urne.store

Privacy policy

1. Controller

The controller responsible for processing personal data on this website is:
[Vor- und Nachname]
[Straße und Hausnummer]
[PLZ] [Ort]
Germany
Email: kontakt@urne.store

2. General

We process personal data in accordance with the GDPR, applicable national data protection law, and — where relevant — the TTDSG. This policy explains the main processing activities on this website.

3. Cookie consent and local storage

On your first visit you can choose whether to allow optional categories (analytics, marketing) in addition to strictly necessary cookies. Optional categories are off by default. Your choice is stored in the browser (localStorage); you can change it anytime via “Cookie settings” in the footer. Strictly necessary cookies do not require consent (Section 25(2) TTDSG). For analytics and marketing, the legal basis when you consent is Art. 6(1)(a) GDPR in conjunction with Section 25(1) TTDSG; you may withdraw consent with future effect.

4. Hosting (Vercel)

This site is hosted on Vercel Inc. (USA). When you access pages, technical data (e.g. IP address, time of access) is processed to deliver content. Legal bases: Art. 6(1)(b) GDPR (contract / pre-contract) and Art. 6(1)(f) GDPR (legitimate interest in secure operation). See Vercel's privacy policy. Transfers to the USA rely on appropriate safeguards (e.g. Standard Contractual Clauses).

5. Database (PostgreSQL)

The PostgreSQL database is operated by the hosting provider in use — please enter provider and location in this configuration (e.g. EU).

We store account, configuration and order data there as required to operate the shop. Legal basis: Art. 6(1)(b) GDPR.

6. Account and sign-in (NextAuth, Google)

You may sign in with Google. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Data such as name, email and profile image may be processed as needed for authentication. Legal basis: Art. 6(1)(b) GDPR. See Google Privacy.

Technically necessary cookies or similar mechanisms may be used for session management. Legal basis: Art. 6(1)(b) GDPR.

7. Configurator and uploads

Images or other content you upload for reliefs are processed to provide the service and store your configuration. Legal basis: Art. 6(1)(b) GDPR.

Processed data may include in particular:

  • the image file itself (pixel data), file name, file type (MIME type) and file size,
  • technical derivatives we generate (e.g. normal/displacement maps, 3D preview data) where required for the service,
  • metadata embedded in image files (e.g. EXIF in JPEG/WebP, such as capture time, camera information or — if present — location data).

To minimise data, we remove embedded metadata from supported raster formats (JPEG, WebP, PNG) after upload where technically possible, before or as soon as the file is further processed. SVG files may retain structured metadata in the file format; only upload such files if you are comfortable with that.

The file is initially stored on our configurator backend server (VPS) and linked to your configuration in the related database. For previews and media delivery, data or derived files may be provided via our processor Bunny.net (CDN/storage, see Section 11). Technical access data (e.g. IP address) may be generated at the CDN provider.

8. Contact requests

If you contact us via the form or email, we process your details to handle the request. Legal basis: Art. 6(1)(b) or Art. 6(1)(f) GDPR (legitimate interest in responding to enquiries).

9. Orders and payments (Stripe)

Payments are processed by Stripe (Stripe Payments Europe Ltd. / Stripe Technology Europe Ltd., Ireland; possibly Stripe Inc., USA). Payment data is processed as necessary to complete the purchase. Legal basis: Art. 6(1)(b) GDPR. See Stripe Privacy.

10. Email (Resend)

Transactional emails may be sent via Resend (provider in the USA). Legal basis: Art. 6(1)(b) GDPR. See Resend Privacy.

11. CDN and storage (Bunny.net)

Media delivery (e.g. 3D assets, images) may use Bunny.net (Slovakia / global CDN). Technical access data may be generated. Legal bases: Art. 6(1)(b) and (f) GDPR. See Bunny Privacy.

12. Web fonts and 3D decoder (Google Fonts, Draco)

We use the "Geist" and "Geist Mono" fonts via the Next.js font system. Font files are bundled at build time and served from the same domain as the website; loading the fonts does not establish a connection to Google LLC servers for that purpose alone. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in readable, consistent presentation).

Certain 3D features (in particular Draco-compressed GLB models) may load Google's Draco WebAssembly decoder (served via www.gstatic.com). Your browser may transfer technical data (in particular IP address and requested files) to Google. Legal bases: Art. 6(1)(b) GDPR (providing the configurator) and Art. 6(1)(f) GDPR. See Google Privacy.

13. Processors

Where we use processors, we do so in line with Art. 28 GDPR and appropriate agreements, where required.

14. Retention

We keep personal data only as long as necessary for the respective purposes or as required by statutory retention rules. In particular, the following orientations apply:

  • Account (sign-in): until deletion of your user account or deletion of stored account data, unless statutory retention obligations require longer storage.
  • Contact requests (form/email): typically up to 6 months after the request is fully handled, unless no contract is concluded and longer retention is required for a legitimate interest (e.g. evidence).
  • Orders, invoices and payment processing: up to 10 years in line with statutory retention under German tax and commercial law (e.g. Section 147 AO, Section 257 HGB), where applicable.
  • Uploaded relief source files and related derivatives: generally until manufacture and delivery of the urn; at the latest 90 days after completion of the order or final conclusion of the business relationship, unless statutory duties or legitimate interests (e.g. warranty) require longer retention.

Otherwise we delete or anonymise data once the purpose of processing no longer applies and no retention obligations prevent deletion.

15. Your rights

Under the GDPR you have the right to access, rectification, erasure, restriction, data portability and objection where applicable, as well as the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

16. Provision of data

Where data is required for the contract or sign-in, providing it is necessary; otherwise we may not be able to provide the service.