Privacy policy
Last updated: January 2, 2026
General overview
Welcome to our website at www.decofunplay.com. We appreciate your interest in our company and take the protection of your personal data very seriously. Your privacy matters a lot to us, and we want you to feel confident about how we manage your personal data. Whether you are just browsing or collaborating with us as a business partner, we treat your information with care and respect. This Privacy Policy applies to all online offerings provided by DecoFunPlay GmbH, including our website, subsidiary domains, and our official social media profiles.
This privacy policy is designed especially for our business-to-business relationships. It covers details like your name, business contact information, and company data such as VAT numbers and IP addresses. Even though this is business-related, we protect it just like personal data, following the rules set out by the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
We are committed to processing your data responsibly and keeping it confidential. In this policy, we explain what kinds of personal data we collect, why we collect it, and the legal reasons we are allowed to use it. We also let you know if we ever need to share your data with third parties, and most importantly, we outline your rights under data protection laws and how you can exercise them.
"Personal data" is any information relating to an identified or identifiable person (Art. 4 No. 1 GDPR). This includes information such as a name, address, email address, or even IP addresses and location data that can be combined to identify a person.
Data Controller and Data Protection Officer (DPO):
The responsible party for data processing on this Website is:
DecoFunPlay GmbH
Legal Representative: Peter Magnus Tyrén
Address: Alter Wall 32, 20457 Hamburg
Email: data-protection@decofunplay.com
Phone: +49 (0) 4080 9031 9112
For any questions regarding data protection in connection with our products or the use of our website, you can contact our data protection officer at any time. We expressly point out that when using this email address, the content will not be exclusively viewed by our data protection officer.
Your Rights as a Data Subject Under the GDPR
We care deeply about your privacy and want you to feel confident and in control of your personal data. Under the General Data Protection Regulation (GDPR), you have several important rights—outlined in Articles 15 to 22—that help you decide how your data is used.
1. Right of Access (Art. 15 GDPR)
You can request confirmation of whether we process your personal data and receive a copy of that data.
2. Right to Rectification (Art. 16 GDPR)
If your data is inaccurate or incomplete, you can ask us to correct it.
3. Right to Erasure (Art. 17 GDPR)
You may request deletion of your data if it is no longer necessary for the purposes we collected it.
4. Right to Restriction of Processing (Art. 18 GDPR)
You can ask us to limit processing, for example, if you contest the accuracy of your data or object to its use.
5. Right to Data Portability (Art. 20 GDPR)
You have the right to receive your data in a structured, machine-readable format and transfer it to another provider.
6. Right to Object (Art. 21 GDPR)
You may object to processing based on legitimate interests or for direct marketing purposes.
7. Right to Withdraw Consent (Art. 7 (3) GDPR)
If you have given consent for data processing, you can withdraw it at any time. This will not affect any processing that occurred before your withdrawal.
8. Right to Lodge a Complaint (Art. 77 GDPR)
If you believe your data protection rights have been violated, you can file a complaint with your local data protection authority.
If you’d like to exercise any of these rights, ask questions, or withdraw your consent, just reach out to us at: data-protection@decofunplay.com. We will respond within one month (extendable by two months for complex requests under Art. 12(3) GDPR). Withdrawing consent will not affect prior processing but may limit service access.
Your Right to Object
You have the right to object to how your data is being used in two key situations:
1. Direct Marketing (Art. 6 (1) (f) GDPR)
If we are using your data for marketing or related profiling, you can opt out anytime—no explanation needed. Once you do, we will stop using your data for those purposes.
2. Legitimate Interests (Art. 6 (1) (f) GDPR)
If we are processing your data to support our business interests, you can object based on your personal situation. We will carefully review your request and only continue if there are strong legal reasons that outweigh your concerns.
For direct marketing, you have the right to object to this data processing at any time without giving reasons via data-protection@decofunplay.com. For legitimate interests, please provide your reasons, and we will assess and respond promptly.
Purposes and Legal Bases for Data Processing (Art. 6 (1) (a), (b) and (f) GDPR)
We want to be transparent about how and why we use your personal data. Everything we do is in line with the EU’s General Data Protection Regulation (GDPR), the Telecommunications and Telemedia Data Protection Act (TTDSG), and other relevant data protection laws. The primary legal basis for processing is Article 6 of the GDPR, which permits processing for the following purposes:
We use your personal data to:
- Verify business credentials and ensure compliance with applicable laws.
- Communicate with business contacts to manage contracts and transactions.
- Provide customer service and support.
- Send marketing communications.
- Secure our systems against unauthorized access or cyberattacks.
If your consent involves special categories of personal data (as defined in Art. 9(1) GDPR), we will clearly explain the implications and ensure lawful processing only when necessary and justified. You can opt out of marketing communications at any time.
Legitimate Interests (Art. 6 (1) (f) GDPR)
We also process data when it is in our legitimate interest to do so, including:
- Verifying VAT numbers or business credentials during a transaction.
- Conducting tailored marketing campaigns based on prior interactions to maintain and strengthen business relationships.
- Securing our IT systems against unauthorized access, malware, and cyberattacks.
- Preventing fraud and ensuring compliance with anti-money laundering laws.
We always aim to strike a fair balance between our business needs and your privacy rights.
Disclosure to Third Parties
We never sell or rent your personal data. We only share your information under the following conditions:
- With your consent
- When required by law (e.g., regulatory authorities or law enforcement)
- With trusted service providers who support our operations (e.g., Shopify, Business Central)
Internally, only authorized personnel who need your data to fulfill contractual or legal duties will access it.
Externally, we may share data with:
- Shipping providers for order fulfillment (DPD)
- Payment processors for secure transactions
- IT and analytics providers for website functionality and performance
- Credit check agencies, where applicable
All our service providers follow strict data protection agreements and manage your information in full compliance with the GDPR.
Recipients of the Data / Categories of Recipients
Within our company, we ensure that only those people who need your data to fulfill contractual and legal obligations receive it. In many cases, service providers support our departments in fulfilling their tasks. These service providers assist with tasks such as credit checks, data analysis, order fulfillment, etc. The necessary data protection agreements have been concluded with all service providers.
To process shipping orders with DPD, the recipient’s name, address, telephone number, and email address are recorded. This data is forwarded to DPD for shipping purposes. Once the data is submitted, the recipient will receive a shipping confirmation email from DPD with shipment tracking information.
All our service providers follow strict data protection agreements and manage your information in full compliance with the GDPR.
International Data Transfers
Data will only be transferred to third countries (outside the European Union or the European Economic Area) if this is technically necessary, required to perform the contractual relationship, required by law, or if you have given us your consent. Please note that this consent concerns data processing outside the EU/EEA. For example, your data may be processed in the USA, where the EU level of data protection cannot currently be guaranteed due to access by authorities, a lack of legal remedies, and limited data subject rights. These transfers are based on:
- Adequacy decisions by the European Commission
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Additional safeguards such as encryption and access controls
Third country transfer to Google
If you have given us your consent to use Google services (see Conversion Tracking and Remarketing with Google Ads (Art. 6 (1) (a) EU GDPR), we will transmit data to Google. The data will be transmitted as part of order processing on the basis of the standard data protection clauses, please click the following link for more information: https://privacy.google.com/businesses/processorterms/mccs/.
Third country transfer to Shopify
We use Shopify as our payment processor. In the course of providing its services, Shopify may process your personal data in the United States and other jurisdictions outside the European Economic Area (EEA).
Transfers to Shopify are carried out in accordance with Art. 46 GDPR, which provide appropriate safeguards for international data transfers. please click the following link for more information:
https://www.shopify.com/de/legal/privacy/app-users
Credit Check
Under certain circumstances, we reserve the right to obtain identity and credit information from specialized service providers. We conduct credit checks when necessary to assess whether a user is creditworthy and likely to fulfill purchase agreements concluded with us. This assessment is based on our legitimate interest in minimizing financial risk, which constitutes a lawful basis for data processing under Art. 6(1)(f) GDPR.
You may request a copy of these safeguards by contacting: data-protection@decofunplay.com
Data Retention Policy
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations. This includes obligations under the EU GDPR, the German Commercial Code, and the German Fiscal Code.
Typical Retention Periods:
- Your order history is kept for up to 7 years to meet accounting and tax obligations.
- Contact form submissions are stored for up to 1 year after our last conversation.
- Analytics data has been retained for up to 2 years to help us improve your experience on our website.
We may retain data beyond these periods under the conditions below:
- If you have given us explicit consent
- In the event of legal disputes, data may be needed as evidence within statutory limitation periods (typically 3 years, but up to 30 years in exceptional cases)
Once the relevant retention period expires, your data will be securely deleted via anonymization or erasure. For questions or requests regarding data retention and deletion, please contact us at:
data-protection@decofunplay.com
Data Breach Notifications
We take data security seriously, but if something ever goes wrong and your personal data is compromised, we will act quickly. As required by Article 33 of the GDPR, we will notify the appropriate supervisory authority within 72 hours. If the breach could seriously affect your rights or freedoms, we will also reach out to you directly without delay to let you know what happened and what steps we are taking.
For questions or concerns, please contact us at: data-protection@decofunplay.com.
Website Hosting and Create Log Files
Our site is hosted by Shopify Inc., with a DPA (Art. 28). When you visit our website, we automatically collect and store data related to your usage. This includes your IP address, geo-location information, the URLs you visit, the duration of your stay, the operating system and browser you use, and the volume of data transferred. We process this information to detect unauthorized access attempts, particularly those made by bots, which have become increasingly common. Without this data, we would be unable to properly analyze user behavior or ensure a secure and optimized shopping experience.
The collection of this data is essential to maintain the availability and functionality of our website. It also allows us to anonymously analyze and evaluate how users interact with our services, helping us to continuously improve and develop our offerings. More detailed information about the technologies used for this purpose can be found in the sections about cookies below.
Your IP address is stored in log files only for a limited period, strictly as long as necessary to ensure security. To further protect your privacy, we hash your IP address, which means it is anonymized and cannot be traced back to your specific connection or device.
Registration / Customer Account (Art. 6 (1) (a) and (b) GDPR)
Some parts of our website are reserved just for registered users. Since we are a B2B company, we collect details related to business contacts and representatives. This includes your first and last name, company name and registration info, business address, email, phone number, VAT number, and billing details.
Creating an account makes your experience smoother. You will be able to place orders faster, view your order history, manage your addresses, and track your purchases with ease.
When you register, we will also save your IP address along with the date and time of registration. Your password is encrypted and completely hidden. If you ever forget it, just use the “Forgot your password” link. And please, never share your password with us. You’re always free to update or delete your account anytime by heading to “My Account” or email to: data-protection@decofunplay.com.
We treat all this data with the same level of care as personal data under the GDPR, especially when it relates to identifiable individuals. Everything we collect is used strictly for business purposes like fulfilling orders, managing your account, and staying compliant with legal requirements.
Shopping and Order Processing (Art. 6 (1) (a) and (b) GDPR)
When you place an order, we collect the essentials: your name, billing and delivery addresses, email address, and payment details. Your payment info is handled securely by trusted payment processors (e.g., Shopify), and we only share your name and address with our shipping partner to ensure your order gets to you safely.
Cookies and Privacy Preferences
When you visit our website for the first time, you will see a cookie banner asking for your permission to use non-essential cookies. This is part of our commitment to privacy and follows the rules of the TTDSG. We use a compliant Cookie Consent Management Platform (CMP). You can change your cookie settings anytime by clicking the “Cookie Preferences” link at the bottom of our site or adjusting your browser settings.
Types of Cookies we use:
· Essential Cookies
These keep our website running smoothly, helping with things like shopping carts, secure logins, and navigation. These are active only during your session and do not require your consent.
· Analytics Cookies
These help us understand how people use our site so we can make it better. They are stored for up to 6 months.
· Marketing Cookies
These allow us to show you personalized ads and promotional content based on your interests. They remain active for up to 12 months.
Please note: if you block certain cookies, some parts of our website might not work as well, and you might miss out on some features.
Children’s Data Protection (Art. 8 GDPR)
Our website and services are designed for adults. We do not knowingly collect personal data from children. If you are under 16, please note that parental consent is required and kindly contact us for verification.
If we ever discover that we have accidentally collected data from a child, we will delete it right away. We also encourage parents and guardians to stay involved in their children’s online activities. If you believe your child has submitted personal data to us, please contact us at data-protection@decofunplay.com to request a review or deletion of the data.
Complaints
If you have concerns about how we process your personal data, you have the right to file a complaint with the supervisory authority. In Germany, you can contact HmbBfDI or any EU supervisory authorities.
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI)
Ludwig-Erhard-Str 22, 7. OG, 20459 Hamburg
Phone: +49 (0) 4042 8544 040
Email: mailbox@datenschutz.hamburg.de