Privacy policy

PRIVACY POLICY
Lune Ndiaye
Last Updated: February 2025

1. CONTROLLER AND CONTACT
The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR), UK GDPR and other applicable data protection laws is:
Controller: Alioune Ndiaye, operating under the business name "Lune Ndiaye"
Address: Mira e.V., Zur Bettfedernfabrik 3, 30451 Hannover, Germany
Phone: +49 1520 3997808
Email: kontakt@lune-ndiaye.com
2. GENERAL INFORMATION ON DATA PROCESSING
We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with statutory data protection regulations as well as this privacy policy.
Personal data is any data that can be personally related to you, e.g. name, address, email addresses, user behavior, IP address.
This privacy policy applies to users worldwide and takes into account:
  • GDPR (General Data Protection Regulation) for EU/EEA customers
  • UK GDPR for customers in the United Kingdom
  • CCPA/CPRA (California Consumer Privacy Act) for California customers
  • Swiss Data Protection Act (revDSG) for Swiss customers
  • Other applicable regional data protection laws
3. COLLECTION AND STORAGE OF PERSONAL DATA
3.1 Type and Scope of Data Processing
When you visit our website, the following information is automatically collected by our technical service provider Shopify:
  • IP address of the requesting computer
  • Date and time of access
  • Name and URL of the retrieved file
  • Website from which access is made (referrer URL)
  • Browser used and, if applicable, the operating system of your computer
  • Device information (device type, screen resolution)
  • Location data (country, region, based on IP address)
3.2 Legal Basis
Processing is carried out in accordance with:
  • Art. 6 para. 1 lit. f GDPR based on our legitimate interest in improving the stability and functionality of our website
  • CCPA: As necessary for the operation of the website
3.3 Storage Duration
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is usually the case after 7 days. Server logs may be stored for up to 90 days.
4. DATA PROCESSING FOR ORDERS
4.1 Data Collected
When placing an order, we collect the following data:
  • First and last name
  • Email address
  • Delivery address (street, house number, postal code, city, country)
  • Billing address (if different)
  • Phone number (optional, but recommended for queries)
  • Payment information (transmitted directly to the payment service provider)
  • Order history and transaction data
4.2 Legal Basis and Purpose
Processing is carried out in accordance with:
  • Art. 6 para. 1 lit. b GDPR for contract fulfillment or to carry out pre-contractual measures
  • CCPA: For contract fulfillment and provision of requested services
The data is required to:
  • Process your order
  • Ship the goods
  • Send you an invoice
  • Contact you if there are queries
  • Fulfill our legal obligations
4.3 Storage Duration
We store your personal data as long as necessary to process your order. After complete contract processing, your data is restricted for further processing and deleted after expiry of the tax and commercial law retention periods:
  • Commercial and tax law (Germany): 10 years
  • After expiry of these periods: Deletion, unless you have expressly consented to further use
5. USE OF SHOPIFY
Our online shop is hosted on the Shopify platform.
5.1 Provider
Shopify Inc.
151 O'Connor Street, Ground floor
Ottawa, Ontario K2P 2L8, Canada
5.2 Purpose of Processing
Shopify is our data processor in accordance with Art. 28 GDPR and processes your data on our behalf. This includes in particular:
  • Provision and maintenance of the shop infrastructure
  • Hosting of the website and storage of data
  • Storage of order and customer data
  • Processing of payments (in cooperation with payment service providers)
  • Sending of confirmation and transaction emails
  • Provision of analytics tools (Shopify Analytics)
5.3 Data Transfer to Third Countries
Shopify also processes data in the USA and other countries outside the EU/EEA. For data transfer, Shopify relies on:
  • Standard contractual clauses of the EU Commission (Art. 46 GDPR)
  • The EU-US Data Privacy Framework (for US data transfers)
  • Adequacy decisions for other countries
5.4 Legal Basis
Data processing is based on:
  • Art. 6 para. 1 lit. b GDPR (contract fulfillment)
  • Art. 6 para. 1 lit. f GDPR (legitimate interest in a reliable and secure shop system)
5.5 Further Information
Shopify Privacy Policy: https://www.shopify.com/legal/privacy
Shopify Data Processing Addendum: https://www.shopify.com/legal/dpa
5.6 List of Sub-Processors
IMPORTANT: Shopify uses various sub-processors to provide its services. A current list of all sub-processors can be found at: 
https://www.shopify.com/legal/subprocessors
We have concluded data processing agreements with Shopify in accordance with Art. 28 GDPR, which ensure appropriate safeguards for your personal data.
6. PAYMENT SERVICE PROVIDERS
We use external payment service providers through whose platforms users and we can make payment transactions.
6.1 Shopify Payments (Powered by Stripe)
Provider: Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland
Purpose: Processing of credit card and debit card payments, Apple Pay, Google Pay, Shop Pay
Supported payment methods:
  • Credit cards (Visa, Mastercard, American Express)
  • Debit cards
  • Apple Pay
  • Google Pay
  • Shop Pay
  • Local payment methods depending on region
Privacy Policy: https://stripe.com/privacy
6.2 PayPal
Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg
Purpose: Processing of PayPal payments, PayPal Express Checkout
Privacy Policy: https://www.paypal.com/webapps/mpp/ua/privacy-full
6.3 Klarna / Sofortüberweisung
Provider: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden
Purpose: Processing of instant bank transfers and Klarna payments
Privacy Policy: https://www.klarna.com/international/privacy/
6.4 Legal Basis
The legal basis for sharing your data is:
  • Art. 6 para. 1 lit. b GDPR (contract fulfillment)
  • CCPA: Required for contract fulfillment
7. COOKIES AND TRACKING TECHNOLOGIES
Our website uses cookies. Cookies are small text files that are stored on your device and saved by your browser.
7.1 Cookie Consent Mechanism
IMPORTANT: We obtain your explicit consent before placing non-essential cookies on your device. When you visit our website for the first time, you will see a cookie consent banner that:
  • Provides clear information about the types of cookies we use
  • Allows you to accept or reject non-essential cookies
  • Offers equally visible 'Accept' and 'Reject' buttons
  • Does NOT set non-essential cookies until you provide consent
  • Allows you to withdraw your consent at any time
Legal basis for cookie consent: Art. 6 para. 1 lit. a GDPR and ePrivacy Directive (2002/58/EC), as well as compliance with the enforcement standards set by the European Data Protection Board (EDPB) and national data protection authorities.
7.2 Technically Necessary Cookies
These cookies are essential for the operation of the website. They enable basic functions such as page navigation and access to secure areas.
The legal basis is:
  • Art. 6 para. 1 lit. f GDPR (legitimate interest)
  • § 25 para. 2 TTDSG (technical necessity)
Examples:
  • Shopping cart cookies (storage of selected products)
  • Session cookies (for identification during the session)
  • Security cookies (to protect against fraud attempts)
  • Language selection cookies (storage of selected language)
  • Currency selection cookies
Storage duration: These cookies are usually deleted at the end of the browser session or have a maximum lifetime of 30 days.
7.3 Shopify's Own Cookies and Tracking
Shopify automatically sets the following cookies:
a) TECHNICAL COOKIES (NO CONSENT REQUIRED):
  • _shopify_y: Stores checkout information (1 year)
  • _shopify_s: Stores shop session data (30 minutes)
  • cart: Stores shopping cart contents (2 weeks)
b) ANALYTICS COOKIES (ONLY WITH CONSENT):
  • _landing_page: Stores the first visited page (2 weeks)
  • _orig_referrer: Stores the referrer page (2 weeks)
  • _shopify_fs: Stores first-session data (30 minutes)
Important: We have turned OFF Shopify Network Intelligence. This means that no data is used for cross-network tracking or advertising purposes by Shopify.
7.4 Analytics and Marketing Cookies (Only with Consent)
We do NOT use additional tracking tools such as Google Analytics, Facebook Pixel or similar services.
If you consent to the use of marketing cookies, Shopify's own analytics data may be collected for:
  • Analysis of user behavior
  • Improvement of shop performance
  • Optimization of the shopping experience
These cookies are only set with your express consent in accordance with Art. 6 para. 1 lit. a GDPR.
You can revoke your consent at any time via our cookie settings or block cookies in your browser settings.
7.5 Consent Renewal
Your cookie consent is valid for 12 months. After this period, we will ask for your consent again. You may also need to provide new consent if:
  • Our purposes for collecting data change
  • You clear your browser settings or cookies
  • You use a different browser or device
7.6 Cookie Management
You can manage cookies in your browser settings:
  • Block all cookies
  • Allow only certain cookies
  • Delete cookies after each session
  • Receive notification of new cookies
Please note: If you block all cookies, some functions of our website may no longer be available (e.g. shopping cart).
7.7 Cookie Policy Updates
Our cookie consent banner is designed according to current GDPR and ePrivacy Directive requirements as of 2025:
  • Prior consent required before setting non-essential cookies
  • Equal prominence of 'Accept' and 'Reject' buttons
  • No dark patterns or manipulative design
  • Clear categorization of cookie types
  • Easy withdrawal of consent
8. USE OF THE 'TRANSLATE & ADAPT' APP
We use the official Shopify app 'Translate & Adapt' for multilingual functionality of our shop.
8.1 Provider
Shopify Inc., 151 O'Connor Street, Ground floor, Ottawa, Ontario K2P 2L8, Canada
8.2 Purpose and Functionality
The app enables:
  • Automatic translation of shop content (via Google Translate)
  • Manual adjustment of translations
  • Language switching based on browser language or manual selection
  • Adaptation of content for different markets
8.3 Data Processing
The app processes the following data:
  • Browser language and language preference
  • IP address (for location determination - this is personal data under GDPR)
  • Device information (browser, operating system)
App access to shop data (according to Shopify app permissions):
  • Online Store pages and theme (for translation)
  • Metaobjects (for structured content)
  • Web cookies (to store language selection)
  • Translations (management of multilingual content)
  • Images (for visual content)
Important: The app processes IP addresses (which are personal data under GDPR) for location determination and language selection. The app does not collect payment information or store extensive personal customer profiles.
8.4 Legal Basis
  • Art. 6 para. 1 lit. f GDPR (legitimate interest in multilingual offering)
  • Art. 6 para. 1 lit. b GDPR (contract fulfillment for multilingual orders)
8.5 Google Translate Integration
For automatic translations, the app uses Google Translate. Text content is transmitted to Google servers for translation.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Privacy Policy: https://policies.google.com/privacy
Note: When you use our website in a language other than the default, content is automatically translated via Google Translate. This means that text from our website is sent to Google servers for processing. Google may process this data in accordance with their privacy policy.
9. DISCLOSURE OF DATA TO THIRD PARTIES
We only disclose your personal data to third parties if:
  • You have given your express consent in accordance with Art. 6 para. 1 lit. a GDPR
  • The disclosure is necessary in accordance with Art. 6 para. 1 lit. f GDPR for the assertion, exercise or defense of legal claims
  • There is a legal obligation for the disclosure in accordance with Art. 6 para. 1 lit. c GDPR
  • This is legally permissible and necessary in accordance with Art. 6 para. 1 lit. b GDPR for the processing of contractual relationships with you
Recipients of personal data may include:
  • Shipping service providers (e.g. DHL, DPD, Hermes, UPS, FedEx) for delivery of goods
  • Payment service providers (Shopify Payments/Stripe, PayPal, Klarna) for payment processing
  • IT service providers (Shopify) for operation and maintenance of our website
  • Tax advisors and lawyers (in case of legal obligation)
We have concluded data processing agreements with all processors in accordance with Art. 28 GDPR.
10. INTERNATIONAL DATA TRANSFERS
As we serve customers worldwide and use international service providers, your data may be transferred to countries outside the EU/EEA.
10.1 Transfer to the USA
For data transfers to the USA (Shopify, Stripe, Google), we rely on:
  • The EU-US Data Privacy Framework (adequacy decision of the EU Commission)
  • Standard contractual clauses of the EU Commission (Art. 46 GDPR)
  • Additional technical and organizational measures
10.2 Transfer to Other Third Countries
For other countries outside the EU/EEA, we use:
  • Adequacy decisions of the EU Commission (e.g. Switzerland, UK, Canada)
  • Standard contractual clauses of the EU Commission
  • Binding corporate rules
11. SSL/TLS ENCRYPTION
For security reasons and to protect the transmission of confidential content, this website uses SSL or TLS encryption (HTTPS).
You can recognize an encrypted connection by:
  • The browser address bar changing from 'http://' to 'https://'
  • A lock symbol appearing in your browser bar
All data transmissions between your browser and our server are encrypted.
12. YOUR RIGHTS AS A DATA SUBJECT
You have the following rights regarding your personal data:
12.1 Right to Access (Art. 15 GDPR, CCPA)
You have the right to request information about your personal data processed by us. In particular, you can request information about:
  • Processing purposes
  • Categories of personal data
  • Recipients or categories of recipients
  • Planned storage duration
  • Existence of a right to rectification, erasure or restriction
  • Right to lodge a complaint with a supervisory authority
  • Origin of the data
  • Existence of automated decision-making
12.2 Right to Rectification (Art. 16 GDPR)
You have the right to request the correction of inaccurate data or the completion of incomplete data.
12.3 Right to Erasure (Art. 17 GDPR, CCPA - 'Right to Delete')
You have the right to request the deletion of your personal data if:
  • The data is no longer necessary for the purposes
  • You have withdrawn your consent
  • You have objected
  • The data was processed unlawfully
  • There is a legal obligation to delete
Exceptions: No deletion in case of statutory retention obligations, for assertion of legal claims or to fulfill legal obligations.
12.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request restriction of processing of your data if:
  • The accuracy of the data is disputed
  • The processing is unlawful
  • The data is no longer required by us but you need it to assert legal claims
  • You have objected
12.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive your data in a structured, commonly used and machine-readable format and to transmit this data to another controller.
12.6 Right to Object (Art. 21 GDPR, CCPA - 'Right to Opt-Out')
You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you that is based on Art. 6 para. 1 lit. e or f GDPR.
Objection to direct marketing: You can object at any time to the processing of your personal data for the purpose of direct marketing.
12.7 Revocation of Consent (Art. 7 Para. 3 GDPR)
You have the right to revoke your consent at any time with effect for the future. The lawfulness of processing based on consent until revocation remains unaffected.
12.8 Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)
You have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data.
Competent supervisory authorities:
FOR GERMANY (LOWER SAXONY):
Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5, 30159 Hannover, Germany
Website: https://lfd.niedersachsen.de
FOR EU CITIZENS IN OTHER COUNTRIES:
List of all EU data protection authorities: https://edpb.europa.eu/about-edpb/board/members_en
FOR UK CUSTOMERS:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
Website: https://ico.org.uk
FOR SWISS CUSTOMERS:
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1, 3003 Bern, Switzerland
Website: https://www.edoeb.admin.ch
12.9 Additional Rights for California Customers (CCPA/CPRA)
If you reside in California, you additionally have the following rights:
  • Right to information about sold or shared data
  • Right to opt-out of sale/sharing of data
  • Right to deletion of personal data
  • Right to non-discrimination when exercising your rights
  • Right to correction of inaccurate data
Important: We do NOT SELL your personal data to third parties.
12.10 'Do Not Sell or Share My Personal Information' (CCPA)
California residents have the right to opt-out of the sale or sharing of their personal information. While we do NOT sell your personal data, you can exercise your opt-out rights at any time.
To exercise your CCPA rights, please contact us at:
Email: kontakt@lune-ndiaye.com
Phone: +49 1520 3997808
We will process your request within 45 days as required by CCPA.
13. AUTOMATED DECISION-MAKING AND PROFILING
We do NOT use automated decision-making including profiling in accordance with Art. 22 GDPR.
This means: No automated decisions are made that have legal effect or similarly significantly affect you.
14. DATA SECURITY
We use appropriate technical and organizational measures to protect personal data:
Technical measures:
  • SSL/TLS encryption for all data transmissions
  • Encrypted storage of sensitive data
  • Regular security updates
  • Firewall protection
  • Access control systems
Organizational measures:
  • Data protection training for employees
  • Restriction of data access to authorized persons
  • Regular review of security measures
  • Confidentiality agreements with employees
  • Data processing agreements with service providers
15. DATA DELETION AND STORAGE DURATION
We only store personal data for as long as necessary for the respective purpose or as required by statutory retention obligations.
OVERVIEW OF RETENTION PERIODS:
  • Order and invoice data: 10 years (tax and commercial law retention obligations)
  • Shipping data: Until complete delivery + 3 years
  • Customer account data: Until deletion of account by customer
  • Contact inquiries: Until completion + 3 years
  • Server logs: 7-90 days
  • Cookie data: Depending on cookie type (see Section 7)
  • Marketing consents: Until revocation + 3 years
After expiry of the retention periods, data is routinely deleted unless further storage is necessary for contract fulfillment or for legal reasons.
16. NO DISCLOSURE OF DATA FOR ADVERTISING PURPOSES
We do NOT disclose your personal data to third parties for advertising purposes. Your data is used exclusively to fulfill our contractual and legal obligations.
17. CURRENCY AND AMENDMENT OF THIS PRIVACY POLICY
This privacy policy is currently valid and dated February 2025.
Due to the further development of our website and services or due to changed legal or regulatory requirements, it may become necessary to amend this privacy policy.
The current privacy policy can always be accessed and printed from this website. We recommend reading this privacy policy regularly.
In the event of significant changes, we will inform you through a clear notice on our website.
18. CONTACT FOR DATA PROTECTION QUESTIONS
If you have questions about data protection, wish to exercise your rights or have a complaint, please contact:
Lune Ndiaye
Alioune Ndiaye
Mira e.V., Zur Bettfedernfabrik 3
30451 Hannover, Germany
Phone: +49 1520 3997808
Email: kontakt@lune-ndiaye.com
We will process your request within 30 days (EU/UK) or 45 days (California).
19. SPECIAL NOTICES FOR DIFFERENT JURISDICTIONS
19.1 For EU/EEA Customers
This privacy policy meets the requirements of the GDPR. Your data is processed in accordance with GDPR principles: lawfulness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality.
19.2 For UK Customers
After Brexit, the UK GDPR applies in the UK, which largely corresponds to the EU GDPR. Your rights and our data protection apply equally.
19.3 For Swiss Customers
The revised Swiss Data Protection Act (revDSG) grants you similar rights to the GDPR. Your data is protected accordingly.
19.4 For California Customers (CCPA/CPRA)
In addition to the rights mentioned above:
Categories of personal data we collect:
  • Identifiers (name, address, email, IP address)
  • Commercial information (purchase history, product interests)
  • Internet/network activity information (browsing behavior)
  • Geolocation data (based on IP address)
Business purposes for data collection:
  • Contract fulfillment (order processing, shipping)
  • Customer service
  • Security and fraud prevention
  • Legal compliance
WE DO NOT SELL YOUR DATA. WE DO NOT SHARE YOUR DATA FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING.
19.5 For Customers in Other Countries
If you reside in a country not listed above, the data protection laws of your country apply. We strive to comply with the strictest international data protection standards.

Last Updated: February 2025
Lune Ndiaye | Alioune Ndiaye
kontakt@lune-ndiaye.com