Last updated: May 2026
1. Introduction and Controller Details
1.1 We are pleased that you are visiting our website and thank you for your interest. The following information explains how we handle your personal data when you use our website. Personal data means any information that can be used to identify you personally.
1.2 The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR / DSGVO) is:
Aurora Flow — F. Sayao Ludwig-Jahn-Str. 10 47533 Kleve, Germany Email: hello@theauroraflow.shop
The controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data.
2. Data Collection When You Visit Our Website
2.1 When you visit our website purely for informational purposes — without registering or providing information in any other way — we only collect data that your browser transmits to our server (so-called server log files). When you access our website, we collect the following data, which is technically necessary for us to display the website:
Processing takes place pursuant to Art. 6(1)(f) GDPR on the basis of our legitimate interest in improving the stability and functionality of our website. The data is not passed on or used in any other way. We reserve the right to review server log files retrospectively if there are concrete indications of unlawful use.
2.2 This website uses SSL/TLS encryption for security reasons and to protect the transmission of personal data and other confidential content. You can recognise an encrypted connection by the string "https://" and the padlock symbol in your browser bar.
3. Hosting and Content Delivery Network
3.1 Shopify
For hosting our website and displaying page content, we use the system of the following provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland.
Data is also transferred to: Shopify Inc., 150 Elgin St, Ottawa, ON K2P 1L4, Canada.
All data collected on our website is processed on the provider's servers. We have concluded a data processing agreement with the provider, which ensures the protection of our site visitors' data and prohibits unauthorised disclosure to third parties.
For data transfers to Canada, an adequate level of data protection is guaranteed by an adequacy decision of the European Commission.
3.2 AWS CloudFront
We use a content delivery network provided by: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109, USA.
This service enables us to deliver large media files such as graphics, page content, or scripts more quickly via a network of regionally distributed servers. Processing takes place to safeguard our legitimate interest in improving the stability and functionality of our website pursuant to Art. 6(1)(f) GDPR. We have concluded a data processing agreement with the provider.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.
4. Cookies
To make the visit to our website appealing and to enable certain functions, we use cookies — small text files stored on your device. Some cookies are automatically deleted when you close your browser (so-called session cookies); others remain on your device for longer and allow page settings to be saved (so-called persistent cookies).
Where cookies process personal data, this is done pursuant to Art. 6(1)(b) GDPR for the performance of a contract, pursuant to Art. 6(1)(a) GDPR where consent has been given, or pursuant to Art. 6(1)(f) GDPR to safeguard our legitimate interests in the best possible functionality of the website.
You can configure your browser to inform you about the setting of cookies and to decide individually whether to accept them, or to exclude cookies in certain cases or in general. Please note that if you do not accept cookies, the functionality of our website may be limited.
5. Contact
5.1 Contact Form and Email
When you contact us via our contact form or by email, the personal data you provide is processed exclusively for the purpose of handling and responding to your enquiry, and only to the extent necessary for this purpose.
The legal basis for processing this data is our legitimate interest in responding to your enquiry pursuant to Art. 6(1)(f) GDPR. If your contact is aimed at concluding a contract, the additional legal basis is Art. 6(1)(b) GDPR. Your data will be deleted once the matter in question has been conclusively resolved, provided no statutory retention obligations apply.
6. Customer Account and Order Processing
6.1 Customer Account
Pursuant to Art. 6(1)(b) GDPR, personal data is collected and processed to the extent necessary when you open a customer account and provide us with information accordingly. The data required for account creation can be found in the input mask of the relevant form on our website. Deletion of your customer account is possible at any time by contacting us at hello@theauroraflow.shop.
6.2 Order Processing
To the extent necessary for the processing of your order for delivery and payment purposes, the personal data we collect is passed on to the contracted logistics provider and payment institution pursuant to Art. 6(1)(b) GDPR.
We work with the following shipping service provider for order fulfilment. Certain personal data is transmitted to this provider as described below:
DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany. We pass on your email address and/or telephone number to DHL prior to delivery for the purpose of delivery coordination, where you have given your express consent during the ordering process pursuant to Art. 6(1)(a) GDPR. Otherwise, only the recipient's name and delivery address are passed on for the purpose of delivery pursuant to Art. 6(1)(b) GDPR.
7. Payment Processing
The following payment service providers are available on this website. Data processing by each provider is governed by their own privacy policies. We do not store or have access to your full payment details.
Shopify Payments — Shopify International Limited, Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland. When you select a payment method via this provider, the payment data communicated during the ordering process is passed on pursuant to Art. 6(1)(b) GDPR, exclusively for the purpose of payment processing.
PayPal — PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. Payment data is passed on pursuant to Art. 6(1)(b) GDPR. Where PayPal offers deferred payment methods, a credit check may be performed pursuant to Art. 6(1)(f) GDPR.
Klarna — Klarna Bank AB, Sveavägen 46, 111 34 Stockholm, Sweden. For deferred payment methods, personal data including name, address, date of birth, and email may be processed for creditworthiness checks pursuant to Art. 6(1)(f) GDPR.
Sofort / Klarna Sofort — SOFORT GmbH, Theresienhöhe 12, 80339 Munich, Germany. Payment data is transmitted for the purpose of processing the transaction pursuant to Art. 6(1)(b) GDPR.
Apple Pay — Apple Distribution International, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. Payment data is processed in encrypted form pursuant to Art. 6(1)(b) GDPR. Apple retains only anonymised transaction data.
Google Pay — Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Payment data is transmitted pursuant to Art. 6(1)(b) GDPR. Data may also be transferred to Google LLC, USA. For US transfers, the provider has joined the EU-US Data Privacy Framework.
Shop Pay — Shopify International Limited (as above). Payment data is processed pursuant to Art. 6(1)(b) GDPR.
American Express — American Express Europe S.A., Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Germany. Card payment data is transmitted pursuant to Art. 6(1)(b) GDPR.
Visa / Mastercard — Processed via Shopify Payments. Card data is transmitted pursuant to Art. 6(1)(b) GDPR and is not stored by us.
8. Email Newsletter and Marketing Communications
8.1 Newsletter Signup
If you subscribe to our email newsletter, we will regularly send you information about our products and offers. The only mandatory field for sending the newsletter is your email address. Additional information is voluntary and used to address you personally.
We use the double opt-in procedure to ensure you only receive the newsletter after explicitly confirming your subscription via a verification link sent to the provided email address.
By activating the confirmation link, you grant us your consent for the use of your personal data pursuant to Art. 6(1)(a) GDPR. We store the IP address recorded by your Internet service provider as well as the date and time of registration to allow potential misuse of your email address to be detected at a later date.
You may unsubscribe at any time using the unsubscribe link in any newsletter or by contacting us.
8.2 Newsletter Sending via Shopify Email
Our email newsletters are sent via the following provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland. Data is also transferred to Shopify Inc., Ottawa, Canada.
On the basis of our legitimate interest in effective and user-friendly newsletter marketing, we pass on your registration data to this provider pursuant to Art. 6(1)(f) GDPR for the purpose of sending newsletters on our behalf.
Subject to your express consent pursuant to Art. 6(1)(a) GDPR, the provider may also perform statistical analysis of newsletter campaigns via web beacons or tracking pixels, which can measure open rates and specific interactions. You may withdraw your consent to newsletter tracking at any time with effect for the future.
8.3 Abandoned Cart Reminders
If you begin a purchase on our website but do not complete your order, you may receive a one-time reminder email about the contents of your cart. The only mandatory field for this reminder is your email address. We use the double opt-in procedure, meaning a reminder will only be sent after explicit confirmation via a verification link. Your consent may be withdrawn at any time.
9. Web Analytics
9.1 Google Analytics (GA4)
This website uses Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
Using cookies and comparable technologies, Google Analytics collects and stores pseudonymised visitor data including device information, IP address, browser data, and behavioural data, in order to analyse usage patterns and create pseudonymised usage profiles. This allows us to understand how visitors interact with our website and to improve it accordingly.
All processing described above, in particular the reading or storing of information on your device, only takes place if you have given us your express consent pursuant to Art. 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future by disabling this service in the Cookie Consent Tool provided on our website.
We have concluded a data processing agreement with Google. For data transfers to the USA, Google has joined the EU-US Data Privacy Framework.
Google's privacy policy: https://policies.google.com/privacy
9.2 Microsoft Clarity
This website uses Microsoft Clarity, a behavioural analytics service provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.
Microsoft Clarity records anonymised user interactions including mouse movements, clicks, and scrolling behaviour (heatmaps and session replays) to help us understand how visitors use our website and to improve user experience. The pseudonymisation process fundamentally excludes direct personal identification.
All processing takes place only with your express consent pursuant to Art. 6(1)(a) GDPR. You may withdraw consent at any time via the Cookie Consent Tool.
Data may also be transferred to Microsoft Corporation, USA. For US transfers, Microsoft has joined the EU-US Data Privacy Framework.
Microsoft's privacy policy: https://privacy.microsoft.com/privacystatement
10. Retargeting, Remarketing, and Conversion Tracking
10.1 Meta Pixel (Facebook / Instagram)
This website uses the Meta Pixel provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.
The Meta Pixel enables us to track conversions, build custom audiences, and serve targeted advertisements to users who have previously visited our website via Facebook and/or Instagram. When a user clicks on one of our ads, a URL parameter is added which is then stored in the user's browser via a cookie set by our website.
This allows Meta to identify visitors to our website as a target group for the display of advertisements, and allows us to measure which actions users take after clicking on our ads (conversion tracking). The data collected is anonymous to us and does not allow us to draw conclusions about the identity of individual users. However, it is stored and processed by Meta, allowing it to be connected to user profiles.
All processing takes place only with your express consent pursuant to Art. 6(1)(a) GDPR. You may withdraw consent at any time via the Cookie Consent Tool.
We have concluded a data processing agreement with Meta. For US data transfers, Meta has joined the EU-US Data Privacy Framework.
Meta's privacy policy: https://www.facebook.com/privacy/policy/
10.2 Pinterest Tag
This website uses the Pinterest Tag provided by Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.
The Pinterest Tag enables us to track the actions users take after viewing or clicking on a Pinterest advertisement, and to build custom audiences for retargeting campaigns on Pinterest. When users visit our website, the tag sends pseudonymised event data to Pinterest's servers.
All processing takes place only with your express consent pursuant to Art. 6(1)(a) GDPR. You may withdraw consent at any time via the Cookie Consent Tool.
Data may also be transferred to Pinterest Inc., USA. For US transfers, Pinterest relies on Standard Contractual Clauses of the European Commission.
Pinterest's privacy policy: https://policy.pinterest.com/privacy-policy
10.3 Google Ads Conversion Tracking
This website uses Google Ads and the associated conversion tracking service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
When a user clicks on a Google ad placed by us, a conversion tracking cookie is set. These cookies lose their validity after 30 days and are not used for personal identification. If the user visits certain pages of our website and the cookie has not yet expired, we and Google can recognise that the user clicked on the ad and was redirected to our website.
All processing takes place only with your express consent pursuant to Art. 6(1)(a) GDPR. You may withdraw consent at any time via the Cookie Consent Tool. A permanent opt-out is also available via: https://www.google.com/settings/ads/plugin
For US transfers, Google has joined the EU-US Data Privacy Framework.
11. Page Functionality
11.1 Google Web Fonts
This site uses web fonts for consistent typography, provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. When a page is accessed, your browser loads the required fonts into its cache and establishes a direct connection to the provider's servers, transmitting certain browser information including your IP address. Data may also be transferred to Google LLC, USA.
Processing takes place only with your express consent pursuant to Art. 6(1)(a) GDPR. If your browser does not support web fonts, a default font from your device will be used. For US transfers, Google has joined the EU-US Data Privacy Framework.
11.2 Google reCAPTCHA
This website uses the CAPTCHA service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
This service verifies whether an input is made by a human or by automated and machine processing, and blocks spam and automated attacks. To do so, the provider collects the IP address of the device used, browser and operating system type, and the date and duration of the visit.
Processing takes place pursuant to Art. 6(1)(f) GDPR on the basis of our legitimate interest in preventing misuse and spam. We have concluded a data processing agreement with Google. For US transfers, Google has joined the EU-US Data Privacy Framework.
12. Customer Reviews
This website uses a review verification and publishing service. When you submit a review, your name, email address, order date, and order number are processed to verify the authenticity of your review and ensure it relates to a genuine transaction. Processing takes place pursuant to Art. 6(1)(f) GDPR on the basis of our legitimate interest in ensuring authentic customer reviews and preventing review abuse.
13. Cookie Consent Tool
This website uses a Cookie Consent Tool to obtain valid user consent for cookies and cookie-based applications that require consent. When you visit the site, the tool is displayed as an interactive interface allowing you to grant or withhold consent for individual cookie categories.
Only technically necessary cookies are set without consent. All other cookies and tracking services are only activated if you have expressly consented via the tool.
The tool itself sets technically necessary cookies to store your preferences. Personal user data is generally not processed. Where IP addresses are processed for the purpose of storing or logging cookie settings, this takes place pursuant to Art. 6(1)(f) GDPR and Art. 6(1)(c) GDPR.
14. Data Subject Rights
14.1 Under applicable data protection law, you have the following rights with respect to the processing of your personal data:
To exercise any of these rights, contact us at: hello@theauroraflow.shop
14.2 Right to lodge a complaint You have the right to lodge a complaint with your competent data protection supervisory authority. For our location in North Rhine-Westphalia, this is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW) Kavalleriestraße 2–4, 40213 Düsseldorf https://www.ldi.nrw.de
14.3 RIGHT TO OBJECT
WHERE WE PROCESS YOUR PERSONAL DATA ON THE BASIS OF A BALANCING OF INTERESTS PURSUANT TO ART. 6(1)(f) GDPR, YOU HAVE THE RIGHT TO OBJECT TO SUCH PROCESSING AT ANY TIME ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, WITH EFFECT FOR THE FUTURE.
IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL CEASE PROCESSING THE DATA IN QUESTION, UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENCE OF LEGAL CLAIMS.
WHERE YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME. IF YOU OBJECT, WE WILL CEASE PROCESSING YOUR DATA FOR SUCH PURPOSES.
15. Retention Periods
The retention period for personal data is determined by the applicable legal basis, the processing purpose, and, where relevant, any applicable statutory retention periods (e.g. commercial and tax law retention obligations of 10 years under §257 HGB / §147 AO).
Personal data processed on the basis of consent (Art. 6(1)(a) GDPR) is retained until consent is withdrawn.
Personal data processed on the basis of a contract (Art. 6(1)(b) GDPR) is retained for as long as necessary for the performance of the contract and for the duration of applicable statutory retention periods.
Personal data processed on the basis of legitimate interests (Art. 6(1)(f) GDPR) is retained until you exercise your right to object pursuant to Art. 21(1) GDPR, unless we can demonstrate compelling legitimate grounds for continued processing.
Personal data processed for direct marketing purposes is retained until you exercise your right to object pursuant to Art. 21(2) GDPR.