Privacy Policy

🇩🇪 German version ->

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as “data”) that we process, for which purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “Online Offering”).

The terms used are not gender-specific.

Status: December 19, 2025

Controller

Generated GbR
Schoenblickstrasse 5
72202 Nagold
Germany

Authorized representatives: Daniel Hartmann, Georgios Dimitropoulos

Email address: info@generated-tshirt.com

Legal notice: www.generated-tshirt.com/Impressum

Overview of Processing Activities

The following overview summarizes the types of data processed and the purposes of their processing and refers to the categories of data subjects concerned.

Types of Data Processed

Master data
Payment data
Contact data
Content data
Contract data
Usage data
Meta, communication, and procedural data
Log data

Categories of Data Subjects

Customers and clients
Prospective customers
Communication partners
Users
Business and contractual partners

Purposes of Processing

Provision of contractual services and fulfillment of contractual obligations
Communication
Security measures
Direct marketing
Reach measurement
Tracking
Office and organizational procedures
Audience building
Affiliate tracking
Administrative procedures
Feedback
Marketing
User-related profiling
Authentication procedures
Provision of our online offering and user friendliness
IT infrastructure
Public relations
Sales promotion
Business and economic processes

Applicable Legal Bases

Applicable legal bases under the GDPR: Below is an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence.

Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
Performance of a contract (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or for pre-contractual measures.
Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary to comply with a legal obligation.
Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary to protect legitimate interests, provided that the interests or fundamental rights of the data subject do not override them.

Security Measures

We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the likelihood and severity of risks to the rights and freedoms of natural persons.

These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to data, access rights, data entry, transmission, availability, and separation. Furthermore, we have established procedures to ensure the exercise of data subject rights, data deletion, and responses to data security incidents.

SSL/TLS Encryption: To protect user data transmitted via our online services, we use TLS/SSL encryption technology (HTTPS). This ensures that data transmitted between the website or app and the user’s browser is protected from unauthorized access.

Transfer of Personal Data

In the course of processing personal data, it may be transferred to other entities, companies, legally independent organizational units, or individuals. Such recipients may include IT service providers or providers of services and content integrated into our website.

In all cases, we comply with applicable legal requirements and conclude appropriate contracts or data processing agreements to protect your data.

International Data Transfers

If personal data is transferred to third countries (outside the EU or EEA), this is done in accordance with applicable legal requirements.

For data transfers to the United States, we primarily rely on the EU-U.S. Data Privacy Framework (DPF), recognized as an adequate level of protection by the European Commission on July 10, 2023. In addition, we use standard contractual clauses approved by the European Commission.

General Information on Data Retention and Deletion

We delete personal data in accordance with statutory requirements once the purpose for processing no longer applies or consent has been withdrawn, unless statutory retention obligations apply.

Rights of Data Subjects

Under the GDPR, you have the following rights:

Right to object
Right to withdraw consent
Right of access
Right to rectification
Right to erasure and restriction of processing
Right to data portability
Right to lodge a complaint with a supervisory authority

Business Services

We process data of our customers and business partners within contractual and comparable legal relationships in order to fulfill our contractual obligations and protect our legitimate interests.

Types of data processed: Inventory data (e.g. full name, residential address, contact details, customer number); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or phone numbers); contract data (e.g. subject of the contract, duration, customer category); usage data (e.g. page views, duration of visits, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).
Data subjects: Service recipients and clients; interested parties; business and contractual partners.
Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures; communication; office and organizational processes; organizational and administrative procedures; business processes and commercial operations.
Retention and deletion: Deletion in accordance with the information in the section “General information on data retention and deletion”.
Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 lit. b GDPR); legal obligation (Art. 6 para. 1 lit. c GDPR); legitimate interests (Art. 6 para. 1 lit. f GDPR).

Additional notes on processing activities, procedures and services:

Online shop, order forms, e-commerce and service fulfillment: We process customer data to enable the selection, purchase or ordering of products and services, including payment, delivery, or performance. Where necessary, we use service providers such as postal, shipping and logistics companies to fulfill deliveries. Payment transactions are handled via banks and payment service providers. Required information is marked accordingly during the ordering process and includes data necessary for delivery, provision and billing as well as contact details for communication if needed. Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 lit. b GDPR).

Payment Methods

Within contractual and other legal relationships, based on legal obligations or our legitimate interests, we offer efficient and secure payment options and use banks and payment service providers (“payment service providers”). Payment transactions are carried out exclusively via encrypted connections in accordance with the state of the art.

Data processed by payment service providers includes inventory data (e.g. name and address), banking data (e.g. account or credit card numbers), passwords, TANs, checksums, and transaction- related information. These details are required to process payments. The entered data is processed and stored only by the payment service providers. We do not receive account or credit card details, only confirmation or rejection of payments. In some cases, payment service providers may transmit data to credit agencies for identity and creditworthiness checks.

The terms and privacy policies of the respective payment service providers apply and are accessible on their websites or transaction platforms.

Types of data processed: Inventory data, payment data, contract data, usage data, meta/communication/procedural data.
Data subjects: Service recipients, clients, business partners, interested parties.
Purposes of processing: Contract fulfillment and business processes.
Legal bases: Performance of a contract (Art. 6 para. 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 lit. f GDPR).

Additional notes on services:

Stripe: Payment processing services; Service provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Legal basis: Performance of a contract (Art. 6 para. 1 lit. b GDPR); Website: https://stripe.com; Privacy policy: https://stripe.com/privacy; Third-country transfer basis: Data Privacy Framework (DPF).

Provision of Online Services and Web Hosting

We process user data to provide our online services. This includes processing IP addresses, which are necessary to deliver content and functions to users’ browsers or devices.

Types of data processed: Usage data, meta/communication/procedural data, log data.
Data subjects: Users.
Purposes of processing: Provision of online services, IT infrastructure, security measures, contract fulfillment.
Legal basis: Legitimate interests (Art. 6 para. 1 lit. f GDPR).

Additional hosting-related information:

Hosting services: We use rented server infrastructure and related services to provide our online offering. Legal basis: Legitimate interests (Art. 6 para. 1 lit. f GDPR).
Server log files: Access data such as requested pages, timestamps, browser type, operating system, referrer URL and IP addresses are logged for security and stability purposes. Log data is stored for up to 30 days and then deleted or anonymized.
IONOS: Hosting and infrastructure services; Provider: IONOS SE, Montabaur, Germany; Privacy policy: https://www.ionos.de/terms-gtc/terms-privacy .

Use of Cookies

Cookies store or retrieve information on users’ devices and are used for functionality, security, comfort, and analytics. Where required, we obtain user consent. Otherwise, cookies are used based on our legitimate interests.

Cookie duration:

Session cookies: Deleted when the browser is closed.
Persistent cookies: Remain stored and may last up to two years.

Users may withdraw consent or object to cookie usage at any time via browser settings.

Single Sign-On (SSO)

Single Sign-On allows users to authenticate using accounts from third-party providers such as Facebook or Google. Authentication occurs directly with the provider. We receive a user ID but no passwords.

Types of data processed: Inventory data, contact data, usage data, meta/communication/procedural data.
Purposes: Authentication, security, service provision.
Legal bases: Contract performance and legitimate interests.

Contact and Inquiry Management

When users contact us (e.g. via form, email, phone, or social media), we process the provided data to respond to inquiries.

Types of data processed: Inventory data, contact data, content data.
Purposes: Communication and organizational processes.
Legal bases: Contract performance and legitimate interests.

Marketing Communication

We process personal data for marketing communication via email, phone, post or fax in accordance with legal requirements. Users may withdraw consent or object at any time.

Web Analytics and Optimization

Web analytics helps us analyze visitor behavior and optimize our services. IP addresses are pseudonymized using IP masking.

Types of data processed: Usage data and meta data.
Purposes: Reach measurement, optimization, usability.
Legal bases: Consent and legitimate interests.

Google Analytics: We use Google Analytics to measure and analyze the use of our online offering based on a pseudonymous user identification number. This identification number does not contain any unique data such as names or email addresses. It is used to assign analysis information to an end device in order to determine which content users accessed during one or multiple sessions, which search terms they used, whether they returned to certain content, or how they interacted with our online offering.

The time and duration of use, the sources from which users access our website, and technical information about their devices and browsers are also stored. Pseudonymous user profiles may be created using information from different devices, and cookies may be used for this purpose.

Google Analytics does not log or store individual IP addresses for users in the European Union. Instead, it provides coarse geographic location data by deriving the following metadata from IP addresses: city (including derived latitude and longitude), continent, country, region, and sub-region. For EU data traffic, IP addresses are used exclusively for deriving geolocation data and are deleted immediately afterward. They are not logged, accessible, or used for any other purposes.

Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR);
Website: https://marketingplatform.google.com/intl/en/about/analytics/ ;
Security measures: IP masking (pseudonymization of IP addresses);
Privacy policy: https://policies.google.com/privacy ;
Data processing agreement: https://business.safety.google/adsprocessorterms/ ;
Basis for third-country transfers: Data Privacy Framework (DPF) and Standard Contractual Clauses ( https://business.safety.google/adsprocessorterms );
Opt-out option: Google Analytics Opt-Out Browser Add-on , Ad personalization settings ;
Further information: https://business.safety.google/adsservices/

Affiliate Programs and Affiliate Links

We integrate so-called affiliate links or other references (such as search widgets or discount codes) to offers and services of third-party providers within our online offering (collectively referred to as “affiliate links”). If users follow these links or subsequently make use of the offers, we may receive a commission or other benefits.

In order to track whether users have taken advantage of an offer via an affiliate link, it is necessary for the respective third-party providers to know that users followed an affiliate link on our website. The allocation of affiliate links to transactions or other actions serves solely the purpose of commission settlement and is discontinued as soon as it is no longer required for that purpose.

For this purpose, affiliate links may be supplemented with certain values that are part of the link or may be stored elsewhere, for example in a cookie. These values may include the referring website, the time of access, an online identifier of the website operator, an identifier of the offer, the type of link, the type of offer, and an online identifier of the user.

Legal basis notes: If we request user consent for the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (Art. 6 para. 1 lit. f GDPR).

Types of data processed: Contract data, usage data, meta/communication and procedural data.
Data subjects: Interested parties and users.
Purposes of processing: Affiliate tracking.
Retention and deletion: Deletion in accordance with the information in the section “General information on data retention and deletion.”
Legal bases: Consent (Art. 6 para. 1 lit. a GDPR), legitimate interests (Art. 6 para. 1 lit. f GDPR).

Social Media Presences

We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to provide information about us.

We point out that user data may be processed outside the European Union. This may result in risks for users, as the enforcement of their rights may be more difficult.

User data within social networks is generally processed for market research and advertising purposes. Usage profiles may be created based on user behavior and interests, which may then be used to display advertising within and outside the networks.

For detailed information on the respective processing activities and opt-out options, please refer to the privacy policies of the respective network operators.

Types of data processed: Contact data, content data, and usage data.
Data subjects: Users.
Purposes of processing: Communication, feedback, and public relations.
Legal basis: Legitimate interests (Art. 6 para. 1 lit. f GDPR).

Plug-ins and Embedded Functions and Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (“third-party providers”), such as videos, graphics, or maps.

The integration always requires that the third-party providers process the users’ IP addresses, as the content cannot otherwise be delivered to their browsers. The IP address is therefore required to display these contents or functions.

Third-party providers may also use so-called pixel tags (web beacons) for statistical or marketing purposes. Pseudonymous information may be stored in cookies on users’ devices and may include technical information about browsers and operating systems, referring websites, visit times, and further details about the use of our online offering.

Legal basis notes: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests.

Types of Data Processed: Usage data (e.g. page views and time spent on pages, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and features). Metadata, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).
Data Subjects: Users (e.g. website visitors, users of online services).
Purposes of Processing: Provision of our online services and user-friendliness; reach measurement (e.g. access statistics, recognition of returning visitors); tracking (e.g. interest- and behavior-based profiling, use of cookies); audience creation; marketing.
Storage and Deletion: Deletion in accordance with the information provided in the section “General Information on Data Storage and Deletion”. Storage of cookies for up to two years (unless otherwise stated, cookies and similar storage technologies may be stored on users’ devices for up to two years).
Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Additional information on processing activities, procedures, and services:

Stripe: Payment processing – performance of contract (Art. 6 para. 1 lit. b GDPR) – Privacy Policy
OpenAI: Image generation – performance of contract / legitimate interest – Privacy Policy
IONOS Cloud: Storage of generated content – performance of contract – Privacy Policy
Brevo: Newsletter delivery – consent – Privacy Policy
A61 Dropshipping Plattform: Production and Shipping of personalized products - performance of contract - Privacy Policy
Google Fonts (served from Google servers): Retrieval of fonts (and symbols) for technically secure, maintenance-free and efficient use with regard to performance and consistent presentation. The user’s IP address is transmitted to Google to provide the fonts. Technical data (language settings, screen resolution, operating system, hardware) may also be processed. Data may be processed on servers in the USA. IP addresses are not logged or stored by Google according to Google’s own statement.

Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Legal Basis: Legitimate interests (Art. 6 para. 1 lit. f GDPR);
Website: https://fonts.google.com/
Privacy Policy: https://policies.google.com/privacy
Third Country Transfers: Data Privacy Framework (DPF);
Further Information: https://developers.google.com/fonts/faq/privacy
YouTube Videos: Video content;
Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Legal Basis: Consent (Art. 6 para. 1 lit. a GDPR);
Website: https://www.youtube.com
Privacy Policy: https://policies.google.com/privacy
Third Country Transfers: Data Privacy Framework (DPF);
Opt-Out Options: Google Analytics Opt-Out , Ad personalization settings

Changes and Updates

We ask you to regularly review the contents of our Privacy Policy. We adapt the Privacy Policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or any other individual notification.

If addresses or contact details of companies and organizations are provided in this Privacy Policy, please note that these may change over time. We ask you to verify the information before contacting the respective entities.

Definitions

This section provides an overview of the terminology used in this Privacy Policy. Where terms are legally defined, those legal definitions apply. The following explanations are intended to support understanding.

Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data, whether automated or not, such as collection, storage, use, disclosure, or deletion.
Controller: The natural or legal person who determines the purposes and means of processing personal data.
Usage Data: Data describing how users interact with digital services, including duration, frequency, device information, and navigation behavior.
Tracking: Monitoring user behavior across online services to create interest or usage profiles, often using cookies or similar technologies.
Reach Measurement: Analysis of visitor behavior to evaluate and improve online offerings.

Created with the free Datenschutz-Generator.de by Dr. Thomas Schwenke