Privacy policy
This Privacy Policy informs you how Krützberg processes personal data when you visit our website, use our online shop, place an order, communicate with us, submit reviews or use marketing and analytics functions. It covers Shopify, Shopify Payments, PayPal, DHL, Judge.me, Shopify Messaging, as well as the use of Google Analytics, Google Ads, Meta Pixel and YouTube on the basis of a consent banner.
1. Controller
The controller responsible for the processing of personal data within the meaning of the General Data Protection Regulation (GDPR) is:
Krützberg – owner André Braun
Storchenweg 12
50829 Köln
Germany
E-mail: info@kruetzberg.de
Phone: +49 (0)176 32980420
Web: www.kruetzberg.de
A data protection officer has not been appointed. You can contact us at any time with any questions about data protection using the contact details above.
2. General information on data processing
We process personal data only insofar as this is necessary for the provision of our website, the operation of the online shop, the processing of orders, communication with you, the fulfilment of legal obligations or for legitimate business purposes.
Personal data means any information relating to an identified or identifiable natural person, for example name, address, e-mail address, telephone number, order data, payment data, IP address or usage data.
The provision of personal data is in part required for the conclusion of the contract. Without the details necessary for ordering, payment and shipping, we cannot conclude a contract or fulfil an order. In other cases, provision is voluntary, for example for newsletter sign-up, reviews, contacting us or marketing consents.
3. Legal bases of processing
Where we obtain consent for processing operations, the legal basis is Art. 6(1)(a) GDPR.
Where processing is necessary for the performance of a contract or for pre-contractual measures, the legal basis is Art. 6(1)(b) GDPR.
Where we are required to fulfil legal obligations, the legal basis is Art. 6(1)(c) GDPR.
Where processing is necessary to safeguard the legitimate interests of Krützberg or a third party, and your interests, fundamental rights and freedoms do not override them, the legal basis is Art. 6(1)(f) GDPR.
4. Hosting and shop platform: Shopify
Our online shop is operated via Shopify. For users in the European Economic Area, the provider is Shopify International Ltd., Attn: Data Protection Officer, c/o Intertrust Ireland, 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland.
Shopify provides the technical infrastructure for the online shop and, in doing so, processes in particular data arising from the visit to and use of the shop, as well as customer, order, payment, shipping and usage data. Where Shopify acts on our behalf, processing takes place on the basis of a data processing agreement.
The legal bases are Art. 6(1)(b) GDPR for contract processing and Art. 6(1)(f) GDPR for the secure, stable and efficient operation of our online shop.
Shopify may also transfer personal data to countries outside the European Economic Area, in particular to Canada and the USA. Shopify states that it uses appropriate safeguards under applicable data protection law for this purpose, in particular adequacy decisions, standard contractual clauses and/or other recognised transfer mechanisms.
5. Server log files and technical access data
You can generally visit our website without actively providing information about your person. However, when our website is accessed, technical data are automatically processed. These may include in particular:
IP address
date and time of access
pages and files accessed
referrer URL
browser type and version
operating system
amount of data transferred
requesting provider
These data are processed in order to provide the website technically, ensure system security, analyse errors and prevent misuse. The legal basis is Art. 6(1)(f) GDPR.
6. Customer account
If you create a customer account or use existing customer account functions, we process the data provided, in particular name, e-mail address, address, order history and account settings. The processing serves to manage your customer account, to simplify future orders and to display your order data.
The legal bases are Art. 6(1)(b) GDPR, where the customer account is used to carry out or prepare orders, and Art. 6(1)(f) GDPR based on our legitimate interest in user-friendly shop processing. Where individual functions are based on consent, the legal basis is Art. 6(1)(a) GDPR.
You can request the deletion of your customer account at any time, provided that no statutory retention obligations conflict with this.
7. Order processing and contract performance
When you order via our online shop, we process the data required for ordering, payment, delivery, invoicing and customer service. This includes in particular name, billing and delivery address, e-mail address, telephone number, order information, payment information, invoice data and communication data.
The processing is necessary for the conclusion and performance of the contract. The legal basis is Art. 6(1)(b) GDPR. We also process and store data relevant under tax and commercial law to fulfil legal obligations on the basis of Art. 6(1)(c) GDPR.
Your data are only passed on insofar as this is necessary to carry out the order or where there is a legal basis, in particular to payment service providers, shipping service providers, IT service providers, Shopify as the shop platform, as well as tax advisors or authorities, where necessary.
8. Shipping service providers
For shipping, we pass on the data required for this purpose to the shipping service provider used. This may include in particular name, delivery address, e-mail address, telephone number, tracking number and further details required for delivery.
We usually ship with DHL or DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany, or a comparable shipping service provider.
The data are passed on for contract performance on the basis of Art. 6(1)(b) GDPR. Where we pass on your e-mail address or telephone number to the shipping service provider so that it can inform you about the shipping status or offer delivery options, this is done only insofar as it is necessary for delivery or there is a corresponding legal basis.
9. Payment processing
For payment processing, we use payment service providers. The payment data provided during the order process are transmitted to the respective selected payment service provider and processed there. The legal basis is Art. 6(1)(b) GDPR.
Via Shopify Payments, various payment methods can be offered, for example credit card (Visa, Mastercard, American Express, Maestro), Shop Pay, Apple Pay and Google Pay. Payments made via Shopify Payments are processed, in accordance with the Shopify Payments terms applicable to Germany, by payment service providers such as Stripe Payments Europe, Ltd. or the respective responsible payment providers.
For credit card payments and other payment methods, the data processed may include in particular payment data, invoice data, transaction data, device information, fraud prevention data and payment status.
If you select PayPal, the data required for payment are transmitted to PayPal. The provider for users in the EU is PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.
Depending on the payment method chosen, additional providers may be involved, for example Apple, Google or banks/credit card companies. The respective payment provider's own privacy notices apply additionally to the processing carried out by it.
10. Contacting us
If you contact us by e-mail, telephone, contact form or via other communication channels, we process the data you provide in order to handle your request. This may include name, contact details, content of the message, order number and further information that you provide to us.
The legal basis is Art. 6(1)(b) GDPR where the request relates to a contract or pre-contractual measures. In all other cases, the legal basis is Art. 6(1)(f) GDPR based on our legitimate interest in handling requests. Where you expressly give consent, the legal basis is Art. 6(1)(a) GDPR.
11. Shopify Messaging and marketing communication
For newsletters, e-mail marketing, campaign communication and, where applicable, SMS or messaging communication, we use Shopify Messaging (in Shopify partly referred to as Shopify Email) as a Shopify-owned app or function. Processing takes place via Shopify's technical infrastructure.
The data processed may include in particular name, e-mail address, telephone number, consent status, customer and order data, segment assignments, shipping status, open and click data, as well as information about interactions with messages sent.
We send newsletters and other promotional communication in principle only with your consent. The legal basis is Art. 6(1)(a) GDPR. You can withdraw your consent at any time with effect for the future, for example via an unsubscribe link in the respective message or by contacting us.
If you purchase goods from us, we may also use your e-mail address for advertising for our own similar goods or services, provided that the statutory requirements of Section 7(3) of the German Act Against Unfair Competition (UWG) are met and you have not objected. The legal basis is Art. 6(1)(f) GDPR. You can object to this use at any time, without incurring any costs other than the transmission costs according to the basic tariffs.
12. Product reviews and review requests (Judge.me)
For product reviews and review functions, we use Judge.me. The provider is Judge.me Ltd, c/o Buckworths, 1-3 Worship Street, London EC2A 2AB, United Kingdom.
If you submit a review, we or Judge.me process the data required for this, for example name or displayed name, e-mail address, review text, review score, product reference, order reference and technical data for the prevention of misuse.
Review requests by e-mail are only made where there is a legal basis for this, in particular where your consent has been given or the statutory requirements for permissible customer communication are met. Depending on the case, the legal basis is Art. 6(1)(a), Art. 6(1)(b) or Art. 6(1)(f) GDPR.
In the event of a data transfer to the United Kingdom, the transfer may take place on the basis of the European Commission's adequacy decision for the United Kingdom, insofar as this is applicable. Otherwise, appropriate safeguards are used.
13. Cookies, local storage technologies and consent banner
Our website uses cookies and comparable technologies, for example local storage technologies, pixels or scripts. These can store information on your device or read information from your device.
We use technically necessary cookies and comparable technologies insofar as they are necessary for the operation of the shop, the shopping cart, the checkout, security, payment processing, language settings or similar basic functions. The legal basis for access to the device is Section 25(2) TDDDG. The subsequent processing of personal data takes place on the basis of Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR.
We set non-necessary cookies and comparable technologies, in particular for analytics, marketing, personalisation, retargeting or embedded third-party content, only with your consent. The legal basis is Section 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR.
You can give, refuse or later change or withdraw your consent with effect for the future via our consent banner. You can also delete or block cookies in your browser settings. As a result, individual functions of the shop may be restricted.
14. Web analytics, marketing services and embedded content
We use the following services insofar as they are activated in the shop and, where required, your consent has been given via the consent banner. In these cases the legal basis is Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG.
14.1 Google Tag Manager
We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager serves to manage website tags. According to Google itself, it does not create any user profiles for marketing purposes, but it can trigger other services that in turn process personal data. Tags requiring consent are only triggered after the corresponding consent.
14.2 Google Analytics
We use Google Analytics, a web analytics service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics helps us understand how visitors use our website, which pages are accessed and how the usage can be technically improved.
In doing so, the data processed may include in particular usage data, device information, browser information, IP addresses, referrer information, interactions on the website and approximate location information. Use takes place only with your consent. You can withdraw your consent at any time via the consent banner.
14.3 Google Ads and conversion tracking
We use Google Ads and Google conversion tracking in order to measure the effectiveness of advertisements and to display ads more relevantly. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
In doing so, the data processed may include in particular information about clicks on ads, page views, orders, device and browser data, as well as cookie or similar identifiers. Use takes place only with your consent, insofar as this is legally required.
14.4 Meta Pixel and Meta advertising services
We use the Meta Pixel and further Meta advertising services. The provider for users in Europe is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
With the help of the Meta Pixel, we can track whether users perform certain actions on our website after clicking on an advertisement, for example a page view, add-to-cart action or purchase. In addition, target groups for advertising can be formed or existing advertising campaigns can be evaluated.
In doing so, the data processed may include in particular IP address, device information, browser information, referrer, pages visited, interactions, purchase events and cookie or similar identifiers. Use takes place only with your consent, insofar as this is legally required.
14.5 YouTube videos
Videos from YouTube may be embedded on our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Where possible, we use privacy-friendly embedding variants or load videos only after your active consent or interaction.
If you play a YouTube video or consent to the embedding, data may be transmitted to Google/YouTube, in particular IP address, device and browser data, the page accessed and information on video playback. Use takes place only with your consent, insofar as this is legally required.
14.6 Fonts
The fonts used to display our website are provided via Shopify's infrastructure (self-hosted). No separate connection to Google or other third parties, and no associated transfer of your IP address solely for loading fonts, takes place. The provision is part of the technical operation of our website on the basis of Art. 6(1)(f) GDPR.
15. Social media and external links
Our website may contain links to social media profiles or external websites. When you merely visit our website, no personal data are generally transmitted to these providers via simple links. Only when you click on such a link do you reach the respective provider; the privacy notices of the respective provider then apply.
Where social media plugins, embedded content or comparable functions are used, we load these only after consent or in a privacy-friendly two-click solution, insofar as this is necessary.
15.1 Our own social media presences
Krützberg maintains its own profiles on Instagram and Facebook. The Instagram profile is @_kruetzberg_. The provider of Instagram and Facebook for users in Europe is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
When you visit our social media profiles, Meta processes personal data under its own responsibility in accordance with Meta's privacy policy. We process the messages, comments and interactions directed to us via these profiles in order to communicate with you and to present our brand. The legal basis is Art. 6(1)(f) GDPR.
For statistical evaluations of so-called page insights, joint responsibility with Meta may exist. The essential information on this is provided by Meta in its privacy and page insights notices.
16. Transfers to third countries
When using Shopify, payment service providers, analytics, marketing or app providers, personal data may be transferred to countries outside the European Union or the European Economic Area, in particular to the USA, Canada or the United Kingdom.
Where an adequacy decision of the European Commission exists for the respective third country, the transfer may take place on this basis. Where no adequacy decision exists, a transfer only takes place if appropriate safeguards exist, in particular EU standard contractual clauses, certifications under the EU-US Data Privacy Framework or other transfer mechanisms provided for by law.
17. Storage period
We store personal data only for as long as is necessary for the respective purposes or for as long as statutory retention periods exist.
We store order, invoice and accounting data within the framework of the statutory tax and commercial law retention obligations. We store communication data for as long as is necessary to handle the request and afterwards only insofar as statutory periods, interests in providing evidence or legitimate interests require this.
Data based on consent are stored in principle until the consent is withdrawn or for as long as this is necessary for the respective purpose. After the purpose ceases to apply or the statutory periods expire, the data are deleted or anonymised.
18. Your rights
Where the statutory requirements are met, you have the following rights:
right of access to the personal data we process (Art. 15 GDPR)
right to rectification of inaccurate data (Art. 16 GDPR)
right to erasure (Art. 17 GDPR)
right to restriction of processing (Art. 18 GDPR)
right to data portability (Art. 20 GDPR)
right to object to certain processing (Art. 21 GDPR)
right to withdraw a given consent with effect for the future (Art. 7(3) GDPR)
To exercise your rights, you can contact us at any time at info@kruetzberg.de.
19. Right to object under Art. 21 GDPR
Where we process personal data on the basis of Art. 6(1)(f) GDPR, you have the right to object at any time, on grounds relating to your particular situation, to such processing.
We will then no longer process the data concerned, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
Where we process personal data for direct marketing, you can object to this processing at any time. After your objection, we will no longer use the data for direct marketing.
20. Right to lodge a complaint with a supervisory authority
Under Art. 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority if you consider that the processing of your personal data infringes the GDPR.
You can in particular contact the supervisory authority of your habitual residence, place of work or the place of the alleged infringement.
The supervisory authority responsible for Krützberg is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, LDI NRW), Kavalleriestraße 2-4, 40213 Düsseldorf.
21. Automated decision-making and profiling
A decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you does not take place.
22. Minors
Our offer is aimed at persons of legal age. Persons under 18 years of age should not transmit any personal data to us without the consent of their legal guardians. We do not knowingly collect data from minors without corresponding consent.
23. Security
We take appropriate technical and organisational measures to protect personal data against loss, misuse, unauthorised access, alteration or disclosure. Nevertheless, no data transmission over the internet can be guaranteed to be absolutely secure.
24. Changes to this Privacy Policy
We may adapt this Privacy Policy if legal requirements, technical functions, service providers used or processing operations change. The version published on our website at the time applies.
Last updated: 7 June 2026