Privacy policy

Last Updated: 23 September 2025


Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation”, GDPR).

This Privacy Policy informs you about the type, scope, and purpose of the processing of personal data (“Data”) on this website finestartmanufactory.com (hereinafter “Site”, “we”, “us” or “our”). We take the protection of your data very seriously and strictly comply with the requirements of the EU General Data Protection Regulation (GDPR) as well as the Austrian Data Protection Act (DSG).


Please read this Privacy Policy carefully.

1. General Information

The following notes give you a simple overview of what happens to your personal data when you visit this website. Personal data are all data by which you can be personally identified. For detailed information on data protection, please refer to our full Privacy Policy below this text.

Changes to this Privacy Policy

We reserve the right to update this Privacy Policy. The currently valid version will always be published on our website; in the case of material changes we will inform you appropriately (for example by email to registered customers).

Who is responsible for data collection on this website / Notice about the responsible entity

The processing of data on this website is carried out by the website operator:

Responsible under data protection laws (e.g. GDPR):
finestartmanufactory.com
Represented by: Artist Prof. Dr. Love
Address: Gentzgasse 123/5, A-1180 Vienna, Austria
Email: finestartmanufactory@gmail.com

For certain processing operations on this website there is joint responsibility with Shopify International Ltd., Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, Ireland (Art. 26 GDPR).
The responsible entity is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g. names, email addresses or similar).

Hosting & Platform (Shopify)

Our online shop is operated via the Shopify platform. The provider for customers in the European Economic Area (EEA), the United Kingdom, and Switzerland is Shopify International Ltd. The parent company is Shopify Inc., 151 O’Connor Street, Ottawa, ON K2P 2L8, Canada.
Shopify processes personal data both as our processor (Art. 28 GDPR) and – for its own purposes such as fraud prevention or Shopify Payments – as its own controller.

How We Collect Your Data

Your data are collected in two ways:

    • On the one hand, you provide them to us, for example when entering data in a contact form.
    • On the other hand, other data are automatically collected by our IT systems when you visit the website. These are mainly technical data (e.g. internet browser, operating system or time of page visit). The collection of this data occurs as soon as you enter this website.

    We process personal data under the following legal bases:

    • for the performance of a contract (Art. 6(1)(b) GDPR), e.g. order, delivery, invoicing;
    • for compliance with legal obligations (Art. 6(1)(c) GDPR), e.g. tax/accounting retention;
    • on the basis of legitimate interests (Art. 6(1)(f) GDPR), e.g. fraud prevention, IT/operational security, anonymised statistics/analytics;
    • for marketing/tracking, in principle on the basis of your consent (Art. 6(1)(a) GDPR), where legally required.

    What We Use Your Data For

    Some of the data are collected to ensure the error-free provision of the website. Other data may be used to analyze your user behavior:

    • We process personal data inter alia for order fulfillment, payment processing, customer communication, fraud prevention, compliance with legal obligations as well as for marketing (with consent).
    • We use Shopify as the shop platform; Shopify and selected third-party providers (sub-processors) also process data outside the EU/EEA. Shopify has contractual and technical protective measures in place (DPA; Standard Contractual Clauses).
    • For marketing/analytics cookies (e.g. Google Analytics, Meta-Pixel, TikTok-Pixel) we obtain your explicit consent, if this is legally required.
    • You have extensive data subject rights (access, correction, deletion, restriction, data portability, withdrawal, right to complain). Details follow below.

    Which Categories of Data We Process

    Depending on your use of our website and online shop, the following categories of data may be processed:

    • Identifiers / Contact Data: name, address, email address, telephone number;
    • Order Data: purchases, billing and delivery address, payment status;
    • Payment Data: payment confirmation (we typically do not receive full credit card details — these are processed by payment service providers);
    • Communication Data: content of inquiries, support dialogues;
    • Usage Data: IP address, technical data about your device/browser, access times, cookies/tracking IDs;
    • Other required data, e.g. for credit checks or shipping.

    Specific Purposes of Processing

    We use your data, in particular, for:

    • Order fulfillment: processing of orders, delivery, returns, invoicing;
    • Payment processing together with payment service providers;
    • Customer service and communications;
    • Fulfilling legal retention obligations (commercial/tax law);
    • Security and fraud prevention (e.g. protection against payment fraud);
    • Analysis, website optimization and, with your consent, marketing / remarketing;
    • Provision and operation of the shop platform (Shopify) and related services.

    Your Rights with Respect to Your Data

    You have the right at any time to obtain information about the origin, recipients and purpose of your stored personal data at no cost. You also have the right to request correction or deletion of such data. If you have given consent to the processing of your personal data, you may withdraw that consent at any time for the future (right of withdrawal). In certain circumstances, you also have the right to request restriction of processing of your personal data. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.

    You can contact us at any time about this or with further questions concerning data protection.

    2. Important Notes and Mandatory Information

    Data Protection

    The operators of this Site take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations and this Privacy Policy.

    When you use this Site, various personal data will be collected. Personal data are those data by which you can be identified. This Privacy Policy explains which data we collect and what we use them for. It also explains how and for what purpose this happens.

    We point out that data transmission on the Internet (for example through communication by e-mail) can have security vulnerabilities. Complete protection of data against access by third parties is not possible.

    Storage Duration

    Unless a more specific storage duration is stated in this Privacy Policy, your personal data will remain with us until the purpose for which they were processed no longer applies. If you make a legitimate request for erasure or withdraw your consent to data processing, your data will be deleted unless we have other legally permissible reasons for retaining your personal data (e.g. statutory tax or commercial law retention periods). In that case deletion will occur after those reasons have ceased to apply.

    • Order data: 6 years (commercial law retention)
    • Tax data (accounting records): 10 years (legal tax retention obligations)
    • Consent records: up to 3 years after withdrawal (as evidence of the lawfulness of past processing)
    • Server / log files: anonymised no later than 7 days, where technically feasible
    • Newsletter data: until withdrawal of consent

    3. General Notes on the Legal Bases for Data Processing on this Site

    If you have given consent to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR if special categories of data (per Art. 9(1) GDPR) are processed. In case of explicit consent to the transfer of personal data to third countries, the processing also occurs on the basis of Art. 49(1)(a) GDPR. If you have consented to the storage of cookies or access to information on your device (e.g. via device fingerprinting), processing also takes place on the basis of § 25(1) TTDSG. Consent can be revoked at any time. If your data are required for contract performance or for the execution of pre-contractual measures, we process them on the basis of Art. 6(1)(b) GDPR. Moreover, we process your data if required by a legal obligation under Art. 6(1)(c) GDPR. Processing may also be based on our legitimate interest under Art. 6(1)(f) GDPR. The specific legal basis in each individual case will be disclosed in the relevant sections of this Privacy Policy.

    You have the right to:

    • access the personal data concerning you;
    • correct inaccurate data;
    • erase (right to be forgotten), within legal bounds;
    • restrict processing;
    • data portability;
    • withdraw any given consent (e.g. for marketing) without stating reasons;
    • object to processing under certain circumstances;
    • lodge a complaint with the relevant supervisory authority.

    (How to exercise these rights: Please send us an email at: finestartmanufactory@gmail.com or use any provided forms in your customer account. We will handle your request in accordance with legal deadlines and may request proof of identity.)

    Technical and Organizational Measures (TOMs)

    We adopt appropriate technical and organizational measures in accordance with Art. 32 GDPR to protect personal data. These include, in particular, the encryption of transmission (e.g. via SSL/TLS), access controls, pseudonymisation where meaningful, as well as regular security audits. Shopify and many subprocessors hold additional security certifications (e.g. PCI DSS, SOC reports).

    Right to Opt-Out of Promotional E-mails

    Use of contact details published within the scope of the legal notice to send unsolicited advertising and information material is hereby objected to. The operators of the Site expressly reserve the right to take legal action in case of unsolicited sending of advertising materials, such as spam emails.

    Data of Children

    The services are not intended for use by children, and we do not knowingly collect personal data from children. If you are a parent or guardian of a child who has provided us with personal data, you may contact us using the contact details below and request deletion of that data.
    At the time this Privacy Policy comes into force, we have no actual knowledge that we share or sell personal data of persons under 18 years of age (as those terms are defined in applicable law).

    4. Data Collection on this Site

    Cookies, Tracking, Pixels, Remarketing

    Our websites use so-called “cookies.” Cookies are small data packages and cause no harm to your device. They are either stored temporarily for the duration of a session (session cookies) or permanently (persistent cookies) on your device. Session cookies are automatically deleted at the end of your visit. Persistent cookies remain until you delete them yourself or your browser automatically removes them.

    In some cases, cookies from third-party companies may also be stored on your device when you visit our site (third-party cookies). These allow us or the third party to provide certain services of the third party (e.g. to facilitate payment services).
    Cookies serve different functions or purposes. Many cookies are technically necessary, because certain website functions would not work without them (e.g. the shopping cart function or the display of videos). Other cookies serve to evaluate user behavior or display advertising.

    There is a distinction between technically necessary cookies and non-necessary cookies. Unless otherwise stated, the legal basis is, in each case, Art. 6(1)(f) GDPR by § 165 TKG. A distinction is made here between the legitimate interest of the website operator (in the case of technically necessary cookies) and consent (technically non-necessary cookies).

    Cookies that are required to carry out the electronic communication process, to provide certain functions you have requested (e.g. for the shopping cart function) or to optimise the website (e.g. cookies for measuring web audience) (necessary cookies) are stored on the basis of Art. 6(1)(f) GDPR, unless another legal basis is specified. The website operator has a legitimate interest in the storage of necessary cookies for the technically error-free and optimised provision of its services. Where consent for the storage of cookies and comparable recognition technologies has been requested, processing is carried out exclusively on the basis of this consent (Art. 6(1)(a) GDPR and § 25(1) TTDSG); consent can be revoked at any time (see Right of Withdrawal).

    You can set your browser so that you are informed about cookies being set, that cookies are only permitted in individual cases or generally refused, and that cookies are automatically deleted when you close your browser. Disabling cookies may limit functionality of this website. Insofar as cookies from third-party companies or for analysis purposes are used, we will inform you separately about this within the framework of this privacy policy and, if applicable, request your consent.

    • Essential cookies that are required for the operation of the shop (shopping cart, security) are used without consent.
    • Statistics and marketing cookies (Google Analytics, Facebook/Meta Pixel, TikTok, YouTube) are only used with your explicit consent via a consent banner (opt-in). The technical implementation allows for withdrawal and granular consent.
    • For the use of advertising/tracking tools, the respective data protection notices of the providers apply; these providers may transfer data to third countries (see section Transfers above).

    Analytics / Tracking / Pixel

    • Google Analytics / Google Ireland Ltd. (tracking, analytics, Google Ads)
    • Meta / Facebook / Instagram (Meta Platforms Ireland Ltd. / Meta Platforms, Inc.) — pixel / conversion tracking
    • TikTok Pixel / TikTok provider (TikTok Technology Limited, 10 Earlsfort Terrace, Dublin)

    Any embedding of external services (e.g. tracking pixels) results in transmission of personal data to the service provider; for marketing / targeting and analysis, explicit consent is generally required in the EU/EEA. We maintain a technically correct consent banner for marketing / tracking.

    Shop Platform

    • Shopify International Ltd. (Ireland) and Shopify Inc. (Canada / USA) — platform, hosting, subprocessor management.

    Third Countries (International Transfers) / Subprocessors / Processors

    Any transfer to countries outside the EEA / Switzerland takes place only if an adequacy decision exists (e.g. Canada for Shopify Inc.) or if suitable safeguards pursuant to Art. 46 GDPR (Standard Contractual Clauses 2021) are in place, or if an exception under Art. 49 GDPR applies. Shopify has assured that appropriate guarantees are used for all transfers. The current list of subprocessors is available here: (Shopify Subprocessors)

    Third-Party & Subprocessors

    We work with third parties (Shopify, Google, Meta, PayPal, Stripe and Shopify apps installed by us).
    If data are transmitted to recipients outside the EEA, this occurs only on the basis of suitable guarantees (e.g. EU standard contractual clauses or valid adequacy decisions). An up-to-date list of our processors and subprocessors is maintained in our Cookie / Processor-Matrix or is available upon request.

    • Shopify publishes its subprocessor list publicly and regulates transfers in its DPA. Shopify processes data via its Irish entity (Shopify International Ltd.) and transfers data to other Shopify locations and carefully selected subprocessors; this may include jurisdictions outside the EU/EEA (e.g. Canada and the USA). For such transfers Shopify employs suitable protective measures (e.g. DPA, standard contractual clauses, binding corporate rules), designed to ensure adequate protection of the data. Please review Shopify’s current subprocessor list and the jurisdictions listed. 

      (Shopify Subprocessor)

    • Your rights with respect to subprocessors / objection: Shopify provides merchants with mechanisms to be informed of changes to subprocessors; within the contractual framework a merchant may raise objections to a new subprocessor under contractually agreed conditions.

    Server Log Files

    When our website is accessed, the web server operated by Shopify automatically collects log files. These data include:

    • Browser type and version
    • Operating system used
    • Referrer URL
    • Hostname of the accessing computer
    • Time of the server request
    • IP address

    These data are processed solely for the purposes of operation, security and optimization of our website. A merging of these data with other sources does not take place as a rule. A link is only made in exceptional individual cases when a legitimate interest under Art. 6(1)(f) GDPR exists (e.g. for investigation of abuse or defense against attacks).

    Contact Form

    If you contact us via contact form, your entries in the query form including the contact data provided by you there are stored by us for the purpose of handling the inquiry and for the case of follow-up questions. We do not disclose these data without your consent.

    Processing of the data entered in the contact form is carried out on the basis of Art. 6(1)(b) GDPR, insofar as your inquiry is related to the fulfilment of a contract or required for pre-contractual measures. In all other cases it is based on our legitimate interest in the effective handling of inquiries (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) if one was requested; consent may be revoked at any time.

    The data you enter in the contact form remain with us until you ask us to delete them, withdraw your consent to storage or the purpose of data storage no longer applies (e.g. after completion of handling your inquiry). Mandatory legal provisions – particularly retention periods – remain unaffected.

    Contact via Email, Post or Telephone

    If you contact us by email, post, or telephone, your request, including all personal data resulting from it (name, request) will be stored and processed by us for the purposes of handling your concern. We do not share these data without your consent.

    Processing is on the basis of Art. 6(1)(b) GDPR insofar as your request relates to contract performance or pre-contractual steps. In all other cases it is based on our legitimate interest in effectively handling requests (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) if requested; consent may be revoked at any time.

    The data submitted via contact requests remain with us until you ask for their deletion, withdraw your consent to their storage or the purpose for which they were stored ceases (e.g. after your concern has been dealt with). Mandatory legal provisions – particularly statutory retention periods – remain unaffected.

    5. eCommerce, Payment Service Providers and Shipping Providers

    Processing of Customer and Contract Data

    We collect, process and use personal customer and contract data for the establishment, substantive arrangement and modification of our contractual relationships. We collect, process and use personal data on the use of this website (usage data) only to the extent necessary to enable the user to make use of the service or to bill for it. The legal basis for this is Art. 6(1)(b) GDPR.

    The customer data collected will be deleted after completion of the order or termination of the business relationship and after the expiry of any statutory retention periods. Statutory retention periods remain unaffected.

    Data Transmission upon Conclusion of a Contract for Online Shops, Merchants and Goods Shipment

    If you order goods from us, we transmit your personal data to the transport company entrusted with delivery as well as to the payment service provider commissioned with the payment processing. Only the data that the respective service provider needs to fulfill its task will be disclosed. The legal basis for this is Art. 6(1)(b) GDPR, which permits the processing of data for the performance of a contract or pre-contractual measures. If you have given the corresponding consent under Art. 6(1)(a) GDPR, we will pass on your email address to the transport company entrusted with the delivery so that it can inform you by email about the shipping status of your order; you can revoke this consent at any time.

    Shipping / Fulfilment:

    • DPD GmbH
    • Österreichische Post AG

    Payment Services

    We integrate payment services from third-party companies on our website. When you make a purchase from us, your payment data (e.g. name, amount of the payment, bank details, credit card number) will be processed by the payment service provider for the purpose of processing the payment. For these transactions the respective contractual and data protection provisions of the respective providers apply. The use of payment service providers is based on Art. 6(1)(b) GDPR (contract processing) and in the interest of a smooth, convenient and secure payment process (Art. 6(1)(f) GDPR). Insofar as your consent is requested for certain actions, Art. 6(1)(a) GDPR is the legal basis for data processing; consents can be revoked at any time with effect for the future.

    The following payment services / payment service providers are used on this website:

    Shopify Payments

    Provider for customers within the EU is Shopify International Ltd., Attn: Data Protection Officer,
    c/o Intertrust Ireland, 2nd Floor 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland (hereinafter “Shopify Payments”).
    Data transfer to the USA is based on the EU Commission’s Standard Contractual Clauses. Details can be found here: https://www.shopify.com/at/legal/datenschutz
    Further details can be found in Shopify’s privacy policy at the following link: https://www.shopify.com/at/legal/datenschutz

    Stripe
    Provider for customers within the EU is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (hereinafter “Stripe”).
    Data transfer to the USA is based on the EU Commission’s Standard Contractual Clauses. Details can be found here: https://stripe.com/de/privacy
    Further details can be found in Stripe’s privacy policy at the following link: https://stripe.com/de/privacy

    Google Payments
    Provider for customers within the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter “Google Payments”).
    Data transfer to the USA is based on the EU Commission’s Standard Contractual Clauses. Details can be found here: https://policies.google.com/privacy
    Further details can be found in Google’s privacy policy at the following link: https://policies.google.com/privacy

    Klarna Bank AB (publ)
    Provider for customers within the EU is Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden (hereinafter “Klarna”).
    Data transfer to the USA is based on the EU Commission’s Standard Contractual Clauses. Details can be found here: https://www.klarna.com/at/datenschutz/
    Further details can be found in Klarna’s privacy policy at the following link: https://www.klarna.com/at/datenschutz/

    EPS
    Provider for customers within the EU is PSA Payment Services Austria GmbH, Handelskai 92, Gate 2, 1200 Vienna (hereinafter “EPS”).
    Data transfer to the USA is based on the EU Commission’s Standard Contractual Clauses. Details can be found here: https://eps-ueberweisung.at/de/datenschutzhinweis
    Further details can be found in EPS’s privacy policy at the following link: https://eps-ueberweisung.at/de/datenschutzhinweis

    PayPal

    Provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter “PayPal”).
    Data transfer to the USA is based on the EU Commission’s Standard Contractual Clauses. Details can be found here: https://www.paypal.com/de/webapps/mpp/ua/pocpsa-full
    For details, please refer to PayPal’s privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

    If you have any questions about our privacy practices or this Privacy Policy, or if you wish to exercise any of your rights, please email us at: finestartmanufactory@gmail.com