Privacy policy

Last updated: June 2026

With the following privacy policy, we would like to inform you about the types of your personal data we process, for what purposes, and to what extent. This privacy policy applies to all personal data processing carried out by us in connection with our services, and in particular on our website and our social media profiles.


1. Controller

dna merch | Solidarische Textilien
c/o Anton Wundrak Mantovanini
Richardstraße 60
D-12055 Berlin
info(ett)dna-merch.de
+49 (0) 177 964 37 32
Tax number: 16/600/00480
VAT ID no.: DE 250 136 248

Legal notice: https://dnamerch.de/policies/contact-information


2. Overview of data processed

Types of data processed

  • Master data (e.g. name, home address, customer number)
  • Payment data (e.g. bank details, payment history)
  • Contact data (e.g. email address, phone number)
  • Contract data (e.g. subject matter, order history)
  • Usage data (e.g. page views, click paths, time spent)
  • Meta, communication and process data (e.g. IP addresses, timestamps)
  • Log data (e.g. logfiles relating to logins or access times)

Categories of data subjects

  • Customers and prospective customers
  • Communication partners
  • Website visitors

Purposes of processing

  • Provision of contractual services and fulfilment of contractual obligations
  • Communication and customer service
  • Security measures and fraud prevention
  • Direct marketing and newsletters
  • Reach measurement and web analysis
  • Provision and improvement of our online offering

3. Legal bases

The following is an overview of the legal bases under the GDPR on which we process personal data:

  • Consent (Art. 6(1)(a) GDPR): Marketing emails, non-essential cookies (analytics, advertising, personalisation)
  • Performance of contract (Art. 6(1)(b) GDPR): Order processing, payment, shipping, returns management
  • Legal obligation (Art. 6(1)(c) GDPR): Retention of accounting and tax records
  • Legitimate interests (Art. 6(1)(f) GDPR): Fraud prevention, service improvement, IT security

In addition to the GDPR, national data protection regulations apply in Germany, in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).


4. Security measures

We implement appropriate technical and organisational measures in accordance with legal requirements and taking into account the state of the art, to ensure a level of protection appropriate to the risk. These measures include in particular securing the confidentiality, integrity and availability of data by controlling physical and electronic access, as well as procedures for exercising data subjects' rights and responding to data security incidents.


5. International data transfers

Where we process data in a third country (outside the EU/EEA), or this occurs in the context of using third-party services, this is done only in accordance with legal requirements – in particular on the basis of standard contractual clauses (Art. 46(2)(c) GDPR) or an adequacy decision (Art. 45 GDPR).

Under the EU-US Data Privacy Framework, the European Commission has recognised the level of data protection provided by certain US companies as adequate (decision of 10 July 2023). Where relevant, we indicate this basis in the individual service descriptions below.


6. Retention and deletion

We delete personal data as soon as the underlying consent is withdrawn or there is no longer a legal basis for processing. Statutory retention obligations remain unaffected. The following general retention periods apply under German law:

  • 10 years: Accounting records, invoices, annual financial statements (§ 147 AO, § 257 HGB)
  • 6 years: Other business documents and correspondence (§ 147 AO, § 257 HGB)
  • 3 years: Data required for handling warranty and damages claims (§§ 195, 199 BGB)

7. Rights of data subjects

You have the following rights under the GDPR (Art. 15–21 GDPR):

  • Right to object: You may object at any time to the processing of your data on the basis of Art. 6(1)(f) GDPR, in particular against direct marketing.
  • Right to withdraw consent: You may withdraw any consent you have given at any time with effect for the future.
  • Right of access: You may request information about the data we process about you.
  • Right to rectification: You may request the correction of inaccurate data.
  • Right to erasure and restriction: Under certain conditions, you may request the deletion or restriction of processing of your data.
  • Right to data portability: You may request your data in a structured, commonly used and machine-readable format, or request its transfer to another controller.
  • Right to lodge a complaint: You have the right to lodge a complaint with the competent supervisory authority. As dna merch is based in Berlin, this is the Berlin Commissioner for Data Protection and Freedom of Information – www.datenschutz-berlin.de

8. Business services and online shop

We process customer data to handle orders, payments, shipping and returns, and to communicate with customers. Our fulfilment and returns are managed by our partner USELESS PRIDE DISTRIBUTION:

USELESS PRIDE DISTRIBUTION
4 Rue de Kourou
31240 L'Union
France
VAT: FR07952755791
R.C.S. Toulouse: 952 755 791

Data processed: master data, payment data, contact data, contract data. Legal bases: Performance of contract (Art. 6(1)(b) GDPR), Legal obligation (Art. 6(1)(c) GDPR).


9. Online platforms

We operate our shop via Shopify. In addition to this privacy policy, Shopify's own privacy policy also applies.

Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland
Privacy policy: https://www.shopify.com/legal/privacy
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)


10. Payment methods

We offer the following payment methods. Payment data is processed by the respective service providers. We do not receive full account or card details, only a payment confirmation.

Shopify Payments: Payment processing via Shopify; Service provider: Shopify International Limited, Dublin, Ireland. Privacy policy: https://www.shopify.com/legal/privacy. Legal basis: Performance of contract (Art. 6(1)(b) GDPR).

Bank transfer: When paying by bank transfer, your bank details are used solely for processing the transaction and are not stored beyond this purpose. Legal basis: Performance of contract (Art. 6(1)(b) GDPR).


11. Web hosting and log files

Our online offering is hosted via Shopify. When you access our website, server log files are automatically recorded, containing information such as IP address, browser type, operating system, referring URL and time of access. This data is used to ensure security and stability and is deleted after a maximum of 30 days.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)


12. Cookies

Cookies are small text files that store information on your device. We distinguish between the following types:

  • Strictly necessary cookies: Essential for the operation of the website (shopping cart, session, security). No consent required. Retention: session-based or up to 2 years for persistent functions.
  • Analytics cookies: To measure user behaviour (Google Analytics). Legal basis: Consent. Retention: up to 13 months.
  • Advertising cookies: Meta Pixel for targeted advertising on Facebook and Instagram. Legal basis: Consent. Retention: up to 180 days.
  • Personalisation cookies: To store your browsing preferences. Legal basis: Consent.

You can manage your cookie preferences at any time via the consent banner on our website or through your browser's privacy settings.


13. Web analytics – Google Analytics

We use Google Analytics to measure and analyse the use of our online offering on the basis of a pseudonymous user identification number. Google Analytics does not log or store individual IP addresses for EU users. All IP queries are processed on EU-based servers before traffic is forwarded for analysis.

Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Privacy policy: https://policies.google.com/privacy
Basis for third-country transfers: Data Privacy Framework (DPF)
Opt-out: https://tools.google.com/dlpage/gaoptout
Legal basis: Consent (Art. 6(1)(a) GDPR)


14. Newsletter

We send newsletters exclusively with your consent. You may withdraw your consent at any time by using the unsubscribe link in any newsletter or by contacting us by email. Unsubscribed email addresses are stored for up to 3 years to document prior consent.

Service provider: Shopify Email (Shopify International Limited, Dublin, Ireland)
Legal basis: Consent (Art. 6(1)(a) GDPR)


15. Social media

We maintain profiles on social networks. User data may be processed outside the EU in this context.

Instagram: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland. Privacy policy: https://privacycenter.instagram.com/policy/. Basis for third-country transfers: Data Privacy Framework (DPF). Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Facebook: We are jointly responsible with Meta Platforms Ireland Limited for the collection of data from visitors to our Facebook page. We have entered into a joint controllership agreement with Meta. Data subjects' rights may be exercised directly against Meta. Privacy policy: https://www.facebook.com/privacy/policy/. Basis for third-country transfers: Data Privacy Framework (DPF). Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).


16. Embedded content – YouTube

Our website contains embedded YouTube videos. When a video is played, data is transmitted to Google even if you are not logged in to YouTube.

Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Privacy policy: https://policies.google.com/privacy
Basis for third-country transfers: Data Privacy Framework (DPF)
Legal basis: Consent (Art. 6(1)(a) GDPR)


17. Google Fonts

Our website uses Google Fonts, which are loaded from Google's servers. Your IP address is transmitted to Google in this process. Google states that it does not use this data to create user profiles.

Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Privacy policy: https://policies.google.com/privacy
Basis for third-country transfers: Data Privacy Framework (DPF)
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)


18. Contact and enquiry management

When you contact us by email or via social media, we process your information in order to respond to your enquiry. This data is deleted once communication has concluded, unless statutory retention obligations require otherwise.

Legal bases: Performance of contract (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR)


19. Changes and updates

We will update this privacy policy whenever changes to our data processing make this necessary. We recommend checking this policy regularly.


20. Definitions

  • Personal data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation or set of operations carried out on personal data, e.g. collecting, storing, transmitting or deleting.
  • Controller: The natural or legal person who determines the purposes and means of the processing of personal data.
  • Consent: Any freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of their personal data for a specific purpose.
  • Legitimate interests: Processing that is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided that the interests or fundamental rights of the data subject do not override those interests.