Privacy Policy

 

Privacy Policy — Berlin Chainstitch

Introduction

Berlin Chainstitch (“we”, “our”, “us”) operates vintage chainstitch embroidery services in Berlin. This Privacy Policy explains how we collect, use, disclose, and protect personal data in connection with our website, customer relations, orders, marketing, and other business activities. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and German data protection law (BDSG).

Controller for processing of personal data under this policy: Tuesday Bassen, Wolliner Strasse 51 UG, Berlin, Germany 10435
Email: hallochen@berlinchainstitch.com

Personal data we collect

We collect and process personal data necessary for the provision of our services and legitimate business purposes:

  • Contact data: name, email address, postal address, phone number.

  • Account data: user name, password (hashed), profile information.

  • Order and transactional data: order history, products/services ordered, delivery address, billing information, payment confirmations, invoices.

  • Payment data: payment card details are processed by third-party payment processors; we receive transaction references and confirmations but do not store full card details unless explicitly stated.

  • Communications data: customer service correspondence, emails, messages, notes.

  • Marketing preferences and consents: opt-ins/opt-outs for newsletters and marketing communications.

  • Technical data: IP address, device information, browser type and version, operating system, referring URL, pages visited, timestamps and other server log data.

  • Cookies and tracking data: cookie identifiers and similar tracking technologies used to improve the website and for analytics.

  • Photo and design files: images, logos, and design files you upload for custom embroidery.

  • Special categories: we do not generally process special categories of personal data (sensitive data). If such data is provided, we will only process it where necessary and lawful (e.g., explicit consent).

Purposes and legal bases for processing

We process personal data for the following purposes and legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR): processing orders, delivering products/services, managing payments, issuing invoices and customer support.

  • Legal obligations (Art. 6(1)(c) GDPR): compliance with tax, accounting, and other statutory obligations.

  • Legitimate interests (Art. 6(1)(f) GDPR): improving and securing our services and website, fraud prevention, direct marketing by email where permitted, analytics, and enforcing our terms. We balance these interests against individual rights.

  • Consent (Art. 6(1)(a) GDPR): where we rely on consent (e.g., subscribing to newsletters, non-essential cookies), you may withdraw consent at any time.

  • Vital interests or public interest: only if strictly necessary and in accordance with law.

Cookies and similar technologies

We use cookies and tracking technologies to provide essential website functions, improve site performance, analyze usage, and, where consented, for marketing. You can control or delete cookies through your browser settings. For non-essential cookies we will obtain consent where required.

Third-party services and disclosures

We use trusted third-party service providers to operate our business. These may include:

  • Payment processors and financial institutions for payment handling.

  • Hosting and cloud providers for website and data storage.

  • Email and messaging providers for communications and marketing.

  • Shipping and logistics providers to deliver orders.

  • Analytics and advertising providers for website performance and marketing.

We disclose only the personal data necessary for these providers to perform their services. We apply data processing agreements and, where applicable, Standard Contractual Clauses to protect transfers outside the EU/EEA. We do not sell personal data.

International transfers

Personal data may be processed or stored outside the EU/EEA. Where we transfer data to countries without an adequacy decision, we ensure appropriate safeguards such as Standard Contractual Clauses, binding corporate rules, or other lawful mechanisms.

Data retention

We retain personal data only as long as necessary for the purposes set out in this policy and to comply with legal obligations (for example, accounting and tax records are typically retained for 10 years under German law). After that, data is deleted or anonymized.

Data subject rights

Under the GDPR, you have the following rights:

  • Right of access: request confirmation whether we process your personal data and obtain a copy.

  • Right to rectification: correct inaccurate or incomplete data.

  • Right to erasure ("right to be forgotten"): request deletion where legal grounds permit.

  • Right to restriction of processing: request limitation of processing in certain circumstances.

  • Right to data portability: receive personal data you provided in a structured