Privacy policy

Last updated: April 9, 2026

ALEBRI, represented by Ana-Maria-Alexandra Brincus, Dr.-Kurt-Schumacher-Str. 7, 93133 Burglengenfeld, Germany (hereinafter “we”, “us” or “ALEBRI”) is the controller within the meaning of the General Data Protection Regulation (GDPR) for the processing of personal data on the website www.alebri.com (hereinafter “Services”).

This Privacy Policy informs you about how we collect, process, and protect your personal data.

Introduction

SSL or TLS Encryption

We use SSL/TLS encryption to protect the transmission of personal data. This ensures that data transmitted via our website cannot be read by unauthorized third parties.

1. Categories of Personal Data Collected

We process the following categories of personal data:

a) Contact and identification data

Name, billing and shipping address, company name (if provided), phone number (if provided), email address

b) Order and payment data

Products ordered, order value, order date and time, payment method, transaction details, payment confirmation.
We do not store full card numbers or security codes.

c) Customer account data (if created)

Username, saved addresses, preferences, and order history

d) Communication data

Content of messages sent via email, contact forms, or customer support

e) Usage data

IP address, browser type and version, operating system, device type and technical identifiers (where necessary), pages visited, dwell time, interactions

f) Cookie and tracking data

See Section 6

g) Server log files

When you access our website, our hosting provider automatically collects and stores information in so-called server log files. This includes:

• IP address

• Date and time of access

• Browser type and version

• Operating system

• Referrer URL

• Accessed pages

The processing is carried out on the basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in ensuring the security, stability, and integrity of our website.

Server log files are stored for a limited period necessary for security purposes and are then automatically deleted, unless further retention is required for security or legal reasons.

2. Legal Bases for Processing (Art. 6 GDPR)

Personal data is processed on the following legal bases:

• Contract performance (Art. 6(1)(b) GDPR):
  Order processing, payment, shipping, returns, refunds, customer accounts.

• Legal obligation (Art. 6(1)(c) GDPR):
  Tax, accounting, and retention obligations.

• Legitimate interests (Art. 6(1)(f) GDPR):
  Ensuring the secure operation of the website, fraud prevention, abuse detection, delivery coordination, and efficient fulfillment of contractual obligations.
  

• Marketing to existing customers (Art. 6(1)(f) GDPR in conjunction with § 7(3) UWG):
  Promotion of products, collections, sales campaigns via email.

• Consent (Art. 6(1)(a) GDPR):
  Analytics, non-essential cookies, newsletter subscriptions, and marketing communications.

You may withdraw any consent at any time with effect for the future.

You may object at any time to processing for direct marketing purposes, free of charge.

3. Purposes of Processing

Personal data is processed exclusively for the following purposes:

• Order processing, payment, shipping, returns, refunds

• Delivery-related communication with shipping providers

• Operation, security, and improvement of the Services

• Personalization (e.g. saved addresses)

• Transactional emails and service notifications

• Fraud prevention and abuse detection

• Processing inquiries and customer support requests

• With consent: marketing communications and website analytics

We process personal data only to the extent necessary for the stated purposes and in accordance with the principles of data minimization and purpose limitation pursuant to Art. 5 GDPR.

4. Provision of Personal Data

The provision of personal data is generally required for the conclusion and performance of a contract (e.g. processing orders, payments, and deliveries).

If mandatory data is not provided, we may be unable to conclude or perform the contract.

The provision of personal data for marketing purposes, newsletters, analytics, and non-essential cookies is voluntary and based solely on your consent.

5. Disclosure to Third Parties

Personal data is disclosed to third parties only where legally permitted and necessary:

a) Shopify (Shop Platform)

Shopify International Ltd., Victoria Buildings, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland, acts as a processor pursuant to Art. 28 GDPR for hosting, checkout, platform security, and technical operation of our online store.

For certain processing activities, such as fraud prevention, abuse detection, platform security, and Shop Pay services, Shopify may act as an independent controller within the meaning of Art. 4(7) GDPR. In these cases, Shopify processes personal data under its own responsibility. Further information can be found in Shopify’s privacy policy.

Shopify Privacy Policy: https://www.shopify.com/legal/privacy
Shopify DPA: https://www.shopify.com/legal/dpa

b) Payment Service Providers

Payment data is transferred directly to the selected provider. The following payment methods are available on our website, each processed by their respective provider acting as an independent controller:

• Card Payments (Visa, Mastercard, American Express, Maestro, UnionPay) Processed via Shopify Payments, operated by Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland. Privacy Policy: https://stripe.com/privacy

• PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. Privacy Policy: https://www.paypal.com/privacy

• Shop Pay Operated by Shopify International Ltd., Victoria Buildings, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland. Privacy Policy: https://www.shopify.com/legal/privacy

• Apple Pay Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. Privacy Policy: https://www.apple.com/legal/privacy

• Google Pay Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. Privacy Policy: https://policies.google.com/privacy

ALEBRI does not store full card numbers, security codes, or sensitive payment authentication data. All payment data is processed exclusively by the respective payment service provider.

c) Shipping and Logistics Providers

To fulfill the contract, we transmit your name and delivery address to the shipping provider selected by us for the respective order (e.g. DHL, DPD, Hermes, GLS, Deutsche Post) (Art. 6(1)(b) GDPR).

Depending on the destination country and the requirements of the respective shipping provider, we may also transmit your email address and/or phone number if this is necessary to ensure successful delivery (e.g. where local carriers require contact details for delivery coordination) (Art. 6(1)(b) GDPR).

In cases where contact details are not strictly required for delivery but are used to facilitate delivery notifications, processing is based on our legitimate interest in ensuring smooth contract performance (Art. 6(1)(f) GDPR).

You may object to the processing based on Art. 6(1)(f) GDPR at any time.

d) Other recipients

• Authorities, where legally required

• Email service providers for transactional emails

• IT and infrastructure providers under Art. 28 GDPR

We do not sell personal data.

Where processors are used, we have concluded Data Processing Agreements (Art. 28 GDPR).

6. Cookies and Tracking (TDDDG)

Essential cookies pursuant to § 25(2) TDDDG are required for the technical operation of the website and do not require consent.

Optional cookies pursuant to § 25(1) TDDDG and Art. 6(1)(a) GDPR (e.g. analytics and marketing) are used only with your consent via the cookie banner.

You can change or withdraw your cookie consent at any time via the cookie settings link on our website (present in the footer at all times).

7. Use of Analytics Tools

We use web analytics tools to understand how visitors interact with our website and to improve our services.

7.1 Google Analytics (GA4)

We use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses cookies and similar technologies to analyze your use of our website.

The use of Google Analytics is based exclusively on your consent in accordance with Art. 6(1)(a) GDPR and §25(1) TDDDG. Without your consent, Google Analytics will not be activated.

IP anonymization is enabled, meaning your IP address is shortened before processing within the European Union or the European Economic Area.

The information collected may be transferred to servers of Google in the United States. For such transfers, we rely on the EU-U.S. Data Privacy Framework.

We have concluded a Data Processing Agreement (DPA) with Google.

The data is used to evaluate website usage, compile reports on website activity, and improve our services.

7.1.1. Purpose of Processing

We use this data to evaluate the use of our website, to compile reports on website activity, and to provide other services related to website activity and internet usage for the purpose of market research and the demand-oriented design of our shop.

7.1.2. Legal Basis

The legal basis for the use of Google Analytics is your explicit consent pursuant to:

• Art. 6 (1) (a) GDPR (Data processing consent)

• § 25 (1) TDDDG (Storage of information on the user's terminal equipment/cookies)

7.1.3. Data Transfer to Third Countries (USA)

Data may be transferred to Google LLC in the USA. Google is certified under the EU-U.S. Data Privacy Framework, which ensures a level of data protection that corresponds to the standards of the European Union.

7.1.4. Retention Period

The data sent by us and linked to cookies is automatically deleted after 2 months. Data whose retention period has been reached is automatically deleted once a month.

7.1.5. Withdrawal of Consent (Opt-Out)

You can withdraw your consent at any time with effect for the future by:

• Adjusting your preferences in our Cookie Consent Manager.

• Downloading and installing the Google Analytics Opt-out Browser Add-on.

Further information: https://policies.google.com/privacy

7.2 Pinterest Tag

We use the Pinterest Tag, a tracking technology provided by Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.

The Pinterest Tag uses cookies and similar technologies to track user behavior on our website and to measure the effectiveness of advertising campaigns.

The use of the Pinterest Tag is based exclusively on your consent in accordance with Art. 6(1)(a) GDPR and § 25(1) TDDDG. Without your consent, the Pinterest Tag will not be activated.

The data collected may include information about your interactions with our website, such as page views, product views, and completed purchases.

Pinterest may process personal data for its own purposes and acts, at least in part, as an independent controller within the meaning of Art. 4(7) GDPR. Where required, joint controllership pursuant to Art. 26 GDPR may apply between us and Pinterest. However, primary responsibility for advertising-related processing lies with Pinterest.

7.2.1 Purpose of Processing

We use the Pinterest Tag to:

• measure and analyze user behavior on our website

• track conversions (e.g. purchases)

• optimize our marketing and advertising campaigns

• display personalized advertisements on Pinterest

7.2.2 Legal Basis

The legal basis for the use of the Pinterest Tag is your explicit consent pursuant to:

• Art. 6 (1) (a) GDPR (consent)
• § 25 (1) TDDDG (storage of information on user devices/cookies)

7.2.3 Data Transfer to Third Countries (USA)

Personal data may be transferred to Pinterest Inc., 651 Brannan Street, San Francisco, CA 94107, USA.

Such transfers are based on appropriate safeguards in accordance with Art. 46 GDPR, in particular Standard Contractual Clauses (SCCs).

Please note that when transferring data to the United States, there is a risk that public authorities may access personal data without providing a level of protection comparable to that in the European Union, and that effective legal remedies may not be available.

7.2.4 Retention Period

We do not have direct control over the retention period of the data processed by Pinterest. The retention period is determined by Pinterest.

7.2.5 Withdrawal of Consent (Opt-Out)

You can withdraw your consent at any time with effect for the future by:

• adjusting your preferences in our Cookie Consent Manager located in our footer

7.2.6 Further Information

Further information on data processing by Pinterest can be found here:

• https://policy.pinterest.com/en/privacy-policy

• https://policy.pinterest.com/en/cookies

8. Newsletter (Klaviyo)

If you subscribe to our newsletter, we process your email address to send updates about products, offers, content, and brand insights. We may send marketing emails regularly (up to maximum 4 marketing emails per week).

Note: Transactional communications, including information regarding product availability, order processing, shipping status, account-related functions, and responses to customer inquiries, do not constitute marketing or promotional communications.

Newsletter registration uses the double opt-in procedure.

Processed data includes:

• Email address

• Date and time of registration and confirmation

• IP address at registration and confirmation

Our newsletters contain tracking technologies (e.g. tracking pixels) that allow us to measure whether and when a newsletter was opened and which links were clicked.

This analysis is carried out exclusively on the basis of your consent (Art. 6(1)(a) GDPR) and serves to optimize our communication and improve content relevance.

Service provider (processor pursuant to Art. 28 GDPR):
Klaviyo, Inc., 125 Summer Street, Boston, MA 02111, USA

Klaviyo processes personal data on our behalf based on a Data Processing Agreement (DPA) and in accordance with the Standard Contractual Clauses (Art. 46 GDPR).

Privacy Policy: https://www.klaviyo.com/privacy

DPA: https://www.klaviyo.com/legal/data-processing-agreement

You may unsubscribe at any time via the unsubscribe link provided in all marketing emails, or by contacting info@alebri.com

9. Social Media Presence & Communication

ALEBRI maintains professional profiles on various social media platforms to communicate with customers and interested parties.

9.1 Joint Responsibility

When you visit our social media profiles (e.g., Instagram, Facebook, TikTok), personal data may be processed both by ALEBRI and by the respective platform operator.

In relation to certain analytics and tracking functions (such as “Page Insights”), joint responsibility pursuant to Art. 26 GDPR exists between ALEBRI and the respective platform operator.

Where required, joint responsibility agreements pursuant to Art. 26 GDPR have been concluded with the respective platform operators. The primary responsibility for processing personal data for advertising, tracking, and market research purposes lies with the respective platform operator.

We have no influence over the scope, purposes, or duration of data processing carried out by the platform providers.

Further information on joint responsibility arrangements can be found in the privacy policies of the respective providers.

9.2 Communication via Social Media & WhatsApp 

If you contact us via direct message on social media or via WhatsApp, we process the data you provide (e.g., name, phone number, message content) solely to handle your inquiry.

• Legal Basis: If your inquiry relates to an order or a contract, the legal basis is Art. 6(1)(b) GDPR. For general inquiries, the basis is our legitimate interest in efficient communication according to Art. 6(1)(f) GDPR.

• WhatsApp Notice: Please note that WhatsApp (Meta Platforms, Inc.) may transfer data to servers in the USA. If you contact us via WhatsApp, data processing by WhatsApp takes place under WhatsApp’s own responsibility. We recommend not sending sensitive personal data (like bank details) via these channels.

9.3 Links to Privacy Policies

For detailed information on data processing and your opt-out options, please refer to the providers' policies:

• Facebook: Facebook Privacy Policy

• Instagram: Instagram Privacy Policy

• TikTok: TikTok Privacy Policy

• WhatsApp: WhatsApp Privacy Policy

10. International Data Transfers

Personal data may be transferred outside the EU/EEA only on the basis of:

• Adequacy decisions by the European Commission, or

• Standard Contractual Clauses pursuant to Art. 46 GDPR

Transfers may involve Canada and the United States (Shopify).

When transferring data to third countries without an adequacy decision, there is a risk that public authorities may access data without effective legal remedies. We implement supplementary safeguards where required.

11. External Links

Our website and this Privacy Policy contain links to external websites and services operated by third parties. When you click on such links, you leave our website and are subject to the privacy policies of the respective provider.

We have no influence over the content or data processing practices of third-party websites. Responsibility for data processing on those websites lies solely with the respective operator.

12. Data Retention Periods

• Invoices and accounting records: 10 years (HGB § 257, AO § 147)

• Contract-related data: up to 3 years after contract end (BGB § 195)

• Consent-based data: until consent is withdrawn

• Analytics data processed by us (e.g. Google Analytics) is deleted or anonymized after a maximum of 2 months

Data is deleted or anonymized once retention obligations expire.

13. Your Rights

You have the right to:

• Access (Art. 15 GDPR)

• Rectification (Art. 16 GDPR)

• Erasure (Art. 17 GDPR)

• Restriction of processing (Art. 18 GDPR)

• Data portability (Art. 20 GDPR)

• Objection to processing (Art. 21 GDPR)

• Withdrawal of consent (Art. 7(3) GDPR)

Requests can be sent to info@alebri.com

We respond within one month (Art. 12(3) GDPR).

You also have the right to lodge a complaint with:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany

14. Automated Decision-Making

No automated decision-making or profiling pursuant to Art. 22 GDPR takes place.

15. Data Protection Officer (DPO)

ALEBRI is not legally required to appoint a Data Protection Officer pursuant to Art. 37 GDPR.

If you have questions regarding data protection, you may contact us at:

Email: info@alebri.com

16. Contact

ALEBRI
Ana-Maria-Alexandra Brincus
Dr.-Kurt-Schumacher-Str. 7
93133 Burglengenfeld
Germany

Email: info@alebri.com