
Sadplants.fun
Opening soon
Behind this veil, a new collection is being prepared. Each piece is a living narrative, a bespoke treasure of ephemeral beauty, designed to grow with its possessor.
About
Your plants have secrets to share. Soon, you'll be able to listen. And you won't be the only one
Privacy Policy
Last Updated: October 30, 2025
Effective Date: October 30, 2025
1. Introduction and Data Controller
Sadplants.fun (operated by Fortify Top Business Solutions UG (haftungsbeschränkt)) operates this website and store, including all related information, content, features, tools, products, and services (the "Services"). This Privacy Policy describes how we collect, use, disclose, and process your personal information in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the German Telecommunications and Telemedia Data Protection Act (TTDSG), and other applicable German and EU data protection laws.
By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.
For the purposes of applicable data protection laws, Sadplants.fun is the data controller responsible for your personal information.
2. Data Protection Officer
As a business processing personal data on a large scale, we have appointed a Data Protection Officer:
Data Protection Officer Contact:
Name: Michiel Top
Email: michiel.top@gmail.com
Phone: +491712084868
Address: Hauptstraße 70, 12159 Berlin, Germany
You may contact our DPO with any data protection questions or concerns. You have the right to lodge a complaint with the DPO at any time.
3. Types of Personal Information We Collect
Depending on how you interact with our Services, we may collect the following categories of personal information:
3.1 Information You Provide Directly
- Account Information: Name, email address, username, password, date of birth, security questions and answers, account preferences and settings
- Contact Details: Billing address, shipping address, telephone number, email address
- Payment Information: Credit card or debit card numbers, payment card expiration dates, billing address, payment confirmation details, financial account information, and transaction history
- Communications: Content of emails, messages, or customer support inquiries you send us
- Feedback and Reviews: Product reviews, ratings, testimonials, suggestions, and other feedback
- Wishlist and Preference Data: Items you bookmark, add to cart, add to wishlist, or express interest in
3.2 Information Collected Automatically
- Device Information: Device type, operating system, unique device identifiers, device settings
- Network and Connection Data: IP address, browser type, browser language, pages visited, referral source, date and time stamps
- Usage Information: How and when you access or interact with our Services, features used, content viewed, searches performed, links clicked
- Location Information: Approximate geographic location based on IP address (not precise GPS location unless you opt-in)
- Cookies and Similar Technologies: Information stored via cookies, pixels, web beacons, local storage, and similar tracking technologies
3.3 Information from Third Parties
- Service Providers: Payment processors, shipping carriers, fulfillment partners, analytics providers
- Business Partners: Marketing partners, social media platforms when you use social login
- Publicly Available Sources: Public records, regulatory databases (for fraud prevention and verification)
- Other Users: Information other users provide about you (e.g., referral programs, gift purchases)
4. Sources of Personal Information
We collect personal information from the following sources:
- Directly from you: Account creation, purchases, communications, form submissions
- Automatically: Cookies, pixels, device information during site visits and transactions
- Service providers and processors: Payment processors, logistics partners, hosting providers
- Business partners: Marketing partners, social networks when you use social login
- Publicly available sources: For fraud prevention and compliance verification
5. Legal Basis for Data Processing
We process your personal information based on the following legal bases under GDPR Article 6(1):
5.1 Contractual Necessity (Art. 6(1)(b))
- To enter into and perform our contract with you
- To process your orders, payments, and shipments
- To provide customer support
- To manage returns and exchanges
- To verify your identity
5.2 Legal Compliance (Art. 6(1)(c))
- To comply with German tax law (§257 HGB, §90 AO)
- To comply with anti-money laundering and fraud prevention regulations
- To comply with consumer protection laws
- To respond to legal requests from law enforcement or government agencies
- To investigate and defend against legal claims
5.3 Legitimate Interests (Art. 6(1)(f))
We process your data to pursue our legitimate business interests, which we have balanced against your privacy rights:
- To improve, personalize, and optimize our Services
- To prevent fraud and unauthorized access
- To maintain website security and functionality
- To analyze usage patterns and business analytics
- To detect and resolve technical issues
- To enforce our Terms of Service
- For marketing and business development purposes (when not requiring separate consent)
5.4 Consent (Art. 6(1)(a))
For processing that requires your explicit consent, we obtain it separately:
- Marketing communications (email, SMS, push notifications)
- Non-essential cookies and tracking
- Behavioral profiling and personalized advertising
- Additional data processing beyond operational necessity
You may withdraw consent at any time. Withdrawal does not affect processing already completed based on prior consent.
6. How We Use Your Personal Information
We use your personal information for the following purposes:
6.1 Providing and Operating Services
- Creating and managing your account
- Processing purchases, payments, and transactions
- Arranging shipping and delivery
- Fulfilling, processing, and managing returns and exchanges
- Providing customer support and responding to inquiries
- Sending transactional notifications (order confirmations, shipping updates, receipt notifications)
- Verifying your identity and preventing unauthorized access
6.2 Improving and Personalizing Services
- Remembering your preferences and customizing your experience
- Providing product recommendations based on your purchase history
- Conducting analytics to improve website functionality and user experience
- Testing new features and analyzing user behavior
- Troubleshooting technical issues
- Conducting research and surveys
6.3 Marketing and Advertising
- Sending promotional emails, SMS messages, and push notifications (with your consent)
- Displaying personalized advertisements on our website and third-party platforms
- Retargeting based on your browsing and purchase history
- Measuring marketing campaign effectiveness
- Creating lookalike audiences for advertising purposes
6.4 Security and Fraud Prevention
- Detecting and preventing fraudulent transactions
- Protecting against unauthorized access and cyberattacks
- Investigating suspicious activity
- Implementing security measures
- Authenticating your account credentials
- Securing payment processing
6.5 Legal and Regulatory Compliance
- Complying with tax and accounting requirements
- Responding to legal process and law enforcement requests
- Investigating violations of our Terms of Service
- Enforcing our contractual agreements
- Collecting debts and resolving disputes
6.6 Communication
- Sending administrative updates about your account
- Notifying you of changes to our policies
- Responding to your inquiries and complaints
- Providing customer support
7. Data Processors and Sub-Processors
Your personal information may be transferred to and processed by the following data processors and service providers acting on our behalf:
7.1 Core Ecommerce and Hosting
| Processor | Location | Purpose | Data Processing Agreement |
| --- | --- | --- | --- |
| Shopify, Inc. | Canada, USA | Platform hosting, store management, payment gateway | Yes (§28 BDSG) |
| Shopify Payments | Canada, USA | Payment processing | Yes (§28 BDSG) |
7.2 Fulfillment and Logistics
| Processor | Location | Purpose | Data Processing Agreement |
| --- | --- | --- | --- |
| Everspring | EU (Netherlands) | Dropshipping fulfillment, inventory management | Yes (§28 BDSG) |
| [Shipping Carrier - e.g., DHL/DPD] | Germany/EU | Shipping and delivery logistics | Yes (§28 BDSG) |
7.3 Analytics and Performance
| Processor | Location | Purpose | Data Processing Agreement |
| --- | --- | --- | --- |
| Google Ireland Limited (Google Analytics) | Ireland, USA | Website analytics, traffic analysis, user behavior tracking | Yes (§28 BDSG) |
| Searchanize | EU | Site search analytics, heatmaps, user behavior | Yes (§28 BDSG) |
7.4 Marketing and Advertising
| Processor | Location | Purpose | Data Processing Agreement |
| --- | --- | --- | --- |
| Facebook Ireland Limited | Ireland, USA | Pixel tracking, behavioral advertising, lookalike audiences | Yes (§28 BDSG) |
| Google Ads (Google Ireland Limited) | Ireland, USA | Search ads, display ads, remarketing | Yes (§28 BDSG) |
| Nudgify | EU | Push notifications, engagement messaging | Yes (§28 BDSG) |
7.5 Localization and Customization
| Processor | Location | Purpose | Data Processing Agreement |
| --- | --- | --- | --- |
| Shopify Translate & Adapt | Canada, USA | Multi-language content delivery | Yes (§28 BDSG) |
| Locksmith | USA | Paywall management, content access control | Yes (§28 BDSG) |
7.6 Additional Tools
| Processor | Location | Purpose | Data Processing Agreement |
| --- | --- | --- | --- |
| Lexware Office | Germany | Invoicing, accounting, financial records | Yes (§28 BDSG) |
| Searchanize Trust | EU | Trust signals, reviews, customer feedback | Yes (§28 BDSG) |
All processors listed above have signed Data Processing Agreements (Datenverarbeitungsverträge) pursuant to §28 BDSG and GDPR Article 28, ensuring they process personal information only on our instructions and maintain equivalent data protection standards.
You have the right to request copies of any Data Processing Agreements. Contact: info@sadplants.fun
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies (pixels, web beacons, local storage, scripts) on our website. Under German law (TTDSG §25 and GDPR Article 5(3)), we require your explicit prior consent before setting non-essential cookies or accessing information stored on your device, except for strictly necessary technical cookies.
8.1 Essential and Strictly Necessary Cookies (No Consent Required)
These cookies are necessary for basic website functionality, security, and to fulfill your requests:
- Session cookies for account login and authentication
- Security and fraud prevention cookies
- Load balancing and performance optimization
- Shopping cart functionality
- Payment processing and security
- Cookie consent and preference storage
Duration: Session or up to 1 year
8.2 Analytical and Performance Cookies (Requires Consent)
These cookies help us understand how users interact with our website to improve functionality:
- Google Analytics (Google Ireland Limited): Analyzes site traffic, user behavior, conversion tracking
- Heatmaps and session recordings (Searchanize): Visualizes user interactions on pages
- Performance monitoring: Server response times, error tracking
Third-Party Providers: Google Analytics, Searchanize
Duration: 13 months (Google Analytics standard), 6 months (other analytics)
Data Shared: Anonymized event data, user IDs, device information
8.3 Marketing and Advertising Cookies (Requires Consent)
These cookies track your behavior across websites for personalized advertising:
- Facebook Pixel: Tracks conversions, builds audiences, enables retargeting
- Google Ads Conversion Tracking: Measures ad performance, builds lookalike audiences
- Nudgify: Personalized messaging and notifications
Third-Party Providers: Facebook Ireland Limited, Google Ads, Nudgify
Duration: 6 months to 2 years depending on provider
Data Shared: User ID, device information, behavioral patterns, purchase history
8.4 Personalization Cookies (Requires Consent)
These cookies remember your preferences and provide customized experiences:
- Translate & Adapt: Language and localization preferences
- Locksmith: Content access and paywall preferences
- Product recommendations: Purchase history and browsing behavior
Duration: 12 months
8.5 Cookie Consent Management
When you first visit our website, you will see a cookie consent banner. You can:
- Accept All: Consent to all non-essential cookies
- Reject All: Decline non-essential cookies (only essential cookies will be used)
- Manage Preferences: Select which cookie categories you consent to
You can modify or withdraw consent at any time via:
- Cookie preference center on our website [link]
- Browser cookie settings
- Email to info@sadplants.fun
Withdrawal of consent will not affect processing based on your prior consent.
Important: Declining non-essential cookies will not prevent you from using our Services, though some personalization features may be limited.
9. Third-Party Websites and External Links
Our Services may contain links to websites and platforms operated by third parties. We are not responsible for their privacy practices, security measures, or content. When you click external links:
- You leave our website and their privacy policies apply
- We do not endorse or control their content
- They may collect their own personal data from you
We recommend reviewing their privacy policies before providing your information.
Information You Share on Third-Party Platforms:
Any information you share on social media, reviews sites, or other public platforms may be viewable and used by other users without limitation.
10. Automated Decision-Making and Profiling
10.1 Fraud Detection (Automated Decision)
We use automated systems to evaluate transaction risk and detect fraudulent activity. If your transaction is flagged as potentially fraudulent:
- Your transaction may be blocked or delayed
- We may require additional verification
- Your Right: You may request manual review and explanation from a human. Contact info@sadplants.fun with your order number.
10.2 Behavioral Profiling (Marketing)
We use algorithmic profiling based on your browsing history, purchase behavior, and interactions to:
- Show personalized product recommendations
- Display targeted advertisements
- Create lookalike audiences for advertising
Your Rights:
- You have the right to object to profiling for marketing purposes
- You can opt-out of targeted advertising through browser settings or our preference center
11. International Data Transfers
Since some of our processors are located outside the European Union (particularly in the USA and Canada), your personal information may be transferred, stored, and processed outside the EU/EEA.
11.1 Transfer Mechanisms
We rely on the following approved mechanisms to ensure your data receives equivalent protection:
Standard Contractual Clauses (SCCs):
Approved by EU Commission Decision 2021/914, SCCs are contracts between us and our processors ensuring GDPR-compliant data protection standards apply, regardless of the processor's location.
Adequacy Decisions:
Where the EU has determined a country provides adequate data protection (currently limited), we rely on these determinations.
Your Rights:
- You may request a copy of the Standard Contractual Clauses: Email info@sadplants.fun
- You have the right to object to transfers: Contact our DPO
11.2 Specific Transfers
- Shopify (USA/Canada): Data Processing Agreement with SCCs
- Google (USA): Google's Standard Contractual Clauses (https://policies.google.com/privacy)
- Facebook (USA): Meta's Standard Contractual Clauses
- Everspring (EU): EU-based, no SCC required
12. Data Retention
We retain your personal information only as long as necessary for the purposes outlined in this policy or as required by law. Retention periods vary by data type:
| Data Category | Retention Period | Legal Basis |
| --- | --- | --- |
| Account data (if active) | Duration of account + 3 years | Tax law §257 HGB, dispute resolution |
| Purchase/transaction records | 10 years | German tax law §257 HGB |
| Customer support communications | 3 years | Dispute resolution, legal obligations |
| Financial records (invoices, receipts) | 10 years | Tax law §90 AO |
| Payment card information | Not stored (processed directly by Shopify Payments) | PCI-DSS compliance |
| Marketing/email consent records | 3 years from last contact | TTDSG, UWG compliance |
| SMS consent records | 2 years from last SMS | TTDSG §45 compliance |
| Analytical data (Google Analytics) | 13 months | Automatic deletion by Google |
| Cookies and tracking data | 1 month to 2 years depending on type | Cookie-specific retention |
| Device/IP logs | 7 days | Security and fraud prevention |
| Deleted account data | 90 days (backup/recovery period) | System security |
After the retention period, we delete or anonymize your data. Data required for legal compliance is retained for the full statutory period, even if your account is deleted.
13. Your Rights and How to Exercise Them
Under GDPR and German law, you have the following rights regarding your personal information:
13.1 Right to Access (Auskunftsrecht)
You have the right to request access to the personal information we hold about you, including:
- Confirmation of whether we process your data
- The categories of data processed
- The purposes of processing
- Recipients of your data
- How long we retain your data
- Your other rights available
How to Request: Email info@sadplants.fun with subject line "Request for Data Access" and include:
- Your full name
- Email address associated with your account
- Order number (if applicable)
Response Time: Within 30 days (may be extended to 60 days for complex requests)
13.2 Right to Correction (Berichtigungsrecht)
You have the right to request that we correct any inaccurate, incomplete, or outdated personal information we hold about you.
How to Request: Email info@sadplants.fun with subject line "Request for Data Correction" and provide:
- Your name and account information
- Specific data that is inaccurate
- Correct information
- Supporting documentation if applicable
13.3 Right to Deletion (Löschungsrecht / Recht auf Vergessenwerden)
You have the right to request deletion of your personal information in certain circumstances, including:
- Data no longer necessary for the purposes collected
- Withdrawal of consent (when consent was the legal basis)
- Objection to processing
- Unlawful processing
Exceptions: We may not delete data if:
- Required by law (tax records, legal obligations)
- Necessary to defend legal claims
- Fraud prevention is ongoing
- Contractual obligations require retention
- Vital interests require retention
How to Request: Email info@sadplants.fun with subject line "Request for Data Deletion" and include:
- Your name and account information
- Specific data you want deleted
- Reason for deletion request
13.4 Right to Restrict Processing (Einschränkung der Verarbeitung)
You have the right to request that we limit processing of your personal information in certain circumstances:
- You contest the accuracy and we verify correctness
- Processing is unlawful but you oppose deletion
- We no longer need the data but you require retention for legal claims
- You have objected to processing while we verify legitimate interests
How to Request: Email info@sadplants.fun with subject line "Request to Restrict Processing" and provide:
- Your account information
- Reason for restriction request
- Time period for restriction (if applicable)
13.5 Right to Data Portability (Datenportabilität)
You have the right to receive your personal information in a structured, commonly used, machine-readable format (such as CSV or JSON) and to transmit it to another service provider, where technically feasible.
How to Request: Email info@sadplants.fun with subject line "Request for Data Portability" and include:
- Your name and account information
- Specific data you want transferred
- Name and email of recipient service (if applicable)
13.6 Right to Object (Widerspruchsrecht)
You have the right to object to processing of your personal information based on:
- Legitimate interests: We will stop processing unless we have overriding reasons
- Direct marketing: We will stop marketing immediately
- Profiling: We will stop profiling for marketing/advertising purposes
- Automated decisions: We will stop automated processing
How to Request: Email info@sadplants.fun with subject line "Request to Object" and specify:
- Type of processing you object to
- Reason for objection
13.7 Right to Withdraw Consent
Where we rely on your consent to process data, you have the right to withdraw that consent at any time without penalty. Withdrawal does not affect processing already completed based on prior consent.
Withdraw Consent for:
- Marketing emails: Use unsubscribe link in emails or email info@sadplants.fun
- SMS marketing: Reply STOP to any SMS or email info@sadplants.fun
- Push notifications: Disable in app settings or email info@sadplants.fun
- Cookies: Use our cookie preference center or browser settings
- Marketing generally: Email info@sadplants.fun with subject "Withdraw Marketing Consent"
13.8 Right to Lodge a Complaint
If you believe we have violated your data protection rights, you have the right to lodge a complaint with the competent data protection authority:
Federal Data Protection Officer (for federal agencies):
Bundesdatenschutzbeauftragter (BfDI)
Husarenstr. 30
53117 Bonn
Germany
Tel: +49 (0)228 77007-0
Email: poststelle@bfdi.bund.de
Website: https://www.bfdi.bund.de
Berlin State Data Protection Authority:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin
Germany
Email: mailbox@senbjf.berlin.de
Right to Appeal:
You may also appeal our response to your data subject rights request to the applicable data protection authority.
13.9 Non-Discrimination
We will not discriminate against you for exercising any of these rights. You will not receive different service, pricing, or quality of service as a result of asserting your data protection rights.
13.10 Verification of Identity
Before processing your request, we may need to verify your identity to ensure we release information only to the authorized individual. We may request:
- Full name and address
- Account email and order number
- Identification document (copy)
- Additional security questions
13.11 Authorized Representatives
You may authorize another person to submit requests on your behalf. If you do:
- Provide written authorization (power of attorney)
- Include the representative's contact information
- We may still require you to verify your identity directly
14. SMS and Marketing Communications
14.1 SMS Care Reminders
If you opt-in to SMS reminders for plant care:
- You provide explicit consent via checkbox at account creation or checkout
- Consent is freely given, specific, informed, and unambiguous
- You receive SMS notifications at times you specify
- We maintain records of your SMS consent
Opt-Out:
- Reply STOP to any SMS message
- Contact info@sadplants.fun
- Modify preferences in your account settings
14.2 Email Marketing
If you opt-in to email marketing:
- We send promotional offers, new product announcements, and content
- Consent is optional and not required to purchase
- You may unsubscribe using the link in every email
- Contact info@sadplants.fun to opt-out
14.3 Push Notifications
If you enable push notifications:
- We may send transactional and promotional messages
- You can disable via browser/app settings
- You can contact us to opt-out
Important: We do not use pre-ticked consent boxes. Consent must be explicit, informed, and freely given. By default, marketing communications are opt-in only.
15. Children's Privacy
Our Services are not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are under 16, please do not use our Services or provide any information.
If you are the parent/guardian of a child who has provided us personal information:
- Contact us immediately at info@sadplants.fun
- Provide the child's name and your proof of authority
- We will delete the child's data
Note: In certain EU countries, parental consent may be required for children ages 16-18. We comply with age verification requirements where applicable.
16. Security Measures
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:
- Encryption: HTTPS/TLS encryption for data in transit
- Payment Security: PCI-DSS compliance for payment processing (handled by Shopify Payments)
- Access Controls: Role-based access, authentication requirements
- Firewalls: Network segmentation and intrusion detection
- Monitoring: Regular security monitoring and threat detection
- Employee Training: Data protection training for staff
- Incident Response: Procedures for data breach detection and response
No Guaranteed Security:
While we maintain reasonable security, no system is completely impenetrable. We cannot guarantee absolute security. We recommend:
- Using strong, unique passwords
- Not sharing login credentials
- Using secure internet connections
- Monitoring your account for unauthorized activity
17. Data Breach Notification
In the event of a personal data breach (unauthorized access, disclosure, or loss), we will:
- Investigate the breach promptly
- Notify affected individuals without undue delay
- Notify competent data protection authorities (if required by law)
- Document the breach and remediation efforts
You will be notified if:
- A breach poses high risk to your data protection rights
- As required by applicable law
- Contact method: Email to your registered address
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to:
- Reflect changes to our practices
- Address new technologies or services
- Comply with legal requirements
- Improve clarity or transparency
Material Changes:
We will provide notice of material changes via:
- Email notification to your registered address
- Prominent notice on our website
- Other methods as required by law
Your Acceptance:
Continued use of our Services after updates constitutes acceptance of the revised policy. We recommend reviewing this policy periodically.
Changes take effect on the date specified in the notice. Your rights under the previous policy are preserved for data collected before the change date.
19. Data Retention Upon Account Deletion
If you delete your account:
- Your account and associated data are marked for deletion
- Deletion occurs within 90 days (backup and recovery period)
- Data required by law (tax records, transaction history) is retained per legal requirements
- You may not use your account during the deletion period
Contact info@sadplants.fun to request immediate permanent deletion (subject to legal retention requirements).
20. Contact Us and Data Protection Officer
For questions about this Privacy Policy or to exercise your data protection rights:
Customer Support:
Email: info@sadplants.fun
Phone: +491712084868
Address: Hauptstraße 70, 12159 Berlin, Germany
Data Protection Officer:
Name: Michiel Top
Email: michiel.top@gmail.com
Phone: +491712084868
Address: Hauptstraße 70, 12159 Berlin, Germany
Data Controller (Legal Entity):
Fortify Top Business Solutions UG (haftungsbeschränkt)
Hauptstraße 70
12159 Berlin
Germany
Tax ID: DE454528091
Registered in: Berlin Handelsregister (Commercial Registry)
Registration Number: HRB 274316
21. Additional Resources
- Shopify Privacy Policy: https://www.shopify.com/legal/privacy
- Shopify Data Subject Rights Portal: https://privacy.shopify.com/en
- German Data Protection Authority (BfDI): https://www.bfdi.bund.de
- GDPR Official Text: https://gdpr-info.eu
- EU Data Protection Board Guidelines: https://edpb.europa.eu
This Privacy Policy is effective as of October 30, 2025 and supersedes all previous privacy policies.
Legal Notice
Legal Notice according to § 5 TMG
Sadplants.fun
Fortify Top Business Solutions UG (haftungsbeschränkt)
Hauptstraße 70,
12159 Berlin, Germany
Represented by:
Michiel Top
Contact:
Telephone: +491712084868
Email: info@fortifysolutions.eu
Register:
Registration in the registry court: Berlin (Charlottenburg)
Registration number: HRB274316
VAT-ID:
Sales tax identification number according to §27a Value Added Tax Act: DE454528091
We use your personal information for the following purposes:
6.1 Providing and Operating Services
- Creating and managing your account
- Processing purchases, payments, and transactions
- Arranging shipping and delivery
- Fulfilling, processing, and managing returns and exchanges
- Providing customer support and responding to inquiries
- Sending transactional notifications (order confirmations, shipping updates, receipt notifications)
- Verifying your identity and preventing unauthorized access
6.2 Improving and Personalizing Services
- Remembering your preferences and customizing your experience
- Providing product recommendations based on your purchase history
- Conducting analytics to improve website functionality and user experience
- Testing new features and analyzing user behavior
- Troubleshooting technical issues
- Conducting research and surveys
6.3 Marketing and Advertising
- Sending promotional emails, SMS messages, and push notifications (with your consent)
- Displaying personalized advertisements on our website and third-party platforms
- Retargeting based on your browsing and purchase history
- Measuring marketing campaign effectiveness
- Creating lookalike audiences for advertising purposes
6.4 Security and Fraud Prevention
- Detecting and preventing fraudulent transactions
- Protecting against unauthorized access and cyberattacks
- Investigating suspicious activity
- Implementing security measures
- Authenticating your account credentials
- Securing payment processing
6.5 Legal and Regulatory Compliance
- Complying with tax and accounting requirements
- Responding to legal process and law enforcement requests
- Investigating violations of our Terms of Service
- Enforcing our contractual agreements
- Collecting debts and resolving disputes
6.6 Communication
- Sending administrative updates about your account
- Notifying you of changes to our policies
- Responding to your inquiries and complaints
- Providing customer support
7. Data Processors and Sub-Processors
Your personal information may be transferred to and processed by the following data processors and service providers acting on our behalf:
7.1 Core Ecommerce and Hosting
| Processor | Location | Purpose | Data Processing Agreement |
|---|---|---|---|
| Shopify, Inc. | Canada, USA | Platform hosting, store management, payment gateway | Yes (§28 BDSG) |
| Shopify Payments | Canada, USA | Payment processing | Yes (§28 BDSG) |
7.2 Fulfillment and Logistics
| Processor | Location | Purpose | Data Processing Agreement |
|---|---|---|---|
| Everspring | EU (Netherlands) | Dropshipping fulfillment, inventory management | Yes (§28 BDSG) |
| [Shipping Carrier - e.g., DHL/DPD] | Germany/EU | Shipping and delivery logistics | Yes (§28 BDSG) |
7.3 Analytics and Performance
| Processor | Location | Purpose | Data Processing Agreement |
|---|---|---|---|
| Google Ireland Limited (Google Analytics) | Ireland, USA | Website analytics, traffic analysis, user behavior tracking | Yes (§28 BDSG) |
| Searchanize | EU | Site search analytics, heatmaps, user behavior | Yes (§28 BDSG) |
7.4 Marketing and Advertising
| Processor | Location | Purpose | Data Processing Agreement |
|---|---|---|---|
| Facebook Ireland Limited | Ireland, USA | Pixel tracking, behavioral advertising, lookalike audiences | Yes (§28 BDSG) |
| Google Ads (Google Ireland Limited) | Ireland, USA | Search ads, display ads, remarketing | Yes (§28 BDSG) |
| Nudgify | EU | Push notifications, engagement messaging | Yes (§28 BDSG) |
7.5 Localization and Customization
| Processor | Location | Purpose | Data Processing Agreement |
|---|---|---|---|
| Shopify Translate & Adapt | Canada, USA | Multi-language content delivery | Yes (§28 BDSG) |
| Locksmith | USA | Paywall management, content access control | Yes (§28 BDSG) |
7.6 Additional Tools
| Processor | Location | Purpose | Data Processing Agreement |
|---|---|---|---|
| Lexware Office | Germany | Invoicing, accounting, financial records | Yes (§28 BDSG) |
| Searchanize Trust | EU | Trust signals, reviews, customer feedback | Yes (§28 BDSG) |
All processors listed above have signed Data Processing Agreements (Datenverarbeitungsverträge) pursuant to §28 BDSG and GDPR Article 28, ensuring they process personal information only on our instructions and maintain equivalent data protection standards.
You have the right to request copies of any Data Processing Agreements. Contact: info@sadplants.fun
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies (pixels, web beacons, local storage, scripts) on our website. Under German law (TTDSG §25 and GDPR Article 5(3)), we require your explicit prior consent before setting non-essential cookies or accessing information stored on your device, except for strictly necessary technical cookies.
8.1 Essential and Strictly Necessary Cookies (No Consent Required)
These cookies are necessary for basic website functionality, security, and to fulfill your requests:
- Session cookies for account login and authentication
- Security and fraud prevention cookies
- Load balancing and performance optimization
- Shopping cart functionality
- Payment processing and security
- Cookie consent and preference storage
Duration: Session or up to 1 year
8.2 Analytical and Performance Cookies (Requires Consent)
These cookies help us understand how users interact with our website to improve functionality:
- Google Analytics (Google Ireland Limited): Analyzes site traffic, user behavior, conversion tracking
- Heatmaps and session recordings (Searchanize): Visualizes user interactions on pages
- Performance monitoring: Server response times, error tracking
Third-Party Providers: Google Analytics, Searchanize
Duration: 13 months (Google Analytics standard), 6 months (other analytics)
Data Shared: Anonymized event data, user IDs, device information
8.3 Marketing and Advertising Cookies (Requires Consent)
These cookies track your behavior across websites for personalized advertising:
- Facebook Pixel: Tracks conversions, builds audiences, enables retargeting
- Google Ads Conversion Tracking: Measures ad performance, builds lookalike audiences
- Nudgify: Personalized messaging and notifications
Third-Party Providers: Facebook Ireland Limited, Google Ads, Nudgify
Duration: 6 months to 2 years depending on provider
Data Shared: User ID, device information, behavioral patterns, purchase history
8.4 Personalization Cookies (Requires Consent)
These cookies remember your preferences and provide customized experiences:
- Translate & Adapt: Language and localization preferences
- Locksmith: Content access and paywall preferences
- Product recommendations: Purchase history and browsing behavior
Duration: 12 months
8.5 Cookie Consent Management
When you first visit our website, you will see a cookie consent banner. You can:
- Accept All: Consent to all non-essential cookies
- Reject All: Decline non-essential cookies (only essential cookies will be used)
- Manage Preferences: Select which cookie categories you consent to
You can modify or withdraw consent at any time via:
- Cookie preference center on our website [link]
- Browser cookie settings
- Email to info@sadplants.fun
Withdrawal of consent will not affect processing based on your prior consent.
Important: Declining non-essential cookies will not prevent you from using our Services, though some personalization features may be limited.
9. Third-Party Websites and External Links
Our Services may contain links to websites and platforms operated by third parties. We are not responsible for their privacy practices, security measures, or content. When you click external links:
- You leave our website and their privacy policies apply
- We do not endorse or control their content
- They may collect their own personal data from you
We recommend reviewing their privacy policies before providing your information.
Information You Share on Third-Party Platforms:
Any information you share on social media, reviews sites, or other public platforms may be viewable and used by other users without limitation.
10. Automated Decision-Making and Profiling
10.1 Fraud Detection (Automated Decision)
We use automated systems to evaluate transaction risk and detect fraudulent activity. If your transaction is flagged as potentially fraudulent:
- Your transaction may be blocked or delayed
- We may require additional verification
- Your Right: You may request manual review and explanation from a human. Contact info@sadplants.fun with your order number.
10.2 Behavioral Profiling (Marketing)
We use algorithmic profiling based on your browsing history, purchase behavior, and interactions to:
- Show personalized product recommendations
- Display targeted advertisements
- Create lookalike audiences for advertising
Your Rights:
- You have the right to object to profiling for marketing purposes
- You can opt-out of targeted advertising through browser settings or our preference center
11. International Data Transfers
Since some of our processors are located outside the European Union (particularly in the USA and Canada), your personal information may be transferred, stored, and processed outside the EU/EEA.
11.1 Transfer Mechanisms
We rely on the following approved mechanisms to ensure your data receives equivalent protection:
Standard Contractual Clauses (SCCs):
Approved by EU Commission Decision 2021/914, SCCs are contracts between us and our processors ensuring GDPR-compliant data protection standards apply, regardless of the processor's location.
Adequacy Decisions:
Where the EU has determined a country provides adequate data protection (currently limited), we rely on these determinations.
Your Rights:
- You may request a copy of the Standard Contractual Clauses: Email info@sadplants.fun
- You have the right to object to transfers: Contact our DPO
11.2 Specific Transfers
- Shopify (USA/Canada): Data Processing Agreement with SCCs
- Google (USA): Google's Standard Contractual Clauses (https://policies.google.com/privacy)
- Facebook (USA): Meta's Standard Contractual Clauses
- Everspring (EU): EU-based, no SCC required
12. Data Retention
We retain your personal information only as long as necessary for the purposes outlined in this policy or as required by law. Retention periods vary by data type:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account data (if active) | Duration of account + 3 years | Tax law §257 HGB, dispute resolution |
| Purchase/transaction records | 10 years | German tax law §257 HGB |
| Customer support communications | 3 years | Dispute resolution, legal obligations |
| Financial records (invoices, receipts) | 10 years | Tax law §90 AO |
| Payment card information | Not stored (processed directly by Shopify Payments) | PCI-DSS compliance |
| Marketing/email consent records | 3 years from last contact | TTDSG, UWG compliance |
| SMS consent records | 2 years from last SMS | TTDSG §45 compliance |
| Analytical data (Google Analytics) | 13 months | Automatic deletion by Google |
| Cookies and tracking data | 1 month to 2 years depending on type | Cookie-specific retention |
| Device/IP logs | 7 days | Security and fraud prevention |
| Deleted account data | 90 days (backup/recovery period) | System security |
After the retention period, we delete or anonymize your data. Data required for legal compliance is retained for the full statutory period, even if your account is deleted.
13. Your Rights and How to Exercise Them
Under GDPR and German law, you have the following rights regarding your personal information:
13.1 Right to Access (Auskunftsrecht)
You have the right to request access to the personal information we hold about you, including:
- Confirmation of whether we process your data
- The categories of data processed
- The purposes of processing
- Recipients of your data
- How long we retain your data
- Your other available rights
How to Request: Email info@sadplants.fun with subject line "Request for Data Access" and include:
- Your full name
- Email address associated with your account
- Order number (if applicable)
Response Time: Within 30 days (may be extended to 60 days for complex requests)
13.2 Right to Correction (Berichtigungsrecht)
You have the right to request that we correct any inaccurate, incomplete, or outdated personal information we hold about you.
How to Request: Email info@sadplants.fun with subject line "Request for Data Correction" and provide:
- Your name and account information
- Specific data that is inaccurate
- Correct information
- Supporting documentation if applicable
13.3 Right to Deletion (Löschungsrecht / Recht auf Vergessenwerden)
You have the right to request deletion of your personal information in certain circumstances, including:
- Data no longer necessary for the purposes collected
- Withdrawal of consent (when consent was the legal basis)
- Objection to processing
- Unlawful processing
Exceptions: We may not delete data if:
- Required by law (tax records, legal obligations)
- Necessary to defend legal claims
- Fraud prevention is ongoing
- Contractual obligations require retention
- Vital interests require retention
How to Request: Email info@sadplants.fun with subject line "Request for Data Deletion" and include:
- Your name and account information
- Specific data you want deleted
- Reason for deletion request
13.4 Right to Restrict Processing (Einschränkung der Verarbeitung)
You have the right to request that we limit processing of your personal information in certain circumstances:
- You contest the accuracy and we verify correctness
- Processing is unlawful but you oppose deletion
- We no longer need the data but you require retention for legal claims
- You have objected to processing while we verify legitimate interests
How to Request: Email info@sadplants.fun with subject line "Request to Restrict Processing" and provide:
- Your account information
- Reason for restriction request
- Time period for restriction (if applicable)
13.5 Right to Data Portability (Datenportabilität)
You have the right to receive your personal information in a structured, commonly used, machine-readable format (such as CSV or JSON) and to transmit it to another service provider, where technically feasible.
How to Request: Email info@sadplants.fun with subject line "Request for Data Portability" and include:
- Your name and account information
- Specific data you want transferred
- Name and email of recipient service (if applicable)
13.6 Right to Object (Widerspruchsrecht)
You have the right to object to processing of your personal information based on:
- Legitimate interests: We will stop processing unless we have overriding reasons
- Direct marketing: We will stop marketing immediately
- Profiling: We will stop profiling for marketing/advertising purposes
- Automated decisions: We will stop automated processing
How to Request: Email info@sadplants.fun with subject line "Request to Object" and specify:
- Type of processing you object to
- Reason for objection
13.7 Right to Withdraw Consent
Where we rely on your consent to process data, you have the right to withdraw that consent at any time without penalty. Withdrawal does not affect processing already completed based on prior consent.
Withdraw Consent for:
- Marketing emails: Use unsubscribe link in emails or email info@sadplants.fun
- SMS marketing: Reply STOP to any SMS or email info@sadplants.fun
- Push notifications: Disable in app settings or email info@sadplants.fun
- Cookies: Use our cookie preference center or browser settings
- Marketing generally: Email info@sadplants.fun with subject "Withdraw Marketing Consent"
13.8 Right to Lodge a Complaint
If you believe we have violated your data protection rights, you have the right to lodge a complaint with the competent data protection authority:
Federal Data Protection Officer (for federal agencies):
Bundesdatenschutzbeauftragter (BfDI)
Husarenstr. 30
53117 Bonn
Germany
Tel: +49 (0)228 77007-0
Email: poststelle@bfdi.bund.de
Website: https://www.bfdi.bund.de
Berlin State Data Protection Authority:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin
Germany
Email: mailbox@senbjf.berlin.de
Right to Appeal:
You may also appeal our response to your data subject rights request to the applicable data protection authority.
13.9 Non-Discrimination
We will not discriminate against you for exercising any of these rights. You will not receive different service, pricing, or quality of service as a result of asserting your data protection rights.
13.10 Verification of Identity
Before processing your request, we may need to verify your identity to ensure we release information only to the authorized individual. We may request:
- Full name and address
- Account email and order number
- Identification document (copy)
- Additional security questions
13.11 Authorized Representatives
You may authorize another person to submit requests on your behalf. If you do:
- Provide written authorization (power of attorney)
- Include the representative's contact information
- We may still require you to verify your identity directly
14. SMS and Marketing Communications
14.1 SMS Care Reminders
If you opt-in to SMS reminders for plant care:
- You provide explicit consent via checkbox at account creation or checkout
- Consent is freely given, specific, informed, and unambiguous
- You receive SMS notifications at times you specify
- We maintain records of your SMS consent
Opt-Out:
- Reply STOP to any SMS message
- Contact info@sadplants.fun
- Modify preferences in your account settings
14.2 Email Marketing
If you opt-in to email marketing:
- We send promotional offers, new product announcements, and content
- Consent is optional and not required to purchase
- You may unsubscribe using the link in every email
- Contact info@sadplants.fun to opt-out
14.3 Push Notifications
If you enable push notifications:
- We may send transactional and promotional messages
- You can disable via browser/app settings
- You can contact us to opt-out
Important: We do not use pre-ticked consent boxes. Consent must be explicit, informed, and freely given. By default, marketing communications are opt-in only.
15. Children's Privacy
Our Services are not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are under 16, please do not use our Services or provide any information.
If you are the parent/guardian of a child who has provided us personal information:
- Contact us immediately at info@sadplants.fun
- Provide the child's name and your proof of authority
- We will delete the child's data
Note: In certain EU countries, parental consent may be required for children ages 16-18. We comply with age verification requirements where applicable.
16. Security Measures
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:
- Encryption: HTTPS/TLS encryption for data in transit
- Payment Security: PCI-DSS compliance for payment processing (handled by Shopify Payments)
- Access Controls: Role-based access, authentication requirements
- Firewalls: Network segmentation and intrusion detection
- Monitoring: Regular security monitoring and threat detection
- Employee Training: Data protection training for staff
- Incident Response: Procedures for data breach detection and response
No Guaranteed Security:
While we maintain reasonable security, no system is completely impenetrable. We cannot guarantee absolute security. We recommend:
- Using strong, unique passwords
- Not sharing login credentials
- Using secure internet connections
- Monitoring your account for unauthorized activity
17. Data Breach Notification
In the event of a personal data breach (unauthorized access, disclosure, or loss), we will:
- Investigate the breach promptly
- Notify affected individuals without undue delay
- Notify competent data protection authorities (if required by law)
- Document the breach and remediation efforts
You will be notified if:
- A breach poses high risk to your data protection rights
- Notification is required by applicable law
Contact method: Email to your registered address
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to:
- Reflect changes to our practices
- Address new technologies or services
- Comply with legal requirements
- Improve clarity or transparency
Material Changes:
We will provide notice of material changes via:
- Email notification to your registered address
- Prominent notice on our website
- Other methods as required by law
Your Acceptance:
Continued use of our Services after updates constitutes acceptance of the revised policy. We recommend reviewing this policy periodically.
Changes take effect on the date specified in the notice. Your rights under the previous policy are preserved for data collected before the change date.
19. Data Retention Upon Account Deletion
If you delete your account:
- Your account and associated data are marked for deletion
- Deletion occurs within 90 days (backup and recovery period)
- Data required by law (tax records, transaction history) is retained per legal requirements
- You may not use your account during the deletion period
Contact info@sadplants.fun to request immediate permanent deletion (subject to legal retention requirements).
20. Contact Us and Data Protection Officer
For questions about this Privacy Policy or to exercise your data protection rights:
Customer Support:
Email: info@sadplants.fun
Phone: +491712084868
Address: Hauptstraße 70, 12159 Berlin, Germany
Data Protection Officer:
Name: Michiel Top
Email: michiel.top@gmail.com
Phone: +491712084868
Address: Hauptstraße 70, 12159 Berlin, Germany
Data Controller (Legal Entity):
Fortify Top Business Solutions UG (haftungsbeschränkt)
Hauptstraße 70
12159 Berlin
Germany
Tax ID: DE454528091
Registered in: Berlin Handelsregister (Commercial Registry)
Registration Number: HRB 274316
21. Additional Resources
- Shopify Privacy Policy: https://www.shopify.com/legal/privacy
- Shopify Data Subject Rights Portal: https://privacy.shopify.com/en
- German Data Protection Authority (BfDI): https://www.bfdi.bund.de
- GDPR Official Text: https://gdpr-info.eu
- EU Data Protection Board Guidelines: https://edpb.europa.eu
This Privacy Policy is effective as of October 30, 2025 and supersedes all previous privacy policies.
Legal Notice according to § 5 TMG
Sadplants.fun
Fortify Top Business Solutions UG (haftungsbeschränkt)
Hauptstraße 70,
12159 Berlin, Germany
Represented by:
Michiel Top
Contact:
Telephone: +491712084868
Email: info@fortifysolutions.eu
Register:
Registration in the registry court: Berlin (Charlottenburg)
Registration number: HRB274316
VAT-ID:
Sales tax identification number according to §27a Value Added Tax Act: DE454528091
