Privacy policy
Last updated: June 21, 2025
1. Introduction
This Privacy Policy explains how we, as the data controller under the General Data Protection Regulation (GDPR), collect, use, and protect your personal data when you use our online store.
Although our website is intended for international customers, our business is operated from Germany and subject to German and EU data protection law (especially GDPR and the German Telecommunications Telemedia Data Protection Act – TTDSG).
2. Controller Information
The controller responsible for the processing of personal data is:
The Model Car Project
Ludwig-Erhard-Straße 18, c/o IP-Management #43310
20459 Hamburg, Germany
Email: service@themodelcarproject.com
3. Data Categories and Purposes of Processing
We process the following categories of data:
- Identification data (name, address, email, phone)
- Order and payment data
- Account login data (if registered)
- Technical data (IP address, device info, browser type)
- Usage data and preferences (via cookies or tracking tools)
We use this data to:
- Fulfill and deliver your orders
- Provide customer support
- Maintain and secure our website
- Conduct analytics and improve services
- Comply with legal obligations
- Send newsletters and marketing material (only with consent)
4. Legal Basis for Processing (Article 6 GDPR)
- Art. 6(1)(b) GDPR – For fulfilling a contract (e.g., processing and shipping your orders)
- Art. 6(1)(c) GDPR – For fulfilling legal obligations (e.g., tax or trade regulations)
- Art. 6(1)(f) GDPR – For legitimate interests (e.g., fraud prevention, business analytics)
- Art. 6(1)(a) GDPR – Based on your consent (e.g., for marketing or non-essential cookies)
5. Shopify and Data Sharing
Our store is hosted by Shopify Inc., 151 O’Connor Street, Ottawa, Ontario, K2P 2L8, Canada. Shopify acts as a data processor on our behalf (according to Art. 28 GDPR). We have concluded a Data Processing Agreement (DPA) with Shopify.
Shopify may also process your personal data for its own legitimate interests (such as product improvement, fraud prevention, or internal analytics). In these cases, Shopify acts as a separate controller. You can find more information in Shopify’s Privacy Policy: https://www.shopify.com/legal/privacy
6. Use of Third-Party Services and Payment Providers
We use external service providers to operate our online shop securely and efficiently. These include payment processors, hosting and CDN services, and fraud prevention tools. We ensure data processing agreements (DPAs) are in place with all relevant vendors in accordance with Article 28 GDPR. The use of these services may involve the transfer of personal data to countries outside the EU/EEA. Where applicable, we rely on the EU Standard Contractual Clauses (SCCs) or adequacy decisions to ensure lawful data transfers.
6.1 Cookie Consent Tool
We use a cookie consent management platform to comply with our legal obligations under Art. 6(1)(c) GDPR and § 25 TTDSG. When you first visit our website, you are presented with a cookie banner that allows you to accept or reject non-essential cookies. Your preferences are stored using a technically necessary cookie.
This involves processing the following data: your consent decision, timestamp, IP address (shortened/anonymized), and browser information. Legal basis: Art. 6(1)(c) GDPR (compliance with legal obligation). This tool helps us manage and document user consents in accordance with GDPR requirements.
6.2 DHL (Shipping Provider)
We use DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany, to deliver your orders. For this purpose, we transmit your name, shipping address, and where applicable, your email address or phone number (for tracking and delivery coordination) to DHL.
The transmission of data is necessary to fulfill the purchase contract (Art. 6(1)(b) GDPR). DHL processes the data under its own responsibility. More information: DHL Privacy Policy
Cloudflare
We use Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA, to deliver content and enhance the security of our website (CDN, firewall, DDoS protection). Cloudflare processes your IP address and technical data upon each visit. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and fast website performance). A DPA and EU Standard Contractual Clauses are in place with Cloudflare. More: Cloudflare Privacy Policy.
Apple Pay
We offer Apple Pay via Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. Apple processes payment data (e.g., credit card number, billing info) directly on your device using its own encryption. Legal basis: Art. 6(1)(b) GDPR. Apple acts as a data controller. More: Apple Privacy Policy.
Google Pay
If you choose Google Pay, your payment will be processed by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. We transmit transaction-relevant data (e.g. purchase total, merchant ID) to Google for payment processing. Legal basis: Art. 6(1)(b) GDPR. More: Google Privacy Policy.
PayPal
We use PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. When you select PayPal, personal data such as email address, shipping and billing address, IP address, and order information are transmitted to PayPal to process the payment. PayPal acts as a controller under GDPR. Legal basis: Art. 6(1)(b) GDPR. DPA available if necessary. More: PayPal Privacy Policy.
Klarna
For Klarna payments (invoice or installment), we use Klarna AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden. Klarna collects personal data to assess your creditworthiness and process the transaction. We transmit personal data such as name, address, email, and purchase details. Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR. Klarna acts as a controller. More: Klarna Privacy Policy.
Shopify Payments, VISA & Mastercard
We use Shopify Payments operated by Shopify Payments (Ireland) Ltd., 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland. Shopify processes payments via acquiring banks and card schemes such as VISA and Mastercard. Your data (e.g. cardholder name, card number, billing address) is processed to fulfill transactions. Legal basis: Art. 6(1)(b) GDPR. Shopify’s data transfers outside the EEA are protected by SCCs. More: Shopify Privacy Policy.
Mastercard & VISA
Credit card payments are handled by the respective card networks – Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium and Visa Europe Services Inc., London Branch, 1 Sheldon Square, London W2 6TT, United Kingdom. These companies act as independent controllers. Legal basis: Art. 6(1)(b) GDPR.
7. International Data Transfers
Personal data may be transferred to Shopify and its service providers in third countries, such as Canada or the United States. Shopify uses the EU-approved Standard Contractual Clauses (SCCs) to ensure a level of protection equivalent to EU data protection law.
8. Cookies and Tracking Technologies (TTDSG §25)
We use cookies and similar technologies to enable core functionalities (e.g., shopping cart), analyze usage patterns, and deliver personalized advertising.
Non-essential cookies (e.g., for marketing or analytics) are only set with your explicit consent in accordance with Art. 6(1)(a) GDPR and § 25 TTDSG.
You can manage your cookie preferences at any time via our Cookie Settings or through the banner shown when you first visit our website.
9. Retention Periods
We store your personal data only for as long as necessary for the purposes mentioned in this Privacy Policy or as required by law (e.g., 6–10 years for commercial/tax records).
10. Your Rights under the GDPR
You have the following rights:
- Right of access to your personal data (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (“right to be forgotten”, Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object to data processing (Art. 21 GDPR)
- Right to withdraw consent at any time (Art. 7(3) GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
To exercise any of these rights, please contact us at service@themodelcarproject.com.
11. Automated Decision-Making and Profiling
We do not use your personal data for automated decision-making or profiling that produces legal effects or similarly significant consequences.
12. Data Security
We use appropriate technical and organizational measures (TOMs) to protect your data from unauthorized access, disclosure, alteration, or destruction.
13. Complaint to the Data Protection Authority
If you believe that the processing of your personal data violates applicable law, you have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State of your habitual residence, place of work or place of the alleged infringement. In Germany, you can contact:
Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Website: https://www.bfdi.bund.de
14. Updates
We may update this Privacy Policy from time to time to reflect changes in legal, technical, or business developments. The date of the latest update is indicated at the top.