6) Data Processing for Order Fulfillment

6.1 Submission of Image Files for Order Processing via Email
On our website, we offer customers the opportunity to request product personalization by submitting image files via email. The submitted image is used as a template for personalizing the selected product.
Customers can send one or more image files from their device's storage to us via the email address provided on the website. We collect, store, and use these submitted files solely for the purpose of creating the personalized product as described in our website's service description. If the submitted image files are forwarded to specific service providers for the purpose of creating and processing the order, you will be explicitly informed in the following paragraphs. No further transmission will occur. If the submitted files or digital images contain personal data (especially images of identifiable persons), all processing operations mentioned above are carried out solely for the purpose of fulfilling your online order in accordance with Art. 6(1)(b) GDPR. After the order has been fully processed, the submitted image files will be automatically and completely deleted.

6.2 Transmission of Data for Shipping and Payment Purposes
To the extent necessary for contract fulfillment for shipping and payment purposes, the personal data we collect will be shared with the commissioned shipping company and the authorized financial institution in accordance with Art. 6(1)(b) GDPR.
If we owe you updates for goods with digital elements or for digital products based on a corresponding contract, we will process the contact details you provided during the order process (name, address, email address) to inform you personally via suitable communication methods (e.g., by mail or email) about upcoming updates within the legally required period, in accordance with our legal information obligations pursuant to Art. 6(1)(c) GDPR. Your contact details will be used strictly for the purpose of informing you about the updates we owe you and will only be processed by us to the extent necessary for this information.
To process your order, we also work with the service provider(s) listed below, who support us in full or in part in the execution of concluded contracts. Certain personal data will be transmitted to these service providers as detailed below.

6.3 Use of Payment Service Providers (Payment Services)
- PayPal
On this website, one or more online payment methods from the following provider are available: PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.
When you select a payment method from this provider where you pay in advance, the payment data you provide during the order process (including name, address, bank and card information, currency, and transaction number) and information about the content of your order will be transmitted to the provider in accordance with Art. 6(1)(b) GDPR. The transmission of your data in this case is solely for the purpose of processing payment with the provider and only to the extent necessary for this purpose.
If you select a payment method where we provide services in advance, you will also be asked during the order process to provide certain personal data (first and last name, street, house number, postal code, city, date of birth, email address, phone number, and possibly data related to an alternative payment method).
To safeguard our legitimate interest in assessing your creditworthiness, this data will be transmitted to the provider for a credit check in accordance with Art. 6(1)(f) GDPR. The provider will assess, based on the personal data you provide as well as other data (such as shopping cart, invoice amount, order history, payment experiences), whether the payment method you selected can be granted concerning payment and/or default risks.
The credit report may include probability values (so-called score values). If score values are included in the result of the credit report, they are based on a scientifically recognized mathematical-statistical procedure. The calculation of score values may include, but is not limited to, address data.
You can object to the processing of your data at any time by notifying us or the provider. However, the provider may still be entitled to process your personal data if necessary to process payment in accordance with the contract.

- Shopify Payments
On this website, one or more online payment methods from the following provider are available: Shopify International Limited, Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland.
When you select a payment method from this provider where you pay in advance (such as credit card payment), the payment data you provide during the order process (including name, address, bank and card information, currency, and transaction number) and information about the content of your order will be transmitted to the provider in accordance with Art. 6(1)(b) GDPR. The transmission of your data in this case is solely for the purpose of processing payment with the provider and only to the extent necessary for this purpose.

7) Site Functionalities

7.1 Facebook Plugins
Our website uses plugins from the social network provided by the following company: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
These plugins allow direct interaction with content on the social network.
To enhance the protection of your data when visiting our website, the plugins are initially deactivated and integrated into the page using a so-called "2-click" or "Shariff" solution.
This integration ensures that no connection to the provider's servers is established when a page of our website containing such plugins is accessed.
Only when you activate the plugins and thereby give your consent to data transmission in accordance with Art. 6(1)(a) GDPR, will your browser establish a direct connection to the provider's servers. At this point, regardless of whether you are logged into an existing user profile, certain information about your device (including your IP address), browser, and browsing history will be transmitted to the provider and possibly further processed there.
If you are logged into an existing user profile on the provider’s social network, information about interactions performed via the plugins will also be published there and shown to your contacts.
You can revoke your consent at any time by deactivating the plugin again by clicking on it. However, the revocation will not affect data that has already been transferred to the provider.
Data may also be transmitted to: Meta Platforms Inc., USA.
We have entered into a data processing agreement with the provider to ensure the protection of our website visitors' data and to prevent unauthorized disclosure to third parties.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with European data protection standards based on an adequacy decision by the European Commission.

7.2 Instagram Plugins
Our website uses plugins from the social network provided by the following company: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
These plugins allow direct interaction with content on the social network.
To enhance the protection of your data when visiting our website, the plugins are initially deactivated and integrated into the page using a so-called "2-click" or "Shariff" solution.
This integration ensures that no connection to the provider's servers is established when a page of our website containing such plugins is accessed.
Only when you activate the plugins and thereby give your consent to data transmission in accordance with Art. 6(1)(a) GDPR, will your browser establish a direct connection to the provider's servers. At this point, regardless of whether you are logged into an existing user profile, certain information about your device (including your IP address), browser, and browsing history will be transmitted to the provider and possibly further processed there.

If you are logged into an existing user profile on the provider’s social network, information about interactions performed via the plugins will also be published there and shown to your contacts.
You can revoke your consent at any time by deactivating the plugin again by clicking on it. However, the revocation will not affect data that has already been transferred to the provider.
Data may also be transmitted to: Meta Platforms Inc., USA.
We have entered into a data processing agreement with the provider to ensure the protection of our website visitors' data and to prevent unauthorized disclosure to third parties.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with European data protection standards based on an adequacy decision by the European Commission.

8) Rights of the Data Subject

8.1 Under the applicable data protection law, you have the following rights regarding the processing of your personal data by the data controller (rights of access and intervention). The specific conditions for exercising these rights are referenced in the legal basis mentioned:

• Right of access according to Art. 15 GDPR;
• Right to rectification according to Art. 16 GDPR;
• Right to erasure according to Art. 17 GDPR;
• Right to restriction of processing according to Art. 18 GDPR;
• Right to notification according to Art. 19 GDPR;
• Right to data portability according to Art. 20 GDPR;
• Right to withdraw consent according to Art. 7(3) GDPR;
• Right to lodge a complaint according to Art. 77 GDPR.

8.2 Right to Object

IF WE PROCESS YOUR PERSONAL DATA BASED ON OUR PREDOMINANT LEGITIMATE INTEREST IN THE CONTEXT OF A BALANCING OF INTERESTS, YOU HAVE THE RIGHT TO OBJECT TO THIS PROCESSING AT ANY TIME FOR REASONS ARISING FROM YOUR PARTICULAR SITUATION, WITH EFFECT FOR THE FUTURE.

IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL CEASE PROCESSING THE AFFECTED DATA. HOWEVER, FURTHER PROCESSING IS RESERVED IF WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS, OR IF THE PROCESSING IS FOR THE ESTABLISHMENT, EXERCISE, OR DEFENSE OF LEGAL CLAIMS.

IF YOUR PERSONAL DATA IS PROCESSED BY US FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR SUCH MARKETING PURPOSES. YOU CAN EXERCISE THE RIGHT TO OBJECT AS DESCRIBED ABOVE.

IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE AFFECTED DATA FOR DIRECT MARKETING PURPOSES.

9) Duration of Storage of Personal Data

The duration of the storage of personal data is determined based on the applicable legal basis, the purpose of the processing, and—if relevant—based on the statutory retention periods (e.g., commercial and tax-related retention periods).

When processing personal data based on explicit consent according to Art. 6(1)(a) GDPR, the data concerned will be stored until you withdraw your consent.

If statutory retention periods apply to data processed within the framework of contractual or quasi-contractual obligations on the basis of Art. 6(1)(b) GDPR, such data will be routinely deleted after the retention periods have expired, provided that the data is no longer necessary for contract fulfillment or initiation and/or if there is no legitimate interest on our part in continuing to store it.

When processing personal data based on Art. 6(1)(f) GDPR, such data will be stored until you exercise your right to object according to Art. 21(1) GDPR unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defense of legal claims.

When processing personal data for direct marketing purposes based on Art. 6(1)(f) GDPR, such data will be stored until you exercise your right to object according to Art. 21(2) GDPR.

Unless otherwise specified in the other information in this declaration regarding specific processing situations, stored personal data will be deleted when it is no longer necessary for the purposes for which it was collected or otherwise processed.