Free shipping from Germany · 14-day money-back guarantee · No app needed
tTapenda

Privacy Policy

This English translation is provided for convenience only. The German version is legally binding.

1. Data Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Admir Fazlic, Tapenda
Germanenstr. 34
45888 Gelsenkirchen
Email: info@tapenda.com

You can find our complete contact details in our Legal Notice.

2. Hosting (Vercel)

This website is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. When the website is accessed, technically necessary data (including IP address, date and time of access, requested URL, referrer, user agent) is processed in server logs. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in secure and stable operation). This may involve a transfer to the USA, which is based on the EU Standard Contractual Clauses.

3. Database & Authentication (Supabase)

For our database and authentication, we use Supabase (Supabase Inc.). Product, order and, where applicable, account data as well as admin login credentials are stored and processed there. The legal basis is Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (operation and security of the application). Server location: Frankfurt am Main, Germany (AWS eu-central-1). A data processing agreement (DPA) is in place with the provider.

4. Payment Processing (Stripe)

We process payments via Stripe (Stripe Payments Europe, Ltd., Ireland; Stripe, Inc., USA). As part of the payment process, your name, email address, billing and/or delivery address as well as payment data are transmitted to Stripe and processed there. We do not collect or store credit card and bank details ourselves — these are processed exclusively by Stripe. The legal basis is Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (fraud prevention). Further information: stripe.com/de/privacy.

5. Email Dispatch (Resend)

For sending transactional emails (e.g. order and shipping confirmations) we use Resend (Resend, Inc., USA). In doing so, your email address and the contents of the respective message are processed. The legal basis is Art. 6(1)(b) GDPR (performance of a contract) or Art. 6(1)(f) GDPR (legitimate interest in reliable communication). A transfer to the USA is based on the EU Standard Contractual Clauses.

6. Cookies

Technically necessary cookies:

  • Shopping cart cookie — stores the contents of your shopping cart so that they are retained between page views (functional).
  • Admin session cookie — keeps users who are logged in to the admin area signed in (functional / security).
  • Consent cookie — stores your decision regarding the cookie banner (functional, 6 months).

These cookies are required for the operation of the website; the legal basis is § 25(2) TDDDG in conjunction with Art. 6(1)(f) GDPR. No consent is required for this. Statistics cookies (Google Analytics, see the following section) are set exclusively after your consent via the cookie banner.

6a. Web Analytics (Google Analytics 4)

Only with your consent (cookie banner, Art. 6(1)(a) GDPR, § 25(1) TDDDG) do we use Google Analytics 4 provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. Pseudonymized usage data is processed (pages viewed, events such as “add to cart”, truncated IP address, device information). This may involve a transfer to Google LLC in the USA, which is based on the EU-US Data Privacy Framework or the EU Standard Contractual Clauses. The retention period for the analytics data is a maximum of 14 months.

You can withdraw your consent at any time with effect for the future: via the “Cookie settings” link in the page footer, you can reopen the banner and change your selection (alternatively by deleting the consent cookie). Without consent, no web analytics take place. In addition, we measure order completions on the server side (order value and products). If your analytics consent was present at the time of the order, we use your Google Analytics client ID to attribute the order to your session (legal basis Art. 6(1)(a) GDPR). Otherwise, we transmit only a pseudonymous order ID with no personal reference (legal basis Art. 6(1)(f) GDPR, reach/revenue measurement).

7. Redirect & Scan Statistics

When a redirect link is accessed (path /r/{code}, e.g. by scanning a QR code or tapping an NFC tag), we log the user agent (browser/device identifier) and the referrer of the request for statistical purposes. We derive the country from the IP address; the IP address is processed in the process. This data serves to evaluate the reach and usage of the codes we provide.

The legal basis is Art. 6(1)(f) GDPR (legitimate interest in evaluating the use of our products and redirects). Retention period: 90 days. You can object to the processing pursuant to Art. 21 GDPR.

8. Product Reviews

After an order has been shipped, we send a one-time email requesting a product review (legal basis: Art. 6(1)(f) GDPR — legitimate interest in customer feedback on purchased products; § 7(3) UWG). If you submit a review, we process the review content, the optionally provided display name and the association with your order (proof of “verified purchase”). Approved reviews are displayed publicly on the product page with the display name (or “Anonymous”). You can request the deletion of your review at any time without any formal requirements.

9. Newsletter & Cart Reminder

Newsletter: When you sign up, we store your email address and the time of registration and confirmation (double opt-in). The legal basis is your consent (Art. 6(1)(a) GDPR); dispatch is carried out via Resend (see section 5). You can unsubscribe at any time via the link in every email.

Cart reminder: Only if you expressly consent in the shopping cart (non-pre-selected checkbox) will we send you a one-time reminder if you do not complete the purchase. The legal basis is your consent (Art. 6(1)(a) GDPR); you can withdraw it at any time with effect for the future.

10. Retention Period

We store personal data only for as long as is necessary for the respective purposes or as required by statutory retention periods (e.g. up to 10 years under commercial and tax law). After that, the data is deleted or anonymized.

11. Your Rights as a Data Subject

You have the following rights:

  • Access to your stored data (Art. 15 GDPR)
  • Rectification of inaccurate data (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR)
  • Withdrawal of consent granted, with effect for the future

To exercise your rights, an informal message to the following address is sufficient: info@tapenda.com.

12. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data (Art. 77 GDPR). The competent authority is, among others, the supervisory authority of your habitual residence or the supervisory authority responsible for us, the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf.

Last updated: 16 July 2026. This privacy policy will be adjusted in the event of changes to data processing.