Privacy Policy

Last updated: 28 April 2026

0. Controller

The controller responsible under the General Data Protection Regulation (GDPR), other national data protection laws of EU Member States and other applicable data protection rules is:

Bitcoin21 Retail UG (haftungsbeschränkt)
Ludwig-Erhard-Straße 18
20459 Hamburg
Germany

Represented by the managing directors Tobias Cors and Henry Lindemann.
Phone: +49 151 5618 4307
E-mail: info@bitcoin21.shop
Commercial register: HRB 195271, Hamburg Local Court (Amtsgericht Hamburg)
VAT ID: DE460828994

1. Data protection officer

We are not legally required to appoint a data protection officer (Section 38 of the German Federal Data Protection Act, BDSG), and have therefore not appointed one. For data protection enquiries, please contact the controller directly using the details above.

2. General information on data processing

We process personal data of our users only insofar as this is necessary to provide a functional website and our content and services. As a rule, processing only takes place with the user's consent (Art. 6(1)(a) GDPR), to perform a contract (Art. 6(1)(b) GDPR), to comply with a legal obligation (Art. 6(1)(c) GDPR) or on the basis of legitimate interests (Art. 6(1)(f) GDPR).

3. Hosting and server log files (Shopify)

This website is hosted on servers operated by Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland. When you access our website, technical data is automatically recorded in so-called server log files, including:

  • IP address
  • Date and time of access
  • Browser type and version
  • Operating system
  • Referrer URL (previously visited page)
  • Volume of data transferred

The legal basis is Art. 6(1)(f) GDPR (legitimate interest in stable, secure operation of the website). Data is retained for a maximum of 30 days. We have entered into a data processing agreement (DPA) with Shopify pursuant to Art. 28 GDPR. Transfers to the Shopify parent company in Canada/USA are safeguarded by EU Standard Contractual Clauses (SCC). More information: shopify.com/legal/privacy.

4. Cookies and consent management (Pandectes)

We use cookies and similar technologies (local storage, pixels) to provide our website, measure reach and evaluate marketing activities. On your first visit, our consent banner allows you to grant or refuse consent to non-strictly-necessary cookies on a category-by-category basis.

To manage your consent we use the app Pandectes GDPR Compliance by Pandectes Ltd., Athens, Greece. Pandectes stores your consent decisions and technical data (e.g. anonymised IP, date and version of the banner) as evidence of consent. Legal basis: Art. 6(1)(c) GDPR in conjunction with Art. 7(1) GDPR (obligation to demonstrate consent). Privacy notice: pandectes.io/privacy-policy.

You can withdraw your consent at any time via the "Privacy settings" link in the footer. The legal basis for strictly necessary cookies is Art. 6(1)(f) GDPR and Section 25(2)(2) TDDDG. For all other cookies and technologies (statistics, marketing) the legal basis is your consent under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG.

5. Order processing in our online shop

When you place an order in our shop, we process the data necessary to perform the contract: name, delivery and billing address, e-mail address, phone number (optional), order content, payment data. Legal basis: Art. 6(1)(b) GDPR. Retention periods follow commercial and tax law requirements (typically 6 or 10 years, Sections 257 HGB, 147 AO).

6. Print-on-demand production and shipping

Our apparel is produced on a print-on-demand basis. For this purpose we use a print-on-demand provider based in Germany. After your order is placed we transmit the data required for production and shipping – in particular name, delivery address, e-mail address (for shipping notifications) and order content – to this provider. The provider takes care of printing, finishing and shipping. Upon request under Art. 15 GDPR we will disclose the specific recipient.

Legal basis: Art. 6(1)(b) GDPR (performance of contract). A data processing agreement under Art. 28 GDPR is in place with the print-on-demand provider.

To deliver your order, the print-on-demand provider passes your shipping data to the relevant parcel carrier (e.g. DHL, DPD, UPS, Hermes). Legal basis: Art. 6(1)(b) GDPR.

7. Payment service providers

During checkout you may choose between several payment methods. The payment is processed by the provider you have chosen, to which the necessary data is transmitted:

  • Shopify Payments (Shopify International Payments Limited, Ireland) for credit card, SEPA and similar payments. Privacy notice: shopify.com/legal/privacy.
  • Shop Pay (Shopify Inc.) – accelerated wallet checkout. Your payment and shipping details are stored encrypted with Shopify. Privacy notice: shop.app/privacy.
  • PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg) – if selected. Privacy notice: paypal.com/legalhub/privacy-full.
  • Coinsnap (Coinsnap GmbH) for Bitcoin / Lightning payments. When you select the Bitcoin payment option, the order data and payment confirmations required for processing are exchanged with Coinsnap. We do not identify you via the Bitcoin / Lightning transaction itself. Privacy notice: coinsnap.io/datenschutzerklaerung.

Legal basis: Art. 6(1)(b) GDPR (performance of contract).

9. Product reviews (Judge.me)

To collect and display customer reviews we use Judge.me by Judge.me Limited, Hong Kong. If you receive a review invitation after placing an order, your e-mail address, first name and order information will be transmitted to Judge.me. Submitting a review is voluntary.

Legal basis: our legitimate interest in operating a meaningful review system (Art. 6(1)(f) GDPR) and – for sending the review invitation – Art. 6(1)(f) GDPR in conjunction with Section 7(3) UWG. You may object at any time at info@bitcoin21.shop. Privacy notice: judge.me/privacy.

10. Affiliate programme (GoAffPro)

We operate an affiliate programme using GoAffPro by NUVOLLO Pte. Ltd., Singapore. If you visit our website via an affiliate link, a cookie is set so that any resulting order can be attributed to the referring affiliate partner and a commission can be calculated.

Data processed includes cookie ID, IP address, referrer, affiliate ID and – upon order – order number and order value. Legal basis: your consent under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. You may withdraw this consent at any time via the privacy settings in the footer. Privacy notice: goaffpro.com/privacy.

11. Spam protection (hCaptcha)

To protect our forms from automated requests we use hCaptcha by Intuition Machines, Inc., 350 Alabama Street, San Francisco, CA 94110, USA. This processes IP address, browser data and interaction patterns. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in spam and abuse prevention). Privacy notice: hcaptcha.com/privacy.

12. Live chat (Shopify Inbox)

For our customer service chat we use Shopify Inbox by Shopify International Limited. The data you enter into the chat (in particular name, e-mail, message content) and technical connection data are processed. Legal basis: Art. 6(1)(b) GDPR for contract-related enquiries, otherwise Art. 6(1)(f) GDPR. Privacy notice: shopify.com/legal/privacy.

13. Reach measurement (Google Analytics 4)

Subject to your consent we use Google Analytics 4 (measurement ID: G-HB8BGGZ34W) by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies and similar technologies to analyse user behaviour and traffic. IP addresses are processed in shortened form. Data processed includes shortened IP address, device and browser information, referrer, pages viewed and time spent.

Legal basis: your consent under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. You may withdraw consent at any time via the privacy settings in the footer. A data processing agreement is in place with Google. Transfers to the USA are safeguarded by EU Standard Contractual Clauses and the EU-US Data Privacy Framework. Privacy notice: policies.google.com/privacy.

14. Online advertising (Google Ads & conversion tracking)

Subject to your consent we use Google Ads including conversion tracking (account ID: AW-17759392419) by Google Ireland Limited. This allows us to measure whether you have placed an order after clicking on one of our ads. Data processed includes cookie ID, IP address and click / conversion data.

Legal basis: your consent under Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. You may withdraw this consent at any time. Privacy notice: policies.google.com/privacy. You can disable Google's ad personalisation at adssettings.google.com.

15. What we do not use

For transparency: we currently do not use any tracking pixels or advertising networks from Meta/Facebook, Instagram, TikTok, Pinterest, Snapchat, X/Twitter, LinkedIn, Microsoft Clarity, Hotjar or Microsoft/Bing Ads. We will update this Privacy Policy if this changes.

16. Contact form and e-mail contact

If you contact us via the contact form or by e-mail, we process your information (name, e-mail, optional phone number, content of your enquiry) to handle your request. Legal basis: Art. 6(1)(b) GDPR for contract-related enquiries, otherwise Art. 6(1)(f) GDPR. We retain the data for as long as needed to handle your request and to fulfil statutory retention obligations.

17. Customer account

You may optionally create a customer account in our shop. Data processed includes name, e-mail address, password (encrypted), delivery and billing addresses and order history. Legal basis: Art. 6(1)(b) GDPR. You can have your customer account deleted at any time by contacting us at info@bitcoin21.shop; statutory retention obligations remain unaffected.

18. Recipients of personal data

Your personal data is only transferred to the recipients listed in this Privacy Policy and to:

  • our hosting and shop platform provider Shopify;
  • our print-on-demand provider and the parcel carriers it engages;
  • the payment service providers you choose;
  • authorities, where required by law;
  • our tax and legal advisers in the course of their work for us.

19. Transfers to third countries

Where personal data is transferred to countries outside the EEA (in particular the USA, Hong Kong, Singapore) – e.g. when using Judge.me, hCaptcha, GoAffPro, Google Analytics and Google Ads – the transfer is based on:

  • an adequacy decision of the EU Commission (e.g. EU-US Data Privacy Framework where the recipient is certified),
  • EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR, or
  • your explicit consent pursuant to Art. 49(1)(a) GDPR.

20. Retention period

We only retain personal data for as long as is necessary for the respective purposes or as required by statutory retention obligations. Tax and commercial law data is retained for 6 or 10 years (Sections 257 HGB, 147 AO). Newsletter data is retained until your consent is withdrawn; log files for a maximum of 30 days.

21. Your rights

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR),
  • Right to rectification (Art. 16 GDPR),
  • Right to erasure (Art. 17 GDPR),
  • Right to restriction of processing (Art. 18 GDPR),
  • Right to data portability (Art. 20 GDPR),
  • Right to object (Art. 21 GDPR),
  • Right to withdraw consent with effect for the future (Art. 7(3) GDPR).

To exercise these rights, an informal notice to info@bitcoin21.shop or by post to the address stated in the legal notice is sufficient.

22. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority regarding our processing of your personal data. Our competent supervisory authority is:

Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Straße 22, 7th floor
20459 Hamburg, Germany
Phone: +49 40 428 54-4040
E-mail: mailbox@datenschutz.hamburg.de
Web: datenschutz-hamburg.de

23. Automated decision-making

No automated decision-making, including profiling within the meaning of Art. 22 GDPR, takes place.

24. Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy to reflect current legal requirements or changes in our services. The new version will apply to your next visit.