Privacy Policy

Last updated: 26 May 2026

1. Who we are

OROSENDA is an online jewellery boutique operated by Shirley Pouillard, Brüderstrasse 24a, 13595 Berlin, Germany. Contact: info@orosenda.com. (Controller within the meaning of Art. 4(7) GDPR.)

2. What data we collect

When you place an order or create an account, we collect:

• Name, email address, delivery address, phone number
• Payment information (processed securely by Shopify Payments / Stripe — we never store card details)
• Order history and communication history

When you browse our store, we may collect (subject to your cookie consent):

• IP address, browser type, device type, pages visited, time spent, referring site
• Marketing identifiers (e.g. Meta click ID, Google client ID) — only after your consent

3. Why we collect it

• To process and fulfil your orders
• To send order confirmations and shipping updates
• To respond to customer service enquiries
• To improve our website and product offer (only after analytics consent)
• To send marketing emails and show personalised ads (only after consent)

4. Legal basis (GDPR)

• Contract performance (Art. 6(1)(b) GDPR) — for order processing, customer support, shipping
• Legal obligation (Art. 6(1)(c) GDPR) — for tax and accounting record retention (§ 257 HGB, § 147 AO)
• Legitimate interests (Art. 6(1)(f) GDPR) — for fraud prevention and shop security only
• Consent (Art. 6(1)(a) GDPR) — for analytics cookies, marketing cookies, retargeting pixels, and marketing emails. You can withdraw consent at any time without affecting the lawfulness of prior processing.

5. Who we share your data with (processors and recipients)

5.1 Shopify Inc.

Our shop platform. Shopify Inc., 151 O'Connor Street, Ground floor, Ottawa, ON, K2P 2L8, Canada. Data processed under a Data Processing Agreement pursuant to Art. 28 GDPR. Some processing takes place in the United States and Canada under the EU Standard Contractual Clauses.

5.2 Shopify Payments / Stripe

Payment processing. Stripe Payments Europe Ltd. (Ireland) for European transactions, with onward processing by Stripe Inc. (USA). Card data is processed directly by the payment processor under PCI-DSS Level 1 — OROSENDA never sees or stores your card number.

5.3 DHL (and other carriers)

Deutsche Post AG / DHL for shipping. Name, address, and phone number transmitted only for parcel delivery.

5.4 Klaviyo

Email marketing platform. Klaviyo Inc., 125 Summer Street, Boston, MA 02111, USA. Legal basis: your consent (Art. 6(1)(a) GDPR) when you subscribe to our newsletter or check the marketing opt-in at checkout. Klaviyo is certified under the EU-US Data Privacy Framework. Data retained until you unsubscribe (one-click link in every email). You can withdraw consent at any time by emailing info@orosenda.com.

5.5 Meta Pixel (Facebook / Instagram)

Marketing and conversion tracking. Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, with onward processing by Meta Platforms, Inc. (USA). Pixel + Conversions API used to measure ad performance and show retargeted ads. Legal basis: your consent (Art. 6(1)(a) GDPR + § 25 Abs. 1 TTDSG). Only loaded after you click "Accept" in our cookie banner. US transfer based on the EU-US Data Privacy Framework. You can withdraw consent at any time via the cookie settings link in the footer or via your Meta ad preferences.

5.6 Google Analytics 4

Website analytics. Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, with onward processing by Google LLC (USA). We use GA4 with IP anonymisation enabled. Legal basis: your consent (Art. 6(1)(a) GDPR + § 25 Abs. 1 TTDSG). Only loaded after you click "Accept" in our cookie banner. US transfer based on the EU-US Data Privacy Framework. You can opt out at any time via the cookie settings link in the footer.

5.7 Third-country transfers

Some of our processors (Shopify Inc. in Canada, Stripe Inc., Klaviyo Inc., Meta Platforms Inc., Google LLC in the USA) process data outside the European Economic Area. Transfers are based on (a) the European Commission's adequacy decision for the EU-US Data Privacy Framework where applicable, and (b) the EU Standard Contractual Clauses (SCCs, Art. 46 GDPR) supplemented by additional safeguards. You can request a copy of the relevant SCCs by emailing info@orosenda.com.

We do not sell your personal data to third parties.

6. How long we keep your data

• Order data and invoices: 10 years (§ 257 HGB, § 147 AO)
• Customer account data: until you request deletion
• Marketing consent (newsletter, cookies): until you unsubscribe or withdraw consent
• Customer service correspondence: 3 years after last contact
• Analytics data: 14 months (GA4 default) or until you withdraw consent

7. Your rights (GDPR)

You have the right to: access your data (Art. 15), correct inaccurate data (Art. 16), request deletion (Art. 17), restrict processing (Art. 18), data portability (Art. 20), object to processing (Art. 21), and withdraw consent at any time (Art. 7(3)). To exercise any right, email info@orosenda.com. You also have the right to lodge a complaint with the supervisory authority: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstraße 219, 10969 Berlin, mailbox@datenschutz-berlin.de.

8. Cookies & tracking

We use essential cookies (required for the shop and checkout to function — no consent needed) and optional cookies for analytics and marketing. Non-essential cookies (analytics, marketing, retargeting pixels including Meta Pixel and Google Analytics) load only after you grant consent via our cookie banner. You can withdraw consent at any time via the "Cookie settings" link in the footer of every page. Browser-based opt-outs are not a substitute for consent under § 25 TTDSG.

9. Contact

info@orosenda.com | OROSENDA, Brüderstrasse 24a, 13595 Berlin, Germany