Privacy policy
Privacy Policy of 8 June 2026
We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations as well as this Privacy Policy.
1. Controller and contact
The controller for data processing is:
MBR Skin GmbH
Edelhofweg 8-9
08280 Aue-Bad Schlema
Telephone: +49 3772 39528-0
Email: info@mbrskin.com
2. General information and scope
This Privacy Policy applies to the online shop and the website of MBR Skin GmbH (“Website” / “Shop”) as well as to the functions and services associated with them.
“Personal data” means any information relating to an identified or identifiable natural person (Art. 4(1) GDPR).
When you visit our Website, make a purchase or otherwise communicate with us, we process personal data. Below, we inform you which data we process, for which purposes, on which legal basis and for how long, and which rights you have.
3. Recipients, processing and transfers to third countries
Within our company, only those departments and employees who need your data for the relevant purposes have access to it.
In addition, we disclose personal data to service providers that support us in providing our services (e.g. hosting and shop system, payment processing, shipping and logistics, customer service, email dispatch, web analytics). Insofar as these service providers process data on our behalf and in accordance with our instructions, we have concluded data processing agreements with them pursuant to Art. 28 GDPR.
Transfers of your data to public authorities or government bodies only take place where required by mandatory legal provisions or on the basis of an official or court order.
Where data is transferred to countries outside the EU or the European Economic Area (EEA), this only occurs if an adequate level of data protection is ensured. We base such transfers on an adequacy decision of the European Commission (e.g. the EU‑U.S. Data Privacy Framework for appropriately certified recipients in the USA) or on appropriate safeguards within the meaning of Art. 46 GDPR, in particular the Standard Contractual Clauses of the European Commission, where applicable supplemented by additional protective measures. You can request a copy of the respective safeguards from us.
4. Hosting and shop system (Shopify)
Our Website and our online shop are hosted on the platform of the provider Shopify. The provider is Shopify International Limited, Victoria Buildings, 2nd Floor, 1‑2 Haddington Road, Dublin 4, D04 XN32, Ireland.
Shopify provides the technical infrastructure through which we operate our Shop (including the provision of the Website, management of products, orders and customer accounts, checkout). In this context, Shopify processes the personal data that arises in connection with visiting and using the shop (e.g. order, contact, usage and access data). A transfer to third countries (including Canada and the USA) may occur; such transfers are safeguarded by the mechanisms described in the section “Recipients, processing and transfers to third countries”.
The legal basis for the use of Shopify is our legitimate interest in the secure and efficient operation of our online shop (Art. 6(1)(f) GDPR) and, insofar as processing is carried out for the performance of contracts, Art. 6(1)(b) GDPR. Insofar as information that is not strictly technically necessary for the operation is stored on or accessed from your end device via the Shop, this only takes place with your consent (Sec. 25(1) TDDDG). We have concluded a data processing agreement with Shopify pursuant to Art. 28 GDPR.
Insofar as Shopify uses data from your interactions with our Shop, with other merchants and with Shopify in order to provide, secure and further develop the platform and its features, Shopify acts as an independent controller. For this processing, Shopify’s own privacy policy applies; you may address requests to exercise your rights in relation to this processing directly to Shopify.
Further information can be found in Shopify’s privacy policy: https://www.shopify.com/legal/privacy.
5. Provision of the Website and server log files
Each time our Website is accessed, information that your browser transmits to the server is automatically collected. This in particular includes:
· the IP address of the requesting end device
· date and time of access
· name and URL of the retrieved file as well as the transferred data volume
· the website from which the access originates (referrer URL)
· the browser used, the operating system and the name of your access provider
This data is technically required to display the Website to you, to ensure stability and security and to ward off attacks. The legal basis is our legitimate interest in the functionality and security of the Website (Art. 6(1)(f) GDPR). We do not combine this data with other data sources to identify you.
6. Cookies and consent management
Our Website uses cookies and similar technologies (e.g. information stored in your browser’s local storage). Cookies are small text files that are stored on your end device. They do not cause any damage and do not contain malware.
We distinguish between technically necessary cookies, which are required for the operation of the Website and the Shop (e.g. shopping cart, login status, security and language settings), and non‑necessary cookies (e.g. for statistics/analytics, marketing and the integration of third‑party content).
Technically necessary cookies are set without consent on the basis of Sec. 25(2) TDDDG; the related processing of personal data is based on Art. 6(1)(f) GDPR and – in the context of contract performance – on Art. 6(1)(b) GDPR. All non‑necessary cookies and technologies are only set or triggered after you have given your consent via our consent banner (Sec. 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR). You can withdraw or adjust your consent at any time with effect for the future by opening the cookie settings again via the link/reference to the cookie settings.
7. Customer account and registration
You can create a customer account in our Shop. In doing so, we process the data you provide (in particular name, address, email address and login data). The customer account makes ordering and managing your addresses and orders easier for you. The legal basis is Art. 6(1)(b) GDPR (performance of pre‑contractual measures and fulfilment of the contract). Creating a customer account is voluntary; you can also order as a guest.
We process the data stored in the customer account for as long as the account exists and then delete it, subject to statutory retention obligations (see section “Storage period and erasure”). You can request the deletion of your customer account at any time.
8. Order and contract performance
The legal basis for the processing of data required for contract performance (name, address, email address, ordered items, order and transaction data) is Art. 6(1)(b) GDPR. Providing a telephone number is voluntary; if you provide it, we process it to facilitate processing and communication in connection with your order on the basis of our legitimate interest (Art. 6(1)(f) GDPR). Insofar as we retain contract and invoice data due to commercial and tax law obligations, this is based on Art. 6(1)(c) GDPR.
For order processing we transfer data to the shipping and logistics service providers UPS and DHL as well as to the payment service provider, insofar as this is necessary for delivering the products. The transfer of payment data for processing the payment is described separately in the section “Payment service providers (Shopify Payments and PayPal)”.
9. Payment service providers (Shopify Payments and PayPal)
For payment processing in our Shop, we use Shopify Payments and – as an independent payment service provider – PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A., 22‑24 Boulevard Royal, L‑2449 Luxembourg) as payment service providers. Depending on the payment method you select, your payment data will be transmitted to Shopify Payments and – insofar as required for the chosen payment method – to the respective provider of that payment method and processed there. Your payment data is generally entered directly with the payment service provider; we do not receive full payment data (e.g. the complete credit card number).
The following payment methods are currently available via Shopify Payments:
· Credit and debit cards: Visa, Mastercard, American Express, Maestro, UnionPay
· Klarna and Sofortüberweisung (provider: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden)
· Shop Pay (accelerated checkout by Shopify)
· Apple Pay (provider: Apple)
· Google Pay (provider: Google)
· eps transfer, iDEAL, Bancontact and TWINT
If you pay via PayPal, the data required for processing the payment is transferred to PayPal; details can be found at https://www.paypal.com/de/legalhub/paypal/privacy-full.
The processing of your payment data is carried out for the performance of the contract and the execution of the payment transaction (Art. 6(1)(b) GDPR) and, insofar as it concerns the prevention of fraud and ensuring the security of payments, on the basis of our legitimate interest (Art. 6(1)(f) GDPR). For certain payment methods, the respective provider may carry out a credit check; data processing in this respect is governed by the privacy policy of the respective provider. The respective providers are independently responsible for the processing of data carried out by them.
10. Contacting us
If you contact us by email, telephone or via a contact form, we process the data you provide (e.g. name, contact details, content of the enquiry) in order to process and respond to your enquiry. The legal basis is Art. 6(1)(b) GDPR if your enquiry is related to the performance of a contract or the implementation of pre‑contractual measures, and otherwise our legitimate interest in handling the enquiry (Art. 6(1)(f) GDPR). The data is deleted once the enquiry has been finally processed, subject to statutory retention obligations.
11. Newsletter and email marketing
You can subscribe to our newsletter, with which we inform you about offers, products and promotions. We use the double opt‑in procedure for registration: After you register, you will receive an email in which we ask you to confirm that you wish to receive the newsletter. This ensures that nobody can register you without your consent. The only mandatory information for sending the newsletter is your email address; further, separately marked details are voluntary.
The legal basis for sending the newsletter is your consent (Art. 6(1)(a) GDPR in conjunction with Sec. 7(2) UWG). To prove registration, we store the time of registration and confirmation as well as the IP address used. The legal basis is our legitimate interest in being able to demonstrate the consent given, since the burden of proof lies with us (Art. 6(1)(f) GDPR in conjunction with Art. 7(1) GDPR). You can withdraw your consent at any time with effect for the future, for example via the unsubscribe link in each newsletter or by sending us a message. The lawfulness of processing carried out up to the withdrawal remains unaffected. After you unsubscribe, we may store your email address in a blocking list in order to reliably prevent future mailings. The legal basis is our legitimate interest in permanently respecting your objection and preventing renewed promotional emails (Art. 6(1)(f) GDPR).
Insofar as we measure opening and click behaviour (success measurement) in connection with the newsletter, this is based on your separate consent. You can withdraw this consent at any time with effect for the future without having to unsubscribe from the newsletter entirely.
Advertising to existing customers: If you have purchased products from us and provided us with your email address in the process, we reserve the right to inform you by email about our own similar products. The basis for this is Sec. 7(3) UWG; no separate consent is required. You may object to this use at any time free of charge, without incurring any costs other than the transmission costs according to the basic tariffs. We draw your attention to the right to object when we collect the email address and in every marketing email.
12. Web analytics and marketing (Google Analytics, Google Tag Manager, Google Ads conversion tracking)
We use Google Analytics 4, a web analytics service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Analytics uses cookies and similar technologies that enable an analysis of your use of the Website (e.g. pages viewed, time spent on pages, approximate location, device used). The information generated thereby is transmitted to servers of Google and processed there. Google Analytics 4 uses IP addresses solely to derive coarse location information; according to Google, storage or logging of full IP addresses does not take place, as IP anonymisation in Google Analytics 4 is active by default and cannot be deactivated. A transfer to third countries (in particular the USA) may occur and is safeguarded by the mechanisms described in the section “Recipients, processing and transfers to third countries”.
Google Analytics. We use Google Analytics exclusively on the basis of your consent (Art. 6(1)(a) GDPR in conjunction with Sec. 25(1) TDDDG). The service is only loaded after you have consented via our consent banner. You can withdraw your consent at any time with effect for the future by opening the cookie settings again. We have concluded a data processing agreement with Google pursuant to Art. 28 GDPR. The usage data collected via Google Analytics is automatically deleted after the retention period of 14 months that we have set has expired.
Google Tag Manager. We use Google Tag Manager on our Website. It is used to manage and trigger website tags (e.g. for analytics and marketing services). When Google Tag Manager is loaded, a script is executed on your end device; in the process, your IP address and device information may be transmitted to Google’s servers and a transfer to the USA may occur, which is safeguarded by the mechanisms described in the section “Recipients, processing and transfers to third countries”. We use Google Tag Manager exclusively on the basis of your consent (Art. 6(1)(a) GDPR in conjunction with Sec. 25(1) TDDDG); it is only loaded after you have consented via our consent banner. You can withdraw your consent at any time with effect for the future by opening the cookie settings again.
Google Ads conversion tracking. We use the conversion tracking feature of Google Ads. This allows us to evaluate whether users have reached our Website via one of our Google ads and then carried out a predefined action there (e.g. a purchase). For this purpose, a cookie is set once you click on a Google ad; the information generated may be transmitted to Google’s servers – including in the USA – and is safeguarded by the mechanisms described in the section “Recipients, processing and transfers to third countries”. We are not able to identify you personally in this context. We use conversion tracking exclusively on the basis of your consent (Art. 6(1)(a) GDPR in conjunction with Sec. 25(1) TDDDG) and have concluded a data processing agreement with Google pursuant to Art. 28 GDPR. You can withdraw your consent at any time with effect for the future by opening the cookie settings again.
We use Google Consent Mode v2 to manage consent. As long as you have not given consent, neither cookies nor data – including cookie‑less signals (so‑called pings) – are transmitted to Google; the relevant tags are only triggered after your consent.
Further information on data processing by Google can be found at: https://policies.google.com/privacy.
13. Social media links (Facebook, Instagram, LinkedIn)
On our Website, you will find links to our profiles on the social networks Facebook and Instagram (provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) as well as LinkedIn (provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland). These links are implemented as simple icons; merely accessing our Website does not result in the transmission of personal data to these providers. Only when you click on such an icon will you be redirected to the respective platform. The subsequent processing of your data on the platform is the sole responsibility of the respective provider; its privacy notice applies.
14. Google Maps
We use the Google Maps map service to show you our location, for example, and to make it easier for you to find your way. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). When Google Maps is loaded, a connection to Google’s servers is established, and your IP address and, where applicable, further data are transmitted to Google. Google also processes this data for its own purposes and is therefore an independent controller with respect to such processing; for details, please refer to Google’s privacy policy (https://policies.google.com/privacy). A transfer to Google LLC in the USA may occur and is safeguarded by the mechanisms described in the section “Recipients, processing and transfers to third countries”.
Google Maps is only embedded after you have given your consent (Art. 6(1)(a) GDPR in conjunction with Sec. 25(1) TDDDG). The map is only loaded after you have consented. You can withdraw your consent at any time with effect for the future by opening the cookie settings again.
15. Storage period and erasure
We process and store your personal data only for as long as is necessary to achieve the respective processing purpose or as long as statutory retention obligations require. After the purpose ceases to apply and any retention periods have expired, the data is routinely deleted or its processing is restricted.
For contract, invoice and booking data, statutory commercial and tax retention obligations of generally six, eight or ten years apply (in particular under the German Commercial Code and the German Fiscal Code); accounting records such as invoices must, since 1 January 2025, only be retained for eight years. During this period, we restrict processing to the fulfilment of the statutory obligations.
16. Data security
We take appropriate technical and organisational measures pursuant to Art. 32 GDPR to protect your data against loss, manipulation and unauthorised access and continuously adapt these measures to the state of the art.
Our Website uses TLS encryption. Please note that data transmission on the internet (e.g. when communicating by email) can have security gaps; complete protection against access by third parties is not possible.
17. Your rights as a data subject
Under the GDPR, you in particular have the following rights:
· Access (Art. 15 GDPR): You can request information about the personal data we process about you.
· Rectification (Art. 16 GDPR): You can request the correction of inaccurate data or the completion of your data.
· Erasure (Art. 17 GDPR): You can request the deletion of your data, subject to statutory retention obligations.
· Restriction of processing (Art. 18 GDPR): You can request that we restrict the processing of your data.
· Data portability (Art. 20 GDPR): You can request that we provide you with the data concerning you in a structured, commonly used and machine‑readable format or transfer it to another controller.
· Withdrawal of consent (Art. 7(3) GDPR): You can withdraw consent you have given at any time with effect for the future. The lawfulness of processing carried out up to the withdrawal remains unaffected.
· Objection (Art. 21 GDPR): Under the conditions of Art. 21 GDPR you can object to processing; details can be found in the separate section “Right to object (Art. 21 GDPR)”.
· Complaint (Art. 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority (see section “Right to lodge a complaint with a supervisory authority”).
To exercise your rights, a simple notification to the contact details above is sufficient.
18. Right to object (Art. 21 GDPR)
Where we process your personal data on the basis of legitimate interests (Art. 6(1)(f) GDPR), you have the right to object to this processing at any time, on grounds relating to your particular situation. We will then no longer process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.
Where we process your data for direct marketing purposes, you have the right to object to such processing at any time; this also applies to profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, your data will no longer be processed for these purposes.
19. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. The following supervisory authority is responsible for MBR Skin GmbH:
The Saxon Commissioner for Data Protection and Transparency
Maternistraße 17, 01067 Dresden, Germany
(Postal address: Postfach 11 01 32, 01330 Dresden)
Telephone: +49 351 85471‑101
Email: post@sdtb.sachsen.de
Internet: http://www.datenschutz.sachsen.de
20. No automated decision‑making
No decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you (Art. 22 GDPR) takes place. Should individual payment providers use automated procedures in the context of credit checks, they will inform you thereof in their own privacy notices.
21. Current version and changes to this Privacy Policy
This Privacy Policy reflects the status indicated above. Due to the further development of our Website and our offers or due to changes in legal or regulatory requirements, it may become necessary to amend this Privacy Policy. The current Privacy Policy can be accessed on our Website at any time.