Privacy policy
Information on the protection of your personal data
1. Privacy at a glance
General information
The following notes provide a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally.
Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. You can find their contact details in the legal notice on this website.
How do we collect your data?
Some of your data is collected when you provide it to us. This may be data that you enter into a contact form, for example. Other data is collected automatically or with your consent by our IT systems when you visit the website. This is mainly technical data (e.g. internet browser, operating system or time of page access).
What do we use your data for?
Some of the data is collected to ensure the website is provided without errors. Other data may be used to analyse your user behaviour.
2. Controller
The controller for data processing on this website is:
CHUMOTION Physiotherapie
Leopoldstraße 42
80802 München
Deutschland
Phone: +49 89 1234 5678
Email: info@chumotion.de
3. Hosting
We host the contents of our website with external providers.
The personal data collected on this website is stored on the servers of the host. This may include IP addresses, contact requests, meta and communication data, contract data, contact data, names, website accesses and other data generated via a website.
External hosting takes place for the purpose of contract fulfilment with our potential and existing customers (Art. 6 (1) lit. b GDPR) and in the interest of secure, fast and efficient provision of our online offering by a professional provider (Art. 6 (1) lit. f GDPR).
4. Data collection on this website
Server log files
The provider of the pages automatically collects and stores, in so-called server log files, information that your browser automatically transmits to us. These are:
- Browser type and browser version
- Operating system used
- Referrer URL
- Hostname of the accessing computer
- Time of the server request
- IP address
This data is not merged with other data sources.
Contact form
If you send us enquiries via the contact form, your details from the enquiry form including the contact data you provide there will be stored by us for the purpose of processing the enquiry and for follow-up questions. We do not pass on this data without your consent.
Enquiry by email
If you contact us by email, your enquiry including all personal data resulting from it (name, enquiry) will be stored and processed by us for the purpose of processing your concern. We do not pass on this data without your consent.
Registration on this website
You can create a customer account on this website to place orders, store addresses and view your order history. When you register, we collect the following data:
- Email address (mandatory — used as login)
- Password (stored hashed with bcrypt; never visible to us in plain text)
- First and last name (optional)
- For business customers additionally: company name, VAT ID, company address, company phone
- Language preference (for transactional emails)
Double opt-in: after signing up you receive an email with a confirmation link. Your email address counts as verified only after you click it. The confirmation token is valid for 24 hours.
Automatic customer-record linkage: For each account we internally create a customer record (debtor container) that ties together later orders, addresses and payment terms. For private customers this container is not publicly visible.
Consent evidence: we store the timestamp of your terms acceptance (termsAcceptedAt) as well as the version of the terms and the privacy policy in force at that time (termsVersion, privacyVersion), so that the wording in effect can be proved in case of dispute (Art. 7 (1) GDPR).
5. Cookies and local storage
We use strictly necessary cookies and equivalent local storage (e.g. browser localStorage). These are required exclusively to provide the shop functions (e.g. cart, login, saved addresses) and are only set by your active use — no consent is required under § 25 (2) (2) TDDDG.
Additionally, with your consent we collect anonymised usage data (see section 8). A complete list of the local storage entries used, with their purpose and retention, can be found in our cookie settings.
We use the following categories:
- Required storage: For cart, login, favourites, shipping defaults and storing your cookie choice. Only set as a result of your active interaction.
- Analytics: Anonymised click and order events on our own servers — no Google Analytics, no transfer to third parties. Details in section 8.
We store your consent with a version number and a timestamp. If the cookie statement changes or 12 months elapse, you will be asked again.
6. E-commerce and payment providers
Processing of customer and contract data
We collect, process and use personal customer and contract data for the purpose of establishing, structuring and amending our contractual relationships. This includes delivery and billing address, contact data, order positions, quantities and prices, as well as — for business customers — VAT ID and company data (Art. 6 (1) (b) GDPR).
Evidence of contract conclusion
With every order we additionally store the timestamp of your express terms acceptance (termsAcceptedAt), the version of the terms (termsVersion) and — for consumers — the version of the right of withdrawal notice (withdrawalInfoVersion). These fields serve as evidence under § 312j BGB and Art. 7 (1) GDPR.
Retention periods
We retain order data and invoices for the statutory retention periods: 10 years for invoices and accounting documents (§ 147 (1) (1), (4) AO), 6 years for commercial letters (§ 257 HGB). After expiry the data is deleted, provided no statutory obstacles apply.
Transfer of data on conclusion of contract
We only transfer personal data to third parties if necessary for contract processing — e.g. to the shipping service provider (name + delivery address) or to the payment service provider you have chosen.
Payment services
We offer payment by bank transfer (prepayment), purchase on invoice and — if activated — Stripe (credit card, SEPA, Klarna, Apple Pay, Google Pay) and PayPal. For online payments your payment data is processed directly by the respective payment service provider; we only receive the status of the transaction. The privacy notices of the payment service providers apply in addition.
7. Newsletter
If you subscribe to our newsletter, we need your email address and, optionally, your first and last name. Sign-up uses the double opt-in procedure: you first receive a confirmation email; only after you click the link in it are you added to the mailing list. The confirmation link is valid for 72 hours; if it is not confirmed, we automatically delete the entry.
To prove your consent (Art. 7 (1) GDPR) we log: sign-up timestamp, IP address, user agent, version of the consent text (consentTextVersion) and the timestamp of confirmation. This data is not publicly visible and is only used as evidence in case of complaints.
You can revoke your newsletter consent at any time via the unsubscribe link in every newsletter email. After revocation we keep your email address on an internal suppression list for up to 12 months (Art. 17 (3) (e) GDPR) so that you are not accidentally contacted again. After that the record is fully deleted.
Confirmation and newsletter emails are sent through Resend (for the third-country notice, see section 9). A daily clean-up job removes unconfirmed sign-ups and records whose consent was revoked more than 12 months ago.
You can request a complete copy of the data stored for your newsletter sign-up or its immediate deletion at any time: Start newsletter data request. The request is verified via a confirmation link; the action is then carried out automatically.
8. First-party web analytics
With your consent (cookie banner category "Analytics") we record anonymised click, search and order events to improve the shop. The following data is processed in particular: session identifier (sessionId), event type (e.g. product view, add to cart, search, order), product identifier, browser, device type, language.
Your IP address is hashed with a daily-rotating salt before storage and is no longer traceable to you afterwards. Processing takes place exclusively on our own servers; no transfer to Google Analytics, Meta, TikTok or any other third-party services takes place.
Raw data is automatically deleted after 90 days (clean-up job running daily); aggregated statistics remain in pseudonymised form and cannot be linked back to individuals.
Legal basis: consent under Art. 6 (1) (a) GDPR and § 25 (1) TDDDG. You can revoke your consent at any time via the cookie settings; no further events will then be recorded.
9. Transfer to processors
We do not transfer your data to third parties for purposes other than those listed here. We disclose data when:
- You have given your express consent
- Processing is necessary to perform a contract with you
- Processing is necessary to fulfil a legal obligation (e.g. accounting, tax law)
- Processing is necessary to protect legitimate interests
We use the following processors (Art. 28 GDPR):
- Resend Inc., USA — transactional emails and newsletter. Transfer to the USA on the basis of standard contractual clauses (Art. 46 (2) (c) GDPR). Data processed: email address, recipient name, email content.
- Stripe Payments Europe Ltd., Ireland — payment processing (if activated) for credit card, SEPA, Klarna, Apple Pay, Google Pay. Data processed: payment token, amount, order number; no full card data stored on our side.
- PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg — payment processing (if activated). Data processed: PayPal order ID, amount, recipient address.
- Shipping providers (e.g. UPS, DHL) — delivery of orders. Data processed: recipient name, delivery address, phone number for delivery notifications if applicable.
10. Your rights
You have the following rights with regard to your personal data:
- Right of access (Art. 15 GDPR) — You can request information about your personal data processed by us.
- Right of rectification (Art. 16 GDPR) — You can request the correction of incorrect data.
- Right of erasure (Art. 17 GDPR) — You can request the deletion of your data, provided no retention obligations apply.
- Right of restriction (Art. 18 GDPR) — You can request the restriction of processing.
- Right of data portability (Art. 20 GDPR) — You can receive your data in a structured, commonly used, machine-readable format.
- Right of objection (Art. 21 GDPR) — You can object to the processing of your data, in particular if based on legitimate interests.
A self-service option for data access and deletion is available for newsletter data. For all other requests, please contact us using the contact details in the imprint.
You also have the right to lodge a complaint about the processing of your data with a data protection supervisory authority. The competent authority for us is the Bavarian Data Protection Authority (BayLDA), Promenade 18, 91522 Ansbach, Germany.
Validity and changes to this privacy policy
This privacy policy is currently valid and dated 25 May 2026. Due to the further development of our website and offers or due to changed legal or official requirements, it may become necessary to amend this privacy policy.