Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to briefly as "data") we process, for which purposes and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites and within external online presences, such as our social-media profiles (hereinafter collectively referred to as the "online offer").

The terms used are not gender-specific.

Status: April 2026

Table of Contents

1. Controller
2. Overview of Processing Operations
3. Relevant Legal Bases
4. Security Measures
5. Transfer of Personal Data
6. International Data Transfers
7. General Information on Data Storage and Deletion
8. Rights of Data Subjects
9. Business Services / Online Shop
10. Payment Procedures
11. Provision of the Online Offer and Web Hosting
12. Use of Cookies
13. User Account / Loyalty Programme (Le Cercle)
14. Contact and Enquiry Management
15. Newsletter and Electronic Notifications
16. Promotional Communication via E-Mail
17. Changes and Updates
18. Definitions of Terms

1. Controller

sentiments de vie UG (limited liability)
Bgm-Aurnhammer-Straße 3
86199 Augsburg
Germany

Managing directors authorised to represent the company: Tarek Naim, Enam Hötzl

E-mail: naim@sentimentsdevie.com / hoetzl@sentimentsdevie.com
Website: https://www.sentimentsdevie.com

2. Overview of Processing Operations

The following overview summarises the types of data processed and the purposes of processing.

Types of Data Processed

• Inventory data (e.g. full name, home address, customer number)
• Payment data (e.g. bank details, invoices, payment history)
• Contact data (e.g. postal and e-mail addresses, telephone numbers)
• Content data (e.g. messages, posts, information on authorship)
• Contract data (e.g. subject matter of contract, term, customer category)
• Usage data (e.g. page views, click paths, device information)
• Meta, communication and procedural data (e.g. IP addresses, timestamps)
• Log data (e.g. server log files, login timestamps)

Categories of Data Subjects

• Service recipients and clients (customers)
• Prospective customers
• Communication partners
• Users (website visitors, online shop users, Le Cercle members)
• Business and contractual partners

Purposes of Processing

• Provision of contractual services and fulfilment of contractual obligations
• Communication and responding to enquiries
• Security measures and protection against misuse
• Direct marketing and reach measurement
• Office and organisational procedures
• Provision of our online offer and user-friendliness
• Information technology infrastructure
• Sales promotion (e.g. Le Cercle loyalty programme)

3. Relevant Legal Bases

Legal bases under the GDPR:

• Consent (Art. 6(1)(a) GDPR): The data subject has given consent to the processing of their personal data for one or more specific purposes.
• Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR): Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
• Legal obligation (Art. 6(1)(c) GDPR): Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Legitimate interests (Art. 6(1)(f) GDPR): Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

National rules in Germany:
In addition to the GDPR, the German Federal Data Protection Act (BDSG) applies, which contains in particular specific provisions on the right of access, the right to erasure, the right to object and automated individual decision-making. The data protection laws of the individual federal states may also apply.

4. Security Measures

We take appropriate technical and organisational measures (TOM) in accordance with the legal requirements, taking into account the state of the art and the relevant processing risks, in order to ensure a level of protection appropriate to the risk. These measures include in particular:

• Safeguarding the confidentiality, integrity and availability of data through access controls
• TLS/SSL encryption (HTTPS) for all data transmissions on our website
• HttpOnly cookies and server-side authentication (Supabase Auth)
• HMAC signature verification for all Stripe webhooks
• IP hashing for newsletter registrations
• Rate limiting on all privacy-relevant API routes

When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL.

5. Transfer of Personal Data

In the context of our processing operations, data is transferred to processors and other recipients. This includes in particular:

• Payment service providers (Stripe – for processing purchase transactions)
• Hosting and infrastructure providers (Vercel, Supabase – for operating the website and database)
• E-mail service providers (Resend – for sending transactional e-mails and newsletters)
• Content management (Sanity – for managing website content)
• Web analytics (Google Analytics – if consent has been given)

In all cases, we conclude data processing agreements (DPA) with recipients pursuant to Art. 28 GDPR, or rely on other appropriate safeguards.

6. International Data Transfers

Several of the service providers we use are headquartered in the USA (Vercel, Supabase, Sanity, Resend, Stripe, Google). For data transfers to third countries outside the EU/EEA, we rely on:

• EU-US Data Privacy Framework (DPF): Adequacy decision of the EU Commission of 10 July 2023, to the extent the respective provider is certified.
• Standard Contractual Clauses (SCC): EU Commission standard contractual clauses as supplementary or alternative safeguards.

We provide information on the applicable transfer basis for each individual service provider. Further information on the DPF is available at https://www.dataprivacyframework.gov/.

7. General Information on Data Storage and Deletion

We delete personal data as soon as the purpose of processing has ceased and no statutory retention obligations prevent deletion.

Statutory retention periods under German law:

• 10 years: Books, records, annual financial statements, inventories, management reports, opening balance sheets and associated working instructions and organisational documents (section 147(1) no. 1 in conjunction with (3) AO; section 14b(1) UStG; section 257(1) no. 1 in conjunction with (4) HGB).
• 8 years: Accounting vouchers such as invoices and cost receipts (section 147(1) nos. 4 and 4a in conjunction with (3) sentence 1 AO; section 257(1) no. 4 in conjunction with (4) HGB).
• 6 years: Other business documents, received and dispatched commercial and business letters, and other tax-relevant documents (section 147(1) nos. 2, 3, 5 in conjunction with (3) AO; section 257(1) nos. 2, 3 in conjunction with (4) HGB).
• 3 years: Data required to consider warranty and damages claims (regular statutory limitation period under sections 195, 199 BGB).

The period begins at the end of the calendar year in which the triggering event occurred.

8. Rights of Data Subjects

Under the GDPR (Arts. 15–21), you have the following rights:

• Right to object (Art. 21 GDPR): You may object at any time to the processing of your data where it is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling.
• Right to withdraw consent (Art. 7(3) GDPR): You may withdraw consent given at any time with effect for the future.
• Right of access (Art. 15 GDPR): You may request information about the data we process.
• Right to rectification (Art. 16 GDPR): You may request the completion or rectification of inaccurate data.
• Right to erasure (Art. 17 GDPR): You may request the immediate deletion of your data, unless retention obligations apply.
• Right to restriction of processing (Art. 18 GDPR): You may request restriction of the processing of your data.
• Right to data portability (Art. 20 GDPR): You may request that your data be provided in a machine-readable format.
• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): Competent supervisory authority for sentiments de vie UG:
  Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
  Promenade 18, 91522 Ansbach, Germany
  Postfach 1349, 91504 Ansbach
  Tel: +49 (0) 981 180093-0
  E-mail: poststelle@lda.bayern.de
  Website: https://www.lda.bayern.de

9. Business Services / Online Shop

We operate an online shop for niche perfumes (D2C) and process personal data of our customers and prospective customers for the initiation, performance and handling of purchase contracts.

We process in particular: name, delivery address, e-mail address, order information, payment data and communication history. Where necessary for order fulfilment, we engage shipping service providers and pass on the required data to them.

Processed data types: Inventory data; payment data; contact data; contract data; usage data; meta, communication and procedural data.

Data subjects: Service recipients and clients; prospective customers; business and contractual partners.

Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Retention and deletion: As per Section 7; statutory commercial and tax retention periods remain unaffected.

10. Payment Procedures

For payment processing we use the following payment service provider:

Stripe: Payment services (technical integration of online payment methods).
Provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA.
Website: https://stripe.com | Privacy policy: https://stripe.com/privacy
Legal basis for third-country transfer: Data Privacy Framework (DPF) + Standard Contractual Clauses.

All payment transactions are conducted exclusively via encrypted connections. We do not receive any account or credit card data; we only receive confirmation or rejection of the payment. Data entered is processed and stored exclusively by Stripe.

Legal bases: Performance of a contract (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

11. Provision of the Online Offer and Web Hosting

We process user data in order to provide our online services. We use the following service providers:

Vercel (Hosting & CDN)

Provider: Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA.
Website: https://vercel.com | Privacy policy: https://vercel.com/legal/privacy-policy
EU data protection contact: Vercel Inc., Attn: Data Protection, c/o EDPO, Avenue Huart Hamoir 71, 1030 Brussels, Belgium.
Legal basis for third-country transfer: Standard Contractual Clauses.
Note: We use Vercel in the EU region; data is processed within the EU wherever possible.

Supabase (Database & Authentication)

Provider: Supabase, Inc., 970 Toa Payoh North #07-04, Singapore 318992 (operates EU hosting in Frankfurt/Ireland).
Website: https://supabase.com | Privacy policy: https://supabase.com/privacy
Legal basis for third-country transfer: Standard Contractual Clauses (DPA pursuant to Art. 28 GDPR in place).
Note: We use the EU region (eu-west-1); personal data is stored within the EU.

Sanity (Content Management System)

Provider: Sanity AS, 351 California St, Suite 650, San Francisco, CA 94104, USA (headquarters; EU hosting available).
Website: https://www.sanity.io | Privacy policy: https://www.sanity.io/legal/privacy
Legal basis for third-country transfer: Standard Contractual Clauses; we use EU hosting.

Server log files: Every access automatically generates server log files, which may contain: address and name of the page accessed, date and time of access, data volume transferred, browser type and version, operating system, referrer URL and IP address. This data is used for security purposes and to ensure operation; it is deleted or anonymised after a maximum of 30 days.

E-mail dispatch (Resend):
Transactional e-mails and newsletters are sent via Resend.
Provider: Resend (Zuplo, Inc.), 2261 Market Street #5039, San Francisco, CA 94114, USA.
Website: https://resend.com | Privacy policy: https://resend.com/legal/privacy-policy
Legal basis for third-country transfer: Standard Contractual Clauses (DPA in place).
Note: E-mails are generally encrypted in transit, but not necessarily on the recipient's server.

Processed data types: Usage data; meta, communication and procedural data; log data; content data.

Data subjects: Users (website visitors, users of online services).

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

12. Use of Cookies

We use cookies and comparable technologies (e.g. LocalStorage). "Cookies" are small text files stored on the user's device.

Cookie Categories

Category

Purpose

Consent required

Necessary

Website operation, session management, authentication (HttpOnly cookies), Stripe checkout

No

Statistics

Measurement of website usage (e.g. Google Analytics)

Yes

Marketing

Personalised advertising measures

Yes

We use a consent management solution (cookie banner) through which users can grant, manage and withdraw their consent. Technically necessary cookies are set without consent. For all other cookies we obtain informed, voluntary and active consent (no pre-ticked options).

Storage periods:

• Temporary cookies (session cookies): deleted after the browser is closed.
• Permanent cookies: stored for up to 2 years (unless otherwise specified).

Withdrawal: Users can withdraw consents at any time via the cookie banner or via their browser's privacy settings.

Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR) for technically necessary cookies. For cookies stored on terminal equipment, section 25 TDDDG (German Telecommunications Digital Services Data Protection Act) applies additionally.

13. User Account / Loyalty Programme (Le Cercle)

Users can create an account on our website (Le Cercle membership). During registration, the required mandatory information is collected and processed on the basis of contractual performance. We process in particular: e-mail address, password (stored encrypted), optional delivery address (for the loyalty programme gift), date of registration and IP address at the time of registration.

User profiles are not publicly accessible. IP addresses are stored for misuse prevention. Upon account termination, user data is deleted unless statutory retention obligations apply.

Processed data types: Inventory data; contact data; usage data; log data.

Data subjects: Users.

Legal bases: Performance of a contract (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

14. Contact and Enquiry Management

When you contact us (e.g. by e-mail or contact form), we process the data provided by you insofar as this is necessary to respond to your enquiry and any requested measures.

Processed data types: Contact data; content data; meta, communication and procedural data.

Data subjects: Communication partners.

Retention and deletion: Enquiries are deleted after full processing, unless statutory retention obligations apply.

Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

15. Newsletter and Electronic Notifications

We send newsletters and e-mail notifications only with the recipients' consent (Art. 6(1)(a) GDPR in conjunction with section 7(2) no. 3 UWG).

Registration procedure: We use a double opt-in procedure. After registration, you receive a confirmation e-mail with a link that you must actively click to confirm your registration. Consent is logged with timestamp, e-mail address and hashed IP address.

E-mail dispatch: Newsletters are sent via Resend (see Section 11).

Performance measurement: Our newsletters may contain a so-called tracking pixel (web beacon). When the newsletter is opened, we collect whether and when it was opened and which links were clicked. This information is used solely to improve our communication and is collected exclusively on the basis of your consent.

Unsubscription: You may unsubscribe from the newsletter at any time via the unsubscribe link in every e-mail or by contacting us. We store unsubscribed e-mail addresses for up to 3 years on the basis of legitimate interests (evidence of previously given consent).

Processed data types: Inventory data; contact data; meta, communication and procedural data; usage data (open and click rates).

Data subjects: Communication partners; prospective customers.

Legal basis: Consent (Art. 6(1)(a) GDPR).

16. Promotional Communication via E-Mail

We process personal data for the purpose of promotional communication by e-mail, post or other channels on the basis of consent or legitimate interests (e.g. direct marketing to existing customers pursuant to section 7(3) UWG).

Recipients have the right to object to processing at any time free of charge. After objection or withdrawal, data required for the purposes of providing evidence will be stored for up to 3 years after the end of the year of unsubscription; processing is limited to this purpose.

Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

17. Changes and Updates

We reserve the right to adapt this privacy policy when processing operations or legal requirements change. We recommend that you review the content of this privacy policy regularly. Where a change requires your consent or individual notification, we will inform you separately.

18. Definitions of Terms

• Personal data: Any information relating to an identified or identifiable natural person.
• Processing: Any operation in connection with personal data (collection, storage, use, transfer, deletion, etc.).
• Controller: The natural or legal person that determines the purposes and means of processing.
• Processor: A natural or legal person that processes personal data on behalf of the controller.
• Consent: Any freely given, specific, informed and unambiguous indication of the data subject's wishes.
• Cookies: Small text files stored on terminal devices that contain information about the use of an online offer.