Privacy Policy

Last updated: 23 April 2026

This Privacy Policy explains how personal data is processed when you visit our website holzgestein.com and when you make a purchase in our online shop.

1. Controller

PARAX GmbH
Bockeldamm 19
59199 Bönen
Germany
Email: info@parax.de

HOLZGESTEIN is a brand of PARAX GmbH.

Contact for data protection matters:
PARAX GmbH – Data Protection
Email: info@parax.de

2. Scope

This Privacy Policy applies to our website holzgestein.com, including all subpages, language and country versions, as well as to the functions offered via the website, in particular the cart, checkout, newsletter, product reviews, contact requests, and embedded content.

3. Definitions

Terms such as “personal data”, “processing”, “controller”, and “processor” are used in accordance with the definitions of the General Data Protection Regulation (GDPR).

Where information is stored on or accessed from your device, this is also governed by Section 25 of the German Telecommunications Digital Services Data Protection Act (TDDDG).

4. Legal Bases for Processing

We process personal data in particular on the following legal bases:

  • Art. 6(1)(b) GDPR – for the performance of pre-contractual measures and contract fulfillment
  • Art. 6(1)(c) GDPR – for compliance with legal obligations
  • Art. 6(1)(f) GDPR – for the purposes of legitimate interests, in particular IT security, fraud prevention, and the economically efficient provision of our online services
  • Art. 6(1)(a) GDPR – on the basis of your consent, in particular for marketing, tracking, newsletters, and non-essential cookies or similar technologies

5. Hosting and Shop Operation via Shopify

Our online shop is operated via the Shopify platform. Shopify provides the technical infrastructure, hosting, shop operation, checkout, and related functions for the provision of our online services. In this context, Shopify may process IP addresses, device and browser information, usage data, order information, contact information, and transaction data. Shopify also documents international data transfers, in particular within the Shopify group and to subprocessors; for this purpose, Shopify refers in particular to contractual safeguards including the current Standard Contractual Clauses. Shopify further states that personal data of individuals from the EEA, the United Kingdom, or Switzerland is protected for transfers to Canada by way of an adequacy decision and, for onward transfers outside Canada, by contractual obligations comparable to Standard Contractual Clauses.

This processing takes place for the purpose of technically providing the shop, processing orders, ensuring security and performance, preventing fraud, and sending transaction-related messages. The legal basis for this processing is Art. 6(1)(b), (c), and (f) GDPR.

6. Server Log Files and IT Security

When you access our website, technically necessary connection data is processed, in particular IP address, date and time, requested URL, referrer, browser type, operating system, and status codes.

This processing is carried out to ensure the stability, security, and protection of our online services against misuse. The legal basis is Art. 6(1)(f) GDPR.

7. Consent Management, Cookies, and Similar Technologies

We use a consent management tool that allows you to decide whether and to what extent non-essential technologies may be used. We use technically necessary cookies and similar technologies where required for the operation of the website, the shopping cart, checkout, language settings, or security-related functions.

Non-essential cookies, pixels, tags, and similar marketing or analytics technologies are only used with your consent. Shopify documents that, for markets such as the EEA and the United Kingdom, the relevant privacy settings take regional consent requirements into account and that web pixels in such markets are executed only in accordance with the permissions granted.

You can change or withdraw your settings at any time via the “Cookie Settings” link on our website.

8. Orders and Contract Fulfillment

When you place an order in our shop, we process the data required for the contract, in particular:

  • First and last name
  • Billing and delivery address
  • Email address
  • Ordered products
  • Payment information
  • Shipping and transaction data
  • If applicable, return, warranty, and support information

The processing is carried out for contract performance, delivery, communication, handling of returns and complaints, and compliance with commercial and tax retention obligations. The legal basis is Art. 6(1)(b) and (c) GDPR.

9. Payments

To process payments, we transfer the data required for this purpose to the payment service provider selected by you. Depending on the chosen payment method, this may include in particular your name, billing address, delivery address, email address, order amount, currency, transaction references, and payment-related information.

Active payment methods may include in particular:

  • Credit card via Shopify Payments
  • PayPal
  • Klarna
  • Prepayment / bank transfer

The processing is carried out for payment handling and contract fulfillment on the basis of Art. 6(1)(b) GDPR. Where credit checks, fraud checks, or risk assessments are carried out, the processing may additionally be based on Art. 6(1)(f) GDPR.

10. Shipping and Shipment Tracking

To deliver your order, we transfer the necessary data to the commissioned shipping provider, in particular your name and delivery address, and – where necessary and provided by you – your email address or telephone number for shipping notifications.

The processing is carried out for contract fulfillment on the basis of Art. 6(1)(b) GDPR.

11. Contact and Customer Service

If you contact us by email, contact form, or by any other means, we process the data you provide in order to handle your request. This may include in particular your name, email address, order reference, and the content of your communication.

Depending on the nature of your request, the processing is based on Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR.

If we provide links on our website to WhatsApp or other messenger services, data will only be transferred to the respective provider once you actively click such a link. Please do not send sensitive information or payment data via messenger services.

12. Newsletter and Email Marketing

If you subscribe to our newsletter, we process your email address and any other information you voluntarily provide in order to send you information about products, offers, and news related to HOLZGESTEIN.

Subscription generally takes place via a double opt-in procedure. You may withdraw your consent at any time with future effect, for example via the unsubscribe link in the newsletter or by contacting us.

If we use Shopify Email for sending newsletters, processing takes place within Shopify’s infrastructure. Where Mailchimp is additionally used, processing is carried out via The Rocket Science Group LLC d/b/a Mailchimp.

To the extent that we measure open rates and click rates, this is done only to the extent permitted under data protection law. The legal basis is Art. 6(1)(a) GDPR.

13. Product Reviews via Judge.me

We use Judge.me for product and shop reviews. In this context, the following data may be processed in particular: name or pseudonym, email address, order or product reference, star rating, review text, and voluntarily uploaded photos or videos.

The processing is carried out for the purpose of displaying authentic customer reviews and improving transparency in our shop. Depending on the specific setup, the legal basis is Art. 6(1)(b) GDPR, Art. 6(1)(a) GDPR, or Art. 6(1)(f) GDPR.

14. Web Analytics with etracker

We use etracker Analytics by etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany.

Where etracker is used in its cookieless standard mode and no access to information on your device takes place, we base the processing on our legitimate interest in the statistical analysis and optimization of our online services pursuant to Art. 6(1)(f) GDPR.

Where cookies or comparable technologies are used beyond this, such processing takes place only on the basis of your consent pursuant to Art. 6(1)(a) GDPR in conjunction with Section 25 TDDDG.

You may object to the processing of your data by etracker at any time with future effect.

15. Facebook / Instagram by Meta – Meta Pixel, Conversions API, “Maximum” Data Sharing

We use the Shopify integration “Facebook & Instagram by Meta” with data sharing set to “Maximum”. Shopify describes this setting as using the Meta Pixel, the Conversions API, and other current Meta advertising technologies. According to Shopify’s documentation, the information transmitted under Enhanced and Maximum may include data such as name, location, email address, telephone number, as well as information about browsing and purchasing behavior in our online shop. Shopify also describes that standard events such as PageView, ViewContent, Search, AddToCart, InitiateCheckout, AddPaymentInfo, and Purchase may be collected.

The processing serves the purposes of measuring advertising performance, attributing conversions, building audiences, remarketing, and optimizing our advertising on Meta platforms such as Facebook and Instagram. Activation takes place only on the basis of your consent.

Please note that personal data may also be transferred to Meta companies and affiliated entities in third countries, in particular the United States.

16. Note on the Technical Integration of Meta

We integrate Meta technologies via the Shopify integration. Shopify notes that additional manual pixel integrations in the theme or in other shop areas may lead to duplicate data collection and inaccurate reporting.

17. Embedded Content and YouTube

Our website may include embedded content from third-party providers. This may in particular include YouTube videos. When you access a page containing such an embed, a connection to YouTube’s or Google’s servers may be established. In this process, your IP address, browser and device information, referrer, and information about the page accessed may in particular be processed.

Google also states that cookies and similar technologies may be used for embedded content. Where the integration of YouTube is not technically necessary for the operation of the website, the video or player is only loaded with your consent. In that case, the legal basis is Art. 6(1)(a) GDPR in conjunction with Section 25 TDDDG.

Where we use YouTube in enhanced privacy mode, YouTube indicates that the embed domain is changed from youtube.com to youtube-nocookie.com. Even in that case, data processing by Google or YouTube may occur when the embedded player is used.

18. Social Media Profiles

We maintain online presences on social networks and platforms, in particular on Instagram, Pinterest, TikTok, and YouTube. If you visit our pages there, personal data is also processed by the respective platform operators in accordance with their own privacy policies.

Where personal data is processed on our social media pages, we may be jointly responsible with the respective platform operator to the extent provided by law.

19. Recipients of Personal Data

Depending on the specific processing activity, your data may in particular be transferred to the following categories of recipients:

  • Shopify and service providers affiliated with Shopify
  • Payment service providers and payment processors
  • Shipping providers
  • Review service providers
  • Newsletter and email marketing providers
  • Analytics and marketing service providers
  • Google / YouTube for embedded videos
  • IT, hosting, and support service providers
  • Tax advisors, legal advisors, public authorities, and other bodies where legally required

20. Transfers to Third Countries

Where we use service providers outside the EU or EEA, or where data is transferred there, this is done only in compliance with the applicable legal requirements.

Shopify documents international transfers within its group and to subprocessors and refers in particular to the use of contractual safeguards including Standard Contractual Clauses. Transfers to third countries may also occur with other third-party providers we use, such as Meta, Google/YouTube, or Mailchimp.

21. Storage Period

We store personal data only for as long as necessary for the relevant purposes or as required by statutory retention obligations.

In particular, the following periods generally apply:

  • Order and accounting data: 6 to 10 years
  • Contact and support data: generally until final handling of the request and beyond that within the framework of statutory or defense-related limitation periods
  • Proof of consent and consent logs: as long as necessary for evidentiary purposes
  • Server log data: generally only for a short period and for security-related purposes
  • Customer accounts: until deletion by the data subject or until the purpose no longer applies

22. Obligation to Provide Data

The provision of certain personal data is required for entering into and performing the contract. Without this data, we cannot process your order.

The provision of data for marketing, tracking, and newsletters is voluntary.

23. Your Rights

Subject to the applicable legal requirements, you have the following rights in particular:

  • Right of access pursuant to Art. 15 GDPR
  • Right to rectification pursuant to Art. 16 GDPR
  • Right to erasure pursuant to Art. 17 GDPR
  • Right to restriction of processing pursuant to Art. 18 GDPR
  • Right to data portability pursuant to Art. 20 GDPR
  • Right to object pursuant to Art. 21 GDPR
  • Right to withdraw consent with future effect pursuant to Art. 7(3) GDPR

To exercise your rights, a simple message to info@parax.de is sufficient.

24. Right to Object under Art. 21 GDPR

Where we process data on the basis of Art. 6(1)(f) GDPR, you have the right to object to such processing at any time on grounds relating to your particular situation.

Where personal data is processed for direct marketing purposes, you have the right to object at any time to processing for such marketing purposes.

25. Right to Lodge a Complaint with a Supervisory Authority

You also have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data.

The supervisory authority competent for us is in particular:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW)
Kavalleriestraße 2–4
40213 Düsseldorf
Germany

26. Changes to This Privacy Policy

We reserve the right to amend this Privacy Policy if this becomes necessary due to legal, technical, or organizational changes.

The version published on our website at the time of your visit shall apply.