Privacy and Data Protection

PRIVACY POLICY
Effective Date: 11 August 2025
Last Updated: 11 August 2025

This Privacy Policy explains how we at Niche Story UG (“we,” “our,” or “us”) collect, use, and protect your personal data when you visit our website or use our services.

You can always access the current version of this Privacy Policy online at https://stg-httpsnichestoryeu-xstoreup.kinsta.cloud/privacy-and-data-protection/.

1. Contact Information

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Niche Story UG
Franz Joseph Straße 11
80801 Munich, Germany

Commercial Register (HRB): 253020
Telephone: +49 (0) 89 20190986
Email: de@nichestory.eu

The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.

2. Data Protection Statement

General Information

This Privacy Statement explains how, to what extent, and for what purposes we process your personal data (“data”) in connection with our website and related online services, including content, features, and external profiles such as our social media accounts (collectively referred to as the “website”).

The terms “processing,” “controller,” and other definitions are used in accordance with Art. 4 of the General Data Protection Regulation (GDPR).

Types of Data Processed:
– Basic information (e.g., name, address)
– Contact details (e.g., email, phone number)
– Content data (e.g., text, photos, videos)
– Contractual data (e.g., orders, invoices)
– Payment data (e.g., bank details, payment history)
– Usage data (e.g., visited pages, access times)
– Metadata/communication data (e.g., device data, IP addresses)

Special Categories of Data (Art. 9 GDPR):
We do not process any special categories of personal data.

Categories of Data Subjects:
Customers, interested parties, business partners, and website visitors (collectively referred to as “users”).

Purpose of Processing:
– Operation and provision of the website and its functions
– Performance of contracts and customer service
– Response to inquiries and communication with users
– Marketing, advertising, and market research


3. Definition of Terms

Personal Data:
Any information relating to an identified or identifiable natural person (“data subject”). A person is identifiable if they can be recognized, directly or indirectly, through identifiers such as a name, ID number, location data, online identifier, or factors specific to their physical, mental, economic, cultural, or social identity.

Processing:
Any operation performed on personal data, whether automated or not, such as collection, storage, use, transfer, or deletion.

Controller:
The natural or legal person, public authority, or body that determines the purposes and means of data processing.

Processor:
A person or company that processes personal data on behalf of the controller under a written contract (Art. 28 GDPR).

Consent:
Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they agree to the processing of personal data.


4. Legal Basis for Processing

In accordance with Art. 13 GDPR, we inform you of the legal grounds on which we process personal data:

  • Art. 6(1)(a) GDPR – Processing based on your consent.
  • Art. 6(1)(b) GDPR – Processing necessary for the performance of a contract or pre-contractual measures.
  • Art. 6(1)(c) GDPR – Processing required to fulfill a legal obligation.
  • Art. 6(1)(d) GDPR – Processing necessary to protect vital interests.
  • Art. 6(1)(f) GDPR – Processing necessary for our legitimate interests, provided these are not overridden by your fundamental rights.

If we rely on your consent as a legal basis, you can withdraw it at any time with future effect.

Full text available at https://gdpr-info.eu


5. Updates to This Privacy Policy

We may update or revise this Privacy Policy from time to time to comply with legal requirements or reflect changes to our services.

The latest version, published on this page, applies to your visit.

If major changes require your renewed consent or significantly affect your rights, we will notify you directly by email or on our website.

We recommend reviewing this policy regularly to stay informed about how we protect your data.


6. Security Measures

We take data protection seriously and implement appropriate technical and organizational measures in accordance with Art. 32 GDPR.

These measures ensure the confidentiality, integrity, and availability of your personal data. They include:

  • Encryption of all data transmitted between your browser and our server (SSL/TLS).
  • Access controls and restricted authorization for internal staff.
  • Secure data storage and backup systems.
  • Regular monitoring and prevention of unauthorized access, loss, or alteration.

We also apply the principles of data protection by design and by default (Art. 25 GDPR), ensuring that privacy is considered from the start when selecting technologies and designing our systems.

7. General Information on Data Protection

We treat your personal data confidentially and in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

Our goal is to make this Privacy Policy clear and understandable for all users.

When you use our website, certain personal data is collected and processed to provide our services and improve functionality. This policy explains what data we collect, why we process it, and the legal basis for doing so.

Please note that data transmission over the internet (for example, by email) may have security vulnerabilities. Complete protection of data against unauthorized access by third parties is not possible.

8. Data Processing When Visiting Our Website

When you visit our website, your browser automatically sends certain information to our web server for technical reasons.

The following data is temporarily stored in server log files:

  • Visited domain and accessed pages
  • Date and time of access
  • Referring URL (the page from which you visited us)
  • Browser type and version, and operating system used
  • IP address of the requesting device
  • Access status (file delivered, file not found, etc.)
  • Amount of data transmitted

This data is processed to ensure stable website operation, system security, and optimization of our online services.

The legal basis for this processing is Art. 6(1)(f) GDPR, representing our legitimate interest in providing a technically secure and functional website.

Log files are automatically deleted or anonymized after a short retention period, once they are no longer needed for security or analysis purposes.

9. Communication by Email, Post, or Telephone

If you contact us by email, telephone, or post, we process the personal data you provide (such as name, contact details, and message content) to handle your inquiry or any follow-up communication.

The legal basis for processing is:

  • Art. 6(1)(b) GDPR if your inquiry relates to a contractual or pre-contractual matter, and
  • Art. 6(1)(f) GDPR for all other inquiries, based on our legitimate interest in responding to customer requests efficiently.

We will not share your data with third parties without your consent unless required by law.

Correspondence data is deleted once your inquiry has been fully resolved, unless legal retention obligations require longer storage.

Please note that email communication over the internet may have security vulnerabilities. If you prefer, you can contact us by post.


10. Disclosure and Transfer of Data

We only share your personal data with third parties when it is legally permitted and necessary for specific purposes, such as:

  • fulfilling a contract (e.g., sharing shipping details with delivery partners),
  • processing payments,
  • complying with legal obligations, or
  • protecting our legitimate interests (for example, using IT, accounting, or legal service providers).

Data shared with external service providers is handled strictly under data processing agreements (Art. 28 GDPR) to ensure GDPR compliance.

Transfers to third countries (outside the EU/EEA) occur only if necessary for contract fulfillment or when the recipient provides adequate safeguards under Art. 46 GDPR, such as EU Standard Contractual Clauses or participation in the EU–US Data Privacy Framework (DPF).

We do not sell or trade personal data under any circumstances.


11. Rights of Data Subjects

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

  • Right of Access (Art. 15 GDPR):
    You have the right to obtain confirmation of whether we process your personal data, and if so, to access that data and receive a copy.
  • Right to Rectification (Art. 16 GDPR):
    You may request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17 GDPR):
    You may request deletion of your data where legally permitted (“right to be forgotten”).
  • Right to Restriction of Processing (Art. 18 GDPR):
    You may request that we limit processing of your data in certain cases, for example during a dispute over accuracy.
  • Right to Data Portability (Art. 20 GDPR):
    You have the right to receive the data you provided to us in a structured, commonly used format and to have it transferred to another controller.
  • Right to Object (Art. 21 GDPR):
    You may object at any time to the processing of your data based on legitimate interests, including profiling or direct marketing.
  • Right to Withdraw Consent (Art. 7(3) GDPR):
    You may withdraw your consent at any time with future effect, without affecting the lawfulness of processing before withdrawal.
  • Right to Lodge a Complaint (Art. 77 GDPR):
    You have the right to file a complaint with a data protection supervisory authority, particularly in the EU member state of your habitual residence or where the alleged infringement occurred.

For Germany, you may contact:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 27, 91522 Ansbach, Germany
Website: https://www.lda.bayern.de

12. Cookies and Cookie Settings

Our website uses cookies and similar technologies to ensure proper functionality and to improve the user experience. Cookies are small text files that are stored on your device by your browser.

Types of Cookies:

  • Essential cookies: Required for core functions such as shopping cart, checkout, and language preferences.
  • Functional cookies: Improve usability and performance.
  • Analytics and marketing cookies: Used for visitor statistics and personalized advertising.

Legal Basis:

  • Essential cookies are stored based on Art. 6(1)(f) GDPR, as we have a legitimate interest in maintaining a secure and functional website.
  • All other cookies are used only with your explicit consent under Art. 6(1)(a) GDPR, which you can withdraw at any time with future effect.

Managing and Changing Cookie Settings:
You can grant or withdraw consent for non-essential cookies at any time by clicking the “Cookie Settings” button at the bottom left of our website.

Most browsers also allow you to manage cookies manually. You can configure your browser to:

  • be notified when cookies are set,
  • allow cookies only in individual cases,
  • refuse cookies entirely, or
  • delete cookies automatically when closing the browser.

You can also manage advertising-related cookies via:

Please note that disabling cookies may limit certain website functions. You can reopen the cookie banner at any time to change or withdraw your preferences via the icon at the bottom left of our website.


13. Order Processing in the Online Shop and Customer Accounts

13.1 Purpose of Processing

We process personal data of our customers and users to enable them to browse, select, purchase, and receive products offered in our online shop. This includes processing for payment, invoicing, shipping, and customer support.

13.2 Data Categories Processed

The following categories of data may be processed:

  • Identification and contact data (name, address, email, phone number)
  • Contractual and order data (products purchased, quantities, prices, order number)
  • Payment and billing data (payment method, transaction ID, billing address)
  • Usage data (login history, account activity)

13.3 Legal Basis

  • Art. 6(1)(b) GDPR – Processing necessary for the performance of a contract or pre-contractual measures.
  • Art. 6(1)(c) GDPR – Processing necessary to comply with legal obligations such as tax and commercial recordkeeping.
  • Art. 6(1)(f) GDPR – Processing necessary for our legitimate interest in preventing misuse and ensuring secure transactions.

13.4 Customer Accounts

Customers can create personal accounts to manage their orders and preferences.
Creating an account is voluntary. Required information is marked as mandatory during registration.

Customer accounts are protected by a password chosen by the user. You are responsible for keeping this password confidential. We recommend using a strong, unique password and changing it regularly to enhance account security.

You may delete your customer account at any time by contacting us at de@nichestory.eu.
After deletion, your data will be removed unless storage is required by legal or tax obligations.

13.5 Disclosure of Data to Third Parties

Data will only be shared with third parties where necessary for the performance of the contract or to comply with legal requirements.
Examples include:

  • Shipping and logistics providers (delivery of goods)
  • Payment service providers (processing transactions)
  • Accounting, legal, or tax advisors (statutory obligations)

All third parties process data under data processing agreements (Art. 28 GDPR) or as independent controllers under their own legal obligations.

13.6 Retention Periods

Data processed for contractual purposes is stored for the duration of the contractual relationship and deleted once no longer required.

Business and tax-related data are retained according to statutory requirements:

  • 6 years under §257(1) HGB (commercial documentation)
  • 10 years under §147(1) AO (tax-related documentation)

After expiry of these retention periods, data will be deleted automatically unless further storage is required for legal reasons (e.g., warranty or liability claims).

13.7 Security

All order and payment processes are transmitted via secure SSL/TLS encryption.
Access to customer accounts is restricted to authorized users only.

We take technical and organizational measures to ensure that your data is protected against loss, misuse, and unauthorized access in accordance with Art. 32 GDPR.

14. Transfer of Data to Payment Providers

14.1 General Information
For the purpose of payment processing and contract fulfillment, personal data is transmitted to the payment service provider selected during checkout.
The type of data transferred depends on the payment method you choose.
This may include name, billing address, email, payment information (bank details, credit card number, transaction ID), and order reference.

The legal basis for this processing is Art. 6(1)(b) GDPR (performance of a contract).
Transfers are made only to the extent necessary for payment processing.

If the payment provider carries out a credit check or fraud prevention measures, this is done based on Art. 6(1)(f) GDPR (legitimate interest in preventing fraud).
Each provider acts as an independent data controller for these activities.

14.2 PayPal
Payments made via PayPal, PayPal Credit, direct debit, or “Pay Later” options are processed by
PayPal (Europe) S.à r.l. et Cie, S.C.A.,
22–24 Boulevard Royal, L-2449 Luxembourg.

Your payment data is transferred to PayPal to process your payment.
If you use a PayPal account, PayPal may also perform credit checks.

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (fraud prevention).

Further information:
https://www.paypal.com/de/webapps/mpp/ua/privacy-full

14.3 Klarna
If you choose payment via Klarna (e.g., “Purchase on Account” or “Installment Purchase”), the payment is processed by
Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden.

To complete the transaction, personal data (name, address, date of birth, gender, email, phone number, IP address, order amount, and payment method) may be transmitted to Klarna for identity and credit checks.

Legal basis: Art. 6(1)(a) GDPR (explicit consent) and Art. 6(1)(b) GDPR (contract performance).

Details on credit agencies used by Klarna:
https://cdn.klarna.com/1.0/shared/content/legal/terms/0/en_gb/credit_rating_agencies

Klarna Privacy Policy:
https://www.klarna.com/de/datenschutz/

14.4 Stripe
For credit card payments, we use
Stripe Payments Europe, Ltd.,
C/O A&L Goodbody, Ifsc, North Wall Quay, Dublin 1, Ireland.

The following data is transferred to Stripe: name, address, payment information (e.g., credit card number, expiry date, CVC), transaction amount, currency, and IP address.

Legal basis: Art. 6(1)(b) GDPR.
Stripe acts as an independent controller for payment verification and fraud prevention under Art. 6(1)(f) GDPR.

Stripe Privacy Policy:
https://stripe.com/de/privacy

14.5 SEPA Direct Debit via Wise
For SEPA direct debit transactions, payment is processed by
Wise Europe SA, Rue du Trône 100/3, 1050 Brussels, Belgium.

Data transferred may include your name, IBAN, and payment reference.
Wise may conduct fraud prevention or identity verification checks.

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in secure payment handling).

Wise Privacy Policy:
https://wise.com/gb/legal/global-privacy-policy-en#chapter6

14.6 Mollie
Payments via Mollie B.V., Keizersgracht 313, 1016 EE Amsterdam, Netherlands, are processed depending on the payment method (e.g., iDEAL, Bancontact, Apple Pay, Giropay, SOFORT).

For each transaction, Mollie receives the data necessary to process the payment: name, email address, payment details, order amount, and IP address.

Legal basis: Art. 6(1)(b) GDPR.
Mollie acts as an independent controller for payment security and fraud prevention under Art. 6(1)(f) GDPR.

Mollie Privacy Policy:
https://www.mollie.com/en/privacy

 

15. Contact Form and Customer Service

15.1 Purpose of Processing
When you contact us via the contact form on our website or by email, the data you provide is collected and processed solely for the purpose of responding to your inquiry and managing any related correspondence.

15.2 Data Categories
We may process the following information:

  • Name and contact details (email address, phone number if provided)
  • Message content and any attachments
  • Technical metadata (date, time, IP address, browser information)

15.3 Legal Basis

  • Art. 6(1)(b) GDPR – if the inquiry relates to a contract or pre-contractual communication.
  • Art. 6(1)(f) GDPR – based on our legitimate interest in effectively handling customer inquiries.

15.4 Data Retention
We store inquiries only as long as necessary to process them.
If a customer relationship exists, the communication may be archived for record-keeping purposes.
Emails subject to legal retention (e.g., accounting correspondence) are stored for up to 6 years in accordance with §257 HGB and §147 AO.
All other messages are deleted after the inquiry has been resolved.

15.5 Security and Third-Party Access
All form submissions are transmitted using SSL/TLS encryption.
We do not share data from contact forms or customer service emails with third parties, unless required by law or necessary to fulfill your request (for example, forwarding a warranty inquiry to a manufacturer).

15.6 Communication via WhatsApp (if applicable)
If you contact us via WhatsApp, communication occurs through
WhatsApp Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Please note that WhatsApp stores messages on servers outside the EU (including the USA).
We recommend not sharing sensitive or financial information via WhatsApp.
Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(f) GDPR (legitimate interest in fast communication).
WhatsApp Privacy Policy:
https://www.whatsapp.com/legal/privacy-policy-eea

 

16. Customer Reviews via Trustpilot and Trusted Shops

16.1 Purpose of Processing
After completing an order, we may invite you to leave a review of your shopping experience using independent review platforms such as Trustpilot and Trusted Shops.
This helps us ensure transparency and continuously improve our service quality.

We only transmit your personal data (e.g., name, email address, order reference) to these providers if you have explicitly consented to receiving a review request under Art. 6(1)(a) GDPR.

 

16.2 Trustpilot
We use the services of
Trustpilot A/S, Pilestræde 58, 5th floor, 1112 Copenhagen, Denmark.

If you consent to a review request, your name, email address, and reference number may be transmitted to Trustpilot to verify the authenticity of your review.
You will then receive an email invitation from Trustpilot to leave feedback.

Trustpilot acts as an independent controller under Art. 4(7) GDPR.
We have concluded a Data Processing Agreement (Art. 28 GDPR) with Trustpilot for embedded widgets and on-site integrations.

Trustpilot’s Privacy Policy:
https://de.legal.trustpilot.com/end-user-privacy-terms

You may request deletion or anonymization of your review directly from Trustpilot or withdraw your consent by contacting us.

 

16.3 Trusted Shops
We also use the services of
Trusted Shops GmbH, Subbelrather Str. 15c, 50823 Cologne, Germany.

If you give your explicit consent during or after your order, your email address and order number will be transferred to Trusted Shops to send you a one-time review invitation.

Legal basis: Art. 6(1)(a) GDPR (consent).
You can revoke your consent at any time with future effect by contacting us or Trusted Shops directly.

Trusted Shops acts as an independent controller for customer reviews.
We have entered into a Data Processing Agreement (Art. 28 GDPR) to ensure GDPR compliance for all integrations (e.g., review widgets or badges).

Trusted Shops Privacy Policy:
https://www.trustedshops.com/tsdocument/TS_UB_EN.pdf

 

16.4 Data Retention and Deletion
Review invitations are sent only once per transaction.
If you do not respond, your email address is deleted from the review platform’s system after 30 days.
If you publish a review, it remains visible until you delete it or request removal from the review provider.

 


17. Newsletter and Promotional Emails

17.1 Purpose of Processing
We offer newsletters and promotional emails to inform you about new products, special offers, and updates about our company.
Newsletters are sent only after you have provided explicit consent in accordance with Art. 6(1)(a) GDPR and §7(2) No. 3 UWG (German Act Against Unfair Competition).

You can subscribe to the newsletter via our website by providing your email address and confirming your subscription through the double opt-in process.
This means you will receive an email asking you to confirm your subscription.
Your consent is logged to provide legal proof of registration.

 

17.2 Data Categories and Processing
To send the newsletter, we process your:

  • Email address
  • Name (optional, for personalized addressing)
  • Date and time of registration and confirmation
  • IP address used during subscription and confirmation

We use this data exclusively for sending newsletters and related performance analysis.

 

17.3 Legal Basis

  • Art. 6(1)(a) GDPR – consent to receive marketing emails
  • Art. 6(1)(f) GDPR – legitimate interest in analyzing newsletter performance and improving communication

You may withdraw your consent at any time with future effect by using the unsubscribe link at the bottom of each email.

 

17.4 Service Provider (Email Platform)
Our newsletters are sent through
Intuit Inc., represented in the EU by Intuit France SAS, 7 Rue de la Paix, 75002 Paris, France.
Data is stored and processed in accordance with GDPR requirements under a Data Processing Agreement (Art. 28 GDPR).

Intuit’s Privacy Policy:
https://quickbooks.intuit.com/eu/gdpr/

 

17.5 Tracking and Performance Analysis
Our newsletters contain a tracking pixel (“web beacon”) that allows us to measure open rates, link clicks, and overall performance.
This helps us understand which topics are most relevant to our readers and improve our communication.
Statistical data is analyzed anonymously, and no individual user behavior is monitored.

Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(f) GDPR (legitimate interest in improving communication).

 

17.6 Data Retention
Your data will be stored as long as you are subscribed to the newsletter.
After unsubscribing, your data will be deleted or anonymized unless retention is required for legal reasons (for example, proof of prior consent under Art. 7(1) GDPR).

 

17.7 Withdrawal of Consent
You can unsubscribe from the newsletter at any time using the “Unsubscribe” link included in each email.
You may also contact us directly at de@nichestory.eu to withdraw your consent.
Unsubscribing automatically stops further data processing for newsletter purposes.


18. Business Analysis and Market Research

18.1 Purpose of Processing
We analyze transactional, behavioral, and demographic data to understand customer preferences, improve our product range, and enhance the usability and performance of our online shop.
This analysis also helps us identify market trends, optimize marketing campaigns, and ensure long-term business development.

 

18.2 Data Categories Processed
The following types of data may be used for analysis:

  • Basic and contact data (if available)
  • Order and transaction data (purchases, amounts, frequency, payment methods)
  • Usage data (visited pages, interaction with product categories, session duration)
  • Metadata (IP address, device type, browser information, location approximation)

Data is analyzed only in pseudonymized or aggregated form whenever possible.

 

18.3 Legal Basis
Processing is based on our legitimate interests under Art. 6(1)(f) GDPR in improving our business operations, understanding customer behavior, and maintaining economic sustainability.
We ensure that our legitimate interests do not override your fundamental rights and freedoms.

If we use cookies or analytics tools for this purpose, processing is done only with your consent under Art. 6(1)(a) GDPR in accordance with §25 TTDSG.

 

18.4 Recipients and Access
Data is processed internally by authorized staff or external service providers under a Data Processing Agreement (Art. 28 GDPR).
These include analytics providers, IT service companies, and marketing agencies that support our business analysis.
Personal data is never sold or disclosed to unauthorized third parties.

 

18.5 Data Retention
Analysis data related to customer activity is retained as long as it is relevant for the business purpose and deleted or anonymized once no longer needed.
Contractual and accounting data are retained according to statutory requirements (§257 HGB, §147 AO).

 

18.6 Your Rights
You have the right to object at any time to the processing of your data for analysis or marketing purposes under Art. 21 GDPR.
To exercise this right, please contact us at
de@nichestory.eu.

19. Web Analytics and Advertising Tracking

19.1 General Information
We use web analytics and advertising tools to understand how visitors use our website, improve user experience, and display relevant offers.
All tracking tools are activated only after you give explicit consent through our cookie banner in accordance with Art. 6(1)(a) GDPR and §25 TTDSG.
You can withdraw your consent at any time via the Cookie Settings button at the bottom of the website.

 

19.2 Google Analytics
This website uses Google Analytics, a web analysis service provided by
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses cookies to analyze website usage. The information collected (including your IP address) may be transmitted to Google servers in the USA.
We use Google Analytics with IP anonymization enabled, ensuring that your IP address is shortened within the EU or EEA before transmission.

Data processing is based on your consent under Art. 6(1)(a) GDPR.
Google acts as our processor under a Data Processing Agreement (Art. 28 GDPR).

We have agreed on Standard Contractual Clauses (Art. 46 GDPR) with Google to ensure adequate protection of data transferred to the USA.

Google Privacy Policy:
https://policies.google.com/privacy
Opt-Out Plugin:
https://tools.google.com/dlpage/gaoptout

 

19.3 Google Tag Manager
We use Google Tag Manager, a service provided by Google Ireland Limited, to manage website tags efficiently.
The Tag Manager itself does not collect personal data but may trigger other tracking tags that do.
Data processing is based on your consent under Art. 6(1)(a) GDPR.

 

19.4 Google Marketing and Remarketing Services
Our website uses various Google marketing tools, including Google Ads Remarketing and Google Ads Conversion Tracking, to show relevant ads to users who have previously visited our site.

These services may use cookies and similar technologies to track user interactions.
If personal data is transferred to the USA, it is protected by Standard Contractual Clauses (Art. 46 GDPR).

Legal basis: Art. 6(1)(a) GDPR (consent).
You can adjust ad personalization at:
https://adssettings.google.com

 

19.5 Meta (Facebook) Pixel
We use the Meta Pixel (Facebook Pixel) provided by
Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

This allows us to measure conversions from Facebook ads and show relevant ads to users who have visited our website.
If you are logged in to Facebook, Meta may associate this data with your user profile.

Legal basis: Art. 6(1)(a) GDPR (consent).
We have entered into Standard Contractual Clauses (Art. 46 GDPR) with Meta for transfers to the USA.

Facebook Data Policy:
https://www.facebook.com/privacy/policy

You can adjust your ad settings at:
https://www.facebook.com/adpreferences/ad_settings

 

19.6 Uptain Plugin
We use a JavaScript plugin from
uptain GmbH, Stephanstraße 25, 20549 Hamburg, Germany,
to analyze user behavior and improve customer interaction, for example by showing reminders for abandoned carts or offering help pop-ups.

The plugin collects pseudonymized behavioral data (e.g., cursor movement, pages visited, session duration).
Data is processed solely within Germany and not shared with third parties.

Legal basis: Art. 6(1)(f) GDPR, representing our legitimate interest in optimizing sales processes and customer communication.
Uptain acts as a processor (Art. 28 GDPR).

You can deactivate Uptain tracking at any time via:
https://www.stg-httpsnichestoryeu-xstoreup.kinsta.cloud/privacy?__up_tracking_unsubscribe

Uptain Privacy Policy:
https://www.uptain.de/en/privacy

20. Social Media Integration and Presence

20.1 Social Media Links
Our website contains links to our official pages on social media platforms such as Facebook, Instagram, YouTube, Pinterest, and WhatsApp.
These links are simple hyperlinks.
When you click on them, you are redirected to the respective provider’s website, where that provider’s privacy policy applies.
No data is transmitted to social networks before you click the link.

 

20.2 Legal Basis
The integration of social media links is based on our legitimate interest under Art. 6(1)(f) GDPR in promoting our online presence and enabling communication with customers.
You can object to this processing at any time by not clicking the respective links.

20.3 Our Social Media Accounts
We maintain official company pages (fan pages) on various social media platforms to communicate with customers, partners, and interested users.
When you visit our profiles, data may be collected directly by the respective platform operators for market research and advertising purposes.
Usage profiles can be created from this data, even if you are not logged in.
These profiles are used to deliver personalized ads.

Legal basis: Art. 6(1)(f) GDPR, representing our legitimate interest in effective communication and public relations.
If you are asked by the platform for consent (e.g., via a checkbox), processing is based on Art. 6(1)(a) GDPR.

20.4 Joint Responsibility (Facebook Fan Page)
For our Facebook page, data processing is carried out under joint responsibility with
Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland,
in accordance with Art. 26 GDPR (Controller Addendum).

Meta provides us with anonymized “Page Insights” about visitor interactions.
We have no direct access to individual user data.

You can read the joint controller agreement here:
https://www.facebook.com/legal/controller_addendum
Facebook Privacy Policy:
https://www.facebook.com/privacy/policy

If personal data is transferred to the USA, it is protected under the EU–US Data Privacy Framework (DPF) and Standard Contractual Clauses (Art. 46 GDPR).

20.5 Data Processing by Social Media Providers
Each provider acts as an independent controller for data collected on its platform.
For information about data processing and your rights, please refer to the providers’ privacy policies:

20.6 Communication via Social Media
If you send us messages or inquiries through social media platforms, we process the data you provide (e.g., username, profile link, message content) to respond to your request.
Legal basis: Art. 6(1)(b) GDPR (contractual communication) or Art. 6(1)(f) GDPR (legitimate interest in handling inquiries).
Your messages are deleted once your inquiry has been fully resolved, unless statutory retention obligations apply.

20.7 Data Transfers and Safeguards
Where social media platforms transfer data to countries outside the EU or EEA, such transfers are safeguarded through Standard Contractual Clauses (Art. 46 GDPR) or participation in the EU–US Data Privacy Framework (DPF).
Further information can be found in each provider’s privacy policy.


21. Embedded Third-Party Services and Content

21.1 Purpose of Processing
Our website integrates third-party services and content, such as videos, maps, and fonts, to enhance usability and improve the visual experience.
This may include services provided by Google, YouTube, or other external platforms.
These integrations require the providers to process your IP address, as this is necessary for delivering the content to your browser.

Legal basis: Art. 6(1)(a) GDPR (consent) when the service requires activation via our cookie banner, or Art. 6(1)(f) GDPR (legitimate interest) for essential technical integrations.

You can withdraw or modify your consent at any time via the Cookie Settings button.

21.2 Google Fonts
Our website uses Google Fonts, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to display fonts consistently across all browsers.
Google Fonts are hosted locally on our server whenever possible to avoid unnecessary data transfer to Google servers.
When remote loading is required, your IP address and browser information may be transmitted to Google.

Legal basis: Art. 6(1)(f) GDPR, representing our legitimate interest in providing a uniform and visually optimized website.

Google Privacy Policy:
https://policies.google.com/privacy

21.3 YouTube Videos
We embed videos from YouTube, operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
To protect your privacy, we use YouTube’s extended data protection mode, ensuring that no cookies are placed until you play the video.

When playback starts, YouTube receives information about which of our pages you visited and may link this data to your Google account if you are logged in.

Legal basis: Art. 6(1)(a) GDPR (consent).

You can prevent YouTube from associating your visit with your Google account by logging out before playing the video.

Google Privacy Policy:
https://policies.google.com/privacy

21.4 Google Maps
We may embed Google Maps to display interactive location maps.
When you view a map, your IP address and browser information are transmitted to Google Ireland Limited.
This may involve data transfer to Google servers in the USA, safeguarded through Standard Contractual Clauses (Art. 46 GDPR).

Legal basis: Art. 6(1)(a) GDPR (consent).

Google Privacy Policy:
https://policies.google.com/privacy

21.5 Other External Elements (e.g., Widgets, APIs)
Occasionally, our website may include additional external widgets, APIs, or interactive plugins (for example, Instagram feeds or Trustpilot badges).
Such elements always require a connection to the respective provider’s servers.
The provider receives at least your IP address to display the content.

Where consent is required (e.g., marketing or tracking cookies), the integration occurs only after you have accepted it via our cookie banner.

Legal basis: Art. 6(1)(a) GDPR or Art. 6(1)(f) GDPR depending on the tool’s necessity and function.

21.6 Data Safeguards and Transfers
Whenever third-party providers are located outside the EU or EEA, data transfers are carried out under Standard Contractual Clauses (Art. 46 GDPR) or within the EU–US Data Privacy Framework (DPF) to ensure adequate protection.

22. Hosting, Content Delivery, and Security (Cloudflare)

22.1 Hosting Provider (Kinsta)
Our website is hosted by Kinsta Ltd., headquartered in Dublin, Ireland.
Kinsta processes technical server data such as IP addresses, browser type, access time, and URL requests to ensure stability, performance, and system security.

Legal basis: Art. 6(1)(f) GDPR, representing our legitimate interest in maintaining a reliable and secure website.
We have entered into a Data Processing Agreement (Art. 28 GDPR) with Kinsta.

Kinsta Privacy Policy:
https://kinsta.com/privacy-policy/

22.2 Content Delivery Network and Web Security (Cloudflare)
To enhance loading speed and protect our website from malicious traffic (e.g., DDoS attacks or spam bots), we use the Content Delivery Network (CDN) and security services provided by
Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA.

When you visit our website, your browser communicates with Cloudflare’s global network of servers.
This may involve the temporary processing of your IP address, device information, and access time to filter harmful traffic and optimize delivery speed.

Legal basis: Art. 6(1)(f) GDPR, representing our legitimate interest in maintaining a fast and secure online service.

Cloudflare acts as a processor under Art. 28 GDPR.
We have concluded a Data Processing Agreement with Cloudflare.

Cloudflare participates in the EU–US Data Privacy Framework (DPF), ensuring compliance with European data protection standards for any data transfers to the USA.

Cloudflare Privacy Policy:
https://www.cloudflare.com/privacypolicy/

22.3 Data Retention and Deletion
Cloudflare retains logs only for as long as necessary to detect and mitigate security threats, typically a few hours to a few days.
Data is automatically deleted or anonymized once no longer required for operational purposes.

22.4 No Automated Profiling or Tracking
Cloudflare does not use the transmitted data to analyze user behavior, build profiles, or serve advertising.
The data processing is strictly limited to website protection, optimization, and error prevention.

23. Final Provisions

23.1 External Links
Our website may contain links to third-party websites.
We have no control over the content or data protection practices of these external sites.
We recommend that you review the respective privacy policies of any linked websites before providing personal data.
We are not responsible for the content or accuracy of third-party pages.

23.2 Legal Obligations and Contractual Requirements
Providing your personal data is voluntary.
However, some data is necessary for the conclusion or performance of a contract (for example, order processing or delivery).
Without this information, we may be unable to fulfill contractual obligations.
The legal basis for this processing is Art. 6(1)(b) GDPR.

23.3 Automated Decision-Making
We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR that produces legal effects or similarly significantly affects you.

23.4 Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy in order to comply with updated legal requirements or reflect changes to our services.
The current version published on this page applies to your visit.
If significant changes affect your rights or require renewed consent, we will notify you in advance.

23.5 Contact Information
If you have any questions regarding the collection, processing, or use of your personal data, or if you wish to exercise your rights (access, correction, deletion, restriction, objection, or data portability), please contact us at:

Niche Story UG
Franz Joseph Straße 11
80801 Munich, Germany
Email: de@nichestory.eu
Telephone: +49 (0) 89 20190986

© 2025 Niche Story UG – All rights reserved.