Privacy Policy

Privacy Policy

1. Controller

The controller in the sense of the General Data Protection Regulation (GDPR) is:

Stern Performance Parts UG (haftungsbeschränkt)
Lentföhrdener Straße 27
24640 Schmalfeld
Germany
Represented by the Managing Director Kevin Pazukow
Phone: +49 176 61927918
Email: mail@sternperformance.de

2. Data Protection Officer

A data protection officer is not required by law. For questions regarding data protection, please contact the controller using the contact details provided above.

3. General Information on Data Processing

We generally process personal data of our users only to the extent necessary for the provision of a functional website as well as our content and services. The processing of personal data of our users regularly occurs only with the user's consent. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by legal regulations.

Insofar as consent from the data subject is obtained for processing operations of personal data, Art. 6 para. 1 lit. a GDPR serves as the legal basis. When processing personal data required for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. Insofar as processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis. If processing is necessary to protect a legitimate interest of our company or a third party, and the interests, fundamental rights, and freedoms of the data subject do not override the former interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for processing.

4. Hosting via Shopify

Our online shop is hosted by Shopify International Limited, Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland (hereinafter "Shopify"). When you access our online shop, personal data (in particular IP address, browser type, operating system, referrer URL, time of request) is processed in server log files. This processing is necessary to deliver the website, ensure its functionality and security. The legal basis is Art. 6 para. 1 lit. f GDPR (legitimate interest in stable and secure operation of the website).

Shopify may transfer personal data to countries outside the EU, in particular to the parent company Shopify Inc., 150 Elgin Street, Ottawa, Ontario, Canada, as well as to sub-processors in the USA. For data transfer to Canada, an adequacy decision by the European Commission exists. For data transfers to the USA, Shopify relies on the EU-US Data Privacy Framework and, where necessary, on standard contractual clauses of the European Commission in accordance with Art. 46 para. 2 lit. c GDPR. We have concluded a data processing agreement (Data Processing Addendum) with Shopify. Further information can be found in Shopify's privacy policy at https://www.shopify.com/legal/privacy.

5. Server Log Files

When you access our website, information is automatically stored in so-called server log files, which your browser transmits to Shopify as a hosting service provider. These are:

  • IP address of the requesting computer
  • Date and time of access
  • Name and URL of the retrieved file
  • Amount of data transferred
  • Message whether the retrieval was successful
  • Identification data of the browser and operating system used
  • Referrer URL (the previously visited page)

The legal basis is Art. 6 para. 1 lit. f GDPR. The data is collected to ensure a trouble-free connection to the website, to guarantee user-friendliness, to evaluate system security and stability, and for other administrative purposes. The log files are deleted as soon as they are no longer required for these purposes, but at the latest after seven days. Storage beyond this period is possible; in this case, the IP addresses of the users are deleted or anonymized so that assignment to the calling client is no longer possible.

6. Cookies and Consent Management with Keksly

Our website uses cookies and similar technologies (e.g., data stored in the browser). A cookie is a small text file that is placed on your device when you visit our website. Cookies serve, among other things, to store the shopping cart, account login, language settings, and your consent preferences.

For managing your consent, we use the Consent Management Platform (CMP) Keksly. The Keksly scripts are delivered via Shopify's Content Delivery Network and executed in your browser upon the first visit to our website. Through the Keksly consent banner, you can give, refuse, or subsequently adjust your consent to the individual cookie categories. Your decision will be stored for a limited period in a technically necessary cookie as well as in your browser's local storage.

We distinguish the following services and categories:

  • Necessary: Absolutely essential for the operation of the shop (e.g., shopping cart, login, language selection, consent storage). These are set without consent (legal basis Art. 6 para. 1 lit. b and lit. f GDPR, § 25 para. 2 no. 2 TDDDG).
  • Statistics (Shopify Analytics, Google Analytics 4): Allow us to anonymously analyze the use of our shop to improve performance. Requires your consent.
  • Usage Analysis (Contentsquare/Hotjar): Pseudonymized recording of clicks, scrolling and mouse movements, as well as heatmaps for optimizing usability. Texts are masked by default. Requires your consent.
  • Instagram Feed: Embedding of the Instagram feed on individual pages of our shop. Loads content and cookies from instagram.com (Meta Platforms Ireland Limited). Requires your consent.
  • TikTok Feed: Embedding of the TikTok feed on individual pages of our shop. Loads content and cookies from tiktok.com (TikTok Technology Limited). Requires your consent.
  • Marketing: Can be used in the future for personalizing advertising, for retargeting, and conversion tracking. Requires your consent.

Cookies and tracking technologies requiring consent will only be loaded after your active consent in the Keksly banner. The legal basis for this is Art. 6 para. 1 lit. a GDPR in conjunction with § 25 para. 1 TDDDG (Telecommunications and Digital Services Data Protection Act).

You can revoke or adjust your consent at any time by accessing the cookie settings via the link "Cookie Settings" in the footer of our website. Additionally, you can generally prevent the setting of cookies or delete already set cookies through your browser settings.

7. Processing in the Context of Order Fulfillment

When you place an order, we process the data you provide at checkout (in particular, name, address, email address, telephone number, payment data, order data) for the purpose of contract execution (order processing, payment processing, shipping, customer communication). The legal basis is Art. 6 para. 1 lit. b GDPR. Insofar as a legal retention obligation exists (in particular commercial and tax law obligations according to §§ 147 AO, 257 HGB), we store the data for the duration of the respective retention period (usually ten years) on the basis of Art. 6 para. 1 lit. c GDPR.

8. Customer Account

In our shop, you have the option to set up a customer account. Your data will be stored in the customer account according to the functions provided by Shopify (in particular Shopify Customer Accounts) to facilitate future orders and provide an overview of your order history. Registration is done either traditionally with a password or via a one-time link sent by email (so-called "Magic Link"). Setting up and using the customer account is voluntary. The legal basis is Art. 6 para. 1 lit. b GDPR. You can have your customer account deleted at any time by contacting us by email. Legal retention obligations remain unaffected.

9. Contact Form and Email Contact

You can communicate your concerns to us via the contact form provided on our website or by sending an email to us. We process the data you provide (in particular name, email address, and content of your message) exclusively for processing your inquiry. The legal basis for an inquiry aimed at concluding or executing a contract is Art. 6 para. 1 lit. b GDPR; otherwise, Art. 6 para. 1 lit. f GDPR (legitimate interest in responding to inquiries). Your inquiry and the communication exchanged for it will be deleted as soon as they are no longer required for processing, unless there are legal retention obligations preventing deletion.

10. Payment Service Providers

10.1 Shopify Payments

For payment by credit card, Apple Pay, or Google Pay, processing is handled by Shopify Payments, provided by Shopify International Payments Limited, Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, Ireland. Shopify uses the services of the payment service provider Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Dublin 2, Ireland, for this purpose. The data entered during payment processing (e.g., card number, validity, security code, name of the cardholder) are transmitted directly to the payment service provider and processed exclusively by them. The transfer of your data is for the purpose of contract fulfillment based on Art. 6 para. 1 lit. b GDPR. Further information can be found in the privacy policies of Shopify and Stripe at https://www.shopify.com/legal/privacy and https://stripe.com/de/privacy.

10.2 PayPal

For payment via PayPal, processing is handled by PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg. The transfer of your data (name, email address, billing address, phone number, order and payment data) takes place for the purpose of payment processing based on Art. 6 para. 1 lit. b GDPR. Further information can be found in PayPal's privacy policy at https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

10.3 Klarna

If you choose a payment method from Klarna (Sofortüberweisung, invoice purchase, installment purchase), payment processing is handled by Klarna Bank AB (publ.), Sveavägen 46, 111 34 Stockholm, Sweden. To check your identity and creditworthiness, Klarna performs a credit check for invoice purchase and installment purchase payment methods based on mathematical-statistical procedures; for this, Klarna transmits data to credit agencies. Further information on the credit agencies used and data processing by Klarna can be found in Klarna's privacy policy at https://www.klarna.com/de/datenschutz/. The transfer of your data to Klarna is for payment processing and – for invoice and installment purchases – for credit assessment; the legal basis is Art. 6 para. 1 lit. b and lit. f GDPR (legitimate interest in secure processing and risk minimization for advance payments).

10.4 SEPA Bank Transfer (Prepayment)

For prepayment by SEPA bank transfer, we process the payment data you provide (in particular name, purpose of transfer, transfer amount) as well as the information transmitted to us by the bank for payment processing on the basis of Art. 6 para. 1 lit. b GDPR.

11. Shipping Processing with DHL

To deliver your order, we transmit your delivery data (name, delivery address, if applicable email address or telephone number for shipment notification) to DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn. This data transfer takes place for the performance of the contract on the basis of Art. 6 para. 1 lit. b GDPR. If you provide your email address for a shipping notification, the transfer takes place on the basis of your consent according to Art. 6 para. 1 lit. a GDPR. Further information on data protection at DHL can be found at https://www.dhl.de/de/privatkunden/footer/datenschutzerklaerung.html.

12. Accounting with Lexware Office

For accounting and the creation of tax-relevant documents, we transmit order data (in particular billing and delivery address, order items, payment data, and invoice amounts) to the accounting software Lexware Office, operated by Haufe Service Center GmbH, Munzinger Straße 9, 79111 Freiburg, Germany. The data transfer takes place automatically via an official Shopify app integration. The legal basis for the processing is Art. 6 para. 1 lit. c GDPR in conjunction with § 147 AO and § 257 HGB (commercial and tax retention obligations). We have concluded a data processing agreement with the provider in accordance with Art. 28 GDPR. Further information on data protection can be found at https://www.lexware.de/datenschutz/.

13. Shopify's Own Analysis (only with consent)

As the shop operator, Shopify provides us with analysis functions that include information about page views, orders, conversion rates, and other key figures. This data is processed in aggregated form and serves us for evaluating and improving our offering. If cookies or similar technologies that are not strictly necessary are used for this purpose, processing will only take place after your consent in the Keksly banner. The legal basis is Art. 6 para. 1 lit. a GDPR in conjunction with § 25 para. 1 TDDDG.

14. Web Analysis with Google Analytics 4 (only with consent)

If you have consented to the "Statistics" category in the Keksly banner, we use Google Analytics 4, a web analysis service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter "Google"). Google Analytics uses cookies and similar technologies that enable an analysis of your use of our shop. The information generated by the cookie about your use of this shop (including your truncated IP address) is transmitted to a Google server in Europe and stored there; a transfer to servers in the USA by Google cannot be ruled out. We have activated IP anonymization, so your IP address will be truncated by Google within the EU or EEA beforehand. Google will use this information on our behalf to evaluate your use of the shop, compile reports on website activities, and provide us with other services related to website use.

We use Google Consent Mode v2: Without your consent, no cookies or pseudonymous identifiers are set; in this case, Google only receives aggregated, non-personal signals (so-called "cookieless pings"). Full data collection is only enabled with your consent in the Keksly banner.

The legal basis is your consent according to Art. 6 para. 1 lit. a GDPR in conjunction with § 25 para. 1 TDDDG. We have concluded a data processing agreement with Google. Google is also certified under the EU-US Data Privacy Framework, so a transfer to the USA is supported on this basis. Standard contractual clauses are agreed as an additional protective measure. Further information can be found in Google's privacy policy at https://policies.google.com/privacy.

15. Usage Analysis with Contentsquare (Hotjar) (only with consent)

If you have consented to the "Usage Analysis (Contentsquare)" category in the Keksly banner, we use the service Hotjar, a web analysis service of Hotjar Ltd., Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta (Hotjar belongs to the Contentsquare SAS group of companies, 7 Rue de Madrid, 75008 Paris, France; hereinafter jointly "Contentsquare").

Contentsquare helps us to better understand the use of our shop by evaluating click, scroll, and mouse movements, as well as page views, in the form of pseudonymized heatmaps and session recordings. For this purpose, the following data is processed in particular:

  • Device and browser information (device type, screen size, browser, operating system, language setting)
  • Truncated IP address (Hotjar stores IP addresses exclusively anonymized)
  • Visited URLs as well as dwell time and sequence of page views
  • Mouse pointer movements, clicks, and scrolling behavior
  • A pseudonymous user ID stored in a cookie on your device

We have configured Contentsquare so that all texts (product information, form entries, search fields) are masked by default and not recorded ("Mask only text"). Entries with personal references such as email addresses, credit card numbers, and keyboard inputs are additionally automatically anonymized by Contentsquare. Images and media files may still be visible in pseudonymous recordings, provided they do not contain personal data. It is generally not possible for Contentsquare to identify individual users through this.

Data processing by Contentsquare takes place on servers within the European Union (Ireland). Transfers to third countries do not generally occur; insofar as sub-processors located in third countries are involved, standard contractual clauses of the European Commission in accordance with Art. 46 (2) lit. c GDPR are agreed as safeguards. We have concluded a data processing agreement with Hotjar Ltd. in accordance with Art. 28 GDPR.

The legal basis is your consent according to Art. 6 (1) lit. a GDPR in conjunction with § 25 (1) TDDDG. You can revoke your consent at any time by accessing the cookie settings in the footer of our website and deselecting the category "Usage Analysis (Contentsquare)".

The data collected by Contentsquare is automatically deleted after 365 days. Further information on data protection at Contentsquare/Hotjar can be found in Hotjar's privacy policy at https://www.hotjar.com/legal/policies/privacy/ and in Contentsquare's general Privacy Statement at https://contentsquare.com/privacy-and-security-policies/.

16. Integration of social network content (only with consent)

16.1 Instagram Feed Integration

On individual pages of our shop, we integrate the Instagram feed of our profile. This is provided via a Shopify app, which reloads content directly from the servers of Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (hereinafter "Instagram"). When the corresponding page is accessed, personal data (in particular IP address, browser information, possibly cookies) is transmitted to Instagram. If you are logged in to Instagram, Instagram can assign the page view to your user profile.

The integration only takes place after your consent in the Keksly banner (category "Instagram Feed"). The legal basis is Art. 6 (1) lit. a GDPR in conjunction with § 25 (1) TDDDG. A data transfer to the USA cannot be ruled out; Meta is certified under the EU-US Data Privacy Framework. Further information can be found in Instagram's data protection notices at https://privacycenter.instagram.com/policy.

16.2 TikTok Feed Integration

On individual pages of our shop, we integrate the TikTok feed of our profile. This is provided via a Shopify app, which reloads content directly from the servers of TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (hereinafter "TikTok"). When the corresponding page is accessed, personal data (in particular IP address, browser information, possibly cookies) is transmitted to TikTok. If you are logged in to TikTok, TikTok can assign the page view to your user profile.

The integration only takes place after your consent in the Keksly banner (category "TikTok Feed"). The legal basis is Art. 6 (1) lit. a GDPR in conjunction with § 25 (1) TDDDG. TikTok may transfer data to affiliated companies outside the EU, particularly to the United Kingdom, Singapore, and the People's Republic of China; as safeguards, standard contractual clauses of the European Commission in accordance with Art. 46 (2) lit. c GDPR are agreed. Further information can be found in TikTok's data protection notices at https://www.tiktok.com/legal/page/eea/privacy-policy/de-DE.

17. Social Media Profiles (pure linking)

On our website, we link to our presences on the following social networks in the form of icons or buttons:

  • Instagram, operated by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland
  • Facebook, operated by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland
  • TikTok, operated by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland

These icons are purely links (so-called link-only solutions); no plugins from the respective providers are integrated via these icons. Data is only transferred to the providers when you click on the corresponding link and are redirected to the respective platform. The respective provider is responsible for data processing on the platforms after clicking on the link. Information on how your data is handled can be found in the privacy policies of the respective providers:

18. Data Transfer to Third Countries

Some of the processing operations described above involve a transfer of data to third countries, particularly to the USA. The bases for these data transfers are:

  • Insofar as the recipient is certified under the EU-US Data Privacy Framework (which is currently the case particularly for Shopify, Google and Meta), the transfer is based on the adequacy decision of the European Commission of July 10, 2023, in accordance with Art. 45 GDPR.
  • Additionally and subsidiarily, standard contractual clauses of the European Commission in accordance with Art. 46 (2) lit. c GDPR are agreed with the aforementioned service providers.
  • The transfer to Canada (Shopify Inc.) is based on the adequacy decision of the European Commission for Canada according to Art. 45 GDPR.

Further information on the respective safeguards can be requested from us at any time.

19. Storage Duration

Personal data is stored only as long as it is necessary to achieve the respective processing purposes. Insofar as legal retention obligations exist (especially under HGB and AO), the relevant data will be stored for the duration of the respective retention period and then deleted or anonymized. Data from web analysis and marketing services will be deleted or anonymized as soon as they are no longer required for the purposes of processing, but at the latest after the retention periods applicable to the respective services.

20. Your Rights as a Data Subject

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing (Art. 21 GDPR)
  • Right to withdraw consent at any time with effect for the future (Art. 7 (3) GDPR)

To exercise your rights, a simple notification to the contact details mentioned in Section 1 is sufficient.

21. Right to object to direct marketing

Insofar as we process your personal data for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling, insofar as it is related to such direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes (Art. 21 (2) and (3) GDPR).

22. Right to lodge a complaint with the supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, in accordance with Art. 77 GDPR. The competent supervisory authority for us is:

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
Holstenstraße 98
24103 Kiel
Telephone: +49 431 988-1200
E-mail: mail@datenschutzzentrum.de
Website: https://www.datenschutzzentrum.de

23. Data Security

Our website uses TLS/SSL encryption during page visits and when establishing a connection to servers. Payment processing via Shopify Payments and other payment service providers also takes place exclusively encrypted. We take appropriate technical and organizational measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.

24. Topicality and amendment of this privacy policy

This privacy policy is currently valid and was last updated on 12.05.2026. Due to the further development of our website and offerings or due to changed legal or official requirements, it may become necessary to amend this privacy policy. The current privacy policy can be accessed at any time on this page.

As of: 12.05.2026