Privacy Policy

As of October 15, 2025

Note: This privacy policy describes the processing of personal data in our online shop. It includes, among other things, hosting, order/payment and shipping processing, analysis/marketing (Google Analytics 4, Google Ads, Tag Manager, Meta/TikTok/LinkedIn/Pinterest/Microsoft Ads), consent banners, newsletter tracking, reCAPTCHA, social media, transfers to third countries, and data subject rights.

Controller (Art. 4 No. 7 GDPR)

Daniel Schweighöfer
Heinrich-Wieland-Str. 21
55218 Ingelheim am Rhein, Germany
Email: info@schweighoefer-tortechnik.de
Telephone: +49 6132 436 846 1

1. Principles, purposes, legal basis

We process personal data in accordance with the GDPR/BDSG for the following purposes and legal bases:

  • Contract/initiation (Art. 6 para. 1 lit. b): Orders, returns, warranty, support.
  • Consent (Art. 6 para. 1 lit. a): non-essential cookies/tracking, newsletter tracking, marketing pixels, external content.
  • Legitimate interest (Art. 6 para. 1 lit. f): IT security, prevention of misuse/fraud, economic operation, pseudonymized reach measurement.
  • Legal obligations (Art. 6 para. 1 lit. c): tax/commercial law retention, documentation obligations (e.g. consent logs).

Storage durations depend on the purpose/deadlines (see section 10).

2. Website Provisioning, Log Files & Security

When you visit our pages, data such as IP address, time, requested URL/file, referrer, user agent/browser, operating system, status codes and data volume are processed server-side.

Purposes: technical delivery, stability, troubleshooting, IT security (firewalls, WAF, rate limiting, DDoS protection). Legal basis: Art. 6 para. 1 lit. f GDPR. Storage period: typically 7–30 days, longer in case of security incidents.

3. Hosting, Shop Platform, CDN & Tag Manager

3.1 Shop platform/hosting (e.g. Shopify)

We use a shop platform with hosting, database, and backups to operate the online store. All data generated in the shop (forms, checkout, customer account) as well as log data are processed. We have a data processing agreement (DPA) with the provider. Data may be transferred to third countries (e.g., Canada/USA); see section 13 for appropriate safeguards.

3.2 CDN/Performance

For fast and secure delivery, we use Content Delivery Networks (CDNs). This involves processing access data (including IP addresses). Legal basis: Art. 6 para. 1 lit. f GDPR.

3.3 Google Tag Manager

The Tag Manager manages scripts/pixels. It does not set tracking cookies itself; subsequently loaded tags may (depending on your consent). Legal basis: Art. 6 para. 1 lit. a (for non-essential tags) or lit. f (purely technical control).

4. Cookies & Consent Management

We use necessary cookies (e.g. shopping cart, checkout, security) without consent and optional cookies/pixels (analysis, marketing) only after consent.

  • Legal basis: Section 25 TTDSG, Art. 6 para. 1 lit. a GDPR (optional technologies), Art. 6 para. 1 lit. c (proof), lit. f (technically necessary).
  • Consent Management Platform (CMP): Logging of consents (time, scope, consent ID, device/browser; IP in abbreviated/pseudonymous form).
  • Revocation: possible at any time via cookie settings (footer). Rejection may limit functionality.

5. Customer account, orders & communication

5.1 Customer account (optional)

Processing of master data, login data (hashed), order history, address book. Legal basis: Art. 6 para. 1 lit. b/f.

5.2 Order/Contract

Processing of master data, delivery/billing address, email, telephone, items, prices, payment and shipping information, returns/warranty. Legal basis: Art. 6 para. 1 lit. b; retention in accordance with the German Commercial Code (HGB) and the German Fiscal Code (AO).

5.3 Communication

Inquiries via form/email/phone/chat (support systems) including ticket/log data. Legal basis: Art. 6 para. 1 lit. b (inquiries), lit. f (quality assurance).

6. Payments, Fraud Prevention & Debt Collection

6.1 Payment services (depending on selection)

  • Shopify Payments/Stripe
  • PayPal
  • Klarna (Pay Later/Installment Purchase/Instant)
  • Giropay
  • SEPA Direct Debit/Bank Transfer
  • Apple Pay / Google Pay
  • Mollie (if applicable)

Data processed: Payer ID, transaction data, masked card data/IBAN, risk scores. Legal basis: Art. 6 para. 1 lit. b; own fraud prevention Art. 6 para. 1 lit. f. Payment services operate partly independently (own privacy policies).

6.2 Fraud prevention/Risk assessment

Risk assessments (e.g., device fingerprinting, patterns, blacklists) to prevent misuse. Legal basis: Art. 6 para. 1 lit. f.

6.3 Debt Collection

In case of delay: Data transfer to Merk: Lawyers GbR Anja & Hans-Jürgen Merk, Gustav-Pfarrius-Str. 1-3, 55543 Bad Kreuznach. Legal basis: Art. 6 para. 1 lit. b/f.

7. Shipping processing & drop shipping

To fulfill the contract, we transmit necessary data (name, address, email/phone for notifications) to shipping/logistics partners; in drop shipping, also to manufacturers/wholesalers (as shipping service providers).

Service providers include: GLS Germany, UPS Germany, Hermes Germany, DHL Paket, Bos Dynamics, DPD Germany.

Notification (email/SMS/phone) only with consent (Art. 6 para. 1 lit. a), revocable.

8. Newsletters, direct marketing & promotions

8.1 Newsletter (double opt-in)

Data: Email address (required), optional name/segment. Legal basis: Art. 6 para. 1 lit. a; revocation at any time via unsubscribe link.

8.2 Newsletter tracking (optional)

Web beacons/tracking pixels for opens/clicks with individual IDs. Legal basis: Art. 6 para. 1 lit. a; consent can be withdrawn at any time.

8.3 Customer retention

Email advertising for similar products of our own pursuant to Section 7 para. 3 of the German Unfair Competition Act (UWG); objection possible at any time. Legal basis: Art. 6 para. 1 lit. f.

8.4 Competitions/Promotions

Processing according to terms and conditions of the promotion; purpose: execution/notification/dispatch; deletion after completion/deadlines.

9. Analysis, marketing pixels, A/B testing & reCAPTCHA

Important: All non-essential technologies will only be loaded after consent has been given (Consent Mode, if supported).

9.1 Google Analytics 4

Data: Page views/events, interactions, shortened IP address, device/browser, referrer, possibly user ID (pseudonymous), possibly Google Signals (if activated). Legal basis: Art. 6 para. 1 lit. a; data processing agreement with Google; storage periods (e.g., 2/14 months) configured.

9.2 Google Ads (Conversion/Remarketing) & Conversion Linker

Measurement of conversions, campaign attribution, remarketing audiences. Legal basis: Art. 6 para. 1 lit. a.

9.3 Google Tag Manager

Controls tags; does not use tracking cookies itself. Legal basis: Art. 6 para. 1 lit. a/f.

9.4 Meta Pixel (Facebook/Instagram)

Conversion measurement, custom audiences/lookalike audiences, and potentially extended matching (hashed data). Joint controllership may apply (Art. 26 GDPR). Legal basis: Art. 6 para. 1 lit. a.

9.5 TikTok Pixel, LinkedIn Insight Tag, Pinterest Tag, Microsoft Ads (Bing UET)

Similar purposes: Conversion tracking, retargeting, audience targeting. Legal basis: Art. 6 para. 1 lit. a.

9.6 Hotjar/Microsoft Clarity & A/B Testing

Heatmaps, click paths, session replays, A/B tests; IP masking, suppression of sensitive fields. Legal basis: Art. 6 para. 1 lit. a.

9.7 Google reCAPTCHA

Protection against spam/bot abuse; collects, among other things, mouse movements, IP address, browser/device information. Legal basis: Art. 6 para. 1 lit. f.

10. Storage duration & deletion

  • Order/contract data: statutory retention period (usually 6–10 years, AO/HGB).
  • Customer account: until deletion/deactivation; legal obligations remain unaffected.
  • Contact/Support: usually 12–36 months (unless longer obligations apply).
  • Newsletter: until revoked; proof of opt-in for up to 3 years after last dispatch.
  • Tracking/Marketing: according to tool settings (e.g. GA4 2–14 months) or revocation.
  • Log files/security: usually 7–30 days.

11. Social media presence

We maintain company profiles on Twitter, Instagram, YouTube, Pinterest, LinkedIn, and Xing. When visiting these platforms, their respective privacy policies also apply. In some cases, there is joint controllership (Art. 26 GDPR, e.g., Meta fan pages/LinkedIn Insights). Legal bases: Art. 6 para. 1 lit. f (public relations), Art. 6 para. 1 lit. a (advertising/tracking consent on the platforms).

12. Recipients & Categories

  • Internal departments: Sales, Support, Accounting, IT, Marketing (on a need-to-know basis).
  • Data processors: Hosting, CDN, Email/SMS delivery, Ticketing/CRM, Payment/Shipping service provider, Newsletter tool, CMP, Analytics/Marketing, Monitoring.
  • Third parties: Payment services (some acting as separate controllers), authorities in legal cases, debt collection agencies/lawyers.

Data processing agreements (DPAs) including technical and organizational measures (TOMs) exist with data processors.

13. Transfers to third countries (Art. 44 et seq. GDPR)

For processing outside the EU/EEA (e.g., USA, Canada, UK), we ensure an adequate level of data protection through:

  • Adequacy decisions (e.g. USA via EU-US DPF, provided the provider is certified),
  • EU Standard Contractual Clauses (SCCs) and, if necessary, additional measures (encryption/pseudonymization/data minimization).

Risk warning: Despite guarantees, the level of protection may be lower (due to potential access by authorities). We may obtain consent in individual cases via the CMP in accordance with Art. 49 para. 1 lit. a GDPR.

14. Mandatory information, minors, profiling

  • Required information: Required at checkout; without this information, no contract can be concluded.
  • Minors: This offer is aimed at persons aged 16 and over.
  • Automated decisions: none; marketing profiling (segmentation/retargeting) only with consent.

15. Your rights & complaint

  • Information (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20).
  • You have the right to object (Art. 21) to processing based on Art. 6 para. 1 lit. f and to direct marketing at any time.
  • Revocation of consents given (Art. 7) with effect for the future.
  • Complaint to a supervisory authority (Art. 77), e.g.: The State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate (LfDI RLP), Hintere Bleiche 34, 55116 Mainz, Germany.

16. Contact for data protection concerns

For information, correction/deletion, restriction of processing, data portability, objections or revocations, please contact us using the contact details above. For clear identification, please provide appropriate information (e.g., order or customer number).

Data Protection Officer: Not currently appointed; no legal obligation to do so. We will update this statement if anything changes.

17. Changes to this declaration

We update this privacy policy in the event of legal changes, new services, or internal process changes. The version published here, dated as indicated above, is authoritative.

Annex A – Services Deployed

Only keep active/maintain the services you actually use. Deactivate all others in the shop backend/CMP or delete them here.

  • Shop platform/hosting: Shopify (Shopify International Ltd., Shopify Inc.) – DPA/SCC/DPF; Purposes: Shop, checkout, database, email.
  • CDN/Performance: e.g. Cloudflare/Fastly/Akamai – WAF/DDoS/CDN (Art. 6 para. 1 lit. f).
  • CMP (Consent Banner): e.g. Usercentrics, Cookiebot, Shopify-CMP – logging of consents (§ 25 TTDSG, Art. 6 para. 1 lit. a/c/f).
  • Analytics/Marketing: Google Analytics 4 (IP anonymization, signals optional); Google Ads/Conversion/Remarketing + Conversion Linker; Google Tag Manager; Meta Pixel (advanced matching optional); TikTok Pixel; LinkedIn Insight Tag; Pinterest Tag; Microsoft Ads (Bing UET); Hotjar/Microsoft Clarity (session replays/heatmaps); A/B testing (e.g., Optimizely/VWO). Legal basis: Art. 6 para. 1 lit. a.
  • Spam/bot protection: Google reCAPTCHA (Art. 6 para. 1 lit. f).
  • Email/newsletter tool: e.g. Klaviyo/Mailchimp/Brevo – double opt-in; tracking only with consent (Art. 6 para. 1 lit. a/b).
  • Payments: Shopify Payments/Stripe, PayPal, Klarna, Giropay, Mollie, Apple Pay, Google Pay – Art. 6 para. 1 lit. b (partly separate controllers).
  • Shipping/Logistics: GLS, UPS, Hermes, DHL, Bos Dynamics, DPD; Drop shipping between manufacturer and wholesaler – Art. 6 para. 1 lit. b; Notification only with consent.
  • Customer service/Helpdesk: e.g. Zendesk/Gorgias/Intercom – Art. 6 para. 1 lit. b/f.
  • Error/Performance: e.g. Sentry/New Relic – Pseudonymous Telemetry (Art. 6 para. 1 lit. f).

Annex B – Cookie/Technology Categories (Example for CMP)

  • Essential: Shopping cart, checkout, CSRF, security, consent log.
  • Functional features: language, watchlists, customer account convenience.
  • Statistics: GA4, internal analytics (only with consent).
  • Marketing: Ads pixel (Google/Meta/TikTok/LinkedIn/Pinterest/Microsoft), remarketing (only with consent).
  • Support: Chat widgets/feedback tools (only with consent).