Skip to content

Vanen Miniatures

Privacy Policy

Draft. The German version is legally authoritative.

We process only data needed for operation, contract fulfilment and security. At launch there is no analytics, no marketing pixel and no embedded Instagram widget.

Controller

Katharina Schneider, Hauptstraße 129c, 61440 Oberursel, email info@vanen-miniatures.com.

Hosting and logs

When the website is accessed, the host processes technical server data such as IP address, timestamp and requested resource. The legal basis is Art. 6 (1) f GDPR.

Language gate

The root page may read the browser language to redirect to /de/ or /en/. This information is not stored permanently.

Payments and Stripe

Payments use Stripe-hosted Checkout and portal pages. Payment card data never touches our server. Stripe processes payment and invoice data for contract fulfilment. Processing may also take place outside the EU (including the USA); it is safeguarded by the EU-US Data Privacy Framework or EU standard contractual clauses.

Magic link, session and entitlements

For login we process the email address, short-lived hashed login tokens, a technically required HMAC session cookie and a local entitlement cache with Stripe customer ID, email and purchase status. The session cookie is technically required; therefore no cookie banner is used.

Downloads and storage

Downloads are served through a protected PHP endpoint. Session, entitlement and download key are checked. Real storage paths are not exposed to the browser.

Contact, emails and invoices

When you contact us, we process your message and sender address. Transaction and magic-link emails use the final mail host […]. Invoice data is processed by Stripe and retained according to statutory retention periods.

Image-to-STL orders

If you use the “Image → STL” offer, we process the image you upload and your email address in order to create an individual STL file from it. For production we pass the necessary data to the person commissioned with the modelling. We deliver the finished file by email. The legal basis is Art. 6 (1) b GDPR (contract fulfilment).

Retention period

Login tokens are deleted after they expire, and the entitlement cache is cleared after a subscription ends. Invoice and accounting data is stored for the duration of the statutory retention periods (generally ten years). Otherwise we delete personal data as soon as the processing purpose no longer applies and no retention obligation stands in the way.

Data subject rights

You have rights to access, rectification, erasure, restriction, data portability and objection, plus the right to complain to a supervisory authority.