Introduction
Protecting your personal data is of the highest importance. This Privacy Policy explains the nature, scope and purpose of the processing of personal data (hereinafter "data") in connection with the online offering. This includes the associated website, its features and content, as well as external online presences such as social-media profiles (together referred to as the "online offering"). Your personal data is treated confidentially, and processing strictly follows the applicable data-protection laws and the provisions of this Privacy Policy.

General notes
This Privacy Policy gives you a comprehensive overview of what happens to your personal data when you visit this website. Personal data is any information that can be used to identify you personally. For details please refer to the full Privacy Policy below.

Controller
Data processing on this website is carried out by the website operator. Contact details of the controller can be found in the section "Controller".

How your data is collected
Some personal data is provided actively by you, for example by filling in a contact form. Other data is collected automatically, or with your consent, when you visit the website (in particular technical data such as your browser, operating system or the time of access). This automatic collection happens as soon as you enter the website.

How your data is used
Some data is collected to ensure the website works correctly. Other data may be used to analyse usage so that the offering can be improved and adapted to user needs.

Disclosure to external parties
In the course of business it may be necessary to share personal data with external parties. This only happens under specific conditions: where disclosure is needed to perform a contract, where there is a legal obligation (e.g. towards tax authorities), where there is a legitimate interest under Art. 6(1)(f) GDPR, or where another legal basis permits the transfer.

When external service providers process personal data, this happens exclusively on the basis of a valid data-processing agreement under Art. 28 GDPR. Where data is processed jointly with another party, an agreement on joint controllership under Art. 26 GDPR is concluded.

Withdrawal of consent
Some processing is only possible with your express consent. You may withdraw any such consent at any time. The lawfulness of processing carried out before the withdrawal remains unaffected.

Right to object to specific processing and to direct marketing (Art. 21 GDPR)
If your personal data is processed on the basis of Art. 6(1)(e) or (f) GDPR, you have the right at any time to object to that processing on grounds relating to your particular situation. This also applies to profiling based on those provisions. The specific legal basis for each processing is stated in this Privacy Policy. Following an objection, the controller will no longer process your personal data unless compelling legitimate grounds for processing can be demonstrated which override your interests, rights and freedoms, or unless the processing serves the establishment, exercise or defence of legal claims (objection under Art. 21(1) GDPR).

If your personal data is processed for direct-marketing purposes, you have the right to object to that processing at any time. This also applies to profiling associated with direct marketing. Following your objection, the controller will no longer use your personal data for those marketing purposes (objection under Art. 21(2) GDPR).

Your rights under the GDPR
You have the right to lodge a complaint with a competent supervisory authority in case of breaches of the GDPR. This right may be exercised in particular in the EU member state of your usual residence, place of work or the place of the alleged breach. Other administrative or judicial remedies remain unaffected.

Personal data that is processed automatically on the basis of consent or in performance of a contract may be requested in a structured, common and machine-readable format. On request, the data may also be transmitted directly to another controller, where technically feasible.

Every data subject has the right to receive free information about the personal data stored about them, its origin, recipients and the purpose of the processing. There is also a right to correction or erasure of this data, where statutory provisions allow. For any further questions or concerns regarding personal data, please contact the controller at any time.

You also have the right to request restriction of processing where the accuracy of the data is contested and pending verification, where processing is unlawful but you prefer restriction over erasure, where the data is no longer needed for processing but you require it for the establishment, exercise or defence of legal claims, or where you have objected under Art. 21(1) GDPR pending the assessment of whose interests prevail. While processing is restricted, the data (apart from being stored) may only be processed with your consent, for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the EU or a member state.
Controller
The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is: Adrian Grund Address: Bruder-Konrad-Str. 24c, 82216 Maisach, Germany Website: fineart.adescarbon.de Email: studio@adescarbon.de Phone: +49 (0) 151 21275416
Data protection officer
The data protection officer is available for any questions and as your point of contact on matters of data protection: Name: Adrian Grund Address: Bruder-Konrad-Str. 24c, 82216 Maisach, Germany Email: studio@adescarbon.de Phone: +49 (0) 151 21275416
Data processors
The following service providers process personal data on behalf of the controller under data-processing agreements pursuant to Art. 28 GDPR. Personal data is processed only within the scope of the respective service; any use beyond that scope is contractually excluded.

1. Strato AG
Pascalstraße 10
10587 Berlin
Germany
Function: Email sending and receiving (SMTP/IMAP) for communication with enquirers and clients.
Data processed: email content, sender and recipient addresses, technical headers.
Privacy policy: https://www.strato.de/datenschutz/

2. Stripe Payments Europe, Ltd. (and Stripe, Inc.)
Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA
Function: Processing of payments via Stripe Payment Links. When you click a payment link, you leave this website and are redirected to a payment page hosted by Stripe (stripe.com). No card, account or other payment data is collected or processed on this website itself.
Transfer to the USA: Stripe has been certified under the EU-US Data Privacy Framework (DPF) since July 2023, which ensures an adequate level of data protection within the meaning of the GDPR.
Privacy policy: https://stripe.com/de/privacy

Note: The content management system (Directus) and the database that stores content and customer data run on the same privately operated server as the website (see "Hosting"). No third-party processing of this data takes place.
Definitions
To make this Privacy Policy as transparent and understandable as possible, it primarily uses terms also defined in the General Data Protection Regulation (GDPR). The full statutory definitions are found in Art. 4 GDPR. The most important terms used in this Privacy Policy are explained below:

Personal data: Any information relating to an identified or identifiable natural person (the "data subject"). A person is identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

Processing: Any operation or set of operations performed on personal data, whether or not by automated means. This includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor: A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

Consent: Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

Website: The website refers to the entire online offering provided by the controller under a specific URL. This includes all content, information, features and services that the controller publishes and makes available to users via that URL. The website serves as a digital platform for providing information, services and interaction between the controller and users.

End device: An electronic device capable of accessing the internet and loading websites. This includes, among others, computers, laptops, tablets and smartphones.

These definitions help you understand the Privacy Policy and the meaning of the terms it uses.
Hosting
This website is not operated by an external hosting provider; it is hosted on private infrastructure of the controller in Germany. Specifically, the website runs on a privately operated server (Unraid) at the controller's home in 82216 Maisach, Bavaria. No data is transmitted to an external hosting provider.

Each time the website is accessed, the following data is recorded in the server log files:
a) IP address of the requesting computer
b) date and time of the request
c) URL or file requested
d) referrer URL
e) browser and user agent
f) HTTP status code

These log entries are used solely for the smooth operation of the website, error analysis and the prevention and investigation of abusive access (e.g. brute-force attempts). The data is not combined with other sources and is not analysed on a personal basis.

Retention: at most 7 days. After that, log files are deleted automatically. Longer retention only takes place where necessary to investigate a specific security-relevant incident; in such cases retention is limited to the data relevant to the incident.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in stable, secure provision of the website and the prevention of abusive access).
Legal bases for processing
Your personal data is processed on the basis of the General Data Protection Regulation (GDPR) and other relevant statutory provisions. Different legal bases apply depending on the purpose of the processing. Where you have given consent to the processing of your personal data, processing is based on your consent under Art. 6(1)(a) GDPR. This applies in particular to the processing of special categories of personal data under Art. 9(2)(a) GDPR and to transfers of personal data to third countries under Art. 49(1)(a) GDPR. You may withdraw your consent at any time. Processing of your data may be necessary to perform a contract or to take pre-contractual steps and is then based on Art. 6(1)(b) GDPR. Processing may also be necessary to comply with a legal obligation, in which case it is based on Art. 6(1)(c) GDPR. In certain cases, processing is carried out to safeguard legitimate interests of the controller or a third party, provided that your interests or fundamental rights and freedoms do not override them. This processing is based on Art. 6(1)(f) GDPR. For some forms of processing, national rules may also apply — for example § 25 TTDSG for the storage of cookies or access to information on your end device. The applicable legal basis is explained in detail in the relevant section of this Privacy Policy.
Data transfers to unsafe third countries and non-DPF-certified US providers
If tools from companies based in third countries without an equivalent level of data protection, or US tools whose providers are not certified under the EU-US Data Privacy Framework (DPF), are used on this website, your personal data may be transferred to those countries and processed there. Please note that an EU-equivalent level of data protection cannot be guaranteed in unsafe third countries. The USA, as an unsafe third country, in principle does not offer a level of data protection comparable to that of the EU. A transfer to the USA is therefore only permissible where the recipient is either certified under the EU-US Data Privacy Framework (DPF) or has implemented suitable additional safeguards. Detailed information on possible transfers to third countries, including the recipients, can be found in the relevant sections of this Privacy Policy.
Retention period
Unless a more specific retention period is stated elsewhere in this Privacy Policy, personal data is kept by the controller until the purpose for processing it ceases to apply. Where you make a justified request for deletion or withdraw a consent on which the processing was based, the data in question is deleted, unless other legally permissible grounds for storage exist (e.g. statutory retention obligations under tax or commercial law). In such cases, deletion takes place once those grounds no longer apply. The controller stores personal data only for as long as necessary to fulfil the purposes for which it was collected. This includes in particular the performance of contractual obligations, compliance with statutory retention requirements and the safeguarding of legitimate interests of the controller, such as IT security and protection against misuse. Where the processing is based on consent, the data is stored until the consent is withdrawn by the data subject. Such withdrawal is possible at any time with effect for the future. After withdrawal, the data is deleted without undue delay, unless statutory retention obligations or other overriding legal grounds require continued storage. In summary: personal data is deleted once the purpose has been fulfilled or the legal basis for storage no longer applies, unless legal obligations or legitimate interests justify continued retention.
Security measures and data minimisation
Comprehensive technical and organisational measures are in place to effectively protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access. Care is taken to collect and process only data strictly necessary for the respective purpose. This data-minimisation strategy significantly reduces the risk of misuse and unauthorised access. Security measures are continuously adapted to the state of the art to maintain a high level of protection of your data over time.
SSL/TLS encryption
To protect your data during transmission, this website is served over HTTPS, i.e. HTTP encrypted with TLS (Transport Layer Security). TLS is the successor of SSL (Secure Sockets Layer); all SSL versions are obsolete and have been withdrawn from use, although the name "SSL" is still commonly used for encrypted connections. TLS ensures that data exchanged between your browser and the server cannot be read or altered by third parties on the network path. You can identify an encrypted connection by the address in the address bar beginning with "https://" rather than "http://" and by the padlock icon in your browser. The padlock indicates that the connection is encrypted and that the server presented a valid certificate for this domain; it says nothing about how the data is handled after it has arrived, which is what the remaining sections of this Privacy Policy describe.
Cookies
This website uses only strictly necessary cookies. No tracking, analytics or marketing cookies are used. The cookies listed below are based on Art. 6(1)(f) GDPR (legitimate interest in providing a functional, secure online offering) and § 25(2) no. 2 TTDSG (strictly necessary for the operator to provide the telemedia service explicitly requested by the user).

The following cookies are set:

1. lang
Purpose: stores the selected language preference (German/English) so that the website is loaded in the chosen language on your next visit.
Lifetime: 1 year
HttpOnly: no (also readable client-side, so the language switch can work)
SameSite: Lax
Legal basis: Art. 6(1)(f) GDPR

2. client_session
Purpose: authentication for the client area (Private View). Only set when a client has actively signed in with email and password. Contains only a random session token, mapped to the client ID server-side.
Lifetime: 30 days
HttpOnly: yes (not readable from JavaScript)
SameSite: Strict
Legal basis: Art. 6(1)(f) GDPR

3. admin_session
Purpose: authentication for the administration area. This area is accessible only via the local network and is not relevant for visitors of the public website.
Lifetime: 8 hours
HttpOnly: yes
SameSite: Strict
Legal basis: Art. 6(1)(f) GDPR

In addition, when you click "Got it" on the cookie notice, the website stores an entry in your browser's local storage (key: cookie_notice_dismissed) so that the notice is not shown again. This is not a cookie, and no personal data is stored.

You can delete cookies in your browser at any time, or disable cookie storage entirely. If you do, some features may stop working; in particular, your selected language will not be remembered, and signing in to the client area will not be possible.
Cookie notice
On your first visit to this website, an unobtrusive notice appears at the bottom of the screen informing you about the use of cookies and pointing you to this Privacy Policy. Because only strictly necessary cookies (language preference, secure sign-in) are used, no consent ("opt-in") is required under § 25(2) no. 2 TTDSG. There is therefore no accept/decline dialog; the notice is purely informational.

Clicking "Got it" (or "Verstanden") permanently dismisses the notice. To do this, the entry cookie_notice_dismissed is stored in your browser's local storage. No personal data is stored, and no consent is requested or recorded. If you would like to see the cookie notice again, you can delete the cookie_notice_dismissed entry from your browser's local storage or clear your browser's site data.
Self-hosted fonts
For displaying text, this website uses only self-hosted fonts. The font files are served directly from this server (see "Hosting") together with the rest of the website content.

Fonts in use:
a) Source Serif 4 (licence: SIL Open Font License, OFL)
b) Inter (licence: SIL Open Font License, OFL)

When the website is loaded, no requests are made to external font services such as Google Fonts, Adobe Fonts (Typekit) or similar providers. Neither your IP address nor any other data is transmitted to a third party for the purpose of font loading.
Server-side analytics
A simple, server-side analytics system is in place to help identify popular content and to continuously improve the online offering. It runs entirely on this server (see "Hosting"); no third-party tools such as Google Analytics, Matomo, Plausible or similar are used.

Only the following non-personal data points are recorded:
a) the requested URL path (e.g. "/en/series/example") as an anonymous counter: one hit counter per path, with no link to an individual person or session
b) a daily total counter ("how many requests were there today in total?")
c) the referrer URL's host name (e.g. "google.com"): only the domain, not the full referrer URL

Explicitly not collected and not stored: IP addresses, user agents, cookies, session IDs, time spent, mouse movements, individual click paths or any other identifiable attributes. The data collected does not allow profiling or recognition of individual visitors.

The aggregated counters are stored in a simple JSON file on the server and are used internally only for evaluating content performance.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in anonymous reach measurement to optimise the online offering). No consent ("opt-in") is required because the data is not personal.
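The following is an added illustration of the counter scheme described in this section, written for this edition of the page; it is not the site's own analytics code. It shows the data-minimisation property that makes the counters non-personal: the recording function is only ever handed the request path and the Referer header, so IP address and user agent cannot end up in the file, query strings and fragments (which can carry tokens or email addresses) are discarded before counting, and the referrer is reduced to its host name. The JSON file name, the three-counter layout and the function names are assumptions for the example.

```python
import json
from datetime import date
from typing import Optional
from urllib.parse import urlsplit

# Added example, not the site's code. Aggregate counters of the kind the
# section above describes: one per path, one per day, one per referrer host.
# File name and counter layout are assumed.

def normalise_path(raw_path: str) -> str:
    """Keep only the path component. Query strings and fragments may carry
    identifiers (tokens, email addresses) and must not reach the counters."""
    path = urlsplit(raw_path).path or "/"
    # Collapse a trailing slash so "/a/" and "/a" are counted as one page.
    if len(path) > 1:
        path = path.rstrip("/")
    return path

def referrer_host(referrer: Optional[str]) -> str:
    """Reduce a Referer header to its host name only, or "direct" if absent/unparseable."""
    if not referrer:
        return "direct"
    host = urlsplit(referrer).hostname
    return host if host else "direct"

def new_counters() -> dict:
    return {"paths": {}, "days": {}, "referrers": {}}

def record_hit(counters: dict, raw_path: str, referrer: Optional[str], today: date) -> dict:
    """Increment the three aggregate counters for one request.
    Nothing about the client (IP, user agent, cookies) is passed in,
    so nothing about the client can be stored."""
    path = normalise_path(raw_path)
    day = today.isoformat()
    host = referrer_host(referrer)
    counters["paths"][path] = counters["paths"].get(path, 0) + 1
    counters["days"][day] = counters["days"].get(day, 0) + 1
    counters["referrers"][host] = counters["referrers"].get(host, 0) + 1
    return counters

def save_counters(counters: dict, filename: str = "analytics.json") -> None:
    """Persist the aggregates as a plain JSON file (file name assumed)."""
    with open(filename, "w", encoding="utf-8") as fh:
        json.dump(counters, fh, indent=2, sort_keys=True)

def load_counters(filename: str = "analytics.json") -> dict:
    try:
        with open(filename, encoding="utf-8") as fh:
            return json.load(fh)
    except FileNotFoundError:
        return new_counters()

if __name__ == "__main__":
    # Constructed sample requests (not real traffic): request path, Referer header.
    sample = [
        ("/en/series/example", "https://www.google.com/search?q=fine+art"),
        ("/en/series/example?utm_source=newsletter#top", "https://www.google.com/"),
        ("/de/", None),
        ("/en/series/example/", "https://t.co/abc123"),
    ]
    counters = new_counters()
    for path, ref in sample:
        record_hit(counters, path, ref, date(2024, 1, 1))
    print(json.dumps(counters, indent=2, sort_keys=True))
```

Running the sample records three hits for "/en/series/example" (the query-string and trailing-slash variants fold into the same counter) and attributes two of them to the host "www.google.com", with no trace of the search terms in the original referrer.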
Client sign-in / private area
This website provides selected clients with a protected area ("Private View") where personal content, booked sessions and download material are made available. Access is granted only by individual invitation from the controller.

Data processed:
a) email address: used as the unique sign-in identifier and primary contact channel
b) password: stored only as a bcrypt hash; the plain-text password is not accessible even to the controller
c) name (first and last): for personal addressing in the sign-in area
d) preferred language: so the sign-in area is loaded in the desired language automatically
e) optional: additional notes or a welcome text that the controller may add to the account

Session management: after a successful sign-in, a random session token is generated and stored in the HttpOnly cookie "client_session" (lifetime 30 days). The mapping from this token to the client ID is held only in server memory; on a server restart, all sessions become invalid and a new sign-in is required.

Purpose: providing the personal client area (display of individually shared series and curations, access to download files, history of submitted enquiries).

Retention: the client data is stored for as long as the client account is active and the controller continues to make content available to the client. On request from the client, or at the latest when the purpose ceases to apply, the account data, including the password hash, is deleted. Related content (e.g. previous enquiries or orders) is handled separately according to the applicable retention rules (see "Retention period").

Legal basis: Art. 6(1)(b) GDPR (performance of a contract or pre-contractual steps).

Additionally, the client's browser stores some selection states locally, without transmission to the server, such as the list of marked works (in local storage), so that they remain available on the next visit. This data does not leave the device.
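The sign-in and session mechanism described in this section and in the "Cookies" section (random token, HttpOnly and SameSite=Strict cookie with a 30-day lifetime, token-to-client mapping kept only in process memory, password stored as a slow salted hash) is shown below as an added example; it is not the site's own code. The page states that passwords are bcrypt hashes; bcrypt is not in the Python standard library, so hashlib.scrypt stands in here in the same role. The cookie name and lifetime are taken from the page; the client record layout, the function names and the Secure attribute are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

# Added example, not the site's code. scrypt stands in for bcrypt (the page's
# stated hash); record layout and function names are assumed.

SESSION_COOKIE = "client_session"
SESSION_LIFETIME = 30 * 24 * 3600  # 30 days, as stated in the policy

def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || scrypt(password): the salt travels with the hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt + digest

def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, digest)

# Hash of a throwaway random string, checked for unknown emails so that the
# response time does not reveal which addresses have an account.
DUMMY_HASH = hash_password(secrets.token_hex(16))

# token -> (client_id, expiry). Kept only in process memory: a restart empties
# it, which is the "all sessions become invalid" behaviour the policy describes.
_sessions: Dict[str, Tuple[str, float]] = {}

def sign_in(clients: dict, email: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Check credentials; on success mint a random token and register the session.
    Returns the token (to be placed in the Set-Cookie header) or None."""
    now = now if now is not None else time.time()
    record = clients.get(email.lower())
    stored = record["password_hash"] if record else DUMMY_HASH
    ok = verify_password(password, stored)
    if not record or not ok:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
    _sessions[token] = (record["client_id"], now + SESSION_LIFETIME)
    return token

def session_cookie(token: str) -> str:
    """Build the Set-Cookie value with the attributes the policy lists."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = token
    morsel = cookie[SESSION_COOKIE]
    morsel["httponly"] = True      # not readable from JavaScript
    morsel["samesite"] = "Strict"  # never sent on cross-site requests
    morsel["secure"] = True        # only over HTTPS (assumed; not stated on the page)
    morsel["path"] = "/"
    morsel["max-age"] = SESSION_LIFETIME
    return morsel.OutputString()

def client_for(token: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Resolve a cookie value to a client ID, dropping expired sessions."""
    now = now if now is not None else time.time()
    entry = _sessions.get(token) if token else None
    if entry is None:
        return None
    client_id, expiry = entry
    if now >= expiry:
        del _sessions[token]
        return None
    return client_id

def sign_out(token: str) -> None:
    """Invalidate a session server-side; clearing the cookie alone would not."""
    _sessions.pop(token, None)

if __name__ == "__main__":
    # Constructed client record (not real data).
    clients = {"client@example.org": {"client_id": "c-1",
                                      "password_hash": hash_password("correct horse")}}
    token = sign_in(clients, "client@example.org", "correct horse")
    print(session_cookie(token))
    print(client_for(token))  # c-1
```

Two points a practitioner would check here: the token is looked up, never decoded, so the cookie carries no client identifier at all; and the session store is cleared explicitly on sign-out rather than relying on the browser discarding the cookie, so a copied cookie value cannot be replayed after the client has signed out.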
Use of the contact form
For any kind of question, you may contact the controller via a form provided on this website. To know who the request is from and to be able to answer it, the following information is required:
a) name
b) email address
c) message

The processing of data for the purpose of contacting the controller is based on Art. 6(1)(a) GDPR (your freely given consent). If the request leads to a contract or pre-contractual measures, further processing is additionally based on Art. 6(1)(b) GDPR.

The personal data collected via the contact form is deleted once your enquiry has been handled, unless statutory retention periods apply. The data is not shared with third parties; the email infrastructure used to reply is provided by the service provider listed in the section "Data processors".
Requests by email or phone
You may also contact the controller by email or by phone. The personal data transmitted in this way (e.g. name, email address, phone number and the request itself) is processed and stored by the controller solely for the purpose of handling the request and any follow-up questions. The legal basis for this processing is Art. 6(1)(b) GDPR, as the processing is necessary to perform a contract or to take pre-contractual steps. Where the processing is not related to a contract, it is based on Art. 6(1)(f) GDPR, since the controller has a legitimate interest in handling and responding to the request.
No use of contact details for advertising
The use of contact details published in the imprint to send unsolicited advertising or information material is hereby prohibited. Any unauthorised use of the contact details for advertising purposes constitutes an infringement of the rights of the operator of this website and will not be tolerated. The operator expressly reserves the right to take legal action in case of violations, in particular against unsolicited advertising such as spam emails.

Sending to existing customers without consent
Under specific conditions, newsletters may be sent to existing customers even without their explicit consent. This is permissible under Art. 6(1)(f) GDPR provided that:
a) Existing-customer relationship: the customer provided their email address in connection with the sale of goods or services.
b) Direct advertising for the operator's own similar products or services: the newsletter only contains advertising for similar products or services of the operator.
c) Notice of the right to object: the customer was clearly informed, both at the point the email address was collected and in every newsletter, that they may object to the use of their email address at any time, without incurring costs other than the basic transmission charges.
d) No objection from the customer: the customer has not objected to the use of their email address.

This form of newsletter sending is based on the controller's legitimate interest in informing existing customers about similar products or services and in maintaining the business relationship. The processing is based on Art. 6(1)(f) GDPR. Of course, customers may object to the use of their email address for this purpose at any time. An informal message by email to the controller or the use of the "unsubscribe" link in the relevant newsletter is sufficient.
Processing of customer and contract data
Personal customer and contract data is collected, processed and used to establish, organise the content of, and modify contractual relationships. Specifically, the following data may be processed:
a) name (first and last)
b) email address
c) shipping address (where applicable, for delivery of ordered works)
d) phone number (where applicable, if voluntarily provided by the customer)
e) ordered works and versions, order date, order amount

This information is necessary to provide the agreed services, fulfil an order and communicate with you.

Payment data (e.g. credit-card number, IBAN or data from third-party payment systems) is expressly not collected or stored on this website. Payment is handled entirely by the service provider described in the section "Payment processing"; payment data entered there remains with that provider.

Usage and stock data is processed exclusively to fulfil contractual obligations and for proper invoicing. Any use beyond that (e.g. for marketing or advertising purposes) does not take place without your express consent.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract or pre-contractual steps) and Art. 6(1)(c) GDPR (compliance with statutory retention obligations, in particular under tax and commercial law).

Retention: contract and order data is kept after completion of the order for as long as required by statutory retention periods (typically 6 to 10 years under §§ 147 AO, 257 HGB). After those periods expire, the data is deleted unless another reason for further storage exists.
Payment processing
Payments for ordered works are not handled on this website itself but exclusively via the external payment service provider Stripe. After your order is confirmed, an individual "Stripe Payment Link" is generated and sent to you by email. As soon as you click the payment link, you leave this website and are redirected to a payment page hosted by Stripe (stripe.com). Only there do you enter your payment details (e.g. credit-card number, IBAN or data from third-party providers such as Apple Pay or Google Pay). This data is processed exclusively by Stripe; no card, account or other payment data is collected, transmitted or stored on this website.

When generating the payment link, the controller transmits to Stripe: a reference to the order (internal request ID), the order amount, a short description of the ordered works, and the customer's name. Any further personal data required to process the payment (e.g. cardholder name, address) is collected by Stripe directly from the customer.

After a successful payment, the controller receives a confirmation from Stripe that the payment has been received, together with a Stripe-internal reference. The subsequent order confirmation, provision of download material and shipping are handled again on this website or outside of Stripe.

Provider: Stripe Payments Europe, Ltd. (Ireland) and Stripe, Inc. (USA, certified under the EU-US Data Privacy Framework since July 2023).
Stripe's privacy policy: https://stripe.com/de/privacy

Legal basis: Art. 6(1)(b) GDPR (performance of a contract or pre-contractual steps).
Your rights as a data subject
As a data subject whose personal data is being processed, you have the following rights, which you may exercise against the controller at any time:

a) Right of access (Art. 15 GDPR)
You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and to receive information about that data and all the details listed in Art. 15 GDPR.

b) Right to rectification (Art. 16 GDPR)
You have the right to obtain the immediate rectification of inaccurate data or the completion of incomplete data.

c) Right to erasure (Art. 17 GDPR)
You have the right to request the erasure of your personal data where one of the grounds set out in Art. 17 GDPR applies (e.g. the purpose for processing has ceased, consent has been withdrawn, or the processing is unlawful).

d) Right to restriction of processing (Art. 18 GDPR)
Under the conditions set out in Art. 18 GDPR, for example where the accuracy of the data is contested or processing is unlawful, you have the right to request that the processing of your data be restricted.

e) Right to data portability (Art. 20 GDPR)
Where processing is based on consent or on a contract and is carried out by automated means, you have the right to receive the data concerning you in a structured, common and machine-readable format, or to have it transmitted to another controller.

f) Right to object (Art. 21 GDPR)
You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR. Where personal data is processed for the purposes of direct marketing, you have the right to object to that processing at any time.

g) Withdrawal of consent (Art. 7(3) GDPR)
Where processing is based on consent, you may withdraw it at any time with effect for the future, without affecting the lawfulness of processing carried out before the withdrawal.

h) Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data-protection supervisory authority, in particular in the EU member state of your habitual residence, place of work or place of the alleged infringement.

To exercise these rights, an informal message is sufficient:
Adrian Grund
Bruder-Konrad-Str. 24c
82216 Maisach
Germany
Email: studio@adescarbon.de

The supervisory authority responsible for the controller is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany
Email: poststelle@lda.bayern.de
Website: https://www.lda.bayern.de
