
Privacy Policy

Last updated: August 16, 2025

1) Who we are (Controller)

Fan Finds, Berlin, Germany. We curate and sell ritual goods. For EU/UK data protection laws, Fan Finds is the controller of your personal data.
Contact: hello@fanfinds.store
Supervisory authority: Berliner Beauftragte für Datenschutz und Informationsfreiheit (see “Your rights” below).

 
2) What this policy covers

This policy explains what we collect, why, how long we keep it, who we share it with, and how you can exercise your rights. It applies to our website, checkout, email/SMS, social media/pages, messengers (e.g., Telegram/WhatsApp), and ad/analytics tools we use to run the business.

 
3) Data we collect

Data you give us

  • Identification & contact (name, email, phone, addresses)

  • Order & delivery info, returns messages

  • Account & community details (username, preferences)

  • Messages you send (email, forms, messengers), UGC (reviews, tags)

Data we collect automatically

  • Device & usage data (IP address, time, pages, referrer, identifiers, approximate location, browser/device; server log files for performance/security)

  • Cookie/SDK data for analytics, personalization, and ads (only after consent, where required)

Data from others

  • Payment & anti-fraud signals from payment providers

  • Delivery updates from carriers

  • Marketing & analytics partners (aggregated stats; audience segments)

  • Address correction/verification services

 
4) Why we process your data (legal bases)

To sell & deliver your order (name, address, contact, order data, payments; sharing with payment providers, carriers, Wix/hosting): contract (Art. 6(1)(b)); legal obligations for invoicing/records; legitimate interests for service quality.
Account, community, and customer support: contract / legitimate interests.
Payments & fraud prevention (3-D Secure, risk scoring, IP/device checks): legitimate interests in preventing fraud and securing our services.
Analytics, performance & product improvement (after consent where required): consent / legitimate interests for aggregated insights.
Marketing communications:

  • Newsletters, SMS, messengers: consent (opt-in; withdraw anytime).

  • Post-purchase email about similar goods: legitimate interests with easy opt-out in every message.

Advertising & personalization (pixels, retargeting, lookalikes; cookies/SDKs): consent via our cookie banner; withdraw anytime in the banner or account/email settings.
Legal & compliance (tax, accounting, consumer law, requests from authorities): legal obligations; legitimate interests for establishing/defending claims.

 
5) Cookies & similar technologies

We use cookies/SDKs for (i) essentials (security, checkout), (ii) preferences, (iii) analytics, and (iv) advertising. In Germany, non-essential cookies require prior consent. Use our cookie banner to grant or withdraw consent anytime; essential cookies run regardless to provide the service.

 
6) Marketing choices
  • Email/SMS/messengers: unsubscribe links/settings in each message or email hello@fanfinds.store.

  • Ads & pixels: manage consent in the cookie banner; you can also use platform ad settings (Meta, Google, LinkedIn, Pinterest, TikTok).

  • We never sell your data.

 
7) Social media pages & embeds

We run pages on platforms like Instagram, Facebook, Pinterest, LinkedIn, TikTok, and YouTube. Those platforms process your data under their own policies. We receive page-level analytics (“Insights”) and may run ads to show you relevant products. For some pixels, we and the platform act as joint controllers for the initial collection; after that, the platform is an independent controller. Links to platform privacy notices are available on our Vendors & Sub-processors page.

 
8) Messengers (Telegram/WhatsApp)

If you contact us via messengers, we will see your profile info and messages. These services process data under their own terms. Using messengers is optional; you can always email us instead. We do not create group chats without your action.

 
9) Payments & fraud prevention

We use PCI-compliant providers to process payments. We may use automated checks (e.g., device/IP signals, blacklists) to protect you and us from fraud/abuse. This may affect the ability to place an order when a high risk is detected; you can contact support to review.

 
10) Sharing your data (categories of recipients)
  • Hosting & store platform: Wix and infrastructure providers

  • Payments: card processors, PayPal, etc.

  • Delivery: carriers, customs brokers

  • Analytics/ads: measurement and advertising partners (only after consent where required)

  • Support & communication: email, CRM, helpdesk, messenger tools

  • Professional services: auditors, accountants, legal

A live list is maintained on our Vendors & Sub-processors page.

 
11) International transfers

We store data in the EU/EEA where possible. Some partners are outside the EEA:

 
12) Retention
  • Orders, invoices, tax records: generally 10 years under German law.

  • Customer support & warranty files: until a claim window closes (typically warranty/limitation period), then archived/deleted.

  • Accounts & marketing preferences: until deletion/unsubscribe.

  • Server logs & security events: typically up to 12 months unless needed longer for security/abuse investigations.

We delete or anonymize data when it’s no longer needed.

 
13) Security

We use technical and organizational measures such as TLS encryption in transit, strict access controls, least-privilege permissions, backups, and vendor due diligence.

 
14) Your rights

GDPR gives you the right to access, rectify, erase, restrict, port, and object to processing on legitimate-interest grounds, as well as withdraw consent at any time (does not affect prior processing). We do not make decisions solely by automated means that produce legal or similarly significant effects.
Contact: hello@fanfinds.store
You can lodge a complaint with the Berlin supervisory authority (contact details on their website).

 
15) Children

Our services are not directed to children, and we do not knowingly collect data from children. Where consent is used as the legal basis for online services, the GDPR default age of consent is 16 (Member States may set 13–16; Germany applies 16).

 
16) Changes

We’ll post updates here and adjust the “Last updated” date. Material changes will be highlighted in-site or by email where appropriate.
