Privacy policy
This online store (the “Services”) is operated by Goldfels Julian Pfeffer (“Goldfels”, “we”, “our”, “us”) and is powered by Shopify. This Privacy Policy explains in detail how we collect, use, disclose and safeguard your personal information when you browse, purchase our products or otherwise interact with the Services, and how you can exercise your data-protection rights.
Please read this Policy carefully. By accessing or using the Services, you acknowledge that you have read and understood it. Where this Policy conflicts with other Goldfels terms, this Policy prevails for privacy matters.
0. Legal framework
- EU General Data Protection Regulation (Reg. (EU) 2016/679 – “GDPR”)
- United Kingdom GDPR (“UK GDPR”)
- Swiss Federal Act on Data Protection 2023 (“revFADP”)
1. Controller details
- Goldfels Julian Pfeffer – Eichenhainstr. 11, 94526 Metten, Germany
- Phone: +49 991 297 99079
- E-mail: privacy@goldfelsstore.com
2. Relationship with Shopify
The Services are hosted by Shopify International Ltd. Shopify may process certain personal information as an independent controller in order to operate, secure and improve its platform. Please refer to the Shopify Consumer Privacy Policy and Privacy Portal for those specific activities and associated rights.
Meta Pixel & Instagram Shop: For the initial collection and transmission of data via the Meta Pixel we and Meta Platforms Ireland Ltd. act as joint controllers within the meaning of Art. 26 GDPR. We have concluded the Joint Controller Addendum provided by Meta. Meta processes the data thereafter under its own responsibility; see Meta’s privacy notice for details.
3. Personal data we collect or process
- Contact data – name, billing / shipping address (including company name & VAT number if you buy on behalf of a business), phone, e-mail
- Payment & transaction tokens – card-token, PayPal / Klarna / Stripe reference, transaction IDs (we do not store full card numbers; payment details are handled directly by our payment providers)
- Order & returns history – products viewed, cart contents, purchases, returns
- Device & usage data – IP address, browser & OS, click-stream, general location inferred from IP (city/region level only)
- Communications – e-mails, customer-service messages
- Inferences – product interests derived from browsing & purchase behaviour
We do not process any information that qualifies as a “special category of personal data” under Art. 9 GDPR or similarly sensitive categories under other applicable data-protection laws.
Mandatory vs. optional data: Certain information is required to enter into a purchase contract (e.g. name, delivery address and payment details). If you do not provide these, we cannot fulfil your order. Other information is optional and is marked as such at the point of collection.
4. Why and on what legal basis we process your data
| Purpose | Legal basis | Legitimate interest (where applicable) |
|---|---|---|
| Process orders, payments, returns, manage your account | Art. 6(1)(b) GDPR – Contract performance | — |
| Personalise and improve the Services; remember preferences | Art. 6(1)(f) GDPR – Legitimate interest / Art. 6(1)(a) GDPR – Consent (for non-essential cookies) | Providing a smooth, efficient and personalised shopping experience |
| Marketing e-mails, SMS & targeted advertising | Art. 6(1)(a) GDPR – Consent (opt-out / withdraw at any time) | — |
| Fraud prevention & security monitoring | Art. 6(1)(f) GDPR – Legitimate interest | Protecting our business and customers from fraudulent or illegal activity |
| Tax, accounting & other legal obligations | Art. 6(1)(c) GDPR – Legal obligation | — |
5. Cookies & similar technologies
We use Shopify’s consent banner. Strictly-necessary cookies load by default; Analytics, Performance and Marketing cookies load only with your consent. Below is the current set of cookies in use:
| Cookie | Category | Duration | Description |
|---|---|---|---|
| preferredLang | Necessary | 30 days | Stores chosen language to prevent repeated redirects. |
| keep_alive | Necessary | 1 hour | Keeps session active during checkout. |
| localization | Necessary | 1 year | Stores language/region preferences. |
| cart_currency | Necessary | 14 days | Remembers cart currency. |
| _secure_session_id | Necessary | 24 hours | Secures navigation through checkout. |
| _tracking_consent | Necessary | 1 year | Stores cookie-consent choices. |
| shopify_pay_redirect | Necessary | 1 hour | Handles Shop Pay redirect. |
| _shopify_essential | Necessary | 1 year | Core Shopify functionality. |
| _shop_app_essential | Necessary | 1 year | Mobile-app compatibility. |
| my_consent_state | Necessary | 1 year | Saves granular banner selections. |
| _shopify_test | Necessary | Session | Checks browser cookie support. |
| omnisendShopifyCart | Necessary | Session | Syncs cart with Omnisend Ltd. for abandoned-cart e-mails. |
| connect.sid | Necessary | 7 days | Session ID for secure login. |
| _ga | Analytics | 2 years | Google Analytics 4 – visitor ID. |
| _ga_* | Analytics | 2 years | GA4 property identifier. |
| _landing_page | Analytics | 14 days | Saves landing page. |
| _orig_referrer | Analytics | 14 days | Saves original referrer. |
| _shopify_s | Analytics | Session | Shopify analytics session cookie. |
| _shopify_y | Analytics | 1 year | Shopify analytics ID. |
| soundestID | Analytics | Session | Omnisend Ltd. – new vs returning visitor. |
| omnisendSessionID | Analytics | 1 hour | Session ID for Omnisend stats. |
| page-views | Analytics | Session | Counts page views. |
| AWSALB | Performance | 7 days | AWS load balancer routing. |
| AWSALBCORS | Performance | 7 days | CORS version of AWSALB. |
| _fbp | Marketing | 3 months | Meta Pixel – personalised ads. |
| _shopify_essential (alt) | Uncategorised | 1 year | Additional Shopify platform cookie – under review. |
You can change or withdraw your cookie consent at any time via the banner or your browser settings.
6. Who we share data with
We share personal data only with the following categories of recipients, and only to the extent necessary for the purposes described:
- Shopify International Ltd. – hosting, checkout
- Stripe Payments Europe Ltd. – Shop Pay & card processing
- PayPal (Europe) S.à r.l.
- Klarna Bank AB – Pay Later & Sofort
- Meta Platforms Ireland Ltd. – Meta Pixel, Instagram Shop (see joint-controller note above)
- Google Ireland Ltd. – Google Analytics 4, Google Ads
- Omnisend Ltd. – e-mail & SMS marketing
- Logistics & carriers: Deutsche Post, DHL, UPS, DPD, GLS
- Professional advisers & service providers (e.g. accountants, legal counsel, IT-maintenance)
We do not sell your personal data to third parties. We may share limited identifiers with advertising partners (e.g. Meta, Google) for personalised advertising, but only based on your prior consent via our cookie banner.
7. International transfers
Where personal data is transferred to a country outside the European Economic Area, the United Kingdom or Switzerland, we rely on one of the following safeguards:
- Certification of the recipient under the EU-US Data Privacy Framework (and corresponding UK / Swiss frameworks), and/or
- Standard Contractual Clauses (Commission Decision 2021/914) with appropriate supplementary measures.
8. Third-party links
External websites or services linked from our Store are outside Goldfels’ control. Please review their privacy notices before providing any personal data.
9. Security & retention
We apply appropriate technical and organisational measures to protect your data; however, no security system is infallible. Please avoid unencrypted channels for sensitive information.
- Order & invoice data: 10 years (statutory).
- Customer account data: retained until you request deletion or applicable legal retention periods lapse.
- Marketing suppression lists: stored indefinitely to honour your opt-out choices.
- Server log files: stored up to 12 months for security and auditing, then anonymised or deleted.
10. Your rights
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object to processing (including direct marketing)
- Right to withdraw consent at any time (where processing is based on consent)
To exercise any of these rights, e-mail privacy@goldfelsstore.com. We will respond without undue delay and generally within one month of receiving your request, and we may extend this period by up to two further months where necessary, as permitted by law. We do not discriminate against anyone for exercising their privacy rights.
11. Complaints
12. Children
The Services are not directed to anyone under 16. If you believe we have collected data from a minor, please contact us for immediate deletion.
13. Automated decision-making
We do not carry out automated decision-making or profiling that produces legal or similarly significant effects within the meaning of Art. 22 GDPR.
14. Changes to this Policy
We may update this Policy from time to time to reflect legal, technical or business developments. The new version will be posted here with an updated “Last updated” date.
Last updated: December 2025