Privacy Policy
Malstrom — Last updated: [Jan2026]
1. Controller
The controller responsible for the processing of your personal data under the General Data Protection Regulation (GDPR) is:
Malstrom — Julius Hintzen (sole proprietorship)
c/o IP-Management #5354
Ludwig-Erhard-Str. 18
20459 Hamburg, Germany
Email: support@malstrom.eu
We have not appointed a Data Protection Officer, as we are not legally required to do so. For any privacy request, please use the contact details above.
Our store runs on the Shopify platform (Shopify International Ltd., Dublin, Ireland), which acts as our processor for the operation of the store.
2. Secure Transmission
Our website uses TLS/SSL encryption, which you can recognise by the padlock symbol in your browser and the "https://" prefix in the address bar.
3. Access Data / Server Log Files
When you visit our website for purely informational purposes, our hosting infrastructure automatically processes technical data such as the page accessed, date and time, data volume transferred, referrer URL, browser type and version, operating system and IP address. This is necessary to deliver the website, ensure stability and security and detect misuse.
Legal basis: Art. 6 (1)(f) GDPR (legitimate interest). This data is not used to create user profiles.
4. Cookies and Similar Technologies
We use cookies and comparable technologies to operate the store, remember your preferences and — with your consent — to analyse usage and display relevant advertising. These technologies are largely provided through our platform provider, Shopify.
The storage of, and access to, information on your device is governed by § 25 TDDDG (German Telecommunications Digital Services Data Protection Act):
- Strictly necessary cookies (e.g. shopping cart, login session) require no consent (§ 25 (2) TDDDG).
- All other cookies and technologies (functional, analytics, marketing) are used only with your consent (§ 25 (1) TDDDG), which you give via our cookie banner and can withdraw at any time with effect for the future.
The subsequent processing of any personal data collected is based on Art. 6 (1)(a) GDPR (consent) or, for strictly necessary processing, Art. 6 (1)(b) or (f) GDPR. You can review and change your choices at any time via the cookie settings in our store.
5. Transfers to Third Countries
Some of our service providers are based in or process data in third countries, in particular the USA. Where a recipient is certified under the EU-US Data Privacy Framework, transfers are based on the European Commission's adequacy decision of 10 July 2023 (Art. 45 GDPR). Otherwise, transfers are safeguarded by the EU Standard Contractual Clauses (Art. 46 GDPR) together with appropriate additional measures.
6. Customer Accounts and Order Processing
When you create an account or place an order, we process your name, billing and shipping address, email address, telephone number (if provided), and order and payment information, in order to perform the contract.
Legal basis: Art. 6 (1)(b) GDPR. After completion of the contract, we retain this data only for the duration of statutory retention obligations (see Section 12).
7. Contacting Us
If you contact us by email, we process the data you provide (name, email address, content of your message) to handle your request.
Legal basis: Art. 6 (1)(b) GDPR where related to a contract, otherwise Art. 6 (1)(f) GDPR (legitimate interest in responding). We delete this data once it is no longer needed and no retention obligation applies.
8. Payment Processing
Depending on the payment method you choose, your payment data is transmitted to the relevant payment service provider, which processes it under its own responsibility to handle the payment (Art. 6 (1)(b) GDPR):
- Shopify Payments — Shopify International Ltd., Dublin, Ireland
- PayPal — PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg
- Klarna / SOFORT — Klarna Bank AB, Sweden / SOFORT GmbH, Germany
- Stripe — Stripe Payments Europe Ltd., Dublin, Ireland
Some providers may carry out identity or credit checks, which can involve automated evaluation, where this is necessary to decide on the payment method. Details are set out in each provider's own privacy policy, which is made available during checkout.
9. Email and SMS Marketing (Klaviyo)
If you subscribe to our newsletter or SMS marketing, we process your email address and/or phone number, together with the IP address and timestamp of your sign-up, to send you promotional messages. We use a double opt-in procedure. You can unsubscribe at any time via the link in each email or by replying "STOP" to an SMS.
Legal basis: Art. 6 (1)(a) GDPR (consent); for email advertising, § 7 (2) no. 2 UWG. We process this through Klaviyo (Klaviyo, Inc., 125 Summer Street, Floor 7, Boston, MA 02111, USA; EU representative: European Data Protection Office (EDPO)), with whom we have concluded a data processing agreement. Klaviyo may also set cookies for on-site tracking where you have consented; the resulting processing is based on Art. 6 (1)(a) GDPR and § 25 (1) TDDDG. Transfers to the USA are safeguarded as described in Section 5 (Klaviyo is certified under the EU-US Data Privacy Framework).
10. Web Analytics and Marketing
We use the following tools only with your consent (Art. 6 (1)(a) GDPR; § 25 (1) TDDDG), which you can withdraw at any time via the cookie settings:
- Google Analytics 4 (Google Ireland Ltd.) — to analyse the use of our website. Google Analytics 4 does not log or store full IP addresses; the IP address is used only transiently to derive approximate location. Data may be transferred to Google LLC, USA (see Section 5).
- Meta Pixel (Meta Platforms Ireland Ltd.) — to measure conversions and create audiences for advertising. For the collection and transmission of data via the pixel, we and Meta act as joint controllers (Art. 26 GDPR); Meta's subsequent processing is carried out under its own responsibility. Data may be transferred to Meta Platforms, Inc., USA (see Section 5).
- Microsoft Clarity (Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland) — to analyse how visitors use our website through heatmaps and session recordings (mouse movement, scrolling, clicks). Clarity is loaded only after you have given consent and does not start recording before then. Form-field content is masked by default. Data may be transferred to Microsoft Corporation, USA (see Section 5).
11. Your Rights
You have the following rights under the GDPR: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection to processing (Art. 21). Where processing is based on consent, you may withdraw it at any time with effect for the future (Art. 7 (3) GDPR), without affecting the lawfulness of processing carried out before the withdrawal.
Right to object (Art. 21 GDPR): Where we process your data on the basis of legitimate interests, you have the right to object on grounds relating to your particular situation. You may object to direct marketing at any time, without giving reasons.
You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The authority competent for us is:
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str. 22
20459 Hamburg, Germany
You may also contact the supervisory authority in your country of residence or workplace.
12. Retention
We retain personal data only as long as necessary for the relevant purpose or as required by statutory retention periods, in particular under German commercial and tax law (§ 257 HGB, § 147 AO): generally 8 years for accounting vouchers and invoices, 10 years for annual financial statements and accounting records, and 6 years for commercial and business correspondence. Data processed on the basis of consent is retained until you withdraw consent; data processed for direct marketing until you object. Once the purpose ceases and no retention obligation applies, the data is deleted or anonymised.
13. Minors
Our store is not directed at children. We do not knowingly process the personal data of persons under the age where consent for information-society services is valid (16 years in Germany) without the consent of a parent or guardian.
14. Changes to This Policy
We may update this Privacy Policy to reflect changes in our processing or in the legal framework. The current version is always available on this page.