Data protection
Privacy Policy.
How we process and protect your data at Craved.
1. Controller & Contact
Controller within the meaning of the GDPR
Craved GbR
Saarbrücker Straße 71
66740 Saarlouis
Deutschland
E-Mail: info@craved-shop.com
(For further contact details, see Imprint)
Where this privacy policy refers to "we", "us" or "Craved", it means this company.
Scope
This privacy policy informs you about how we process personal data when you visit our website craved-shop.com, use our online shop, place orders, communicate with us or otherwise contact us.
Our online shop is operated via the Shopify e-commerce platform. Certain data processing is therefore carried out by Shopify on our behalf or under its own responsibility (see section “Relationship to Shopify & international data transfers”).
2. Processed Data & Sources
Definitions
“Personal data” means any information relating to an identified or identifiable natural person (e.g., name, address, e-mail address, order data, IP address, user IDs).
“Processing” is any operation relating to personal data, such as collecting, storing, using, transmitting or deleting data.
Categories of personal data
Depending on the use of our services, we process in particular:
- Master data (name, billing and delivery address, title if applicable)
- Contact data (e-mail address, telephone number if applicable, social media handles)
- Account data (login data, saved addresses, settings in customer account)
- Order and contract data (ordered products, shopping cart, prices, payment and shipping method, history, returns)
- Payment data (e.g., tokenized card or account data, transaction IDs, payment status)
- Communication data (content and metadata of your messages to us, e.g., via e-mail, form, WhatsApp, social media)
- Device and usage data (IP address, browser, operating system, referrer URL, pages visited, timestamps, cookie IDs)
- Marketing and preference data (newsletter status, consents/withdrawals, interactions with campaigns).
Sources of data
We receive personal data primarily:
- Directly from you (e.g., during orders, messages, account creation)
- Automatically when visiting our website (e.g., via server logs, cookies and similar technologies)
- From service providers we use to operate our shop (e.g., payment and shipping providers)
- From third parties when you link them to our shop (e.g., wallets like Apple Pay/Google Pay, social media platforms).
3. Purposes & Legal Bases for Data Processing
Contract fulfillment & customer service
We process your data to provide our online shop, accept and process orders, handle payments, ship goods, create and manage customer accounts, answer support requests and handle warranty and other contractual claims.
Legal basis: Art. 6(1)(b) GDPR (contract fulfillment and pre-contractual measures).
Legal obligations
We process data as necessary to comply with legal obligations, e.g., from commercial, tax or product safety law (e.g., retention of invoice data, proof and information obligations, recalls).
Legal basis: Art. 6(1)(c) GDPR.
Legitimate interests
Where necessary, we also process data to protect legitimate interests, e.g.:
- IT and network security, abuse/fraud prevention
- Enforcement of civil claims and legal defense
- Internal evaluations (anonymous/pseudonymized) for assortment, usability and performance optimization
- Direct marketing for similar own products to existing customers within legal limits.
Legal basis: Art. 6(1)(f) GDPR.
Consents
For certain processing, we obtain your consent in advance, e.g., for:
- Sending our newsletter to non-customers
- Using non-essential cookies/tracking for statistics and marketing
- Advertising communication via WhatsApp.
Legal basis: Art. 6(1)(a) GDPR in conjunction with Art. 7 GDPR and § 7 UWG or § 25 TDDDG. You can withdraw given consent at any time with effect for the future.
4. Cookies & Similar Technologies
Use of cookies
Our website uses cookies and similar technologies (e.g., pixel tags, local storage) to provide basic shop functions (shopping cart, login, language settings), create usage statistics and – with your consent – display personalized content and advertising.
We set essential cookies on the basis of § 25(2) TDDDG and Art. 6(1)(f) GDPR (legitimate interest in a functional online shop). Non-essential cookies (analysis/marketing) are set only with your express consent (§ 25(1) TDDDG, Art. 6(1)(a) GDPR).
Cookie‑Consent‑Banner
On your first visit to our website, you will be asked via a consent banner for your decision on non-essential cookies. There, you can select categories, give or refuse consents and change your selection at any time via the “Cookie Settings” link in the footer.
The consent banner provides details on the respective providers, purposes, technologies, storage periods and any third-country transfers of the tools used.
5. Payment Methods & Payment Service Providers
General information on payment processing
In the checkout process, you can choose from various payment methods. Depending on the selected method, we transmit certain data (e.g., name, address, order total, payment status) to the respective payment service provider.
The purpose is payment execution and fraud/abuse prevention. Legal basis: Art. 6(1)(b) GDPR (contract fulfillment), additionally Art. 6(1)(f) GDPR (legitimate interest in secure payment processing).
Card & wallet (Shopify Payments, Apple Pay, Google Pay, Shop Pay)
Credit/debit card payments and wallet payments (Apple Pay, Google Pay, Shop Pay) are processed via Shopify-integrated payment services (e.g., Shopify Payments). Shopify receives the data required for payment processing and forwards it to the respective card/wallet providers.
Further processing is the sole responsibility of the respective providers. See the privacy notices of Shopify and the payment services for details.
PayPal, Klarna & other providers
If you select PayPal, Klarna or other payment services offered in our shop, the necessary data (e.g., master data, order data, account data if applicable) are transmitted to the respective provider. They may perform identity and credit checks and process data for their own purposes.
Further information, especially on credit checks, storage periods and your rights, can be found in the privacy policies of the respective payment service providers.
6. Shipping Provider DHL
Data transfer to DHL
For shipping our goods, we exclusively use DHL Paket GmbH. For delivery of orders, we transmit to DHL in particular name, delivery address and – if necessary – your e-mail address and/or telephone number (e.g., for parcel notifications and delivery options).
Purpose: Delivery of ordered goods, shipment tracking, delivery optimization.
Legal basis: Art. 6(1)(b) GDPR (fulfillment of sales contract).
7. Newsletter & E‑Mail‑Marketing
Subscription & content
You can subscribe to our newsletter to receive regular information on new products, promotions and offers from Craved. Subscription usually follows a double opt-in process: After entering your e-mail address, you receive a confirmation e-mail; the subscription is complete only after clicking the confirmation link.
Legal basis & withdrawal
The legal basis for sending the newsletter is your consent (Art. 6(1)(a) GDPR, § 7 UWG). Logging the subscription and success measurement is based on our legitimate interest (Art. 6(1)(f) GDPR) in a legally secure, user-oriented newsletter system.
You can withdraw your consent at any time with future effect, e.g., via the unsubscribe link in every e-mail or by contacting us at the above details.
8. Communication via WhatsApp
WhatsApp Business
We offer the option to contact us via the WhatsApp messenger service (e.g., for product inquiries or order questions). Provider for users in the EEA is WhatsApp Ireland Limited, a Meta Group company.
When using WhatsApp, your phone number, profile name, message content, metadata (time, duration, recipient), device information and possibly other contact data are processed. We use WhatsApp Business and configure the app as data-minimally as possible.
Purposes & legal bases
- To answer specific inquiries and communicate in the context of existing or emerging contractual relationships (Art. 6(1)(b) GDPR)
- Only with your express consent for advertising information via WhatsApp (Art. 6(1)(a) GDPR, § 7 UWG).
You can withdraw given consent at any time with future effect by informing us in the chat or blocking the chat/our number.
9. Shopify & International Data Transfers
Shop operation via Shopify
Our online shop is operated on the Shopify platform (Shopify International Ltd., Ireland, and affiliates). Shopify processes personal data both on our behalf and under its own responsibility.
On our behalf, Shopify provides, e.g., hosting, database, security features, payment and shipping processing, and system e-mails. This is governed by an order processing agreement pursuant to Art. 28 GDPR.
Transfers to third countries
In the context of using Shopify, payment services, hosting/CDN and communication tools, data transfers to countries outside the EU/EEA may occur (particularly to the USA and Canada).
Where an EU Commission adequacy decision exists, we rely on it. Otherwise, we use approved standard contractual clauses and take additional technical and organizational measures (e.g., encryption, pseudonymization) to ensure an appropriate protection level.
10. Storage Period & Data Security
Storage duration
We store personal data only as long as necessary for the respective purposes or as legally required. For example:
- Order and invoice data: generally up to ten years (commercial/tax retention)
- Customer account data: as long as the account is active; after deletion, only if legal obligations apply
- Inquiry data: until final processing and thereafter only if legal obligations or legitimate interests (e.g., legal defense) exist.
Technical & organizational measures
We implement appropriate technical and organizational security measures to protect personal data against loss, misuse, unauthorized access, disclosure, alteration or destruction (e.g., TLS/SSL encryption, access restrictions, role and authorization concepts, regular security and functional checks).
Please use a strong password for your customer account and do not share it with third parties.
11. Your Rights & Complaints
Rights of data subjects
Subject to legal requirements, you have in particular the following rights regarding your personal data:
- Right to information (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to certain processing (Art. 21 GDPR)
- Right to withdraw consents (Art. 7(3) GDPR).
To exercise your rights, contact us at any time using the above details.
Right to complain to a supervisory authority
If you believe that the processing of your personal data infringes data protection law, you have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR), in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.
12. Changes to this Privacy Policy
Updates
We may occasionally amend this privacy policy, particularly if we introduce new services, technical or legal changes occur or we adjust our data processing processes. The current version is always available on our website at craved-shop.com.
Where legally required, we will inform you of material changes in an appropriate manner (e.g., notice on the website or by e-mail). The “Last updated” date at the beginning indicates when the last change was made.