Privacy Policy
Below we inform you about the handling of your personal data (“data”) when visiting our website www.heikemucha.de (“website”). In detail:
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Heike Mucha
Behringstraße 44a
22763 Hamburg
Phone: +49 172427501
E-mail: leather@heikemucha.de
2. Personal Data
Personal data means any information relating to an identified or identifiable natural person (“data subject”). A person is considered identifiable if they can be identified directly or indirectly, in particular by reference to an identifier. Such identifiers may include, for example, a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
3. Purposes of Data Processing and Legal Bases
We are committed to complying with all applicable data protection regulations in handling the data of visitors to our website. We process data only to the extent necessary and legally permissible under data protection law, for example to enable the use of the website, to fulfill contractual purposes, or where you have consented to data processing. In detail:
3.1 Informational Use of the Website
You may visit our website without providing personal information. If you use our website solely for informational purposes and do not register, log in, or otherwise transmit information about yourself to us, we do not collect any personal data. An exception applies to data transmitted by your browser in order to enable your visit to the website.
3.2 Technical Provision of the Website
For the technical provision of the website, it is necessary for us to process certain automatically transmitted information so that your browser can display our website and you can use it. This information is automatically collected each time our website is accessed and stored in our server log files. This information relates to the computer system of the accessing device.
We collect the following information:
- IP address,
- Browser type/version (e.g. Internet Explorer 6.0),
- Browser language (e.g. German),
- Operating system used (e.g. Windows XP),
- Internal resolution of the browser window,
- Screen resolution,
- JavaScript activation,
- Java enabled/disabled,
- Color depth,
- Time of access.
Processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in improving the stability and functionality of our website. The data will not be disclosed or used for any other purpose.
We use a service provider for the hosting and provision of the website who processes your personal data while you browse. This provider performs its services itself or through selected subcontractors exclusively on servers within the European Union. We have concluded a data processing agreement with the provider that ensures the protection of our website visitors’ data and prohibits unauthorized disclosure to third parties.
3.3 Inquiries
In order to process and respond to inquiries that you send to us, for example via email, we process the data you provide in this context. This includes your name and email address so that we can respond to you, as well as any other information you provide as part of your message.
We process your data to respond to your inquiries on the following legal bases:
- If your contact request relates to a contract to which you are a party or to pre-contractual measures, the legal basis is Art. 6 para. 1 lit. b GDPR.
- To safeguard our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR; our legitimate interest lies in appropriately responding to customer inquiries.
3.4 Compliance with Legal Obligations
We also process your personal data in order to fulfill other legal obligations imposed on us by law or authorities in connection with your visit to our website and our business relationship. This includes in particular commercial, trade, or tax retention obligations as well as legal enforcement and criminal prosecution.
We process your personal data on the following legal basis: fulfillment of a legal obligation pursuant to Art. 6 para. 1 lit. c GDPR in conjunction with commercial, trade, or tax laws insofar as we are obliged to record and retain your data, as well as in conjunction with other applicable legal provisions or official orders (e.g. under criminal law).
3.5 Enforcement of Legal Claims
We also process your personal data in order to assert our rights and enforce legal claims. Likewise, we process your personal data in order to defend ourselves against legal claims. Finally, we process your personal data insofar as this is necessary to prevent or prosecute criminal offenses.
We process your personal data for these purposes on the following legal basis:
- To safeguard our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR, insofar as we assert legal claims, defend ourselves in legal disputes, or prevent or investigate criminal offenses.
4. Links
Some sections of our website contain links to third-party websites. These websites are subject to their own privacy policies. We are not responsible for their operation, including their data handling practices. If you send information to or through such third-party websites, you should review their privacy policies before providing them with information that can be associated with you.
5. Instagram (Social Media)
Privacy Policy for Our Instagram Presence
We operate a business profile on the Instagram platform in order to present our company and our products (leather goods) and to communicate with customers and interested parties.
5.1 Controller
The controller for data processing within the meaning of the General Data Protection Regulation (GDPR) is:
Controller pursuant to Section 5 DDG:
Heike Mucha
Behringstraße 44a, 22763 Hamburg
leather@heikemucha.de
Phone: +49 1724275071
5.2 Joint Responsibility
When visiting our Instagram profile, personal data is processed by Meta/Instagram. We have only limited influence over this data processing.
Instagram is operated in the EU by:
Meta Platforms Ireland Ltd.
4 Grand Canal Square
Grand Canal Harbour
Dublin 2
Ireland
For certain processing activities (particularly in connection with so-called “Instagram Insights”), joint controllership exists between us and Meta pursuant to Art. 26 GDPR.
5.3 Processing of Personal Data
When visiting our Instagram profile, Instagram processes, among other things:
- IP address
- Device information
- Interactions with our profile (likes, comments, messages)
- Profile information
- If applicable, additional usage data
If you communicate with us via Instagram (e.g. through direct messages), we process the data you provide for the purpose of:
- Processing your inquiry
- Customer communication
- Initiating or executing contracts
6. Recipients of the Data
Only those internal departments or organizational units, as well as other companies affiliated with us under corporate law, receive your data insofar as this is necessary to fulfill our contractual and legal obligations or where we require the data in the context of pursuing our legitimate interests.
Your personal data will only be disclosed or otherwise transferred to third parties if this is necessary for providing our services on the website, for contract execution, or for billing purposes. As part of order processing, the service providers we use (such as carriers, logistics providers, or banks) receive the necessary data for order and contract processing. The transmitted data may only be used by our service providers for fulfilling their respective tasks. Any other use of the information is not permitted and does not occur with any of the service providers commissioned by us.
The legal bases for these transfers are Art. 6 para. 1 lit. b and lit. f GDPR. Transfers based on Art. 6 para. 1 lit. f GDPR may only take place insofar as this is necessary to safeguard our legitimate interests or those of third parties and provided that the interests or fundamental rights and freedoms of the data subject requiring protection of personal data do not prevail.
Furthermore, your data may be disclosed to external recipients if we are obliged to provide information, report, or transfer data in order to comply with legal obligations, or to external service providers acting on our behalf as processors or performing functions for us (e.g. IT service providers, software providers, data centers, document destruction services, or courier services). Apart from this, we only disclose your data with your consent.
7. Transfer of Your Data to Third Countries
We do not transfer your personal data to countries outside the EU or to international organizations.
8. Storage of Data
8.1 Informational Use of the Website
When using our website solely for informational purposes, we store your data only for the duration of your visit to the website. Once you leave our website, your data is deleted immediately.
8.2 Processing of Data Outside the Website
If you contact us via email or telephone, we store your data for as long as necessary to respond to your inquiry. This also includes the initiation of a contract (pre-contractual relationship) and the execution of a contract. We store your data for the duration of the contractual relationship or until the respective purpose of processing no longer applies.
In addition, we store your personal data until the expiration of any legal claims arising from the relationship with you in order to use them as evidence if necessary. The limitation period is generally between 1 and 3 years but may also extend up to 30 years. Upon expiration of the limitation period, we delete your personal data unless a statutory retention obligation exists, for example under the German Commercial Code (§§ 238, 257 para. 4 HGB) or the German Fiscal Code (§ 147 para. 3, 4 AO). Such retention obligations may range from two to ten years.
9. Your Rights as a Data Subject
You may assert the rights listed below at any time against the entity named in Section 1.
9.1 Right of Access
Pursuant to Art. 15 GDPR, you are entitled at any time to obtain, free of charge, information about, among other things, the data we process about you, the purposes of processing, categories of recipients, the planned storage duration, or, in the case of transfers to third countries, the appropriate safeguards. You also have the right to receive a copy of your data.
9.2 Right to Rectification, Erasure, Restriction of Processing
If the data processed by us is inaccurate, incomplete, or unlawfully processed, you may request that we correct, supplement, restrict the processing of, or delete your data within the legally permissible scope pursuant to Arts. 16, 17, and 18 GDPR.
The right to erasure does not exist, among other things, if the processing of personal data is necessary for:
(i) exercising the right to freedom of expression and information,
(ii) compliance with a legal obligation to which we are subject (e.g. statutory retention obligations), or
(iii) the establishment, exercise, or defense of legal claims.
9.3 Right to Data Portability
If you have provided us with your data on the basis of your consent or within the framework of an existing contractual relationship, we will provide you with this data in a structured, commonly used, and machine-readable format upon request or – where technically feasible – transmit it to a third party designated by you.
9.4 Right to Object
If we process your data on the basis of a legitimate interest, you may object to this processing for reasons arising from your particular situation pursuant to Art. 21 GDPR. The right to object only exists within the limits set out in Art. 21 GDPR. Furthermore, our interests may override the termination of processing, so that we may continue to process your personal data despite your objection.
9.5 Right to Lodge a Complaint
If you have questions, suggestions, or criticism, you may contact the data protection officer named in Section 2.
You are also entitled, under the conditions of Art. 77 GDPR, to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace, or the place of the alleged infringement, if you believe that the processing of your data violates the GDPR. The right to lodge a complaint exists without prejudice to any other administrative or judicial remedy.
The supervisory authority responsible for us is:
The Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Str. 22, 7th Floor
20459 Hamburg
Phone: 040 / 428 54 – 4040
Fax: 040 / 428 54 – 4000
E-mail: mailbox@datenschutz.hamburg.de
10. Obligation to Provide Data
In principle, you are not obliged to provide us with your data. However, if you do not do so, we may not be able to respond to your inquiries.
11. Automated Decision-Making / Profiling
Automated decision-making does not take place.
12. Consent / Right of Withdrawal
If you grant or have granted us consent to collect, process, or use your data, you may revoke this consent at any time with effect for the future by contacting the entity named in Section 1. An email is sufficient.
You also have the right, on grounds relating to your particular situation, to object at any time to the processing of your data by us carried out on the basis of Art. 6 para. 1 lit. e GDPR (processing in the public interest) or Art. 6 para. 1 lit. f GDPR (legitimate interest of the controller). In this case, we will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or unless the processing serves the establishment, exercise, or defense of legal claims.
Changes
We reserve the right to amend this Privacy Policy at any time. Any changes will be announced by publishing the amended Privacy Policy on our website. Unless otherwise stated, such changes shall take effect immediately. Therefore, please review this Privacy Policy regularly to view the latest version.
Hamburg, June 2026
