Privacy Policy

1) Introduction and Contact Details of the Controller

1.1 We are pleased that you are visiting our website and thank you for your interest. In the following, we inform you about how we handle your personal data when you use our website. Personal data means all data with which you can be personally identified.

1.2 The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Nora Plötner
tofree-design
Alt-Wilkendorf 20
15345 Altlandsberg, Germany
Tel.: +491706140693
 E-mail: kontakt@tofree-design.de

The controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.

 
2) Data Collection When Visiting Our Website

2.1 Server Log Files

When you use our website for informational purposes only (i.e., without registering or otherwise transmitting information), we collect only the data that your browser transmits to our server (“server log files”). When you access our website, we collect the following data, which is technically necessary to display the website:

  • Website visited

  • Date and time of access

  • Amount of data sent (bytes)

  • Source/referrer from which you reached the page

  • Browser used

  • Operating system used

  • IP address used (possibly anonymized)

Processing is carried out pursuant to Art. 6(1)(f) GDPR based on our legitimate interest in improving the stability and functionality of our website. Data is neither shared nor used in any other way. However, we reserve the right to check server log files retrospectively if there are concrete indications of unlawful use.

2.2 SSL/TLS Encryption

For security reasons and to protect the transmission of personal data and other confidential content (e.g., orders or inquiries), this website uses SSL or TLS encryption. You can recognize an encrypted connection by the “https://” prefix and the lock symbol in your browser bar.

 
3) Cookies

To make your visit to our website attractive and to enable certain functions, we use cookies—small text files stored on your device. Some cookies are deleted after closing the browser (“session cookies”), while others remain stored longer (“persistent cookies”).

If personal data is processed through cookies, processing is based on:

  • Art. 6(1)(b) GDPR (contract performance),

  • Art. 6(1)(a) GDPR (consent), or

  • Art. 6(1)(f) GDPR (legitimate interest in optimal website functionality).

You can configure your browser to be informed about cookie placement, decide individually, or exclude cookies entirely. If cookies are not accepted, website functionality may be limited.

 
4) Contacting Us

4.1 Review Reminder

Based on your explicit consent under Art. 6(1)(a) GDPR, we use your email address once to remind you to submit a review of your order. You may withdraw consent at any time by contacting the controller.

4.2 WhatsApp Business

We offer visitors the option to contact us via WhatsApp (WhatsApp Ireland Limited, Dublin, Ireland). We use the WhatsApp Business version.

If you contact us regarding a specific order, we process your WhatsApp phone number and—if provided—your name under Art. 6(1)(b) GDPR to handle your request. For general inquiries, processing is based on Art. 6(1)(f) GDPR (legitimate interest in efficient communication).

WhatsApp Business accesses the address book of the device used and transfers stored numbers to Meta Platforms Inc. (USA). To avoid unauthorized transfers, we store only contacts who have contacted us via WhatsApp.

For WhatsApp’s privacy policy, see: https://www.whatsapp.com/legal/?eea=1

Transfers to the USA are covered by the EU–US Data Privacy Framework.

4.3 Contact Form / Email

If you contact us via form or email, we process your data solely to handle your request. Processing is based on Art. 6(1)(f) GDPR (legitimate interest). If the request aims at a contract, Art. 6(1)(b) GDPR applies. Data is deleted once the matter is resolved unless legal retention obligations apply.

 
5) Data Processing When Opening a Customer Account

Under Art. 6(1)(b) GDPR, we process personal data necessary for opening a customer account. Required data is shown in the form. You may delete your account at any time. Data is deleted once all contracts are fulfilled and no legal retention periods or legitimate interests remain.

 
6) Data Processing for Order Handling

6.1 Uploading Image Files

If you upload image files for product personalization, we process them solely to create the personalized product. Files are transmitted securely and deleted automatically after order completion. If third‑party service providers are involved, this is explicitly stated.

6.2 Sending Image Files via Email

Same as above, but via email transmission.

6.3 Transfer to Shipping and Payment Providers

Where necessary for contract fulfillment, we transfer personal data to shipping companies and payment institutions under Art. 6(1)(b) GDPR.

If we owe updates for digital elements, we use your contact data under Art. 6(1)(c) GDPR to inform you.

6.4 Shipping Providers

Deutsche Post AG DHL Paket GmbH Data is transferred either based on consent (Art. 6(1)(a) GDPR) or necessity (Art. 6(1)(b) GDPR).

6.5 Payment Providers

Includes:

  • Apple Pay

  • Google Pay

  • PayPal

  • Stripe

Each provider receives only the data necessary for payment processing under Art. 6(1)(b) GDPR. For methods involving credit checks, processing may occur under Art. 6(1)(f) GDPR (legitimate interest in assessing creditworthiness).

 
7) Web Analytics – Google Analytics 4

This website uses Google Analytics 4 (Google Ireland Limited). Cookies may be set, and IP addresses are anonymized. Data may be transferred to Google LLC (USA). Processing occurs only with your consent under Art. 6(1)(a) GDPR.

Data retention: 2 months.

Additional features:

  • Demographics

  • Google Signals

  • UserIDs

Transfers to the USA are covered by the EU–US Data Privacy Framework.

 
8) Website Functionalities

8.1 Google Customer Reviews

If you consent (Art. 6(1)(a) GDPR), your email address may be shared with Google to request a review. Data may be transferred to the USA under the EU–US Data Privacy Framework.

8.2 Online Job Applications (Form)

8.3 Job Applications via Email

All application data is processed under Art. 6(1)(b) GDPR or §26 BDSG. Sensitive data may be processed under Art. 9(2)(b) or (h) GDPR. If not selected, data is deleted after 6 months.

 
9) Cookie Consent Tool

We use a consent tool to manage cookie permissions. Technically necessary cookies store your preferences. Processing may occur under Art. 6(1)(f) GDPR and Art. 6(1)(c) GDPR.

 
10) Rights of the Data Subject

You have the following rights under GDPR:

  • Right of access (Art. 15)

  • Rectification (Art. 16)

  • Erasure (Art. 17)

  • Restriction (Art. 18)

  • Notification (Art. 19)

  • Data portability (Art. 20)

  • Withdrawal of consent (Art. 7(3))

  • Complaint to a supervisory authority (Art. 77)

Right to Object (Art. 21 GDPR)

You may object at any time to processing based on legitimate interests or for direct marketing.

 
11) Storage Duration

Storage duration depends on legal bases, purpose, and statutory retention periods. Data is deleted when no longer necessary unless retention obligations or legitimate interests apply.

Shopping Basket