Privacy Policy

Your Privacy and Data Protection

Data Protection Information according to GDPR for carnivalstore.de

Effective Date: August 15, 2025 | Last Updated: August 15, 2025

📋 Table of Contents

  1. Controller and Data Protection Officer
  2. Legal Basis for Processing
  3. What Personal Data We Collect
  4. How We Use Your Data
  5. Data Sharing and Third Parties
  6. International Data Transfers
  7. Data Retention Periods
  8. Your GDPR Rights
  9. Cookies and Tracking
  10. Security Measures
  11. Children’s Privacy
  12. Profiling and Automated Decision-Making
  13. Right of Withdrawal
  14. Right to Lodge a Complaint
  15. Changes to This Policy
  16. Account & Data Deletion (How to request)
  17. Contact Information

🏢 1. Controller and Data Protection Officer

Data Controller

The controller responsible for data processing on this website is:

Carnival Store GmbH
Untere Wiesenstraße 1
32120 Hiddenhausen, Germany
Managing Director: Ilker KABADAYI
Email: info@carnivalstore.de
Phone: +49 176 4717 8423
Commercial Register: District Court of Bad Oeynhausen HRB 18675
VAT ID: DE310480783

Data Protection Officer

For data protection inquiries, please contact us at:

Email: privacy@carnivalstore.de
Subject Line: “Data Protection Inquiry”

Hosting Information

Server Location: Germany (European Union)
Data Processing: All personal data is processed and stored within the European Union
Backup Systems: Secure, encrypted backup systems with restricted access

⚖️ 2. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

Contract Performance (Art. 6(1)(b) GDPR)

  • Processing and fulfilling your orders
  • Payment processing and verification
  • Delivering products and services
  • Managing your customer account
  • Providing customer support and service
  • Handling returns, exchanges, and warranty claims
  • Shipment tracking and delivery coordination

Legal Obligation (Art. 6(1)(c) GDPR)

  • Tax and accounting requirements (German AO, HGB)
  • Commercial law compliance and record keeping
  • Anti-money laundering and fraud prevention
  • Product safety and liability requirements
  • Regulatory reporting obligations

Legitimate Interests (Art. 6(1)(f) GDPR)

  • Website security and fraud prevention
  • System performance optimization and maintenance
  • Business development and service improvement
  • Direct marketing to existing customers (with right to object)
  • Legal claims and dispute resolution
  • Data quality management and cleanup

Consent (Art. 6(1)(a) GDPR)

  • Email marketing and promotional communications
  • Optional cookies and tracking technologies
  • Newsletter subscriptions and preferences
  • Personalized advertising and content
  • Optional analytics and user experience features

📊 3. What Personal Data We Collect

| Data Category | Examples | Collection Method | Purpose | Legal Basis |
|---|---|---|---|---|
| Account Information | Name, email address, password, preferences | Registration forms | Account management and authentication | Art. 6(1)(b) GDPR |
| Order Information | Billing address, shipping address, purchase history | Checkout process | Order processing and fulfillment | Art. 6(1)(b) GDPR |
| Payment Data | Payment method preferences, transaction references | Payment gateways | Secure payment processing | Art. 6(1)(b) GDPR |
| Shipping Information | Delivery preferences, tracking data | Shipping integrations | Order delivery and tracking | Art. 6(1)(b) GDPR |
| Technical Data | IP address, browser type, device information | Automatic collection | Security and website functionality | Art. 6(1)(f) GDPR |
| Usage Analytics | Page views, session duration, interaction patterns | Analytics tools | Website improvement and optimization | Art. 6(1)(a) GDPR |
| Communication Data | Support messages, feedback, reviews | Contact forms and communication | Customer service and support | Art. 6(1)(b) GDPR |
| Marketing Preferences | Newsletter subscriptions, communication preferences | Consent forms and preferences | Targeted marketing communications | Art. 6(1)(a) GDPR |

Special Categories of Personal Data (Art. 9 GDPR)

We do not generally process special categories of personal data (such as health data, biometric data, religious beliefs, etc.). If this becomes necessary in specific cases, we will obtain your explicit consent in advance and inform you of the specific purpose and legal basis.

Automated Data Collection

Our website automatically collects certain data through:

  • Server Logs: Access logs including IP addresses, timestamps, and requested resources
  • Cookies and Similar Technologies: Session management, preferences, and website functionality
  • Security Systems: Monitoring for suspicious activities and potential threats
  • Performance Monitoring: Website speed, error tracking, and optimization data

🔄 4. How We Use Your Data

E-Commerce Operations

  • Order Management: Processing orders through our e-commerce system
  • Payment Processing: Secure transaction handling via certified payment providers
  • Inventory Management: Product availability tracking and stock management
  • Shipping Coordination: Integration with shipping providers for delivery management
  • Multi-Currency Support: Price display in appropriate currencies based on location
  • Order Tracking: Shipment tracking and delivery status updates

Customer Service & Communication

  • Support Services: Handling customer inquiries and technical support requests
  • Automated Communications: Order confirmations, shipping notifications, and account updates
  • Account Management: User account maintenance and preference management
  • Return Processing: Managing product returns, exchanges, and refund requests
  • Quality Assurance: Monitoring and improving service quality

Website Functionality & Performance

  • Performance Optimization: Caching systems and speed optimization technologies
  • Database Management: Regular maintenance and optimization of data storage
  • Security Monitoring: Threat detection, prevention, and incident response
  • Content Optimization: Image and media optimization for faster loading
  • Backup Management: Automated backup systems for data protection and recovery

Marketing & Analytics (with appropriate consent)

  • Email Marketing: Newsletter campaigns and promotional communications
  • Website Analytics: User behavior analysis and website performance tracking
  • Advertising Campaigns: Targeted advertising and remarketing activities
  • Search Engine Optimization: Content optimization for better search visibility
  • Product Promotion: Product listing optimization and promotional campaigns

International Operations

  • Multi-Language Support: Content delivery in multiple languages
  • Regional Compliance: Adaptation to local regulations and requirements
  • Currency Management: Real-time currency conversion and price display
  • Cross-Border Commerce: International shipping and customs integration

🤝 5. Data Sharing and Third Parties

Essential Service Providers

We work with carefully selected service providers to deliver our services:

Hosting & Infrastructure

  • Server Location: Germany (European Union)
  • Purpose: Website hosting, data storage, technical infrastructure
  • Protection: German data protection laws, GDPR compliance

Payment Processing

  • Payment Gateways: Certified payment processors for secure transactions
  • Security Standards: PCI DSS compliance, tokenization, encryption
  • Data Minimization: Only necessary payment data is processed

Shipping & Logistics

  • Delivery Partners: Professional shipping companies for order fulfillment
  • Tracking Services: Real-time package tracking and delivery confirmation
  • Geographic Coverage: EU and international shipping capabilities

Communication Services

  • Email Services: Professional email delivery for transactional and marketing communications
  • Customer Support: Help desk and communication tools for customer service
  • Notification Systems: Order updates, shipping notifications, and account alerts

Analytics & Marketing (with consent)

  • Website Analytics: Usage analysis and performance monitoring tools
  • Marketing Platforms: Email marketing and customer relationship management
  • Advertising Networks: Targeted advertising and remarketing services

⚠️ Data Sharing Principles

• We only share data necessary for specific service delivery

• All partners are contractually bound to GDPR compliance

• International transfers include appropriate safeguards

• You can object to non-essential data sharing

• Regular audits ensure ongoing compliance

🌍 6. International Data Transfers

Transfers Outside the European Union

When necessary for service delivery, we may transfer personal data outside the EU with appropriate safeguards:

Protection Mechanisms

  • Standard Contractual Clauses (SCCs): EU-approved contractual terms ensuring data protection
  • Adequacy Decisions: Transfers to countries recognized as providing adequate protection
  • Technical Safeguards: Encryption, access controls, and data minimization
  • Additional Guarantees: Extra contractual and technical protections where needed

Primary EU Operations

  • Core Infrastructure: All primary systems hosted within Germany/EU
  • Customer Data: Personal information stored and processed in EU
  • Business Operations: Management and administration within EU jurisdiction

Your Rights Regarding Transfers

  • Right to information about transfer safeguards
  • Right to obtain copies of protection measures
  • Right to object to specific transfers
  • Right to withdraw consent where applicable

⏰ 7. Data Retention Periods

| Data Category | Retention Period | Legal Basis for Retention |
|---|---|---|
| Order and invoice data | 10 years | German tax and commercial law (AO, HGB) |
| Customer account data | Until account deletion or 3 years after last activity | Contract performance and customer service |
| Marketing consent and preferences | Until withdrawn or 3 years of inactivity | Consent management and compliance |
| Website analytics data | 26 months maximum | Consent-based processing |
| Security and access logs | 12 months | Legitimate interest in security |
| Support communications | 3 years after case closure | Legitimate interest and service quality |
| Payment transaction records | 7 years | Legal obligations (AML, tax law) |
| Cookie consent records | 12 months after withdrawal | Legal compliance and audit trail |
| Backup data | 30 days (rolling backups) | Legitimate interest in data recovery |
| Product reviews and ratings | Until deletion request or account closure | Legitimate interest in service quality |

Automated Data Management

  • Scheduled Deletion: Automated systems remove data when retention periods expire
  • Data Minimization: Regular review and removal of unnecessary data
  • Backup Management: Automatic cleanup of old backup files
  • Consent Tracking: Automated monitoring of consent withdrawal and expiration

Manual Data Deletion Requests

  • Account Deletion: Complete removal of customer account and associated data
  • Selective Deletion: Removal of specific data categories upon request
  • Right to be Forgotten: Comprehensive data erasure where legally permissible
  • Processing Time: Deletion requests processed within 30 days

⚠️ Legal Retention Requirements

Some data must be retained for legal compliance and cannot be deleted before the mandatory retention period expires. This includes tax records, commercial documents, and certain transaction logs required by German and EU law.

✊ 8. Your GDPR Rights

Your Fundamental Rights Under GDPR

  • Right of Access (Art. 15): Request comprehensive information about your personal data and how we process it
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data
  • Right to Erasure (Art. 17): Request deletion of your data (“right to be forgotten”)
  • Right to Restrict Processing (Art. 18): Limit how we use your data in certain circumstances
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to Object (Art. 21): Object to processing based on legitimate interests or direct marketing
  • Right to Withdraw Consent: Withdraw consent for processing based on consent at any time
  • Right Regarding Automated Decision-Making (Art. 22): Object to purely automated decisions with legal effects

How to Exercise Your Rights

Online Self-Service Options

  • Account Dashboard: Access, update, and download your personal data
  • Privacy Settings: Manage consent preferences and data processing options
  • Communication Preferences: Control marketing communications and notifications
  • Cookie Management: Adjust cookie settings and tracking preferences

Direct Contact for Complex Requests

  • Email: privacy@carnivalstore.de
  • Subject: “GDPR Rights Request – [specify your request]”
  • Include: Your name, registered email address, and detailed request description
  • Verification: We may request additional information to verify your identity for security purposes

Response Timeframes

  • Standard Requests: Response within one month of receiving your request
  • Complex or Multiple Requests: May be extended by two additional months with prior notification
  • Data Portability: Data export typically available within 48 hours
  • Urgent Security Issues: Immediate response for security-related concerns

Automated Rights Management Tools

  • Data Export Tool: Generate comprehensive reports of your personal data
  • Account Deletion: Self-service complete account and data removal
  • Consent Manager: Real-time consent withdrawal and preference updates
  • Communication Controls: Instant unsubscribe and preference management

No Cost for Rights Requests

Exercising your GDPR rights is free of charge. We may only charge a reasonable fee if requests are manifestly unfounded, excessive, or repetitive.

🍪 9. Cookies and Tracking

Cookie Management and Consent

We use a professional cookie consent management system to comply with GDPR and German TTDSG (Telecommunications-Telemedia Data Protection Act). You have full control over your cookie preferences.

| Cookie Category | Purpose | Duration | Legal Basis | Consent Required |
|---|---|---|---|---|
| Essential Cookies | Website functionality, security, shopping cart, user authentication | Session to 1 year | Legitimate interest | ❌ No |
| Performance Cookies | Website speed optimization, caching, technical performance | 24 hours to 7 days | Legitimate interest | ❌ No |
| Analytics Cookies | Website usage analysis, user behavior tracking, improvement insights | 26 months maximum | Consent | ✅ Yes |
| Marketing Cookies | Targeted advertising, remarketing, personalized content delivery | 12 months maximum | Consent | ✅ Yes |
| Functional Cookies | Language preferences, currency settings, personalization | 30 days to 1 year | Legitimate interest | ❌ No |

Essential Cookies We Use

E-Commerce Functionality

  • Shopping Cart: Maintains cart contents during your session
  • User Sessions: Manages your login status and account access
  • Security: Protects against fraud and unauthorized access
  • Form Data: Remembers information during checkout process

Website Performance

  • Caching: Improves page loading speed and performance
  • Load Balancing: Distributes traffic for optimal performance
  • Error Tracking: Identifies and resolves technical issues

Optional Tracking (Requires Consent)

Analytics and Insights

  • Usage Analytics: Understanding how visitors use our website
  • Performance Monitoring: Tracking website speed and functionality
  • User Journey Analysis: Improving user experience and navigation

Marketing and Personalization

  • Targeted Advertising: Showing relevant ads based on interests
  • Remarketing: Re-engaging visitors with personalized content
  • Conversion Tracking: Measuring effectiveness of marketing campaigns

Managing Your Cookie Preferences

  • Cookie Banner: Initial consent collection with detailed options
  • Preference Center: Granular control over cookie categories
  • Easy Withdrawal: Change or withdraw consent at any time
  • Browser Controls: Additional control through browser settings

Third-Party Cookies

With your consent, we may allow third-party services to set cookies for:

  • Payment Processing: Secure transaction handling
  • Social Media Integration: Social sharing and engagement features
  • Customer Support: Live chat and help desk functionality
  • Content Delivery: Optimized content and media delivery

🔒 10. Security Measures

Technical Security Measures

  • Data Encryption: SSL/TLS encryption for all data transmission and storage
  • Access Controls: Multi-factor authentication and role-based access systems
  • Security Monitoring: 24/7 threat detection and automated response systems
  • Regular Updates: Automated security patches and system updates
  • Backup Security: Encrypted, geographically distributed backup systems
  • Network Security: Firewall protection and intrusion prevention systems

Organizational Security Measures

  • Staff Training: Regular security awareness and data protection training
  • Access Management: Strict control over who can access personal data
  • Data Processing Agreements: Comprehensive contracts with all service providers
  • Security Audits: Regular internal and external security assessments
  • Incident Response: Documented procedures for security incidents and data breaches
  • Privacy by Design: Data protection considerations built into all systems

Data Protection Measures

  • Data Minimization: Collecting only necessary personal data
  • Purpose Limitation: Using data only for specified, legitimate purposes
  • Storage Limitation: Automatic deletion when retention periods expire
  • Pseudonymization: Replacing identifying information where possible
  • Access Logging: Detailed logs of all data access and modifications

Payment Security

  • PCI DSS Compliance: Meeting highest payment card industry standards
  • Tokenization: Credit card data replaced with secure tokens
  • No Storage: Payment details never stored on our servers
  • Fraud Detection: Real-time transaction monitoring and risk assessment
  • Secure Gateways: Certified payment processors with bank-level security

Infrastructure Security

  • German Data Centers: Secure facilities with physical access controls
  • Redundancy: Multiple backup systems and failover protection
  • Monitoring: Continuous system health and security monitoring
  • Compliance: Meeting EU and German security standards

Data Breach Response

In the unlikely event of a data breach affecting your personal data:

• We will notify the relevant supervisory authority within 72 hours

• Affected individuals will be informed without undue delay when required

• Immediate containment and remediation measures will be implemented

• Clear information about the incident and protective measures will be provided

👶 11. Children’s Privacy

Age Restrictions and Protection

Our services are designed for adults and are not directed to children under 16 years of age (the minimum age for digital consent under GDPR). We are committed to protecting children’s privacy and do not knowingly collect personal data from minors without appropriate consent.

Parental Consent Requirements

  • Under 16: Explicit parental or guardian consent required for any data processing
  • Verification: Age verification mechanisms implemented during registration
  • Restricted Access: Certain features and communications restricted for younger users
  • Enhanced Protection: Additional safeguards for any data involving minors

If We Discover Underage Data Collection

If we become aware that we have collected personal data from a child under 16 without appropriate consent:

  • Immediate suspension of data processing
  • Prompt deletion of collected information
  • Notification to parents or guardians where possible
  • Review and strengthening of age verification measures

Parental Rights and Controls

Parents and guardians have enhanced rights regarding their child’s data:

  • Access Rights: Review all personal information collected about their child
  • Deletion Rights: Request immediate deletion of their child’s data
  • Objection Rights: Stop any further collection or processing
  • Portability Rights: Receive their child’s data in a portable format
  • Rectification Rights: Correct any inaccurate information

Reporting and Contact

If you believe we have inadvertently collected information from a child under 16, or if you are a parent/guardian seeking to exercise rights regarding your child’s data, please contact us immediately:

  • Email: privacy@carnivalstore.de
  • Subject: “Child Privacy Concern”
  • Priority: Highest priority response within 24 hours

🤖 12. Profiling and Automated Decision-Making

Limited Automated Processing

We use automated processing for specific, limited purposes to improve your experience and ensure service quality. All automated decisions are designed to benefit you and comply with GDPR requirements.

E-Commerce Automation

  • Order Processing: Automated order confirmation, payment verification, and fulfillment initiation
  • Inventory Management: Real-time stock updates and availability notifications
  • Pricing: Currency conversion and regional pricing adjustments
  • Shipping: Automated shipping cost calculation and carrier selection
  • Customer Communications: Automated order confirmations and delivery notifications

Security and Fraud Prevention

  • Risk Assessment: Automated screening for potentially fraudulent transactions
  • Security Monitoring: Automated detection of suspicious login attempts or activities
  • Spam Prevention: Automated filtering of spam and malicious content
  • Account Protection: Automated security measures for account safety

Personalization and Recommendations (with consent)

  • Product Suggestions: Recommendations based on browsing and purchase history
  • Content Personalization: Customized website experience based on preferences
  • Marketing Targeting: Personalized promotional content and offers
  • User Experience: Interface optimization based on usage patterns

Profiling Activities

We engage in limited profiling for legitimate business purposes:

  • Purchase Behavior: Analysis of buying patterns to improve product offerings
  • Geographic Preferences: Location-based customization of content and services
  • Usage Analytics: Understanding how customers interact with our website
  • Customer Segmentation: Grouping customers for improved service delivery

No Solely Automated Legal Decisions

We do not make decisions based solely on automated processing that produce legal effects or significantly affect you, including:

  • Credit assessments or financial evaluations
  • Employment or contractor decisions
  • Insurance coverage determinations
  • Legal proceedings or contract modifications
  • Account termination or service suspension

Your Rights Regarding Automated Processing

  • Right to Human Intervention: Request human review of automated decisions
  • Right to Explanation: Understand the logic and significance of automated processing
  • Right to Challenge: Contest the outcome of automated decisions
  • Right to Opt-Out: Object to automated decision-making processes
  • Right to Express Views: Provide input on automated decisions affecting you

🔄 13. Right of Withdrawal

Withdrawal of Consent

Where we process your personal data based on your consent, you have the absolute right to withdraw that consent at any time. Withdrawal is always free and does not affect the lawfulness of processing conducted before withdrawal.

Easy Withdrawal Methods

Marketing Communications

  • Unsubscribe Links: One-click unsubscribe in every marketing email
  • Account Preferences: Update all communication preferences in your account dashboard
  • Email Preferences: Granular control over different types of communications
  • Customer Service: Contact support for immediate processing of withdrawal requests

Cookie and Tracking Consent

  • Cookie Banner: Modify preferences through the website cookie consent banner
  • Privacy Settings: Dedicated cookie management page with detailed controls
  • Browser Settings: Use browser privacy controls to block cookies
  • Global Opt-Out: Single click to disable all non-essential tracking

Analytics and Profiling

  • Analytics Opt-Out: Disable website analytics and behavior tracking
  • Personalization Controls: Turn off personalized content and recommendations
  • Advertising Opt-Out: Stop personalized advertising and remarketing
  • Data Processing: Limit automated profiling and decision-making

Effect of Withdrawal

When you withdraw consent, we will:

  • Immediate Action: Stop the specific processing based on withdrawn consent
  • System Updates: Update all relevant systems and databases
  • Third-Party Notification: Inform relevant service providers of your withdrawal
  • Audit Trail: Maintain records of consent withdrawal for compliance purposes
  • Ongoing Respect: Ensure withdrawn consent is permanently respected

Services That Continue

Withdrawal of consent does not affect processing that is:

  • Contractually Necessary: Essential for providing services you’ve purchased
  • Legally Required: Mandated by law (tax records, transaction logs)
  • Legitimate Interests: Based on overriding legitimate interests (security, fraud prevention)
  • Public Interest: Required for public health, safety, or legal compliance

No Negative Consequences

Withdrawing consent will never result in:

  • Penalties or charges for withdrawal
  • Worse service quality or treatment
  • Loss of access to purchased products or services
  • Discrimination or negative treatment

⚠️ Service Limitations

Withdrawing consent for certain processing may limit some website features or personalization options. We will always inform you of any limitations before you confirm withdrawal of consent.

⚖️ 14. Right to Lodge a Complaint

Your Right to File Complaints

You have the fundamental right to lodge a complaint with a data protection supervisory authority if you believe we have violated your data protection rights. This right is free of charge and does not require legal representation.

German Data Protection Authorities

Federal Level Authority

The Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Graurheindorfer Straße 153
53117 Bonn, Germany
Phone: +49 228 997799-0
Email: poststelle@bfdi.bund.de
Website: www.bfdi.bund.de

State Level Authority (North Rhine-Westphalia)

State Commissioner for Data Protection and Freedom of Information NRW
Kavalleriestraße 2-4
40213 Düsseldorf, Germany
Phone: +49 211 38424-0
Email: poststelle@ldi.nrw.de
Website: www.ldi.nrw.de
Online Complaint Form: Available on their website

European Data Protection Authorities

If you are located in another EU Member State, you can contact your local data protection authority. A complete directory is available at:

European Data Protection Board: https://edpb.europa.eu/about-edpb/about-edpb/members_en

Before Filing a Complaint

We encourage you to contact us directly first to resolve any data protection concerns quickly and efficiently:

  • Email: privacy@carnivalstore.de
  • Subject: “Data Protection Complaint”
  • Response Time: We aim to resolve complaints within 30 days
  • Escalation: Complex issues may be escalated to management

Information for Your Complaint

When filing a complaint with a supervisory authority, include:

  • Detailed Description: Clear explanation of the alleged data protection violation
  • Direct Contact Evidence: Documentation of any attempts to resolve the issue with us
  • Supporting Documents: Relevant emails, screenshots, or correspondence
  • Personal Information: Your contact details and preferred communication method
  • Desired Outcome: What resolution you are seeking
  • Timeline: When the alleged violation occurred

Investigation Process

When you file a complaint:

  • Acknowledgment: The authority will confirm receipt of your complaint
  • Assessment: Initial review to determine if the complaint is within their jurisdiction
  • Investigation: Formal investigation if the complaint is admissible
  • Our Response: We will cooperate fully with any official investigation
  • Resolution: You will be informed of the outcome and any corrective measures
  • Appeal Rights: Right to appeal decisions through administrative or judicial channels

International Complaints

For cross-border data protection issues involving multiple EU countries:

  • Lead Authority: Usually the authority in the country where the main establishment is located
  • Cooperation: Authorities work together through the consistency mechanism
  • One-Stop-Shop: Single point of contact for multinational complaints

🔄 15. Changes to This Policy

Policy Updates and Revisions

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, technology, or business operations. We are committed to maintaining transparency about any changes that affect your privacy rights.

Types of Changes

Minor Administrative Changes

  • Contact Information: Updates to email addresses, phone numbers, or office locations
  • Clarifications: Language improvements for better understanding
  • Technical Updates: Minor technical corrections or formatting improvements
  • Link Updates: Changes to external links or references

Significant Changes

  • New Processing Purposes: Additional reasons for collecting or using personal data
  • Data Sharing: New third-party partners or service providers
  • International Transfers: Changes to cross-border data transfer arrangements
  • Retention Periods: Modifications to how long we keep personal data
  • Your Rights: Changes affecting how you can exercise your privacy rights

Major Changes Requiring New Consent

  • Fundamental Purpose Changes: Completely new uses of personal data
  • New Sensitive Data: Collection of special categories of personal data
  • Automated Decision-Making: Introduction of new automated processing with legal effects
  • Expanded Profiling: Significant expansion of profiling activities

How We Notify You

For Minor Changes

  • Updated policy posted on our website
  • Revision date updated in the policy header
  • Brief notice in website footer or account dashboard

For Significant Changes

  • Email Notification: Direct email to all registered customers
  • Website Notice: Prominent banner on our website for 30 days
  • Account Dashboard: Notification in your customer account
  • Social Media: Announcements on our official social media channels

For Major Changes Requiring Consent

  • Active Consent Request: Pop-up or dedicated page requiring explicit consent
  • Detailed Explanation: Clear description of what’s changing and why
  • Opt-Out Options: Clear choices to decline new processing
  • Service Impact: Explanation of how declining affects your access to services

Version Control and History

  • Version Numbers: Each policy revision receives a unique version number
  • Change Log: Detailed record of what changed in each version
  • Previous Versions: Historical versions available upon request
  • Effective Dates: Clear dating of when each version takes effect

Your Response Options

When we notify you of changes, you can:

  • Accept Changes: Continue using our services under the new terms
  • Request Clarification: Contact us for explanation of specific changes
  • Exercise Rights: Update your preferences or withdraw consent
  • Object to Changes: Opt out of new processing activities where legally possible
  • Close Account: Request account deletion if you disagree with fundamental changes

⚠️ Continued Protection

Regardless of policy updates, your fundamental privacy rights under GDPR remain unchanged. You always retain the right to access, rectify, erase, restrict, port, and object to the processing of your personal data.

🗑️ 16. Account & Data Deletion (How to request)

If you wish to delete your customer account and the personal data stored with it, please send us a request by email. At the moment, account deletion is performed by an administrator.

How to request deletion

  • Email: privacy@carnivalstore.de
  • Subject: “Account Deletion Request”
  • Please include: your full name, the email address used for your account, and (optionally) recent order numbers to help us verify your identity.

What happens next

  • We verify your identity and confirm your request.
  • Your account and personal data will be erased within 30 days.
  • Newsletter/marketing consents are revoked immediately.

Legal retention

Certain records (e.g. invoices, tax/accounting data) must be retained for statutory periods under German law (AO/HGB). These are stored separately and only for legal obligations; all other personal data will be erased.

You can also contact us via our general address info@carnivalstore.de. For faster processing, please use privacy@carnivalstore.de.

📞 17. Contact Information

Data Protection Inquiries: privacy@carnivalstore.de

General Customer Service: info@carnivalstore.de

Technical Support: support@carnivalstore.de

Business Address: Untere Wiesenstraße 1, 32120 Hiddenhausen, Germany

Phone: +49 176 4717 8423

Business Hours: Monday – Friday, 9:00 AM – 5:00 PM CET

Response Time: Data protection inquiries answered within 72 hours