Privacy policy

Introduction

We take the protection of your personal data (hereinafter referred to as “data”) seriously and comply with applicable data protection laws.

With this privacy policy, we fulfill our information obligations under Articles 12 et seq. of the General Data Protection Regulation (hereinafter referred to as “GDPR”). This policy is intended to provide you with an overview of how we handle your personal data processed in connection with the use of our services.

Our service offering includes, in addition to our website with editorial content, a digital personalized support program, an AI-powered 24/7 chat, a community area for users, as well as physical products such as fertility tests and dietary supplements.

Please read this privacy policy in conjunction with our General Terms of Use. The current version of our General Terms of Use can always be accessed at https://fyrcecare.com/en/policies/terms-of-service.

Information about the Responsible Party

The responsible party for data processing within the meaning of Article 4(7) GDPR is Fyrce Care (“we” or “us”), represented by its management. Further details can be found in our legal notice.

This privacy policy describes how we collect, use, and disclose your personal data when you visit the website or make a purchase through the website.

If you have questions regarding the processing of your data or about exercising your rights as a data subject under the GDPR, you can contact us at any time by email at hi@fyrcecare.com. This also applies if you are unclear about any of the terms used in this privacy policy.

Collection of Personal Data

When you visit the website, we collect certain information about your device, your interactions with the website, and information necessary to process your purchases. We may also collect additional information if you contact us for customer support. In this privacy policy, we refer to all information relating to an identifiable person (including the information listed below) as “personal data.” Below you will find a list of the personal data we collect and the reasons for doing so.

Device Information

Purpose of Collection: To properly load the website for you and to conduct analyses on website usage to optimize our website.
Source of Collection: Automatically collected when you access our website through cookies, log files, web beacons, tags, or pixels.
Disclosure for Business Purposes: Shared with our processors Shopify and Klaviyo.
Collected Personal Data: IP address, time zone, date and time of access, cookie information, amount of data transferred, indication of whether the request was successful, information about the browser and operating system used, name of your internet provider, which pages or products you view, search terms, and how you interact with the website. This data is processed and temporarily stored to technically enable the use of the platform (e.g., establishing a connection). Additionally, the data is evaluated anonymously and in aggregated form (i.e., without the possibility of identifying individual users) for the purpose of system security, technical administration of the network infrastructure, and optimization of our platform. These are legitimate interests; therefore, the processing is based on Article 6(1)(f) GDPR.

Data Security Information

To ensure the best possible protection of your data, it is secured during transmission using Secure Socket Layer (SSL) encryption in combination with Transport Layer Security (TLS) encryption. This type of encryption ensures that data cannot be read, intercepted, or altered by unauthorized third parties during transmission.

If we store your data, it is stored exclusively in appropriately security-certified data centers within the European Union (EU) under the scope of the GDPR. We explicitly reserve the right to engage external service providers for the storage and processing of your data; however, they will act solely on our behalf and according to our instructions (processors).

The processors we use are contractually obligated to implement such technical and organizational measures (TOMs) as are appropriate according to the current state of the art to ensure GDPR-compliant processing of your data.

Under no circumstances will your data be sold or unlawfully disclosed to third parties by us or by any processor we engage without a legal basis.

Data Transfers to Third Countries

We may use processors that are based in a third country or are part of an international organization based in a third country. In the context of the GDPR, a third country is defined as a country that is neither a member of the European Union (EU) nor of the European Economic Area (EEA), and thus not subject to the GDPR’s jurisdiction. These third countries may have their own data protection laws, which might not offer the same level of protection as the GDPR.

The transfer of data to third countries is only permissible under certain legal conditions according to Article 44 GDPR:

Adequacy Decision: An adequacy decision indicates that the data protection laws of the third country in question offer a level of protection for your personal data comparable to that under the GDPR. In such cases, data transfers are allowed without further approval. This includes:

EU-U.S. Privacy Framework: For U.S. companies certified under this framework, an adequate level of protection for personal data is assumed.

Standard Contractual Clauses: If no adequacy decision exists, data transfers may be based on standard contractual clauses issued by the European Commission (Article 46(2)(c) GDPR). These clauses provide sufficient guarantees from the service provider, including enforceability of the rights granted under the GDPR.

We will explicitly inform you within this privacy policy if a service provider is based in a third country. In such cases, by giving your consent, you agree to the transfer of your personal data to the respective company under the conditions described.

Our service providers based in third countries are processors under Article 4(8) GDPR and are contractually bound to comply with data protection regulations.

By providing your consent, you agree that your personal data may be transferred to companies in third countries under the specified conditions.

Our service providers based in third countries are processors under Article 4(8) GDPR and are contractually bound to comply with data protection regulations.

By providing your consent, you agree that your personal data may be transferred to companies in third countries under the specified conditions.

Order Information and Customer Support

Purpose of Collection: To provide you with products or services, fulfill our contract with you, process your payment information, arrange for shipping, send you invoices and/or order confirmations, communicate with you, screen orders for potential risks or fraud, and, in accordance with the preferences you have shared with us, send you information or advertising regarding our products or services.
Source of Collection: Provided by you.
Disclosure for Business Purposes: Shared with our processors Shopify and Klaviyo.
Collected Personal Data: Name, billing address, shipping address, payment information (including credit card numbers or PayPal address), email address, and phone number.

User Account

Purpose of Collection: You have the option to register a user account on our platform. The data marked as mandatory fields in the form are required to create a user account and are processed based on Article 6(1)(b) GDPR. Any additional information you voluntarily provide beyond the mandatory fields is processed based on our legitimate interest in using your voluntarily provided information for the user account (Article 6(1)(f) GDPR). Acceptance of our Terms of Use and Privacy Policy is a prerequisite for using the platform.

Legal Basis for Processing Personal Data

We use our website as an informational platform to respond to your inquiries. To personalize contact requests, you have the option to provide information about yourself, comments, and questions via a contact form. The legal basis for such processing is our legitimate interest (Article 6(1)(f) GDPR).

We may also process your personal data for the purpose of providing offers and fulfilling contractual obligations (based on Article 6(1)(b) GDPR).

Where we process your personal data for accounting, cost calculation, or to fulfill legal obligations (e.g., commercial and tax regulations), the processing is based on Article 6(1)(c) GDPR.

On the legal basis of Article 6(1)(f) GDPR, we collect information through participation in conferences and events, personal recommendations, registration of employees by employers for our services, and through selected external business partners.

Based on your consent (Article 6(1)(a) GDPR), we use your data to send you information about products, services, events, and other relevant news about our company. You may withdraw your consent at any time with future effect by using the contact details provided in our legal notice.

Our Community Area

As part of our platform, we offer a community area for user interaction. The technical provision is handled by the platform Circle, provided by CircleCo, Inc., USA. Circle acts as our processor and is contractually obligated to comply with applicable data protection laws.

Within the community area, we process the following data: Email address, name, profile information (as provided by you during registration), content you voluntarily post, contributions, comments, potentially also sensitive data (e.g., health information) if you choose to share it, as well as usage data and interactions within the community.

The data is processed solely for the purpose of providing and moderating the community, fostering user interaction, and improving our services. The legal basis is Article 6(1)(b) GDPR and, for the processing of special categories of personal data, your explicit consent under Article 9(2)(a) GDPR.

Please note that content you post in the community is visible to other registered users. Therefore, be cautious when sharing sensitive information.

Appointment Booking via Calendly

We use the service Calendly, offered by Calendly LLC, for scheduling consultation appointments (“Call your Bestie”). When booking an appointment, personal data such as your name, email address, and, if applicable, additional information required for the appointment are collected and processed. The data processing is carried out for the purpose of appointment planning and coordination (Article 6(1)(b) GDPR).

Calendly processes your data on our behalf and is contractually obligated to comply with data protection regulations. A data transfer to third countries (e.g., India, USA) cannot be ruled out. The transfer is based on the European Commission’s Standard Contractual Clauses. Further information can be found in Calendly's Bookings' privacy policy, available at Calendly's Privacy Policy.

Without providing the required data, it is not possible to book an appointment.

Downloading and using the Circle App

To access our content, you must download and use the Circle app, which is provided by CircleCo, Inc. and available in the Apple App Store and the Google Play Store. When downloading the Circle app, certain personal data is transmitted to the respective app store (Apple Inc. or Google LLC). We have no control over this data processing; it is solely the responsibility of the respective app store operator.

Data Processed During Download: Store account username, email address, content of the request (e.g., which app is downloaded), operating system and version of the device.

This data is required by the app store operator to provide the app for download and to technically enable the download process. The data processing is carried out solely by the app store operator and lies outside our responsibility. The recipient of your personal data within the meaning of Article 4(9) GDPR is the respective app store operator (Apple Inc. or Google LLC) from which you download the app.

Please refer to the respective app store’s privacy policy regarding legal basis and storage duration:

Google Play Store Privacy Policy: Privacy Policy – Privacy & Terms – Google
Apple App Store Privacy Policy: Apple Privacy Policy

Please note: Within the Circle app, we operate our own space. The data processing that occurs once you interact with our content is described in the relevant sections of this privacy policy.

Use of the Contact Form

When you contact us via the provided contact form, the data you enter (name, email address, message) will be processed for the purpose of handling your inquiry (Article 6(1)(f) GDPR). Providing additional information is voluntary. The data will be used exclusively to process your inquiry and will be deleted once your request has been fully handled, unless legal retention obligations require otherwise.

Fertility Tests

When you order a fertility test, we collect the personal data necessary for this purpose (name, address, email address, birth date). This data is exclusively transferred to our partner laboratory in Germany for the purpose of conducting and analyzing the fertility test. The processing is carried out to fulfill the contract in accordance with Article 6(1)(b) GDPR. The laboratory is contractually obligated to comply with data protection regulations. The test results are sent to you directly. No further use or disclosure of your data takes place.

Disclosure of Personal Data

We share your personal data with service providers to assist us in providing our services and fulfilling our contracts with you, as described above. For example:

We use Shopify to operate our online store. You can read more about how Shopify uses your personal data here: Shopify Privacy Policy.
We may also disclose your personal data to comply with applicable laws and regulations, to respond to subpoenas, search warrants, or other lawful requests for information we receive, or to otherwise protect our rights.

Advertising

As described above, we use your personal data to send you targeted advertising or marketing communications that we believe may be of interest to you. Below you will find further details:

Processing of Personal Data by Google:
Information collected by Google is transmitted to Google, based in the USA. Google has self-certified under the EU-U.S. Privacy Shield Framework. You can change your preferences by visiting the Google Marketing Platform Opt-Out page or the Network Advertising Initiative (NAI) Opt-Out page. Alternatively, you can disable Google cookies via the Digital Advertising Alliance’s website. You can also block the storage of cookies by changing your browser settings.

Google Services

Google Analytics: We use Google Analytics to better understand how our customers use the website. Google Analytics enables the creation of statistics that help us understand website traffic and its sources. We use Google Analytics solely for statistical purposes, such as tracking how many users have clicked on a specific element or piece of information. The cookie retention period is 2 years. The legal basis is our legitimate interest (Article 6(1)(f) GDPR).
Google Analytics uses cookies and collects information about your use of our website, including your IP address. To prevent the identification of users via their IP addresses, we use a special code that ensures your IP address is recorded only in truncated and thus anonymized form. Identifying individual users based on this shortened IP address is no longer possible. For more information on data privacy when using Google Analytics, visit: Google Privacy Policy. You can also opt out of Google Analytics here: Google Analytics Opt-Out.
Google Analytics Audiences: We use Google Analytics Audiences, a service provided by Google. Google Analytics Audiences uses cookies stored on your computer and other mobile devices (such as smartphones, tablets, etc.) to analyze how users utilize these devices (legal basis: consent under Article 6(1)(a) GDPR). The cookie retention period is 2 years. Google gains access to the cookies generated by Google AdWords and Google Analytics. During use, data such as IP addresses and user activities are transmitted to Google servers. You can prevent Google from collecting such data as described above under "General Information on Data Processing by Google."
Google Tag Manager: We use Google Tag Manager on our website, which serves to trigger tags that we manage through an interface. The Tag Manager itself (which implements the tags) works without cookies and does not collect personal data. However, it may trigger other tags that collect personal data. Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, it remains effective for all tracking tags implemented via Google Tag Manager.
Google Dynamic Remarketing: Google Dynamic Remarketing is a service by Google. Our website uses a pixel that connects to Google servers. The information transmitted to Google includes, for example, that you have visited our website. Google links this information to an ID stored in a cookie or provided by your device. If you visit other websites that also use Google Dynamic Remarketing, this information is linked to your pseudonymous ID. The legal basis is your consent (Article 6(1)(a) GDPR). We may also use "remarketing tags" on our website, meaning we include keywords on our website that describe the content displayed (e.g., product or service categories). The keywords we use contain no personally identifiable information. Google receives and stores these keywords for recognition purposes. If you visit a page identified with a specific product category, Google saves the keyword and associates it with your recognition features. The processed data is retained for up to two years.
Google AdWords and Google AdWords Conversion: We use Google AdWords and Google AdWords Conversion to measure the effectiveness of individual ads, offers, and features. A cookie is set when you click on a Google ad. This cookie is not intended to identify individuals but allows us to determine whether you returned to the website within the cookie’s validity period of 30 days. The information collected through the conversion cookie is used to generate conversion statistics for AdWords customers who have opted for conversion tracking.
DoubleClick: DoubleClick is a service provided by Google. DoubleClick uses cookies to display ads that are relevant to you. Your browser is assigned a pseudonymous identification number to track which ads have been shown to you and which have been viewed. Using DoubleClick cookies allows Google and its partner websites to display ads based on previous visits to our or other websites. The legal basis is your consent (Article 6(1)(a) GDPR). The information generated by the cookies is transferred to Google servers in the USA. Google discloses the data only under legal obligations or within its processing agreements. Data processed with DoubleClick is stored for up to 2 years, and the cookies are deleted after 11 months.
Google Webfonts: Our platform uses web fonts provided by Google to ensure a consistent and appealing presentation of fonts. The Google Fonts are integrated locally on our server. This means no connection to Google’s servers is established when you access our website, and no data (such as your IP address) is transmitted to Google. The integration is based on our legitimate interest in a consistent and appealing presentation of our online offerings under Article 6(1)(f) GDPR. No personal data is shared with third parties through the local hosting of the fonts.

Shopify Audiences

We use Shopify Audiences to help us display ads on other websites through our advertising partners to customers who have made purchases from other Shopify merchants and who may also be interested in our offerings.

We also share information about your use of the platform, your purchases, and the email address linked to your purchases with Shopify Audiences, allowing other Shopify merchants to potentially offer you relevant deals.

Use of the AI-Based Knowledge and RAG Platform (Blockbrain)

For the development and provision of our AI-supported features - particularly our chat-based information and guidance tool - we use the platform “Blockbrain”, provided by Blockbrain AI Ltd. (https://theblockbrain.ai/). Blockbrain is an enterprise knowledge-management and Retrieval-Augmented Generation (RAG) infrastructure that enables us to organize internal content, feed proprietary knowledge (e.g., studies, educational materials), and operate an AI-based chat system.

Blockbrain acts solely as a technical service provider (processor) in accordance with Article 28 GDPR. The system processes information exclusively on our behalf and according to our instructions.

The following categories of personal data may be processed through our AI-based chat features:

Email address
First and last name
Age (e.g., when necessary for interpreting inputs such as AMH values or other cycle-related information)
Interaction data within the chat (questions, messages, usage patterns)
Optional: Information you voluntarily share during interactions (e.g., lifestyle-related inputs or health-related descriptions)

The legal basis for processing is Article 6(1)(b) GDPR (contract performance) and - when processing special categories of personal data (health data) - your explicit consent according to Article 9(2)(a) GDPR. Data is stored for as long as necessary to provide the digital program and to fulfill legal retention obligations. After the usage relationship ends and any legal retention periods expire, the data will be deleted.

Blockbrain does not use your data for its own purposes and does not gain independent access rights to your content.

Advertising on Social Media Platforms

We run advertising campaigns on social media platforms such as Meta (formerly Facebook) Tiktok and LinkedIn. These campaigns are designed to deliver personalized ads to users who have shown interest in our products or have visited our platform.

To provide these targeted ads, we may collect certain user data, including IP addresses, device information, browsing behavior, and interactions with our platform.

Please note that these social media platforms may also collect additional data directly from users when they interact with our ads or visit our social media pages. The collection and processing of such data are subject to the respective platform’s privacy policies. We have no control over the data collected by these platforms, and we recommend reviewing their privacy policies for more information about their data practices.

Further information about how targeted advertising works can be found on the Network Advertising Initiative’s educational page: How Does Online Advertising Work?

You can opt out of targeted advertising via:

Facebook: Facebook Ad Settings
Google: Google Ad Settings
Tiktok: TikTok Ads Settings
Additionally, you can opt out of some of these services through the Digital Advertising Alliance’s opt-out portal: DAA Opt-Out.

Contests

To participate in contests, it is necessary to provide personal data. We use this data for the duration and management of the respective contest, including the drawing of winners and notifying them. If prizes are provided by a third party, we may share the winners’ data with the prize sponsor or their service provider. Otherwise, participants’ personal data will not be shared with third parties without consent. The legal basis for processing is Article 6(1)(b) GDPR.

Surveys

If you participate in one of our surveys, we use your data for market and opinion research. The data is analyzed anonymously for internal purposes. If surveys are exceptionally not anonymous, data is collected only with your consent. For anonymous surveys, the GDPR does not apply; for personal evaluations, the legal basis is your consent (Article 6(1)(a) GDPR).

When you sign up for our newsletter on our website, we process your data (e.g., name, email address, IP address, as well as the date and time of your registration). We use a double opt-in procedure for newsletter subscriptions: After signing up, you will receive an email asking you to confirm your registration. This confirmation ensures that no unauthorized third party can use your email address. The legal basis for processing is your consent (Article 6(1)(a) GDPR). Your data will be stored for as long as your newsletter subscription remains active. You can revoke your consent at any time, for example by using the “unsubscribe” link included in every newsletter or by emailing hi@fyrcecare.com.

We use common technologies in our newsletters that allow us to measure interactions with the newsletters (e.g., whether the email was opened, which links were clicked). We use this data in pseudonymized form for general statistical evaluations as well as for optimizing and improving our content and customer communications. This is done using small graphics embedded in the newsletter (so-called pixels). The data is collected solely under a pseudonym and is not combined with your other personal data. The legal basis for this is your consent (Article 6(1)(a) GDPR). If you do not want us to analyze the effectiveness of our newsletter, you can disable image downloads by default in your email program or unsubscribe from the newsletter. Data related to interactions with our newsletters is stored pseudonymized for 30 days and then fully anonymized.

YouTube Videos

We use the provider YouTube to present videos. YouTube is operated by YouTube LLC, located at 901 Cherry Avenue, San Bruno, CA 94066, USA, and represented by Google. The legal basis for using YouTube plugins is our legitimate interest (Article 6(1)(f) GDPR). We use embedded YouTube videos in enhanced privacy mode. According to YouTube, this means that YouTube does not store cookies for users who visit a website with an embedded YouTube video player without clicking on the video to start playback.

If you click on the YouTube video player, YouTube may store cookies on the user’s device. However, we do not store any personal cookie information for the playback of embedded videos.

Note on your data subject rights: You may withdraw your consent at any time with future effect by contacting us via the contact details provided in the legal notice. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Social Media Platforms

We use the following social media platforms:

Facebook
LinkedIn
Xing
Twitter
Instagram
Pinterest
TikTok
YouTube

The operators of these social media platforms (e.g., Facebook) are involved in the use of the platforms listed above. They are also considered responsible parties under data protection law. We have only limited influence over the data processing carried out by the platform operators and rely on the information provided by the respective providers. Where we can influence or are involved in defining the data processing, we aim to ensure that the social media platform operators handle data in a privacy-compliant manner.

Use of Social Media

The data you disclose on our social media pages - such as comments, videos, images, likes, public messages, etc. - is published by the social media platform. We reserve the right to comment on or delete content if necessary. In some cases, we may share your content on our page and communicate with you via the social media platform. We use social media platforms for advertising purposes. The statistics provided to us by the social media platform operators can only be influenced to a limited extent and cannot be disabled. The legal basis for this processing is our legitimate interest in carrying out the aforementioned activities (Article 6(1)(f) GDPR).

Data Processed by Social Media Platform Operators

Social media platform operators use web tracking methods. This tracking may occur regardless of whether you are logged in to or registered with the platform. As previously mentioned, we have limited influence over the tracking methods used by these platforms and cannot disable them, for example. It cannot be ruled out that the platform operator uses your data - for example, to analyze habits, personal relationships, preferences, etc. We have no influence over the platform operator’s data processing practices in this regard. For more information on how the respective social media platforms process data and on available opt-out options, please refer to the privacy policies of the respective providers:

Facebook: Facebook Privacy Policy
YouTube: YouTube Privacy Policy
LinkedIn: LinkedIn Privacy Policy
Instagram: Instagram Privacy Policy
Pinterest: Pinterest Privacy Policy
TikTok: TikTok Privacy Policy

Data Processed by Us

The data you disclose on our social media pages - such as comments, videos, images, likes, public messages, etc. - is published by the social media platform. We reserve the right to comment on or delete content if necessary. In some cases, we may share your content on our page and communicate with you via the social media platform. We use the social media platforms for advertising purposes. The statistics provided to us by the social media platform operators can only be influenced to a limited extent and cannot be disabled. The legal basis for this processing is our legitimate interest in carrying out the aforementioned activities (Article 6(1)(f) GDPR).

Use of CRM Systems

We process personal data (such as name, contact details, and communication history) in CRM systems for the purpose of managing contact information, handling inquiries, and optimizing our services. The legal basis for this processing is Article 6(1)(b) GDPR and Article 6(1)(f) GDPR (our legitimate interest in efficient customer communication).

Use of Personal Data

We use your personal data to provide our services to you, including offering products for sale, processing payments, shipping and fulfilling your orders, and keeping you informed about new products, services, and offers.

Disclosure of Data to Third Parties

We work with service providers who support us in providing our services on this platform. These service providers are mentioned in the respective sections of this privacy policy and process data exclusively on our behalf and under our control, and only for the purposes described in this privacy policy.

Data Retention

Personal data is stored for as long as necessary for the purposes mentioned above. Data is deleted at the latest after the end of the contractual relationship and after the expiration of civil, commercial, and tax-related retention periods. Data collected while browsing our platform (see Section 1), which may legally be considered personal data (e.g., the full IP address), is stored for a period of 14 days unless an unusual incident requires a longer retention period (e.g., after a hacking attack). If we process data based on legitimate interests (Article 6(1)(f) GDPR), it will be stored until you object to the processing or until your legitimate interests outweigh ours.

Automated Decision-Making

If you are located in the EEA, you have the right to object to processing based solely on automated decision-making (including profiling) where such processing has legal effects on you or similarly significantly affects you.

We do not engage in fully automated decision-making that has legal or otherwise significant effects on you using customer data. Our processor, Shopify, uses limited automated decision-making to prevent fraud, which does not have legal or similarly significant effects on you.

Examples of services that involve elements of automated decision-making include:

Temporary blacklist of IP addresses associated with repeated failed transactions. This blacklist remains in place for a few hours.
Temporary blacklist of credit cards associated with blacklisted IP addresses. This blacklist remains in place for a few days.

Your Rights under the GDPR

If you are located in the EEA, you have the right to access the personal data we hold about you, to request that your data be corrected, updated, or deleted, and to request the transfer of your personal data to a new service. If you wish to exercise these rights, please contact us at hi@fyrcecare.com.

Your personal data is initially processed in Ireland and then transferred for storage and further processing outside Europe, including to Canada and the United States. For more information about how Shopify ensures GDPR compliance during such data transfers, please refer to Shopify’s GDPR Whitepaper: Shopify GDPR Whitepaper.

Opt-out / Withdrawal

If we process your personal data based on our legitimate interests, you may object to the processing and use of your data at any time. In this case, we will no longer process your data unless we can demonstrate compelling legitimate grounds that override your interests. You can object to the use of your data for direct marketing purposes at any time without further consideration.

Cookies

A cookie is a small amount of information that is downloaded to your computer or device when you visit our website. We use various cookies, including functional, performance, advertising, and social media or content cookies. Cookies improve your browsing experience by allowing the website to remember your actions and preferences (such as login and region selection). This means you don’t have to re-enter this information every time you return to the site or navigate from one page to another. Cookies also provide information about how people use the website, such as whether it’s their first visit or whether they are frequent visitors.

We use the following cookies to optimize your experience on our site and to provide our services:

Cookie: _ab
Purpose: Used in connection with access to admin panel
Duration: 2 years

Cookie: _secure_session_id
Purpose: Used in connection with navigation through the storefront
Duration: 24 hours

Cookie: _shopify_country
Purpose: Used in connection with checkout
Duration: Session

Cookie: _shopify_m
Purpose: Used to manage customer privacy settings
Duration: 1 year

Cookie: _shopify_tm
Purpose: Used to manage customer privacy settings
Duration: 30 minutes

Cookie: _shopify_tw
Purpose: Used to manage customer privacy settings
Duration: 2 weeks

Cookie: _storefront_u
Purpose: Used to facilitate updating customer account information
Duration: 1 minute

Cookie: _tracking_consent
Purpose: Tracking preferences
Duration: 1 year

Cookie: c
Purpose: Used in connection with checkout
Duration: 1 year

Cookie: cart
Purpose: Used in connection with shopping cart
Duration: 2 weeks

Cookie: cart_currency
Purpose: Used in connection with shopping cart
Duration: 2 weeks

Cookie: cart_sig
Purpose: Used in connection with checkout
Duration: 2 weeks

Cookie: cart_ts
Purpose: Used in connection with checkout
Duration: 2 weeks

Cookie: cart_ver
Purpose: Used in connection with shopping cart
Duration: 2 weeks

Cookie: checkout
Purpose: Used in connection with checkout
Duration: 4 weeks

Cookie: checkout_token
Purpose: Used in connection with checkout
Duration: 1 year

Cookie: dynamic_checkout_shown_on_cart
Purpose: Used in connection with checkout
Duration: 30 minutes

Cookie: hide_shopify_pay_for_checkout
Purpose: Used in connection with checkout
Duration: Session

Cookie: keep_alive
Purpose: Used in connection with buyer localization
Duration: 2 weeks

Cookie: master_device_id
Purpose: Used in connection with merchant login
Duration: 2 years

Cookie: previous_step
Purpose: Used in connection with checkout
Duration: 1 year

Cookie: remember_me
Purpose: Used in connection with checkout
Duration: 1 year

Cookie: secure_customer_sig
Purpose: Used in connection with customer login
Duration: 20 years

Cookie: shopify_pay
Purpose: Used in connection with checkout
Duration: 1 year

Cookie: shopify_pay_redirect
Purpose: Used in connection with checkout
Duration: 30 minutes, 3 weeks, or 1 year, depending on value

Cookie: storefront_digest
Purpose: Used in connection with customer login
Duration: 2 years

Cookie: tracked_start_checkout
Purpose: Used in connection with checkout
Duration: 1 year

Cookie: checkout_one_experiment
Purpose: Used in connection with checkout
Duration: Session

Cookie: checkout_session_lookup
Purpose: Used in connection with checkout
Duration: 3 weeks

Cookie: checkout_session_token_<<token>>
Purpose: Used in connection with checkout
Duration: 3 weeks

Cookie: identity-state
Purpose: Used in connection with customer authentication
Duration: 24 hours

Cookie: identity-state-<<token>>
Purpose: Used in connection with customer authentication
Duration: 24 hours

Reporting and Analytics

Cookie: _landing_page
Purpose: Tracking landing pages
Duration: 2 weeks

Cookie: _orig_referrer
Purpose: Tracking landing pages
Duration: 2 weeks

Cookie: _s
Purpose: Shopify analytics
Duration: 30 minutes

Cookie: _shopify_d
Purpose: Shopify analytics
Duration: Session

Cookie: _shopify_s
Purpose: Shopify analytics
Duration: 30 minutes

Cookie: _shopify_sa_p
Purpose: Shopify analytics related to marketing and referrals
Duration: 30 minutes

Cookie: _shopify_sa_t
Purpose: Shopify analytics related to marketing and referrals
Duration: 30 minutes

Cookie: _shopify_y
Purpose: Shopify analytics
Duration: 1 year

Cookie: _y
Purpose: Shopify analytics
Duration: 1 year

Cookie: _shopify_ga
Purpose: Shopify and Google Analytics
Duration: Session

Cookie: customer_auth_provider
Purpose: Shopify analytics
Duration: Session

Cookie: customer_auth_session_created_at
Purpose: Shopify analytics
Duration: Session

The duration for which a cookie remains on your computer or mobile device depends on whether it is a “persistent” or “session” cookie. Session cookies remain active until you stop browsing, while persistent cookies remain until they expire or are deleted. Most of the cookies we use are persistent and expire between 30 minutes and two years from the date they are downloaded to your device. You can control and manage cookies in various ways. Please note that removing or blocking cookies may negatively impact your user experience, and parts of our platform may no longer be fully accessible.

Most browsers automatically accept cookies, but you can choose whether to accept cookies through your browser settings, usually found in the “Tools” or “Settings” menu. For more information on how to change your browser settings or how to block, manage, or filter cookies, please refer to your browser’s help section or visit websites such as All About Cookies. Please also note that blocking cookies may not fully prevent us from sharing information with third parties, such as our advertising partners. To exercise your rights or prevent these parties from using your information, please follow the instructions provided in the “Behavioral Advertising” section above.

Do Not Track

Please note that we do not alter our data collection and usage practices when we detect a “Do Not Track” signal from your browser, as there is no consistent industry standard for how to respond to such signals.

Changes

We may update this privacy policy from time to time to reflect, for example, changes to our practices or for other operational, legal, or regulatory reasons.

Complaints

As previously mentioned, please contact us via email or by mail using the contact information provided in our legal notice if you wish to file a complaint.

If you are not satisfied with our response to your complaint, you have the right to lodge a complaint with the relevant data protection authority. You may contact your local data protection authority or our supervisory authority: Berlin Commissioner for Data Protection and Freedom of Information.

Definitions

“Controller” means the entity that determines the purposes and means of the processing of personal data according to Article 4(7) GDPR. The controller decides what, how, and for what purpose data is processed and is responsible for compliance with data protection regulations.
“Processor” means the entity that processes personal data on behalf of the controller according to Article 4(8) GDPR.
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”) according to Article 4(1) GDPR.
“Processing” means any operation or set of operations performed on personal data, as defined in Article 4(2) GDPR. This includes collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, disseminating, linking, restricting, deleting, or destroying personal data.
“Data subject” means the identified or identifiable natural person whose personal data is processed by the controller according to Article 4(1) GDPR.
“Recipient” means the entity to whom personal data is disclosed, according to Article 4(9) GDPR, whether a third party or not.
“Third party” means anyone other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data, according to Article 4(10) GDPR.
“Special categories of personal data” include, in particular, health data of the data subject, according to Article 9(1) GDPR. These data require a higher level of protection.
“Health data” refers to personal data related to the physical or mental health of the data subject that reveals information about their health status, according to Article 4(15) GDPR.
“Consent” means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action (such as ticking a checkbox), signify agreement to the processing of their personal data, according to Article 4(11) GDPR.
“Pseudonymization” means processing personal data in such a manner that the data can no longer be attributed to a specific data subject without additional information, according to Article 4(5) GDPR. Such additional information must be kept separately, and measures must be taken to ensure that the data cannot be attributed to an identified or identifiable individual.
“Anonymization” refers to the process by which personal data is irreversibly altered by the controller, either alone or in cooperation with others, so that the data subject can no longer be identified, directly or indirectly, according to DIN EN ISO 25237.

Processors

Shopify
Purpose: Website hosting, payment processing
Location / Third Country: Canada

Mighty Networks
Purpose: Provision of the community platform
Location / Third Country: USA

EMA Health
Purpose: Development and hosting of the app platform
Location / Third Country: Europe (planned GDPR compliance)

Stripe
Purpose: Payment processing
Location / Third Country: USA (Standard Contractual Clauses)

Shopify Payments
Purpose: Payment processing
Location / Third Country: Canada

PayPal
Purpose: Payment processing
Location / Third Country: Luxembourg (EEA)

Google Analytics
Purpose: Web analytics
Location / Third Country: USA (Privacy Framework)

Google Tag Manager
Purpose: Tag management, indirect access to analytics tags
Location / Third Country: USA

Google Ads / AdWords / Remarketing
Purpose: Advertising tracking
Location / Third Country: USA

DoubleClick
Purpose: Advertising network, tracking
Location / Third Country: USA

Shopify Audiences
Purpose: Retargeting, advertising networking
Location / Third Country: Canada

Klaviyo
Purpose: Newsletter delivery, marketing automation, user communications
Location / Third Country: USA

Last updated: November 26, 2025