Privacy Policy
1) Introduction and Controller Contact
1.1 Thank you for visiting our website and for your interest. The following explains how we process your personal data when you use our website. Personal data is any information that can identify you as an individual.
1.2 The controller under the GDPR is: Sahara Wave GbR, Waldwegstraße 48, 94354 Haselbach, Germany, Tel.: +49 160 1890233, E-mail: saharawave1@gmail.com. The controller is the natural or legal person who determines the purposes and means of processing personal data alone or jointly with others.
2) Data Collection When Visiting Our Website
2.1 If you use our website for information only (no registration or submission of information), we only collect the data your browser transmits to our server (server log files):
- Visited page/URL
- Date and time of access
- Amount of data sent (bytes)
- Referrer source
- Browser
- Operating system
- IP address (possibly anonymised)
Processing is based on Art. 6(1)(f) GDPR (our legitimate interest in stability and functionality). No transfer or other use takes place. However, we reserve the right to check server log files later if there are concrete indications of unlawful use.
2.2 For security and to protect the transmission of personal data and other confidential content, this site uses SSL/TLS encryption. You can recognise an encrypted connection by “https://” and the lock icon in your browser.
3) Hosting & Content Delivery Network
Shopify
We host our website and serve content via: Shopify International Limited, Victoria Buildings, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland (“Shopify”). Data may also be transferred to: Shopify Inc., 150 Elgin St, Ottawa, ON K2P 1L4, Canada.
All data collected on our website is processed on Shopify’s servers. We have a data processing agreement in place. For transfers to Canada, an EU adequacy decision ensures an appropriate level of data protection.
4) Cookies
We use cookies to make our site attractive and enable certain functions. Some are session cookies (deleted after the browser is closed), others are persistent cookies (store settings for longer). The duration is shown in your browser’s cookie settings.
Where cookies process personal data, the legal basis is Art. 6(1)(b) GDPR (contract), Art. 6(1)(a) GDPR (consent), or Art. 6(1)(f) GDPR (legitimate interests in best possible functionality and user-friendly experience).
You can configure your browser to inform you about cookie placement, to accept cookies on a case-by-case basis, or to refuse cookies. If you do not accept cookies, our site’s functionality may be limited.
5) Contact
When you contact us (e.g., via form or e-mail), we process your data solely to handle and respond to your inquiry (Art. 6(1)(f) GDPR; if contract-related, Art. 6(1)(b) GDPR). We delete the data once your request is resolved unless retention duties apply.
6) Customer Account
When you open a customer account, we process the required data (see the respective form) pursuant to Art. 6(1)(b) GDPR. You can request deletion at any time. After account deletion, data is erased once all contracts are fulfilled, retention periods have expired, and no legitimate interests remain.
7) Use of Customer Data for Direct Marketing
Newsletter Sign-Up
If you subscribe to our newsletter, we send regular information about our offers. Only your e-mail address is required; other details are optional for personalisation. We use a double opt-in. By confirming the link, you consent (Art. 6(1)(a) GDPR). We log IP, date and time to evidence consent. You can unsubscribe at any time; we will then delete your e-mail address unless you consent to further use or we are otherwise permitted by law.
8) Data Processing for Order Fulfilment
8.1 Where necessary for delivery and payment, we transfer personal data to the shipping company and payment institution (Art. 6(1)(b) GDPR). Where we owe updates for digital elements/products, we use your contact details to inform you (Art. 6(1)(c) GDPR).
We also work with service providers that support us in fulfilling contracts; certain personal data may be shared as necessary.
8.2 Transfer to Shipping Providers
Depending on your order and destination, we may share data with: Deutsche Post, DHL, DHL Express (incl. Austria), DHL Freight, DPD, Hermes, Österreichische Post, Post CH, UPS. If you consent during checkout, we may share your e-mail and/or phone for delivery scheduling/notification (Art. 6(1)(a) GDPR). Otherwise, we share only name and address for delivery (Art. 6(1)(b) GDPR). Consent can be withdrawn at any time.
8.3 Use of Payment Service Providers
Depending on the method chosen, we may transfer payment data to: Amazon Pay, Apple Pay, Bancontact, Google Pay, GoPay, iDEAL, Klarna, Mangopay, Masterpayment, PayPal / PayPal Checkout (incl. Ratepay, local methods like Apple Pay, Google Pay, iDEAL, Bancontact, BLIK, eps, MyBank, Przelewy24), Revolut Pay, Shopify Payments, Stripe, VR Payment.
Legal bases: Art. 6(1)(b) GDPR (payment processing); for methods involving provider pre-financing or risk checks, Art. 6(1)(f) GDPR (legitimate interest in creditworthiness checks). Providers may consult credit agencies (see their privacy notices). You may object at any time; providers may still process data where necessary for payment.
9) Web Analytics
Google (Universal) Analytics (without cookies)
We use Google (Universal) Analytics (Google Ireland Limited) without cookies. A browser Local Storage ID enables analytics; your IP is truncated. Data may be transferred to Google LLC (USA). Retention: 2 months.
Processing takes place only with your consent (Art. 6(1)(a) GDPR). You can withdraw consent at any time (e.g., via our consent tool). Browser opt-out: tools.google.com/dlpage/gaoptout.
Features: Demographics, Google Signals (cross-device, if enabled in your Google account), and User-IDs (if you have an account on our site). More info: Google Privacy, Partner sites. Google participates in the EU-US Data Privacy Framework.
10) Retargeting / Remarketing & Conversion Tracking
10.1 Google Marketing Platform (GMP)
We use GMP (Google Ireland Limited) for ad delivery and measurement. Cookies may prevent repeated ads and measure conversions. Data may be transferred to the USA (EU-US DPF). Processing based on your consent (Art. 6(1)(a) GDPR), revocable anytime via our consent tool. Details: business.safety.google/privacy.
10.2 TikTok Pixel
Provider: TikTok Technology Limited, Dublin. Cookies or similar tech (pixels, beacons, HTTP requests) measure ad conversions and website actions after ad clicks. Processing only with your consent (Art. 6(1)(a) GDPR). We have a DPA with TikTok.
11) Site Functionality
11.1 Google Translate
To display automated translations via API, your browser connects to Google and may set cookies. Processing only with your consent (Art. 6(1)(a) GDPR). Google participates in the EU-US DPF. More: business.safety.google/privacy.
11.2 ShopSync for Shopify
We use the ShopSync app (ShopSync LLC, USA) to sync Mailchimp with Shopify (opt-outs and new contacts after contracts). Legal bases: Art. 6(1)(f) GDPR for list hygiene; Art. 6(1)(a) GDPR for adding post-purchase contacts where consented. Data is transmitted via SSL and not stored by ShopSync; servers are hosted on AWS (USA).
More info: shop-sync.com/privacy-policy
12) Cookie-Consent Tool
We use a consent tool to obtain valid consent for cookies/services. Only consented services load. Technically necessary cookies store your preferences. If personal data is processed for storage/logging, this is based on Art. 6(1)(f) GDPR (our legitimate interest in compliant consent management) and Art. 6(1)(c) GDPR (legal obligation).
13) Your Rights
13.1 You have the following rights under the GDPR: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), notification (Art. 19), data portability (Art. 20), withdrawal of consent (Art. 7(3)), complaint to a supervisory authority (Art. 77).
13.2 Right to Object
If we process your data based on legitimate interests (Art. 6(1)(f) GDPR), you may object at any time on grounds relating to your particular situation. If you object, we will stop processing unless we can demonstrate compelling legitimate grounds or the processing serves the establishment, exercise or defence of legal claims.
If we process your data for direct marketing, you may object at any time; we will then stop processing for such purposes.
14) Retention
Retention depends on the legal basis, purpose of processing and statutory retention periods. If processing is based on consent, we store data until you withdraw consent. For contractual data, statutory retention periods apply; afterwards, data is deleted unless needed for performance, pre-contractual measures or legitimate interests. Where processing is based on Art. 6(1)(f), we store data until you object, unless overriding grounds apply. Otherwise, data is deleted when no longer necessary for its purpose.
Last updated: 24.10.2025, 18:33:51