Privacy Policy

Last Updated: March 2026

1. Data Controller and Contact

The controller responsible for processing your personal data within the meaning of the General Data Protection Regulation (GDPR) is:

Onyx Underwear
Holunderstraße 3
45770 Marl
Germany

Represented by: Abdullah Al Saado
Phone: +49 177 2310549
Email: onyx.storeunderwear@gmail.com
Website: https://onyxunderwear.com

2. General Information on Data Protection

We take the protection of your personal data very seriously and treat your personal data confidentially and in accordance with statutory data protection regulations (GDPR, BDSG and TTDSG).

Personal data means any information relating to an identified or identifiable natural person. This includes, for example, name, address, email address, telephone number or online identifiers such as IP addresses.

3. What Data Do We Process and for What Purpose?

3.1 Order Processing and Contract Fulfillment

When you place an order in our online shop, we collect and process the following data:

  • Title, first name, last name
  • Billing and delivery address
  • Email address
  • Telephone number (optional)
  • Payment information
  • Order details (products, prices, date)

Purpose: Processing of your order, fulfillment of the contract, delivery of goods, payment processing, communication with you, returns and warranty claims.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment) and Art. 6 para. 1 lit. c GDPR (legal obligation, e.g., tax retention).

3.2 Customer Account Registration

If you open a customer account with us, we store:

  • Email address
  • Password (encrypted)
  • Order history
  • Saved addresses

Purpose: Provision of a customer account for simplified order processing, overview of your orders, storage of wish lists.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment) or Art. 6 para. 1 lit. a GDPR (consent).

3.3 Contact Requests

When you contact us via email, contact form, WhatsApp, Instagram or Facebook, we process:

  • Name
  • Contact details (email, phone number)
  • Content of your message
  • Communication metadata (date, time)

Purpose: Processing of your inquiry, communication with you.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment/contract initiation) or Art. 6 para. 1 lit. f GDPR (legitimate interest in responding to inquiries).

3.4 Email Marketing and Newsletter

For sending our newsletter, we process:

  • Email address
  • Name (optional)
  • Consent proof (time, IP address)

Purpose: Sending promotional emails, information about new products, offers and promotions.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent). You can unsubscribe from the newsletter at any time via the unsubscribe link in each email or by notifying us.

3.5 Fraud Prevention and Security

To detect and prevent fraud, we process:

  • IP address
  • Order history
  • Payment data
  • Device information

Purpose: Protection against fraudulent activities, ensuring payment ability.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in fraud prevention and security).

4. Cookies and Tracking Technologies

We use cookies and similar technologies on our website. Cookies are small text files stored on your device.

4.1 Essential Cookies

These cookies are technically necessary for the operation of the website (e.g., shopping cart function, login).

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in website functionality).

4.2 Analytics and Marketing Cookies

With your consent, we use:

  • Google Analytics: Analysis of user behavior to improve our offering
  • Meta Pixel: Creation of custom audiences for Facebook/Instagram advertising
  • Shopify Analytics: Internal evaluation of shop performance

Legal basis: Art. 6 para. 1 lit. a GDPR (consent).

You can adjust your cookie settings at any time via the cookie banner or in your browser settings.

5. Recipients of Your Data

For contract fulfillment, we transfer your data to the following categories of recipients if necessary:

5.1 Shipping Service Providers

We transmit your address data to shipping service providers (e.g., DHL, DPD, GLS) for delivery of the goods.

5.2 Payment Service Providers

When paying via external service providers (PayPal, Klarna, credit card), we transmit the data required for payment processing to these providers.

5.3 Technical Service Providers

We use Shopify as our shop system. Shopify collects and processes customer data as part of order processing. Additional service providers may be used for hosting, email delivery and IT security.

5.4 Marketing Service Providers

For marketing purposes, data may be transmitted to Meta (Facebook/Instagram), Google or email marketing providers – only with appropriate consent.

6. Data Storage Duration

We store your personal data only for as long as necessary for the purposes for which it was collected, or for as long as legal retention periods apply.

  • Contract data: 10 years (tax retention)
  • Customer account: Until deletion of the account by you or after 2 years of inactivity
  • Correspondence: 3 years after conclusion of the matter
  • Newsletter consent: Until revocation of consent

7. Your Rights

As a data subject, you have the following rights:

7.1 Right of Access (Art. 15 GDPR)

You have the right to obtain information about your personal data stored by us at any time.

7.2 Right to Rectification (Art. 16 GDPR)

You have the right to request the correction of inaccurate or incomplete data.

7.3 Right to Erasure (Art. 17 GDPR)

You have the right to request the deletion of your personal data, provided no legal retention obligations prevent this.

7.4 Right to Restriction of Processing (Art. 18 GDPR)

Under certain circumstances, you can request the restriction of processing of your data.

7.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your data in a structured, commonly used and machine-readable format.

7.6 Right to Object (Art. 21 GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR.

For direct marketing (e.g., newsletters), you can object at any time without stating reasons.

7.7 Withdrawal of Consent (Art. 7 para. 3 GDPR)

You have the right to withdraw your consent at any time. The lawfulness of the processing carried out until withdrawal remains unaffected.

7.8 Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR.

Competent supervisory authority:
State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia
Kavalleriestraße 2-4
40213 Düsseldorf
Phone: 02 11/384 24-0
Email: poststelle@ldi.nrw.de

8. Data Transfer to Third Countries

Some of our service providers (e.g., Meta, Google, Shopify) are based in the USA or other third countries. When transferring data to these countries, we ensure an adequate level of data protection through suitable guarantees (e.g., EU Commission standard contractual clauses).

9. Data Security

We implement technical and organizational security measures to protect your data against manipulation, loss, destruction or unauthorized access. These include:

  • SSL/TLS encryption for data transmission
  • Firewall systems
  • Password protection for customer accounts
  • Access restrictions to personal data

10. Changes to This Privacy Policy

We reserve the right to amend this privacy policy as necessary to adapt it to changed legal situations or changes to our service and data processing. The current version is always available on this page.