Privacy Policy
1. Information about the collection of personal data and contact details of the data controller
1.1 We are delighted that you are visiting our website and thank you for your interest. Below, we explain how we handle your personal data when you use our website. “Personal data” means any information relating to an identified or identifiable natural person.
1.2 The data controller within the meaning of the GDPR for this website is Lunyssa. The data controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data. You can contact us at contact@lunyssa.com.
1.3 For security reasons and to protect the transmission of personal data and other confidential content (e.g., orders or inquiries), this website uses SSL/TLS encryption. You can recognize an encrypted connection by the “https://” prefix and the padlock icon in your browser bar.
2. Data collection when visiting our website
When you visit our website for informational purposes only (i.e., you do not register or otherwise transmit information), we collect only the data your browser sends to our server (“server log files”). This data is technically necessary to display the website and includes:
- The page visited on our site
- Date and time of access
- Amount of data transferred
- Referrer URL (source from which you visited us)
- Browser used
- Operating system used
- IP address (where applicable, in anonymized form)
Processing takes place pursuant to Art. 6(1)(f) GDPR based on our legitimate interest in improving the stability and functionality of our website. Data is not passed on or otherwise used. However, we reserve the right to review server log files retrospectively if there are concrete indications of unlawful use.
3. Cookies
We use cookies to make our website attractive and to enable certain functions. Some cookies are deleted after your browser session ends (session cookies). Others remain on your device and allow us or our partners (third-party cookies) to recognize your browser on your next visit (persistent cookies). Persistent cookies are automatically deleted after a defined period, which may vary by cookie.
Cookies may simplify the ordering process (e.g., remembering items in your cart). Where personal data is processed via cookies, processing is either pursuant to Art. 6(1)(b) GDPR (contract performance) or Art. 6(1)(f) GDPR (our legitimate interest in a functional, user-friendly website).
We may cooperate with advertising partners who help make our website more interesting for you; in that case, third-party cookies may be stored on your device. If such cooperation occurs, you will be informed separately.
You can configure your browser to inform you about cookie placement and decide on a case-by-case basis, refuse cookies in certain cases or in general, or automatically delete cookies when closing the browser. Instructions are available here:
If you do not accept cookies, some website functions may be limited.
4. Contacting us
When you contact us (e.g., via form or email), we collect personal data. The specific fields are visible on the contact form. Data is stored and used solely to respond to your inquiry and for related technical administration. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries); where your inquiry aims to conclude a contract, Art. 6(1)(b) GDPR. Your data will be deleted once your inquiry is fully resolved, unless legal retention obligations apply.
5. Data processing when opening a customer account and for contract execution
Pursuant to Art. 6(1)(b) GDPR, we collect and process personal data when you provide it for contract execution or to open a customer account. Required fields are indicated in the relevant forms. You may delete your account at any time by contacting us. We store and use your data to process the contract. After full performance or account deletion, your data is restricted and deleted after applicable tax/commercial retention periods, unless you consent to further use or we are legally permitted to retain it.
6. Use of your data for direct marketing
6.1 Newsletter subscription
If you subscribe to our newsletter, we will regularly email you information about our offers. Only your email address is required; other data is optional. We use a double opt-in process. By confirming, you consent to processing under Art. 6(1)(a) GDPR. We store your IP address and the date/time of sign-up to document consent and prevent abuse. You may unsubscribe at any time via the link in the newsletter or by emailing us; your email will then be removed unless further use is permitted by law or consented to.
6.2 Newsletter to existing customers
If you provided your email during a purchase, we may send offers for similar goods/services based on our legitimate interest in direct marketing (Art. 6(1)(f) GDPR). You can object at any time; after objection, we will stop using your email for marketing.
7. Data processing for order processing
7.1 Logistics and payments
We share necessary personal data with the carrier for delivery and with financial institutions/payment providers for payment processing (Art. 6(1)(b) GDPR).
7.2 Payment service providers
PayPal. If you pay via PayPal (or methods offered via PayPal), we transmit payment data to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg, as necessary (Art. 6(1)(b) GDPR). PayPal may perform credit checks under Art. 6(1)(f) GDPR. Details: PayPal Privacy Policy. You may object to processing by contacting PayPal; PayPal may still process data where necessary for contractual payments.
SOFORT/Klarna. If you choose “SOFORT,” processing is carried out by SOFORT GmbH, Theresienhöhe 12, 80339 Munich, Germany (Klarna Group). We transmit order and payment details as necessary (Art. 6(1)(b) GDPR). Privacy: Klarna SOFORT Privacy.
8. Review reminders
With your explicit consent (Art. 6(1)(a) GDPR), we may send a one-time email reminder to review your order. You may revoke consent at any time.
9. Use of social media: social plugins (Shariff solution)
To better protect your data, our Facebook/Google/Instagram buttons are embedded as simple HTML links (Shariff), so no connection to those providers is made on page load. Only when you click a button is the respective page opened, where you may interact with plugins.
- Facebook (Meta Platforms, Inc., USA). Privacy Policy
- Google (incl. Google+ legacy), Google LLC, USA. Privacy Policy
- Instagram (Instagram LLC, USA). Privacy Policy
These providers participate in the EU-U.S. Data Privacy Framework, supporting EU-level protections for data transfers.
10. Online marketing
10.1 DoubleClick by Google
We use DoubleClick (Google LLC) to show relevant ads, improve reporting, and avoid repeat impressions. Processing is based on our legitimate interest in optimizing marketing (Art. 6(1)(f) GDPR). Google may associate visits with your Google account if logged in; otherwise, your IP may be stored. You can opt out by blocking cookies from googleadservices.com, using the DAA tools, or configuring your browser.
Privacy: Google Privacy Policy
10.2 Google Ads Conversion Tracking
We use Google Ads Conversion Tracking to measure campaign performance (Art. 6(1)(f) GDPR). A cookie is set when you click our ad and expires after ~30 days. It is not used for personal identification. You can opt out by disabling the conversion cookie in your browser or installing the plugin: Google Ads Plugin.
12. Retargeting / remarketing / recommendation advertising
Facebook Custom Audiences (Pixel). With your explicit consent (Art. 6(1)(a) GDPR), we use the Facebook Pixel to measure ad effectiveness and build audiences. Data may be linked to your Facebook profile and used per Facebook’s policy. You can manage third-party cookie preferences via the DAA.
Google Ads Remarketing. We use Google Ads Remarketing to display interest-based ads using a pseudonymous cookie ID (Art. 6(1)(f) GDPR). If you allow Google to link your web/app history with your Google account, cross-device remarketing may occur. Opt-out: Google Ads Settings.
13. Data subject rights
You have the following rights under the GDPR:
- Access (Art. 15) – information about the data we process about you
- Rectification (Art. 16) – correction of inaccurate or incomplete data
- Erasure (Art. 17) – deletion under the conditions of Art. 17(1)
- Restriction (Art. 18) – restriction in the cases listed in Art. 18
- Notification (Art. 19) – to recipients about rectification/erasure/restriction
- Portability (Art. 20) – receive your data in a structured, machine-readable format
- Withdrawal (Art. 7(3)) – withdraw consent at any time with future effect
- Complaint (Art. 77) – lodge a complaint with a supervisory authority in your Member State
13.2 Right to object
If we process your personal data based on a balance of interests (Art. 6(1)(f) GDPR), you may object at any time on grounds relating to your particular situation. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests or the processing is for the establishment, exercise, or defense of legal claims.
If we process your data for direct marketing, you may object at any time; we will then stop processing for these purposes.
14. Duration of storage of personal data
Storage duration is determined by statutory retention periods (e.g., commercial/tax). After expiry, data is routinely deleted unless needed to fulfill/initiate a contract or we have a continuing legitimate interest.