Privacy Policy

1) Introduction & Contact Information of the Responsible Party

1.1
Thank you so much for stopping by – we appreciate your interest!
In this section, we’ll walk you through how your personal data is handled when you use our website.
"Personal data" refers to any information that can be used to identify you personally.

1.2
The person responsible for data processing on this website, in accordance with the General Data Protection Regulation (GDPR), is:

‍Nora Christiansen
Ulristraße 4a
86836 Untermeitingen
Germany
Email: nora@get-creative.art

The "responsible party" is the individual or legal entity who decides – alone or together with others – how and why personal data is processed.

‍

2) Data Collection When Visiting Our Website

2.1
If you're just browsing our website without registering or actively sending us information, we only collect the data your browser automatically transmits to our server – known as “server log files”.
These are necessary to display the site properly and to ensure it runs smoothly and securely.

Here’s what we automatically collect when you visit our site:

• The specific page(s) you visited
• Date and time of access
• Amount of data transferred (in bytes)
• The source or referring page from which you accessed our site
• Your browser type
• Your operating system
• Your IP address (possibly in anonymized form)

This data processing is based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in improving the stability and functionality of our website.
We do not share this data or use it for any other purpose.
However, we reserve the right to check these server logs later if there are specific indications of unlawful use.

‍

2.2
For security reasons and to protect the transmission of personal data and other confidential content (such as orders or contact requests), this website uses SSL or TLS encryption.

You’ll recognize a secure connection by the "https://" in your browser's address bar – and the little padlock symbol next to it.

‍

‍

3) Hosting & Content Delivery Network (CDN)

3.1 Webflow
We use the platform Webflow to host our website and display its content.
Provider details: Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA.

All data collected on our website is processed on Webflow's servers. We've signed a Data Processing Agreement (DPA) with Webflow to ensure your data is protected and not shared with third parties without permission.

Webflow participates in the EU-US Data Privacy Framework, which – based on the European Commission's adequacy decision – ensures that data transfers to the USA meet EU data protection standards.

‍

‍

4) Cookies

To make your experience on our website more enjoyable and to enable certain features, we use cookies – small text files that are stored on your device.

Some of these cookies are automatically deleted when you close your browser (so-called session cookies). Others stay on your device for a bit longer and help remember your settings or preferences (known as persistent cookies).
You can check your browser’s cookie settings to see how long each one is stored.

If any personal data is processed through these cookies, this happens either:

• based on Art. 6 para. 1 lit. b GDPR – to fulfill a contract,
• based on Art. 6 para. 1 lit. a GDPR – if you've given your consent, or
• based on Art. 6 para. 1 lit. f GDPR – to protect our legitimate interest in offering a smooth, user-friendly website experience.

Of course, you’re in control:
You can adjust your browser settings so that you're notified whenever cookies are being used – and decide individually whether to allow them, block them in specific cases, or disable them altogether.

Just a heads-up: if you choose to disable cookies, some features on our website might not work as intended.

‍

‍

5) Contacting Us

5.1 Review Reminder
If you've given us your explicit consent in accordance with Art. 6 para. 1 lit. a GDPR, we may use your email address once to remind you to leave a review for your order.
You can revoke your consent at any time by contacting the data controller.

5.2 Zeeg – Appointment Booking Tool
To provide a simple way for you to book appointments online, we use a service provided by:
Zeeg GmbH, Friedrichstraße 114A, 10117 Berlin, Germany

When you book a time slot, we collect your first and last name and your email address (optionally your phone number if you book a call) in accordance with Art. 6 para. 1 lit. b GDPR. These details are shared with Zeeg based on our legitimate interest in efficient scheduling and customer support (Art. 6 para. 1 lit. f GDPR).

Your data is deleted by Zeeg once the appointment has taken place or the scheduled time frame has expired.
We have a Data Processing Agreement (DPA) with Zeeg to ensure your data is protected and not passed on to unauthorized third parties.

5.3 WhatsApp Business
You can reach out to us using WhatsApp Business, operated by:
WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

If you contact us via WhatsApp in relation to a specific transaction (e.g. an order), we’ll use your mobile number and, if provided, your name to respond, in accordance with Art. 6 para. 1 lit. b GDPR.
We may also ask for additional info (e.g. order number, customer ID, address, email) to help process your request.

For general inquiries (about availability, services, etc.), we may process your phone number and name (if given) under Art. 6 para. 1 lit. f GDPR, based on our legitimate interest in fast and efficient communication.

Your data will only be used to reply via WhatsApp – never shared with third parties.

⚠️ Please note: WhatsApp Business gets access to the address book of the device used. Phone numbers stored there are transferred to WhatsApp servers (Meta Platforms Inc.) in the USA.
We make sure that only contacts who have actively reached out to us on WhatsApp are stored in this address book. This ensures all contacts have already given consent to WhatsApp under Art. 6 para. 1 lit. a GDPR.

For details on how WhatsApp handles your data, check their privacy policy:
👉 https://www.whatsapp.com/legal/?eea=1#privacy-policy

We also have a DPA with WhatsApp to protect your data and prevent any unauthorized sharing.
WhatsApp/Meta participates in the EU-US Data Privacy Framework, which ensures compliance with EU privacy standards.

5.4 Contact Form & Email
If you contact us (e.g. via contact form or email), personal data will be collected. The exact data depends on the form used.
We only process this data to respond to your request and manage any related technical communication.

This processing is based on our legitimate interest in replying to your inquiries (Art. 6 para. 1 lit. f GDPR).
If your request is related to a contract, Art. 6 para. 1 lit. b GDPR also applies.

Your data will be deleted once your request is resolved – unless legal retention periods apply.

‍

6) Web Analytics Services

6.1 Google Analytics 4
This website uses Google Analytics 4, a service by:
Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland
to analyze how users interact with our site.

By default, Google Analytics 4 sets cookies when you visit the website. These small files are stored on your device and collect various info – including your IP address, which Google shortens by default to remove direct personal reference.

The data may be processed on servers in the US by Google LLC.

Google processes this data on our behalf to provide insights into site usage, generate activity reports, and offer additional services related to web usage.
The shortened IP address is never combined with other Google data.

All Google Analytics 4 data is stored for 2 months, then deleted.

⚠️ These processes – especially the use of cookies – only happen with your explicit consent under Art. 6 para. 1 lit. a GDPR.
If you don’t give consent, Google Analytics will not be activated during your visit.

You can revoke your consent anytime via our Cookie-Consent-Tool.

We have a DPA with Google to secure your data and prevent unauthorized sharing.
Google is part of the EU-US Data Privacy Framework.

For more info:

• https://business.safety.google/intl/de/privacy/
• https://policies.google.com/privacy?hl=de&gl=de
• https://policies.google.com/technologies/partner-sites

Demographics Feature
Google Analytics 4 may use the "demographics" feature to create anonymous stats on the age, gender, and interests of visitors. This data is collected via third-party sources and ads – and can’t be linked to specific individuals. Data is deleted after 2 months.

Google Signals
We may also use Google Signals – a feature that enables cross-device reports (if you’ve activated personalized ads and linked your devices to your Google account).
With your consent under Art. 6 para. 1 lit. a GDPR, Google can analyze how you interact with the site across different devices and provide aggregated, anonymous stats.
You can turn this off anytime by disabling personalized ads in your Google account:
👉 https://support.google.com/ads/answer/2662922?hl=de

More info on Google Signals:
👉 https://support.google.com/analytics/answer/7532985?hl=de

UserIDs
If you’ve created an account on our site and use it across devices, and if you’ve given consent for Google Analytics 4 (Art. 6 para. 1 lit. a GDPR), we may use the UserID feature to track activity across sessions and devices. Again – no personal data is visible to us.

Google LLC is part of the EU-US Data Privacy Framework, which ensures secure data transfers.

‍

6.2 Google Tag Manager
We use the Google Tag Manager, provided by:
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

This tool helps us manage and trigger different web tools (like analytics or tracking) via one simple interface.
The Tag Manager itself does not store or access data on your device, nor does it perform any analysis.
However, your IP address may be transmitted to Google servers – including in the USA.

This processing happens only with your consent under Art. 6 para. 1 lit. a GDPR.
No consent = no Google Tag Manager during your visit. You can change your settings anytime via the Cookie-Consent-Tool.

We’ve signed a DPA with Google to ensure data protection and prevent unauthorized sharing.
Google is part of the EU-US Data Privacy Framework.

More info:

• https://business.safety.google/intl/de/privacy/
• https://policies.google.com/privacy?hl=de&gl=de

‍

7) Website Features & Tools

7.1 YouTube
Our website uses plugins to display and play videos provided by:
Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland
Data may also be transferred to: Google LLC, USA

When you visit a page with a YouTube plugin, your browser connects directly to Google’s servers to load the video. This automatically transfers certain information (including your IP address) to the provider.

If you play an embedded video, YouTube may set cookies to collect data on how you use the video, generate viewing stats, or prevent abuse.

If you’re logged into your Google account at the time, YouTube may link your viewing activity to your account. Don’t want that? Simply log out before clicking play.

All this only happens if you’ve actively given consent under Art. 6 para. 1 lit. a GDPR. You can withdraw your consent at any time via our cookie settings tool.

Google is part of the EU-US Data Privacy Framework, which ensures adequate protection for data transfers to the US.

‍

7.2 Google Customer Reviews
We partner with Google Customer Reviews, operated by Google Ireland Limited.
After making a purchase, you may be invited (with your consent under Art. 6 para. 1 lit. a GDPR) to take part in a short survey about your shopping experience.

If you agree, we’ll share your email address with Google, who will then contact you for a review. Your rating may appear publicly with our Google badge, in our Merchant Center, or in Google Seller Ratings.

Some data may be transferred to Google LLC in the US.
Google is part of the EU-US Data Privacy Framework.

More details on how Google protects your data:
👉 https://business.safety.google/intl/de/privacy/

‍

7.3 Make (Celonis)
To connect and automate certain backend systems, we use the service "Make" provided by:
Celonis, Inc., One World Trade Center, 87th Floor, New York, NY 10007, USA

This helps us streamline and manage internal workflows more efficiently.
If personal data is processed, this is based on our legitimate interest in optimizing internal processes (Art. 6 para. 1 lit. f GDPR).
A DPA ensures your data is protected and not shared unlawfully.

Celonis participates in the EU-US Data Privacy Framework, guaranteeing GDPR-level data protection.

‍

7.4 Google Meet
For online meetings, webinars, and video calls, we use Google Meet, provided by Google Ireland Limited.
In some cases, data may also be processed by Google LLC, USA.

What data is processed depends on what you choose to share before or during the session – this can include name, email, IP address, device info, and of course, any video, audio or chat content you provide.

If data is needed to fulfill or prepare a contract, we process it based on Art. 6 para. 1 lit. b GDPR. Otherwise, processing is based either on your consent (Art. 6 para. 1 lit. a GDPR) or our legitimate interest in running effective online sessions (Art. 6 para. 1 lit. f GDPR).
You can withdraw your consent at any time.

We’ve signed a DPA with Google to ensure proper data protection. Google is also part of the EU-US Data Privacy Framework.

More info:
👉 https://business.safety.google/intl/de/privacy/

‍

7.5 Microsoft Teams
For video calls and webinars, we also use Microsoft Teams, provided by:
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA

The data collected depends on what you share – e.g., login info (name, email), device details, IP address, and any audio/video/chat content you submit.

Data is processed:

• for contract-related purposes under Art. 6 para. 1 lit. b GDPR,
• with your consent (Art. 6 para. 1 lit. a GDPR),
• or based on our legitimate interest in efficient online communication (Art. 6 para. 1 lit. f GDPR).

A DPA ensures your data is handled securely.
Microsoft is part of the EU-US Data Privacy Framework.

‍

7.6 Zoom
We also use Zoom for video calls and webinars:
Zoom Video Communications Inc., 55 Almaden Blvd, Suite 600, San Jose, CA 95113, USA

Similar to the other tools, data like your name, email, IP address, and session details may be processed – including any audio/video/chat interactions.

Processing follows:

• Art. 6 para. 1 lit. b GDPR for contract fulfillment,
• Art. 6 para. 1 lit. a GDPR with your consent (which you can revoke at any time),
• and Art. 6 para. 1 lit. f GDPR for legitimate interests in running the meeting effectively.

Zoom is part of the EU-US Data Privacy Framework, and we’ve secured a DPA to protect your data.

‍

8) Cookie Consent Tool
We use a cookie consent tool to manage your preferences for all cookies and services that require consent.

When you visit our site, you'll see an interactive panel where you can accept or decline specific cookie types by ticking boxes. Only cookies you’ve agreed to will be activated.

Technically required cookies are used to store your preferences – these do not process personal data by default.
If personal data (e.g., IP address) is processed for logging or assigning cookie choices, it’s done under Art. 6 para. 1 lit. f GDPR based on our legitimate interest in legally compliant consent handling.
Additionally, Art. 6 para. 1 lit. c GDPR applies due to our legal obligation to get your consent for non-essential cookies.

Where necessary, we have a DPA in place with the consent tool provider.
You can find all relevant info and settings directly within the consent interface on our site.

‍

‍

9) Your Rights as a Data Subject
Under GDPR, you have the following rights in relation to your personal data:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restrict processing (Art. 18 GDPR)
• Right to be informed (Art. 19 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to withdraw consent (Art. 7 para. 3 GDPR)
• Right to lodge a complaint (Art. 77 GDPR)

‍

‍9.2 Right to Object

If we process your personal data based on our legitimate interest (Art. 6 para. 1 lit. f GDPR), you can object at any time for reasons arising from your particular situation.
If you do, we’ll stop processing your data unless we can prove compelling legitimate grounds that override your interests – or we need the data to establish, exercise or defend legal claims.

If your data is used for direct marketing, you can object at any time – and we’ll stop using your data for this purpose immediately.

‍

‍

10) How Long We Store Your Data
The storage period for personal data depends on the legal basis, purpose of processing, and (if applicable) legal retention requirements.

• If data is processed based on your consent (Art. 6 para. 1 lit. a GDPR), we keep it until you withdraw your consent.
• If data is required for a contract (Art. 6 para. 1 lit. b GDPR) and legal retention applies, we delete it after the retention period, unless we still need it for the contract or legal reasons.
• If data is processed based on legitimate interest (Art. 6 para. 1 lit. f GDPR), it stays stored until you object – unless we can show stronger legal grounds.

In all other cases, data will be deleted as soon as it’s no longer needed for the original purpose.

‍

‍