Privacy Policy

1. General Information

This Privacy Policy explains how we process personal data when you visit or use this website, purchase goods, subscribe to our newsletter, contact us, use payment services, or interact with cookies, analytics and similar technologies.

Personal data means any information relating to an identified or identifiable natural person.

The processing of personal data is carried out in accordance with the General Data Protection Regulation (“GDPR”), the German Federal Data Protection Act (“BDSG”), the German Telecommunications Digital Services Data Protection Act (“TDDDG”, formerly TTDSG), and other applicable EU and German data-protection and digital legislation. The TDDDG replaced the former TTDSG terminology in Germany and continues to regulate, among other things, access to and storage of information on users’ devices, including cookies and similar technologies.

2. Controller

The controller responsible for this website is:

Aleksandar Fürer und Marika Hellmund GbR
Aleksandar Fürer
Wilhelm Reuter Weg 5
61381 Friedrichsdorf
Germany

Email: aleks@apn-gallery.com

The controller determines the purposes and means of processing personal data alone or, where applicable, jointly with others.

3. Data Protection Officer

A data protection officer has not been appointed. You may contact us directly using the contact details above.

4. General Legal Bases for Processing

We process personal data only where a legal basis applies. Depending on the processing activity, this may include:

  • Art. 6(1)(a) GDPR – Consent, for example for newsletter subscriptions, non-essential cookies, analytics or marketing technologies.

  • Art. 6(1)(b) GDPR – Contract performance or pre-contractual measures, for example when processing orders, payments, delivery information or customer enquiries relating to a purchase.

  • Art. 6(1)(c) GDPR – Legal obligation, for example tax, accounting, commercial-law or statutory retention obligations.

  • Art. 6(1)(f) GDPR – Legitimate interests, for example secure website operation, fraud prevention, basic technical logging, defence of legal claims, or business communication, provided your interests or fundamental rights do not override those interests.

Where we store information on your device or access information already stored on your device, for example through cookies, pixels, local storage or similar technologies, we also comply with Section 25 TDDDG. Non-essential technologies require prior consent unless they are strictly necessary for providing a service expressly requested by you.

5. Website Access and Server Log Files

When you access our website, technical data may automatically be processed by our web server or hosting provider. This may include:

  • IP address

  • Date and time of access

  • Browser type and version

  • Operating system

  • Referrer URL

  • Pages accessed

  • Amount of data transferred

  • Access status or error messages

This processing is necessary to provide the website, ensure technical stability, detect misuse, and maintain IT security.

Legal basis: Art. 6(1)(f) GDPR.
Legitimate interest: secure, stable and functional website operation.
Retention period: 3 years.
Recipients: hosting provider, IT service providers and, where necessary, security service providers acting as processors.

6. SSL / TLS Encryption

This website uses TLS encryption to protect data transmitted through the website. You can recognise an encrypted connection by “https://” in the browser address bar and the lock symbol in your browser.

7. Orders, Purchases and Contract Processing

If you place an order or purchase goods through our website, we process the data necessary to handle the order, payment, delivery, customer service, returns, warranty claims and statutory obligations.

This may include:

  • First and last name

  • Billing and delivery address

  • Email address

  • Telephone number, where required

  • Order details

  • Payment method and payment status

  • Delivery and shipment information

  • Customer communication

  • Tax and invoice data

We disclose personal data to third parties only where necessary for contract performance, payment processing, delivery, legal compliance or where you have consented.

Recipients may include:

  • Payment service providers

  • Banks or financial institutions

  • Shipping and logistics providers

  • IT, hosting and e-commerce service providers

  • Tax advisers, auditors, legal advisers and public authorities where legally required

Legal basis: Art. 6(1)(b) GDPR for order and contract processing; Art. 6(1)(c) GDPR for statutory obligations; Art. 6(1)(f) GDPR for fraud prevention, legal defence and efficient business administration.

Retention period: Contract, invoice, payment and accounting-related data are retained for the statutory periods applicable under German commercial and tax law. As a general rule, commercial and business letters are retained for six years and accounting or tax-relevant records for up to ten years, unless longer retention is required in individual cases.

8. Payment Services

8.1 PayPal

If you choose PayPal as a payment method, payment-related personal data will be transmitted to:

PayPal (Europe) S.à r.l. et Cie, S.C.A.
22–24 Boulevard Royal
L-2449 Luxembourg

The data transmitted may include your name, email address, billing address, delivery address, order details, payment amount and other information required to process the payment.

PayPal may process personal data as an independent controller for its own payment, fraud prevention, compliance and risk-management purposes. Please refer to PayPal’s own privacy information for details.

Legal basis: Art. 6(1)(b) GDPR for payment processing; Art. 6(1)(f) GDPR for fraud prevention and payment security; Art. 6(1)(c) GDPR where legal obligations apply.

9. Contact Requests

If you contact us by email, contact form, telephone or other communication channels, we process the information you provide in order to respond to your request.

This may include:

  • Name

  • Email address

  • Telephone number

  • Message content

  • Order or customer number, where applicable

  • Metadata of the communication

Legal basis: Art. 6(1)(b) GDPR where the request relates to a contract or pre-contractual measures; otherwise Art. 6(1)(f) GDPR based on our legitimate interest in responding to enquiries.

Retention period: Contact requests are retained for as long as necessary to handle the enquiry and any follow-up communication. Where the communication qualifies as business correspondence or is relevant for contractual, tax or legal purposes, statutory retention periods may apply.

10. Newsletter

You may subscribe to our newsletter. To do so, we require at least your email address. Additional information may be provided voluntarily.

We use a double opt-in procedure where you receive an email asking you to confirm your subscription. This helps us verify that the email address belongs to you and document your consent.

We process the following data for newsletter subscriptions:

  • Email address

  • Date and time of subscription

  • Date and time of confirmation

  • IP address used for registration and confirmation

  • Consent status

  • Optional information voluntarily provided

Purpose: sending newsletters and documenting consent.
Legal basis: Art. 6(1)(a) GDPR for sending newsletters; Art. 6(1)(f) GDPR for documenting consent and defending against claims.
Withdrawal: You may unsubscribe at any time via the unsubscribe link in each newsletter or by contacting us directly. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Retention period: Newsletter data is stored until you unsubscribe or withdraw consent. Evidence of consent may be retained for a reasonable limitation period to demonstrate compliance.

Newsletter service provider: Squarespace
Role of provider: Processor
Third-country transfer: None

11. Cookies and Similar Technologies

Our website uses cookies and similar technologies. These may include cookies, pixels, tags, scripts, local storage, software development kits or other technologies that store information on your device or access information already stored on your device.

Cookies may be:

  • Session cookies, which are deleted after the browser session ends.

  • Persistent cookies, which remain on your device until they expire or are deleted.

  • First-party cookies, set by us.

  • Third-party cookies, set by external providers.

Under Section 25 TDDDG, storing or accessing information on a user’s device generally requires consent unless the technology is strictly necessary to provide a service expressly requested by the user. The ePrivacy rules apply broadly to technologies beyond traditional cookies, including comparable tracking technologies. [securiti.ai][fieldfisher.com]

11.1 Strictly Necessary Cookies

These cookies and technologies are required for the website to function, for example:

  • Shopping cart

  • Checkout

  • Login or session management

  • Security functions

  • Consent preference storage

  • Load balancing

Legal basis for device access: Section 25(2) TDDDG.
Legal basis for personal-data processing: Art. 6(1)(b) GDPR where required for requested services or Art. 6(1)(f) GDPR for secure and functional website operation.

11.2 Non-Essential Cookies and Technologies

We use non-essential cookies and technologies only with your prior consent. These may include:

  • Analytics

  • Marketing

  • Personalisation

  • Embedded third-party content

  • Tracking pixels or similar identifiers

Legal basis for device access: Section 25(1) TDDDG.
Legal basis for personal-data processing: Art. 6(1)(a) GDPR.

You can withdraw or change your consent at any time via the cookie settings link in the footer.

The consent banner must provide clear information, genuine choice, granular options and the ability to withdraw consent as easily as it was given. Consent must be freely given, specific, informed and unambiguous under GDPR standards. 

12. Google Analytics

We use Google Analytics, a web analytics service provided by:

Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland

Google Analytics helps us understand how visitors use our website, for example which pages are visited, how long users stay, which devices are used and how users interact with the website. Google Analytics may use cookies and similar technologies.

We use Google Analytics only after you have given consent through our consent management tool.

Legal basis for device access: Section 25(1) TDDDG.
Legal basis for personal-data processing: Art. 6(1)(a) GDPR.

Data processed may include:

  • Online identifiers

  • Cookie identifiers

  • IP address, shortened or otherwise configured depending on settings

  • Device and browser information

  • Referrer URL

  • Pages visited

  • Interaction and usage data

  • Approximate location data

  • Time and duration of visit

Google may process data on servers outside the European Economic Area, including in the United States.

Where personal data is transferred to the United States, transfers may rely on an adequacy decision where the recipient is certified under the EU–US Data Privacy Framework. The European Commission adopted the adequacy decision for the EU–US Data Privacy Framework on 10 July 2023, allowing transfers to certified US companies; where no adequacy decision or certification applies, appropriate safeguards such as EU Standard Contractual Clauses must be used.

Retention period: [TO BE CONFIRMED BY COMPANY – e.g. Google Analytics data retention setting: X months].
Google Analytics configuration: [TO BE CONFIRMED BY COMPANY – e.g. IP anonymisation, Google Signals, User-ID, ads personalisation, consent mode].
Processor / controller role: [TO BE CONFIRMED BY COMPANY based on Google Analytics configuration and contracts].

You can withdraw consent at any time through the cookie settings link in the footer.

13. Analytics, Profiling, Automated Decision-Making and AI-Based Tools

We do not use website analytics to make decisions that produce legal effects concerning you or similarly significantly affect you within the meaning of Art. 22 GDPR.

We do not currently use AI-based systems for automated decision-making, credit scoring, dynamic pricing, eligibility decisions, or other decisions with legal or similarly significant effects.

If we use AI-based tools for analytics, personalisation, customer support, fraud prevention or profiling in the future, we will assess the relevant obligations under the GDPR and the EU AI Act and update this Privacy Policy accordingly.

The EU AI Act entered into force in 2024 and applies gradually, with prohibitions on certain AI practices applying from 2 February 2025, rules for general-purpose AI from 2 August 2025, and many high-risk AI obligations applying from 2 August 2026. The AI Act does not replace the GDPR; both regimes may apply where AI systems process personal data. 

14. Processors and Service Providers

We use external service providers where necessary to operate the website, process orders, send newsletters, provide analytics, manage payments, host systems, provide IT support or fulfil legal obligations.

Where service providers process personal data on our behalf, we conclude data processing agreements under Art. 28 GDPR and require appropriate technical and organisational measures.

Processors may include:

  • Hosting providers

  • E-commerce platform providers

  • Newsletter providers

  • IT support providers

  • Consent management providers

  • Analytics providers

  • Payment and logistics integration providers

Controller obligations include selecting processors carefully, documenting processing arrangements and periodically reviewing processor compliance. Recent EDPB guidance emphasises that controllers remain responsible for ensuring appropriate processor and sub-processor oversight.

15. Joint Controllers

In some cases, processing may be carried out jointly with another controller, for example where third-party platforms, analytics tools, social plugins or payment providers jointly determine purposes and means of processing.

Where joint controllership applies, we will conclude an arrangement under Art. 26 GDPR and make the essence of that arrangement available where required.

Joint controller arrangements: N/A

16. International Data Transfers

Some service providers may process personal data outside the European Economic Area.

Where we transfer personal data to countries outside the EEA, we ensure that one of the following safeguards applies:

  • An adequacy decision by the European Commission, for example for recipients certified under the EU–US Data Privacy Framework where applicable.

  • EU Standard Contractual Clauses under Art. 46 GDPR.

  • Additional technical, contractual or organisational safeguards where required.

  • Another valid transfer mechanism under Chapter V GDPR.

The EU–US Data Privacy Framework currently permits transfers to certified US organisations on the basis of the European Commission’s adequacy decision. The framework remains subject to regulatory monitoring and possible legal developments, so transfer mechanisms should be reviewed periodically.

Third-country recipients and transfer mechanisms: None

17. Data Retention and Deletion

We retain personal data only for as long as necessary for the purposes for which it was collected, unless legal obligations or legitimate interests require longer retention.

Retention criteria include:

  • Duration of the contractual relationship

  • Completion of orders, deliveries, payments and returns

  • Newsletter subscription period

  • Consent status

  • Statutory commercial and tax retention periods

  • Limitation periods for legal claims

  • IT security requirements

  • Evidence and accountability obligations under data-protection law

Where statutory retention obligations apply, data is restricted and retained only for those purposes. Once the retention period expires, data is deleted or anonymised unless further retention is legally permitted or required.

German commercial and tax law generally requires certain business records to be retained for six or ten years depending on the document category.

18. Your Rights

You have the following rights under the GDPR:

  • Right of access under Art. 15 GDPR

  • Right to rectification under Art. 16 GDPR

  • Right to erasure under Art. 17 GDPR

  • Right to restriction of processing under Art. 18 GDPR

  • Right to data portability under Art. 20 GDPR

  • Right to object under Art. 21 GDPR

  • Right to withdraw consent at any time under Art. 7(3) GDPR

  • Right not to be subject to automated decision-making under Art. 22 GDPR, where applicable

  • Right to lodge a complaint with a supervisory authority under Art. 77 GDPR

These rights are part of the transparency and data-subject-rights framework required under the GDPR. 

To exercise your rights, please contact us at:

Email: aleks@apn-gallery.com

We may need to verify your identity before responding to your request.

19. Right to Object

Where we process personal data on the basis of Art. 6(1)(f) GDPR, you have the right to object at any time on grounds relating to your particular situation.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

If your personal data is processed for direct marketing purposes, you have the right to object at any time. If you object to direct marketing, your personal data will no longer be processed for that purpose.

20. Withdrawal of Consent

Where processing is based on consent, you may withdraw your consent at any time with effect for the future.

This applies in particular to:

  • Newsletter subscriptions

  • Non-essential cookies

  • Analytics technologies

  • Marketing technologies

  • Optional personalisation features

Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

You can withdraw cookie consent through the cookie settings link in the footer.

21. Obligation to Provide Personal Data

You are not legally required to provide personal data when merely visiting the website.

However, certain data is required to:

  • Place an order

  • Process payment

  • Deliver goods

  • Respond to enquiries

  • Send newsletters

  • Comply with legal obligations

If you do not provide required data, we may be unable to provide the relevant service or conclude the contract.

22. Supervisory Authority

You have the right to lodge a complaint with a data-protection supervisory authority.

For a controller established in Friedrichsdorf, Hesse, the competent supervisory authority is generally:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)
Website: https://datenschutz.hessen.de/

You may also lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work or place of the alleged infringement, as permitted under the GDPR.

23. Security Measures

We use appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

Measures may include:

  • SSL / TLS encryption

  • Access controls

  • Secure hosting

  • User and permission management

  • Backups

  • Logging and monitoring

  • Processor due diligence

  • Data minimisation

  • Retention and deletion procedures

Security measures are reviewed and adjusted where necessary.

24. Updates to this Privacy Policy

We may update this Privacy Policy where necessary, for example due to legal changes, technical changes, new services, new providers or changes in processing activities.

Current version: V4 09.05.2026