Privacy Policy

This privacy policy informs you about the nature, scope and purpose of the processing of personal data when you visit kuudu.de and when you place orders through our online shop. Authoritative regulations include in particular the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications-Digital-Services Data Protection Act (TDDDG).

The legally binding version of this privacy policy is the German Datenschutzerklärung. This English version is provided for your convenience.

1. Data controller

The controller responsible for the processing of personal data on this website is:

KUUDU GbR Henning Lüke & Dominik Siemon Röhrenstraße 5 14480 Potsdam Germany

Phone: +49 176 64162528 Email: info@kuudu.de

We have not appointed a data protection officer as the statutory requirements (e.g. company size or type of processing) do not apply.

2. Your rights

You have the following rights at any time:

• Right of access to your data (Art. 15 GDPR)
• Right to rectification of incorrect data (Art. 16 GDPR)
• Right to erasure ("right to be forgotten", Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability in a structured, commonly used format (Art. 20 GDPR)
• Right to object to processing (Art. 21 GDPR), in particular against direct marketing and profiling
• Right to withdraw consent with effect for the future (Art. 7 (3) GDPR)

To exercise your rights, please contact info@kuudu.de.

You also have the right to lodge a complaint with a data protection authority. The authority responsible for us is the State Commissioner for Data Protection Brandenburg (Stahnsdorfer Damm 77, 14532 Kleinmachnow, www.lda.brandenburg.de).

3. General principles

We generally process personal data only to the extent necessary to provide a functional website and our content and services. Processing only takes place with your consent or where a legal basis (Art. 6 GDPR) permits it.

Consent: Art. 6 (1) (a) GDPR. Contract performance: Art. 6 (1) (b) GDPR. Legal obligation: Art. 6 (1) (c) GDPR. Legitimate interests: Art. 6 (1) (f) GDPR.

4. Server log files

When you access our website, our hosting provider automatically collects information transmitted by your browser:

• IP address (truncated / hashed)
• date and time of the request
• time-zone difference to GMT
• content of the request (specific page)
• HTTP status code
• transferred data volume
• referrer URL
• user agent (browser, operating system)

Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in a technically error-free and secure website).

Retention: Log files are deleted after a maximum of 30 days. No merging with other data sources takes place.

5. Hosting and provision

Our website is hosted by:

• Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA, for the frontend (Next.js storefront)
• Shopify International Limited, 2nd Floor Victoria Buildings, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland, for shop functions, checkout, payment, order processing

Vercel and Shopify process the data on our behalf (Art. 28 GDPR).

Third-country transfers (USA): Where data is transferred to the USA (Vercel, Shopify sub-processors), this is based on the EU Commission's Standard Contractual Clauses and/or the EU-U.S. Data Privacy Framework.

6. Order processing

When you place an order, we process the following data:

• first and last name
• delivery and billing address
• email address
• phone number (for delivery enquiries)
• order details (products, configurator snapshots, prices)
• payment data (via the respective payment service provider)
• IP address at the time of order (fraud prevention)

Legal basis: Art. 6 (1) (b) GDPR (contract performance).

Recipients:

• Shopify (shop platform, checkout)
• Shipping carrier: DHL (Deutsche Post AG / DHL Group, Charles-de-Gaulle-Straße 20, 53113 Bonn, Germany)
• Payment service providers: depending on selected method (Shopify Payments, PayPal, Klarna, SOFORT, etc.). Details shown at checkout
• Tax advisors and tax authorities for fulfilment of statutory retention and reporting obligations

Retention: Order data is retained for at least 10 years (§ 147 AO, § 257 HGB German tax/commercial codes).

7. Customer account

You can optionally create a customer account. We store your contact data, delivery/billing addresses and order history to simplify future orders.

Legal basis: Art. 6 (1) (b) GDPR. Authentication runs through the Shopify Customer Account API. You can delete your account at any time, or ask us to delete it by email.

8. Configurator data

When you use the configurator on a product page or partner landing page, we temporarily store your configuration locally in your browser (localStorage) and in the URL (query parameter ?c=). Data is only transmitted to us when you add the configuration to the cart, send a request, or share a partner link.

When you complete an order, the configuration is stored as part of the order in our ERP system (kuudu-os) and is subject to the same retention periods.

Legal basis: Art. 6 (1) (b) GDPR.

9. Pro Tier (B2B partners)

For our Pro Tier (architects, interior designers, furniture trade) we additionally process company name, address, VAT ID, field of activity, employee count, and verification documents. This data is stored in our ERP system (kuudu-os, hosted on Neon, EU region) and used exclusively for verifying Pro status and for contract performance.

Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures), where voluntary Art. 6 (1) (a) GDPR (consent via the DPA checkbox on the apply form).

10. Contact

When you contact us by email, your information is stored to process the enquiry and any follow-up questions.

Legal basis: Art. 6 (1) (b) and (f) GDPR.

11. Newsletter

We send newsletters only with your consent (double opt-in). At sign-up we store your email address, the time of sign-up and confirmation, and the IP address used.

Service provider: Klaviyo Inc., 125 Summer St, 6th Floor, Boston, MA 02110, USA, as processor (Art. 28 GDPR). Data is transferred to the USA (Standard Contractual Clauses + EU-U.S. Data Privacy Framework).

Legal basis: Art. 6 (1) (a) GDPR. You can unsubscribe at any time via the link in every email or by writing to info@kuudu.de.

12. Cookies and tracking

We use cookies and similar technologies (LocalStorage, SessionStorage).

Strictly necessary cookies (e.g. cart, locale, login session) are used without consent under § 25 (2) TDDDG and Art. 6 (1) (f) GDPR.

Optional cookies (analytics, marketing) are only set after your active consent via our consent banner. Legal basis: § 25 (1) TDDDG, Art. 6 (1) (a) GDPR.

Optional services (only with consent):

• Google Analytics 4 (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland): reach measurement, IP anonymisation enabled. Data may be transferred to the USA (Standard Contractual Clauses).
• Klaviyo tracking (see newsletter section): browser identification for personalised emails, if consented.

You can adjust or withdraw your cookie settings at any time (link in the footer / cookie settings).

13. Social media

We link to our profiles on social networks (e.g. Instagram, Pinterest). When you click an icon you are redirected to the external platform; data is only transmitted at that point. Please refer to the privacy notices of the respective provider.

14. Data security

We take technical and organisational measures to protect your data against loss, manipulation and unauthorised access, in particular: TLS encryption (HTTPS) for the entire site, access controls, regular security updates and backups.

15. Changes to this privacy policy

We reserve the right to adapt this privacy policy to ensure it always complies with current legal requirements or to reflect changes to our services. The current version applies for each visit.

Last updated: May 2026