Privacy policy

Controller (Art. 4(7) GDPR):

Luscaro

Laurenz Maximilian Ruf

Gerichtsweg 116

52355 Düren

Email: service@luscaro.de

Data Protection Officer: Not required by law. Please contact the controller for all data protection matters.

1. What data we process

• Order & account data: name, addresses, email, phone, ordered items, delivery & billing details.

• Payment data: processed by payment providers (e.g., Stripe, PayPal, Klarna); we receive confirmation/status, not full card details.

• Technical data: IP address, device/browser info, cookies, log files.

• Marketing & analytics (if enabled): Shopify Analytics, Google Analytics, Meta (Facebook) Pixel, email marketing (consent-based).

• Customer support: your messages, returns, warranty claims.

2. Purposes & legal bases (Art. 6(1) GDPR)

• Contract & pre-contract measures (Art. 6(1)(b)): order processing, payments, delivery, customer service.

• Legal obligations (Art. 6(1)(c)): tax, commercial retention, consumer protection.

• Legitimate interests (Art. 6(1)(f)): security, fraud prevention, improvement of services, direct marketing to existing customers (§ 7(3) UWG).

• Direct marketing without consent is limited to existing customers and only for similar products.

• Consent (Art. 6(1)(a)): newsletters, cookies/analytics/marketing (via cookie banner), optional account creation. You can withdraw consent anytime with effect for the future.

• Where Google Analytics is used, IP addresses are anonymized before processing.

3. Recipients & processors (Art. 28 GDPR)

• Shopify (host/platform) – Shopify International Ltd. / Shopify Inc.

• Payment services – Stripe Payments Europe Ltd.; PayPal (Europe) S.à r.l.; Klarna Bank AB; and similar providers you select.

• Logistics & carriers – e.g., DHL/DPD/UPS and fulfillment partners.

• IT & marketing tools – email service provider, analytics/ads (if enabled), cookie consent tool.
  With all processors we maintain data-processing agreements.

• Cookie consent is managed via a consent management platform (CMP), which records and documents consents in compliance with Art. 7 GDPR.

4. International transfers (Art. 44 et seq. GDPR)

Data may be processed outside the EU/EEA (e.g., Canada/USA). We rely on adequacy decisions (e.g., Canada) or Standard Contractual Clauses with supplementary measures. Copies of safeguards are available upon request (where not restricted by confidentiality).

5. Storage periods

We keep personal data only as long as necessary for the purposes above and statutory duties. Typical retention: commercial/tax records 6–10 years; contract data up to the end of limitation periods; marketing data until you object or withdraw consent.

6. Your rights (Art. 15–22 GDPR)

You may request access, rectification, erasure, restriction, data portability, and object to processing (Art. 21). You can withdraw consent at any time.
You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace, or the place of the alleged infringement. In Germany, see Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) or your state authority.

Competent supervisory authority:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)

Kavalleriestraße 2-4

40213

Düsseldorf

Germany

7. Obligation to provide data

Providing order data is necessary for concluding a contract; without it, we cannot process your purchase.

When using Klarna as a payment method, Klarna acts as an independent controller for its own risk and payment assessment in accordance with its privacy policy.

8. Automated decision-making / profiling

We do not use automated decision-making producing legal effects. Standard analytics/ads segmentation may occur with your consent.

9. Contact

For privacy requests, contact service@luscaro.de.

Last updated: 09.12.2025