1) Controller
Klaviyo Bikes
Merienber Strasse 36
83022 Rosenheim, Germany
Phone: +49 (0)8031 000000
Email: info@klaviyo.org
Data Protection Contact (DPO/Privacy Contact):
Email: datenschutz@klaviyo.org
Postal: Merienber Strasse 36, 83022 Rosenheim, Germany
2) Scope
This policy explains how we process personal data when you visit https://www.klaviyo.org, purchase products, contact us, or subscribe to communications.
3) Categories of data we process
- Identification & contact: name, address, email, phone (if provided).
- Order & account: cart contents, delivery details, chosen payment/shipping method, order IDs, customer IDs.
- Support & forms: message content, consent, metadata (time, IP), attachments (if any).
- Technical: IP (shortened where possible), device/browser info, cookies/identifiers, log data.
- Marketing (optional): newsletter preferences, campaign interactions.
We aim to minimise PII and—where feasible—store pseudonymised values (e.g., hashed emails) in analytics/warehouse systems.
4) Purposes & legal bases (Art. 6 GDPR)
- Contract & pre-contract (Art. 6(1)(b)): order handling, delivery, returns, customer service, account creation (optional).
- Legal obligations (Art. 6(1)(c)): tax/commercial retention (esp. §§ 147 AO, 257 HGB), warranty handling.
- Consent (Art. 6(1)(a)): cookies beyond essential, analytics, marketing emails, embedded maps/videos. You can withdraw consent at any time with future effect.
- Legitimate interests (Art. 6(1)(f)): site security, fraud prevention, basic web operations, internal reporting (balanced against your interests).
5) Sources
We receive data directly from you (checkout, forms, emails) and indirectly via your device (cookies, logs, analytics if you consent).
6) Recipients / processors
We share data only as necessary:
- Payment services (separate controllers):
  - PayPal: transactions are subject to PayPal’s own privacy policy (see paypal.com).
  - Klarna: transactions are subject to Klarna’s privacy policy (see klarna.com).
- Shipping/fulfilment: postal and logistics providers.
- Hosting & IT: EU-based hosting for the website; Google Cloud BigQuery (EU region) for data warehousing; Make.com (Integromat) as integration processor for automated transfers.
- Analytics/marketing (if consented): Google Analytics / Google Ads.
- Support tools: email providers and form plugins (e.g., WordPress plugins).
With processors, we conclude Data Processing Agreements (DPAs) and apply EU Standard Contractual Clauses where required.
7) International transfers
Where services involve providers outside the EU/EEA (e.g., Google LLC, USA), we rely on appropriate safeguards (e.g., Standard Contractual Clauses) and minimise personal data. Some services provide EU processing by default (e.g., GA4 EU data regions; BigQuery dataset set to EU).
8) Retention
- Orders & invoices: up to 10 years (tax/commercial law).
- Customer accounts: until deletion or inactivity per our housekeeping rules.
- Pre-contract queries: deleted once resolved unless they lead to a contract or statutory duties apply.
- Newsletter: until you unsubscribe (proof of consent retained for limitation periods).
- Logs/analytics: per tool settings; GA4 default lookback can be set (e.g., 14 months).
After expiry, data is deleted or anonymised.
9) Cookies & similar technologies
We use essential cookies to operate the site (e.g., cart, login). Non-essential cookies (analytics/marketing) are used only with your consent via the cookie banner, where you can change settings anytime. You can also clear cookies in your browser; doing so may limit functionality.
Examples (may vary by setup):
- Essential session IDs (expire at session end)
- Preference cookies (language, consent state)
- Analytics/Ads cookies only if consented
10) Analytics (optional – if enabled via consent)
With your consent, we use Google Analytics (Google Ireland Limited). IP anonymisation is active; data may be processed outside the EU with safeguards. Purpose: usage statistics, site improvement, aggregated reporting. You can withdraw consent at any time in the cookie settings and/or clear cookies. Typical retention can be configured (e.g., 14 months).
Google Ads Conversion Tracking (optional, with consent): helps measure ad effectiveness. Cookies typically expire after ~30 days.
11) Embedded services (optional)
- Google Maps (with consent): when you activate the map, your browser connects to Google and transmits data (see Google’s privacy policy). If you do not wish this, do not activate the map.
- Videos/social embeds (with consent): may set third-party cookies when played/loaded.
12) Newsletter (optional)
If you subscribe, we process your email for periodic updates (approx. 1–2 per month). Legal basis: consent (Art. 6(1)(a)). You can unsubscribe at any time via the link in emails; revocation does not affect past lawful processing.
13) Security
We use technical and organisational measures (TLS/HTTPS, access controls, minimisation) appropriate to risk to protect your data against loss, misuse, or unauthorised access.
14) Your rights (Arts. 15–21 GDPR)
You have the right of access, rectification, erasure, restriction, and data portability, and the right to object to processing based on Art. 6(1)(e) or (f). Where processing is based on consent, you can withdraw it at any time with future effect. To exercise rights, contact info@klaviyo.org or datenschutz@klaviyo.org.
Supervisory authority (commonly competent):
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
Phone: +49 (0)981 180093-0
Email: poststelle@lda.bayern.de
15) Children
Our services are intended for adults. We do not knowingly collect data from children without parental consent where required.
16) Changes to this policy
We may update this policy to reflect legal, technical, or business developments. The current version is published here.
Last updated: 24 Aug 2025