With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to in short as "data") that we process, for which purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the course of providing our services and in particular on our websites as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as the "online offering").
The terms used are not gender-specific.
Last updated: June 2026
sentiments de vie UG (haftungsbeschränkt)
Bgm-Aurnhammer-Straße 3
86199 Augsburg
Bavaria, Germany
Authorized Managing Directors: Tarek Naim, Enam Hötzl
Email: info@sentimentsdevie.com Website: https://www.sentimentsdevie.com
The following overview summarizes the types of data processed and the purposes of their processing.
Types of data processed
Categories of data subjects
Purposes of processing
Legal bases under the GDPR:
National regulations in Germany: In addition to the GDPR, the German Federal Data Protection Act (BDSG) applies, which in particular contains special provisions on the right of access, the right to erasure, the right to object, and automated decision-making. For the storage of information on terminal equipment and access to information already stored there, the Act on Data Protection and the Protection of Privacy in Telecommunications and Digital Services (TDDDG) applies in addition, in particular Section 25 TDDDG. Furthermore, the data protection laws of the individual federal states may apply.
In accordance with the legal requirements, taking into account the state of the art and the respective processing risks, we take appropriate technical and organizational measures (TOMs) to ensure a level of protection appropriate to the risk. These include in particular:
If a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL.
In the course of our processing activities, data is transferred to processors and other recipients. This concerns in particular:
In all cases, we conclude data processing agreements (DPAs) pursuant to Art. 28 GDPR with recipients acting as processors, or we rely on other appropriate safeguards.
Insofar as we transfer data to a third country (outside the EU/EEA), or this occurs in the course of using the services of third parties, this is done only in accordance with the legal requirements. Depending on the provider, we base the transfer on one of the following grounds:
The service providers we use are distributed as follows:
Further information on the DPF is available at https://www.dataprivacyframework.gov/. For the individual service providers (Sections 10–13), we provide information on the respective applicable transfer basis.
We erase personal data as soon as the purpose of processing no longer applies and no statutory retention obligations stand in the way.
Statutory retention periods (German law):
The period begins in each case at the end of the calendar year in which the event triggering the period occurred.
Under the GDPR (Art. 15–21), you have the following rights:
We operate an online shop for niche perfumes (D2C) and process personal data of our customers and prospective customers for the initiation, performance and processing of purchase contracts.
In particular, the following are processed: name, delivery address, email address, order information, payment data, and communication history.
Disclosure to shipping service providers: If goods are delivered by a transport service provider (e.g. DHL, DPD), we disclose the customer's email address and/or telephone number to the carrier before delivery of the goods, pursuant to Art. 6(1)(a) GDPR, for the purpose of coordinating a delivery date or for delivery notification, provided that express consent was given for this during the ordering process. Otherwise, for the purpose of delivery, we disclose pursuant to Art. 6(1)(b) GDPR only the recipient's name and the delivery address. In this case, prior coordination of the delivery date or a detailed status notification by the service provider is not possible.
Types of data processed: Inventory data; payment data; contact data; contract data; usage data; meta, communication and procedural data.
Data subjects: Service recipients and clients; prospective customers; business and contractual partners.
Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); consent for the disclosure of data for delivery notification (Art. 6(1)(a) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Retention and erasure: In accordance with Section 7; commercial and tax law retention periods remain unaffected.
For the processing of payments, we use the following payment service provider:
Stripe: Payment services (technical integration of online payment methods). Service provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA. Website: https://stripe.com | Privacy policy: https://stripe.com/de/privacy. Legal basis for third-country transfer: EU-US Data Privacy Framework (DPF); Standard Contractual Clauses as an additional safeguard.
Payment transactions are carried out exclusively via encrypted connections. We do not receive any account or credit card data; only a confirmation or rejection of the payment is transmitted to us. The payment data entered is processed exclusively by Stripe and stored at Stripe.
Legal bases: Performance of a contract (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
We process user data in order to provide our online services. In doing so, we use the following service providers:
Vercel (Hosting & CDN) Service provider: Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA. Website: https://vercel.com | Privacy policy: https://vercel.com/legal/privacy-policy. Data protection contact (EU): Vercel Inc., Attn: Data Protection, c/o EDPO, Avenue Huart Hamoir 71, 1030 Brussels, Belgium. Legal basis for third-country transfer: EU-US Data Privacy Framework (DPF); Vercel Inc. is DPF-certified. Standard Contractual Clauses are included in the DPA as an additional safeguard. Note: We use Vercel in the EU region wherever possible.
Fonts and icons On our website, we embed fonts ("Google Fonts") from the provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When a page is accessed, your browser loads the required fonts from a Google server (fonts.googleapis.com / fonts.gstatic.com) in order to display texts consistently. In doing so, your IP address is transmitted to Google; any onward transfer to Google LLC in the USA is safeguarded via the EU-US Data Privacy Framework (DPF). This embedding only takes place after you have given corresponding consent via our cookie banner.
Legal basis: Consent (Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG). Google's privacy policy: https://policies.google.com/privacy
Database & Authentication (Backend) For the planned provision of database and authentication functions (including for the user account and the "Le Cercle" loyalty program), we use a backend service. The specific provider, as well as the associated information on the place of processing, processing on behalf of the controller, and any third-country transfer, will be added with the official launch of these functions.
Sanity (Content Management System) Service provider: Sanity AS, Trondheimsveien 2, 0560 Oslo, Norway. Website: https://www.sanity.io | Privacy policy: https://www.sanity.io/legal/privacy. Legal basis: No third-country transfer. Norway is a member of the EEA; the processing is directly subject to the GDPR. A DPA pursuant to Art. 28 GDPR is in place; data processing takes place on European servers.
Email dispatch (Resend) The email services we use (transactional emails, newsletters) are handled via Resend. Service provider: Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA. Website: https://resend.com | Privacy policy: https://resend.com/legal/privacy-policy. Legal basis for third-country transfer: EU-US Data Privacy Framework (DPF); Resend, Inc. has been DPF-certified since 13 March 2025. Standard Contractual Clauses are included in the DPA as an additional safeguard. Note: Emails are generally encrypted in transit, but not necessarily on the recipient's servers.
Server log files: Each time the site is accessed, server log files are automatically generated, which may contain the following: address and name of the page accessed, date and time of access, amount of data transferred, browser type and version, operating system, referrer URL, and IP address. This data is used for security purposes and to ensure operation and is erased or anonymized after no more than 30 days.
Types of data processed: Usage data; meta, communication and procedural data; log data; content data.
Data subjects: Users (website visitors, users of online services).
Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); performance of a contract (Art. 6(1)(b) GDPR).
We use cookies and comparable technologies (e.g. LocalStorage). "Cookies" are small text files that are stored on the user's terminal device or that access information already stored there.
Cookie categories
Category
Purpose
Consent required
Necessary
Operation of the website, session management, authentication (session tokens via HttpOnly cookies or LocalStorage), Stripe checkout, security
No
Statistics
Measurement of website usage (Google Analytics, see Section 13)
Yes
Marketing
Personalized advertising measures
Yes
Technically necessary storage operations: The storage of session tokens (JWT) for login and the protected members' area of the "Le Cercle" loyalty program via our authentication service is technically strictly necessary in order to provide the service expressly requested by the user. These operations fall under the exception of Section 25(2) No. 2 TDDDG and are set without prior consent. The same applies to the Stripe checkout and security-relevant cookies.
Consent management: For all cookies requiring consent (statistics, marketing), we obtain informed, voluntary and active consent via a consent banner in accordance with Section 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR (no pre-selected options). At the first level of the banner, the options "Accept all" and "Reject all" are available on an equal footing — equally ranked in design, color, contrast and accessibility, and without any design-based influence ("nudging"). Scripts requiring consent (e.g. Google Analytics) are only loaded after consent has been actively given.
Storage duration:
Withdrawal: Users can withdraw consent at any time via the cookie banner as well as via the data protection settings of their browser.
Legal bases: Consent (Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG); for technically necessary storage operations, Section 25(2) No. 2 TDDDG, as well as legitimate interests (Art. 6(1)(f) GDPR).
For statistical reach measurement, we use Google Analytics. Service provider (EU): Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Any onward transfers to Google LLC (USA) are safeguarded via the EU-US Data Privacy Framework (DPF). Privacy policy: https://policies.google.com/privacy
Google Analytics is loaded exclusively after prior active consent via our cookie banner. In particular, shortened IP addresses, click paths and device metadata are processed.
We use Google Consent Mode v2 from Google Ireland Limited in order to ensure compliance with the data protection requirements of the Digital Markets Act (DMA). This consent mode transmits the decision made by the user in the cookie banner to the Google services we use. We operate Consent Mode exclusively in the so-called "Basic Mode." This ensures that Google tags are only loaded, and personal data is only transmitted to Google, once active consent has been given via our cookie banner. If consent is refused, no data transmission to Google takes place.
Types of data processed: Usage data; meta, communication and procedural data.
Data subjects: Users (website visitors).
Legal basis: Consent (Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG).
Users can create an account on our website (Le Cercle membership). In the course of registration, the required mandatory information is collected and processed on the basis of the performance of contractual obligations. In particular, the following are processed: email address, password (stored in encrypted form), optional shipping address (for the loyalty program gift), date of joining, and IP address at the time of registration.
User profiles are not publicly accessible. IP addresses are stored for the prevention of misuse. The technical provision of the account and the protected members' area takes place via our authentication service; the session tokens required for this are technically necessary (Section 25(2) No. 2 TDDDG). If the account is terminated, user data is erased, provided that no statutory retention obligations stand in the way.
Types of data processed: Inventory data; contact data; usage data; log data.
Data subjects: Users.
Legal bases: Performance of a contract (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
When contacting us (e.g. by email or contact form), we process the information of the inquiring persons insofar as this is necessary to respond to the inquiries and any requested measures.
Types of data processed: Contact data; content data; meta, communication and procedural data.
Data subjects: Communication partners.
Retention and erasure: Inquiries are erased after they have been fully processed, provided that no statutory retention obligations exist.
Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
We send newsletters and email notifications exclusively with the consent of the recipients (Art. 6(1)(a) GDPR in conjunction with Section 7(2) No. 3 UWG).
Registration procedure: We use a double opt-in procedure. After registering, you receive a confirmation email, via the link in which you must actively confirm your registration. As proof of consent (Art. 7(1) GDPR), we log the registration with a timestamp, email address, and the IP address used at the time of confirmation.
Email dispatch: Newsletters are sent via Resend (see Section 11).
Unsubscribing: You can unsubscribe from the newsletter at any time via the unsubscribe link in every email or by contacting us. We store unsubscribed email addresses for up to 3 years on the basis of legitimate interests (proof of consent previously given).
Types of data processed: Inventory data; contact data; meta, communication and procedural data.
Data subjects: Communication partners; prospective customers.
Legal bases: Consent (Art. 6(1)(a) GDPR).
We process personal data for the purposes of promotional communication by email, post or other channels on the basis of consent or legitimate interests (e.g. direct advertising to existing customers pursuant to Section 7(3) UWG).
Recipients have the right to object to the processing at any time. After an objection or withdrawal, the data necessary for providing proof is stored for up to 3 years after the end of the year of unsubscribing; its processing is limited to this purpose.
Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
We maintain profiles within social networks in order to communicate with users registered there and to provide information about our products. When our profiles are accessed, personal data of the users is processed by the respective platform operator (e.g. usage behavior, interactions, device and metadata). This processing partly takes place outside our sphere of influence and may be associated with a transfer to third countries (in particular the USA).
Insofar as we decide jointly with the respective platform operator on the purposes and means of processing (e.g. in the case of aggregated statistics/insights functions), there is joint controllership pursuant to Art. 26 GDPR. The essential content of the respective joint controllership agreement, as well as the data protection notices of the platform operators, are listed below:
Users can assert their rights (access, erasure, etc.) both vis-à-vis us and vis-à-vis the respective platform operator. We point out that effective exercise of data subject rights is in some cases only possible via the platform operator, as only the operator has access to the respective user data.
Types of data processed: Inventory data; contact data; content data; usage data; meta, communication and procedural data.
Data subjects: Users; communication partners.
Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); consent (Art. 6(1)(a) GDPR), insofar as such consent has been given vis-à-vis the platform operator.
We reserve the right to adapt this privacy policy if processing procedures or legal requirements change. We recommend that you review the content of this privacy policy regularly. Insofar as a change requires your consent or an individual notification is required, we will inform you separately.