Privacy Policy

1. General Information

The following notes provide a simple overview of what happens to your personal data when you visit this website.
Personal data is any data that can be used to identify you personally.
For detailed information on data protection, please refer to our full Privacy Policy below.

Data Collection on This Website

Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. You can find their contact details in the section "Information on the Responsible Party" below.

How do we collect your data?
Some data is collected when you provide it to us – for example, via a contact form.
Other data is automatically collected by our IT systems when you visit the website (e.g. browser, operating system, time of access).

Why do we collect your data?
To provide and improve the website, analyze user behavior, and – if applicable – to process orders.

What rights do you have regarding your data?
You have the right to access, correct, delete, or restrict the processing of your personal data. You also have the right to lodge a complaint with the competent supervisory authority. Any consent you have given can be withdrawn at any time.

Analytics and Third-Party Tools

When you visit this website, your browsing behavior may be statistically evaluated using analytics tools.
You’ll find more information in the full Privacy Policy below.

2. Hosting

We host our website with the following provider:

Shopify
Shopify International Limited, Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland.

When you visit our website, Shopify collects your IP address as well as information about your device and browser.
It also analyzes visitor numbers, traffic sources, customer behavior, and order data. Shopify uses cookies in your browser for this purpose.
For more information: Shopify Privacy Policy

Legal Basis:
Art. 6 (1) lit. f GDPR (legitimate interest in a reliable website experience).
With consent, additionally Art. 6 (1) lit. a GDPR & § 25 (1) TDDDG. Consent can be revoked at any time.

Data Processing Agreement

We have entered into a Data Processing Agreement (DPA) with Shopify to ensure GDPR-compliant handling of personal data.

3. General Information and Mandatory Disclosures

Data Protection
We treat your personal data confidentially and in accordance with legal regulations.
This Privacy Policy explains what data we collect, how we collect it, and for what purpose.

Please note that data transmission over the internet (e.g. email communication) may have security gaps. Complete protection of data from third-party access is not possible.

Note on the Responsible Party
The responsible party for data processing on this website is:

Katharina Valoskova
Peachy Puzzles
Ludwig-Windthorst-Str. 44
76187 Karlsruhe, Germany
Phone: +49 159 06191639
Email: hello@peachypuzzles.com

The responsible party is the natural or legal person who alone or jointly with others determines the purposes and means of processing personal data.

Storage Duration
Unless otherwise stated, we store your personal data only for as long as necessary for the respective purpose. Statutory retention periods (e.g. for tax reasons) remain unaffected.

4. Legal Bases for Data Processing

If you have consented to data processing, we process your personal data based on Art. 6 (1) lit. a GDPR and, if applicable, Art. 9 (2) lit. a GDPR in the case of special categories of data under Art. 9 (1) GDPR.

If you have explicitly consented to the transfer of personal data to third countries, data processing is also based on Art. 49 (1) lit. a GDPR.

If you have consented to the storage of cookies or access to information on your device (e.g. via device fingerprinting), data processing is additionally based on § 25 (1) TDDDG. Consent can be revoked at any time.

If your data is required for contract performance or pre-contractual measures, we process it on the basis of Art. 6 (1) lit. b GDPR.
If processing is required to fulfill a legal obligation, it is based on Art. 6 (1) lit. c GDPR.

Data processing may also be based on our legitimate interests pursuant to Art. 6 (1) lit. f GDPR. The specific legal bases applicable in each individual case are detailed in the relevant sections of this Privacy Policy.

5. Data Transfers to Third Countries

Note on data transfers to countries with inadequate data protection standards and to US companies not certified under the Data Privacy Framework (DPF)

We use tools provided by companies based in countries that are not considered to offer adequate data protection under EU law, including US-based providers that are not certified under the EU-US Data Privacy Framework (DPF).
When these tools are active, your personal data may be transferred to and processed in those countries.

Please note that these countries may not guarantee a level of data protection comparable to that of the EU.

The USA is generally considered a safe third country with a data protection level comparable to the EU, provided that the data recipient is certified under the EU-US Data Privacy Framework (DPF) or offers appropriate additional safeguards.
Details on data transfers to third countries and the involved recipients can be found in this Privacy Policy.

6. Recipients of Personal Data

As part of our business operations, we work with various external parties. This may require us to share personal data with these external recipients.

We only disclose personal data to third parties when this is necessary for contract performance, required by law (e.g. disclosure to tax authorities), based on a legitimate interest pursuant to Art. 6 (1) lit. f GDPR, or if another legal basis permits such disclosure.

If we engage processors (service providers processing data on our behalf), we only transfer personal data under a valid Data Processing Agreement (DPA).
In the case of joint processing, we conclude a Joint Controllership Agreement.

7. Withdrawal of Your Consent to Data Processing

Many data processing activities are only possible with your explicit consent.
You can revoke your consent at any time.

The lawfulness of the data processing carried out before the revocation remains unaffected.

8. Right to Object under Article 21 GDPR

If data processing is based on Art. 6 (1) lit. e or f GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data, including profiling based on those provisions.

The relevant legal basis for processing can be found in this Privacy Policy.
If you object, we will no longer process your affected personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims (objection pursuant to Art. 21 (1) GDPR).

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing, including profiling to the extent that it is related to such direct marketing.

If you object, your personal data will no longer be used for direct marketing purposes (objection pursuant to Art. 21 (2) GDPR).

9. Additional Data Subject Rights

Right to Lodge a Complaint with a Supervisory Authority
If you believe that your rights under the GDPR have been violated, you have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, workplace, or the place of the alleged infringement.
This right exists regardless of any other administrative or judicial remedies.

Right to Data Portability
You have the right to receive data that we process based on your consent or in fulfillment of a contract in a structured, commonly used, and machine-readable format.
You also have the right to request the direct transfer of this data to another controller, where technically feasible.

Right of Access, Rectification, and Erasure
You have the right, within the scope of applicable legal provisions, to access your stored personal data free of charge, including its origin, recipients, and the purpose of processing.
You may also have the right to request correction or deletion of this data. For these matters and any other questions regarding personal data, you can contact us at any time.

Right to Restriction of Processing
You have the right to request the restriction of processing of your personal data in the following cases:

If the processing of your personal data has been restricted, such data may – apart from being stored – only be processed with your consent or for the establishment, exercise, or defense of legal claims, or to protect the rights of another natural or legal person, or for important reasons of public interest of the European Union or a Member State.

10. Data Collection on This Website

Cookies
Our website uses "cookies." Cookies are small text files that do no harm to your device.
They are either temporary (session cookies) or stored permanently (persistent cookies).
Session cookies are automatically deleted after your visit. Persistent cookies remain stored on your device until you delete them or your browser deletes them automatically.

Cookies may be set by us (first-party cookies) or by third parties (third-party cookies).
Third-party cookies enable the integration of specific services from external providers (e.g. payment processing).

Cookies serve various purposes. Some are technically necessary to ensure certain website functions (e.g. shopping cart or video display). Others are used to analyze user behavior or for advertising purposes.

Necessary cookies required for electronic communication, specific functions requested by you (e.g. shopping cart), or website optimization (e.g. audience measurement) are stored based on Art. 6 (1) lit. f GDPR unless another legal basis is stated.
The website operator has a legitimate interest in storing necessary cookies for a technically flawless and optimized website experience.

Where consent has been requested for the storage of cookies or use of comparable recognition technologies, processing is based exclusively on that consent (Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG); consent can be withdrawn at any time.

You can configure your browser to notify you when cookies are set, allow them only on a case-by-case basis, exclude cookies in general, or enable automatic deletion when closing the browser.
Disabling cookies may limit the functionality of this website.

Details on the cookies and services used on this website are provided in this Privacy Policy.

11. Social Media

Facebook
This website integrates elements of the social network Facebook, provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. According to Facebook, data collected may also be transferred to the USA and other third countries.

An overview of Facebook social media elements can be found here: Facebook Plugins

When a social media element is active, a direct connection is established between your device and the Facebook server. Facebook thereby receives the information that you visited our website with your IP address. If you click the Facebook “Like” button while logged into your Facebook account, the content of our site can be linked to your Facebook profile. This allows Facebook to associate your visit to our website with your user account.

More information: Facebook Privacy Policy

Legal basis: Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG (consent), which can be withdrawn at any time.

The processing of personal data on our website is carried out jointly with Facebook under Art. 26 GDPR. This joint responsibility is limited to data collection and transmission. More details: Joint Processing Agreement

EU Standard Contractual Clauses: here

Instagram
Functions of the Instagram service (Meta Platforms Ireland Limited) are also integrated into our website. When such an element is active, a direct connection to Instagram’s servers is established.

If you are logged into your Instagram account, Instagram may associate your visit to our website with your user profile.
More information: Instagram Privacy Policy

Legal basis: Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG, which can be withdrawn at any time.

This is also a case of joint processing under Art. 26 GDPR. Details can be found here: Joint Agreement Facebook/Instagram

Pinterest
This website uses features of the social network Pinterest (Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland).

When you visit a page containing a Pinterest element, a direct connection is established between your device and Pinterest’s servers. This may involve the transmission of your IP address, visited pages, browser data, and timestamps.

Legal basis: Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG, which can be withdrawn at any time.

More information: Pinterest Privacy Policy

12. Newsletter

Newsletter Data
If you would like to receive the newsletter offered on this website, we require your email address and information that allows us to verify that you are the owner of the email address and agree to receive the newsletter. No further data is collected unless provided voluntarily. We use this data exclusively to send the requested information and do not share it with third parties.

The processing of the data entered in the newsletter sign-up form is based solely on your consent (Art. 6 (1) lit. a GDPR). You can revoke your consent at any time – for example, via the “unsubscribe” link in the newsletter. The legality of data processing prior to the revocation remains unaffected.

Data you provide for the purpose of receiving the newsletter will be stored until you unsubscribe and deleted from the mailing list afterwards. We reserve the right to delete or block email addresses from our mailing list at our discretion within the scope of our legitimate interest under Art. 6 (1) lit. f GDPR.

Data stored for other purposes remains unaffected.

After you unsubscribe, your email address may be stored in a blacklist if necessary to prevent future mailings. The data in the blacklist will be used only for this purpose and not merged with other data. This serves both your interest and our interest in complying with legal requirements for newsletter communications (legitimate interest pursuant to Art. 6 (1) lit. f GDPR). Blacklist entries are stored indefinitely. You may object to the storage if your interests outweigh our legitimate interest.

13. Plugins and Tools

Google Fonts
This site uses web fonts provided by Google for uniform font display. When you visit a page, your browser loads the necessary fonts into its cache to properly display text and fonts.

To do this, your browser must establish a connection to Google’s servers. This allows Google to know that your IP address accessed our website.
The use of Google Fonts is based on Art. 6 (1) lit. f GDPR. The website operator has a legitimate interest in the consistent presentation of typography on their website.

If consent has been requested, processing is carried out exclusively based on Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user's device (e.g. device fingerprinting) as defined by the TDDDG. Consent can be revoked at any time.

If your browser does not support Google Fonts, a default font from your computer will be used.

More information about Google Fonts can be found at: https://developers.google.com/fonts/faq
Google’s Privacy Policy: https://policies.google.com/privacy

Google is certified under the EU-US Data Privacy Framework (DPF):
https://www.dataprivacyframework.gov/participant/5780

Google reCAPTCHA
We use “Google reCAPTCHA” (hereinafter “reCAPTCHA”) on this website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

reCAPTCHA is used to check whether data entered on this website (e.g. via a contact form) is made by a human or an automated program. To do this, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis starts automatically as soon as the visitor enters the website. reCAPTCHA evaluates information such as IP address, time spent on the site, or mouse movements made by the user. The data collected during the analysis is transmitted to Google.

reCAPTCHA runs entirely in the background and visitors are not notified that an analysis is taking place.

The storage and analysis of data is based on Art. 6 (1) lit. f GDPR. The website operator has a legitimate interest in protecting its site from abusive automated spying and spam.

More information about Google reCAPTCHA can be found in Google’s Privacy Policy: https://policies.google.com/privacy
and Terms of Use: https://policies.google.com/terms