Privacy Policy
2026-05-27
§1 Controller
Controller within the meaning of the GDPR is:
TDF Labs GmbH
Rosa-Bavarese-Str. 3
D-80639 Munich, Germany
Phone: +49 151 68153269
Email: [email protected]
Managing Director: Fei Liu
A Data Protection Officer has not been appointed, as the statutory thresholds under § 38 BDSG are not met. For data-protection enquiries, please contact us directly at [email protected].
§2 Data Collection on Our Website
(1) When you visit our website, the following data is automatically collected by our hosting provider and stored in server log files:
- IP address (truncated after 7 days)
- Date and time of the request
- HTTP method and requested URL
- HTTP status code and response size
- Referrer URL (if provided)
- User-agent string (browser and operating system)
(2) Legal basis: Art. 6 (1) (f) GDPR — our legitimate interest in operating a secure and stable website. Logs are retained for a maximum of 7 days and then deleted or anonymised, except where retention is required to investigate a specific security incident.
(3) Hosting: The website is hosted by Railway Corp., 2261 Market Street, Suite 4382, San Francisco, CA 94114, USA. A data processing agreement (Art. 28 GDPR) including EU Standard Contractual Clauses is in place to safeguard transfers.
(4) Anti-abuse: Public forms are protected by Cloudflare Turnstile (Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA). Turnstile evaluates browser characteristics to detect automated abuse; no analytics or behavioural profiling occurs. Legal basis: Art. 6 (1) (f) GDPR.
§3 Cookies
We use cookies and similar storage technologies only where they are necessary for requested functions or where you have made an explicit privacy choice.
Current examples on the public site include:
- peachme-locale: remembers your manually selected language for up to 12 months.
- peachme-cart-session: is created after an active cart or checkout interaction so a guest cart can be continued for up to 30 days.
- peachme-member-session: keeps a signed-in member session active for up to 30 days or until you sign out.
- peachme-consent: stores your privacy settings when you save or update them in the privacy settings dialog for up to 6 months.
The public booking flow also offers an optional live Google Maps enhancement that stays disabled until you allow external media and services. Public lead forms may use Cloudflare Turnstile anti-abuse verification when configured; this protection is required to submit the form and is not controlled by the optional external media setting.
§4 Order Processing & Payment
(1) When you place an order, we process the following data to perform the purchase contract: name, billing/shipping address, email, phone (optional), order details, and payment metadata. Legal basis: Art. 6 (1) (b) GDPR (contract performance).
(2) Payment processing is handled by Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland ("Stripe"). Stripe receives the data necessary to process the payment (name, billing address, email, amount, and payment-method details). Card data is entered directly into Stripe's PCI-DSS-compliant infrastructure and is not stored on our servers. Stripe's privacy policy: https://stripe.com/privacy. Where Stripe transfers data to its US-based group companies, EU Standard Contractual Clauses apply.
(3) Transactional email is delivered through Brevo (Sendinblue SAS, 106 Boulevard Haussmann, 75008 Paris, France). Brevo processes the recipient's email address, name, and the content of the message solely for transactional delivery. Legal basis: Art. 6 (1) (b) and (f) GDPR.
(4) Tax retention: Invoices and order data must be retained for 10 years under § 147 AO and § 257 HGB. Until expiry of these periods, the right to erasure (Art. 17 GDPR) is restricted accordingly.
§5 Shipping
(1) To deliver your order, we transmit your shipping address, name, and (optionally) email/phone to our shipping partners:
- Sendcloud B.V., Stationsplein 32, 5211 AP 's-Hertogenbosch, Netherlands — for label generation and tracking aggregation. Privacy policy: https://www.sendcloud.com/privacy-policy/
- DHL Paket (Deutsche Post AG, Charles-de-Gaulle-Str. 20, 53113 Bonn, Germany) — for physical delivery and tracking. Privacy policy: https://www.dhl.de/de/privatkunden/footer/datenschutz.html
(2) Legal basis: Art. 6 (1) (b) GDPR (contract performance). Email address and phone are passed on only if you have provided them, in order to receive delivery notifications and arrange handover; this is based on Art. 6 (1) (f) GDPR (legitimate interest in smooth delivery).
§6 Your Rights
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): obtain confirmation whether we process data about you, and a copy of that data.
- Right to rectification (Art. 16 GDPR): have inaccurate data corrected.
- Right to erasure (Art. 17 GDPR): have data deleted where the legal grounds allow.
- Right to restriction (Art. 18 GDPR): require restriction of processing under specific conditions.
- Right to data portability (Art. 20 GDPR): receive data you provided to us in a structured, machine-readable format.
- Right to object (Art. 21 GDPR): object to processing based on legitimate interests at any time.
- Right to withdraw consent (Art. 7 (3) GDPR): withdraw any consent at any time, without affecting the lawfulness of processing before withdrawal.
To exercise these rights, contact us at [email protected].
You also have the right to lodge a complaint with a data-protection supervisory authority. The authority competent for us is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
https://www.lda.bayern.de
§7 Contact for Data Protection
For data protection inquiries, contact us at: [email protected]