At Roxxlyn Design GmbH, privacy is not just a legal obligation—it’s a core value of our brand. We believe that a seamless shopping experience should never come at the cost of your personal data.
That’s why we do not use tracking or marketing cookies. Unlike most websites, we don’t follow you around the internet or collect unnecessary information. Instead, we focus on what matters: a private, secure, and transparent shopping experience.
To better understand how our website is used—without compromising your privacy—we rely on Matomo Analytics (self-hosted, 100% cookieless). All data is processed exclusively on our own servers located in Germany, ensuring full compliance with the General Data Protection Regulation (GDPR) and the German Telecommunications-Telemedia Data Protection Act (TTDSG).
Privacy Policy
Effective Date: June 3, 2025 (V012025)
1. Controller and Data Protection Officer
Controller:
Roxxlyn Design GmbH
Lenßenstraße 35
41239 Mönchengladbach, Germany
Phone: +49 (0)30 20169208
Email: info@roxxlyn.com
Data Protection Officer (DPO):
Mrs. Tanja Plaßmann
Email: datenschutz@roxxlyn.com
2. Overview of Processing Purposes and Legal Bases
We collect and process personal data only when there is a valid legal basis. For each processing activity below, we specify:
- the purpose;
- the categories of personal data involved;
- the legal basis under Article 6(1) GDPR;
- any recipients; and
- the retention period.
2.1. Contact Form Inquiries
- Purpose: To respond to questions, provide support, and follow up on your request.
- Data Collected: Full name, email address, phone number (optional), message details.
- Legal Basis: Article 6(1)(b) GDPR (necessary for pre-contractual measures or contract performance). If you explicitly consent to retain your inquiry beyond what is strictly necessary to respond, that processing is based on Article 6(1)(a) GDPR (consent).
- Recipients: Internal customer-support team only; no external recipients unless you explicitly request a referral or a legal obligation arises.
- Retention: Up to 24 months after resolution. Thereafter, all associated personal data is permanently deleted by our ticketing system’s automated purge.
2.2. Order Processing and Contract Fulfillment
- Purpose: To process orders, deliver goods/services, issue invoices, and comply with accounting and tax obligations.
- Data Collected:
  - Customer identification: full name, billing address, shipping address, email, phone number.
  - Payment data: payment transaction IDs (collected by the payment processor).
  - Order history and invoice details.
- Legal Basis: Article 6(1)(b) GDPR (necessary for contract performance).
- Recipients:
  - Payment Processors:
    - PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg (EU).
    - Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland (EU).
  - Shipping/Logistics Providers:
    - UPS Deutschland S.à r.l. & Co. OHG, Daimlerstraße 4–6, 85774 Unterföhring, Germany (EU).
    - FedEx Express Germany GmbH, Sengelmannstraße 3, 45473 Mülheim an der Ruhr, Germany (EU).
    - Deutsche Post AG, Charles-de-Gaulle-Straße 20, 53113 Bonn, Germany (EU).
  - Hosting Provider: Netcup GmbH (Managed Server), Oskar-Messter-Straße 33–35, 85737 Ismaning, Germany (EU).
- Retention:
  - Order records and invoices: 10 years (per German Commercial Code HGB § 257 and Fiscal Code AO § 147). After 10 years, records are encrypted and then securely overwritten.
  - Payment transaction metadata (transaction IDs only) is stored alongside order records and deleted together after 10 years.
2.3. Server Log Files (Technical and Usage Data)
- Purpose: System maintenance, security monitoring, intrusion and fraud detection, troubleshooting.
- Data Collected: Date/time (UTC), partially anonymized IP address (last octet removed), requested URL, HTTP status code, browser type/version, operating system, device type, referring URL (if any).
- Legal Basis: Article 6(1)(f) GDPR (legitimate interest in ensuring network and information security).
- Recipients: Internal IT/security team only; no external sharing.
- Retention: Stored in encrypted form for a maximum of 30 days. An automated job runs daily at 02:00 AM CET to overwrite and delete logs older than 30 days.
2.4. Web Analytics (Matomo, Cookieless, Self-Hosted)
- Purpose: To analyze website usage, improve performance and user experience, and detect technical issues.
- Data Collected: Aggregated metrics—number of visits, page views, average session duration, basic device/browser categorization. IP addresses are truncated by removing the last octet before processing. No cookies or user identifiers are stored.
- Legal Basis: Article 6(1)(f) GDPR (legitimate interest in optimizing website performance while preserving visitor privacy).
- Recipients: Internal analytics team; data remains on our German-hosted Matomo instance (no third-party service).
- Opt-Out: Visitors may opt out permanently by clicking the following iframe:
Opt-out complete; your visits to this website will not be recorded by the Web Analytics tool. Note that if you clear your cookies, delete the opt-out cookie, or if you change computers or Web browsers, you will need to perform the opt-out procedure again.
You may choose to prevent this website from aggregating and analyzing the actions you take here. Doing so will protect your privacy, but will also prevent the owner from learning from your actions and creating a better experience for you and other users.
The tracking opt-out feature requires cookies to be enabled.
3. Data Categories, Recipients, and Third-Country Transfers
3.1. Categories of Personal Data Collected
- Identification Data: Name, billing/shipping address, email address, phone number.
- Technical Usage Data: Partially anonymized IP address, device/browser/OS information, HTTP request details.
- Transaction Data: Payment transaction IDs (only stored as metadata; full payment credentials are collected directly by the payment processor).
- Support Inquiry Data: Message content and subject.
- Aggregated Analytics Data: Visit counts, page views, session durations, device/browser classification (all anonymized).
3.2. Recipients and Subprocessors
- Internal Recipients: Customer-support team, IT/security team, finance/accounting team, analytics team.
- External Recipients (Contract Fulfillment Only):
  - PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg (EU).
  - Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland (EU).
  - UPS Deutschland S.à r.l. & Co. OHG, Daimlerstraße 4–6, 85774 Unterföhring, Germany (EU).
  - FedEx Express Germany GmbH, Sengelmannstraße 3, 45473 Mülheim an der Ruhr, Germany (EU).
  - Deutsche Post AG, Charles-de-Gaulle-Straße 20, 53113 Bonn, Germany (EU).
  - Netcup GmbH (Managed Server), Oskar-Messter-Straße 33–35, 85737 Ismaning, Germany (EU).
3.3. No Third-Country Transfers
We confirm that no personal data collected on this website is transferred to any country outside the European Economic Area (EEA). All subprocessors listed above are located within the EEA.
4. Data Storage, Security Measures, and Retention
4.1. Server and Infrastructure Security
- Server Location: Germany, operated by Netcup GmbH (Managed Server) under our direct control.
- Encryption in Transit: All data exchanged between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS).
- Encryption at Rest: Databases and backups are encrypted with AES-256 or equivalent.
- Access Control: Only authorized personnel may access production systems. Access requires multi-factor authentication, strong passwords, and role-based permissions.
- Backups & Redundancy:
  - Daily encrypted backups stored off-site within the EU.
  - Backups are encrypted at rest and in transit.
  - Backup retention follows the same schedule as primary data (see retention table below).
4.2. Retention Periods and Deletion Procedures
Data Category | Retention Period | Deletion Procedure |
---|---|---|
Server log files (technical usage data) | 30 days | Automated overwrite & permanent deletion daily at 02:00 AM CET. |
Contact form & support inquiries | Up to 24 months after resolution | Deleted via ticketing system’s automated purge. |
Order records & invoices | 10 years (HGB § 257, AO § 147) | After 10 years, encrypted and securely overwritten. |
Payment metadata (transaction IDs only) | 10 years (with order records) | Purged together with order records after 10 years. |
Aggregated analytics data (Matomo) | 12 months | Irreversible deletion after retention period. |
5. Cookies & ePrivacy Compliance
We use only essential cookies required for core website functionality. No marketing, tracking, or third-party cookies are ever set.
5.1. List of Essential Cookies
Cookie Name | Purpose | Retention | Type |
---|---|---|---|
wordpress_test_cookie | Checks whether your browser accepts cookies (required for login). | Session (deleted on browser close) | HTTP, Secure, SameSite=Lax |
wordpress_logged_in_[hash] | Stores login status for users in the WordPress backend (including shop account logins). | 2 days (indicated by “hash”) or until logout | HTTP, Secure, SameSite=Lax |
wp-settings-[UID] | Stores user preferences (e.g., admin view) in WordPress. | 1 year | HTTP, Secure, SameSite=Lax |
wp-settings-time-[UID] | Stores the timestamp for wp-settings-[UID] to determine when settings need refreshing. | 1 year | HTTP, Secure, SameSite=Lax |
woocommerce_cart_hash | Tracks whether the cart contents have changed (used to derive cart data from the session). | Session (until browser is closed) or until checkout is completed | HTTP, Secure, SameSite=Lax |
woocommerce_items_in_cart | Indicates whether any items are currently in the cart (boolean). | Session (deleted when browser is closed) | HTTP, Secure, SameSite=Lax |
wp_woocommerce_session_[hash] | Sets a unique session ID for cart data stored in the database. | 2 days (WooCommerce default) | HTTP, Secure, SameSite=Lax |
5.2. ePrivacy Notice and Consent
- By continuing to use this website, you consent to the placement of these essential cookies.
- If you disable essential cookies in your browser settings, certain features (e.g., login, shopping cart, language selection) may not function properly.
5.3. How to Disable Cookies Manually
- Chrome: Settings → Privacy & security → Cookies and other site data → Manage and delete cookies.
- Firefox: Preferences → Privacy & Security → Cookies and Site Data → Manage Data.
- Edge: Settings → Cookies and site permissions → Manage and delete cookies and site data.
5.4. Future Non-Essential Cookies (Opt-In Only)
Should we introduce any non-essential cookies (e.g., marketing, advanced analytics), we will display a prominent cookie banner and will not place such cookies unless you explicitly click “Accept.”
6. Web Analytics (Matomo, Cookieless, Self-Hosted)
We operate a self-hosted Matomo instance on our German servers, configured to be entirely cookieless and privacy-focused.
- No Cookies: Matomo does not set any cookies.
- IP Anonymization: The last octet of each visitor’s IP address is removed before any data processing.
- Data Collected: Aggregated statistics only—total visits, page views, session duration, basic device and browser grouping. No user identifiers or individual profiles are created.
- Purpose: To monitor and improve website performance, detect technical issues, and enhance user experience.
- Legal Basis: Article 6(1)(f) GDPR (legitimate interest in optimal service delivery).
- No Data Sharing: All analytics data resides on our German servers; no data is sent to any external third parties.
- Opt-Out: Visitors may opt out permanently via this iframe:
Opt-out complete; your visits to this website will not be recorded by the Web Analytics tool. Note that if you clear your cookies, delete the opt-out cookie, or if you change computers or Web browsers, you will need to perform the opt-out procedure again.
You may choose to prevent this website from aggregating and analyzing the actions you take here. Doing so will protect your privacy, but will also prevent the owner from learning from your actions and creating a better experience for you and other users.
The tracking opt-out feature requires cookies to be enabled.
- Retention: Aggregated analytics data is stored for 12 months and then irreversibly deleted.
7. Contacting Us and Contract Processing
If you contact us via contact form, email, or phone, we store the information provided to process your request. This data is not shared with third parties, unless necessary for contract fulfillment or required by law.
If you place an order with us, we process your personal data for:
- Order processing
- Invoicing
- Delivery
This data may be shared with:
- Payment providers (e.g., PayPal, credit card companies)
- Shipping companies (e.g., UPS, FedEx, Deutsche Post)
8. Social Media – Static Links Only
Our website contains links to our social media profiles (e.g., Facebook, X, Pinterest, TikTok). These are static links, meaning:
- No data is automatically transferred when visiting our website.
- Data is only transmitted if you actively click a link to visit the respective platform.
For details on how these platforms process your data, please refer to their privacy policies:
- Facebook: https://www.facebook.com/privacy/policy
- X (formerly Twitter): https://twitter.com/privacy
- Pinterest: https://policy.pinterest.com/en/privacy-policy
- TikTok: https://www.tiktok.com/legal/privacy-policy
9. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Access to your stored data (Article 15 GDPR)
- Correction or Deletion of incorrect or unnecessary data (Articles 16 & 17 GDPR)
- Restriction of Processing, where legally applicable (Article 18 GDPR)
- Objection to Data Processing, where legally applicable (Article 21 GDPR)
- Data Portability, where applicable (Article 20 GDPR)
- Right to Withdraw Consent, if processing is based on consent (Article 7(3) GDPR)
- Right to Lodge a Complaint with a supervisory authority (Article 77 GDPR)
To exercise these rights, contact us at info@roxxlyn.com. Include sufficient information to verify your identity (e.g., copy of ID with sensitive data redacted). There is no fee for exercising your rights. We will respond within 30 days. If necessary, we may extend by up to two additional months, but will notify you within one month of receipt, per Articles 12(3) & 12(4) GDPR.
10. Complaint to Supervisory Authority
If you believe our processing of your personal data violates applicable law, you may lodge a complaint with the competent data protection authority. For Germany:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstraße 219
10969 Berlin, Germany
Phone: +49 30 13889 0
Email: mailbox@datenschutz-berlin.de
11. Data Breach Notification
In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Article 33 GDPR), unless the breach is unlikely to result in a risk.
- Notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms (Article 34 GDPR), providing you with reasonable information about the nature of the breach, its likely consequences, and measures taken to mitigate risks.
12. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in legal requirements or our services. The “Effective Date” at the top indicates the last revision. If we make material changes, we will notify all registered users by email at least 14 days before those changes take effect. We encourage you to review this page periodically.
13. Additional Notes
- If we introduce any non-essential cookies or third-party tracking tools (e.g., marketing, profiling), we will request your explicit opt-in consent before activation.
- This Privacy Policy is governed by German law and applicable EU data protection regulations.