Skip to main content

Privacy Policy

1. Controller and Contact

The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (DSGVO) is:

WELANDA - Piyal Ranasinghe
Querstraße 6
90489 Nürnberg
Phone: +49 151 22628518
E-Mail: contact@welanda.com

A Data Protection Officer is not required by law, as fewer than 20 persons are constantly engaged in the automated processing of personal data (§ 38 Abs. 1 BDSG).

2. General Information on Data Processing

Legal Bases

We only process personal data if there is a legal basis for doing so. In the context of our website, the following legal bases are particularly relevant:

  • Consent (Art. 6 Abs. 1 lit. a DSGVO):You have given us your explicit consent for processing, e.g. for analytics cookies. You may revoke your consent at any time with effect for the future.
  • Performance of a contract (Art. 6 Abs. 1 lit. b DSGVO):Processing is necessary for the performance of a contract or for the implementation of pre-contractual measures, e.g. for orders or customer enquiries.
  • Legal obligation (Art. 6 Abs. 1 lit. c DSGVO):Processing is necessary for compliance with a legal obligation, e.g. tax retention obligations.
  • Legitimate interest (Art. 6 Abs. 1 lit. f DSGVO):Processing is necessary for the purposes of the legitimate interests pursued by us, provided that your fundamental rights and freedoms do not override these interests, e.g. for the provision and security of the website.

Data Security

We implement technical and organisational security measures (TOMs) pursuant to Art. 32 DSGVO to protect your data against manipulation, loss, destruction, or unauthorised access. Our measures include, among others:

  • Encrypted data transmission via TLS/SSL (HTTPS) for all connections
  • Regular security updates of our systems
  • Access restrictions to personal data based on the need-to-know principle
  • Server-side storage within the EU (Frankfurt am Main and Karlsruhe)

Our security measures are continuously adapted to technological progress.

Storage Duration

We generally only store personal data for as long as is necessary for the respective processing purpose. Where statutory retention obligations exist (e.g. commercial or tax law), we store the affected data for the duration of the retention obligation (generally 6 or 10 years). After expiry, we delete the data unless it is still required.

3. Hosting and Website Provision

Storefront Hosting (Vercel)

The user interface of our online shop (storefront) is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. The server location for our website is Frankfurt am Main, Germany (Region fra1).

When you visit our website, technical data (IP address, browser type, access time) is automatically processed by Vercel's servers. Vercel uses the IP address, among other things, to determine the country of origin (geolocation header) in order to display the correct country version of the website. This processing is necessary to provide the website and is based on Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in reliable and performant website provision).

We have concluded a Data Processing Agreement with Vercel. Vercel has joined the EU-US Data Privacy Framework, which ensures an adequate level of data protection. For more information, please refer to Vercel's privacy policy:https://vercel.com/legal/privacy-policy

Backend Hosting (Netcup)

Our backend system (database, order processing, image processing) is hosted by Netcup GmbH, Daimlerstraße 25, 76185 Karlsruhe, Germany. Netcup processes data exclusively within the EU. Processing is based on Art. 6 Abs. 1 lit. f DSGVO.

4. Cookies and Local Storage

Our website uses cookies and local storage mechanisms (localStorage, sessionStorage). Cookies are small data packets that are stored on your device. They do not cause any harm.

We distinguish between technically necessary cookies that are required for the operation of the website, and optional analytics cookies.

Technically necessary cookies are stored on the basis of § 25 Abs. 2 Nr. 2 TDDDG (Telecommunications Digital Services Data Protection Act), as they are strictly necessary for the provision of the service you have explicitly requested. Art. 6 Abs. 1 lit. f DSGVO serves as the legal basis for the personal data contained in these cookies.

Optional analytics cookies are only set with your explicit consent (§ 25 Abs. 1 TDDDG in conjunction with Art. 6 Abs. 1 lit. a DSGVO).

Cookie Overview

Cookie / StoragePurposeStorage DurationCategory
_medusa_cache_idRegional assignment24 hoursNecessary
_medusa_cart_idShopping cart assignment7 daysNecessary
_medusa_jwtAuthentication session7 daysNecessary
_medusa_localeLanguage setting1 yearNecessary
welanda_cookie_consent (localStorage)Storage of your cookie preferences12 monthsNecessary
_pending_order_cart_idPayment return assignment10 minutesNecessary
product-reviews-* (sessionStorage)Caching of product reviewsSessionNecessary
Umami Analytics (Script)Anonymous website analyticsSessionAnalytics

Cookie Consent (Consent Management)

When you first visit our website, a cookie banner is displayed through which you can grant or decline consent for the use of optional cookies. Your decision is stored in your browser's localStorage and read on each page visit. Consent is additionally logged anonymously with a SHA256 hash on our server (proof of consent pursuant to DSGVO). You can change your cookie settings at any time via the cookie button (bottom right) or the “Cookie Settings” link in the footer. After 12 months, you will be asked for your consent again.

5. Server Log Files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

  • Browser type and browser version
  • Operating system used
  • Referrer URL
  • Hostname of the accessing computer
  • Time of the server request
  • IP address

The legal basis is Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in the secure and stable provision of the website). The data is not merged with other data sources. The log files are automatically deleted after 14 days.

6. E-Commerce: Shopping Cart and Customer Account

Shopping Cart and Contract Processing

We collect, process, and use personal customer and contract data for the establishment, content arrangement, and modification of our contractual relationships. When placing an order, the following data is processed in particular:

  • Name and address (delivery and billing address)
  • Email address
  • Ordered products, quantities, and prices
  • Personalisation data (texts and graphics for the engraving)
  • Payment information (forwarded to the payment service provider)

The legal basis is Art. 6 Abs. 1 lit. b DSGVO (performance of a contract). Order data is stored in accordance with statutory retention obligations (6 or 10 years) and then deleted.

Customer Account

You have the option to create a customer account with us. Upon registration, the following data is stored:

  • First and last name
  • Email address
  • Password (stored encrypted)
  • Address data (after first entry)

After registration, your order history and saved addresses are additionally stored in your account to facilitate reorders and order tracking.

The legal basis for processing is Art. 6 Abs. 1 lit. b DSGVO (performance of a contract and pre-contractual measures). Creating a customer account is voluntary; ordering as a guest is also possible.

You may have your customer account deleted at any time. Please contact contact@welanda.com. After deletion of the account, your data will be deleted unless statutory retention obligations apply.

7. Personalisation Editor and Uploads

Description and Scope

Our personalisation editor allows you to upload your own texts and graphics (images, logos) that will be applied to your product via laser engraving. In the course of personalisation, the following data is processed:

  • Texts entered by you (e.g. names, dedications)
  • Image files uploaded by you (PNG, JPEG, SVG, HEIC)
  • Selected font, scaling, and positioning

Note on image metadata: Uploaded image files may contain metadata (EXIF data), such as location information, camera data, or creation date. We recommend removing the metadata from your images before uploading if you do not wish to disclose this information. Our image processing pipeline automatically removes EXIF data during processing.

Storage and Storage Duration

All uploaded files and personalisation data are stored exclusively on our own server (VPS at Netcup, Germany). No data is transmitted to third-party CDNs or cloud storage services.

The storage duration of your uploads depends on the processing purpose:

  • During the order: Your personalisation data is processed for order fulfilment and transmitted to our production facility.
  • After delivery: Uploads and engraving data are retained for a period of 6 months after delivery in order to process any complaints.
  • After expiry of the period: The data is automatically and irrevocably deleted.

Your personalisation data is used exclusively for order fulfilment (Art. 6 Abs. 1 lit. b DSGVO). It is not used for advertising purposes, published, or disclosed to third parties.

Automated Image Processing (AI-assisted)

Transparency notice pursuant to Art. 13 Abs. 2 lit. f DSGVO and Art. 50 KI-Verordnung (AI Act):

To improve engraving results, we use AI-assisted image processing. The open-source tool rembg is used to automatically remove the background of uploaded images. Processing takes place exclusively on our own server in Germany. No data is transmitted to external AI services, cloud APIs, or third parties.

The AI processing serves exclusively for the technical preparation of your image for laser engraving and has no influence on decisions that affect you as a person. No profiling takes place.

8. Payment Processing

Payment Processing (Mollie)

For payment processing, we use the payment service provider Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam, Netherlands. When selecting a payment method, the data required for payment processing (name, address, bank details or credit card data, invoice amount, currency, transaction number) is transmitted to Mollie. Processing is based on Art. 6 Abs. 1 lit. b DSGVO (performance of a contract). For more information:https://www.mollie.com/de/privacy

Payment Processing (PayPal)

Alternatively, we offer payment via PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. When selecting PayPal, the data required for payment processing is transmitted to PayPal. Processing is based on Art. 6 Abs. 1 lit. b DSGVO.

For certain payment types (e.g. purchase on account, instalment payments), PayPal may obtain a credit report from credit reference agencies. PayPal uses the result of the credit check regarding the statistical probability of non-payment to decide on the provision of the respective payment method. The legal basis for the credit check is Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in protection against default). For more information:https://www.paypal.com/de/webapps/mpp/ua/privacy-full

VAT ID Validation (VIES)

For the validation of VAT identification numbers in intra-Community supplies, we use the VIES service of the European Commission (ec.europa.eu/taxation_customs/vies). Only the entered VAT ID number is transmitted to the EU server. Processing is based on Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (compliance with legal obligations under § 18e UStG).

Data Transfer upon Contract Conclusion

We only transfer personal data to third parties if this is necessary within the framework of contract processing, for example to the shipping company commissioned with the delivery or the company commissioned with payment processing.

9. Shipping and Logistics

For the shipment of ordered goods, we use the services of DHL (Deutsche Post DHL Group, Charles-de-Gaulle-Straße 20, 53113 Bonn) and/or DPD (DPD Deutschland GmbH, Wailandtstraße 1, 63741 Aschaffenburg).

The data required for delivery is transmitted to the respective shipping service provider:

  • Name and address of the recipient
  • Phone number if applicable (for delivery notification)
  • Email address (for shipment tracking and parcel notifications)

The transmission of the email address to the shipping service provider is based on Art. 6 Abs. 1 lit. b DSGVO (performance of a contract), as notification of the shipping status is an essential part of the purchase transaction. The shipping service provider may use your email address to send you parcel notifications and delivery information regarding your order.

For more information, please refer to the privacy policies ofDHLandDPD.

10. Web Analytics (Umami)

This website uses Umami Analytics, a privacy-friendly, self-hosted web analytics software. Umami is operated on our own server and no data is transmitted to third parties.

Umami works without cookies (cookie-less tracking) and does not use fingerprinting. IP addresses are not stored but are only used anonymously to identify unique visitors within a session and are then discarded. Umami respects the Do Not Track setting of your browser.

Umami collects anonymous usage statistics such as page views, dwell time, and device types used. No personal profiles are created.

Despite its privacy-friendly design, Umami is only activated on our website when you give your explicit consent via our cookie banner (Art. 6 Abs. 1 lit. a DSGVO). If you revoke or do not give consent, the analytics script will not be loaded.

11. Error Tracking and Performance Monitoring (Sentry)

For the automatic detection and logging of technical errors and performance issues, we use the service Sentry. The provider is Functional Software Inc., 132 Hawthorne Street, San Francisco, CA 94107, USA.

In the event of an error, Sentry automatically captures technical information required for diagnosing and resolving the issue. The following data is processed:

  • Anonymized IP address (the full IP address is removed before transmission)
  • Browser and device information (user agent, screen resolution)
  • Error messages and stack traces (technical error details)
  • URL of the affected page
  • Timestamp of the error

Sentry does not set any cookies and does not create user profiles. The collection of personal data (such as email addresses or names) is explicitly disabled in our configuration (sendDefaultPii: false). IP addresses are anonymized before transmission via a beforeSend hook.

Processing is based on Art. 6 Abs. 1 lit. f DSGVO (legitimate interest). Our legitimate interest lies in ensuring the technical reliability and stability of our online offering. Error data is stored in accordance with our Sentry configuration for 90 days and then automatically deleted.

Data is transmitted to servers of Sentry (Functional Software Inc.) in the USA. The transfer is based on the EU-US Data Privacy Framework or EU Standard Contractual Clauses (Art. 46 Abs. 2 lit. c DSGVO). For more information, please refer to Sentry's privacy policy:https://sentry.io/privacy/

You may object to the processing of your data by Sentry at any time (Art. 21 DSGVO). Please contact contact@welanda.com. Additionally, you can prevent data collection by Sentry by disabling JavaScript in your browser. However, this may limit the functionality of our website.

12. Contact Form

If you send us enquiries via the contact form, your details from the form (name, email address, subject, message, order number if applicable) are stored by us for the purpose of processing your enquiry and in the event of follow-up questions. Processing is based on Art. 6 Abs. 1 lit. b DSGVO (performance of a contract) or Art. 6 Abs. 1 lit. f DSGVO (legitimate interest in responding to your enquiry). The data is deleted as soon as it is no longer required for the purpose of its collection.

13. Newsletter

You have the option to subscribe to our newsletter. For this we require your email address and optionally your name. Registration uses a double opt-in procedure: after signing up you will receive a confirmation email with a link you must click. Only then will you be added to the mailing list.

Processing is based on your consent pursuant to Art. 6(1)(a) GDPR. You may revoke your consent at any time by using the unsubscribe link in every newsletter email or via our unsubscribe page. The lawfulness of processing carried out before the revocation remains unaffected.

We use the open-source software Listmonk on our own server in Germany for sending and managing the newsletter. Your data is not shared with third parties. For email delivery, the service Brevo (Sendinblue GmbH, Cologne) is used as an SMTP relay; only the email is transported, no storage by Brevo takes place.

13a. Back-in-Stock Notification

For out-of-stock products, we offer you the option to receive a one-time email notification as soon as your desired product is back in stock. For this purpose, we collect your email address and information about the desired product (product name, variant, SKU).

Processing is carried out exclusively on the basis of your consent pursuant to Art. 6(1)(a) GDPR. After the notification email is sent, your data will be automatically and irrevocably deleted. You may revoke your consent at any time before the email is sent by contacting us at contact@welanda.com.

For email delivery, we use the self-hosted open-source software Listmonk on our own server in Germany. Your data is not shared with third parties.

14. Social Media

Our website contains links to our social media profiles on Instagram and TikTok. These are simple links (not social media plugins) that do not transmit any data to the platforms as long as you do not click on them. Only when you click will you be redirected to the respective platform, where their privacy policy applies. The links open in a new tab.

15. Your Rights

You have the following rights with regard to the personal data concerning you:

  • Right of access (Art. 15 DSGVO) - You may request information about your data stored by us.
  • Right to rectification (Art. 16 DSGVO) - You may request the correction of inaccurate data.
  • Right to erasure (Art. 17 DSGVO) - You may request the deletion of your data, provided no statutory retention obligations apply.
  • Right to restriction of processing (Art. 18 DSGVO) - You may request the restriction of processing.
  • Right to data portability (Art. 20 DSGVO) - You may receive your data in a structured, machine-readable format.

Right to Object (Art. 21 DSGVO)

Insofar as we process your personal data on the basis of legitimate interests pursuant to Art. 6 Abs. 1 lit. f DSGVO, you have the right to object to the processing pursuant to Art. 21 DSGVO.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms. To exercise your right to object, an email to contact@welanda.com is sufficient.

Revocation of Your Consent (Art. 7 Abs. 3 DSGVO)

Insofar as we process your data on the basis of consent, you have the right to revoke this consent at any time with effect for the future. The lawfulness of the processing carried out on the basis of the consent until the revocation remains unaffected. For cookie consents, please use the cookie button (bottom right) or the “Cookie Settings” link in the footer.

Right to Lodge a Complaint with the Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data. The responsible supervisory authority is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
https://www.lda.bayern.de

Last updated: March 2026