Privacy policy
Unless stated otherwise below, the provision of your personal data is neither legally nor contractually required, nor necessary for the conclusion of a contract. You are not obliged to provide the data. Non-provision has no consequences. This only applies insofar as no other indication is given in the processing operations below. "Personal data" is all information relating to an identified or identifiable natural person.
Server Log Files
You can visit our website without providing any personal information. Each time our website is accessed, usage data is transmitted to us or our web host/IT service provider by your internet browser and stored in log data (server log files). The data stored includes the name of the page accessed, date and time of access, IP address, data volume transferred and the requesting provider. Processing is based on Art. 6(1)(f) GDPR based on our legitimate interest in ensuring smooth operation of our website and improving our services. Your data may be transferred to third countries outside the EU, in particular to Canada and the USA. Shopify is not certified under the TADPF; this data transfer is based on contractual obligations comparable to the EU Commission's standard contractual clauses.
Contact
Controller
Please contact us if desired. The controller for data processing is: c/o IP-Management #2269, Ludwig-Erhard-Straße 18, 20459 Hamburg, Germany, +49 152 19332777, info@kratoein.com
VAT identification number pursuant to § 27a German VAT Act: DE452165256
Customer-initiated contact by email
If you proactively contact us by email, we collect your personal data (name, email address, message text) only to the extent provided by you. Processing serves to handle and respond to your enquiry. Where contact is made for pre-contractual measures or concerns an existing contract, processing is based on Art. 6(1)(b) GDPR. Otherwise, processing is based on Art. 6(1)(f) GDPR. In the latter case, you have the right to object to this processing at any time based on your particular situation. Your email address is used solely to process your enquiry. Your data is then deleted in compliance with statutory retention periods.
Customer Account / Orders
Customer account
When creating a customer account, we collect your personal data to the extent stated therein. Processing serves to improve your shopping experience and simplify order processing, based on Art. 6(1)(a) GDPR with your consent. You may withdraw your consent at any time, after which your account will be deleted.
Collection, processing and transfer of personal data for orders
When ordering, we collect and process your personal data only to the extent necessary for fulfilment and processing of your order. Processing is based on Art. 6(1)(b) GDPR. Data may be transferred to shipping companies, payment service providers and IT service providers. Data transfers are limited to the minimum necessary. Your data may be transferred to third countries outside the EU, in particular Canada and the USA. Shopify is not certified under the TADPF; this data transfer is based on the EU Commission's standard contractual clauses.
Payment Service Providers
Payment processing via Card2Crypto
If you choose to pay via our external payment service provider Card2Crypto, the data required for payment processing (e.g. order amount, currency, email address, payment ID) will be transmitted to Card2Crypto in encrypted form. Processing is carried out solely for the purpose of payment processing and fraud prevention. We do not receive sensitive payment information such as credit card numbers or bank details – only confirmation of whether the payment was successful. Further information: https://card2crypto.org/privacy
Payment processing via BTCPay Server (cryptocurrencies)
If you choose to pay with cryptocurrency, payment processing is handled via our self-operated BTCPay Server (btcpay.kratoein.com, Hostinger VPS, EU data centre). BTCPay Server is open-source software; no external payment service provider is involved. The data required for payment processing (invoice amount, order reference, payment status) is processed exclusively on our own server and is not shared with third parties. Cryptocurrency transactions are technically irreversible once sent; transaction data (wallet address, amount, timestamp) is publicly stored on the blockchain. For Monero (XMR), transaction details are not publicly visible by default due to privacy-by-default mechanisms. We receive only confirmation of payment receipt. Processing is based on Art. 6(1)(b) GDPR for contract performance. Further information: https://btcpayserver.org/privacy-policy
Cookies
Our website uses cookies. You have full control over the use of cookies via your browser settings. You may prevent the storage of cookies at any time. Note that in this case you may not be able to use all features of this website.
Cookie management help: Chrome · Firefox · Safari · Microsoft Edge
Technically necessary cookies
We use technically necessary cookies to make our service more user-friendly, effective and secure, based on § 25(2) TDDDG and Art. 6(1)(f) GDPR. You have the right to object to this processing at any time based on your particular situation.
Shopify Consent Tool (Shopify Privacy & Compliance)
We use the consent tool "Shopify Privacy & Compliance" of Shopify International Ltd. (Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland; "Shopify") to manage consent. Data may be transferred to Canada and the USA. Shopify is not certified under the TADPF; transfers are based on standard contractual clauses. Processing is based on Art. 6(1)(c) GDPR. Further information: https://www.shopify.com/legal/privacy
Analytics / Advertising Tracking
Google Analytics 4
We use Google Analytics 4 of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; "Google") for website analysis and marketing purposes. Your IP address is shortened on our servers before transmission to Google. We also use Google Signals for cross-device tracking (only where personalised advertising is enabled in your Google account). Google is certified under the TADPF. Use is based on your consent pursuant to § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR, which you may withdraw at any time. Further information: https://policies.google.com/privacy
Shopify Analytics
We use the analytics functions of Shopify International Ltd. as part of an order processing agreement. Shopify is not certified under the TADPF; transfers are based on standard contractual clauses. Use is based on your consent pursuant to § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR. Further information: https://www.shopify.com/legal/privacy
Google Ads Conversion Tracking
We use Google Ads and conversion tracking of Google Ireland Limited. A conversion cookie is placed on your device when you click on a Google ad. Google is certified under the TADPF. Use is based on your consent pursuant to § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR. Further information: https://www.google.com/policies/privacy/
Pinterest Tag
We use the Pinterest Tag of Pinterest Europe Limited (Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland) for targeted advertising on Pinterest. Data may be transferred to the USA; Pinterest is not certified under the TADPF; transfers are based on standard contractual clauses. Use is based on your consent pursuant to § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR. Further information: https://policy.pinterest.com/en/privacy-policy
TikTok Pixel
We use the TikTok Pixel of TikTok Technology Limited and TikTok Information Technologies UK Limited for website analysis and targeted advertising on TikTok. TikTok is not certified under the TADPF; transfers are based on standard contractual clauses. Use is based on your consent pursuant to § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR. Further information: https://www.tiktok.com/legal/page/eea/privacy-policy/en
Plug-ins and Miscellaneous
Google Tag Manager
We use Google Tag Manager of Google Ireland Limited to manage JavaScript and HTML tags. The Google Tag Manager itself does not store cookies or process personal data. Further information: https://www.google.com/intl/en/tagmanager/use-policy.html
Google reCAPTCHA / Invisible reCAPTCHA
We use reCAPTCHA and Invisible reCAPTCHA of Google Ireland Limited to distinguish human input from automated processing. Google is certified under the TADPF. Use is based on your consent pursuant to § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR. Further information: https://www.google.com/recaptcha/intro/android.html
Cloudflare
We use the Cloudflare CDN of Cloudflare Inc. (101 Townsend St, San Francisco, CA 94107, USA) to optimise page loading times. Cloudflare is certified under the TADPF. Processing is based on Art. 6(1)(f) GDPR. You have the right to object to this processing at any time. Further information: https://www.cloudflare.com/privacypolicy/
Google Fonts
We use Google Fonts of Google Ireland Limited for uniform font display. A connection to Google servers is established when the page is loaded. Google is certified under the TADPF. Use is based on your consent pursuant to § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR. Further information: https://www.google.com/policies/
Adobe Fonts
We use Adobe Fonts of Adobe Systems Software Ireland Limited (4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland). Data may be transferred to the USA and India. Adobe is certified under the TADPF. Use is based on your consent pursuant to § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR. Further information: https://www.adobe.com/privacy/policy.html
Google Maps
We use Google Maps of Google Ireland Limited for visual display of geographic information. Google is certified under the TADPF. Use is based on your consent pursuant to § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR. Further information: https://www.google.com/privacypolicy.html
Algolia
We use the search function of Algolia SAS (55 Rue d'Amsterdam, 75008 Paris, France). Data may be transferred to the USA; Algolia is not certified under the TADPF; transfers are based on standard contractual clauses. Data is stored on Algolia's servers for 90 days. Use is based on your consent pursuant to § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR. Further information: https://www.algolia.com/policies/privacy/
Pushly
We use the Pushly plug-in of WebLab GmbH (Großbeerenstraße 169-171, 12277 Berlin; "Pushly") to convert our online shop into an app. The following data is transmitted to Pushly: name, email, customer ID, order number, payment method, billing and delivery address. No further disclosure to third parties takes place. Processing is based on Art. 6(1)(f) GDPR. You have the right to object to this processing at any time. Further information: https://www.pushly.de/datenschutz
Data Subject Rights and Retention Periods
Retention period
After complete contract processing, data is initially stored for the duration of the warranty period, then in compliance with statutory – in particular tax and commercial – retention periods, and then deleted after the period has expired, unless you have consented to further processing and use.
Rights of the data subject
Subject to the legal requirements, you have the following rights under Arts. 15–20 GDPR: right to access, rectification, erasure, restriction of processing, and data portability. You also have the right to object under Art. 21(1) GDPR to processing based on Art. 6(1)(f) GDPR and to processing for direct marketing purposes.
Right to lodge a complaint with a supervisory authority
Under Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Postfach 20 04 44, 40102 Düsseldorf, Germany
Tel.: +49 211 38424-0 · Email: poststelle@ldi.nrw.de
Right to object
Where personal data processing listed here is based on our legitimate interest under Art. 6(1)(f) GDPR, you have the right to object to such processing at any time with effect for the future based on grounds arising from your particular situation. After an objection, the processing of the affected data will cease unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms.
Last updated: 20.04.2026