Privacy Policy
Also available in German (Deutsch).
1. Data Controller
Ben Flagmeyer / Imperfectly Perfect
C/ Mar Cantábrico 18, Casa 31
38612 El Médano, Tenerife, Spain
Email: contact@imperfectly-perfect.shop
Phone: +34 627 657 305
2. Overview of Data Processing
We only process personal data to the extent necessary to provide our online shop and services. Processing is carried out on the basis of the EU General Data Protection Regulation (GDPR) and the Spanish Ley Orgánica 3/2018 (LOPDGDD).
3. Legal Bases
We process your data on the following legal bases:
- Art. 6(1)(a) GDPR (Consent): Newsletter subscription, contact inquiries
- Art. 6(1)(b) GDPR (Contract performance): Order processing, payment, shipping, customer communication
- Art. 6(1)(c) GDPR (Legal obligation): Tax retention obligations, invoicing
- Art. 6(1)(f) GDPR (Legitimate interest): IT security, fraud prevention, service improvement
4. Collection and Storage of Personal Data
4.1 Server Log Files
When you visit our website, information is automatically transmitted to our server (server log files): IP address, date and time of request, URL accessed, referrer URL, browser and operating system used, amount of data transferred, HTTP status code.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in IT security).
Retention period: 30 days, then automatically deleted.
4.2 Orders
When you place an order, we collect: name, email address, shipping address, order details. Payment processing is handled exclusively by Stripe (see section 6.1) — we do not store any credit card or bank details.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
Retention period: 10 years (statutory retention obligation for business records under Spanish commercial law).
4.3 Newsletter
When you subscribe to our newsletter, we store your email address to send product news and drop notifications. Registration uses a double opt-in process: after entering your email, you receive a confirmation email with an activation link.
You can unsubscribe from the newsletter at any time — an unsubscribe link is included in every newsletter email.
Legal basis: Art. 6(1)(a) GDPR (consent).
Retention period: Until withdrawal of consent (unsubscription).
4.4 Contact Inquiries (WhatsApp, Email)
When you contact us by email or WhatsApp, your details are stored for processing the inquiry. When contacting via WhatsApp, your data is also processed by Meta Platforms Ireland Ltd. (see section 6.4).
Legal basis: Art. 6(1)(a)/(b) GDPR (consent or pre-contractual measures).
Retention period: Until completion of the inquiry, maximum 12 months.
4.5 NFC Products (Customer-Provided Content)
When you order an NFC product with custom linking, you provide us with the desired URL or content to be stored on the NFC chip. This data is used exclusively for the production of the ordered product.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
Retention period: NFC content data is stored together with order data (10 years).
You may request deletion of the content data you provided at any time, unless a statutory retention obligation applies.
5. Cookies and Local Storage
This website uses no tracking cookies and no analytics tools.
We only use:
- Local browser storage (localStorage): To store your shopping cart and functional preferences (e.g. whether the newsletter popup has been dismissed). This data remains exclusively in your browser, is not transmitted to our servers or third parties, and serves no tracking or analytics purpose.
- Session storage (sessionStorage): To count page visits within a session for functional purposes (e.g. newsletter popup timing). This data is automatically deleted when the browser tab is closed.
- Technically necessary cookies: A language preference cookie (ip-lang) and session cookies for the admin area (not visible or relevant to regular visitors).
All storage technologies used are strictly necessary within the meaning of Art. 22.2 LSSI-CE (Ley 34/2002, Spanish e-commerce law) and Art. 5(3) of the ePrivacy Directive (2002/58/EC). Since we do not use tracking, marketing, or analytics cookies, no cookie consent banner is required.
6. External Service Providers and Data Transfers
6.1 Stripe (Payment Processing)
We use Stripe, Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA for payment processing. When placing an order, your payment data is transmitted directly to Stripe and processed there. We only receive confirmation of payment status from Stripe.
Stripe processes your data on the basis of Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR.
Stripe's privacy policy: https://stripe.com/privacy
6.2 Resend (Email Delivery)
We use Resend, Inc. (USA) to send order confirmations, shipping notifications and newsletter emails. Your email address is transmitted to Resend for this purpose.
Legal basis: Art. 6(1)(b) GDPR (contract performance) or Art. 6(1)(a) GDPR (newsletter).
Resend processes data on the basis of Standard Contractual Clauses (SCC).
6.3 Railway (Hosting)
Our website is hosted by Railway Corp. (USA). Each time our website is accessed, data (see 4.1 Server Log Files) is transmitted to Railway's servers.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in reliable website operation).
6.4 WhatsApp / Meta
We offer the option to contact us via WhatsApp. WhatsApp is operated by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland. When you contact us via WhatsApp, your data (phone number, message content, timestamps, and any media) is processed by Meta.
Meta processes this data for its own purposes in accordance with the WhatsApp privacy policy. We have no influence over the nature and extent of data processing by Meta and it is not possible to conclude a data processing agreement pursuant to Art. 28 GDPR with Meta. Meta may transfer data to the USA.
WhatsApp privacy policy: https://www.whatsapp.com/legal/privacy-policy
Legal basis: Art. 6(1)(a) GDPR (consent through active contact initiation). You can always contact us by email instead, without your data being transmitted to Meta.
6.5 Instagram
We link to our Instagram profile. When you click the link, you are redirected to Instagram (Meta Platforms Ireland Ltd.). Data collection by Instagram only occurs there. No Instagram data is loaded or tracking pixels embedded on our website.
6.6 Google Maps (Map Embed)
On our events page, we embed Google Maps as an iframe to display event locations. Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The map is only loaded after you actively click the load button (click-to-load). Only then is data (including your IP address and location data) transmitted to Google. Google may set cookies in this context.
Legal basis: Art. 6(1)(a) GDPR (consent through actively clicking the load button).
You may withdraw your consent at any time by reloading the page and not clicking the button again.
Google's privacy policy: https://policies.google.com/privacy
6.7 Spotify (Embedded Player)
On certain product pages, we embed the Spotify player as an iframe to demonstrate NFC products. Provider: Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden. The player is only loaded after your active interaction (click-to-load). Only then is data (including your IP address) transmitted to Spotify. Spotify may set cookies in this context.
Legal basis: Art. 6(1)(a) GDPR (consent through active interaction).
You may withdraw your consent at any time by reloading the page and not interacting again.
Spotify's privacy policy: https://www.spotify.com/legal/privacy-policy/
6.8 FacturaDirecta (Invoice Generation)
We use the service FacturaDirecta (Spain) for invoice generation. When you place an order, your billing data (name, address, email, order details) is transmitted to FacturaDirecta to create a proper invoice.
Legal basis: Art. 6(1)(c) GDPR (legal obligation for invoicing).
6.9 Data Processing Agreements
Data processing agreements pursuant to Art. 28 GDPR have been concluded with all service providers listed above that process personal data on our behalf — with the exception of WhatsApp/Meta (see section 6.4), as Meta acts as an independent controller and does not offer a data processing agreement.
7. Your Rights
You have the following rights regarding your personal data:
- Access (Art. 15 GDPR) — What data we have stored about you
- Rectification (Art. 16 GDPR) — Correction of inaccurate data
- Erasure (Art. 17 GDPR) — Deletion of your data, provided no retention obligation exists
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR) — Provision of your data in a machine-readable format
- Objection (Art. 21 GDPR) — Objection to processing based on legitimate interests
- Withdrawal of consent (Art. 7(3) GDPR) — Possible at any time, without giving reasons
To exercise your rights, contact us by email: contact@imperfectly-perfect.shop
8. How to Exercise Your Rights (Practical Guide)
You can exercise your data protection rights at any time by sending an informal email to contact@imperfectly-perfect.shop. To help us process your request promptly, please state which right you wish to exercise:
- Access: "I would like to know what data you have stored about me." — We will respond within 30 days with a complete overview.
- Erasure: "Please delete all my personal data." — We will delete all data not subject to a statutory retention obligation (e.g. invoice data: 10 years).
- Rectification: "Please correct the following data: [...]" — We will update your data promptly.
- Data portability: "Please send me my data in a machine-readable format." — You will receive your data as a JSON or CSV file.
- Withdraw newsletter consent: Simply click the unsubscribe link in any newsletter email, or send us a brief email.
We process all requests free of charge and within the statutory period of 30 days (Art. 12(3) GDPR). For complex requests, the period may be extended by a further 60 days — we will inform you in good time.
9. Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for us is:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan 6, 28001 Madrid, Spain
https://www.aepd.es
Alternatively, you may contact the data protection authority of your country of residence.
10. Obligation to Provide Data
The provision of personal data is neither legally nor contractually required. However, certain data (name, address, email) is necessary for processing an order. Without this data, we cannot fulfil the purchase contract.
Providing an email address for the newsletter is voluntary.
11. Rights Under Spanish Data Protection Law (LOPDGDD)
In addition to your rights under the GDPR, you have the following rights under the Spanish Ley Orgánica 3/2018 (LOPDGDD):
- Right to digital legacy (Art. 96 LOPDGDD) — Relatives or heirs of a deceased person may request the deletion or rectification of their personal data, unless the deceased person excluded this during their lifetime.
To exercise these rights, contact us by email: contact@imperfectly-perfect.shop
12. Changes to This Privacy Policy
We reserve the right to update this privacy policy to reflect changes in legal requirements or changes to our data processing. The current version published on our website applies.
Last updated: 14 April 2026