B2B
Search
CART(0)

Currently, your bag is empty.

Privacy policy

Introduction and Controller

This Privacy Policy applies to the website of Lupine Lighting Systems GmbH at lupinelights.com. We process personal data exclusively in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications Digital Services Data Protection Act (TDDDG).

Lupine Lighting Systems GmbH
Im Zwiesel 9
92318 Neumarkt
Germany
E-mail: info@lupinelights.com

Categories of Personal Data

When you visit and use our website, we process the following categories of personal data:

  • IP address and device information
  • Browser, access, and usage data
  • Contact details, for example name, e-mail address, postal address, and telephone number
  • Order and payment data, for example billing address, delivery address, and purchase history
  • Communication content, for example entries made via the contact form or by e-mail
  • Consent preferences, for example cookie and consent settings
  • Conversion and interaction data within the scope of analytics and advertising services
  • Hashed identifiers, where processed within the scope of enhanced conversions or customer match and following granted consent

We process personal data for the following purposes and on the basis of the following legal bases:

  • Provision, security, and technical optimization of the website
    Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
  • Processing of orders and performance of contracts
    Legal basis: Art. 6(1)(b) GDPR
  • Responding to inquiries and communication
    Legal basis: Art. 6(1)(b), (f) or (a) GDPR (depending on the context)
  • Fulfillment of legal obligations
    Legal basis: Art. 6(1)(c) GDPR
  • Web analytics, reach measurement, conversion measurement, remarketing
    Legal basis: Art. 6(1)(a) GDPR in conjunction with § 25 TDDDG (consent)
  • Assertion, exercise, or defense of legal claims
    Legal basis: Art. 6(1)(f) GDPR

Cookies and Tracking Technologies

We use cookies and similar technologies on our website. Insofar as information is stored on or read from your device in the process, this is done on the basis of § 25 TDDDG.

  • Technically necessary technologies are strictly required for the operation of the website, shopping cart functions, security, load balancing, or the management of your consents and are used without consent.
  • Analytics, marketing, and personalization technologies are used exclusively on the basis of your express consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25 TDDDG.

You can adjust or withdraw your consent at any time with effect for the future via our consent management tool. The lawfulness of the processing carried out up to the withdrawal remains unaffected.

Cookiebot (Consent Management)

We use the consent management tool "Cookiebot" to obtain, manage, and document your consents to the storage of cookies as well as to the use of certain technologies. Cookiebot sets a technically necessary cookie to store your consent preferences and to enable proof of granted or withdrawn consents.

Within the scope of using Cookiebot, in particular your IP address, information about your browser and device, the time of your declaration of consent, and your consent ID may be processed.

Legal basis:
Art. 6(1)(c) GDPR (fulfillment of legal obligations) as well as Art. 6(1)(f) GDPR (legitimate interest in a legally compliant consent management)

Provider:
Usercentrics A/S
Havnegade 39
1058 Kopenhagen
Dänemark
https://www.cookiebot.com/de/privacy-policy/

Third-Party Services Used

Withdrawal button (Revoq)

Within the scope of the electronic exercise of the right of withdrawal via the function provided in our online shop ("withdrawal button"), we process personal data that is necessary for processing the declaration. This includes in particular your name, your contact information, and details of the relevant contract (e.g. order number).

The processing is carried out on the basis of Art. 6(1)(b) GDPR for the purpose of carrying out the withdrawal and the associated communication. The data is stored only for as long as is necessary for processing the withdrawal and complying with statutory retention obligations.

To provide the withdrawal function, we use the service Revoq from the provider BuschBytes (Hofstraße 2–4, 51061 Köln, Germany). The processing is carried out on our behalf on the basis of a data processing agreement pursuant to Art. 28 GDPR. The data is hosted exclusively on servers within the European Union (Germany, the Netherlands, Ireland); no transfer to third countries takes place.

Google Tag Manager

We use Google Tag Manager for the technical management and delivery of website tags. Google Tag Manager itself does not set any cookies and does not process personal data for its own purposes. It merely ensures that other tags and scripts are loaded. Services requiring consent are only activated in accordance with your consent settings.

Provider:
Google Ireland Limited
Gordon House, Barrow Street
Dublin 4, Irland
https://policies.google.com/privacy

Google Analytics 4

We use Google Analytics 4 for the statistical evaluation of the use of our website. In this process, pages visited, device information, interactions, and approximate location data may be recorded. The IP address is anonymized before storage; IP anonymization is enabled by default. Data may be stored on servers in the USA. Google has submitted to the EU Standard Contractual Clauses and is certified under the EU-US Data Privacy Framework.

Legal basis:
Art. 6(1)(a) GDPR in conjunction with § 25 TDDDG (consent)

Provider:
Google Ireland Limited
Gordon House, Barrow Street
Dublin 4, Irland
https://policies.google.com/privacy

Opt-out:
https://tools.google.com/dlpage/gaoptout

Google Ads – Conversion Tracking and Remarketing

We use Google Ads to draw attention to products and offers as well as to measure the effectiveness of advertising measures. Through conversion tracking, it is recorded whether a defined action, for example a purchase, was carried out after a click on an advertisement. With remarketing, interest-based advertising may be displayed to users on other websites of the Google network.

Legal basis:
Art. 6(1)(a) GDPR in conjunction with § 25 TDDDG (consent)

Provider:
Google Ireland Limited
Gordon House, Barrow Street
Dublin 4, Irland
https://policies.google.com/privacy

Google Ads – Enhanced Conversions

Insofar as you have consented, we use the "Enhanced Conversions" function within the scope of Google Ads. In this process, data provided by you during an order or inquiry, for example e-mail address, name, address, or telephone number, is unilaterally hashed (SHA-256) before being transmitted to Google. The hashed data serves to more accurately attribute conversions to advertisements.

Legal basis:
Art. 6(1)(a) GDPR in conjunction with § 25 TDDDG (consent)

Provider:
Google Ireland Limited
Gordon House, Barrow Street
Dublin 4, Irland
https://policies.google.com/privacy

Google Ads – Customer Match

Insofar as we use this function and you have consented, we transmit e-mail addresses in hashed form to Google in order to specifically address existing customers in Google services or to exclude them from campaigns. The data is used exclusively for audience building.

Legal basis:
Art. 6(1)(a) GDPR (consent)

Provider:
Google Ireland Limited
Gordon House, Barrow Street
Dublin 4, Irland
https://policies.google.com/privacy

Microsoft Advertising (UET)

We use Microsoft Advertising with Universal Event Tracking (UET) to analyze the use of our website after a click on a Microsoft advertisement, to measure conversions, and to build remarketing audiences.

Legal basis:
Art. 6(1)(a) GDPR in conjunction with § 25 TDDDG (consent)

Provider:
Microsoft Ireland Operations Limited
One Microsoft Place
South County Business Park, Leopardstown
Dublin 18, Irland
https://privacy.microsoft.com/de-de/privacystatement

Microsoft Advertising – Enhanced Conversions

Insofar as this function is enabled, first-party data such as e-mail address or telephone number may be processed within the scope of Microsoft Advertising in encrypted, i.e. hashed form, in order to record conversions more accurately.

Legal basis:
Art. 6(1)(a) GDPR in conjunction with § 25 TDDDG (consent)

Provider:
Microsoft Ireland Operations Limited
One Microsoft Place
South County Business Park, Leopardstown
Dublin 18, Irland
https://privacy.microsoft.com/de-de/privacystatement

Microsoft Clarity

We use Microsoft Clarity to analyze usage behavior on our website. In this process, behavioral metrics, heatmaps, and session replays are used to analyze how users interact with the website. Clicks, scrolling behavior, mouse movements, page views, technical errors, as well as content of DOM elements may be recorded. Privacy-sensitive content is masked in the process.

We have concluded a data processing agreement (DPA) with Microsoft Clarity pursuant to Art. 28 GDPR.

Legal basis:
Art. 6(1)(a) GDPR in conjunction with § 25 TDDDG (consent)

Provider:
Microsoft Ireland Operations Limited
One Microsoft Place
South County Business Park, Leopardstown
Dublin 18, Irland
https://privacy.microsoft.com/de-de/privacystatement

Server-Side Tagging (Server-Side Tracking)

Insofar as we use server-side tagging, tracking requests are first processed via a server controlled by us and subsequently – depending on the configuration – forwarded to connected analytics and advertising platforms. This enables a more privacy-compliant delivery of tracking data, as the direct communication between the browser and third-party providers is reduced.

For server-side hosting we use Stape. We have concluded a data processing agreement (DPA) with Stape pursuant to Art. 28 GDPR.

Legal basis:
Art. 6(1)(a) GDPR in conjunction with § 25 TDDDG (consent)

Provider (Hosting):
Stape Europe OÜ
Harju maakond, Tallinn, Lasnamäe linnaosa
Sepapaja tn 6, 15551
Estland
https://stape.io/eu-privacy-notice

ClickCease – Click Fraud Prevention

We use ClickCease to detect and reduce invalid clicks (click fraud / ad fraud) on our advertisements. In this process, technical information and usage data, including IP addresses, click data, and device information, are processed in order to identify and exclude suspicious access.

Since ClickCease is based in Israel, which has an EU adequacy decision, there is a suitable basis for the third-country transfer. We have concluded a data processing agreement with ClickCease.

Legal basis:
Art. 6(1)(a) GDPR in conjunction with § 25 TDDDG (consent)

Provider:
Cheq Ai Technologies (2018) Ltd dba ClickCease.com
HaArba'a St 18
Tel Aviv-Yafo
Israel
https://clickcease.com/privacy.html

Embedded Content and Social Plugins

Insofar as embedded content or plugins from external providers are used on our website, the retrieval of this content may result in the processing of personal data, in particular the IP address and technical usage data, by the respective provider. Use only takes place insofar as the respective integration is technically necessary or you have consented.

Vimeo

Insofar as we embed videos from Vimeo, your browser establishes a connection to Vimeo servers when playing them. In this process, IP address, browser information, and usage data may be processed.

Provider:
Vimeo, Inc.
555 West 18th Street
New York, NY 10011
USA
https://vimeo.com/privacy

YouTube

Insofar as we embed YouTube videos, your browser establishes a connection to Google servers when playing them. Where possible, we use the extended data protection mode, which triggers data storage by YouTube only upon active playback of the video.

Provider:
Google Ireland Limited
Gordon House, Barrow Street
Dublin 4, Irland
https://policies.google.com/privacy

Google Maps

Insofar as we embed Google Maps map material, your browser establishes a connection to Google servers. In this process, IP address, location reference, and usage data may be processed.

Provider:
Google Ireland Limited
Gordon House, Barrow Street
Dublin 4, Irland
https://policies.google.com/privacy

Meta (Facebook) Plugins

Insofar as we embed social plugins or other content from Meta services, a connection to Meta servers may be established when retrieving this content. In this process, IP address, browser information, and interaction data may be processed.

Provider:
Meta Platforms Ireland Limited
4 Grand Canal Square
Dublin 2
Irland
https://facebook.com/privacy/policy

Data Transfers to Third Countries

When using individual services, in particular Google, Microsoft, Meta, Vimeo, Stape, or ClickCease, personal data may be transferred to countries outside the European Economic Area (EEA), in particular to the USA.

Insofar as no adequacy decision of the EU Commission exists, we base third-country transfers on appropriate safeguards, in particular on the Standard Contractual Clauses of the European Commission pursuant to Art. 46(2)(c) GDPR, supplemented by necessary technical and organizational protective measures.

Providers certified under the EU-US Data Privacy Framework (DPF), for example Google LLC or Microsoft Corporation, may transfer data to the USA on the basis of the adequacy decision of the European Commission of 10 July 2023.

Retention Periods

We store personal data only for as long as is necessary for the respective processing purposes or as long as legal retention obligations exist.

  • Order and transaction data (invoices, payment receipts): 10 years pursuant to § 147 AO, § 257 HGB
  • Communication data (e-mails, contact form entries): 3 years after completion of the communication, unless longer retention is required
  • User data from customer accounts: until deletion of the account or a legitimate deletion request, plus an appropriate transition period
  • Marketing consent and withdrawal records: for the duration of statutory limitation periods to demonstrate compliance
  • Cookie and consent records: in accordance with legal requirements and technically necessary proof periods

After expiry of the respective period, data is deleted or anonymized, insofar as no legal retention obligation or legitimate interests in retention preclude this.

Your Rights as a Data Subject

You have the following rights vis-à-vis us pursuant to the GDPR:

  • Right of access (Art. 15 GDPR): You can request information about the data stored about you.
  • Right to rectification (Art. 16 GDPR): You can request the correction of inaccurate data or the completion of incomplete data.
  • Right to erasure (Art. 17 GDPR): You can request the erasure of your data, insofar as no legal retention obligations preclude this.
  • Right to restriction of processing (Art. 18 GDPR): Under certain conditions, you can request the restriction of processing.
  • Right to data portability (Art. 20 GDPR): You can request the release of your data in a structured, machine-readable format.
  • Right to object (Art. 21 GDPR): You can object to processing based on legitimate interests at any time. In the case of objection to direct marketing, processing will be discontinued without further review.
  • Right to withdraw consent (Art. 7(3) GDPR): You can withdraw a granted consent at any time with effect for the future, without the lawfulness of the processing carried out until then being affected.

To exercise your rights, you can contact:

Lupine Lighting Systems GmbH
Im Zwiesel 9
92318 Neumarkt
Germany
E-mail: info@lupinelights.com

Right to Lodge a Complaint with the Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged data protection infringement (Art. 77 GDPR).

Supervisory authority responsible for our company:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
https://www.baylda.de

Changes to This Privacy Policy

We reserve the right to adjust this Privacy Policy with effect for the future, in particular in the event of changes to our website, the use of new technologies, or changes to the legal framework. We recommend reviewing this policy regularly. The respective current version is available on our website.

Last updated: 14 April 2026