Privacy Policy

Controller

YouAWA Brammerau 1 24793 Brammer Info@youawa.de

Data we process

When you visit our website, technical data (e.g. IP address, browser, date/time) is automatically processed by our hosting provider. When you use the contact form, you transmit your name, email and message — solely for handling your enquiry.

Cookies & local storage

We use only technically necessary local storage in your browser (e.g. language preference, cart). No tracking or marketing cookies are set.

Hosting & delivery (Cloudflare)

This website is delivered via the infrastructure of Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA). Technical access data (IP address, date/time, requested URL, referrer, user agent) is processed on each request. Purpose: secure and performant delivery of the website, protection against attacks (DDoS, bots), error analysis. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a secure, stable website). Retention: server logs are typically deleted or anonymised after no more than 30 days. Data processing agreement: a DPA pursuant to Art. 28 GDPR is in place with Cloudflare. Transfers to the US are based on EU Standard Contractual Clauses and — where applicable — the EU-US Data Privacy Framework. More: https://www.cloudflare.com/privacypolicy/

Backend & database (Lovable Cloud)

For functions such as the contact form, shop launch newsletter sign-up and internal administration we use Lovable Cloud, a backend platform operated by Lovable and built on Supabase (Supabase Inc.). Data is processed in EU data centres. Data processed: for contact requests name, email, message; for newsletter sign-up email address and timestamp; technical access and security data. Purpose: processing enquiries, sending shop-launch notifications, authentication of the admin area, database storage. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) for enquiries, Art. 6(1)(a) GDPR (consent) for newsletter sign-up, Art. 6(1)(f) GDPR (legitimate interest) for operation and security. Retention: contact requests are deleted once processed and no legal retention obligations apply. Newsletter data is stored until consent is withdrawn. Data processing agreement: DPAs pursuant to Art. 28 GDPR are in place with the providers. More: https://lovable.dev/privacy and https://supabase.com/privacy

Contact form & newsletter

When you write to us via the contact form or sign up for shop-launch notifications, your details (name, email, message where applicable) are processed to handle the enquiry or send the requested information. Legal basis: Art. 6(1)(b) GDPR for contract-related enquiries, Art. 6(1)(a) GDPR for the voluntary newsletter sign-up. Consent can be withdrawn at any time with effect for the future by emailing Info@youawa.de. Retention: until completion of the enquiry or withdrawal of consent.

Order processing (Shopify)

Orders are processed via Shopify (Shopify International Limited, Victoria Buildings, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland). Data required for contract execution (name, delivery address, email, order and payment data) is transmitted to Shopify. Purpose: order processing, payment, shipping and customer service. Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(c) GDPR (legal retention obligations). Retention: as long as required for contract execution, at least for the duration of statutory commercial and tax retention periods (typically 6–10 years). Data processing agreement: a DPA pursuant to Art. 28 GDPR is in place with Shopify. Transfers to third countries (notably the US) are safeguarded by EU Standard Contractual Clauses. More: https://www.shopify.com/legal/privacy

Transfers to third countries

Some of the services we use (in particular Cloudflare, Shopify) may transfer personal data to third countries, notably the USA. An adequate level of data protection is ensured by EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) and — where applicable — by certification under the EU-US Data Privacy Framework.

Overview of processors

To operate this website and our services we use the following processors under Art. 28 GDPR. Data processing agreements (DPAs) are in place with all providers. Details on data categories, retention and third-country transfers are described in the dedicated sections above.

• Cloudflare, Inc. (USA) — hosting infrastructure, content delivery network (CDN), DDoS/bot protection, TLS termination and delivery of the website. Data processed: in particular IP address, timestamps, request headers and technical connection data. Purpose: secure, reliable and performant operation of the website. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a secure and functioning web presence). Third-country transfer: USA, safeguarded via EU Standard Contractual Clauses (Module 2/3, available at https://www.cloudflare.com/cloudflare-customer-scc/) within the Cloudflare DPA (https://www.cloudflare.com/cloudflare-customer-dpa/) and — where applicable — certification under the EU-US Data Privacy Framework (https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnZKAA0). Supplementary measures: TLS encryption in transit, access controls, documented transfer impact assessment by the provider. • Lovable GmbH (DE/EU) — "Lovable Cloud" platform including hosting of the application logic, backend functions and management of form and newsletter data. Data processed: contact form content, newsletter sign-up data, technical log data. Purposes and legal bases: (i) technical operation of the application — Art. 6(1)(f) GDPR (legitimate interest in running the site); (ii) handling of contact requests — Art. 6(1)(b) GDPR (pre-contractual measures) or (f) GDPR (responding to general enquiries); (iii) newsletter / shop-launch notification — Art. 6(1)(a) GDPR (consent). DPA: data processing agreement under Art. 28 GDPR with Lovable GmbH (https://lovable.dev/dpa). Processing primarily within the EU; sub-processors listed below. • Supabase Inc. (USA, processing in EU data centres) — database, authentication and storage as sub-processor of Lovable Cloud. Data processed: stored contact requests, newsletter subscriptions, admin credentials. Purposes and legal bases: (i) storage of contact requests — Art. 6(1)(b) or (f) GDPR; (ii) storage of newsletter sign-ups — Art. 6(1)(a) GDPR; (iii) authentication of admin accounts and technical operation — Art. 6(1)(f) GDPR. DPA: https://supabase.com/legal/dpa; EU Standard Contractual Clauses integrated (annex to the DPA, https://supabase.com/legal/sccs). Region: EU (Frankfurt); intra-group transfers to the USA are safeguarded via the SCCs and supplementary measures (encryption at-rest and in-transit, granular role/access management, logging). • Resend, Inc. (USA) — delivery of transactional emails via the subdomain notify.www.youawa.de. Currently only the following emails are sent: (1) automatic acknowledgement and content copy to the address provided in the contact form; (2) double opt-in confirmation link after sign-up for the shop-launch notification; (3) one-time welcome/confirmation email after successful double opt-in. Data processed: recipient email address, content of the respective email, delivery metadata (message ID, delivery status, timestamps). Purposes and legal bases: (i) acknowledgement and content copy for contact requests — Art. 6(1)(f) GDPR (legitimate interest in transparency and traceability of the user's own request); for contract-related enquiries additionally Art. 6(1)(b) GDPR (pre-contractual measure); (ii) double opt-in email for the shop-launch notification — Art. 6(1)(a) GDPR (consent) in conjunction with Art. 6(1)(c) GDPR (obligation to demonstrate consent under Art. 7(1) GDPR); (iii) welcome/confirmation email after DOI — Art. 6(1)(a) GDPR (execution of the consent given); (iv) reliable delivery and abuse prevention (e.g. suppression lists) — Art. 6(1)(f) GDPR. DPA: https://resend.com/legal/dpa; third-country transfer USA, safeguarded via EU Standard Contractual Clauses (annex to the DPA, https://resend.com/legal/sccs). Supplementary measures: TLS encryption, short retention of delivery logs, suppression lists for abuse prevention. • Shopify International Limited (Ireland; group affiliation with Shopify Inc., Canada/USA) — shop system, checkout, payment processing and shipping administration for the online shop. Data processed: order data, billing and shipping address, payment information (via the payment provider), order-related communication. Purposes and legal bases: (i) performance of the purchase contract — Art. 6(1)(b) GDPR; (ii) compliance with commercial and tax retention obligations (in particular Sec. 257 HGB, Sec. 147 AO) — Art. 6(1)(c) GDPR; (iii) fraud prevention and secure order processing — Art. 6(1)(f) GDPR. DPA: https://www.shopify.com/legal/dpa; third-country transfer (Canada: EU Commission adequacy decision under Art. 45 GDPR; USA: EU Standard Contractual Clauses integrated in the DPA, https://www.shopify.com/legal/scc). Supplementary measures: PCI-DSS certification of the provider, tokenisation of payment data, encryption in transit and at-rest. In addition, we currently do not use classic tracking, analytics or CRM services (e.g. Google Analytics, Meta Pixel, HubSpot, Mailchimp). Should this change, we will update this overview accordingly and — where required — obtain your consent beforehand.

Mandatory imprint / commercial register information

Our imprint publishes information that is legally required under Sec. 5 DDG (formerly Sec. 5 TMG) and Sec. 18 MStV, including the name and address of the management, contact details and the commercial register number (HRB 27894 KI, local court of Kiel). The legal basis for this processing and publication is Art. 6(1)(c) GDPR (compliance with a legal obligation) and Art. 6(1)(f) GDPR (legitimate interest in transparency and accessibility). Information entered in the commercial register is additionally available to the public via the joint German register portal (handelsregister.de); we have no influence on that publication. Mandatory imprint data cannot be erased as long as the statutory disclosure obligation applies.

Eingesetzte Tracking-, Analytics- und CRM-Tools

Your rights

You have the right to information (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and the right to object (Art. 21 GDPR) at any time. Consent can be withdrawn with effect for the future (Art. 7(3) GDPR). You also have the right to lodge a complaint with a supervisory authority (e.g. the Independent State Centre for Data Protection Schleswig-Holstein). Please contact us informally at Info@youawa.de.