Privacy Policy

As of November 2025

1. Responsible person

The controller responsible for data processing on this website is:

Benedict Menges OS
Friedrich-Ebert-Straße 54
04109 Leipzig
Germany

Telephone: 0176 62680289
Email: info@narrabelle.com
Website: www.narrabelle.com

2. General information on data processing

We process personal data only to the extent necessary for the provision of this website, for the fulfillment of contractual or pre-contractual obligations, for the optimization of our offer, or based on your consent.

Legal bases within the meaning of the GDPR include in particular:

Article 6 paragraph 1 letter a GDPR – Consent
Article 6 paragraph 1 letter b GDPR – Contract performance / pre-contractual measures
Article 6(1)(c) GDPR – legal obligation
Article 6 paragraph 1 letter f GDPR – legitimate interest

Our legitimate interests include, for example, the secure and efficient provision of this website, the analysis of website usage, and the economic marketing of our services.

3. Hosting and provisioning of the website (Shopify)

This website is powered by the Shopify e-commerce platform. The provider is:

Shopify International Limited
Victoria Buildings, 1-2 Haddington Road
Dublin 4, D04 XN32
Ireland

Shopify provides the technical infrastructure, the shop system, payment processing (if used), content management, and various security features. Shopify processes, among other things:

IP address
Date and time of access
Browser type and version
Operating system used
Referrer URL
visited pages / products
possibly further technical data

The processing is based on Art. 6 para. 1 lit. f GDPR (legitimate interest in a professional, secure and scalable provision of the website) and – insofar as orders, customer accounts and communication processes are concerned – Art. 6 para. 1 lit. b GDPR (performance of a contract).

Shopify may use sub-processors and Content Delivery Networks (CDNs) to provide the service, including servers located outside the EU (e.g., Canada, USA). Standard contractual clauses issued by the EU Commission are generally used to ensure an adequate level of data protection.

Further information: see Shopify's privacy policy at
https://www.shopify.com/de/legal/datenschutz

4. Use of cookies and consent management

We use cookies and similar technologies on our website.

Technically necessary cookies :
These are required to provide the basic functions of the website (e.g. shopping cart, login, language selection, security).
Legal basis: Art. 6 para. 1 lit. f GDPR or, in the case of contract fulfillment , lit. b .
Statistics, marketing and convenience cookies (e.g. GA4, marketing pixels, embedded media):
We will only use these if you have given your prior consent.
Legal basis: Art. 6 para. 1 lit. a GDPR .

Consent Management Tool

We use a consent management tool (GDPR/Privacy app in Shopify) to manage consents. This tool:

The website displays a cookie banner on your first visit.
It documents whether and for what you have consented,
It allows you to adjust or revoke your settings at any time.

The following data, among others, is processed:

IP address (shortened where possible)
Consent status and timestamp
Browser information and language
possibly an anonymous ID

The legal basis is Art. 6 para. 1 lit. c GDPR (legal obligation to provide proof of consent) in conjunction with Art. 6 para. 1 lit. f GDPR (efficient management of consent).

You can change your cookie settings at any time via the relevant link/switch ("Cookie settings" or similar) at the bottom of the page or in the banner menu.

5. Server log files

When you visit our website, Shopify and/or our web server automatically collect and store information in so-called server log files. This includes, for example:

IP address
Date and time of the request
URL accessed
Referrer URL
Browser type/version
operating system

This data is processed for security reasons (e.g. to detect attacks, misuse, fraud) and to ensure the stable operation of the website.

Legal basis: Art. 6 para. 1 lit. f GDPR .
The log files are usually automatically deleted after a reasonable period of time, unless further retention is required for evidentiary purposes.

6. Local fonts (web fonts)

We use fonts that are stored directly on our Shopify server or in our shop instance. Therefore, when our pages are accessed , no connection is established to external font servers (e.g., Google Fonts CDN).

Data processing is limited to standard browser communication with our server. The legal basis is Article 6(1)(f) GDPR (uniform and appealing presentation of our online services).

7. Contact (contact form / email)

If you contact us via contact form or email at info@narrabelle.com When you contact us, we process the data you provide, e.g.:

name
E-mail address
Message text
possibly other voluntarily submitted information

Purpose: Processing your request, answering questions, possibly initiating a contractual relationship.
Legal basis: Art. 6 para. 1 lit. b GDPR (pre-contractual measures) or Art. 6 para. 1 lit. f GDPR (our interest in efficient communication).

This data will only be stored for as long as is necessary to process your request or as required by statutory retention periods.

8. Newsletter / email communication via Brevo

We use the Brevo service (Sendinblue GmbH) for sending newsletters and certain email campaigns:

Sendinblue GmbH
Köpenicker Straße 126
10179 Berlin
Germany

Subscribe to the newsletter

When you subscribe to our newsletter, we process in particular:

E-mail address
(if applicable) Name
Date and time of registration
IP address at the time of registration (documentation of the double opt-in)

We use the double opt-in procedure for shipping:
After registering, you will receive an email in which you must confirm your registration. Only then will your address be added to the mailing list.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent).

You can withdraw your consent at any time, e.g. via the unsubscribe link in the newsletter or by email to us. The lawfulness of the processing carried out until the withdrawal remains unaffected.

Newsletter tracking

Brevo allows us to perform statistical analyses (e.g., whether an email was opened or a link clicked). This can be done using tracking pixels or tracking links.

This analysis is carried out to improve the content of our newsletter and better tailor it to the interests of our subscribers. The legal basis for this is your consent to receive the newsletter in accordance with Article 6(1)(a) of the GDPR .

Further information:
https://www.brevo.com/de/legal/privacypolicy/

Brevo also processes some personal data in third countries. Appropriate safeguards (e.g., standard contractual clauses) are used to ensure an adequate level of data protection.

9. Google Tag Manager

We use Google Tag Manager to centrally manage scripts and services (e.g., Google Analytics, marketing pixels) via a single interface. The provider is:

Google Ireland Limited
Gordon House, Barrow Street
Dublin 4
Ireland

The Tag Manager itself does not create user profiles or perform any analysis. It merely triggers other tags . In doing so, technical data such as IP address, browser information, and timestamps may be collected and transmitted to Google.

Legal basis:

For technically necessary tags: Art. 6 para. 1 lit. f GDPR
For statistics and marketing tags: Your consent according to Art. 6 para. 1 lit. a GDPR via our consent tool.

More information:
https://policies.google.com/privacy

10. Google Analytics 4

We use Google Analytics 4 (GA4) to analyze the use of our website. Provider:

Google Ireland Limited
Gordon House, Barrow Street
Dublin 4
Ireland

Type of data

Google Analytics records, among other things:

IP address (usually shortened/anonymized)
Browser and device information
operating system
Source of origin (referrer)
Pages visited, time spent on the site
Interactions (e.g., clicks, scrolling, purchases, form completions)

We have configured Google Analytics to shorten IP addresses within the EU (IP anonymization). Google uses this information on our behalf to evaluate website usage, compile reports, and help us optimize our services.

Legal basis

Google Analytics is only activated after you have given your consent via the cookie banner. The legal basis is Art. 6 para. 1 lit. a GDPR .

You can withdraw your consent at any time for the future by adjusting your cookie settings via the banner or the corresponding link.

Third country transfer

Google may transfer data to the USA or other third countries. Standard contractual clauses are generally used for this purpose. Further information:
https://policies.google.com/privacy
https://policies.google.com/technologies/partner-sites

11. Google reCAPTCHA v3

To protect our forms from abuse and spam, we use Google reCAPTCHA v3 . Provider:

Google Ireland Limited
Gordon House, Barrow Street
Dublin 4
Ireland

reCAPTCHA analyzes the behavior of website visitors based on various characteristics (e.g., mouse movements, time spent on the page, and possibly cookies). This analysis begins automatically as soon as you load the page where reCAPTCHA is integrated.

Purpose: To distinguish between human and automated input (bots), to protect our systems and forms.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in the protection and security of our website).

Data may be transferred to Google servers in the USA. Further information:
https://policies.google.com/privacy
https://www.google.com/recaptcha/intro/

12. Meta Pixels (Facebook & Instagram)

We use the Meta Pixel to better control and measure advertising campaigns on Facebook and Instagram. Provider:

Meta Platforms Ireland Limited
4 Grand Canal Square
Grand Canal Harbour
Dublin 2
Ireland

The pixel enables Meta to identify visitors to our website as a target group for advertisements (so-called Custom Audiences) and to measure conversions (e.g. purchases or form completions that take place after clicking on an ad).

Data processed includes, among other things:

IP address
browser used
Referrer URL
Interactions on the website (e.g. page views, purchases)
Facebook/Instagram ID (if you are logged in)

The meta pixel will only be loaded after you have given your consent via the cookie banner.
Legal basis: Art. 6 para. 1 lit. a GDPR .

Meta may transfer data to the USA or other third countries. Meta's standard contractual clauses apply. Further information:
https://www.facebook.com/privacy/policy

You can also opt out of personalized advertising in your Facebook/Instagram account.

13th Pinterest Day

We use the Pinterest tag to measure the effectiveness of Pinterest campaigns and to target our advertising more effectively. Provider:

Pinterest Europe Ltd.
Palmerston House, 2nd Floor
Fenian Street
Dublin 2
Ireland

The following are processed, among other things:

IP address
Device information
Referrer URL
Pages accessed and actions performed (e.g., "Add to Cart", "Purchase")

The Pinterest tag will only be activated after you give your consent via the cookie banner.
Legal basis: Art. 6 para. 1 lit. a GDPR .

More information:
https://policy.pinterest.com/de/privacy-policy

14. TikTok Pixel

We use the TikTok Pixel to measure and optimize conversions and target audiences for advertising campaigns on TikTok. Provider:

TikTok Technology Limited
10 Earlsfort Terrace
Dublin, D02 T380
Ireland

The pixel captures, among other things:

IP address
Device information
Referrer URL
Website usage (e.g., viewed products, purchases)
Possibly your TikTok ID, if you are logged in.

The TikTok Pixel will only be activated if you agree via the cookie banner.
Legal basis: Art. 6 para. 1 lit. a GDPR .

TikTok may transfer data to third countries. More information:
https://www.tiktok.com/legal/page/eea/privacy-policy/de

15. YouTube videos

We embed YouTube videos on our website. Provider:

Google Ireland Limited
Gordon House, Barrow Street
Dublin 4
Ireland

The integration usually takes place in enhanced privacy mode , if available. However, when playing a video, a connection to YouTube servers may be established and data such as:

IP address
Device data
Referrer URL
page accessed
Possibly YouTube/Google login

be transmitted to YouTube.

Depending on your cookie settings, additional cookies may be set for statistical and marketing purposes.
The legal basis is your consent pursuant to Art. 6 para. 1 lit. a GDPR , given via the cookie banner or by explicitly playing the video (depending on the implementation).

More information:
https://policies.google.com/privacy

16. Social media profiles (Facebook, Instagram, Pinterest, TikTok)

We maintain public profiles on various social networks (e.g., Facebook, Instagram, Pinterest, TikTok). When you visit our profiles there, the privacy policies of the respective platform operators apply.

Data processing on our profiles is carried out, for example, for communication with visitors, for answering messages and comments, and for evaluating reach statistics (insights).

Legal basis: Art. 6 para. 1 lit. f GDPR (our interest in a modern external presentation and communication).

Further details:

Meta (Facebook/Instagram): https://www.facebook.com/privacy/policy
Pinterest: https://policy.pinterest.com/de/privacy-policy
TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/de

17. Storage duration

We only store personal data for as long as it is necessary for the respective purposes or as required by legal retention obligations.

Contract and billing data: according to commercial and tax law requirements (usually 6–10 years)
Newsletter data: until you withdraw your consent
Log files: usually a few weeks, unless further storage is necessary for evidentiary purposes.
Cookies: according to the duration specified in the cookie banner

The data will then be deleted or anonymized.

18. Your rights as a data subject

Within the framework of the legal provisions, you have the following rights:

Right of access (Art. 15 GDPR)
Right to rectification (Art. 16 GDPR)
Right to erasure (Art. 17 GDPR)
Right to restriction of processing (Art. 18 GDPR)
Right to data portability (Art. 20 GDPR)
Right to object to certain processing activities (Art. 21 GDPR)
Right to withdraw consent (Art. 7 para. 3 GDPR)

You can contact us at any time to exercise your rights:

Email: info@narrabelle.com

Right to lodge a complaint with a supervisory authority

You also have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR.

The following person is usually responsible for us:

Saxon Data Protection Commissioner
Devrientstrasse 5
01067 Dresden
Germany

https://www.datenschutz.sachsen.de

19. No automated decision-making

We do not use exclusively automated decision-making within the meaning of Article 22 GDPR that has legal effect on you or similarly significantly affects you.