DEANZANE
Commission

Legal · Privacy

Privacy Policy.

Effective date: April 2026 · Last updated: 29 April 2026

Cookie Settings
Contents
01

Controller

Company
DEANZANE UG (haftungsbeschränkt)
Address
Boxhagener Straße 110, 10245 Berlin, Germany
Represented by
Vladislav Bröckel, LL.B.
Email
studio[at]deanzane.com
DPO
Not legally required (Art. 37 GDPR — no large-scale processing)
02

General

We process personal data only to the extent necessary to provide a functioning website and our services. Processing is based on the user's consent (Art. 6(1)(a) GDPR) or where permitted by law (Art. 6(1)(b), (c) and (f) GDPR).

PurposeLegal basisDetails
Website operation & securityArt. 6(1)(f) — legitimate interestStability and protection against misuse
Contract / pre-contractualArt. 6(1)(b)Processing enquiries and orders
Legal obligationsArt. 6(1)(c)Retention duties under commercial and tax law
Analytics & marketingArt. 6(1)(a) — consentGoogle Analytics & Shopify — only after explicit consent
03

Server logs

Each visit automatically collects:

  • IP address of the requesting device (anonymised)
  • Date and time of access
  • Name and URL of the file retrieved
  • Referring URL (referrer)
  • Browser type, version and operating system

Legal basis: Art. 6(1)(f) GDPR. Stored max. 30 days, then deleted or anonymised.

04

Contact

Name, email and message are stored to process your enquiry. Legal basis: Art. 6(1)(b) and (f) GDPR. Deleted after the enquiry is resolved, at the latest after 3 years.

DataLegal basisRetention
Name, email, messageArt. 6(1)(b), (f)Max. 3 years
05

Cookies & browser storage

Non-essential cookies are only set after your explicit consent. Manage your preferences at any time on the Cookie Settings page.

Necessary — Art. 6(1)(f) GDPR — no consent required

NameProviderExpiresFlagsPurpose
__cf_bmCloudflare~30 minSecure · HttpOnlyBot management & DDoS protection
__dplLovable1 daySecure · SameSite=LaxDeployment routing & version pinning
session-idportfolio.deanzane.comSessionSecureSession state & access control
Transfer to USA (Cloudflare): Standard Contractual Clauses per Art. 46(2)(c) GDPR · cloudflare.com/privacypolicy

Statistics — Art. 6(1)(a) GDPR — consent required

NameProviderExpiresPurpose
_gaGoogle Analytics13 monthsDistinguishes unique users and calculates visitor statistics. Set on .deanzane.com.
_ga_B7LDSSZXQYGoogle Analytics13 monthsSession persistence (Measurement ID: G-B7LDSSZXQY). Set on .deanzane.com.
Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4. DPA per Art. 28 GDPR. Transfer to USA via SCC Art. 46(2)(c) GDPR. IP anonymisation enabled. Retention: 14 months. policies.google.com/privacy

Marketing — Art. 6(1)(a) GDPR — consent required

NameProviderExpiresPurpose
_shopify_yShopify1 yearVisitor tracking across the deanzane.com Shopify store. Conversion tracking & visitor identification. Set on .deanzane.com. SameSite=Lax.
Shopify International Ltd., 1st Floor, One Dockland Central, Dublin 1. DPA per Art. 28 GDPR. Transfer to USA via SCC Art. 46(2)(c) GDPR. shopify.com/legal/privacy

Preferences — Art. 6(1)(f) GDPR — no consent required

KeyStorageExpiresPurpose
deanzane-cookie-consentlocalStoragePersistentRecords consent decision per category + timestamp. Required under Art. 7 GDPR.
06

Hosting

Hosted via Lovable (GPT Engineer AB), delivered via Cloudflare CDN. DPAs in place per Art. 28 GDPR with both providers. Servers within EU/EEA. Transfers to Cloudflare in the USA based on SCC Art. 46(2)(c) GDPR.

07

Recipients & processors

Personal data is shared only where necessary. DPAs per Art. 28 GDPR are in place with all processors listed below.

ProviderCountryTransfer basisRole
Cloudflare, Inc.USASCC Art. 46(2)(c)CDN, DDoS protection, bot management
Lovable / GPT Engineer ABEU/SEEU adequacy / DPAWebsite hosting & deployment
Google Ireland Ltd.IE/USASCC Art. 46(2)(c)Google Analytics — website statistics
Shopify International Ltd.IE/USASCC Art. 46(2)(c)E-commerce platform & visitor tracking
07a

Third-Party Services: How Your Data Is Processed

The following describes in detail how each third-party service used on this website processes your personal data, on what legal basis, for what specific purpose, and what rights you have directly against each provider.

A · Google Analytics (Google Ireland Ltd.)

Provider
Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland
Parent company
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Role (GDPR)
Joint controller (Google Ads Data Processing Terms apply). For US transfers, Google LLC acts as data importer under SCCs (EU Commission Decision C(2021)914).

Data collected when Statistics cookies are enabled:

  • Anonymised IP address (last octet removed before storage — no full IP is stored)
  • Browser type, version, language and screen resolution
  • Operating system and device type
  • Pages visited, time on page, scroll depth and click interactions
  • Traffic source (direct, referral, organic search, campaign)
  • Session start and end time, session duration
  • New vs. returning visitor status
  • Geographic region (country and city level, derived from anonymised IP)

What is NOT collected:

  • Full IP addresses (anonymisation is enabled)
  • Names, email addresses or any directly identifying information
  • Payment or financial data
  • Data from logged-in Google accounts (no User-ID feature is enabled)
NameExpiresPurpose
_ga13 monthsRandom, anonymous Client ID to distinguish unique users. Domain: .deanzane.com. No Secure flag. No SameSite attribute.
_ga_B7LDSSZXQY13 monthsSession state for Measurement ID G-B7LDSSZXQY. Domain: .deanzane.com.

Purpose & legal basis. Understand how visitors interact with the site to improve content and usability. Legal basis: Art. 6(1)(a) GDPR — explicit consent via the Cookie Settings page. You can withdraw consent at any time; this stops further data collection but does not retroactively delete data already sent to Google.

Retention. 14 months in Google Analytics, then automatically deleted. Aggregated, non-personal reporting data may be retained longer.

Third-country transfer. Data may be transferred to Google LLC servers in the USA. Basis: Standard Contractual Clauses (SCCs) per Art. 46(2)(c) GDPR (Commission Decision C(2021)914, 4 June 2021). Additional safeguards under the Google Analytics Data Processing Amendment.

Your rights against Google directly. Opt out via the Cookie Settings page on this site (preferred), install the Google Analytics Opt-out Browser Add-on, or adjust your Google account ad personalisation settings.

tools.google.com/dlpage/gaoptout · myaccount.google.com/data-and-privacy · policies.google.com/privacy · marketingplatform.google.com/about/analytics/terms

B · Shopify (Shopify International Ltd.)

Provider
Shopify International Ltd., 1st Floor, One Dockland Central, Guild Street, Dublin 1, Ireland
Parent company
Shopify Inc., 151 O'Connor Street, Ground Floor, Ottawa, Ontario, K2P 2L8, Canada
Role (GDPR)
Independent controller for data processed through Shopify on deanzane.com. DPA per Art. 28 GDPR in place between DEANZANE UG and Shopify International Ltd.

The Shopify cookie _shopify_y is set on .deanzane.com when Marketing cookies are enabled. It collects:

  • A pseudonymous visitor identifier (randomly generated, not linked to a name)
  • Pages visited on deanzane.com and portfolio.deanzane.com
  • Referral source and UTM campaign parameters
  • Browser fingerprint signals (browser type, screen size, language)
  • Time of visit, session duration, pages per session
  • Whether the visitor has previously visited the Shopify store on deanzane.com
  • Conversion events (product views, add-to-cart, purchase completions on deanzane.com — NOT on portfolio.deanzane.com)
NameExpiresFlagsPurpose
_shopify_y1 yearSameSite=Lax · no Secure flagPseudonymous UUID used internally by Shopify. Cannot identify you as an individual without additional data held solely by Shopify. Domain: .deanzane.com.

Purpose. Link your visit on portfolio.deanzane.com to your behaviour on the deanzane.com Shopify store. Enables cross-domain conversion attribution, visitor analytics for the Shopify store owner (DEANZANE UG), and detection of returning visitors. Legal basis: Art. 6(1)(a) GDPR — explicit consent via Cookie Settings.

Third-country transfer. Data may be transferred to Shopify Inc. servers in the USA and Canada. USA: SCCs per Art. 46(2)(c) GDPR. Canada benefits from an EU adequacy decision (Commission Decision 2002/2/EC).

Your rights against Shopify directly. Opt out via the Cookie Settings page on this site, or submit a data subject request directly to Shopify.

privacy.shopify.com · shopify.com/legal/privacy

C · Cloudflare (Cloudflare, Inc.)

Provider
Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA
European representative
Cloudflare Portugal, Lda.
Role (GDPR)
Data processor on behalf of DEANZANE UG. DPA per Art. 28 GDPR in place. Cloudflare processes data only on our documented instructions and may not use it for its own purposes.

Every HTTP request to portfolio.deanzane.com passes through Cloudflare's network. Cloudflare processes:

  • Your full IP address (used for routing and security; not stored beyond the session by Cloudflare on our behalf)
  • HTTP request headers (User-Agent, Accept-Language, Referer)
  • Request URL and query parameters
  • TLS/SSL handshake data
  • Cloudflare threat score (risk classification derived from IP reputation signals — not stored as personal data)
NameExpiresFlagsPurpose
__cf_bm~30 min (session-scoped)Secure · HttpOnlyBot Management cookie. Distinguishes automated bot traffic from human visitors via behavioural signals. Encrypted; cannot be decoded outside Cloudflare's infrastructure. No SameSite attribute.

Purpose. Protection against DDoS attacks, credential stuffing, brute-force attempts, malicious bots and scraping; CDN caching for faster page loads. Legal basis: Art. 6(1)(f) GDPR — legitimate interest in operating a secure, available and performant website. No consent required for __cf_bm (strictly necessary).

Third-country transfer. Data is transferred to Cloudflare servers in the USA. Basis: SCCs per Art. 46(2)(c) GDPR. Cloudflare is also certified under the EU-U.S. Data Privacy Framework (DPF).

Your rights. Because Cloudflare acts as our processor, data subject requests must be submitted to us at studio[at]deanzane.com. We coordinate with Cloudflare to fulfil your request.

cloudflare.com/privacypolicy

D · Lovable / GPT Engineer AB

Provider
GPT Engineer AB (trading as Lovable), Sveavägen 9, 111 57 Stockholm, Sweden
Role (GDPR)
Data processor. DPA per Art. 28 GDPR in place. Lovable hosts the website infrastructure and processes personal data only to provide hosting services.

Data processed:

  • Server access logs containing IP addresses, request paths and timestamps (retained for up to 30 days for operational purposes)
  • The __dpl cookie (1 day) is used internally by Lovable's infrastructure to route requests to the correct deployment version of the site. It contains a deployment identifier and no personal data beyond what is technically required for routing.

Purpose. Hosting, build and deployment infrastructure for portfolio.deanzane.com. Processing is limited to what is technically necessary to operate the hosting service. Legal basis: Art. 6(1)(f) GDPR — legitimate interest. No consent required for __dpl (strictly necessary).

Third-country transfer. Lovable's primary infrastructure is located within the EU/EEA (Sweden). No transfers to third countries for standard hosting operations.

lovable.dev/privacy
08

Third-country transfers

Transfers outside the EEA (Cloudflare, Google Analytics, Shopify — USA) are based on Standard Contractual Clauses per Art. 46(2)(c) GDPR. Details in Section 07.

09

Retention

Data categoryRetentionReason
Server logsMax. 30 daysSecurity monitoring
Session cookiesUntil session endsTechnical necessity
Consent records (localStorage)Until browser clearedProof of consent, Art. 7 GDPR
Google Analytics data14 monthsPer Google DPA (IP anonymised)
Shopify tracking data1 year (cookie expiry)Per Shopify DPA
Contact enquiriesMax. 3 yearsStatute of limitations
Tax-relevant records10 years§ 147 AO / applicable law
10

Your rights

Contact studio[at]deanzane.com to exercise any right. We respond within 30 days.

Art. 15Access

Copy of all personal data we process about you.

Art. 16Rectification

Correct inaccurate or incomplete data.

Art. 17Erasure

Deletion where no legal retention obligation applies.

Art. 18Restriction

Limit processing in certain circumstances.

Art. 20Portability

Data in structured, machine-readable format.

Art. 21Object

Object to legitimate-interest processing at any time.

Art. 7(3)Withdraw consent

Withdraw via Cookie Settings page at any time.

Art. 77Complaint

Lodge complaint with your supervisory authority.

Berliner Beauftragte für Datenschutz und Informationsfreiheit · Alt-Moabit 59–61 · 10555 Berlin · mailbox@datenschutz-berlin.de
11

Security

SSL/TLS encryption on all connections. Cloudflare network protection against unauthorised access.

12

Automated decisions & profiling

We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR.

13

Changes

We may update this Privacy Policy to reflect legal or service changes. The version at the time of your visit applies. Last updated: April 2026.