Privacy Policy
Last updated: April 2026
Pepspan ("we", "us", or "our") is committed to protecting the privacy and personal data of our customers and website visitors. This Privacy Policy explains how we collect, use, store, and protect your personal information in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable national data protection laws.
1. Information We Collect
We collect and process the following categories of personal data when you use our website or place an order:
- Identity Data: Full name, as provided during the ordering process.
- Contact Data: Email address, telephone number (if provided), and shipping address.
- Transaction Data: Order history, products purchased, order amounts, and payment status. Payment card details are processed directly by Stripe and are never stored on our servers.
- Technical Data: IP address, browser type and version, operating system, referral source, pages visited, page interaction data, and visit timestamps. This data is collected via analytics tools.
- Communication Data: Records of correspondence if you contact us via email or WhatsApp, including the content and metadata of such communications.
2. How We Use Your Data
We process your personal data for the following purposes:
- To fulfill and deliver your orders, including processing payments, arranging shipping, and providing order confirmations and tracking information.
- To communicate with you regarding your orders, respond to inquiries, and provide customer support.
- To comply with legal obligations, including tax reporting, fraud prevention, and regulatory compliance.
- To improve our website, products, and services through aggregated analytics data.
- To protect our legitimate business interests, including enforcing our Terms and Conditions and preventing misuse of our services.
We do not sell, rent, or share your personal data with third parties for marketing purposes.
3. Legal Basis for Processing (GDPR Article 6)
We process your personal data based on the following legal grounds:
- Contractual Necessity (Art. 6(1)(b)): Processing necessary for the performance of a contract, such as fulfilling your product orders and providing customer support related to your purchases.
- Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with legal obligations, including tax record-keeping, anti-fraud regulations, and responding to lawful requests from public authorities.
- Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate interests, such as website security, analytics for service improvement, and fraud prevention, where such interests are not overridden by your fundamental rights and freedoms.
- Consent (Art. 6(1)(a)): Where applicable, for non-essential cookies and analytics tracking. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
4. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Order and transaction data: Retained for 7 years from the date of the transaction, in accordance with German tax and commercial law requirements (Section 147 AO, Section 257 HGB).
- Communication records: Retained for 3 years after the last interaction, unless a longer retention period is required for legal claims.
- Analytics data: Aggregated and anonymized within 26 months of collection.
- Cookie consent records: Retained for 12 months from the date of consent.
When personal data is no longer required, it is securely deleted or anonymized in accordance with our data disposal procedures.
5. Cookies
Our website uses cookies and similar technologies to enhance your browsing experience and collect analytics data. We use the following types of cookies:
- Essential Cookies: Required for the website to function properly, including session management and security features. These do not require consent.
- Analytics Cookies: Used to understand how visitors interact with our website, track page views, and measure the effectiveness of our content. These are set only with your consent.
- Preference Cookies: Used to remember your cookie consent choice via localStorage. These are functional in nature and do not track personal data.
You can manage your cookie preferences through your browser settings. Disabling cookies may affect the functionality of certain website features.
6. Third-Party Services
We share personal data with the following third-party service providers, who act as data processors on our behalf:
- Stripe (Stripe, Inc.): Processes all payment transactions. Stripe is PCI-DSS Level 1 certified and processes payment data in accordance with its own privacy policy. We do not have access to your full card details. Stripe Privacy Policy.
- Google Analytics (Google LLC): Provides website analytics and traffic measurement. IP addresses are anonymized. Data may be transferred to the United States under Standard Contractual Clauses (SCCs). Google Privacy Policy.
- Shipping carriers: Your name and shipping address are shared with our shipping partners solely for the purpose of delivering your order.
All third-party processors are contractually obligated to process your data in compliance with GDPR and applicable data protection laws.
7. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
- Right of Access (Art. 15): You have the right to request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): You have the right to request correction of inaccurate or incomplete personal data.
- Right to Erasure (Art. 17): You have the right to request deletion of your personal data, subject to our legal retention obligations.
- Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
- Right to Restriction of Processing (Art. 18): You have the right to request that we restrict the processing of your personal data in certain circumstances.
- Right to Object (Art. 21): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time.
To exercise any of these rights, please contact us at the email address listed below. We will respond to your request within 30 days, as required by law. If you are unsatisfied with our response, you have the right to lodge a complaint with your national data protection authority.
8. International Transfers
Your personal data is primarily stored and processed within the European Economic Area (EEA). Where data is transferred outside the EEA (for example, to Google LLC in the United States), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Verification that the recipient maintains adequate data protection practices.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- SSL/TLS encryption for all data transmitted between your browser and our servers.
- Secure payment processing through PCI-DSS certified providers.
- Access controls limiting data access to authorized personnel only.
- Regular review and testing of our security measures.
While we take all reasonable precautions, no method of transmission or storage is completely secure. We cannot guarantee absolute security of your data.
10. Children's Privacy
Our website and products are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a person under 18, we will take prompt steps to delete that information. If you believe a child has provided us with personal data, please contact us immediately.
11. Data Protection Officer
For any questions or concerns regarding this Privacy Policy or the processing of your personal data, please contact our Data Protection Officer:
- Email: [email protected]
- Website: pepspan.com
You also have the right to lodge a complaint with your local data protection supervisory authority. In Germany, the relevant authority is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI).
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. The "Last updated" date at the top of this page indicates when the most recent revisions were made. We encourage you to review this page periodically.
For significant changes that materially affect how we process your personal data, we will provide notice via email to registered customers at least 14 days before the changes become effective.