
Legal

Privacy Policy

Your privacy is important to us.

Drafting note: This policy is structurally ready but still contains named placeholders for the provider identity, address, DPO status, supervisory authority, processor-list location, and retention specifics. Fill every [PLACEHOLDER] before relying on this text in production.

Effective date: [EFFECTIVE_DATE]

This Privacy Policy explains how Handwrite processes personal data when you use https://handwrite.shopofluba.de (the "Site"), create an account, place an order, receive service communications, or otherwise interact with our handwritten stationery services (the "Services").

Controller

[LEGAL_PROVIDER_NAME]
[LEGAL_STREET_ADDRESS]
[LEGAL_POSTCODE_CITY_COUNTRY]
Email: [LEGAL_EMAIL]
[DPO_CONTACT_OR_NOT_APPLICABLE]

For some business-customer use cases, especially where a customer uploads recipient lists and determines the recipients, message content, and mailing purpose, Handwrite may also process recipient data on that customer's behalf under a separate data-processing agreement. See "Recipient data supplied by customers" below.

Categories of personal data

Account and authentication data

Depending on how you sign in, we may process:

  • your name;
  • your email address;
  • your authentication method, such as Google sign-in or email magic link;
  • your profile image, if supplied by the sign-in provider;
  • language preference; and
  • session and account identifiers required to keep you logged in securely.

Order and fulfilment data

When you configure or place an order, we may process:

  • billing details and shipping details;
  • recipient names and postal addresses;
  • uploaded CSV recipient lists;
  • message content and personalisation fields;
  • design, handwriting, fulfilment, and order-preference selections;
  • guest-order email addresses;
  • order locale, order history, status events, and support actions tied to the order; and
  • production artefacts needed to render, write, package, and dispatch the physical order.

Payment and transaction data

Payments are processed by our payment provider. We do not store full payment-card details. We do receive payment-related metadata, such as:

  • payment status;
  • transaction, checkout-session, and payment-intent identifiers;
  • billing details supplied to the payment provider;
  • shipping details returned from checkout where relevant to fulfilment; and
  • invoice, tax, and accounting records.

Technical, security, and usage data

When you use the Site, we may process:

  • IP address;
  • browser, device, and user-agent information;
  • timestamps, route access, and event logs;
  • security and rate-limiting signals;
  • cookie, session, and browser-storage identifiers; and
  • analytics and marketing signals, including campaign attribution parameters, but only where consent is required and has been given.

Support and communications data

If you contact us, we may process the contents of your message, attachments, email metadata, and the order or account context necessary to respond.

Business contact and prospect data

If we contact business prospects or respond to business enquiries, we may process business contact details such as name, role, organisation, business email, postal address, campaign context, and communication history. This includes physical business-development mail where legally permissible.

Purposes and legal bases

We process personal data only where a valid legal basis exists. The main bases are:

| Purpose | Examples | Legal basis |
|---|---|---|
| Account creation and sign-in | Google login, email magic link, session handling, language preference | Art. 6(1)(b) GDPR |
| Order handling and fulfilment | checkout, rendering, production, dispatch, order updates, support | Art. 6(1)(b) GDPR |
| Payment, invoicing, and accounting compliance | payment confirmation, records, tax and bookkeeping obligations | Art. 6(1)(b) and Art. 6(1)(c) GDPR |
| Security and abuse prevention | logging, fraud checks, rate limits, troubleshooting | Art. 6(1)(f) GDPR |
| Consent management | remembering and applying cookie / marketing preferences | Art. 6(1)(c) and/or Art. 6(1)(f) GDPR, as applicable |
| Optional analytics or marketing technologies | Google tags and similar tools, where enabled | Art. 6(1)(a) GDPR |
| Business development and B2B contact | responding to enquiries, relevant business outreach, physical prospect mail | Art. 6(1)(f) GDPR |

Where we rely on legitimate interests under Art. 6(1)(f) GDPR, those interests generally include securing the Site, preventing abuse, maintaining platform stability, improving the reliability and usability of the service, responding to business enquiries, and presenting relevant business services to professional contacts. You may object to processing based on legitimate interests at any time as described below.

Recipients and categories of recipients

We share personal data only where necessary for the purposes above, including with the following categories of recipients:

  • Payment providers, currently including Stripe, for checkout, payment confirmation, invoice, and related transaction handling.
  • Email and transactional communications providers, currently including Resend, for sign-in links and service emails.
  • Authentication providers, such as Google, where you choose that sign-in method.
  • Analytics / tag providers, such as Google Tag Manager and associated Google measurement or marketing services, but only where the relevant consent has been given.
  • Hosting, infrastructure, database, storage, logging, and security providers that support operation of the Site.
  • Shipping and logistics providers, such as Deutsche Post / DHL or another carrier used for dispatch.
  • Professional advisers, auditors, authorities, or courts, where disclosure is legally required or reasonably necessary to establish, exercise, or defend legal claims.

A current processor or subprocessor list is [PROCESSOR_LIST_URL_OR_ON_REQUEST].

International transfers

Some service providers may process data outside the EU / EEA. Where that happens, we rely on an approved transfer mechanism under the GDPR, such as an adequacy decision or the European Commission's Standard Contractual Clauses, together with supplementary measures where appropriate.

Storage periods

We keep personal data only for as long as necessary for the purpose for which it was collected, unless a longer retention period is required by law.

In practice, this means:

  • account data is retained for as long as the account remains active and thereafter only as needed for security, support, dispute handling, or legal retention;
  • order, invoice, and tax-relevant transaction records are retained for the statutory periods required under applicable commercial and tax law;
  • recipient and fulfilment data is retained for as long as needed to produce, dispatch, support, and document the order, and thereafter only as long as required for audit, dispute, or legal compliance purposes;
  • uploaded CSV files and production working files are retained for [RECIPIENT_DATA_RETENTION_PERIOD];
  • support communications are retained for [SUPPORT_RETENTION_PERIOD];
  • server, security, and rate-limit logs are retained for [LOG_RETENTION_PERIOD]; and
  • consent records are retained for as long as needed to demonstrate and enforce the user's choices.

Your rights

Subject to the conditions of applicable law, you may request:

  • access to your personal data;
  • rectification of inaccurate data;
  • deletion of data;
  • restriction of processing;
  • data portability;
  • objection to processing based on legitimate interests; and
  • withdrawal of consent at any time for processing based on consent.

You can send such requests to: [LEGAL_EMAIL]

We will generally respond without undue delay and, in principle, within one month of receiving the request, subject to the rules of the GDPR.

You also have the right to lodge a complaint with a supervisory authority. You may contact the authority in the country of your habitual residence, your place of work, or the place of the alleged infringement. The competent authority for Handwrite is expected to be [DATA_PROTECTION_AUTHORITY].

Cookies, local storage, and similar technologies

We use technologies that are necessary to operate the Site as well as optional technologies that depend on consent.

Essential technologies

These are used for functions such as:

  • authentication and session management;
  • language preference and locale routing;
  • security and rate-limiting;
  • checkout continuity and order handling; and
  • remembering that you have made a consent choice.

Optional analytics and marketing technologies

Where required by law, optional analytics and marketing technologies are activated only after consent. You can manage those choices through the consent banner or cookie-preferences controls.

Consent choices may be stored in browser storage, including local storage, so your preferences can be remembered and applied.

If you give marketing consent, we may store a first-party attribution cookie (hw_attr) for up to 30 days. It can contain campaign parameters such as UTM tags, advertising click identifiers, referrer, landing path, Google Analytics client ID, and the capture time. When you start checkout, we may store the attribution record and the consent snapshot with the order.

After Stripe confirms payment, we may send a server-side purchase event to Google Analytics through the Google Analytics Measurement Protocol. If marketing consent was not given, the event is sent, where configured, only as a consentless measurement ping without campaign attribution or advertising click identifiers.

Recipient data supplied by customers

If you upload or otherwise provide personal data relating to third-party recipients, you are responsible for ensuring that you are entitled to provide that data and instruct us to process it for fulfilment.

For self-serve orders, Handwrite processes recipient data as needed to fulfil the order, handle support, keep required records, prevent abuse, and defend legal claims. For business-customer campaigns where you determine the recipients, message content, and mailing purpose, you may be the controller of that recipient data and Handwrite may act as your processor for production and dispatch. Where a processor arrangement is required, a separate data-processing agreement must be agreed before the campaign.

Automated decision-making

We do not use your personal data for solely automated decision-making that produces legal effects or similarly significant effects on you within the meaning of Art. 22 GDPR.

Security

We implement reasonable technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access. No system is completely risk-free, and we cannot guarantee absolute security.

Children

The Services are not directed to children. We do not knowingly collect personal data from children in violation of applicable law.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, technical, or operational changes. The updated version will be posted on this page with a revised effective date.

Contact

[LEGAL_PROVIDER_NAME]
[LEGAL_STREET_ADDRESS]
[LEGAL_POSTCODE_CITY_COUNTRY]
Email: [LEGAL_EMAIL]
