Privacy Policy
1. Privacy at a Glance
General Information
The following information provides a simple overview of what happens to your personal data when you visit my website. Personal data is any data that can be used to personally identify you. For detailed information on the subject of data protection, please refer to my privacy policy below.
Data Collection on This Website
Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. You can find my contact details under “Data Controller” below and in the imprint.
How do I collect your data?
Your data is collected in part when you provide it to me directly — for example by placing an order, registering an account, subscribing to the newsletter, applying for wholesale access, or sending a withdrawal request. Other data is collected automatically by my IT systems when you visit the website (mainly technical data such as browser, operating system, and time of the page request).
What do I use your data for?
Some data is collected to ensure the proper functioning of the website. Other data is used to process your orders, deliver goods, send you transactional emails, and — if you have explicitly consented — to send you the newsletter.
What rights do you have regarding your data?
You have the right to obtain information about the origin, recipients, and purpose of your stored personal data free of charge at any time. You also have the right to request the correction, restriction, or deletion of this data, the right to data portability, and the right to lodge a complaint with the competent supervisory authority. For all such requests, please contact me at the address below.
2. General Notes and Mandatory Information
Data Protection
I take the protection of your personal data very seriously. I treat your personal data confidentially and in accordance with the applicable data protection regulations (in particular the GDPR) and this privacy policy. Please note that data transmission over the internet (e.g. when communicating by email) may be subject to security vulnerabilities. Complete protection of data against access by third parties is not possible.
Data Controller
Into Endless Chaos Records
Tobias Praast-Engelmann
An der alten Mittelstrasse 2
06686 Lützen
Germany
Email: info@intoendlesschaos.de
Storage Duration
Unless a more specific storage period is mentioned in this privacy policy, your personal data will remain with me until the purpose for which it was collected no longer applies. If you submit a justified deletion request or revoke your consent for data processing, your data will be deleted unless I have other legally permissible reasons to retain it (e.g. retention periods under tax or commercial law — typically 6 to 10 years for invoices and order data).
SSL/TLS Encryption
For security reasons and to protect the transmission of confidential content, this site uses SSL/TLS encryption. You can recognise an encrypted connection by the “https://” in the address bar of your browser and the lock icon. When SSL/TLS encryption is active, the data you transmit cannot be read by third parties.
Your Rights under the GDPR
You have the right to free information about your stored personal data, its origin and recipients, and the purpose of data processing (Art. 15 GDPR), as well as the rights to correction (Art. 16), deletion (Art. 17), restriction of processing (Art. 18), and data portability (Art. 20), and the right to object to processing based on legitimate interests (Art. 21). You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent authority for me is the data protection authority of Saxony-Anhalt.
3. Data Collection on This Website
Cookies
This website uses only technically necessary cookies (no advertising or tracking cookies). They are used for example to keep your shopping cart, to preserve your login session, to remember whether you have wholesale access, and to enable a maintenance-bypass for previewing changes. The legal basis is Art. 6 (1) (b) GDPR (performance of a contract) and Art. 6 (1) (f) GDPR (legitimate interest in a functional website). Authentication cookies are set by my auth provider (Supabase). No third-party tracking or advertising cookies are placed.
Server Log Files
The website provider (Vercel, see “Hosting” below) automatically collects and stores information in server log files which your browser transmits. These are:
- Browser type and version
- Operating system
- Referrer URL
- Hostname of the accessing device
- Time of the server request
- IP address
This data is not merged with other data sources. Collection is based on Art. 6 (1) (f) GDPR — my legitimate interest in the technically error-free presentation and optimisation of the website.
Contact by Email
If you contact me by email, your message and the contact data you provide (email address, name) will be stored by me to process the request. The legal basis is Art. 6 (1) (b) GDPR (for inquiries related to a contract) or Art. 6 (1) (f) GDPR (for other inquiries). Your data is not passed on without your consent and will be deleted once the request is fully resolved, unless legal retention obligations apply.
No Web Analytics or Tracking
This website does not use Google Analytics, Matomo, Meta Pixel, or any similar visitor analytics or advertising tools. There is no tracking of your behaviour across pages and no profiling. Fonts (Cinzel, Cormorant Garamond) are self-hosted via Next.js and are not loaded from Google's servers.
4. Hosting, Database and Authentication
Hosting (Vercel)
This website is hosted by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA. When you visit this website, Vercel processes connection data including your IP address. Vercel may transfer data to the USA. The transfer is based on EU Standard Contractual Clauses (Art. 46 GDPR). Vercel is certified under the EU-US Data Privacy Framework. The use of Vercel is based on Art. 6 (1) (f) GDPR — my legitimate interest in a reliable, performant presentation of the shop.
Privacy policy: vercel.com/legal/privacy-policy
Database and Authentication (Supabase)
Customer data, orders, addresses, cart contents, newsletter subscriptions and user accounts are stored in a PostgreSQL database operated by Supabase Inc., 970 Toa Payoh North #07-04, Singapore 318992. The data is hosted in the EU region (Frankfurt, Germany). Authentication (login, password reset, session management) is also handled by Supabase. Use is based on Art. 6 (1) (b) GDPR (performance of a contract) for orders and account data, and Art. 6 (1) (a) GDPR (consent) for the newsletter list. A data processing agreement (Art. 28 GDPR) is in place.
Privacy policy: supabase.com/privacy
5. Customer Account and Order Processing
When you place an order or create a customer account, I collect the following data: name, billing and shipping address, email address, optionally a phone number, order history, and your selected payment method. The data is needed to fulfil the contract and is stored on the basis of Art. 6 (1) (b) GDPR. After full execution of the contract, the data is restricted in further processing and stored for the duration of the legal retention periods under tax and commercial law (typically 6–10 years).
You can view, change or delete the data of your customer account in the account section at any time. Deletion of the account is possible at any time; order data linked to invoices is retained until the legal retention periods expire and is then deleted.
6. Payment Processing
All electronic payments are processed by Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam, Netherlands (“Mollie”). Depending on the payment method you choose at checkout, Mollie shares the data required to settle the payment with the corresponding payment service. Personal data transmitted to Mollie typically includes name, address, email address, order amount, order ID, and bank/card details depending on the chosen method. Use of Mollie is based on Art. 6 (1) (b) GDPR (performance of a contract). A data processing agreement (Art. 28 GDPR) is in place.
Mollie's privacy policy: mollie.com/privacy
Payment Methods Available via Mollie
The following methods may be processed via Mollie. The actual selection depends on your country and order amount:
- Bank transfer / advance payment (“Vorkasse”)
- Credit and debit card
- iDEAL (NL)
- Bancontact (BE)
- EPS (AT)
- Przelewy24 (PL)
- PayPal — PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg
- Apple Pay — Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA
- Google Pay — Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland
- Klarna Pay later / Klarna Slice it — Klarna Bank AB, Sveavägen 46, 111 34 Stockholm, Sweden
When you choose PayPal, Apple Pay, Google Pay or Klarna, the respective provider's terms and privacy policy additionally apply. For Klarna, a creditworthiness check may be carried out. Data may be transferred to third countries (USA) on the basis of EU Standard Contractual Clauses (Art. 46 GDPR); where applicable, the providers are certified under the EU-US Data Privacy Framework.
7. Shipping
DHL
For shipments within Germany and to many international destinations I use Deutsche Post DHL (Deutsche Post AG, Charles-de-Gaulle-Straße 20, 53113 Bonn, Germany). Your delivery address (name, street, postal code, city, country) and order reference are transmitted to DHL for the creation of the shipping label. The legal basis is Art. 6 (1) (b) GDPR (performance of a contract).
Privacy policy: dhl.de
Asendia
For light international shipments (typically up to 2 kg) I use Asendia Germany GmbH, Niederlassung Köln, Konrad-Zuse-Platz 11, 53227 Bonn, Germany. The same delivery data as for DHL is transmitted. Legal basis: Art. 6 (1) (b) GDPR.
Privacy policy: asendia.com/privacy-policy
8. Email Delivery (Resend)
Transactional and marketing emails (order confirmations, shipping notifications, withdrawal confirmations, cart-abandonment reminders, newsletter campaigns, wholesale-related emails, gift card delivery) are sent via Resend Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA. Your email address and the relevant message content are processed by Resend on my behalf under a data processing agreement (Art. 28 GDPR). Data may be transferred to the USA on the basis of EU Standard Contractual Clauses (Art. 46 GDPR).
Resend stores limited delivery metadata (timestamps, delivery status, message ID) for diagnostics. Use is based on Art. 6 (1) (b) GDPR (transactional mails) and Art. 6 (1) (a) GDPR (newsletter, see below).
Privacy policy: resend.com/legal/privacy-policy
9. Newsletter
If you would like to receive my newsletter, I need your email address and confirmation that you consent to receiving it. The newsletter uses a double-opt-in procedure: after signing up you receive a confirmation email and must click the confirmation link before being added to the active list. The legal basis is your consent under Art. 6 (1) (a) GDPR.
I store your email address, the date and time of your subscription and confirmation, and (when applicable) the list type (general newsletter or wholesale partners) until you unsubscribe. Each newsletter contains an unsubscribe link; alternatively you can revoke your consent at any time by emailing me. Revocation does not affect the legality of processing already carried out.
The newsletter may contain links with tracking parameters used purely for attribution of clicks within campaign-level statistics; no individual user profiles are created.
10. Wholesale (B2B) Registration
When you apply for wholesale access, I collect the following data: company name, contact name, email, billing address, country, and (for EU companies outside Germany) your VAT identification number. I verify the validity of the VAT ID through the European Commission's VIES service (free, read-only). VIES processes the VAT ID and country code only; no personal data is stored by VIES on my behalf.
Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures and contract performance) and Art. 6 (1) (c) GDPR (legal obligation to verify VAT ID for intra-EU B2B transactions).
11. Cart Abandonment Reminders
If you start a checkout while logged in, or enter your email during checkout, and do not complete the order, I may send you up to two reminder emails (typically a few hours and ~24 hours later) with a link to resume your cart. For logged-in customers this is based on Art. 6 (1) (f) GDPR (legitimate interest in completing initiated transactions); for first-time guest checkouts this is treated as the same legitimate interest in line with § 7 (3) UWG. You can object to these reminders at any time by replying to the email or by contacting me at the address above. Each reminder also contains an unsubscribe link.
12. Online Withdrawal Process
When you submit a withdrawal request through the online withdrawal form, I collect and process the following personal data:
- Your name
- Your email address
- Your order number
- Reason for withdrawal (if voluntarily provided)
This data is processed solely for the purpose of handling your withdrawal request in accordance with your statutory right of withdrawal (Art. 6 (1) (b) GDPR — performance of a contract, and Art. 6 (1) (c) GDPR — legal obligation). I store this data for the duration required by commercial and tax law retention periods. Upon submission you receive an automated confirmation email (sent via Resend, see section 8).
13. Scheduled Tasks (QStash)
For internal scheduling of operational tasks (e.g. activating or deactivating sales at a specific time, triggering cart-abandonment reminders) I use Upstash QStash (Upstash, Inc., 651 N Broad St, Suite 206, Middletown, DE 19709, USA; EU region). The payloads contain only internal identifiers (e.g. product ID, cart ID), not your personal data. Data may be transferred to the USA on the basis of EU Standard Contractual Clauses. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in reliable shop operations).
14. Error Reporting
When an unexpected technical error occurs in the website or backend, an automated diagnostic email is sent to me via Resend. This email may include the URL of the affected page, error details, browser information, and — if you are logged in — your user ID and email address, so I can reproduce and fix the problem. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in IT security and the operability of the shop). The reports are deleted as soon as the analysis is complete.
Last updated: 9 May 2026
