Privacy policy
Privacy Policy
Last updated: 10 June 2026
This privacy policy explains how we process personal data when you use our website and online shop, and informs you about your rights under the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). As we offer our products worldwide, this policy contains additional information at the end for users in Switzerland, the United Kingdom, the USA (including California) and other regions.
1. Controller
The controller within the meaning of the GDPR and other data protection provisions is:
Poudreuce GmbH
Borsigstraße 7
30916 Isernhagen
Germany
Represented by the Managing Director: Cem Polat
Register court: Amtsgericht Hannover (Local Court of Hannover)
Registration number: HRB 228044
VAT ID: DE450425835
Email (data protection): partners@poudreuce.com
Email (customer service): support@poudreuce.com
Phone: to follow shortly
Website: www.poudreuce.com
Data Protection Officer
We are not legally required to appoint a data protection officer and have not appointed one. For any questions regarding data protection or to exercise your rights, please contact us using the details above.
2. General Information on Data Processing
2.1 Definition of personal data
Personal data means any information relating to an identified or identifiable natural person (e.g. name, address, email address, IP address). Anonymised data that does not allow any conclusions to be drawn about your identity is not considered personal data.
2.2 Legal bases for processing – overview
Where we obtain your consent for processing operations, Art. 6(1)(a) GDPR serves as the legal basis. For processing necessary to perform a contract or to take pre-contractual steps, Art. 6(1)(b) GDPR applies. Processing required to comply with a legal obligation is based on Art. 6(1)(c) GDPR. Where processing is necessary to safeguard our legitimate interests or those of a third party, and your interests, fundamental rights and freedoms do not override these, Art. 6(1)(f) GDPR serves as the legal basis.
The storage of cookies and access to information on your device — unless strictly necessary — is based on your consent pursuant to Section 25(1) TDDDG (German Digital Services Data Protection Act); strictly necessary storage and access operations are based on Section 25(2) TDDDG.
3. Hosting and Provision of the Website (Shopify)
Our website and online shop are operated on the Shopify e-commerce platform. The provider is Shopify International Limited (Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland) and Shopify Inc. (151 O'Connor Street, Ground floor, Ottawa, Ontario, K2P 2L8, Canada).
Shopify collects and processes personal data on our behalf in connection with access to and use of our shop (in particular order, customer, payment and usage data as well as server log data). In addition, Shopify uses certain data as a controller in its own right to provide, secure and improve the platform. For details, please see Shopify's privacy policy: https://www.shopify.com/legal/privacy/consumers
Legal basis: Art. 6(1)(b) GDPR (initiation and performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in a secure and efficient provision of our online offering). We have concluded a data processing agreement with Shopify pursuant to Art. 28 GDPR.
Server log files
Each time the website is accessed, information is automatically collected and stored in server log files. This includes in particular: IP address, date and time of access, page/file accessed, volume of data transferred, notification of successful retrieval, browser type and version, operating system, and the previously visited page (referrer). This data is technically necessary for the operation, security and stability of the website.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in error-free and secure provision of the website and in defending against attacks).
4. Cookies and Consent Management
Our website uses cookies and comparable technologies (e.g. pixels, local storage). Cookies are small text files stored on your device. Some cookies are technically necessary to provide core functions (e.g. shopping cart, login, security and consent functions). Other cookies are used for analytics, additional functionality, or marketing and tracking purposes.
For cookies and technologies that are not technically necessary, we obtain your consent via the Shopify cookie consent banner before they are set or triggered. You can access and change or withdraw your settings at any time with effect for the future via the consent banner or the cookie settings on our website. A detailed overview of the cookies and technologies used can be found in the consent tool on our website.
Legal basis: for technically necessary cookies, Section 25(2) TDDDG in conjunction with Art. 6(1)(f) GDPR; for all other cookies and technologies, your consent pursuant to Section 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR.
5. What Data We Process
Depending on how you use our services, we process the following categories of personal data:
- Contact data: name, billing and delivery address, email address, phone number.
- Contract and order data: items ordered, configurations, order number, order history, returns and cancellations.
- Payment data: payment method, payment status, and payment information processed via the payment service provider (full card details are processed exclusively by the payment service provider and are not stored by us).
- Credit and risk data: information on creditworthiness provided by payment service providers or credit agencies in the context of certain payment methods, including score values.
- Fraud and security check data: e.g. device and transaction characteristics used to detect abusive activity.
- Account data: username, password (encrypted), account settings.
- Communication data: the content of your enquiries to our customer service.
- Data for international deliveries: information required for export, import and customs clearance (e.g. identification or tax numbers where required by the country of destination).
- Usage and device data: IP address, device and browser information, interactions with the website, cookie IDs.
6. Purposes of Processing in Detail
6.1 Contract performance and orders
To process your order, we process your contact, contract and payment data. This includes performing the purchase contract, processing payments, shipping, invoicing, and handling returns, exchanges and warranty claims.
Legal basis: Art. 6(1)(b) GDPR. Where retention is required for tax and commercial law purposes, additionally Art. 6(1)(c) GDPR.
6.2 Customer account
You can create a customer account with us. In doing so, we process the data you provide in order to enable you to manage your orders, addresses and settings. You can delete your account at any time.
Legal basis: Art. 6(1)(b) GDPR or Art. 6(1)(a) GDPR where the account is created voluntarily.
6.3 Payment processing
We use external payment service providers to process payments. Depending on the payment method you choose, the data required for this is transmitted to the respective provider. The services used include in particular Shopify Payments (including Shop Pay), Klarna, PayPal, Apple Pay, Google Pay, as well as card payments (Visa, Mastercard, American Express) and EPS. The payment service providers are partly independently responsible for the data they process; for details, please refer to their privacy notices.
Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (fraud prevention and secure payment processing).
6.4 Credit assessment for certain payment methods
When you select certain payment methods – in particular purchase on account or instalment payment, for example via Klarna – the payment service provider may carry out an identity and credit assessment before the contract is concluded. For this purpose, the required data (e.g. name, address, date of birth, order and payment data) is transmitted to credit agencies, and the payment service provider receives information on creditworthiness, including probability (score) values based on mathematical-statistical methods. The check serves to protect against payment defaults and to enable the payment method you have chosen. The respective payment service provider is generally independently responsible for this; the credit agencies used and further details can be found in its privacy notices.
Legal basis: Art. 6(1)(b) GDPR (performance of the contract and pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in protection against payment defaults).
6.5 Security and fraud prevention
We process personal data in order to protect your account and our systems, ensure a secure payment and shopping experience, and detect, investigate and prevent possible fraudulent, abusive or unlawful activities. This includes in particular checking orders for indications of payment fraud, identity misuse, automated orders or misuse of discount codes. Shopify and the payment service providers used may also carry out risk assessments for this purpose.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security and fraud prevention) and Art. 6(1)(c) GDPR, insofar as legal obligations exist.
6.6 Shipping and logistics
To deliver your order, we pass on the necessary address and, where applicable, contact data to the commissioned shipping and logistics company (e.g. parcel services as well as forwarding agents for the delivery of large furniture items). For forwarding deliveries, transmission of your telephone number or email address to the logistics company may be necessary for scheduling.
Legal basis: Art. 6(1)(b) GDPR.
6.7 International deliveries and customs clearance
For deliveries to countries outside the European Union, we or the commissioned shipping and logistics company pass on the data required for export, import and customs clearance – in particular name, delivery address, contact data, information on the goods and, where applicable, required identification or tax numbers – to transport and logistics service providers, customs agents and customs and tax authorities in the country of destination. This may involve a transfer to third countries (see Section 12).
Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (compliance with customs and import law obligations).
6.8 Customer service and communication
When you contact us, we process the information you provide in order to handle your request.
Legal basis: Art. 6(1)(b) GDPR for contract-related enquiries, otherwise Art. 6(1)(f) GDPR (efficient handling of enquiries).
6.9 Reviews
Where you submit product reviews, we process the data provided for this purpose in order to publish the review.
Legal basis: Art. 6(1)(a) GDPR (consent) or Art. 6(1)(f) GDPR.
6.10 Configurator
When you use our product configurator, we store and process the customer data you provide as well as the configuration options you select (your individual product combination). This serves to display and store the configuration result, make it available to you again where required, and enable you to place an order on this basis.
Legal basis: Art. 6(1)(b) GDPR (performance of pre-contractual measures and contract performance). Where you use the configurator without a specific intention to purchase, we base the processing on Art. 6(1)(f) GDPR (legitimate interest in providing and improving this function).
7. Newsletter and Email Marketing
If you subscribe to our newsletter, we process your email address and, where applicable, other data you voluntarily provide, in order to send you information about products, collections and offers. For distribution, we use Klaviyo (Klaviyo, Inc., 125 Summer Street, Boston, MA 02110, USA) and Shopify Email.
Subscription takes place via the double opt-in procedure: after you subscribe, you will receive an email asking you to confirm. We only send the newsletter after confirmation. We log the subscription in order to be able to demonstrate the sign-up process (in particular the time of subscription and confirmation as well as the IP address). We also measure whether and how newsletters are opened and which links are clicked, in order to optimise the newsletter.
You can unsubscribe at any time via the unsubscribe link in every email or by contacting us. Unsubscribing withdraws your consent.
Legal basis: Art. 6(1)(a) GDPR (consent). We have a data processing agreement with Klaviyo pursuant to Art. 28 GDPR.
8. Web Analytics
8.1 Shopify Analytics
We use the analytics functions integrated into the Shopify platform to evaluate the use of our shop and to improve our offering.
Legal basis: Art. 6(1)(a) GDPR (consent via the consent banner), unless technically necessary; otherwise Art. 6(1)(f) GDPR.
8.2 Google Analytics 4
We use Google Analytics 4, a web analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Google Analytics uses cookies and similar technologies to analyse the use of the website (e.g. pages visited, time spent, approximate location, device). The information collected may be transferred to Google servers, including in the USA. IP addresses are truncated by Google Analytics 4 and are not permanently stored.
Legal basis: Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG (consent). You can withdraw your consent at any time via the cookie settings.
9. Advertising and Tracking Pixels
To market our products and to display interest-based advertising, we use the following services and pixels — exclusively with your consent. In doing so, information about your usage behaviour (e.g. pages visited, products added to the cart or purchased) is collected and transmitted to the respective providers, who may also use it across devices and websites for advertising and reach measurement purposes. A transfer to the USA is possible in this context.
- Meta Pixel (Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland) – for advertising on Facebook and Instagram.
- TikTok Pixel (TikTok Technology Limited, 10 Earlsfort Terrace, Dublin 2, Ireland) – for advertising on TikTok.
- Google Ads (Google Ireland Limited) – for advertising and conversion measurement within the Google advertising network.
- Pinterest Tag (Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland) – for advertising on Pinterest.
These services may combine your data with other data held by the providers. With regard to joint controllership and further processing, the privacy notices of the respective providers apply.
Legal basis: Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG (consent). You can withdraw your consent at any time with effect for the future via the cookie settings.
10. Social Media Presence
We maintain our own profiles on social networks, including Instagram, TikTok, Facebook (Meta) and Pinterest. When you visit these profiles or interact with them, the respective providers process your data in accordance with their own privacy policies. When you access our profiles, there is, in part, joint controllership pursuant to Art. 26 GDPR between us and the respective provider with regard to the processing of statistical and interaction data.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in external presentation and communication). We have only limited influence over the data processing carried out by the platform operators.
11. Recipients and Processors
Within our company, only those departments that require your data to fulfil the purposes described above have access to it. In addition, we pass on data to the following categories of recipients:
- hosting and platform providers (Shopify),
- payment service providers and – for certain payment methods – credit agencies,
- shipping and logistics companies, customs agents, and customs and tax authorities in the country of destination,
- providers of analytics and marketing services,
- IT, hosting and email service providers,
- where necessary, debt collection service providers, legal and tax advisors, as well as authorities and courts within the framework of legal obligations.
Where these service providers process data on our behalf, we have concluded data processing agreements with them pursuant to Art. 28 GDPR. Disclosure to authorities or courts only takes place within the framework of legal obligations.
12. Transfers to Third Countries
As we offer our products worldwide and use service providers based or with servers outside the EU/EEA — in particular in the USA — your personal data may be transferred to third countries. This concerns in particular hosting, analytics, marketing and payment services as well as the handling of international deliveries.
Where an adequacy decision of the EU Commission exists (such as the EU-US Data Privacy Framework for correspondingly certified US companies), the transfer is carried out on this basis. In all other cases, we base the transfer on appropriate safeguards, in particular the Standard Contractual Clauses of the EU Commission pursuant to Art. 46(2)(c) GDPR, supplemented where necessary by additional protective measures, or on your explicit consent pursuant to Art. 49(1)(a) GDPR. When handling international deliveries, a transfer to authorities of the country of destination may also be necessary for contract performance or due to legal requirements (Art. 49(1)(b) and (e) GDPR). You can request a copy of the safeguards using the contact details above.
Please note that third countries such as the USA may not have a level of data protection comparable to EU law, and access by government authorities cannot be ruled out.
13. Retention Period
We process and store your personal data only for as long as is necessary for the respective purposes or as long as statutory retention obligations exist. After that, the data is deleted.
- Order and contract data is stored for the duration of the business relationship and within statutory retention periods.
- Statutory retention periods apply to documents relevant under tax and commercial law (accounting records generally 8 years, other business documents and commercial letters generally 6 years, pursuant to Section 257 HGB and Section 147 AO).
- Customer account data is stored until the account is deleted.
- Data for fraud and credit assessment is stored only for as long as necessary for the respective purpose or to comply with legal obligations.
- For consent-based processing (e.g. newsletter, marketing), we store the data until consent is withdrawn.
14. Your Rights
You have the following rights with regard to your personal data:
- Access (Art. 15 GDPR) to the data stored about you.
- Rectification (Art. 16 GDPR) of inaccurate or incomplete data.
- Erasure (Art. 17 GDPR), provided no statutory retention obligations prevent this.
- Restriction of processing (Art. 18 GDPR).
- Data portability (Art. 20 GDPR).
- Withdrawal of consent (Art. 7(3) GDPR) with effect for the future; the lawfulness of processing carried out up to the point of withdrawal remains unaffected.
- Lodging a complaint with a supervisory authority (Art. 77 GDPR).
Right to object (Art. 21 GDPR)
You have the right, on grounds relating to your particular situation, to object at any time to the processing of your personal data carried out on the basis of Art. 6(1)(f) GDPR. Where we process your data for direct marketing purposes, you have the right to object to this processing at any time; following an objection, we will no longer process your data for direct marketing purposes.
Competent supervisory authority
The supervisory authority responsible for us is:
The State Commissioner for Data Protection of Lower Saxony (Die Landesbeauftragte für den Datenschutz Niedersachsen)
Prinzenstraße 5, 30159 Hannover, Germany
Notwithstanding this, you may also contact the supervisory authority of your usual place of residence.
15. Obligation to Provide Data
The provision of certain personal data is necessary for the conclusion and performance of a contract (e.g. name, delivery and billing address, payment data and – for international deliveries – any information required under customs law). Without this information, we cannot conclude or perform the contract. All other information (e.g. newsletter subscription) is provided voluntarily.
16. Automated Decisions, Credit Scoring and Profiling
We ourselves do not carry out any solely automated decision-making producing legal effects or similarly significant effects within the meaning of Art. 22 GDPR. Where you select a payment method for which the payment service provider (e.g. Klarna) carries out a credit or risk assessment, that provider may, within its own responsibility, use automated procedures including scoring and decide on this basis whether to offer the respective payment method. The respective payment service provider informs you about the logic, the significance and your related rights in its privacy notices.
To display interest-based advertising, we create usage profiles exclusively on the basis of your consent (see Section 9); these have no legal effect on you.
17. Data Security
We take appropriate technical and organisational measures to protect your data against unauthorised access, loss or manipulation, in particular encrypted data transmission (TLS/SSL). Please note that no security measure can guarantee complete protection.
18. Children's Data
Our services are not directed at children. We do not knowingly collect personal data from persons who are minors under the law applicable to them (in Germany generally persons under 16 years of age). If we become aware that a child has provided us with personal data without the required consent of a parent or guardian, we will delete this data. Parents or guardians can contact us using the contact details above.
19. Special Information for Users in Switzerland
Where the Swiss Federal Act on Data Protection (revFADP) applies, the above provisions apply accordingly, with the following modifications: the term "personal data" corresponds to "personal data" within the meaning of the revFADP. Instead of the competent EU supervisory authority, you may contact the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland. For transfers of data abroad, we rely on the safeguards recognised under the revFADP.
20. Special Information for Users in the United Kingdom
Where the UK GDPR and the Data Protection Act 2018 apply, the above rights apply accordingly. The competent supervisory authority is the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. We base transfers of data out of the United Kingdom on the transfer mechanisms recognised there (in particular the UK International Data Transfer Agreement / Addendum).
21. Special Information for Users in the USA (including California)
This information applies additionally to residents of US states with applicable data protection laws, in particular California (California Consumer Privacy Act as amended by the California Privacy Rights Act, "CCPA/CPRA") as well as comparable laws of other states (e.g. Virginia, Colorado, Connecticut, Utah, Texas).
Categories of personal information. We collect the categories listed in Section 5, including identifiers (e.g. name, address, email), commercial and transaction data, internet or network activity (e.g. interactions with the website), and approximate location data.
"Sale" and "Sharing". We do not sell your personal information for money in the traditional sense. However, through the use of advertising and tracking services (see Section 9), data may be shared for targeted or cross-context behavioural advertising, which qualifies as a "sale" or "sharing" under California law. You can opt out by rejecting non-essential cookies and advertising services via our consent banner, or by using a Global Privacy Control (GPC) signal of your browser, which we treat as an opt-out.
Your rights. Subject to applicable law, you have the right to (i) know which personal information we collect, use and disclose, (ii) access this data, (iii) request its deletion, (iv) request its correction, (v) opt out of the "sale"/"sharing", and (vi) limit the use of sensitive personal information. We will not discriminate against you for exercising these rights.
Exercising your rights. You can exercise your rights using the contact details above. You may designate an authorised agent; we may require identity verification to process a request. If we deny a request, you may appeal in accordance with applicable law.
22. Information for Users in Other Countries
Depending on your place of residence, you may have additional or different rights under local law. Where a national data protection law applicable to you deviates from the GDPR, we observe the respective mandatory requirements. For requests regarding your rights, please contact us using the contact details above.
23. Validity and Amendment of this Privacy Policy
This privacy policy is currently valid and dated as stated above. We reserve the right to amend it in order to adapt it to changes in the legal situation or to changes in our services and data processing. The current version is available on this website at any time.
