Privacy Policy
Thank you for your interest in our online shop. The protection of your personal data is important to us. Below we inform you in detail about how we handle your data in accordance with the General Data Protection Regulation (GDPR).
1. Controller
The controller responsible for data processing on this website is:
Wisteria GmbH
Hechtstr. 43
82266 Inning, Germany
Phone: +49 160 94403341
Email: info@puzzlepotato.com
2. Accessing our website (server log files)
Each time our website is accessed, your browser automatically transmits information to our server, which is temporarily stored in a log file. The following is recorded:
- the website accessed and the time of access
- the volume of data transferred in bytes
- the website previously visited (referrer)
- the browser and operating system used
- the IP address (anonymised where applicable)
This processing is based on Art. 6 (1) (f) GDPR. Our legitimate interest lies in ensuring a smooth connection, comfortable use of the website, and the evaluation of system security and stability.
3. Cookies
We use only strictly necessary cookies that are required to operate the shop — in particular to manage your session and shopping cart. These cookies contain no tracking or marketing functions. The legal basis is Art. 6 (1) (b) and (f) GDPR; no consent is required for them. We currently do not use any analytics or marketing cookies.
4. Customer account and registration
You can create a customer account with us. The data collected for this (e.g. name, email address, billing and delivery address) is processed to perform the contract and manage your account on the basis of Art. 6 (1) (b) GDPR. You can have your customer account deleted at any time by contacting us.
For business customers (B2B) we additionally process the VAT identification number to assess tax liability. Sign-in to the customer account is passwordless via a one-time code sent by email.
5. Order processing
To fulfil your order, we process the order, billing and delivery data you provide. The legal basis is Art. 6 (1) (b) GDPR (performance of a contract). Where statutory retention obligations apply (e.g. under commercial and tax law), we store the relevant data on the basis of Art. 6 (1) (c) GDPR for the duration of those periods (generally up to ten years).
6. Disclosure to shipping service providers
To deliver the ordered goods, we pass on your delivery data to the shipping company commissioned with the delivery, insofar as this is necessary for the delivery. The legal basis is Art. 6 (1) (b) GDPR. Depending on the order, this may be one of the following companies:
- DHL / Deutsche Post AG
- DPD Deutschland GmbH
- United Parcel Service Deutschland S.à r.l. & Co. OHG (UPS)
- General Logistics Systems Germany GmbH & Co. OHG (GLS)
- Hermes Germany GmbH
7. Payment processing
Card payment via Stripe
When paying by credit card or comparable means of payment, processing is carried out by Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. The data required for the payment is transmitted directly to Stripe. The legal basis is Art. 6 (1) (b) GDPR. Further information can be found in Stripe's privacy policy.
Payment via PayPal
When paying via PayPal, processing is carried out by PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg. The payment data is transmitted directly to PayPal. The legal basis is Art. 6 (1) (b) GDPR. PayPal's privacy terms additionally apply.
Payment by bank transfer (prepayment)
When paying by bank transfer, we process the data required to reconcile the payment. No data is passed on to a payment service provider in this case; the payment is made via your bank.
8. Invoicing, accounting and archiving
To fulfil our tax and commercial-law obligations, we process order and invoice data in our accounting and tax system (DATEV format) and archive invoices in an audit-proof manner. Archiving is carried out in encrypted form on storage operated by us or on our behalf (Nextcloud). The legal basis is Art. 6 (1) (c) GDPR in conjunction with statutory retention obligations.
9. Order management and inventory (ERP)
To process orders, manage stock and inventory, and control shipping, we use an enterprise resource planning system (LingXing). The order and delivery data required for this is transmitted to that system. The legal basis is Art. 6 (1) (b) and (f) GDPR (performance of a contract and efficient order processing).
10. Email dispatch (transactional emails)
As part of order processing we send transaction-related emails (e.g. sign-in codes, order and shipping confirmations, invoices). The legal basis is Art. 6 (1) (b) GDPR.
11. Contacting us
If you contact us by email or via a contact form, we process the data you provide in order to handle your enquiry. The legal basis is Art. 6 (1) (b) GDPR (where the enquiry relates to a contract) or Art. 6 (1) (f) GDPR. The data is deleted once your enquiry has been conclusively dealt with, provided no retention obligations prevent this.
12. Hosting
Our website and the associated systems are hosted by a provider within the European Union. A data processing agreement pursuant to Art. 28 GDPR is in place with the provider. Processing is carried out to provide our online offering on the basis of Art. 6 (1) (f) GDPR.
13. Your rights
Under the GDPR you have the following rights:
- access to the data stored about you (Art. 15 GDPR)
- rectification of inaccurate data (Art. 16 GDPR)
- erasure of your data (Art. 17 GDPR)
- restriction of processing (Art. 18 GDPR)
- data portability (Art. 20 GDPR)
- objection to processing (Art. 21 GDPR)
- withdrawal of a given consent with effect for the future (Art. 7 (3) GDPR)
To exercise your rights, an informal message to the contact details above is sufficient.
14. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data (Art. 77 GDPR). The authority responsible for us is the Bavarian State Office for Data Protection Supervision (BayLDA).