Privacy Policy

erson.de

Last updated: 30 April 2026

Note: The German version of this Privacy Policy, available at erson.de/datenschutz, is exclusively legally binding. This English translation is provided solely for the convenience of international visitors.

1. Controller and Contact

The controller responsible for the processing of personal data within the meaning of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) is:

Erson Stanisław Pagacz ul. Lipowa 7 47-420 Kuźnia Raciborska, Poland Tax ID (NIP): 6391797134 Email: info@erson.de +48 695 995 270

For questions about the processing of your personal data or to exercise your rights, please contact us using the details above.

2. General Information on Data Processing

2.1 Scope of Processing

We generally only process the personal data of our users to the extent necessary to provide a functional website and our content and services. As a rule, processing only takes place with the user's consent or where there is a legal basis for it.

2.2 Legal Bases for Processing

We process personal data on the following legal bases:

• Art. 6(1)(a) GDPR – consent of the data subject (e.g. for newsletter, optional cookies, session replay);
• Art. 6(1)(b) GDPR – performance of a contract or pre-contractual measures (e.g. order processing, customer account);
• Art. 6(1)(c) GDPR – compliance with a legal obligation (e.g. tax retention obligations);
• Art. 6(1)(f) GDPR – legitimate interests (e.g. IT security, fraud prevention, strictly necessary cookies).

Insofar as the German Telecommunications-Telemedia-Data-Protection Act (TDDDG) applies, we obtain your consent before setting non-essential cookies and accessing information stored on your device (Section 25(1) TDDDG).

2.3 Data Erasure and Storage Period

Personal data is erased or blocked as soon as the purpose of storage no longer applies. Storage may extend beyond this where provided for by European or national legislation to which the controller is subject (e.g. commercial and tax retention periods of generally six or ten years pursuant to Section 257 of the German Commercial Code (HGB) and Section 147 of the German Fiscal Code (AO)).

3. Provision of the Website and Creation of Log Files

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing device. The following data is collected:

• IP address of the user (truncated where technically possible);
• date and time of access;
• content of the request (specific page);
• access status / HTTP status code;
• volume of data transferred;
• referrer URL;
• browser, operating system and its interface, language and version of the browser software.

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in ensuring a smooth connection of the website, system security and stability, as well as for the investigation of misuse and fraud. Log files are generally automatically deleted after 14 days, unless they are required for the investigation of security-related incidents.

4. Order Processing and Customer Account

When you place an order in our online shop, we process the data required for contract performance:

• salutation, first and last name;
• billing and delivery address;
• email address, phone number (optional);
• order data (ordered products, order date, order number);
• payment data (see "Payment Service Providers" below); where applicable, tax/VAT number for business customers.

Legal basis: Art. 6(1)(b) GDPR (contract performance) and, for compliance with tax and commercial law obligations, Art. 6(1)(c) GDPR. The data is stored for the duration of the business relationship and subsequently retained for the period of statutory retention obligations (generally 10 years), after which it is deleted.

5. Payment Service Providers

We use the payment service providers listed below to process payments. When you select the relevant payment method, the data required for payment processing is transmitted directly to the payment service provider.

5.1 PayPal

Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.

When you select PayPal, your payment data is transmitted to PayPal. The transmission is based on Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in efficient payment processing). Further information can be found in PayPal's privacy policy: https://www.paypal.com/legalhub/privacy-full.

5.2 Stripe

Provider: Stripe Payments Europe, Limited (SPEL), 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.

We use Stripe to process payments by credit and debit card (Visa, Mastercard, American Express) and, where available, additional payment methods supported by Stripe (e.g. Apple Pay, Google Pay, SEPA Direct Debit, Klarna). When these payment methods are selected, the data required for payment processing (in particular name, email address, billing and where applicable delivery address, payment instrument information such as card number/token, order amount) is transmitted to Stripe. Card data is sent in encrypted form directly from the user's browser to Stripe and is not stored on our servers.

Stripe also uses the transmitted data for fraud prevention and risk assessment purposes (e.g. via Stripe Radar). For this purpose, Stripe may collect device information, IP address and behavioural patterns.

Transfer to third countries: Stripe may transfer data to its group company Stripe, Inc. in the USA. Stripe, Inc. is certified under the EU-US Data Privacy Framework, providing an adequacy decision of the EU Commission pursuant to Art. 45 GDPR. Stripe has additionally concluded Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (fraud prevention).

Further information: https://stripe.com/privacy.

5.3 Bank Transfer

In the case of payment by bank transfer, we receive the data customary in payment transactions (name, IBAN, payment reference, amount) from our bank. No transmission to third parties for other purposes takes place.

6. Shipping Service Providers

To deliver the goods, we forward your name and delivery address to the selected shipping service provider. We work with the following carriers: Raben, DPD, GLS. Legal basis is Art. 6(1)(b) GDPR (contract performance). Where you have consented to your email address or phone number being transmitted to the shipping service provider for parcel tracking, the legal basis is Art. 6(1)(a) GDPR.

7. Cookies and Similar Technologies

Our website uses cookies and similar technologies (e.g. local storage). Cookies are small text files stored in the browser. We distinguish between:

7.1 Strictly Necessary Cookies

These cookies are required to make the website usable, e.g. for storing the shopping cart or maintaining the login session. Legal basis: Art. 6(1)(f) GDPR in conjunction with Section 25(2) No. 2 TDDDG. These cookies cannot be deselected.

7.2 Optional Cookies (Analytics, Marketing, Comfort)

Optional cookies are only set with your express consent (opt-in via our cookie banner). Legal basis: Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. You can withdraw your consent at any time with effect for the future by changing your cookie settings via the "Cookie Settings" link in the footer of our website.

7.3 Managing Your Cookie Settings

Via our cookie banner, you can accept, reject or select individual categories. You can also manage or delete cookies through your browser settings. Disabling certain cookies may result in some features of the website not being available.

8. Web and Product Analytics with PostHog

Provider: PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA, with data processing in the EU via PostHog EU Cloud (Frankfurt, Germany; operated on AWS).

We use PostHog, a product and web analytics tool, to understand how our website is used, identify technical issues, and improve our offering. PostHog processes data exclusively within the EU (Frankfurt). Data may be transferred to PostHog Inc. in the USA only in individual cases for technical maintenance purposes; for such transfers, Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR are in place.

Data collected:

• IP address (truncated/anonymised by PostHog);
• device information (browser type, operating system, screen resolution);
• referrer URL and pages visited;
• click and interaction events, scroll behaviour;
• a pseudonymous user ID (cookie/local storage);
• timestamps of actions.

Session Replay:

We also use the session replay feature of PostHog. This records your interactions with the website (mouse movements, clicks, scrolling, keystrokes in non-masked fields, page changes) and stores them as a playback. We have configured PostHog so that:

• inputs in form fields are masked by default (in particular passwords, payment data and sensitive personal data);
• IP addresses are anonymised;
• recordings are used exclusively for optimisation and error analysis purposes.

Legal basis for PostHog (including session replay): Art. 6(1)(a) GDPR (consent). Session replay is only activated after your express consent via our cookie banner. You can withdraw your consent at any time with effect for the future.

Storage period: Recordings and analytics data are generally deleted or anonymised after a maximum of 12 months.

Data processing agreement: We have concluded a data processing agreement with PostHog pursuant to Art. 28 GDPR.

Further information: https://posthog.com/privacy.

9. Contact Requests

If you contact us by email, contact form or phone, the data you provide (e.g. name, email address, phone number, content of the enquiry) will be stored by us to process your enquiry and in case of follow-up questions.

Legal basis: Art. 6(1)(b) GDPR (where the request relates to contract initiation) or Art. 6(1)(f) GDPR (legitimate interest in efficient processing of enquiries). The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected, unless statutory retention obligations require otherwise.

10. Recipients and Processors

Recipients of your personal data may include:

• shipping service providers (Raben, DPD, GLS);
• payment service providers (PayPal, Stripe);
• IT and hosting service providers (e.g. cloud hosting of the website, email provider);
• web and product analytics service providers (PostHog – EU Cloud Frankfurt);
• tax advisors, auditors, accounting service providers;
• authorities, courts or legal counsel within the framework of legal obligations.

We have concluded data processing agreements pursuant to Art. 28 GDPR with all processors.

11. Transfer to Third Countries

A transfer of personal data to third countries (outside the EU/EEA) only takes place where this is necessary for contract performance, legally required, you have expressly consented, or where one of the following safeguards under Art. 44 et seq. GDPR is in place:

• adequacy decision of the EU Commission (e.g. EU-US Data Privacy Framework for certified US companies);
• EU Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR;
• Binding Corporate Rules.

This currently applies in particular to potential transfers to Stripe, Inc. (USA – DPF-certified + SCC) and any maintenance access by PostHog Inc. (USA – SCC).

12. Your Rights as a Data Subject

You have the following rights with regard to the personal data concerning you:

• right of access (Art. 15 GDPR);
• right to rectification (Art. 16 GDPR);
• right to erasure (Art. 17 GDPR);
• right to restriction of processing (Art. 18 GDPR);
• right to data portability (Art. 20 GDPR);
• right to object to processing (Art. 21 GDPR);
• right to withdraw a given consent (Art. 7(3) GDPR) – the lawfulness of processing carried out before withdrawal remains unaffected.

To exercise your rights, an informal notice to info@erson.de is sufficient.

Right to object (Art. 21 GDPR)

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR. Where personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing.

13. Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

In Germany, the supervisory authority responsible for the controller is generally the data protection authority of the federal state (Bundesland) of the complainant. A list is available at: https://www.bfdi.bund.de/.

14. Data Security

We implement appropriate technical and organisational measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorised access. The transmission of personal data takes place in encrypted form via the internet (SSL/TLS).

15. Currency and Changes to This Privacy Policy

This Privacy Policy is currently valid and was last updated on 30 April 2026. Due to the further development of our website and offerings or due to changed legal or regulatory requirements, it may become necessary to amend this Privacy Policy. The current Privacy Policy can be accessed at any time on the website at erson.de/privacy-policy.

Last updated: 30 April 2026