Privacy Policy
1. Controller
Max Welhöner, Paul-Lincke-Ufer 33, 10999 Berlin, Germany
Email: mail@maxwel.xyz
No Data Protection Officer is required (sole proprietor below the threshold of § 38 BDSG).
2. What data is processed
2.1 Website visits
Reach is measured with Umami, a privacy-friendly analytics tool running on the provider's own server infrastructure. It collects anonymised accesses, pages viewed, referring websites, device type, and screen size. No cookies are set and no IP addresses are stored.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in secure and statistically meaningful operation of the site).
2.2 Orders
For shop orders, the following is processed: name, billing and shipping address, email, order contents and — depending on the product — the details required for production. Payment data (card, bank account) goes directly to the payment provider (see 3.2); the provider never receives it.
Legal basis: Art. 6 (1) (b) GDPR (purchase contract) and (c) (tax retention).
3. Recipients of the data
3.1 Hosting and email
- Hetzner Online GmbH (Gunzenhausen, Germany) — servers and hosting in German data centers
- IONOS SE (Montabaur, Germany) — cloud services and server infrastructure
Data processing agreements pursuant to Art. 28 GDPR are in place with both providers. Email dispatch (transactional and support communication) runs on the provider's own mail server within this infrastructure — no external SMTP provider is used.
3.2 Payment processing
Payments are processed by Stripe Payments Europe, Ltd. (Dublin, Ireland). Stripe offers cards, SEPA, iDEAL, PayPal, Klarna, Apple Pay, and Google Pay as payment methods. Stripe processes payment data as an independent controller for fraud prevention and card-network compliance. Stripe Tax is used to calculate VAT per delivery country; billing and shipping address are transmitted to Stripe for that purpose. Details: stripe.com/privacy.
3.3 Fulfillment partners (on-demand production)
Most products are manufactured only after the order and shipped directly to the customer by specialised providers. Depending on the product, name, shipping address, order contents and — for photo products — uploaded images are transmitted to one of the following partners:
- Shirtee Cloud GmbH (Cologne, Germany) — apparel
- Posterflow GmbH (Germany) — posters and wall art
- CDClick Srl (Italy) — CDs, DVDs, vinyl
- theprintspace Ltd. (London, United Kingdom) — fine art prints
Legal basis: Art. 6 (1) (b) GDPR (contract performance). Transfer to the United Kingdom is covered by the EU adequacy decision (Art. 45 GDPR).
4. Retention periods
- Technical logs: 7 days
- Email communication: 3 years from last contact
- Invoice and order data: 10 years (§ 147 AO — German tax law)
5. Cookies and local storage
The provider does not set cookies where possible and generally limits itself to technically necessary cookies (e.g. cart, authentication, language). These are required for the function requested by the user and are set without separate consent.
Where cookies or comparable technologies beyond the technically necessary are used, they are only activated after consent has been given via a cookie banner (§ 25 TTDSG in conjunction with Art. 6 (1) (a) GDPR). The banner discloses purpose, services involved, and storage duration; consent can be withdrawn at any time with effect for the future.
Third-party tracking, advertising, or profiling services — in particular ad networks, cross-site pixels, and behaviour-based analytics involving personal data — are not used.
Navigation behaviour and preferences may additionally be stored in the browser's local storage; that data never leaves the browser.
6. Data subject rights
Data subjects have the following rights:
- Access to the data stored about them (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure, as long as no retention obligation applies (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability in a commonly used format (Art. 20 GDPR)
- Objection to processing for reasons arising from the particular situation (Art. 21 GDPR)
Requests can be sent by email to mail@maxwel.xyz. Processing usually takes place within 30 days.
7. Right to lodge a complaint
Data subjects may lodge a complaint with a data protection supervisory authority at any time. The authority competent here is:
Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstr. 219, 10969 Berlin, Germany
datenschutz-berlin.de