1) Introduction and Contact Details of the Controller

1.1 We are delighted that you are visiting our website and thank you for your interest. In the following, we inform you about the handling of your personal data when using our online shop. Personal data is any data with which you can be personally identified.

1.2 The controller for data processing on this website in terms of the General Data Protection Regulation (GDPR) is:

Purple Spices L.A.B. UG (haftungsbeschränkt) Lichtburgring 12, 13355 Berlin, Germany Phone: +49 163 7084285 E-Mail: hello@purplespices.com

The controller for the processing of personal data is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.

2) Data Collection When Visiting Our Website

2.1 When merely using our website for informational purposes, i.e. if you do not register or otherwise transmit information to us, we only collect data that your browser transmits to the page server (so-called "server log files"). When you access our website, we collect the following data, which is technically necessary for us to display the website to you:

• Visited website
• Date and time of access
• Amount of data sent in bytes
• Source/referrer from which you reached the page
• Browser used
• Operating system used
• IP address used (possibly in anonymized form)

Processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in improving the stability and functionality of our website. No transfer or other use of the data takes place. We reserve the right to retrospectively check the server log files if there are concrete indications of illegal use.

2.2 This website uses SSL or TLS encryption for security reasons and to protect the transmission of personal data and other confidential content (e.g. orders or inquiries to the controller). You can recognize an encrypted connection by the string "https://" and the lock symbol in your browser line.

3) Hosting – Shopify

For the hosting of our online shop and the display of page content, we use the platform of the following provider:

Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland ("Shopify")

Data is also transferred to: Shopify Inc., 150 Elgin St, Ottawa, ON K2P 1L4, Canada.

All data collected on our website is processed on the provider's servers. We have concluded a data processing agreement with the provider, which ensures the protection of our site visitors' data and prohibits unauthorized disclosure to third parties. When data is transferred to Canada, an adequate level of data protection is ensured by an adequacy decision of the European Commission.

In addition, we use certain advanced Shopify features that involve data from your interactions with our shop. To the extent that Shopify acts as an independent data controller in this context, you can find more information in Shopify's Privacy Policy for Consumers at https://www.shopify.com/legal/privacy and in the Shopify Privacy Portal at https://privacy.shopify.com.

4) Cookies

To make visiting our website attractive and to enable the use of certain functions, we use cookies – small text files that are stored on your device. Some of these cookies are automatically deleted after closing the browser (so-called "session cookies"), while others remain on your device for a longer period and enable the storage of page settings (so-called "persistent cookies").

If personal data is also processed by individual cookies used by us, the processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR either for the performance of the contract, in accordance with Art. 6 para. 1 lit. a GDPR in the case of a granted consent, or in accordance with Art. 6 para. 1 lit. f GDPR to safeguard our legitimate interests in the best possible functionality of the website and a customer-friendly and effective design of the site visit.

You can set your browser so that you are informed about the setting of cookies and can decide individually whether to accept them or to exclude the acceptance of cookies for certain cases or in general. Please note that if you do not accept cookies, the functionality of our website may be limited.

5) Contacting Us

5.1 When you contact us (e.g. by email), personal data will be processed – exclusively for the purpose of processing and answering your request and only to the extent necessary for this purpose.

The legal basis for the processing of this data is our legitimate interest in answering your request in accordance with Art. 6 para. 1 lit. f GDPR. If your contact aims at concluding a contract, an additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR. Your data will be deleted when it can be inferred from the circumstances that the matter in question has been conclusively clarified and provided that no legal retention obligations prevent this.

6) Use of Customer Data for Direct Marketing

6.1 Email Newsletter

If you subscribe to our newsletter, we will use your email address based on your explicit consent in accordance with Art. 6 para. 1 lit. a GDPR to regularly send you information about our products and offers via email. We use the so-called double opt-in procedure, which ensures that you only receive a notification after you have explicitly confirmed your consent by clicking on a verification link sent to the email address provided.

You can unsubscribe from the newsletter at any time by using the unsubscribe link in our emails or by contacting us directly at hello@purplespices.com. After unsubscribing, your email address will be immediately deleted from our newsletter distribution list, unless you have expressly consented to further use or we reserve the right to further data use that is legally permitted and about which we inform you in this declaration.

6.2 Email Advertising to Existing Customers

If you have purchased from us and have not objected, we may send you direct marketing emails for similar products from our range based on our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR in conjunction with Section 7 para. 3 UWG. You can object to this use of your email address at any time by sending a message to hello@purplespices.com, without incurring any costs other than the transmission costs according to the basic tariffs.

6.3 Advertising by Mail

Based on our legitimate interest in personalized direct advertising, we reserve the right to use your first and last name as well as your postal address in accordance with Art. 6 para. 1 lit. f GDPR for sending interesting offers and information about our products by mail. You can object to the storage and use of your data for this purpose at any time.

7) Data Processing for Order Fulfillment

7.1 To the extent necessary for contract fulfillment for delivery and payment purposes, the personal data collected by us will be passed on to the commissioned transport company and the commissioned payment service provider in accordance with Art. 6 para. 1 lit. b GDPR.

7.2 Disclosure of Personal Data to Shipping Service Providers

For the delivery of your order, we pass on your name and delivery address to the shipping service provider commissioned by us exclusively for the purpose of goods delivery in accordance with Art. 6 para. 1 lit. b GDPR. If you have given your explicit consent in the order process in accordance with Art. 6 para. 1 lit. a GDPR, we will also pass on your email address and/or telephone number to the shipping service provider for the purpose of coordinating a delivery date or announcing the delivery. Consent can be revoked at any time with effect for the future.

7.3 Use of Payment Service Providers

Shopify Payments

For payment processing via Shopify Payments, we use the payment service provider Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland. If you select a payment method for which you pay in advance (e.g. credit card payment), your payment data provided during the ordering process (including name, address, bank and payment card information, currency, and transaction number) as well as information about the content of your order will be passed on to this provider in accordance with Art. 6 para. 1 lit. b GDPR. The transfer of your data is exclusively for the purpose of payment processing and only to the extent necessary for this.

8) Third-Party Websites and Links

Our online shop may contain links to websites operated by third parties and not under our control. If you follow links to such websites, you should review their privacy and security policies. We assume no responsibility for the privacy or security of such websites, including the accuracy or reliability of the information provided there. The inclusion of such links does not imply endorsement of the content of these websites or their operators.

9) Children's Data

Our online shop is not intended for use by children under 16, and we do not knowingly collect personal data from minors. If you, as a parent or guardian, discover that a child has provided us with personal data, please contact hello@purplespices.com. We will then delete this data immediately.

10) Security and Retention of Your Data

We take appropriate technical and organizational security measures to protect your personal data from unauthorized access, loss, destruction, or misuse. Please note that no security measures are perfect or impenetrable, and therefore we cannot guarantee absolute security. We recommend that you do not use insecure channels when transmitting sensitive information.

How long we retain your personal data depends on various factors. These include, in particular:

• whether we need the data for contract fulfillment or to manage your customer account,
• whether there are legal retention obligations (e.g., tax retention periods of up to 10 years according to Section 147 AO or commercial law periods according to Section 257 HGB),
• whether the data is necessary for the assertion, exercise, or defense of legal claims.

11) Your Rights as a Data Subject

You have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR): You can request access to the personal data stored about you and information about its processing.
• Right to rectification (Art. 16 GDPR): You can request the immediate rectification of inaccurate personal data concerning you.
• Right to erasure (Art. 17 GDPR): You can request the erasure of your personal data under certain conditions.
• Right to restriction of processing (Art. 18 GDPR): You can request the restriction of the processing of your data under certain conditions.
• Right to data portability (Art. 20 GDPR): You can receive a copy of the personal data you have provided in a structured, commonly used, and machine-readable format and request that we transmit this data to another controller.
• Right to object (Art. 21 GDPR): You can object to the processing of your personal data, which is carried out on the basis of our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR, at any time. Unless there are compelling legitimate grounds for the processing that outweigh your interests, we will cease processing after your objection.
• Right to withdraw consent (Art. 7 para. 3 GDPR): If we process your data on the basis of consent, you can withdraw this at any time with effect for the future. The lawfulness of the processing carried out before the withdrawal remains unaffected.

These rights are not absolute and may be limited under certain circumstances. To exercise your rights, please contact us using the contact details provided below. We may request proof to verify your identity. We will respond to your requests promptly, at the latest within one month, within the framework of applicable law. There will be no disadvantages for you as a result of exercising these rights.

12) Right to Lodge a Complaint with the Supervisory Authority

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit Friedrichstraße 219, 10969 Berlin Phone: +49 30 13889-0 E-Mail: mailbox@datenschutz-berlin.de Website: https://www.datenschutz-berlin.de

A complete list of data protection supervisory authorities in the European Economic Area can be found at: https://edpb.europa.eu/about-edpb/about-edpb/members_de

13) International Data Transfers

In the context of using our online shop, your personal data may be transferred, stored, and processed outside the European Economic Area (EEA), particularly in the USA and Canada. For transfers to third countries outside the EEA, we rely on appropriate safeguards in accordance with Art. 46 GDPR, in particular the standard contractual clauses of the European Commission, or on adequacy decisions of the European Commission (e.g., for Canada), which ensure a level of protection equivalent to European data protection law.

14) Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect, for example, changes to our practices or for other operational, legal, or regulatory reasons. We will post the revised Privacy Policy on this website and update the "Last Updated" date accordingly. For material changes, we will inform you as required by law.

15) Contact

If you have any questions about our privacy practices or this Privacy Policy, or if you wish to exercise any of your rights, please contact us:

Purple Spices L.A.B. UG (haftungsbeschränkt) Lichtburgring 12, 13355 Berlin, Germany Phone: +49 163 7084285 E-Mail: hello@purplespices.com

In the sense of applicable data protection laws, we are the data controller for your personal data.