Privacy policy

This Privacy Policy explains the type, scope and purposes of processing personal data (hereinafter “data”) within our online offering and the websites, functions and content connected to it as well as external online presences (e.g. our social media profiles) (collectively the “Online Services”). Terms such as “processing” and “controller” are used as defined in Article 4 GDPR. 

Controller

SensoryBoost
Albert-Einstein-Straße 4, 04600 Altenburg, Germany
Email: support@sensoryboost.de
Owner: Benjamin Zeising
Imprint: https://sensoryboost.de/policies/legal-notice 

Categories of Data We Process

Customer/master data (e.g., names, addresses)
Contact data (e.g., email, phone numbers)
Content data (e.g., text entries, photographs, videos)
Usage data (e.g., pages visited, interest in content, access times)
Meta/communication data (e.g., device information, IP addresses) 

Data Subjects

Visitors and users of the Online Services (“users”). 
Purposes of Processing
Providing the Online Services, their functions and content
Handling contact requests and communication
Security measures
Reach measurement/marketing 

Key Terms (summary)

“Personal data”: information relating to an identified or identifiable natural person.
“Processing”: any operation performed on personal data.
“Pseudonymisation”: processing so that personal data can no longer be attributed to a specific data subject without additional information kept separately.
“Profiling”: automated processing to evaluate personal aspects (e.g., preferences or behaviour).
“Controller”: the party deciding purposes and means of processing.
“Processor”: party processing data on behalf of the controller. 

Legal Bases

Unless stated otherwise, we rely on: consent (Art. 6(1)(a), Art. 7 GDPR), contract/steps at request (Art. 6(1)(b)), legal obligation (Art. 6(1)(c)), and legitimate interests (Art. 6(1)(f)). Where vital interests require processing, Art. 6(1)(d) applies. 

Storage Period & Deletion

We retain personal data only as long as needed for the purpose or where legal retention applies. Typical periods:
Order data: 10 years (§ 147 AO)
Contact enquiries: 1 year after completion
Marketing & tracking data: 14 months (unless configured otherwise)
Account data: until deletion or after 3 years of inactivity
Accounting/tax data: 10 years (§ 257 HGB, § 147 AO)

Cookie/tracking data: 1 day to 24 months
After expiry, data are deleted or anonymised. 

Security Measures

We implement measures under Art. 32 GDPR (state of the art, costs, nature/scope, risks) to ensure confidentiality, integrity and availability, including access controls, input/transfer controls, and procedures for rights requests, deletion and incident response. We apply Privacy by Design/Default (Art. 25 GDPR). 

Processors & Third Parties

Where we disclose/transfer data to others (processors/third parties), this is based on legal permission, consent, legal obligation, or legitimate interests. Processor contracts are concluded under Art. 28 GDPR. 

International Data Transfers

We transfer data to third countries only if one of the following applies:

Adequacy decision (e.g., Canada, Japan; certified US companies under the EU-US Data Privacy Framework – DPF)
Standard Contractual Clauses (SCCs) under Art. 46 GDPR with additional safeguards where required
Additional measures (e.g., encryption/pseudonymisation)
Explicit consent under Art. 49(1)(a) GDPR in exceptional cases

USA & third countries: If a US recipient participates in the DPF, transfers rely on that adequacy decision; otherwise on SCCs plus safeguards. You can disable tracking/external services in cookie settings. 

1. Access Data & Hosting

You can use our website without identifying yourself. Each visit stores server log files (requested file name, IP address, date/time, data volume, requesting provider). Logs are used to ensure stable operation and improve our offering (Art. 6(1)(f) GDPR) and are deleted no later than 7 days after your visit.

For the USA: transfers rely on DPF participation or SCCs with safeguards. 

Hosting by Shopify

We use Shopify International Limited (Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, Ireland) to host and present the shop as a processor. Data may also be processed by Shopify Inc., 150 Elgin St, Ottawa, Canada; Shopify Data Processing (USA) Inc.; Shopify Payments; or Shopify (USA) Inc. Canada benefits from an EU adequacy decision. Shopify’s privacy info: https://www.shopify.de/legal/datenschutz. 

1.1 Hosting (general)

Our hosting/website presentation services are partly provided by processors; access/form data are processed on their servers unless otherwise stated. Some providers are in countries with adequacy decisions (e.g., Canada); others in the USA/third countries (no general adequacy). Cooperation relies on SCCs; for the USA, DPF where the provider participates, otherwise SCCs plus safeguards. 

1.2 Content Delivery Network (CDN) – Cloudflare

For faster loading we use a CDN; access data are processed on regional servers by our processors. Some processing may occur outside the EU/EEA on the basis of SCCs; for US transfers, DPF (if participating) or SCCs plus safeguards. 

2. Contract Processing & Contact
2.1 Contract Fulfilment

We collect personal data necessary for orders (Art. 6(1)(b)). Required fields are marked. After completion, data are restricted and deleted after statutory retention unless you consent to further use or we are legally allowed to retain. 

2.2 Account

With your consent (Art. 6(1)(a)), we create a customer account and store data for future orders. You can delete the account at any time; then we delete related data unless further use is permitted or consented. 

2.3 Contact

For enquiries (contact form/email), we process your data to handle your request (Art. 6(1)(b)); required fields are marked. After completion, we delete data unless you consent to further use. 

2.3.1 Shopify Inbox (Live Chat)

This website uses the live chat system provided by Shopify International Ltd., Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland.

The processing of personal data transmitted via the chat takes place either pursuant to Art. 6(1)(b) GDPR because it is necessary for the initiation or performance of a contract, or pursuant to Art. 6(1)(f) GDPR on the basis of our legitimate interest in efficiently assisting visitors to our website. The following data are processed: chat content (e.g. messages, contact/order details voluntarily provided such as name, email address, order number) and metadata such as IP address, timestamps, browser/device information and, where applicable, the referrer URL. Data transmitted in this way will be deleted—subject to statutory retention obligations—once the matter in question has been conclusively resolved.

Consent-based processing only: Where non-essential cookies/tracking are used for the chat to create pseudonymous usage profiles, this will only occur with your consent (Section 25 TTDSG / Art. 6(1)(a) GDPR). Until consent is given, the chat function remains technically disabled (via the consent tool). You may withdraw your consent at any time with effect for the future via the consent tool. You can also prevent the setting of cookies through your browser settings; this may restrict the functionality of our website.

Recipients / Third-country transfers: Data are also transmitted to Shopify Inc., 150 Elgin St, Ottawa, ON K2P 1L4, Canada. In addition, data may be transferred to affiliated companies in the United States (including Shopify (USA) Inc. and Shopify Data Processing (USA) Inc.). Where a transfer to the USA occurs, it is based—if the recipient participates in the EU–US Data Privacy Framework (DPF)—on the DPF; otherwise on the EU Standard Contractual Clauses (SCCs) together with appropriate supplementary measures. For transfers to Canada, an adequacy decision by the European Commission ensures an appropriate level of data protection.

We have concluded a data processing agreement with the provider pursuant to Art. 28 GDPR, which ensures the protection of our website visitors’ data and prohibits unauthorised disclosure to third parties.

 
2.4 Shipping Notifications

If you consent during/after checkout, we pass your email/phone to the chosen carrier to announce delivery (Art. 6(1)(a)); you can withdraw consent at any time (with us or the carrier). Example: DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany. 

3. Payments
3.1 Transaction Processing

Depending on the method, necessary data are passed to technical service providers (processors), banks or the chosen payment provider (Art. 6(1)(b)). Some providers collect data directly via their own pages or embedded components. Refer to each provider’s privacy policy. 

3.2 Fraud Prevention & Optimisation

We may share additional data with our processors to prevent fraud and streamline payment processes (Art. 6(1)(f)). 

3.3 Klarna (Direct Debit)

With your consent (Art. 6(1)(a)) we transmit data to Klarna Bank AB (publ), Stockholm, Sweden, for identity/credit checks. German credit agencies may be used; results inform Klarna’s decision on payment methods. You can withdraw consent with us or Klarna; some options may then be unavailable. 

3.4 Amazon Pay

Payment data are transmitted primarily to Amazon Payments Europe S.C.A., and secondarily to Amazon EU SARL, Amazon Services Europe SARL, Amazon Media EU SARL (all Luxembourg). Amazon may run credit checks using score values; see Amazon’s privacy notice for details (pay.amazon.com/de/help/201751600). Legal basis: Art. 6(1)(b). 

3.5 PayPal

For PayPal (and PayPal card/direct debit/”invoice” where offered), we transmit payment data to PayPal (Europe) S.à r.l. et Cie, Luxembourg. PayPal may conduct credit checks; see www.paypal.com/…/privacy-full and the third-parties list. Legal basis: Art. 6(1)(b). 

3.6 Shopify Payments (Apple Pay, Google Pay etc.)

Payments via Shopify Payments are technically processed by Stripe Payments Europe Ltd., Dublin. We transmit order and payment details to Stripe for processing (Art. 6(1)(b)). More info: Shopify https://www.shopify.com/legal/privacy; Stripe https://stripe.com/de/privacy. 

4. Third-Party Content & Services

We integrate third-party content/services (e.g., videos, fonts) based on our legitimate interests (analysis, optimisation, economic operation; Art. 6(1)(f)). Providers need the user IP to deliver content and may use pixel tags/web beacons and cookies to compile pseudonymous statistics/marketing profiles. Where cookies or device access are used, this occurs only after consent (§ 25 TTDSG). 

4.0 Product Reviews via “Judge.me”

Provider: Judge.me Ltd, London, UK – https://judge.me/privacy.
Data: email, name (if provided), order/product reference, review text/media, timestamp, technical metadata (e.g., IP, user agent).
Purpose/legal basis: gathering/displaying verified reviews; abuse prevention (Art. 6(1)(f)). Email review requests only with consent (Art. 6(1)(a)) or where permitted under § 7(3) UWG.
International transfers may rely on SCCs.

4.0.1 Product reviews via “Trustpilot”

We use the review platform “Trustpilot” to display and collect customer reviews. The provider is Trustpilot A/S, Pilestræde 58, 5th floor, DK-1112 Copenhagen, Denmark (“Trustpilot”).

Integration of Trustpilot widgets
Trustpilot widgets (such as star ratings or review boxes) may be embedded on our website. When you access a page that contains such a widget, a connection to Trustpilot’s servers is established. In this context, technical data such as your IP address, browser and device information, the subpages you visit, time stamps and, where applicable, cookie information may be transmitted to Trustpilot in order to display the requested content correctly.

Where cookies or comparable technologies are used in this context, this is done solely on the basis of your consent via our cookie/consent tool (Section 25 (1) TTDSG in conjunction with Art. 6 (1) (a) GDPR). The legal basis for displaying the reviews is our legitimate interest in a transparent online presence and genuine customer feedback (Art. 6 (1) (f) GDPR).

Further information on the processing of personal data by Trustpilot can be found at:
https://de.legal.trustpilot.com/for-reviewers/end-user-privacy-terms

Review invitations
If you place an order with us, we may subsequently send you an e-mail invitation to submit a review via Trustpilot. For this purpose, we transmit to Trustpilot the data required to send the invitation (name, e-mail address, order reference). These data are used solely for sending the review invitation and for verifying that a genuine purchase has taken place.

The legal basis for this is Art. 6 (1) (f) GDPR in conjunction with Section 7 (3) UWG. You can object to the use of your e-mail address for review invitations at any time.

Any further processing of a review you submit takes place under the sole responsibility of Trustpilot.

4.1 YouTube

Only after consent (two-click): Data are sent to Google only after you actively consent (Art. 6(1)(a)/§ 25 TTDSG). We embed videos from YouTube (Google). Privacy: https://www.google.com/policies/privacy/; Ads settings: https://adssettings.google.com/authenticated. 

4.2 Google (general)

EU provider: Google Ireland Limited, Dublin; possible transfer to Google LLC, USA (DPF/SCC). 

4.2.1 Google reCAPTCHA

Only after consent (two-click). EU provider as above; possible transfer to Google LLC (DPF/SCC). Privacy: https://www.google.com/policies/privacy/. 

4.2.2 Google Fonts (remote, only after consent)

If served from Google servers (USA), this occurs only after your consent (§ 25 TTDSG/Art. 6(1)(a)). US transfers rely on DPF where applicable, otherwise SCCs with safeguards. Consent can be withdrawn at any time in the tool. EU provider: Google Ireland; possible transfer to Google LLC (DPF/SCC). 

4.2.3 Google Maps

Only after consent (two-click). Maps may collect IP and location data; we have no control over subsequent processing by Google. 

4.2.4 Google Ads

Only after consent: Remarketing/conversion cookies and similar IDs are set only after consent; revocable in the tool. US transfers: DPF or SCCs. Additional details on remarketing/conversion tracking are provided in this section. 

4.2.5 Google Analytics

Used only after consent (§ 25(1) TTDSG/Art. 6(1)(a)). IP anonymisation is active. US transfers rely on SCCs or (where applicable) DPF. Storage: service-specific (e.g., GA 14 months unless configured otherwise). Opt-out plugin: http://tools.google.com/dlpage/gaoptout?hl=de. Further info: Google privacy & ads settings. 

4.2.6 Google Tag Manager

The Tag Manager itself sets no cookies and processes no personal data for its own purposes. It triggers tags (e.g., analytics/marketing) which are activated only after consent. US transfers: DPF where applicable, otherwise SCCs plus safeguards. 

4.2.7.1 Shopify Analytics

We use the integrated statistics function “Shopify Analytics” provided by Shopify International Limited, Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland (“Shopify”) in order to analyse user behaviour in our online shop and to optimise our offering from both a technical and commercial perspective.

In this context, the following data in particular are processed: pages and products viewed, click paths, shopping cart and order events, browser and device information, referrer URL, approximate location data (country/region), time stamps, as well as a pseudonymous identifier (e.g. via Shopify analytics cookies such as _shopify_s, _shopify_y, _shopify_sa_t, _shopify_sa_p).

Where non-essential cookies are set in connection with Shopify Analytics, this is done only on the basis of your express consent via our consent tool (Section 25 (1) TTDSG in conjunction with Art. 6 (1) (a) GDPR). Without such consent, analysis is limited exclusively to technically necessary data, which we process on the basis of our legitimate interest in the secure and stable provision of our shop (Art. 6 (1) (f) GDPR).

Shopify may transfer data to Shopify group companies outside the EU, in particular in Canada and the USA. For Canada, there is an adequacy decision of the European Commission. For transfers to the USA, Shopify relies on the EU–US Data Privacy Framework and, where applicable, on EU standard contractual clauses together with additional safeguards.

Further information is available in Shopify’s privacy policy at:
https://www.shopify.com/legal/privacy

4.2.7.2 Shopify Messaging / Email and SMS Marketing

We use “Shopify Messaging”, a service provided by Shopify International Limited, Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland (“Shopify”), to create, send, and analyze email and SMS marketing campaigns. This may include newsletters, product information, promotional messages, abandoned cart and checkout reminders, browse abandonment messages, and follow-up communications.

When using Shopify Messaging, the following data may be processed in particular: name, email address, phone number, customer account and contact details, marketing preferences and consent status, order and cart data, checkout data, purchased or viewed products, discount and campaign data, communication data, open, click and conversion data, unsubscribe data, as well as technical data such as IP address, device and browser information, timestamps, referrer information, and pseudonymous identifiers. Where necessary for technical operation, administrative data of shop staff or contributors may also be processed, such as user IDs, roles, permissions, and activity data within the Shopify Admin.

Email and SMS marketing is generally sent only if you have expressly consented to receiving such communications or if another legal permission applies. The legal basis is Art. 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future, for example by using the unsubscribe link in the respective message or by contacting support@sensoryboost.de. Where we use direct marketing to existing customers in legally permitted cases, the processing is based on our legitimate interest in direct marketing for our own similar goods pursuant to Art. 6(1)(f) GDPR in conjunction with Section 7(3) UWG. You may object to this use at any time.

The analysis of campaigns, in particular open rates, click-through rates, and conversion rates, is used to measure success and optimize our communication. Where cookies, pixels, or similar tracking technologies are used on our website for this purpose, this only takes place with your consent via our consent tool pursuant to Section 25(1) TTDSG in conjunction with Art. 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future via the cookie settings.

Where Shopify Network Intelligence is enabled, Shopify may securely use customer data together with other Shopify data and data from interactions with Shopify and other merchants in order to provide enhanced Shopify services. This may include improving products and personalization, improving store performance, and optimizing ad targeting. Other merchants do not receive access to your customer data.

Personal data is initially processed by Shopify International Limited in Ireland. Processing by Shopify affiliates and subprocessors, in particular in Canada, the United States, and other third countries, cannot be excluded. Canada is subject to an adequacy decision by the European Commission. Where data is transferred to the United States or other third countries, such transfer takes place, where applicable, on the basis of the EU-US Data Privacy Framework, EU Standard Contractual Clauses, or other appropriate safeguards pursuant to Art. 44 et seq. GDPR.

Further information on data processing by Shopify can be found in Shopify’s Privacy Policy at:
https://www.shopify.com/legal/privacy

Information about your privacy rights towards Shopify and opt-out options in connection with Shopify services can also be found in the Shopify Privacy Portal:
https://privacy.shopify.com

We store marketing and campaign data only for as long as necessary for the purposes stated above or as required by statutory retention obligations. If you withdraw your consent or object to direct marketing, your data will be blocked or deleted for future marketing communications, unless statutory retention obligations prevent deletion.

4.2.8 Zigpoll (Post-Purchase Survey on the Thank-You / Order Status Page)

Only with consent: After you complete an order, we display a post-purchase survey on Shopify’s Thank-You / Order Status Page using “Zigpoll Customer Surveys”. Participation is voluntary; you can ignore or close the survey at any time. Where Zigpoll uses cookies/similar identifiers or comparable technologies, the integration takes place only after your consent via our consent tool (Section 25(1) TTDSG in conjunction with Art. 6(1)(a) GDPR). You can withdraw your consent at any time with effect for the future via the cookie settings.

Provider: Argonautic Labs (Zigpoll), 400 E 67th Street, New York, NY 10065, USA.

Purpose: Collecting and evaluating feedback immediately after purchase (e.g., satisfaction/NPS, purchase reasons/attribution) to improve and optimize our offering, our shop and our customer service.

Data processed (depending on your input and the survey configuration):
- Survey content and responses (including free-text)
- If applicable, order/transaction reference (e.g., order reference, purchased products/variants, timestamps) to assign responses to the corresponding order
- Technical usage/metadata (e.g., IP address, timestamps, device/browser data, online identifiers, interaction/engagement data)
- If applicable, cookie IDs or comparable identifiers, where technically used by Zigpoll

Recipients / processing on our behalf: Zigpoll processes data as our processor (Art. 28 GDPR) and may use sub-processors (e.g., hosting/storage, security/CDN, e-mail/logging services) to provide the service.

Third-country transfer: Zigpoll is based in the USA; processing/transfer to the USA is possible. Such transfers are carried out on the basis of appropriate safeguards (in particular, the EU Standard Contractual Clauses) in accordance with Zigpoll’s agreements.

Storage period: We store survey/feedback data only for as long as necessary for the purposes stated above. We then delete or anonymize the data unless statutory retention obligations apply. After the end of the use of the service, data is deleted or returned in accordance with Zigpoll’s agreements.

Further information:
Terms / Privacy: https://www.zigpoll.com/terms-and-policies
DPA: https://www.zigpoll.com/dpa

4.3 SSL Encryption

We use HTTPS (e.g., SSL/TLS) to protect data in transit. 

Changes to this Policy
We may update this Policy to reflect legal or service changes. The updated version applies to future visits. 

4.4.1 Pandectes GDPR Compliance Cookie Consent Tool

We use a consent tool so you can choose which cookies to allow and change your choices at any time. Provider: Pandectes (Estonia). Contact: https://pandectes.io/contact-us/. 

4.4.2 Cookies & Right to Object to Direct Marketing

Cookies are small files stored on your device. We may use session and persistent cookies; third-party cookies may also be used. You can disable cookies in your browser (functionality may be limited). General opt-outs:

US: http://www.aboutads.info/choices/

EU: http://www.youronlinechoices.com/
Browser help pages (Firefox/Edge/Chrome/Opera/Safari) are linked in the original text. Opt-outs: Google Analytics, Facebook Ads, Your Online Choices. See also our cookie statement: https://sensoryboost.de/pages/cookie-erklarung. 

4.5 Meta (Facebook) Services
4.5.1 Facebook Pixel

Only after consent. Potential US transfers: DPF or SCCs. Joint controllership under Art. 26 GDPR applies to certain collection/transfer parameters (see Meta’s information). Pixel places a cookie and may create pseudonymous profiles; when logged in to Facebook, data may be combined for personalised/group-based ads. US transfers: DPF or SCCs with safeguards. 

4.5.2 Facebook Ads

Only after consent. Joint controllership limited to collection/transfer; subsequent processing by Meta is separate. We use Custom Audiences, Remarketing and Conversions as described. 

4.6 WhatsApp Business

Optional communication channel (WhatsApp Ireland Ltd.). Transfers to third countries (incl. USA) may occur under SCCs/DPF. Processing is voluntary and based on your consent (Art. 6(1)(a)); withdraw at any time. Privacy: https://www.whatsapp.com/legal/privacy-policy-eea. 

4.7 Affiliate Programme “UpPromote”

Provider: Secomapp Pte. Ltd. (Vietnam). We process affiliate data (contact, payment, marketing presence) to manage the programme (Art. 6(1)(b)) and prevent abuse (Art. 6(1)(f)). Payouts are made by us (SensoryBoost). International transfers may rely on SCCs.
Processing by SensoryBoost (affiliates): contact, payment and marketing data as needed to run the programme and pay commissions.
Processing by UpPromote: places a cookie (no personal data) to attribute sales; legitimate interests Art. 6(1)(f); if consent is required for cookies/device access, we rely on Art. 6(1)(a). Privacy: https://docs.uppromote.com/privacy-policy/privacy-policy. 

2. Disclosure to Third Parties (Summary)

We share personal data only where necessary for contract performance or with consent, e.g.:
Payment providers (PayPal, Klarna, Google Pay, Apple Pay)
Shipping providers (DHL, Deutsche Post, UPS)
Hosting/IT providers

Accounting/tax advisors
We do not sell or rent personal data. 

3. Your Rights

You have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and to lodge a complaint with a supervisory authority (Art. 77).
Right to object (Art. 21): You may object at any time to processing based on Art. 6(1)(e) or (f), including profiling; for marketing, you can object at any time (e.g., via support@sensoryboost.de or cookie settings). 

6. Contact

For questions or to exercise your rights, contact our Data Protection Contact:
Benjamin Zeising | SensoryBoost — support@sensoryboost.de — Subject: Data Protection

Last updated: 14 August 2025