Privacy policy

 

1) Controller

The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR) is:

formavit
Inh. Anil Winkler
Heinrichstraße 168
64287 Darmstadt
Germany
Email: winkler@formavit.de
Website: www.formavit.de


2) General Information on Legal Bases

We process personal data primarily on the following legal bases:

  • Art. 6(1)(b) GDPR (contract/initiation): e.g. orders, delivery, customer service
  • Art. 6(1)(c) GDPR (legal obligation): e.g. tax and commercial law retention requirements
  • Art. 6(1)(f) GDPR (legitimate interest): e.g. IT security, abuse prevention, technical provision, enforcement of legal claims
  • Art. 6(1)(a) GDPR (consent): e.g. web analytics, conversion tracking, remarketing, marketing

3) Cookies & Consent Management (TDDDG)

We use cookies and similar technologies to operate our online shop, enable features, and — where you have given your consent — to measure reach and conduct marketing.

Technically necessary cookies/technologies (e.g. shopping cart, language settings, checkout security) are required for the operation of the shop and are used to the extent permitted by law.

For analytics and marketing technologies (e.g. Google Analytics, conversion tracking, remarketing), we obtain your prior consent.

Legal bases:

  • Access to your device (cookies/similar technologies), where not technically necessary: § 25(1) TDDDG (consent)
  • Subsequent processing of personal data: Art. 6(1)(a) GDPR (consent)

Consent tool (initially): We currently use Shopify's "Customer Privacy" function (consent management). Through this, you can grant, decline, or revoke consent at any time with effect for the future.

(If a different tool such as Cookiebot is used later, this section will be updated accordingly.)


4) Hosting & Shop System (Shopify)

Our online shop is operated via Shopify. Shopify processes personal data as part of the shop operation (e.g. order and usage data) and may use sub-processors for this purpose.

Data processed (typically): Master data (name, address), contact data (email), order data (items, quantities, prices), payment/transaction data (depending on payment method), IP address, device/browser data, log data, communication/form data (e.g. contact form).

Purposes: Shop operation, contract processing, customer service, fraud prevention/IT security.

Legal bases: Art. 6(1)(b), (c) and (f) GDPR.


5) Orders, Customer Account, Communication

When you place an order or use a customer account, we process the necessary data for contract performance (Art. 6(1)(b) GDPR) and to fulfil legal obligations (Art. 6(1)(c) GDPR).

When you contact us by email, we process your information to handle the enquiry (Art. 6(1)(b) GDPR where contract-related, otherwise Art. 6(1)(f) GDPR — legitimate interest in communication).


6) Contact Forms / Support Requests (Shopify) and Forwarding to Google Workspace

When you contact us via a contact form (e.g. Shopify contact page), enquiry forms in the shop, or in the context of support communication, we process the information you provide (e.g. name, email address, phone number, order number, subject/message text, and any attachments) in order to process and respond to your enquiry.

Recipients / data flows: The data is generally processed in the Shopify backend and may — depending on the configuration — be forwarded to our email address. We use Google Workspace for email communication. As a result, communication data (e.g. email content and metadata) is processed via this service.

Purposes: Processing and responding to enquiries, customer service, abuse/spam prevention, documentation of communication.

Legal bases:

  • Art. 6(1)(b) GDPR (contract/initiation), where your enquiry is directed at this
  • Otherwise Art. 6(1)(f) GDPR (legitimate interest in efficient communication and support)
  • Where applicable, Art. 6(1)(c) GDPR (legal obligations)

Note: Please do not submit special categories of personal data (e.g. health data) via the contact form.


7) Payment Processing

We use payment service providers for payment processing. Depending on the payment method chosen, these may include in particular:

  • Shopify Payments (including card payments)
  • PayPal
  • Stripe
  • Klarna

Data (typically): Name, billing data, transaction data, payment data/tokens, fraud/risk data where applicable.

Purposes: Payment processing, fraud prevention, risk assessments where applicable.

Legal basis: Art. 6(1)(b) GDPR; additionally Art. 6(1)(f) GDPR (fraud prevention).

Note: Depending on the payment method, payment service providers may (in part) be independent controllers under data protection law. Their respective privacy notices also apply.


8) Shipping & Logistics

For delivery, we transmit the necessary data to shipping and logistics service providers (e.g. DHL, UPS, DPD, and freight carriers).

Data: Name, delivery address, email/phone where applicable (e.g. delivery notifications), shipment data.

Legal basis: Art. 6(1)(b) GDPR.


9) Web Analytics & Online Marketing (Consent-Based)

Where you have given your consent, we use technologies for reach measurement, advertising success measurement (conversion), and interest-based advertising (remarketing). Without consent, these technologies are not used, or only to the extent permitted by law.

Legal bases: Art. 6(1)(a) GDPR (consent) and § 25(1) TDDDG (device access).

9.1 Google (Google & YouTube Channel)

With consent, we use Google services, in particular:

  • Google Analytics 4 (web analytics)
  • Google Ads Conversion Tracking (measuring advertising success)
  • Google Ads Remarketing (interest-based advertising / retargeting)

9.2 Google Merchant Center

We use Google Merchant Center to provide product data (e.g. title, price, availability, images, product URLs) for display in Google services. This primarily involves product/shop data. Personal data may only be processed in connection with advertising/tracking functions if you have consented to this (e.g. conversion measurement/remarketing).

Legal bases:

  • Product presentation/feed management: Art. 6(1)(f) GDPR (legitimate interest in marketing/sales)
  • Tracking/remarketing: Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG (consent)

9.3 Meta (Facebook & Instagram App)

With consent, we use the Facebook & Instagram app or Meta technologies (e.g. Meta Pixel and, depending on configuration, server-side event transmission) to measure campaign success and serve advertising.

9.4 Microsoft (Microsoft Channel)

With consent, we use Microsoft Advertising technologies (e.g. UET Tag) for conversion measurement and, where applicable, remarketing.

9.5 Pinterest

If we use Pinterest technologies (e.g. Pinterest Tag) and you have given your consent, we use these for conversion measurement and, where applicable, interest-based advertising.


10) Withdrawal of Consent

You may withdraw a given consent at any time via the cookie settings (consent tool) with effect for the future.


11) Recipients / Categories of Recipients

Recipients of your data may include in particular:

  • Shopify (shop operation/hosting, including form data)
  • Google Workspace (email communication)
  • Payment service providers (Shopify Payments, PayPal, Stripe, Klarna)
  • Shipping/logistics service providers (DHL/UPS/DPD/freight carrier)
  • Analytics/marketing providers (Google; Meta; Microsoft; optionally Pinterest) — each only after consent

12) Third-Country Transfers

Depending on the service providers used, data may be transferred to third countries (e.g. outside the EU/EEA, in particular the USA). Where required, such transfers are made on the basis of appropriate safeguards (e.g. EU Standard Contractual Clauses) and/or other permissible mechanisms in accordance with the agreements with the respective providers.


13) Retention Period

We store personal data only for as long as necessary for the respective purposes. In addition, we store data in accordance with statutory retention obligations (in particular tax and commercial law obligations). Thereafter, the data is deleted or its processing is restricted.


14) Your Rights

Subject to the applicable legal requirements, you have the following rights:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw given consent (Art. 7(3) GDPR)

15) Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority in Hesse is the Hessian Commissioner for Data Protection and Freedom of Information.


16) Obligation to Provide Data

As part of the ordering process, you must provide the data required for contract performance (e.g. delivery and payment). Without this data, it is generally not possible to conclude or process a contract.


17) Automated Decision-Making / Profiling

Automated decision-making within the meaning of Art. 22 GDPR does not generally take place on our part.

Note: Payment service providers may use automated processes as part of their procedures (e.g. risk assessment); their respective information applies in this regard.


18) Status and Changes

Status: 13 February 2026

We may update this privacy policy if technical processes, services used, or the legal situation change.