Privacy Policy
Last updated: 4/18/2026
1. Controller and Contact
Controller within the meaning of the GDPR:
Hatice Kuzyurt e.U. (sole trader with small business regulation)
Wiener Neustädter Straße 102
2601 Sollenau, Austria
Company register number: not available (sole trader with small business regulation)
VAT number: not available (sole trader with small business regulation)
Phone: +43 69010187207 (available 14:00–18:00)
E-Mail: [email protected]
Website: https://kuzgen.com
Imprint: https://kuzgen.com/impressum
Managing Director/Owner: Hatice Kuzyurt
2. Data Protection Officer
The appointment of a data protection officer is not legally required for our company. For data protection inquiries, please contact the controller named above directly.
3. Overview of Processing Activities
Based on our data architecture, we process personal data in the following areas:
| Area | Categories of Data Concerned |
|---|---|
| User Account & Registration | Name, email, phone, password (hashed), region, language settings |
| Address Management | First/last name, company, address, phone |
| Order Processing | Order, payment, shipping data, IP address, T&C acceptance |
| Payment Transactions | Payment method, payment intent IDs |
| Shopping Cart | Product selection, session ID |
| Wishlist | Product preferences |
| Product Reviews | Review text, title, rating, verification status |
| Newsletter | Email, language preference, subscription status |
| Email Campaigns | Open and click behaviour |
| Contact Requests | Name, email, message, IP address |
| Service Requests | Refund/warranty data, uploaded images |
| Coupons | Usage behaviour per customer |
| Cookies | Cookie preferences, consent version and timestamp |
4. Legal Bases for Processing (Art. 6 GDPR)
We process personal data exclusively on the basis of the following legal bases:
a) Consent – Art. 6(1)(a) GDPR
- Newsletter subscription
- Cookie settings (non-essential cookies)
- Email marketing campaigns
- Product reviews (voluntary submission)
b) Contract Performance – Art. 6(1)(b) GDPR
- Registration and management of the user account
- Order processing and delivery
- Payment processing
- Shopping cart functionality
- Refund and warranty processing
- Address management
c) Legal Obligation – Art. 6(1)(c) GDPR
- Tax and commercial law retention obligations (BAO, UGB)
- T&C acceptance documentation (proof obligations)
- Invoicing
d) Legitimate Interest – Art. 6(1)(f) GDPR
- IP address recording for fraud prevention in orders
- IP address recording in contact forms (abuse protection)
- Order status history (quality assurance)
- Internal statistics and business optimisation
- IT security and system integrity
5. User Account and Registration
5.1 Data Collected
During registration and use of your user account, we process:
| Data | Purpose | Required/Voluntary |
|---|---|---|
| Email address | Account login, communication | Required |
| Password (as hash) | Authentication | Required |
| First name, last name | Personalisation, salutation | Required |
| Phone number | Contact for delivery questions | Voluntary |
| Region | Tax calculation, shipping options | Automatic |
| Preferred language | Language setting of the interface | Automatic/Choice |
| Last login time | Account security | Automatic |
| Cookie preferences | Consent management | Required (legal) |
| Cookie consent version | Proof obligation | Automatic |
| Cookie consent timestamp | Proof obligation | Automatic |
5.2 Authentication (Auth.js)
For user authentication we use the framework Auth.js in conjunction with Supabase Auth. The processing of your personal data in the context of login takes place primarily within our web application.
When using Google Social Login, the following data is transmitted from the provider to us:
- Name
- Email address
- Profile picture (URL)
- Unique user ID of the provider
This data is stored to create and manage your user account with us.
The following are processed:
- Email address
- Hashed password
- Authentication tokens (session cookies)
- Login metadata
This data is stored in our own database on a virtual private server (VPS) of Hetzner Online GmbH within the EU.
5.3 Email Delivery and Verification (Resend)
For sending emails to verify your email address (emailVerified), to reset your password or for order documents, we use the service Resend.
Provider: Resend Labs Inc., 226 Lowell St, Wilmington, MA 01887, USA
Privacy information: https://resend.com/privacy
Transfer: Standard Contractual Clauses (SCC)
5.4 Retention Period
Account data is stored for the duration of the business relationship and permanently removed within 30 days after deletion of the account, provided no statutory retention obligations apply.
6. Address Data
6.1 Data Collected
For delivery and invoicing purposes, we process:
- First name and last name
- Company name (optional)
- Street and house number
- Address supplement / apartment (optional)
- City, state, postal code
- Country
- Phone number (optional)
- Designation as default address
6.2 Purpose and Legal Basis
Processing is carried out for contract performance (Art. 6(1)(b) GDPR) – specifically for the shipment of ordered goods and invoicing.
6.3 Multiple Addresses
You can store multiple addresses in your account and set a default address. Addresses that are no longer needed can be deleted by you at any time, provided they are not linked to open or archived orders.
7. Order Processing
7.1 Data Collected in the Order Process
For each order, we process:
| Data | Purpose |
|---|---|
| Order number | Unique identification |
| Billing address (reference) | Invoicing |
| Delivery address (reference) | Goods shipment |
| Order items (product, variant, quantity, price) | Subject matter of the contract |
| Subtotal, shipping costs, taxes, discounts, total amount | Price calculation |
| Order status, payment status, fulfilment status | Order tracking |
| Payment method | Payment processing |
| Payment intent ID | Payment assignment via payment service provider |
| Shipping method, tracking number, shipping service provider | Delivery tracking |
| Coupon reference | Discount application |
| Customer notes | Notes requested by the customer |
| IP address | Fraud prevention |
| T&C acceptance (version and timestamp) | Legal proof obligation |
7.2 IP Address for Orders
We store your IP address during order processes on the basis of our legitimate interest (Art. 6(1)(f) GDPR) for fraud prevention and investigation. The IP address is deleted 6 months after the order is completed, provided no fraud case exists.
7.3 T&C Acceptance Documentation
We document your consent to our General Terms and Conditions, including the accepted version. This serves to fulfil our legal proof obligations (Art. 6(1)(c) GDPR).
7.4 Order Status History
Changes to the order status are logged with a timestamp, status value, optional comment and the executing employee. This serves quality assurance and traceability (legitimate interest, Art. 6(1)(f) GDPR).
7.5 Administrative Notes
Internal notes (adminNotes) are only visible to authorised employees and serve for efficient order processing. They do not contain data that is passed on to you as a customer, unless expressly required.
7.6 Retention Period
Order data is retained for 7 years (§ 132 BAO, § 212 UGB) from the end of the calendar year of the order in accordance with Austrian tax and commercial law retention obligations.
8. Payment Processing
8.1 Payment Service Provider
For payment processing we use the following service provider:
Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland
Privacy information: https://stripe.com/at/privacy
Payment in the webshop can be made via the following payment methods: Credit card, Klarna, Apple Pay, instant bank transfer, Google Pay, Amazon Pay, Cartes Bancaires, Samsung Pay, Bancontact, BLIK, EPS, TWINT.
8.2 Data Processed
We transmit to the payment service provider:
- Order amount and currency
- Payment method
- Your reference ID assigned by the payment service provider
We ourselves do not store or process complete credit card numbers, bank details or other sensitive payment instruments. We only store a payment intent ID to assign the payment.
8.3 Legal Basis
Contract performance (Art. 6(1)(b) GDPR).
9. Shopping Cart and Session Tracking
9.1 How It Works
Our shopping cart stores the products, variants and quantities you have selected. This occurs:
- For logged-in users: Linked to your user ID (stored server-side)
- For non-logged-in users: Not available
9.2 Session ID
The session ID is a technically necessary identifier that assigns your browser session to a server-side shopping cart. It does not contain personal data, but enables a pseudonymous assignment.
9.3 Legal Basis
- Logged-in users: Contract performance (Art. 6(1)(b) GDPR)
- Non-logged-in users: Not applicable. Since no guest checkout is offered, no processing takes place here.
9.4 Retention Period
Shopping carts of logged-in users remain until manual deletion or account closure.
10. Wishlist
10.1 How It Works
Logged-in users can save products to a personal wishlist. The product reference and the time of adding are stored.
10.2 Legal Basis
Contract performance (Art. 6(1)(b) GDPR) as part of the account service that you actively use.
11. Product Reviews
11.1 Data Collected
When submitting a product review, we process:
- Rating (stars/rating)
- Title of the review
- Comment text
- Verification status (whether a purchase has taken place)
- Approval status (moderation)
- "Helpful" counter
11.2 Public Visibility
After approval by moderation, your review is displayed publicly on the product page. The following is displayed: First name and the first letter of the last name (for example: "Maximilian K.").
11.3 Legal Basis
Consent (Art. 6(1)(a) GDPR). You can withdraw your review at any time by contacting us.
11.4 Verified Purchases
The field isVerified indicates whether the reviewer actually purchased the product through our shop. This serves transparency and consumer protection.
12. Newsletter
12.1 Registration and Double Opt-In
We offer an email newsletter. Registration is carried out via a double opt-in procedure:
- You enter your email address
- You receive a confirmation email
- Only after clicking on the confirmation link will you be added to the mailing list
12.2 Data Collected
| Data | Purpose |
|---|---|
| Email address | Newsletter delivery |
| Activity status | Management of the subscription |
| Registration timestamp | Proof of consent |
| Unsubscribe timestamp | Documentation |
| Preferred language | Language selection of the newsletter |
| User reference (if logged in) | Account link |
12.3 Unsubscription
Every newsletter contains an unsubscribe link. Unsubscription is possible at any time and takes effect immediately. We use personalised unsubscribe tokens (UnsubscribeToken) with limited validity to ensure the security of the unsubscription process.
12.4 Legal Basis
Consent (Art. 6(1)(a) GDPR). Consent can be revoked at any time with effect for the future.
12.5 Newsletter Service Provider
For the sending and management of our newsletter we use the service provider Resend.
Provider: Resend Labs Inc., 226 Lowell St, Wilmington, MA 01887, USA
Privacy information: https://resend.com/privacy
Transfer: Standard Contractual Clauses (SCC)
13. Email Campaigns and Tracking
13.1 Email Campaigns
We occasionally send email campaigns to newsletter subscribers. We collect:
| Data | Purpose |
|---|---|
| Campaign name and content | Management |
| Recipient list | Target group segmentation |
| Send timestamp | Documentation |
| Target group | Relevance enhancement |
| Number of opens | Success measurement |
| Number of clicks | Success measurement |
| Send count | Statistics |
13.2 Email Tracking (Opens and Clicks)
Our email campaigns may contain tracking technologies:
- Open tracking: Embedded counting pixels (1x1 pixel images) that trigger a server request when the email is opened
- Click tracking: Redirection of links via our server to record clicks
For each recipient, we log in the email log (EmailLog):
- Recipient email
- Subject
- Delivery status and error messages
- Open timestamp
- Click timestamp
13.3 Legal Basis for Email Tracking
Consent (Art. 6(1)(a) GDPR), granted in the context of newsletter registration.
13.4 Objection to Tracking
You can object to email tracking by:
- Deactivating the loading of external images in your email program
- Unsubscribing from the newsletter
- Contacting us directly at [email protected]
14. Email System (Internal Communication)
14.1 Scope
Our internal email system processes the following data for business communication with customers:
- Sender and recipient email addresses (including CC, BCC)
- Subject and message content (text and HTML)
- Priority and folder assignment
- Thread and reference IDs (for conversation histories)
- Send and receive timestamps
- Email attachments (file name, type, size, URL)
14.2 Email Drafts
Unsent email drafts are stored server-side and may contain recipients, subject and content.
14.3 Legal Basis
- Customer communication in the context of existing contracts: Contract performance (Art. 6(1)(b) GDPR)
- Documentation: Legitimate interest (Art. 6(1)(f) GDPR)
15. Contact
15.1 Contact Form
When using our contact form, we process:
| Data | Purpose |
|---|---|
| Name | Salutation and assignment |
| Email address | Answering your inquiry |
| Subject | Categorisation |
| Message | Processing your concern |
| User reference (if logged in) | Account link |
| IP address | Abuse protection |
| Read/archived status | Internal management |
15.2 IP Address for Contact Requests
Your IP address is stored for abuse prevention (legitimate interest, Art. 6(1)(f) GDPR) and deleted after 30 days.
15.3 Legal Basis
- For pre-contractual inquiries: Contract initiation (Art. 6(1)(b) GDPR)
- For general inquiries: Legitimate interest (Art. 6(1)(f) GDPR)
15.4 Retention Period
Contact requests are deleted 3 years after final processing, provided no further retention obligations apply.
16. Refund and Warranty Requests
16.1 Refund Requests
For refund requests, we process:
- Order reference
- Reason for refund
- Detailed description
- Refund amount
- Uploaded images (as proof)
- Status and administrative notes
- Resolution timestamp
16.2 Warranty Requests
For warranty requests, we process:
- Order reference
- Description of the problem
- Uploaded photos
- Preferred solution
- Actual solution
- Status and administrative notes
16.3 Communication on Service Requests
Via our ContactRequest system, messages can be exchanged regarding ongoing refund and warranty cases, including uploaded files and images.
16.4 File Uploads
Uploaded files (RequestUpload) are stored securely and are only accessible to the requester and authorised employees.
Storage location of files: Hetzner Online GmbH, server location Germany (EU)
16.5 Legal Basis
Contract performance (Art. 6(1)(b) GDPR) and legal obligation (Art. 6(1)(c) GDPR) in the context of statutory warranty (§§ 922 ff ABGB) and distance selling law (§ 11 ff FAGG).
16.6 Retention Period
Service requests are retained for 3 years after completion (based on the general limitation period pursuant to § 1489 ABGB).
17. Coupons and Discount Promotions
17.1 Data Collected
When using coupons, we process:
- Assignment of coupons to eligible customers (CouponCustomer)
- Usage history per customer and order (CouponCustomerUsage)
17.2 Purpose
- Ensuring correct redemption
- Preventing multiple use
- Traceability for accounting purposes
17.3 Legal Basis
Contract performance (Art. 6(1)(b) GDPR).
18. Cookies and Consent Management
18.1 Cookie Consent Management
We use a cookie consent system that stores your settings as follows:
| Data | Purpose |
|---|---|
| Cookie preferences | Your chosen cookie categories |
| Consent version | Assignment to the valid cookie policy |
| Consent timestamp | Proof of consent |
18.2 Categories of Cookies
a) Technically necessary cookies (no opt-in required)
| Cookie | Purpose | Retention period |
|---|---|---|
| session | Authentication token (session status) | 7 days |
| sb-access-token | Authentication | Session |
| sb-refresh-token | Session renewal | Persistent |
| cookie-consent | Storage of your cookie settings | 12 months |
b) Functional cookies (opt-in)
| Cookie | Purpose | Retention period |
|---|---|---|
| lang | Remembering preferred language | 12 months |
c) Analysis cookies (opt-in)
| Cookie | Provider | Purpose | Retention period |
|---|---|---|---|
| _ga, _gid | Google Analytics | Usage analysis | 2 years / 24h |
| _ga_XXXXXX | Google Analytics | Session maintenance | 2 years |
18.3 Changing Cookie Settings
You can change or revoke your cookie settings at any time via the "Cookie Settings" link in the footer of our website.
18.4 Legal Basis
- Technically necessary cookies: Legitimate interest (Art. 6(1)(f) GDPR) or § 165(3) TKG 2021
- All other cookies: Consent (Art. 6(1)(a) GDPR, § 165(1) TKG 2021)
19. Hosting and Technical Infrastructure
19.1 Web Hosting
Provider: Hetzner Online GmbH
Address: Industriestr. 25, 91710 Gunzenhausen, Germany
Server location: Germany (EU)
Privacy information: https://www.hetzner.com/de/legal/privacy-policy/
19.2 Database Hosting
Our database is hosted at:
Provider: Hetzner Online GmbH
Address: Industriestr. 25, 91710 Gunzenhausen, Germany
Server location: Germany (EU)
Privacy information: https://www.hetzner.com/de/legal/privacy-policy/
19.3 File Storage (Images, Uploads)
Uploaded files and product images are stored at:
Provider: Hetzner Online GmbH
Address: Industriestr. 25, 91710 Gunzenhausen, Germany
Server location: Germany (EU)
Privacy information: https://www.hetzner.com/de/legal/privacy-policy/
19.4 Content Delivery Network (CDN)
We use a CDN to accelerate delivery:
CDN provider: Cloudflare, Inc.
Address: 101 Townsend Street, San Francisco, CA 94107, USA
Privacy information: https://www.cloudflare.com/privacypolicy/
19.5 Server Log Files
Every time our website is accessed, the following data is automatically recorded in server log files:
- Page/file accessed
- Date and time of access
- Amount of data transferred
- Notification of successful retrieval
- Browser type and version
- Operating system of the user
- Referrer URL (previously visited page)
- IP address (anonymised or complete)
- Requesting provider
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in ensuring technical operation and IT security.
Retention period: Server log files are automatically deleted after 30 days.
20. Web Analysis and Tracking
20.1 Google Analytics
We use Google Analytics to analyse the use of our website.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Data processed: IP address (anonymised), usage data (e.g. pages visited, time spent), browser information, device data
IP anonymisation: Yes (activated by default in Google Analytics 4)
Server location: USA/Ireland
Privacy information: https://policies.google.com/privacy
Legal basis: Consent (Art. 6(1)(a) GDPR)
Opt-out: Via the cookie banner or the browser add-on to deactivate Google Analytics: https://tools.google.com/dlpage/gaoptout
Data processing agreement: Concluded
IP anonymisation: Activated
Demographic features: Deactivated
Google Signals: Deactivated
Data retention period in GA: 14 months
20.2 Google Maps (Geocoding API)
We use the Google Maps Geocoding API to validate address data during checkout. This serves to ensure correct delivery.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Data transmitted: Address data
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)
Privacy information: https://policies.google.com/privacy
21. Social Media
21.1 Social Media Links
Our website contains links to our profiles on social networks (stored in socialMediaLinks). All available social media links can be found in the footer.
These are simple links (no social media plugins or embedded content). When you click on a link, you will be redirected to the respective platform. Data processing by the platform operator only takes place there.
22. Data Transmission to Third Parties
22.1 Categories of Recipients
We transmit personal data to the following categories of recipients:
| Recipient | Purpose | Legal basis |
|---|---|---|
| Payment service provider (Stripe) | Payment processing | Contract performance |
| Shipping service provider | Goods shipment | Contract performance |
| Hosting provider (Hetzner) | Operation of the website & database | Legitimate interest |
| Email delivery service (Resend) | Newsletter, transactional emails | Consent / Contract performance |
| Authentication (Google) | Social login | Consent / Contract performance |
| Address validation (Google) | Error prevention in checkout | Legitimate interest |
22.2 Shipping Service Providers
For goods shipment we use the shipping services of our logistics partner or provider. In this context, your data (name, delivery address) is passed on to the transport companies commissioned by the provider (e.g. Austrian Post, DPD, DHL or comparable services) for the purpose of delivery and, if applicable, shipment tracking.
Data transmitted: Name, delivery address, phone number if applicable, tracking number
22.3 Data Processing Agreements
We have concluded data processing agreements in accordance with Art. 28 GDPR with all service providers who process personal data on our behalf.
23. Data Transfers to Third Countries
23.1 Overview
| Service | Headquarters | Transfer mechanism |
|---|---|---|
| Resend | USA | Standard Contractual Clauses (SCC) |
| Stripe | USA/Ireland | EU-US Data Privacy Framework / SCC |
| Google Analytics | USA | EU-US Data Privacy Framework / SCC |
| Hetzner | Germany | No transfer (EU hosting) |
23.2 Protective Measures
For data transfers to third countries without an adequacy decision, we use the following protective measures:
- Standard Contractual Clauses (SCC) of the European Commission
- Supplementary technical measures (encryption, pseudonymisation)
- Transfer Impact Assessments (TIA)
24. Retention Periods – General Overview
| Type of data | Retention period | Basis |
|---|---|---|
| User account | Until deletion by user + 30 days | Contract performance |
| Order data | 7 years from end of year | § 132 BAO, § 212 UGB |
| Invoice data | 7 years from end of year | § 132 BAO |
| Payment references | 7 years from end of year | § 132 BAO |
| Newsletter consent (proof) | 3 years after unsubscription | Proof obligation |
| Newsletter data (active) | Until revocation | Consent |
| Contact requests | 3 years after processing | Legitimate interest |
| Service requests | 3 years after completion | Limitation period |
| Product reviews | Until revocation | Consent |
| Shopping cart (session/DB) | Until manual deletion | Contract performance |
| IP addresses (orders) | 6 months | Legitimate interest |
| IP addresses (contact form) | 30 days | Legitimate interest |
| Server log files | 30 days | Legitimate interest |
| Cookie consent proof | 3 years | Proof obligation |
| Email campaign logs | 12 months | Consent |
| Uploaded files (service) | 3 years after case closure | Contract performance |
25. Data Security
We use extensive technical and organisational measures (TOMs) to protect your personal data, including:
- Encryption: Transport encryption (TLS/SSL) for all data transmissions; encryption of data at rest in the database
- Password security: Passwords are stored exclusively as cryptographic hashes (passwordHash), never in plain text. Hashing method used: bcrypt (cost factor 12)
- Access control: Role-based authorisation concept (role field), principle of minimal rights
- Data backup: Regular automated backups
- Monitoring: Monitoring of system integrity and availability
- Employee training: Regular awareness raising for data protection
26. Your Rights as a Data Subject
Under the GDPR, you have the following rights:
26.1 Right of Access (Art. 15 GDPR)
You have the right to obtain information about the personal data we process, including purposes of processing, categories, recipients and retention periods.
26.2 Right to Rectification (Art. 16 GDPR)
You have the right to have inaccurate or incomplete data corrected.
26.3 Right to Erasure (Art. 17 GDPR)
You have the right to request the deletion of your data, provided no statutory retention obligations or other exceptions apply.
26.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request restriction of the processing of your data, e.g. if you dispute its accuracy.
26.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive the data concerning you in a structured, commonly used and machine-readable format or to request its transmission to another controller.
26.6 Right to Object (Art. 21 GDPR)
You have the right to object at any time to the processing of your personal data carried out on the basis of Art. 6(1)(f) GDPR (legitimate interest). We will then no longer process your data unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
If your personal data is processed for direct marketing purposes, you have the right to object at any time. The data will then no longer be processed for this purpose.
26.7 Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on your consent, you can withdraw it at any time with effect for the future, without affecting the lawfulness of the processing carried out up to that point.
26.8 Exercising Your Rights
To exercise your rights, please contact:
Email: [email protected]
Post: Hatice Kuzyurt e.U., Wiener Neustädter Straße 102, 2601 Sollenau, Austria
We will respond to your request within one month of receipt. In complex cases, this period may be extended by a further two months, of which we will inform you.
27. Right to Lodge a Complaint with the Supervisory Authority
You have the right to lodge a complaint with the competent data protection supervisory authority:
Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna, Austria
Phone: +43 1 52 152-0
Email: [email protected]
Website: https://www.dsb.gv.at
28. Automated Decision-Making and Profiling
No automated decision-making including profiling pursuant to Art. 22 GDPR takes place that has legal effect on you or similarly significantly affects you.
29. Protection of Minors
Our offer is directed at persons who have reached the age of 18. We do not knowingly collect personal data from children under the age of 18. Should we determine that data from minors has been collected without the consent of a legal guardian, this will be deleted immediately.
30. Changes to this Privacy Policy
We reserve the right to adapt this privacy policy as necessary, in particular in the event of changes to our data processing procedures, legal requirements or regulatory specifications. The current version is available on our website at all times.
As of: 24.02.2026
Version: 1.0