PRIVACY POLICY
1. Scope of this notice
This policy explains how we process personal data when you:
- visit our website/shop,
- create an account, place orders, request customizations (e.g., photo-based cameo bas-relief),
- contact us (email, phone, forms), subscribe to newsletters, leave reviews, or interact with our social accounts,
- receive order updates or after-sales support.
We provide the information required by Arts. 12–14 GDPR in a clear, structured way.
2. Categories of data we process
Depending on how you interact with us:
- Master & contact data: name, billing/shipping address, email, phone.
- Order & payment data: items, totals, order IDs, chosen payment method (actual payment data is processed by our payment providers), invoice details.
- Customization content: images/photos (typically of pets), cameo references, engraving text, design notes, color/material choices. Please avoid uploading images containing third-party persons; if present, ensure you have their consent/rights.
- Account & communication data: login ID, hashed password, preferences, tickets/messages.
- Device & usage data (website): IP address, timestamps, HTTP headers, error logs; cookies/SDKs only as permitted under German law (see §10).
- Marketing preferences: newsletter opt-in/opt-out, objection to direct marketing (Art. 21 GDPR).
3. Sources
Primarily you provide data (checkout, uploads, forms). We may receive limited data from:
- Payment services (e.g., transaction status) and carriers (delivery status),
- Anti-fraud/security tools (signals about risky orders),
- Public sources where you tag us or leave public reviews.
4. Purposes & legal bases
We process data only when a lawful basis applies (Art. 6 GDPR). Below is a summary of typical purposes:
| Purpose | Examples | Legal basis |
|---|---|---|
| Contract & pre-contract steps | Account, cart, checkout, shipping, returns, warranties | Art. 6(1)(b) GDPR |
| Customization work | Creating the cameo/engraving from your uploads; proof/approval flow | Art. 6(1)(b) GDPR; your supplied content is necessary to perform the contract |
| Customer service | Answering emails, order status, complaints | Art. 6(1)(b) and (f) (legitimate interest in service quality) |
| Compliance & bookkeeping | Invoices, tax/audit retention | Art. 6(1)(c) GDPR; German retention duties (HGB §257 / AO §147) |
| Security & fraud prevention | Abuse/attack detection, log files | Art. 6(1)(f) GDPR (IT/security) |
| Marketing (with consent) | Email newsletter; non-essential cookies | Art. 6(1)(a); right to withdraw anytime |
| Direct marketing to existing customers | Similar products via email (where permitted) | Art. 6(1)(f) GDPR + right to object anytime (Art. 21(2)–(3)) |
Reference: GDPR lawful bases & right to object to direct marketing.
5. Minors
Our shop is not directed to children. For information-society services, Germany applies age 16 for consent; if you are under 16, we require parental authorization when consent is the legal basis.
6. Recipients & processors
We share data only as needed, under contracts that meet Art. 28 GDPR for processors, with confidentiality, security, and deletion/return obligations:
- Hosting/CDN & IT providers: [host/CDN]; [platform/CMS].
- Payment services: [PayPal], [Shopify Payments/Stripe] (they act as independent controllers for payment data; see their privacy policies).
- Carriers/fulfilment: [DHL/Deutsche Post/DPD/UPS] to deliver your order and manage returns.
- Email/SMS tools, customer support systems, consent management platform (CMP), analytics/measurement (only with prior consent for non-essential cookies).
Where we use sub-processors, equivalent protections apply.
7. International transfers
If providers are located outside the EEA, transfers occur only with appropriate safeguards:
- Adequacy decisions, including the EU–U.S. Data Privacy Framework (DPF) (Commission Decision (EU) 2023/1795, upheld by the EU General Court on 3 Sep 2025 in T-553/23 Latombe v Commission); or
- Standard Contractual Clauses (SCCs) (Commission Decision (EU) 2021/914), plus any required supplementary measures.
8. Retention
We keep personal data only as long as needed for the purpose or as required by law:
- Orders & invoices: retained for up to 10 years under German commercial/tax law (HGB §257; AO §147).
- Account data: for the life of the account; we delete/irreversibly pseudonymize after inactivity per our housekeeping schedule.
- Customization files (e.g., photos, working proofs): stored for production and reorders/warranty; by default, we keep them for [e.g., 12 months] after delivery, then delete or anonymize unless legal retention applies.
- Consent logs & CMP signals: retained to demonstrate compliance and until you withdraw or the purpose lapses.
9. Cookies, device storage & consent (Germany)
- We only place non-essential cookies/trackers (e.g., analytics, marketing) after your opt-in per Germany’s TDDDG (formerly TTDSG).
- As of 1 April 2025, Germany’s Consent Management Ordinance (EinwV) enables recognized consent-management services; the BfDI maintains the public register and is the recognition authority. We use a [CMP name] consistent with these rules.
- You can change or withdraw consent at any time via the “Privacy settings” link in the footer.
(Legal background: TDDDG rename in May 2024; EinwV in force Feb 2025 publication, applicable April 2025.)
10. Analytics & marketing
- Analytics (e.g., [GA4/Wix Analytics/etc.]) only with consent; IP masking/pseudonymization where available.
- Email marketing/newsletters only with your consent or as permitted for existing customers; you can unsubscribe anytime and you have an absolute right to object to direct marketing (Art. 21(2)–(3) GDPR).
11. Customization uploads (cameo bas-relief)
- You must hold the necessary rights to the images/text you provide (copyright, portrait/personality rights).
- We process your uploads solely to produce your custom urn, create proofs, and handle potential reorders/warranty.
- Please avoid uploading EXIF/location/face data unless needed; we may strip metadata where practicable.
- With your explicit consent, we may showcase anonymized photos of the finished piece (you can withdraw consent any time).
12. Automated decision-making / profiling
We do not make decisions producing legal effects solely by automated means under Art. 22 GDPR. If we ever offer personalized prices or fraud scoring, we will tell you, explain the logic involved, and provide your rights (incl. to object and to request human review) before such processing occurs.
13. Your rights
You have the following rights under Chapter 3 GDPR: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), object (Art. 21), and the right to withdraw consent at any time. Marketing objections are absolute. We will respond within one month (extendable by two months in complex cases).
How to exercise your rights: Email [privacy@…] or write to [postal address]. For security, we may need to verify identity to protect you and others.
14. Right to lodge a complaint
You may lodge a complaint with a data protection supervisory authority, in particular in your habitual residence, place of work, or where the alleged infringement occurred (Art. 77 GDPR). In Germany there is a federal system (BfDI and 16 Länder authorities). You can find contacts via the BfDI.
15. Security
We implement appropriate technical and organizational measures (TOMs): TLS encryption in transit, access controls and least-privilege, encrypted backups, logging/monitoring, secure development practices, and vetted processors under Art. 28 GDPR (with breach notification duties).
16. Data breaches
If a personal data breach occurs, we assess risk and, where required, notify the supervisory authority without undue delay and, where feasible, within 72 hours (Art. 33 GDPR). If there is high risk to you, we will also notify you without undue delay with information and guidance (Art. 34 GDPR).
17. Social media & external links
If you click external links or our social profiles, their operators control subsequent processing under their policies. Please review their privacy notices before interacting.
18. Legal basis for keeping business records
Commercial and tax laws require us to retain certain accounting/transaction documents for up to 10 years (HGB §257; AO §147). During these periods, deletion may be restricted.
19. Changes to this policy
We may update this notice to reflect changes in law or our services (e.g., new processors, features). Substantive changes will be highlighted on this page and, where appropriate, communicated by email or in-account message.
Cookie & Tracking Summary (Germany)
Controller: Mikimo (email: mikimodesignstudio1@gmail.com)
CMP: [name/version] recognized under the EinwV; your consent is stored and can be withdrawn any time via “Privacy settings.”
Essential cookies (strictly necessary) run without consent to provide the site, security, and checkout.
Non-essential cookies (analytics/marketing) only with opt-in. We disclose provider, purpose, and storage time in the CMP layer, compliant with TDDDG and EinwV.
