Privacy Policy

Last updated: March 27, 2026


1. General Information and Principles
The protection of your personal data is a matter of great importance to us. We treat your personal data confidentially and in accordance with statutory data protection regulations—specifically the General Data Protection Regulation (GDPR), the Telecommunications and Telemedia Data Protection Act (TTDSG), and this Privacy Policy.
Various types of personal data are collected when you use our website. Personal data refers to any data that allows you to be personally identified—e.g., your name, address, email address, IP address, payment details, usage behavior, or location information. We collect and process data only to the extent necessary for the respective purposes (the principle of data minimization, Art. 5 Para. 1 lit. c GDPR). We do not engage in automated decision-making (including profiling within the meaning of Art. 22 GDPR) that produces legal effects concerning you.
This Privacy Policy explains what data we collect, how we use it, the legal basis for such processing, how long we retain the data, and what rights you have. By using our website, you consent to the processing of your data in accordance with this policy. If you do not agree to these terms, please refrain from using the website. We have drafted this policy based on Shopify guidelines and current EDPB guidelines (2026–2027 priorities: Transparency, Consent, AI, and Data Transfers).

2. Controller and Data Protection Officer
The Controller within the meaning of the GDPR is:
PonyCycle GmbH
Südring 8
63165 Mühlheim am Main
Germany
Represented by: Bo Chen
Email: shop@ponycycle.de (for general inquiries)
Phone: +49 175 5580708
Website: https://shopeu.ponycycle.com

We have not appointed a company Data Protection Officer (DPO). For inquiries regarding data protection matters, please contact us directly at datenschutz@ponycycle.de. We will process your inquiries free of charge and within one month. In cases of high volume, this period may be extended to two months, of which we will inform you.

3. Data Collection When Visiting the Website
When you access our website, information is automatically sent to our website's server by the browser used on your device. This information is temporarily stored in a so-called log file. The following information is collected automatically—without any action on your part—and stored until its automated deletion:
•   IP address of the requesting computer (anonymized by truncating the last octets),
•   Date and time of access,
•   Name and URL of the accessed file,
•   Website from which access is initiated (referrer URL),
•   Browser used and, where applicable, the operating system of your computer, as well as the name of your access provider,
•   Device information (e.g., model, screen size).
Purpose: To ensure a smooth connection setup, to facilitate convenient use of the website, to evaluate system security and stability, and for administrative purposes (e.g., fraud detection).
Legal Basis: Art. 6 Para. 1 lit. f GDPR (legitimate interest). Our legitimate interest prevails, as the processing is carried out in an anonymized form, making it impossible to draw any conclusions regarding your identity.
Retention Period: We delete personal data as soon as the purpose for which it was processed ceases to exist, provided that no statutory retention obligations preclude such deletion.
In the context of an order placed in our webshop, we process personal data such as your name, address, email address, and telephone number, as well as payment details. Purpose of Processing: The processing is carried out for the purpose of executing and fulfilling the contract (ordering, shipping, payment, and invoicing). Legal Basis: Art. 6 Para. 1 lit. b GDPR (Contractual Performance).
The data is stored for as long as it is necessary to fulfill the contractual purpose. Furthermore, the data is retained in accordance with statutory retention obligations. Once the respective purpose ceases to exist—or following the expiration of statutory retention periods—the data is deleted, provided that no further statutory obligations or legitimate interests preclude such deletion.
If you create a customer account, we store the data contained therein for as long as the account remains active. Legal Basis: Art. 6 Para. 1 lit. b GDPR (Contractual Performance). Retention Period: The data is stored until you delete your customer account. Statutory retention obligations remain unaffected.
As a general rule, personal data is deleted as soon as the purpose for which it was processed ceases to exist, provided that no statutory retention obligations or legitimate interests (Art. 6 Para. 1 lit. f GDPR) preclude such deletion.

4. Hosting
We use Shopify (Shopify International Ltd., Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland) as the platform and hosting provider for our online shop. Shopify processes our personal data on our behalf. We have concluded a data processing agreement with this service provider to ensure the functionality, security, and stability of the website.
This includes technical data such as IP addresses, device and browser information, as well as—in the event of an order—contractual data (e.g., name, address, email, payment and order details).
Legal basis: Art. 6 para. 1 lit. b GDPR (performance of a contract) and Art. 6 para. 1 lit. f GDPR (legitimate interest in the secure and efficient operation of our online shop). Further information can be found in Shopify’s Privacy Policy.

5. Cookies and Consent Management
Our website uses cookies and similar technologies (e.g., Local Storage, pixels). Cookies are small text files that are stored on your device and contain information. We distinguish between:
•   Technically necessary cookies: For basic functions (e.g., shopping cart, session). Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest).
•   Analytics and marketing cookies: For statistics, personalization, and advertising (see Sections 6–7). Legal basis: Art. 6 para. 1 lit. a GDPR (consent).
We use a consent management tool that allows you to grant your consent to the use of cookies and similar technologies in a granular manner and to revoke it at any time.
You may revoke or adjust your consent at any time via the cookie settings on our website.
Absent your consent, generally only technically necessary cookies—which are required for the operation of the website—are deployed. For technically non-essential cookies, as well as analytics and marketing services, we obtain your consent via our consent management tool.
Detailed information regarding the cookies we use (including their purposes, providers, and retention periods) can be found directly in our cookie banner or in the cookie settings.

6. Web Analytics and Marketing Tools
a) Google Analytics 4
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics enables us to analyze the usage of our website and to optimize our services. In this process, personal data—such as IP address (truncated), user behavior, device information, and approximate location data—may be processed.
Use is based exclusively on your consent (Art. 6 para. 1 lit. a GDPR). You may revoke or adjust your consent at any time via the cookie settings on our website.
Further information can be found in Google’s Privacy Policy: https://policies.google.com/privacy
Further information regarding data transfers to third countries can be found in the section "10. International Data Transfers."
b) Meta Pixel (Facebook Pixel)
Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
With the help of the Meta Pixel, we can track user behavior after they have been redirected to our website by clicking on a Meta advertisement. This allows us to evaluate the effectiveness of our advertisements and to optimize our marketing measures (e.g., remarketing). In this process, personal data—such as user behavior and interactions (e.g., page views or events)—may be processed.
Use is based exclusively on your consent (Art. 6 para. 1 lit. a GDPR). You may revoke or adjust your consent at any time via the cookie settings on our website.
Further information can be found in Meta’s Privacy Policy: https://www.facebook.com/privacy/policy
Further information regarding data transfers to third countries can be found in the section "10. International Data Transfers."
c) Google Ads
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
We use Google Ads to display online advertisements and to measure the effectiveness of our advertising campaigns (conversion tracking and, where applicable, remarketing). In this process, personal data such as IP addresses, device information, and usage behavior may be processed.
This usage is based exclusively on your consent (Art. 6 para. 1 lit. a GDPR). You may revoke or adjust your consent at any time via the cookie settings on our website.
Further information can be found in Meta’s Privacy Policy: https://www.facebook.com/privacy/policy
Further information regarding data transfers to third countries can be found in the section "10. International Data Transfers."

7. Email Marketing
Provider: Klaviyo Inc., 125 Summer Street, Boston, MA 02111, USA.
When you subscribe to our newsletter, we process your email address as well as any other data you voluntarily provide (e.g., your name). In addition, technical data (e.g., IP address and timestamp) is recorded in order to document the double opt-in procedure.
Purpose of processing: Sending newsletters and—provided you have consented to this—analyzing user behavior (e.g., opens and clicks) to optimize our content.
Legal basis: Art. 6 para. 1 lit. a GDPR (Consent).
Revocation of consent: We store your data for the purpose of sending newsletters until you revoke your consent. You may revoke your consent to receive the newsletter at any time, without providing a reason. This can be done via the unsubscribe link located at the end of every newsletter. Upon unsubscribing, your email address will be immediately removed from our mailing list, provided that no statutory retention obligations or legitimate interests (e.g., the need to prove your prior consent) prevent this.
Further information can be found in Klaviyo’s Privacy Policy: https://www.klaviyo.com/legal/privacy-policy
Further information regarding data transfers to third countries can be found in the section "10. International Data Transfers."

8. Payment Providers
To process payments in our webshop, we utilize the following payment service providers:
•   PayPal: PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg. Further information: https://www.paypal.com/de/webapps/mpp/ua/privacy-full
•   Klarna: Klarna Bank AB, Sweden. Klarna processes data partly as an independent data controller (e.g., for credit checks). Further information: https://www.klarna.com/de/datenschutz/
•   Shopify Payments: Payment service provided by the Shopify platform; payment processing is carried out via third-party providers (e.g., Stripe Payments Europe Ltd., Ireland; further information: https://stripe.com/de/privacy).
Data processed: Name, address, contact information, and payment data (depending on the selected payment method). Purpose of processing: Processing of payments in the context of contract fulfillment. Legal basis: Art. 6 Para. 1 lit. b GDPR (contract fulfillment).
Retention period: The data is stored for as long as it is necessary for contract fulfillment and for compliance with statutory retention obligations (particularly under the German Commercial Code [HGB] and the German Fiscal Code [AO]). Upon expiration of the respective periods, the data is deleted, provided that no further statutory obligations or legitimate interests preclude such deletion.
Further information regarding data transfers to third countries can be found in the section "10. International Data Transfers."

9. Data Sharing
We share data only if:
•   You have given your consent (Art. 6 para. 1 lit. a GDPR),
•   It is necessary for the fulfillment of a contract (Art. 6 para. 1 lit. b GDPR; e.g., shipping service providers such as DHL),
•   It is required by law (Art. 6 para. 1 lit. c GDPR),
•   It is necessary for the defense of legal claims (Art. 6 para. 1 lit. f GDPR).
We use this data for advertising purposes only with your consent. Recipients: Hosting providers (Shopify), analytics tools, payment providers (see above). We conclude Data Processing Agreements (DPAs) with all processors (Art. 28 GDPR).

10. International Data Transfers
Insofar as personal data is transferred to third countries, we ensure—by means of appropriate safeguards—that an adequate level of data protection is guaranteed.
In the context of your use of our services and external providers (e.g., hosting, payment, analytics, or marketing services), personal data may be transferred to countries outside the European Union or the European Economic Area (third countries), particularly to the USA.
Transfers to the USA are carried out on the basis of Standard Contractual Clauses (SCCs) issued by the European Commission, as well as supplementary technical and organizational measures. Where applicable, additional assessments (e.g., Transfer Impact Assessments) are conducted.
These measures are intended to ensure that a level of data protection is guaranteed that is comparable to that within the EU.
We wish to point out that an equivalent level of data protection may not exist in third countries, and, in particular, access by government authorities cannot be ruled out. Further information can be found in the respective privacy policies of the service providers utilized.

11. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, or misuse. This includes, among other things, the encryption of data transmission using SSL/TLS. Our security measures are regularly reviewed and adjusted as necessary. Nevertheless, absolute data protection cannot be guaranteed, as security vulnerabilities on the Internet can, in principle, never be completely ruled out. In the event of a personal data breach, we will report it immediately to the competent supervisory authority and inform the affected individuals, insofar as required by law and provided that there is a high risk to their rights and freedoms.

12. Data Protection for Children
We do not knowingly collect data from persons under the age of 16. In the event of any suspicion, we will delete such data immediately. Parents may contact us. If consent is required for individuals under the age of 16, we will request parental consent.

13. Your Rights as a Data Subject
You have the following rights regarding the processing of your personal data:
•   Right of access to the data we process, the purposes of processing, the recipients, etc. (Art. 15 GDPR),
•   Right to rectification of inaccurate or incomplete data (Art. 16 GDPR),
•   Right to erasure (the "right to be forgotten," Art. 17 GDPR),
•   Right to restriction of processing (Art. 18 GDPR),
•   Notification obligation – We will communicate any rectification, erasure, or restriction of processing to all recipients to whom your data has been disclosed, and will inform you of these recipients upon request (Art. 19 GDPR),
•   Right to data portability – You have the right to receive your data in a commonly used, machine-readable format (Art. 20 GDPR),
•   Right to object to processing (Art. 21 GDPR),
•   Right to withdraw your consent – You may withdraw any consent you have granted at any time with effect for the future, without affecting the lawfulness of the processing carried out prior to such withdrawal (Art. 7 Para. 3 GDPR).
Exercising your rights: You may assert your rights at any time by sending an email to datenschutz@ponycycle.de. We reserve the right to request additional information should we have doubts regarding your identity. We will review your request and typically respond within one month (Art. 12 Para. 3 GDPR).

14. Right to Lodge a Complaint
You have the right to lodge a complaint with the supervisory authority (Art. 77 GDPR): The Hessian Commissioner for Data Protection and Freedom of Information (Der Hessische Beauftragte für Datenschutz und Informationsfreiheit), Postfach 3163, 65021 Wiesbaden, Germany. Website: https://datenschutz.hessen.de. Email: poststelle@datenschutz.hessen.de.

15. Changes to this Privacy Policy
We update this Privacy Policy as necessary—for instance, due to changes in the law or the introduction of new services and features.
The current version will be published on this website. Where required, we will also inform you via appropriate channels (e.g., by means of a notice on the website or via email to newsletter subscribers).
Please review this Privacy Policy at regular intervals to stay informed of any potential changes.
To the extent permitted by law, your continued use of the website following the entry into force of such changes shall constitute your acknowledgment of the updated version.