Privacy policy
Privacy Policy for the Online Shop of LEFTLANE GmbH
This privacy policy explains which personal data is collected on our website and for which purposes it is used.
I. Name and Address of the Controller
The controller within the meaning of the General Data Protection Regulation (“GDPR”) and other national data protection laws of the Member States as well as other data protection regulations is:
LEFTLANE GmbH
Wolnhofen 6a
85084 Reichertshofen
Germany
Email: support@leftlane-shop.de
Website: www.leftlane-shop.de
II. General Information on Data Processing on Our Website
1. Description and scope of the processing of personal data
The processing of personal data of our users is carried out only to the extent necessary to provide our website, its content, and services. Where required by law, processing will only take place with the consent of the user. Exceptions apply where processing is otherwise permitted by statutory provisions.
2. Legal basis for the processing of personal data
Where processing is based on consent, we rely on Art. 6 (1) (a) GDPR or, for special categories of data, Art. 9 (2) (a) GDPR. If processing is necessary for the performance of a contract or pre-contractual measures, Art. 6 (1) (b) GDPR applies. We also process personal data where necessary to comply with a legal obligation pursuant to Art. 6 (1) (c) GDPR. Where processing is necessary for the purposes of legitimate interests pursued by us or a third party and these are not overridden by your interests or fundamental rights and freedoms, Art. 6 (1) (f) GDPR applies. The specific legal basis for each processing activity is indicated in the relevant sections below.
3. Duration of storage and deletion
We store personal data only as long as legally permissible. Unless a specific retention period is stated for a given processing activity, data are deleted (or blocked) once the purpose of storage no longer applies. Further storage may occur where required by EU or national legislation applicable to us. Data will also be deleted (or blocked) when a statutory retention period expires, unless further storage is necessary for contract performance or other legal reasons.
4. Transfers of personal data outside the EU/EEA
When using third-party services or applications, processing may occur in third countries outside the European Union (EU) or the European Economic Area (EEA). The European Commission has issued adequacy decisions under Art. 45 (1) GDPR for certain countries confirming an adequate level of data protection under specific conditions. The list of current adequacy decisions can be found at: https://commission.europa.eu/.../adequacy-decisions_en. For example, the adequacy decision for the United States applies only if the US recipient is certified under the EU-US Data Privacy Framework. Where no adequacy decision exists, we generally conclude Standard Contractual Clauses with providers and, where required, implement additional safeguards (e.g., encryption and contractual guarantees) to ensure an adequate level of protection. We indicate the legal basis for any third-country transfer in the relevant provider sections below.
III. Data Processing for Website Provision and Logfiles
1. Description and scope
Each time our website is accessed, our system automatically collects data and information from the user’s device. This includes in particular:
- IP address
- Date and time of access
- Pages visited
- Amount of data transferred (bytes)
- Source/referrer from which the user reached our website
- Browser type and version
- Operating system
- Internet service provider
These data are also stored in logfiles. They are not stored together with other personal data.
For hosting and storage we use the system of Shopify International Limited under a data processing agreement. Further details are provided in Section IX.
2. Purpose
Temporary storage of the IP address is necessary to deliver the website to the user’s device. Logfiles are used to ensure the functionality of the website, for technical optimization, stability checks, and to ensure the security of our IT systems.
3. Legal basis
Art. 6 (1) (f) GDPR (legitimate interests). Our legitimate interest follows from the purposes stated above and is not overridden by the interests or fundamental rights and freedoms of the data subjects.
4. Duration of storage and deletion
Data collected for website provision are deleted when the respective session ends. Logfiles are deleted after seven days at the latest. If stored for longer, IP addresses are deleted or anonymized so that the device can no longer be identified.
5. Right to object
As the processing of the above data is technically necessary for operating the website, there is no possibility to object.
IV. Cookies and Data Processing via Cookies
1. Description and scope
We use cookies when providing our website. Cookies are data stored in the browser/on the user’s device. Cookies may be temporary (“session cookies”) or persistent. We use necessary cookies (e.g., to maintain sessions or security). The following data may be stored and transmitted:
- Items in a shopping cart
- Login information
We also use cookies for statistics/analytics and marketing. Details are provided in Section VIII and in our Cookie Consent Manager.
When you visit our website, you are informed about the use of statistics and marketing cookies and asked to provide consent via our Cookie Consent Manager (see Section V). There you will also find information on each cookie (name, purpose, storage duration).
2. Purpose
Necessary cookies enable basic website functions (e.g., session continuity, security). Some features cannot be provided without cookies. Statistics and marketing cookies help us analyze website usage and improve our content and offers.
3. Legal basis
Statistics/marketing cookies: Art. 6 (1) (a) GDPR (consent).
Necessary cookies within the meaning of Section 25 (2) TTDSG: Art. 6 (1) (f) GDPR (legitimate interests).
4. Duration of storage and deletion
Storage duration depends on the cookie type and your browser settings. You can disable or restrict cookies in your browser and delete stored cookies at any time. Session cookies are deleted when you end your visit; persistent cookies remain until deleted by you or automatically by the browser. Details are available in the Cookie Consent Manager.
5. Right to withdraw/opt-out
- You may withdraw your consent to statistics and marketing cookies at any time with effect for the future via our Cookie Consent Manager.
- You may also install browser plugins that prevent data collection and processing by specific cookies.
- Marketing cookies can additionally be managed via industry tools such as aboutads.info/choices (USA) or youronlinechoices.com/uk/your-ad-choices (EU).
V. Consent Management Service (Cookie Consent Manager)
1. Description and scope
We use the consent management service “GDPR Legal Cookie” by iubenda s.r.l., Via San Raffaele 1, 20121 Milan, Italy. When our website is accessed, the service records opt-in/opt-out events, referrer URL, user agent, user settings, consent ID, time of consent, consent type, template version, and banner language.
The provider acts as a processor under a data processing agreement. Privacy information: https://gdpr-legal-cookie.myshopify.com/, /pages/datenschutzerklarung.
2. Purpose
Managing and storing consents to comply with legal obligations, including documenting withdrawals.
3. Legal basis
Art. 6 (1) (c) GDPR (legal obligation to document consent).
4. Duration of storage
Consent data (granted and withdrawn) are stored for three years and then deleted.
5. Objection
Collection and storage are legally required for website operation; there is no right to object.
VI. Newsletter Subscription
1. Description and scope
Users can subscribe to our free newsletter by providing data that allows us to verify consent (first name, last name, email). We also store the IP address and date/time of registration. Double opt-in is required.
Provider: Soundest Ltd. (Omnisend), Unit A3, Gateway Tower, 32 Western Gateway, London E16 1YL, United Kingdom. Privacy: https://www.omnisend.com/privacy/.
We analyze opening and click rates via tracking links/files to improve content and tailor offers. This can be linked to on-site behavior.
2. Purpose
To verify ownership of the email address, send the newsletter, prevent misuse, and optimize our communications.
3. Legal basis
Art. 6 (1) (a) GDPR (consent) for subscription and analytics; use of the provider also relies on Art. 6 (1) (f) GDPR (legitimate interests in effective newsletter delivery).
4. Duration of storage
Data are stored while the subscription exists and until consent is withdrawn. Other registration data are generally deleted after seven days.
5. Withdrawal and objection
You may unsubscribe at any time via the link in each newsletter. This also withdraws consent to related tracking. Partial withdrawal of tracking only is not possible.
6. Transfers outside the EU/EEA
For the UK, an EU adequacy decision ensures an adequate level of protection.
VII. Email Contact
1. Description and scope
If you contact us by email, we process the transmitted personal data and your request. No transfer to third parties takes place; data are used solely to handle your inquiry.
2. Purpose
To process your contact and handle your request.
3. Legal basis
Art. 6 (1) (b) GDPR if related to a contract; otherwise Art. 6 (1) (f) GDPR (legitimate interests).
4. Duration of storage
Data are deleted when your request has been resolved and the conversation concluded, unless contract or legal obligations require longer storage.
5. Objection
You may object to storage/processing at any time. Where processing is based on consent, further conversation cannot continue. All personal data stored in this context will then be deleted.
VIII. Web Analytics and Marketing
Google Analytics
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Ireland. Cookies may be used. IP addresses are generally processed within the EU/EEA and anonymized via _anonymizeIp(); only in exceptional cases is the full IP sent to Google LLC in the USA and shortened there. We have a data processing agreement with Google. Terms: www.google.com/analytics/terms/de.html, Privacy: www.google.de/intl/de/policies/privacy. Data retained up to 14 months.
Legal basis: Art. 6 (1) (a) GDPR (consent). You can withdraw consent via the Cookie Consent Manager, use browser settings, or install the browser add-on: https://tools.google.com/dlpage/gaoptout.
Google Tag Manager
We use Google Tag Manager to manage tags. The tool may set cookies and trigger other tags that may collect data, but it does not access those data. Info: https://www.google.com/analytics/tag-manager/use-policy/.
Google Ads (incl. Conversion Tracking)
Provider: Google Ireland Limited. If you click a Google ad, a conversion cookie is set on your device to measure effectiveness. We receive only aggregated statistics, not user identification. Privacy: https://www.google.de/policies/privacy/, Ads services: privacy.google.com/businesses/adsservices. Cookies typically expire after 30 days (some Analytics-related after 3 months). Legal basis: Art. 6 (1) (a) GDPR (consent). Opt-out options include withdrawing consent, adjusting browser settings, www.google.de/settings/ads, or industry tools like youradchoices.com.
Meta (Facebook) & TikTok Pixel
Providers: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (data processing terms, privacy policy) and TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (ads privacy, EEA privacy). Technologies (cookies/pixels) record device/browser info (including possibly IP or user IDs) to measure conversions (e.g., purchases, leads, product views). Legal basis: Art. 6 (1) (a) GDPR (consent). Opt-out options include withdrawing consent via our Cookie Consent Manager, adjusting Facebook ad preferences at facebook.com/adpreferences, browser settings, or industry tools.
IX. Online Shop / Orders and Payments
1. Description and scope
We provide an online shop with the option to create a customer account or order as a guest. Data processed during account creation and ordering include: name, address, email address, and payment information.
For identity/credit checks (depending on chosen payment method), additional data (e.g., date of birth, phone number) may be requested by the payment provider.
2. Purpose
To enable purchases via our website and to conclude and fulfill distance contracts. Data may be transmitted to online payment providers for identity and credit checks.
3. Legal basis
Art. 6 (1) (b) GDPR (contract performance). For creditworthiness checks: Art. 6 (1) (f) GDPR (legitimate interests in assessing payment ability).
4. Duration of storage
Data are stored at least for the duration of the contractual relationship and any warranty periods; statutory limitation periods apply.
5. Objection and deletion
You can cancel the order process at any time and/or delete your account. You can also amend stored data in your account or by contacting us. Early deletion may be limited by contractual or statutory obligations.
6. Disclosure to third parties
For order processing we may transfer data to third parties only to the extent necessary and, where required, with your consent. We have concluded data processing agreements with all service providers.
a) Shop system provider
Shopify International Ltd., Victoria Buildings, 1–2 Haddington Road, Dublin, D04 XN32, Ireland (“Shopify”). Shopify may transfer data to affiliates, including Shopify Inc., 150 Elgin St, Ottawa, ON K2P 1L4, Canada; Shopify Data Processing (USA) Inc.; Shopify Payments (USA) Inc.; or Shopify (USA) Inc. Transfers to Canada are covered by an EU adequacy decision. Transfers to the USA rely on Standard Contractual Clauses. Privacy: https://www.shopify.com/de/legal/datenschutz.
b) Content Delivery Network
Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. Used to deliver large assets via distributed servers to improve stability and functionality (Art. 6 (1) (f) GDPR). Cloudflare is certified under the EU-US Data Privacy Framework. Privacy: https://www.cloudflare.com/de-de/privacypolicy/.
c) Payment service providers
For payments we may transmit: first/last name, email, address, bank/card details, transaction number/currency, and order info. Depending on payment method, additional data (e.g., date of birth, phone) may be requested for identity/credit checks.
- Klarna Bank AB, Sveavägen 46, 11134 Stockholm, Sweden – Privacy: https://cdn.klarna.com/.../privacy
- PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg – Privacy: https://www.paypal.com/en/webapps/mpp/ua/privacy-full
- Apple Distribution International, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland (“Apple Pay”) – Privacy: https://support.apple.com/de-de/HT203027
- Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google Pay”) – Info: https://support.google.com/googlepay/answer/9039712
You can select the payment service provider during checkout. Where required, the provider will obtain your consent under Art. 6 (1) (a) GDPR.
d) Other service providers
For creating delivery notes, shipping labels, invoices, and for inventory planning, we may transmit data to ERP/merchandise management systems and payment gateways where necessary for order fulfillment.
X. Social Media Presences
Our website contains simple links to social networks (e.g., Instagram, YouTube). We do not use social plugins. When you click a link, you are redirected to the respective platform, where that provider’s privacy policy applies.
XI. Rights of the Data Subject
Where your personal data are processed, you are a data subject under the GDPR and have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to notification (Art. 19 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7 (3) GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
The supervisory authority with which a complaint is lodged will inform you of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
Status of this Privacy Policy: December 7, 2023
