Privacy policy

  1. Controller and Contact Details

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection provisions is:

Fürst Franz-Albrecht zu Oettingen-Spielberg

Schloßstraße 1, 86732 Oettingen i. Bay., Germany

Contact details:

Email: enquiries@f-a-o-s.com

Telephone: +49-9082-9694-49

Fax: +49-9082-9694-51

Website: https://f-a-o-s.com

  1. General Information on Data Processing

    1. Scope of the Processing of Personal Data

We generally process personal data of our users only insofar as this is necessary to provide a functional website and our content and services. The processing of personal data of our users regularly takes place only after the user’s consent. An exception applies in cases where obtaining prior consent is not possible for factual reasons and the processing of the data is permitted by legal provisions.

  1. Legal Bases for Processing

Where we obtain the data subject’s consent for processing operations of personal data, Art. 6(1)(a) GDPR serves as the legal basis.

Where the processing of personal data is necessary for the performance of a contract to which the data subject is party, Art. 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations necessary for the performance of pre-contractual measures.

Where the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6(1)(c) GDPR serves as the legal basis.

Where processing is necessary for the purposes of a legitimate interest pursued by our company or by a third party and the interests or fundamental rights and freedoms of the data subject do not override that interest, Art. 6(1)(f) GDPR serves as the legal basis for the processing.

  1. Deletion of Data and Storage Periods

Storage period for contract data: The personal data collected in the course of the ordering process are stored until the expiry of statutory retention periods and then deleted unless further storage is necessary for the establishment, exercise, or defense of legal claims. The statutory retention periods are:

  • 10 years for bookkeeping records, annual financial statements and inventories (§ 147(1) No. 1 in conjunction with § 147(3) AO (German Fiscal Code); § 257(1) No. 1 in conjunction with § 257(4) HGB (German Commercial Code))

  • 8 years for accounting vouchers and invoices (§ 147(1) No. 4 in conjunction with § 147(3) AO as amended by the Fourth Bureaucracy Relief Act; § 257(1) No. 4 in conjunction with § 257(4) HGB)

  • 8 years for commercial and business letters (§ 147(1) Nos. 2, 3 in conjunction with § 147(3) AO; § 257(1) Nos. 2, 3 in conjunction with § 257(4) HGB)

The periods begin at the end of the calendar year in which the last entry was made in the commercial book, the inventory, the opening balance sheet, the annual financial statements or the management report were prepared, the commercial or business letter was received or sent, or the accounting voucher originated.

  1. SSL or TLS Encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of personal data and other confidential content. You can recognize an encrypted connection by the character string “https://” and the padlock symbol in your browser’s address bar.

When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

  1. Provision of the Website and Creation of Server Log Files

    1. Description and Scope of Data Processing

Each time our website is accessed, the system automatically collects data and information from the computer system of the accessing device. The following data is collected:

  • IP address of the requesting device

  • Date and time of access

  • Name and URL of the file retrieved

  • Website from which access occurs (referrer URL)

  • Browser used and, where applicable, the operating system of your device as well as the name of your access provider

  • Data volume transferred

  • Browser type and version

  1. Legal Basis

The legal basis for the temporary storage of the data and log files is Art. 6(1)(f) GDPR. Our legitimate interest lies in ensuring the functionality of the website, optimizing the website, and ensuring the security of our information technology systems.

  1. Purpose of Data Processing

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s device. For this purpose, the user’s IP address must remain stored for the duration of the session. Storage in log files occurs to ensure the functionality of the website. In addition, the data serve to optimize the website and to ensure the security of our information technology systems. No evaluation of the data for marketing purposes takes place in this context.

  1. Storage Period

The data are deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. In the case of data collected to provide the website, this is the case when the respective session has ended. In the case of storage of data in log files, this is the case after no more than seven days.

  1. Objection and Removal Possibility

The collection of data for the provision of the website and the storage of data in log files is strictly necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

  1. Hosting and Shop System – Shopify

    1. Description and Scope of Data Processing

Our online shop is operated on the Shopify platform. The contracting party is Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland.

Shopify provides us with the e-commerce platform through which we can offer and sell our products and services. When you visit our shop and/or place an order, Shopify processes, on our behalf, among other things, the following personal data:

  • IP address

  • Information about the browser and device used

  • First name, last name

  • Email address

  • Billing and shipping address

  • Payment information

  • Order data (products ordered, time of order, order value)

  • Where applicable, telephone number

  1. Data Storage and Server Location

Your personal data are stored by Shopify in Europe (EEA, United Kingdom and/or Switzerland). For this purpose, Shopify uses data centers of the Google Cloud Platform within Europe. Shopify may dynamically distribute data storage across multiple Google Cloud regions within Europe to ensure reliability and scalability.

Shopify’s Data Processing Addendum (DPA) is available at: https://www.shopify.com/legal/dpa

  1. International Data Transfers

Although your customer data are stored in Europe, Shopify relies on international data transfers to process this data. In particular, data may be transferred to Shopify Inc. (parent company) in Canada.

For the transfer of personal data to Canada, there is an adequacy decision by the European Commission pursuant to Art. 45 GDPR confirming an adequate level of data protection.

In addition, for data transfers to sub-processors in third countries, Shopify uses Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, which have been approved by the European Commission. Shopify has concluded comprehensive data processing agreements (DPAs) with all sub-processors. Shopify is also in the approval process for Binding Corporate Rules (BCRs) with the Irish Data Protection Commission.

  1. Legal Basis

The processing of the aforementioned data by Shopify is based on Art. 6(1)(b) GDPR (performance of a contract), insofar as the processing is necessary for the execution of orders, and on Art. 6(1)(f) GDPR (legitimate interest), insofar as the processing is necessary for the provision and security of our online shop. Our legitimate interest lies in providing a functional, secure, and user-friendly online shop.

  1. Processing under a Data Processing Agreement

We have concluded a data processing agreement (Data Processing Addendum – DPA) with Shopify pursuant to Art. 28 GDPR, which ensures the compliant processing of your personal data.

Further information on data protection at Shopify can be found at: https://www.shopify.com/legal/privacy.

  1. Recipients of Personal Data

In the course of operating our online shop, personal data are disclosed to the following categories of recipients:

  • Platform provider and hosting: Shopify International Limited (Ireland) as processor, including its sub-processors (a current list of Shopify’s sub-processors can be found at: https://www.shopify.com/legal/subprocessors)

  • Payment service providers: Stripe Payments Europe, Ltd. (Ireland) as a sub-processor of Shopify; Klarna Bank AB (Sweden) as an independent controller

  • Shipping service providers: DHL Paket GmbH (Germany) as an independent controller

  • Font provider: Google LLC (USA) – integration of Google Fonts

  • Video provider: Google Ireland Limited / YouTube (Ireland/USA) – integration of YouTube videos

  • Tax advisors, auditors, attorneys within the scope of mandate-related activities

  • Tax authorities within the scope of tax obligations

Disclosure to other third parties does not take place unless we are legally obliged to do so or you have given your express consent.

  1. Cookies and Consent Management

    1. General Information on Cookies

Our website uses so-called “cookies”. Cookies are small data packages that your browser automatically creates and that are stored on your end device when you visit our site. Cookies do not cause any damage to your end device and do not contain viruses, Trojans, or other malware.

  1. Legal Basis

Insofar as cookies that are technically necessary for carrying out the electronic communication process or for providing certain functions you desire (necessary cookies) are concerned, their storage takes place on the basis of § 25(2) No. 2 TDDDG (German Telecommunications and Telemedia Data Protection Act) in conjunction with Art. 6(1)(f) GDPR. We have a legitimate interest in storing technically necessary cookies for the technically error-free and optimized provision of our services.

Insofar as cookies are set that are not technically necessary (e.g., analytics, marketing, or personalization cookies), their storage takes place exclusively on the basis of your consent pursuant to § 25(1) TDDDG (German Telecommunications and Telemedia Data Protection Act) in conjunction with Art. 6(1)(a) GDPR.

The wording of § 25 TDDDG is available at: https://www.gesetz-tdddg.de/gesetz/details/25

  1. Consent Management

The collection, management, and documentation of your cookie consent is carried out via the cookie consent banner integrated in Shopify. On your first visit to our website, you will be asked to actively consent to the use of non-necessary cookies. You can withdraw your consent at any time via the privacy settings in the footer of our website.

  1. Overview of Cookies Used

Technically necessary cookies (§ 25(2) No. 2 TDDDG):

  • _shopify_s – Shopify analytics (session) – 30 minutes

  • _shopify_y – Shopify analytics (persistent) – 1 year

  • cart_sig – assignment of the shopping cart – end of session

  • cart_ts – timestamp of the shopping cart – 14 days

  • secure_customer_sig – customer authentication – 20 years

  • _tracking_consent – storage of cookie consent – 1 year

  • _shopify_sa_t – Shopify analytics (referrer tracking) – 30 minutes

  • _shopify_sa_p – Shopify analytics (page view) – 30 minutes

  • localization – recommended country and currency – 1 year

Note: The details on storage periods may change due to updates to the Shopify platform.

  1. Payment service providers

    1. Shopify Payments (operated via Stripe)

For payment processing in our online shop, we use Shopify Payments. Shopify Payments is Shopify’s integrated payment solution, which is technically processed via the payment service provider Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland. Stripe Payments Europe, Ltd. is used by Shopify as a technical payment processor (sub-processor) for processing credit card payments.

When paying by credit card, the payment data you enter (e.g. credit card number, cardholder, expiry date, CVC code) are transmitted to Stripe and processed there. Stripe is certified according to the Payment Card Industry Data Security Standard (PCI-DSS).

Data processed: Name, address, email address, order amount, bank details or credit card data, where applicable IP address.

Legal basis: Processing is carried out on the basis of Art. 6 para. 1 lit. b GDPR (performance of a contract) and Art. 6 para. 1 lit. c GDPR (compliance with legal obligations, in particular tax and commercial retention obligations).

Further information on data protection at Stripe can be found at: https://stripe.com/de/privacy.

  1. Klarna

For payment processing via the payment methods “invoice purchase”, “installment purchase” and/or “Sofortüberweisung”, we work with Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden.

In the context of payment processing, Klarna is an independent controller within the meaning of Art. 4 no. 7 GDPR. If you select a Klarna payment method during the order process, the personal data required for payment processing (first name, last name, street, house number, postal code, city, email address, telephone number, IP address as well as other data required for payment processing) are transmitted to Klarna.

Klarna may carry out a credit check based on this data. The legal basis for transmitting data to Klarna is Art. 6 para. 1 lit. b GDPR (performance of a contract) or Art. 6 para. 1 lit. a GDPR (consent), insofar as a credit check goes beyond pure payment processing.

Further information on Klarna’s data protection can be found in Klarna’s privacy policy at: https://www.klarna.com/de/datenschutz/

  1. Shipping and logistics – DHL

    1. Description and scope of data processing

For shipping the goods ordered from us, we use the shipping service provider DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany.

For the purpose of delivering your order, we transmit the following personal data to DHL:

  • Recipient’s first and last name

  • Delivery address

  • Where applicable, email address (for shipping notifications)

  • Where applicable, telephone number (for delivery notifications)

The tracking numbers are manually entered by us in your order so that you can track the shipping status of your order. There is currently no automated API integration between our shop and DHL.

DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, is an independent controller within the meaning of Art. 4 no. 7 GDPR in the context of shipping processing. The transmission of data to DHL is based on Art. 6 para. 1 lit. b GDPR and is limited to the data necessary for delivery (name, delivery address, where applicable email address and/or telephone number for shipment notifications).

The transmission of data to DHL is based on Art. 6 para. 1 lit. b GDPR (performance of a contract), as shipping is necessary to fulfill the purchase contract concluded with you.

Further information on data protection at DHL can be found at: https://www.dhl.de/de/toolbar/footer/datenschutz.html.

  1. Email marketing and newsletter

    1. Description and scope of data processing

We offer you the opportunity to subscribe to our newsletter. For this purpose, we use the email marketing system integrated in Shopify (Shopify Email). If you register for our newsletter, the following data are collected:

  • Email address (mandatory field)

  • Where applicable, name (if provided in the registration form)

  • Time of registration

  • Consent record

  • Subscription preferences

  1. Double opt-in procedure

Registration for our newsletter takes place in the so-called double opt-in procedure. This means that after your registration you will receive an email in which you are asked to confirm your registration. This confirmation is necessary so that no one can register with others’ email addresses. We log the registration process (time of registration, IP address, time of confirmation) to be able to prove the registration.

  1. Data storage

Your newsletter data are stored in accordance with our shop’s data storage settings in Europe (EEA/United Kingdom/Switzerland) and processed by Shopify International Limited (Ireland). The data protection measures and data processing agreements described in section 4 apply.

  1. Legal basis

The processing of your email address for the purpose of sending the newsletter is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR.

  1. Withdrawal

You can withdraw your consent to receive the newsletter at any time and unsubscribe from the newsletter. You can declare the withdrawal by clicking on the unsubscribe link provided in every newsletter email or by email to enquiries@f-a-o-s.com.

  1. External services

    1. Google Fonts (external retrieval)

Our website uses so-called Google Fonts to display fonts uniformly. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).

When you access our website, your browser loads the required fonts (Montserrat and Roboto) from Google servers. In doing so, your IP address is transmitted to Google’s servers. It is possible that Google transfers data to servers in the USA.

For data transfers to the USA, there is an adequacy decision by the European Commission (Trans-Atlantic Data Privacy Framework – TADPF) pursuant to Art. 45 GDPR, provided the respective recipient is certified under the TADPF. Google LLC is certified under the TADPF. In addition, Google uses Standard Contractual Clauses (SCCs) pursuant to Art. 46 para. 2 lit. c GDPR.

Legal basis: The use of Google Fonts is based on your consent pursuant to § 25 para. 1 TDDDG in conjunction with Art. 6 para. 1 lit. a GDPR, which is obtained via our cookie banner.

Further information on data protection at Google can be found at: https://policies.google.com/privacy. 

  1. YouTube (embedded videos)

We embed videos from YouTube on our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).

We use YouTube in the extended privacy mode. According to YouTube, this mode ensures that YouTube does not store information about visitors to this website before they watch the video. However, the extended privacy mode does not necessarily exclude the transfer of data to YouTube partners. Thus, YouTube – regardless of whether you watch a video – establishes a connection to the Google DoubleClick network.

As soon as you start a YouTube video on our website, a connection to YouTube’s servers is established. In doing so, the YouTube server is informed which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your browsing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.

Furthermore, after starting a video, YouTube may store various cookies on your device or use comparable recognition technologies (e.g. device fingerprinting). In this way, YouTube may obtain information about visitors to this website. This information is used, among other things, to compile video statistics, improve user-friendliness and prevent fraud attempts.

For data transfers to the USA, the safeguards mentioned in section 10.1 apply (TADPF certification, SCCs).

Legal basis: The embedding of YouTube videos is based on your consent pursuant to § 25 para. 1 TDDDG in conjunction with Art. 6 para. 1 lit. a GDPR. Consent is obtained via our cookie banner and/or a two-click solution.

Further information on data protection at YouTube/Google can be found at: https://policies.google.com/privacy.

  1. Rights of data subjects

As a data subject, you have the following rights:

  1. Right of access (Art. 15 GDPR)

You have the right to obtain from us confirmation as to whether personal data concerning you are being processed. If this is the case, you have a right of access to such personal data and to the information listed in detail in Art. 15 GDPR.

  1. Right to rectification (Art. 16 GDPR)

You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you and, where applicable, the completion of incomplete data.

  1. Right to erasure (Art. 17 GDPR)

You have the right to obtain the erasure of personal data concerning you without undue delay where one of the grounds listed in Art. 17 GDPR applies and processing is not necessary.

  1. Right to restriction of processing (Art. 18 GDPR)

You have the right to obtain restriction of processing where one of the conditions listed in Art. 18 GDPR applies.

  1. Right to data portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format, and you have the right to transmit those data to another controller without hindrance.

  1. Right to object (Art. 21 GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 para. 1 lit. e or f GDPR. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defense of legal claims.

Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing.

  1. Right to withdraw consent under data protection law (Art. 7 para. 3 GDPR)

You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

  1. Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data concerning you infringes the GDPR.

The supervisory authority responsible for us is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

Promenade 18, 91522 Ansbach, Germany

Telephone: +49 (0) 981 180093-0

Fax: +49 (0) 981 180093-800

Email: poststelle@lda.bayern.de

Website: https://www.lda.bayern.de

  1. Contact

    1. By email

      1. Contact is possible via the email address provided on our website. In this case, the personal data transmitted with the email are stored. The data are used exclusively for processing the conversation.

      2. The legal basis for processing the data is Art. 6 para. 1 lit. f GDPR. If the email contact aims at the conclusion of a contract, the additional legal basis for processing is Art. 6 para. 1 lit. b GDPR.

      3. The data are erased as soon as they are no longer necessary to achieve the purpose for which they were collected. For personal data transmitted by email, this is the case when the respective conversation with the user has ended. The conversation is deemed ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified and no statutory retention obligations preclude erasure.

    2. Via contact form

      1. A contact form is available on our website for electronic contact. If a user takes advantage of this option, the data entered in the input mask are transmitted to us and stored. The respective mandatory fields are evident from the contact form.

      2. The legal basis for processing the data is, if the user has given consent, Art. 6 para. 1 lit. a GDPR. If the contact serves the performance of a contract or the implementation of pre-contractual measures, the additional legal basis is Art. 6 para. 1 lit. b GDPR.

  2. Customer account

    1. On our website, you have the option to register for a customer account by providing personal data. The following data are collected: name, email address, password (encrypted). After registration, you will receive a password-protected customer account through which you can view your order history and manage your stored data.

    2. The legal basis for processing the registration data is Art. 6 para. 1 lit. b GDPR (performance of a contract) or Art. 6 para. 1 lit. a GDPR (consent).

    3. The data are erased as soon as the customer account on our website is deleted, unless statutory retention obligations preclude erasure.

  3. Obligation to provide personal data

The provision of personal data is partly required by law (e.g. tax regulations) or may also result from contractual provisions. For the conclusion of a purchase contract, it is necessary that you provide us with the personal data required for this purpose. Without the provision of this data, we cannot conclude the contract with you.

  1. Automated decision-making / profiling

Automated decision-making, including profiling pursuant to Art. 22 paras. 1 and 4 GDPR, does not take place.

  1. Currency and amendment of this privacy policy

This privacy policy is current as of: 27.02.2026.

Due to the further development of our website or the implementation of new technologies, it may be necessary to amend this privacy policy. We reserve the right to change the privacy policy at any time with effect for the future. We recommend that you read the current privacy policy again from time to time.