Privacy Policy

How we handle your data, in plain terms and the legal detail behind it.

Effective from 1 July 2026 · Version 2.0

This Privacy Policy explains how Fischer & Hasenohr GbR, Brandhorst 3, 24214 Noer, Germany ("Flavio's", "we", "us") processes your personal data when you visit flavios.store, place an order, contact us, or interact with our marketing.

We've tried to keep this readable. The legal terminology required by the EU General Data Protection Regulation (GDPR) is here, but every section starts with what it actually means.

In one paragraph

We collect only the data we need to run a marketplace and serve our customers. We don't sell data, ever. Because the brands on Flavio's are the legal sellers, we pass your order details to the relevant Brand so it can ship to you and issue your invoice — for that order, the Brand is an independent controller of your data. We also share data with payment providers to process payments and with the technical services that make the site work. You have the right to know what we hold, to correct it, and to ask us to delete it.

01. Who is responsible

Data controller for the Platform within the meaning of Art. 4(7) GDPR:

Fischer & Hasenohr GbR
Brandhorst 3, 24214 Noer, Germany
Phone: +49 151 296 671 10
Email: hello@flavios.store

Flavio's operates the marketplace and acts as a commercial agent in the name of the brands that sell through it (the "Brands"). We are the controller for your use of the Platform, your account, payment handling, customer service, and marketing. When you buy a product, the relevant Brand is the seller and becomes an independent controller of the order data it needs to fulfil the sale and meet its own legal obligations (such as issuing your invoice and retaining it for tax purposes). Each Brand's own privacy information governs its processing as a seller.

For a small organisation like ours, no Data Protection Officer is legally required. For any privacy-related question, write to hello@flavios.store; one of the partners will respond personally, and will help you reach the relevant Brand where its processing is concerned.

02. What we collect, and why

We process different types of data depending on what you do on our site. Here's the overview:

Activity Data we process Why Legal basis
Browsing the site IP address, browser type, device, pages visited, referrer, timestamp Make the site work, prevent abuse, basic analytics Art. 6(1)(f) GDPR — legitimate interest
Placing an order Name, billing & shipping address, email, phone (optional), order details, payment data Conclude and process your contract with the Brand, arrange shipping, send confirmations Art. 6(1)(b) GDPR — contract performance
Creating an account Email, password (hashed), order history Faster checkout, order tracking Art. 6(1)(b) GDPR — contract performance
Newsletter signup Email, signup date, opt-in confirmation Send editorial updates and product news Art. 6(1)(a) GDPR — your consent
Customer service Name, email, message content, related order data Answer your question, liaise with the Brand on your behalf Art. 6(1)(b) or (f) GDPR
Marketing & ads Cookies, pseudonymous identifiers, browsing & purchase behaviour Show relevant content; measure campaigns Art. 6(1)(a) GDPR — your consent (cookie banner)

03. Cookies and tracking

When you first visit flavios.store, you'll see a cookie banner. We distinguish between three categories:

Strictly necessary

Without these, the site doesn't work — they handle session state, your shopping basket, login status, and security. These are set automatically; no consent is required (Art. 6(1)(f) GDPR, § 25(2) TTDSG).

Functional

These remember preferences like your language or country. We only set them with your consent.

Analytics & marketing

These help us understand how the site is used and serve relevant ads. We only set them with your consent. Specifically, when consented, we may use:

  • Shopify Analytics — site usage, conversion measurement (operated by Shopify Inc., Canada).
  • Meta Pixel (Facebook/Instagram) — campaign measurement, audience building (operated by Meta Platforms Ireland Ltd., Ireland; data may also be processed by Meta Platforms Inc., USA).
  • Google Ads & Analytics — campaign measurement, audience building (operated by Google Ireland Ltd., Ireland; data may also be processed by Google LLC, USA).
  • Klaviyo — newsletter and customer email analytics (operated by Klaviyo Inc., USA).

You can withdraw your consent at any time by clicking the cookie settings link in the footer of our site. Withdrawal does not affect the lawfulness of processing carried out before.

04. Who receives your data

We share your data only with parties who need it to provide a service to us, or — in the case of the Brand — to sell and ship your order to you. Never for third-party marketing purposes, unless you have separately consented.

Recipient Role Purpose Where
The relevant Brand Seller / independent controller Concluding and fulfilling your contract of sale, shipping, invoicing, statutory retention EU, UK, sometimes other countries depending on the Brand
Shopify Inc. Processor Marketplace hosting, checkout, order management Canada / EU / USA
Shipturtle Processor Routing order data to the correct Brand, payout coordination EU / India
Stripe Payments Europe Ltd. Payment processor Card payment processing and payout splitting to Brands Ireland / EU
PayPal (Europe) S.à r.l. Payment processor PayPal payment processing Luxembourg / EU
Klarna Bank AB Payment processor Klarna payment processing Sweden / EU
Carriers (DHL, DPD, UPS, etc.) Processor (of the Brand) Delivery EU and beyond
Klaviyo Inc. Processor Email delivery and analytics USA
Tax authorities, payment compliance providers Recipient Statutory tax and reporting obligations EU

Where data is transferred outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (Art. 46(2)(c) GDPR) or, where applicable, on adequacy decisions (e.g. the EU–US Data Privacy Framework for certified US providers).

05. How long we keep data

  • Order and invoice data — 10 years, as required by German tax law (§ 147 AO). Note that the Brand, as seller, keeps its own copy under the same obligation.
  • Customer accounts — until you delete the account; inactive accounts may be deleted after 3 years.
  • Newsletter subscriptions — until you unsubscribe; consent records are kept for 3 years afterwards as proof of compliance.
  • Customer service emails — 3 years from last contact, unless related to an open matter.
  • Cookie / tracking data — see the cookie settings for individual retention periods (typically 30 days to 24 months).
  • Server logs — 14 days, unless needed for security investigations.

We delete or anonymise data once the purpose has been fulfilled and no statutory retention period applies.

06. Your rights

Under the GDPR you have the following rights regarding your personal data:

  • Right of access (Art. 15) — to know what data we hold about you.
  • Right to rectification (Art. 16) — to correct inaccurate data.
  • Right to erasure (Art. 17) — to have your data deleted, where no overriding legal obligation requires retention.
  • Right to restrict processing (Art. 18) — to limit how we use your data.
  • Right to data portability (Art. 20) — to receive your data in a machine-readable format and transfer it elsewhere.
  • Right to object (Art. 21) — to processing based on legitimate interest, including for direct marketing.
  • Right to withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, write to hello@flavios.store. We aim to respond within five working days; the legal maximum is one month (Art. 12(3) GDPR). Where a right concerns data the Brand holds as seller, we will forward your request to the relevant Brand and support you.

Right to lodge a complaint

If you believe we have mishandled your data, you can lodge a complaint with a supervisory authority. The competent authority for Schleswig-Holstein is: Unabhängiges Landeszentrum für Datenschutz (ULD), Holstenstraße 98, 24103 Kiel — datenschutzzentrum.de.

07. Newsletter

If you sign up for our newsletter, we use double opt-in: you'll receive a confirmation email with a link, and your subscription is only active once you click it. We log the date, time, and IP of both signup and confirmation as proof of consent.

You can unsubscribe at any time using the link at the bottom of every newsletter email, or by writing to us. After unsubscribing, we keep a record of your previous consent for three years as evidence of compliant processing.

08. Social media

We have profiles on Instagram and similar platforms. When you visit our profile, the platform may set cookies and process data about you according to its own privacy policy. We have no control over this processing. We process the data we receive from these platforms (your username, your messages to us, basic engagement data) to respond and to evaluate the reach of our content.

If you contact us via a platform's direct messaging, that conversation is processed on our behalf by that platform, in addition to any role we have as a controller.

09. Site security

We use TLS/SSL encryption (HTTPS) for all data transmitted between your browser and our servers. Our infrastructure is hosted by Shopify, which maintains security certifications including PCI-DSS Level 1 for payment processing. We do not store payment card details on our own systems.

10. Children's privacy

Our Platform is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with data, please contact us so we can delete it.

11. Changes to this Policy

We may update this Privacy Policy as our practices, the law, or our service providers change. The version in force at any time is the version posted on this page; substantial changes will be communicated to you in advance, where reasonably possible.