Privacy Policy

Last updated: 04/05/2026

Table of Contents

  1. Controller
  2. Personal data we process
  3. Visiting our website and server log files
  4. Shopify and technical shop infrastructure
  5. Cloudflare
  6. Cookies, pixels, local storage and similar technologies
  7. Necessary technologies
  8. Consent-based technologies
  9. Cookie Consent Tool
  10. Contact requests and customer support
  11. Shopify Inbox
  12. Customer account
  13. Hook One Tap Social Login and Google Sign-In
  14. Orders and contract processing
  15. Payment providers
  16. Fulfilment, warehouse and shipping
  17. Picqer
  18. Mirakl Connect
  19. Newsletter and email marketing / Mailchimp
  20. Direct marketing to existing customers
  21. Google Analytics 4
  22. Google Tag Manager
  23. Google Ads Conversion Tracking and Remarketing
  24. Meta Pixel / Facebook Pixel
  25. TikTok Pixel
  26. Twitter/X Conversion Tracking
  27. Facebook and Pinterest social plugins
  28. YouTube videos
  29. Judge.me reviews
  30. UpPromote Affiliate
  31. Cozy Country Redirect
  32. Tools not currently used
  33. International data transfers
  34. Legal obligations and record keeping
  35. Data retention
  36. Your rights
  37. Right to object
  38. Withdrawal of consent
  39. DACH-specific notes
  40. Updates to this Privacy Policy

This Privacy Policy explains how GTI GmbH, Königsallee 92a, 40212 Düsseldorf, Germany, email: info@maxler.com, phone: +49 211 54039788, processes personal data when you use our website, online shop, customer account, checkout, marketing features, customer support, affiliate features and related services.

This Privacy Policy is drafted for use in the DACH market. The main legal basis is the EU General Data Protection Regulation (“GDPR”) and, for Germany, the German Telecommunications Digital Services Data Protection Act (“TDDDG”). For Austria and Switzerland, additional local privacy and cookie rules may apply.

1. Controller

The controller responsible for the processing of personal data is:

GTI GmbH
Königsallee 92a
40212 Düsseldorf
Germany
Email: info@maxler.com
Phone: +49 211 54039788

2. Personal data we process

Depending on how you use our website and shop, we may process the following categories of personal data:

Category        Examples
Technical data  IP address, device data, browser, operating system, log files, access time
Contact data    Name, email address, phone number, billing address, delivery address
Account data    Login details, customer account information, order history
Order data      Products ordered, order number, delivery status, return data
Payment data    Payment method, payment status, transaction information
Marketing data  Newsletter consent, campaign interactions, advertising identifiers
Tracking data   Cookie IDs, pixel IDs, conversion events, website behaviour
Support data    Chat messages, support requests, communication history
Review data     Product review, rating, name, email address, order reference
Affiliate data  Referral links, coupon codes, attribution data, commission data

3. Visiting our website and server log files

When you visit our website, we automatically process technical data that is necessary to display the website securely and correctly.

This may include:

  • IP address;
  • date and time of access;
  • browser type and version;
  • operating system;
  • referrer URL;
  • pages visited;
  • amount of data transferred.

Legal basis: Art. 6(1)(f) GDPR.

Our legitimate interest is the secure, stable and functional operation of the website.

Server log files are stored only for as long as necessary for security and technical purposes, unless longer storage is required for legal claims, fraud prevention or security investigations.

4. Shopify and technical shop infrastructure

Our online shop is operated using Shopify and related Shopify services.

Shopify may process data required for:

  • website and shop operation;
  • product pages;
  • shopping cart;
  • checkout;
  • customer account;
  • payment processing;
  • fraud prevention;
  • order management;
  • technical security.

Legal basis:

  • Art. 6(1)(b) GDPR for checkout, orders and contract processing;
  • Art. 6(1)(f) GDPR for secure and efficient shop operation;
  • Art. 6(1)(c) GDPR where legal obligations apply.

Depending on Shopify’s processing setup, data may be processed in the EU, Canada, the United States or other countries.

5. Cloudflare

We use Cloudflare for content delivery, performance optimisation, security, DDoS protection and stable website delivery.

Cloudflare may process IP addresses, device data, log data and security-related access information.

Legal basis: Art. 6(1)(f) GDPR.

Our legitimate interest is secure, fast and stable website delivery.

Where Cloudflare transfers data outside the EU/EEA, we rely on appropriate safeguards such as an adequacy decision, the EU-US Data Privacy Framework where applicable, or Standard Contractual Clauses. The European Commission adopted the EU-US Data Privacy Framework adequacy decision on 10 July 2023, but it applies only to certified US recipients (source: EUR-Lex).

6. Cookies, pixels, local storage and similar technologies

We use cookies, pixels, tags, local storage and similar technologies.

Some technologies are technically necessary for the website and shop. Others are used only with your consent, especially analytics, marketing, retargeting, affiliate tracking, social plugins and embedded media.

Under German TDDDG and EU ePrivacy rules, consent may be required not only for cookies, but also for access to or storage of information on a user’s device through pixels, local storage, SDKs or similar technologies. The EDPB published final Guidelines 2/2023 on the technical scope of Art. 5(3) ePrivacy Directive on 16 October 2024 (source: European Data Protection Board).

7. Necessary technologies

Necessary technologies may be used for:

  • shopping cart;
  • checkout;
  • login;
  • security;
  • fraud prevention;
  • country and language settings;
  • cookie consent preferences;
  • technical shop operation.

Legal basis: Art. 6(1)(b) GDPR, Art. 6(1)(f) GDPR and TDDDG where applicable.

8. Consent-based technologies

We use the following categories only after consent:

  • analytics;
  • marketing pixels;
  • retargeting;
  • advertising conversion tracking;
  • affiliate tracking where not strictly necessary;
  • social plugins;
  • embedded videos.

Legal basis: Art. 6(1)(a) GDPR and consent under TDDDG where required.

You can withdraw or change your consent at any time through the cookie settings on our website.

9. Cookie Consent Tool

We use a cookie consent tool to manage consent for non-essential cookies, pixels and similar technologies.

The tool may process:

  • consent status;
  • timestamp;
  • selected preferences;
  • technical device data;
  • IP address, where required for documentation;
  • consent ID.

Legal basis:

  • Art. 6(1)(c) GDPR for compliance and documentation;
  • Art. 6(1)(f) GDPR for legally compliant consent management.

Our cookie banner offers a “Decline” option at the first layer and uses equal button design for accepting and declining non-essential technologies.

If the native Shopify consent banner does not keep sufficient consent logs for audit purposes, we may use a third-party consent management platform.

10. Contact requests and customer support

If you contact us by email, contact form, chat or another support channel, we process the data you provide to handle your request.

Legal basis:

  • Art. 6(1)(b) GDPR if your request relates to an order or contract;
  • Art. 6(1)(f) GDPR for general customer communication;
  • Art. 6(1)(c) GDPR if legal obligations apply.

11. Shopify Inbox

We use Shopify Inbox for customer support chat and customer communication.

Shopify Inbox may process your name, email address, chat messages, order information, device data and technical communication data.

Legal basis:

  • Art. 6(1)(b) GDPR for order-related support;
  • Art. 6(1)(f) GDPR for efficient customer service.

Please do not send sensitive personal data through the chat.

12. Customer account

If you create a customer account, we process the data required for account creation, login, order history and account management.

Legal basis: Art. 6(1)(b) GDPR.

You may request deletion of your customer account at any time. We will delete the account unless legal retention obligations or legitimate interests require further storage.

13. Hook One Tap Social Login and Google Sign-In

We use Hook One Tap Social Login and may offer login via Google Sign-In.

If you use social login, the relevant provider may transmit account information to us, such as name, email address, profile ID or authentication token.

Legal basis:

  • Art. 6(1)(a) GDPR for optional social login;
  • Art. 6(1)(b) GDPR for creating and managing your customer account after login.

Google or other login providers may process your data independently under their own privacy policies.

14. Orders and contract processing

When you place an order, we process the data necessary to fulfil the contract.

This includes:

  • name;
  • billing address;
  • delivery address;
  • email address;
  • phone number, if provided;
  • order details;
  • payment status;
  • delivery information;
  • invoice data.

Legal basis: Art. 6(1)(b) GDPR.

We also process order and invoice data to comply with tax, accounting and commercial law obligations.

Legal basis: Art. 6(1)(c) GDPR.

15. Payment providers

We use payment providers to process payments securely.

Depending on the selected payment method, data may be processed by:

  • Apple Pay;
  • Google Pay;
  • PayPal Checkout.

Payment providers may process payment data, billing data, transaction data, fraud prevention data and device data.

Legal basis:

  • Art. 6(1)(b) GDPR for payment processing;
  • Art. 6(1)(f) GDPR for fraud prevention and payment security;
  • Art. 6(1)(c) GDPR for legal obligations.

Payment providers may act as independent controllers for parts of their processing.

16. Fulfilment, warehouse and shipping

To deliver your order, we share necessary order and delivery data with fulfilment, warehouse and shipping providers.

We use Verzendbazen for fulfilment, shipping and logistics support.

Verzendbazen may process:

  • name;
  • delivery address;
  • email address;
  • phone number, if provided;
  • order number;
  • ordered products;
  • shipping status;
  • return information.

Legal basis: Art. 6(1)(b) GDPR.

Where Verzendbazen acts as our service provider, we process data on the basis of a data processing agreement.

17. Picqer

We use Picqer for warehouse, order and fulfilment management.

Picqer may process order data, customer data, delivery address, product data, stock data and fulfilment status.

Legal basis:

  • Art. 6(1)(b) GDPR for order fulfilment;
  • Art. 6(1)(f) GDPR for efficient warehouse and logistics management.

18. Mirakl Connect

We use Mirakl Connect in connection with marketplace, platform or partner integrations.

Mirakl may process business contact data, order data, product data, marketplace transaction data, delivery status and communication data.

Legal basis:

  • Art. 6(1)(b) GDPR where processing is necessary for marketplace orders;
  • Art. 6(1)(f) GDPR for marketplace operations and partner management.

19. Newsletter and email marketing / Mailchimp

If you subscribe to our newsletter, we process your email address and, where applicable, your name, consent timestamp, IP address and subscription preferences.

We use Mailchimp to send newsletters and manage email marketing.

Legal basis for newsletter subscription: Art. 6(1)(a) GDPR.

For Germany, we generally use a double opt-in process to document newsletter consent.

Newsletter tracking, such as open tracking and click tracking, is used only where legally valid consent has been obtained.

You can unsubscribe at any time through the unsubscribe link in each newsletter or by contacting us.

20. Direct marketing to existing customers

Where legally permitted, we may send marketing emails to existing customers for similar products or services.

Legal basis may be Art. 6(1)(f) GDPR together with applicable German direct marketing rules.

You may object to direct marketing at any time without incurring costs other than transmission costs according to basic tariffs.

21. Google Analytics 4

We use Google Analytics 4 to analyse website usage, improve our shop and measure performance.

Google Analytics may process:

  • device data;
  • browser data;
  • IP address;
  • page views;
  • events;
  • approximate location;
  • interactions;
  • conversion data.

Google Analytics is used only with your consent.

Legal basis: Art. 6(1)(a) GDPR.

Google may process data in the United States. Transfers may be based on the EU-US Data Privacy Framework where applicable or Standard Contractual Clauses where required.

22. Google Tag Manager

We use Google Tag Manager to manage website tags.

Google Tag Manager helps us load and control other tools. It does not itself create analytics profiles for us, but it may process technical data such as IP address when loaded.

Where Google Tag Manager is used to manage consent-based tags, those tags are loaded only after consent.

Legal basis:

  • Art. 6(1)(f) GDPR for technical tag management where strictly necessary;
  • Art. 6(1)(a) GDPR where Tag Manager is used in connection with consent-based analytics or marketing tags.

23. Google Ads Conversion Tracking and Remarketing

We use Google Ads for conversion tracking and remarketing.

Google Ads may process:

  • ad clicks;
  • website visits;
  • conversions;
  • products viewed;
  • purchases;
  • device and browser data.

Google Ads is used only with your consent.

Legal basis: Art. 6(1)(a) GDPR.

We do not use Google Customer Match.

24. Meta Pixel / Facebook Pixel

We use Meta Pixel / Facebook Pixel to measure conversions, improve ads and create remarketing audiences.

Meta may process:

  • pixel ID;
  • IP address;
  • browser data;
  • device data;
  • page views;
  • purchase events;
  • cart events;
  • conversion events;
  • hashed customer data where advanced matching is enabled.

Meta Pixel is used only with your consent.

Legal basis: Art. 6(1)(a) GDPR.

Where required, we enter into Meta’s applicable controller or joint controller terms.

25. TikTok Pixel

We use TikTok Pixel for conversion tracking, ad measurement and retargeting.

TikTok may process technical data, event data, device data, browser data and conversion data.

TikTok Pixel is used only with your consent.

Legal basis: Art. 6(1)(a) GDPR.

26. Twitter/X Conversion Tracking

We use Twitter/X Conversion Tracking to measure the performance of advertising campaigns and conversions.

Twitter/X may process device data, browser data, ad interaction data, conversion events and website behaviour.

Twitter/X Conversion Tracking is used only with your consent.

Legal basis: Art. 6(1)(a) GDPR.

Provider details should be checked before publication against the current X/Twitter legal entity and applicable data transfer terms.

27. Facebook and Pinterest social plugins

We use social plugins from Facebook and Pinterest.

Where possible, social plugins are integrated through a two-click or consent-based solution. This means that data is not transmitted to the provider until you activate the plugin or give consent.

Legal basis: Art. 6(1)(a) GDPR.

If you are logged into the relevant social network, the provider may associate your interaction with your account.

28. YouTube videos

We embed YouTube videos on our website.

YouTube videos are loaded only after your consent, unless embedded in a privacy-friendly mode that does not trigger consent-relevant access before activation.

Legal basis: Art. 6(1)(a) GDPR.

Google/YouTube may process IP address, device data, playback data, interaction data and cookie or similar identifiers.

29. Judge.me reviews

We use Judge.me to collect and display customer reviews.

Judge.me may process:

  • name;
  • email address;
  • order number;
  • product purchased;
  • review content;
  • rating;
  • photos, if uploaded;
  • IP address;
  • review metadata.

Legal basis:

  • Art. 6(1)(a) GDPR if you voluntarily submit a review;
  • Art. 6(1)(f) GDPR for displaying verified reviews and improving customer trust;
  • Art. 6(1)(b) GDPR where review communication is connected to a purchase process and legally permitted.

If review request emails are sent, we ensure that they are covered by consent or another legally valid basis under German marketing rules.

30. UpPromote Affiliate

We use UpPromote Affiliate to manage affiliate, referral or partner marketing.

UpPromote may process:

  • affiliate name and contact details;
  • referral links;
  • coupon codes;
  • attribution data;
  • order data linked to referrals;
  • commission data;
  • tracking identifiers.

Legal basis:

  • Art. 6(1)(b) GDPR for affiliate contract management;
  • Art. 6(1)(f) GDPR for referral attribution and fraud prevention;
  • Art. 6(1)(a) GDPR where affiliate tracking on user devices requires consent.

Affiliate tracking that is not strictly necessary is activated only after consent.

31. Cozy Country Redirect

We use Cozy Country Redirect to show country-specific shop versions, language options, currency options or regional redirects.

The tool may process:

  • IP address;
  • approximate location;
  • browser language;
  • device data;
  • selected country/language settings.

Legal basis:

  • Art. 6(1)(f) GDPR for user-friendly localisation and correct regional shop display;
  • Art. 6(1)(b) GDPR where localisation is necessary for contract or checkout information.

Where cookies or similar technologies are used for non-essential purposes, consent may be required.

32. Tools not currently used

According to our current setup, the following tools are not used:

  • Odoo;
  • Stripe;
  • Hotjar;
  • Google Customer Match;
  • LinkedIn Insight Tag;
  • Microsoft Advertising / UET;
  • Snap Pixel;
  • reCAPTCHA;
  • Gravity Forms.

If these tools are activated in the future, this Privacy Policy and the cookie consent settings must be updated before activation.

33. International data transfers

Some providers may process data outside the EU/EEA, especially in the United States.

Where data is transferred to third countries, we rely on one or more of the following safeguards:

  • adequacy decision;
  • EU-US Data Privacy Framework where the recipient is certified;
  • Standard Contractual Clauses;
  • additional technical and organisational safeguards;
  • consent where required.

The EU-US Data Privacy Framework applies only to participating certified US organisations (source: dataprivacyframework.gov).

34. Legal obligations and record keeping

We process certain personal data to comply with legal obligations, especially commercial, tax, accounting, consumer protection and legal defence obligations.

Legal basis: Art. 6(1)(c) GDPR.

35. Data retention

We store personal data only for as long as necessary for the relevant purpose.

Data type            Typical retention
Server logs          Short-term, unless security investigation requires longer
Customer account     Until deletion request, unless legal retention applies
Orders and invoices  Usually 6–10 years under German commercial/tax rules
Newsletter consent   Until withdrawal plus documentation period
Cookie consent logs  As long as needed to prove consent
Support requests     As long as needed to handle the request and legal defence
Analytics data       According to tool settings
Affiliate records    Contract term plus accounting/legal retention periods

36. Your rights

You have the following rights under GDPR:

  • right of access, Art. 15 GDPR;
  • right to rectification, Art. 16 GDPR;
  • right to erasure, Art. 17 GDPR;
  • right to restriction of processing, Art. 18 GDPR;
  • right to data portability, Art. 20 GDPR;
  • right to object, Art. 21 GDPR;
  • right to withdraw consent, Art. 7(3) GDPR;
  • right to lodge a complaint with a supervisory authority, Art. 77 GDPR.

You may contact us at: info@maxler.com

The competent supervisory authority for GTI GmbH in Düsseldorf, Germany is generally the data protection authority of North Rhine-Westphalia.

37. Right to object

If we process your personal data based on legitimate interests under Art. 6(1)(f) GDPR, you may object to this processing at any time on grounds relating to your particular situation.

If we process your personal data for direct marketing, you may object at any time without giving reasons.

After your objection, we will stop processing your data for direct marketing.

38. Withdrawal of consent

Where processing is based on consent, you may withdraw your consent at any time with effect for the future.

You can withdraw cookie and tracking consent through the cookie settings on our website.

You can withdraw newsletter consent through the unsubscribe link in each email.

39. DACH-specific notes

Germany

For Germany, this Privacy Policy is based on the GDPR, the German Federal Data Protection Act where applicable, and the TDDDG for cookies, pixels, local storage and similar technologies.

For Germany, non-essential analytics, marketing, retargeting and social media tracking should not load before valid consent.

Austria

For Austria, the GDPR also applies. Cookie and tracking rules are additionally governed by Austrian telecommunications rules, especially for storage of or access to information on user devices. Consent is generally required for non-essential cookies and similar technologies.

Switzerland

For Switzerland, the Swiss Federal Act on Data Protection may apply in addition. The revised Swiss FADP has applied since 1 September 2023 (source: Federal Office of SMEs).

Swiss users may have rights under Swiss data protection law, including rights to information, access, correction and, where applicable, deletion or restriction.

40. Updates to this Privacy Policy

We may update this Privacy Policy if our website, tools, providers, legal requirements or processing activities change.

The current version is available on our website.
