1. Data Controller
TERRA NATURA UG (limited liability)
c/o Jatex Natur & Technik Handels-GmbH
Jakob-Klar-Strasse 4, 80796 Munich, Germany
Phone: +49 89 8099 1519
Email: shop@terranatura.de

We operate the online shop www.terranatura.de (hereinafter referred to as “Website”).

Data Protection Officer: Currently not appointed, as there is no legal obligation under Art. 37 GDPR. For any questions, please contact us using the contact details above.

2. General Information on Data Processing
We process personal data in accordance with the General Data Protection Regulation (GDPR), the German Telecommunications-Telemedia Data Protection Act (TTDSG), and all other applicable legal provisions.
Personal data means any information relating to an identified or identifiable natural person. “Processing” includes any operation performed on personal data such as collection, storage, use, or transmission.

3. Hosting & Technical Infrastructure (Shopify)
Our Website is hosted on the Shopify platform. Shopify International Ltd., 2-4 Sir John Rogerson’s Quay, Dublin 2, Ireland, provides the shop system and hosting as our processor. Sub-processors within the Shopify group in Canada (EU Commission adequacy decision) and the USA may be used. For data transfers to the USA, Shopify uses EU Standard Contractual Clauses (SCCs).

4. Data Processing When Visiting the Website
When you visit our Website, we process data to ensure it is provided properly and securely. This includes your IP address, date and time of access, files accessed, referrer URL, and user agent. The legal basis is our legitimate interest in a technically error-free and secure presentation of our services (Art. 6(1)(f) GDPR). The data is stored for 30 days and then anonymized. There is no merging with other data sources.

5. Cookies & Consent Management
We use cookies and similar technologies. Technically necessary cookies are set without your consent in accordance with § 25(2) No. 2 TTDSG. We only set analytics and marketing cookies with your prior consent via our consent banner (“Cookie Settings”, Art. 6(1)(a) GDPR and § 25(1) TTDSG). You can withdraw your consent at any time via the “Cookie Settings” link in the footer. A current list of cookies used can be found there and in our consent tool.

6. Orders & Customer Accounts
When you shop in our store or create a customer account, we process your name, address, email, phone number, order details (products, price, payment method, shipping and billing address), as well as account data (username, password encrypted). The legal basis is the initiation and performance of a contract (Art. 6(1)(b) GDPR) and legal obligations for storage (Art. 6(1)(c) GDPR). Contract and invoice data are stored for up to 10 years in line with commercial and tax law. Customer account data is stored until you request deletion.

Providing this data is necessary for the conclusion of the contract. Without it, we cannot process your order.

7. Payment Processing
To process payments, we share your data with the respective payment service provider. For payments via Shopify Payments (credit card, Klarna Pay Now, Sofort, Apple Pay, Google Pay), Shopify International Ltd. and Stripe Payments Europe Ltd. act as joint controllers. For PayPal payments, the independent controller is PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg. The legal basis is Art. 6(1)(b) GDPR for contract processing and Art. 6(1)(f) GDPR for secure, fraud-proof payment handling.

8. Shipping Providers
To deliver your orders, we share shipping and contact details with Deutsche Post DHL Group based on Art. 6(1)(b) GDPR.

9. Newsletter (Shopify Email)
With your explicit consent (Art. 6(1)(a) GDPR; § 7(2) No. 3 UWG), we send email newsletters via Shopify Email. We use a double opt-in procedure. Each newsletter contains an unsubscribe link. You can withdraw your consent at any time without incurring any costs other than transmission costs at basic rates.

10. Web Analytics with Google Analytics
Our Website uses Google Analytics (Google Ireland Ltd.) to analyze usage behavior. Google Analytics is only activated after you have given your consent (Art. 6(1)(a) GDPR and § 25 TTDSG). IP anonymization is enabled. Data may be transferred to Google LLC in the USA, with protection ensured through SCCs and additional safeguards. You can withdraw your consent at any time via the consent banner.

11. Recipients & Processors
In addition to the companies named above, we use service providers in categories such as hosting, IT support, customer service, accounting, and document destruction. All service providers are bound by data processing agreements in accordance with Art. 28 GDPR.

12. Data Transfers to Third Countries
Some recipients (Shopify, Google, Stripe) are located in or process data in countries outside the EU/EEA. Data protection is ensured through an EU adequacy decision for Canada (Shopify Inc.) and EU Standard Contractual Clauses for transfers to the USA, combined with additional safeguards such as encryption and pseudonymization. Copies of the SCCs can be provided on request.

13. Storage Periods
Contract and invoice data are stored for 10 years in accordance with tax and commercial law. Customer account data is stored until you request deletion or for up to 3 years after your last activity. Newsletter consent is retained for 3 years after your last use as proof of consent. Google Analytics data is retained for 14 months. Server log files are stored for 30 days.

14. Your Rights
You have the right to request information about your stored data (Art. 15 GDPR), to correct inaccurate data (Art. 16 GDPR), to have your data erased (Art. 17 GDPR), to restrict processing (Art. 18 GDPR), to receive your data in a portable format (Art. 20 GDPR), to object to processing based on Art. 6(1)(e) or (f) GDPR (Art. 21 GDPR), and to withdraw consent given at any time (Art. 7(3) GDPR). You also have the right to lodge a complaint with a supervisory authority, such as the Bavarian Data Protection Authority (BayLDA), Promenade 27, 91522 Ansbach, Germany.

15. Obligation to Provide Data
Providing personal data is not legally or contractually required. However, name, address, and payment and shipping data are necessary for concluding a contract. Without this information, we cannot conclude a contract with you.

16. Automated Decision-Making
We do not carry out automated decision-making or profiling as defined in Art. 22 GDPR.

17. Data Security
We secure our Website and IT systems through technical and organizational measures in accordance with Art. 32 GDPR. This includes TLS encryption, access controls, and regular backups.

18. Changes to This Privacy Policy
We reserve the right to adjust this Privacy Policy if we introduce new features or if legal requirements change. The current version is always available on our Website.

19. Contact
If you have any questions or concerns about data protection, please contact us at:
Email: auftrag@terranatura.de
Post: TERRA NATURA UG, Jakob-Klar-Strasse 4, 80796 Munich, Germany.