Federal Data Protection Act (BDSG) and the ePrivacy Directive 2002/58/EC. This notice explains what we collect, why, how long we keep it and what rights you have.
Data controller
The data controller responsible for your personal data is:
Emporiqa GmbH
Friedrichstrasse 200, 10117 Berlin, Germany
VAT: DE123456789 | Commercial register: HRB 234567 B (Amtsgericht Berlin-Charlottenburg)
Managing director: Anna Schmidt
Email: [email protected]
Data Protection Officer
Our Data Protection Officer (DPO) can be contacted directly at [email protected] or in writing at the registered-office address above, marked "FAO: Data Protection Officer".
Categories of personal data we collect
- Identity data: first and last name, salutation, date of birth (where age verification is required)
- Contact data: billing and shipping addresses, email address, phone number
- Account data: username, securely hashed password, language and currency preferences
- Transaction data: orders, invoices, returns, payment method tokens (we never store full card numbers)
- Technical data: IP address (anonymised for analytics), browser type and version, device identifiers, time-zone settings, operating system
- Usage data: pages visited, products viewed, wishlist contents, abandoned carts
- Marketing data: communication preferences, consent records
Sources of data
We collect most personal data directly from you. We may also receive data from third parties, in particular: payment service providers (transaction outcomes, fraud-prevention scores), shipping carriers (delivery status), and our identity-verification partner for the Student Discount programme (verification result only — never your raw documents).
Lawful bases and purposes
| Purpose | Lawful basis (Art. 6 GDPR) |
| --- | --- |
| Processing and delivering your orders | Contract performance (Art. 6(1)(b)) |
| Invoicing, accounting, tax and customs | Legal obligation (Art. 6(1)(c)) |
| Fraud prevention and account security | Legitimate interest (Art. 6(1)(f)) |
| Customer support and warranty handling | Contract / Legitimate interest |
| Marketing emails and personalised offers | Consent (Art. 6(1)(a)) — withdrawable at any time |
| Analytics and service improvement | Consent / Legitimate interest |

Children's data (Art. 8 GDPR)
Our Services are not intended for children. We require users to have legal capacity to enter into a binding contract under the law of their residence, and consent for information-society services is obtained in line with the age threshold set by the relevant member state (16 in Germany, lower in some others). We do not knowingly process personal data from children below those thresholds.
Automated decision-making and profiling (Art. 22 GDPR)
We do not subject you to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on you. Where automated checks are used at checkout for fraud prevention, results that may affect your order are reviewed by a human before any final action, and you may contest the outcome by writing to [email protected]. If we ever introduce fully automated decision-making with legal or similarly significant effects, we will notify you in advance and provide opt-out and human-review mechanisms.
Retention periods
- Order, invoice and tax records: 10 years (HGB §257 / AO §147 statutory accounting retention)
- Account data: kept while the account is active; erased on deletion request, subject to legally required transaction records
- Marketing preferences: until you withdraw consent
- Server logs and security data: up to 12 months
- Customer support tickets: 36 months after closure
Recipients and sub-processors
We share data only with carefully selected processors who act on our instructions under a Data Processing Agreement. Current categories include (examples are illustrative):
- Payments: such as Stripe (card processing, EU/EEA processing entities)
- Shipping carriers: such as DHL, DPD, UPS, GLS and national post
- Analytics: such as Google Analytics 4 with IP anonymisation and EU data residency
- Transactional email: such as SendGrid (Twilio)
- Hosting and cloud infrastructure: EU-region providers
- Customer support tooling, fraud prevention and accounting software
An up-to-date sub-processor list is available on request from [email protected].
International transfers
We strive to keep data within the EU/EEA. Where transfers to third countries are necessary, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplementary safeguards such as encryption and pseudonymisation, and transfer impact assessments. Where currently relevant, transfers may also rely on adequacy decisions.
Cookies and similar technologies
Our website uses essential cookies (required for the cart, login and security) and, with your consent under the ePrivacy Directive 2002/58/EC, analytics and marketing cookies. You can review and change your preferences at any time via the Cookie settings link in the footer.
Your rights as a data subject
- Right of access (Art. 15) — request a copy of the data we hold
- Right to rectification (Art. 16) — correct inaccurate or incomplete data
- Right to erasure (Art. 17) — request deletion ("right to be forgotten")
- Right to restriction (Art. 18) — limit how we process your data
- Right to data portability (Art. 20) — receive your data in a machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interest, including profiling
- Right not to be subject to automated decisions (Art. 22) — see section above
- Right to withdraw consent at any time without affecting prior lawful processing
To exercise any of these rights, write to [email protected] or our DPO at [email protected]. We respond within one month, free of charge, in line with GDPR Article 12.
Right to lodge a complaint
You may lodge a complaint with our competent supervisory authority:
Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin Commissioner for Data Protection and Freedom of Information)
Friedrichstrasse 219, 10969 Berlin, Germany
https://www.datenschutz-berlin.de/
You may also lodge a complaint with the supervisory authority of your habitual residence, place of work or place of the alleged infringement.
Security and breach notification
We use TLS 1.2+ for all data in transit, AES-256 encryption at rest, hardware-backed key management, regular penetration testing and a least-privilege access model for our staff. In the event of a personal-data breach likely to result in a risk to the rights and freedoms of natural persons, we notify the competent supervisory authority within 72 hours (Art. 33 GDPR) and the affected data subjects without undue delay where the risk is high (Art. 34 GDPR).