Privacy Policy · Datenschutzerklärung
Art. 13 GDPR · BDSG · TDDDG · Version: 1 July 2026 · v1.0
1 · Controller
Controller: ShipFarmy GmbH (address as in the Impressum). Data protection contact: [EMAIL_PRIVACY].
2 · Processing activities
We process personal data in accordance with the GDPR and BDSG. The following sets out the processing activities with purposes, legal bases and storage periods.
| Activity | Purpose | Legal basis | Retention |
|---|---|---|---|
| Server log files | Provision and security of the website (IP, time, browser) | Art. 6(1)(f) GDPR (legitimate interest) | typically 7–30 days |
| Contact & Navi | Handling enquiries and interactions with the AI assistant Navi | Art. 6(1)(b)/(f) GDPR | until resolved + retention |
| User account | Registration and management of platform access | Art. 6(1)(b) GDPR | duration of account |
| Transaction & logistics | Order, delivery and settlement processing; traceability | Art. 6(1)(b)/(c) GDPR | statutory periods |
| Payment (Stripe) | Payment processing via the payment service provider | Art. 6(1)(b) GDPR | per PSP |
| Newsletter/marketing | Direct marketing to business contacts | Art. 6(1)(a)/(f) GDPR; § 7 UWG | until withdrawal |
| Applicant data | Conducting recruitment procedures | § 26 BDSG; Art. 6(1)(b) GDPR | 6 months after rejection |
3 · Recipients & processors
Recipients and processors: hosting ([HOSTING_PROVIDER]), e-mail service ([EMAIL_SERVICE]), support ([SUPPORT_TOOL]), payment service provider (Stripe Payments Europe Ltd.) and the AI provider for the Navi assistant (Anthropic PBC, USA). Art. 28 GDPR contracts are in place with all processors.
4 · Third-country transfers
Third-country transfers: where recipients are located outside the EU/EEA — in particular the AI provider (Anthropic PBC, USA) and, where applicable, hosting or support services — transfers occur only on the basis of appropriate safeguards under Art. 44 et seq. GDPR: EU Standard Contractual Clauses (Art. 46) with supplementary measures and, where the recipient is certified, the EU-US Data Privacy Framework (adequacy decision, Art. 45).
5 · AI & automated decisions
AI and automated decisions: the AI systems used — including the Navi assistant and any further AI-assisted features — are labelled as AI (Art. 50 AI Act, applicable from 2 August 2026). Inputs to Navi are processed to generate the response and transmitted for that purpose to the AI provider (processor, sections 2.3–2.4); please do not enter unnecessary personal or confidential data. A solely automated decision with legal effect within the meaning of Art. 22 GDPR does not take place without an appropriate legal basis and safeguards (in particular the right to human intervention).
6 · DAC7 notice
DAC7 notice: as a reporting platform operator we process and transmit certain seller data to the Federal Central Tax Office (§ 22 PStTG). Affected sellers are informed separately.
7 · Retention
Retention: commercially and fiscally relevant records are retained for up to ten (10) years under § 147 AO and § 257 HGB.
8 · Cookies
Cookies: see the cookie notice (section 4) and the consent banner. Non-essential cookies are set only with consent (§ 25 TDDDG).
9 · Your rights
Your rights: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21) and withdrawal of consent (Art. 7(3)). You also have the right to lodge a complaint with a supervisory authority, e.g. the Berlin Commissioner for Data Protection and Freedom of Information.
10 · Security & changes
Security: we take appropriate technical and organisational measures (Art. 32 GDPR). Changes: this policy may be updated; the published version applies. Version: 1 July 2026.