PLACEHOLDER — replace with reviewed legal texts (lawyer) before go-live.
Controller
TODO Furéllea GmbH
TODO Beispielstraße 1
TODO 12345 Musterstadt
Germany
kontakt@furellea.local
Purposes of processing
We process your data only insofar as it is necessary for the following purposes:
- Performance of the contract (reservation, delivery)
- Payment processing
- Shipping and logistics
- Issuance and verification of certificates of authenticity
- Fraud prevention (anonymised scan data)
- Virtual try-on and AI preview — processing of photos you upload, exclusively on the basis of your explicit consent (Art. 6(1)(a), where applicable Art. 9(2)(a) GDPR)
Processors
As part of the processing, we work together with the following processors (Art. 28 GDPR):
- Stripe Payments Europe Ltd. — payment processing, card and wallet payments
- PayPal (Europe) S.à r.l. — PayPal payments
- Email service provider — delivery of transactional emails (order, certificate and enquiry notifications)
- Hosting provider — operation and storage of the platform within the EU
- AI service providers for virtual try-on and preview generation — Google Ireland Ltd. / Google LLC (Gemini), FASHN AI Inc. Photos you upload are transmitted to these providers for image generation; for providers based in the USA this constitutes a third-country transfer (Art. 44 et seq. GDPR, safeguarded via EU standard contractual clauses or the EU-US Data Privacy Framework)
This list must be reconciled with the providers actually used before go-live — see docs/operations/data-processors.md.
Your rights
You have the following rights at any time:
- Access to stored data — Export data
- Rectification of inaccurate data
- Erasure (right to be forgotten) — Delete account
- Restriction of processing
- Data portability
- Complaint to a supervisory authority
Cookies & tracking
We use technically necessary cookies for the shopping cart and login. Payment providers (Stripe, PayPal) may set additional cookies — we only enable these with your explicit consent.
Retention of scan events
We store scan events of your certificate of authenticity with a hashed IP and device fingerprint for 5 years, and thereafter in aggregated form. The purpose is fraud prevention (see docs/security.md §12.6).