Controller: expertpal UG (haftungsbeschränkt) – Nettelbeckstr. 15, 40477 Düsseldorf, Germany
Managing Director: Illya Konovalov – E-mail: [email protected]
Scope: This policy applies to replitoy.com, related sub-pages, our presences on third-party marketplaces (e.g., Etsy) to the extent described, and our online services/SaaS tools.
Effective date: 15 October 2025.
We process personal data in accordance with the GDPR and BDSG based on:
Identity/contact data; order/payment/shipping data; media provided for personalisation (photos/logos/texts) for stylised, artistic portrayal (no 1:1 likeness); website usage/server logs; SaaS account/telemetry where required.
Contract performance & production (incl. optional proofs/corrections); payment & shipping; customer service; IT operation & security; legal obligations; marketing (newsletter, § 7(3) UWG for similar products); SaaS operation (“as is/available”).
Directly from you; from marketplaces (e.g., Etsy) for order fulfilment—marketplaces act as independent controllers under their own policies.
We receive only the data necessary for fulfilment from the marketplace; we process it under Art. 6(1)(b) GDPR. Please also review the marketplace’s own privacy information.
We process your photos/logos/texts solely to create personalised, stylised products (contract basis). For minors, ensure parental/guardian consent. We do not publish your original photos showing identifiable persons without consent. We may present photos of the finished product per our Terms; where persons would be identifiable, we obtain consent first. Consent may be withdrawn at any time (e-mail to [email protected]).
We use service providers where necessary (purpose-limited, data minimised), including hosting/IT/CDN, e-mail/newsletter/consent management, payment (Stripe), logistics (e.g., DHL/DPD/UPS), analytics (Google Analytics; consent-based), YouTube embedding, and customer support tools. Depending on role, providers act as processors (Art. 28 GDPR) or independent controllers (e.g., Stripe, Google).
Where data is transferred to third countries outside the EEA, we rely on appropriate safeguards (notably EU Standard Contractual Clauses) and additional measures or, where applicable, consent. Details available on request.
EEA provider: Stripe Technology Europe Limited, Dublin, Ireland. Purpose: payment processing (cards and other methods), risk checks & fraud prevention, legal obligations. Data: payment/transaction data, name, e-mail, billing/shipping address, IP, device/browser info, 3-D Secure data where applicable. Full card data is processed only by Stripe; we receive masked data (e.g., last four digits), status, tokens/IDs. Role: Stripe largely acts as an independent controller. Legal bases: Art. 6(1)(b), (f), and (c) GDPR. Transfers: possible intra-group transfers incl. to the USA with SCCs and additional measures. Technically necessary cookies may be set for secure payment flows.
Consent management. On first visit we request consent for optional cookies/services; you can change/withdraw consent at any time.
Google Analytics (with consent). Measures page views/interactions using pseudonymous IDs; IP anonymisation is enabled; retention as configured (e.g., 14 months) or as shown in the consent tool; possible third-country transfers under SCCs. You can withdraw consent any time in the consent tool.
YouTube embeds. We use YouTube in enhanced privacy mode where possible. Cookies/tracking by YouTube/Google only after your active start or based on your consent, depending on implementation. Possible third-country transfers under SCCs. On playback, YouTube/Google may process device/usage and (if logged in) account data under their policies.
Strictly necessary cookies. For core functions/security (e.g., cart, session, CSRF, consent storage) under Art. 6(1)(f) or (b) GDPR.
We may provide SaaS/software. We process only data necessary for account, operation, security, and support (Art. 6(1)(b)/(f); possibly (a) for optional features). Separate/additional Terms apply (prevail in case of conflict). For B2B processing on your behalf, we enter into an Art. 28 GDPR DPA.
Server logs (IP, time stamp, URL, referrer, user-agent) are processed for IT security, abuse prevention, and error analysis under Art. 6(1)(f) GDPR, and are typically deleted/anonymised after 7–30 days.
Newsletter only via double opt-in (Art. 6(1)(a) GDPR). Unsubscribe at any time via link or e-mail. Existing customers: e-mail marketing for similar products per § 7(3) UWG (Art. 6(1)(f) GDPR); you can object at any time.
We may link to Instagram/Meta, LinkedIn, X (formerly Twitter), YouTube. No data is transmitted to these providers unless you click the link. Any third-party tracking on our site occurs only with your consent.
Contract/tax data: typically 6–10 years; communications: until the case is closed; personalisation media: until fulfilment + reasonable buffer (e.g., for rework), then deletion/anonymisation; portfolio media only with consent until withdrawal; cookies/IDs per their lifetimes and your consent settings.
Certain data is required for contract fulfilment; without it, we cannot provide services. Optional features (newsletter, optional cookies) are not mandatory.
You have rights of access, rectification, erasure, restriction, data portability, objection (esp. to direct marketing), and withdrawal of consent. You may lodge a complaint with a supervisory authority, e.g., LDI NRW, Germany. Contact us at [email protected]. We respond within statutory deadlines.
If we introduce electrical/electronic products (e.g., a sensor-equipped bottle holder), we will provide separate ElectroG/WEEE/BattG notices. For returns/service we may process contact/device data under Art. 6(1)(b)/(c)/(f) GDPR.
We will update this policy when laws, services, or processes change. The current version is available at replitoy.com/privacy.
© 2025 expertpal UG. All rights reserved.