Privacy Policy

Last updated: April 2026

Gretels Gold GmbH (hereinafter: “Gretels Gold” or “we”) takes the protection of personal data very seriously. The following explains what data we process, when, and for what purposes in connection with the provision of our website.

1. Controller

The controller pursuant to Art. 4 (7) of the European General Data Protection Regulation (GDPR) is:

Gretels Gold GmbH
Aispachstraße 18
72764 Reutlingen
Deutschland

Phone: +49 160 7115071
Email: info@gretelsgold.de

You can reach us at any time regarding data protection matters using the contact details provided here.

2. Legal Basis, Purpose, and Retention Period for the Processing of Personal Data

a. Website Visits

Each time our website is accessed, our system automatically collects the following data and information from the computer system of the accessing device:

• Browser type and version used
• Operating system of the user
• Date and time of access
• Internet service provider of the user
• IP address of the user
• Volume of data transmitted
• Notification of successful retrieval
• Website from which the user’s system accessed our website
• Website accessed by the user’s system via our website

The legal basis for the temporary processing of this information is Art. 6 (1) lit. f GDPR. The temporary storage of this data is necessary to enable the user to make full use of the website. In particular, the user’s IP address must be stored for the duration of the session. The data also serves us for the technical optimisation of the website and to ensure the security of our information technology systems. These purposes also constitute our legitimate interest in processing the data, Art. 6 (1) lit. f GDPR.

The data is generally deleted as soon as it is no longer required for the purpose for which it was collected. In the case of data collected for the provision of the website, this is the case when the respective session has ended. Log file information is stored for security purposes (e.g. to investigate misuse or fraudulent activities) for a maximum of 7 days and then deleted. Data whose further retention is required for evidentiary purposes is exempt from deletion until the final clarification of the respective incident.

b. Contact

If you send us a message, e.g. via email, we process the following data provided by you: name, email address and, where applicable, further personal data that you include in your message to us.

The legal basis for the collection of data in the context of contact enquiries is Art. 6 (1) sentence 1 lit. b GDPR (processing is necessary for the performance of a contract with the data subject) where a contractual relationship is intended or already exists. The legal basis is Art. 6 (1) sentence 1 lit. f GDPR (processing is necessary to protect our legitimate interests) where no contractual relationship exists or is intended, e.g. where the contact is of a general nature. In the latter case, our legitimate interest lies in responding to your enquiry in an appropriate manner.

The data is deleted as soon as it is no longer required for the purpose for which it was collected or for documentation purposes. Mandatory statutory provisions — in particular retention periods — remain unaffected.

c. Use of Cookies

When you use our website, we only use cookies to store your selected language preference, to check whether cookies have been set, and to manage caching. The purpose of using these cookies, which are necessary for the operation of the website, is to enable the proper and meaningful use of our website. We do not use analytics or marketing cookies.

Cookies are small text files that store information about your use of our website (e.g. pages visited, number of visits, visit times, time spent on individual pages, browser used, operating system used, etc.) on your computer or device, provided you allow this through your browser settings. Cookies cannot execute programmes or transmit viruses to your computer.

The legal basis for the processing of information from technically necessary cookies is Section 25 (2) No. 2 of the Act on Data Protection and Privacy in Telecommunications and Digital Services (TDDDG). Where personal data — in particular your IP address — is processed in connection with the use of technically necessary cookies, the legal basis for processing is Art. 6 (1) sentence 1 lit. f GDPR (processing is necessary to protect our legitimate interests). We have a legitimate interest in being able to offer our website visitors a properly functioning, user-friendly and up-to-date website. Basic functions of our website cannot be provided without the use of cookies. These purposes also constitute our legitimate interest.

These cookies are generally deleted after a maximum of 2 days. Only the cookies for language settings are deleted after one year.

d. Social Media Channels

We maintain a so-called fan page / account on Instagram in order to provide you with information about our company and our projects within social networks, as well as to offer you additional ways to contact us and find out about our services. The following explains what data we and the respective social network process about you in connection with the access and use of our fan page / account.

You do not need to be a member of the respective social network to view the content of our social media presence. As such, no user account for the respective social network is required. Please note, however, that social networks collect and store data from website visitors without a user account when the respective social network is accessed (e.g. technical data to display the website to you) and use cookies and similar technologies, over which we have no influence. For details, please refer to Instagram’s privacy policy.

When you use our account on the Instagram social media platform, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland are jointly responsible for the processing of personal data of users.

(1) Processing by Gretels Gold

If you wish to interact with the content on our Instagram page, e.g. comment on, share or like our posts, and/or wish to contact us via messenger functions, prior registration with the respective social network and the provision of personal data is required.

When you interact with us via the respective social network, we generally process your username through which you contact us and may store further data provided by you, to the extent necessary for processing/responding to your enquiry. The legal basis for this is Art. 6 (1) sentence 1 lit. f GDPR (processing is necessary to protect the legitimate interests of the controller). Our legitimate interest lies in responding to your contact request.

Unless a more specific retention period has been stated elsewhere in this privacy policy, your personal data will remain with us until the purpose for the data processing no longer applies. If you assert a legitimate request for deletion or withdraw your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g. tax or commercial law retention periods); in the latter case, deletion will take place after these reasons cease to apply.

(2) Processing by Meta Platforms Ireland

We have no influence over the data processing carried out by Meta Platforms Ireland in connection with your use of the platform. To the best of our knowledge, your data is stored and processed in particular in connection with the provision of Instagram, and furthermore for the analysis of user behaviour (using cookies, pixels/web beacons and similar technologies), on the basis of which interest-based advertising is served both within and outside of Instagram. It cannot be excluded that your data may be stored outside the EU/EEA and passed on to third parties in this context.

Information on the exact scope and purposes of the processing of your personal data, the retention period/deletion, and policies on the use of cookies and similar technologies in connection with registration and use of social networks can be found in the privacy policy/cookie guidelines of Meta Platforms Ireland. You will also find information there about your rights and options for objection.

We recommend that you assert your data protection rights to access, rectification, deletion, restriction of processing, objection, and data portability directly with Meta Platforms Ireland, 4 Grand Canal Square, Dublin 2, Ireland, insofar as the data processing is carried out by the social networks.

3. Data Transfer

Like any company, we use service providers who provide us with web hosting services. In this context, we transfer your personal data to our web host IONOS SE, Elgendorfer Str. 57, 56410 Montabaur.

In particular when offering our Instagram account jointly with Meta Platforms Ireland Limited, it cannot be excluded — due to the corporate affiliations of Meta Platforms Ireland Limited — that personal data may be transferred to third countries outside the EU/EEA (in particular to the USA). In these third countries, there is generally no level of data security comparable to that within the EU/EEA. To ensure an adequate level of data protection, we ensure that the social media platforms we select are certified under the EU-US Data Privacy Framework Agreement and/or conclude so-called EU standard contractual clauses, under which the respective platform undertakes to comply with standards established by the EU Commission in order to protect your personal data. We also select social media platforms based on whether they provide additional guarantees, such as acquired protection certificates and/or evidence of additional and appropriate technical and organisational measures to protect your personal data (e.g. encryption of data). The company Meta Platforms, Inc., affiliated with Meta Platforms Ireland, is certified under the EU-US Data Privacy Framework Agreement.

4. Absence of Automated Decision-Making

We would like to inform you that you will not be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning you or similarly significantly affects you.

5. No Obligation to Provide Personal Data

The provision of personal data is neither legally nor contractually required and is not necessary for the conclusion of a contract. You are therefore not obliged to provide personal data. However, in order to use our website (see the description of the respective services in Section 2), the provision of the personal data required for this purpose is necessary.

6. Rights of the Data Subject

You have the following rights with respect to the personal data concerning you:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR; “right to be forgotten”)
• Right to restriction of processing (Art. 18 GDPR)
• Right to object to processing (Art. 21 GDPR)
• Right to data portability (Art. 20 GDPR)

You also have the right to lodge a complaint with a data protection supervisory authority in the member state of your place of residence, place of work, or place of the alleged infringement regarding the processing of your personal data by us, if you consider that the processing of your personal data is unlawful.

Where you have given us your consent to the processing of your data, you may withdraw this consent at any time with effect for the future. The lawfulness of the processing of your data up to the point of withdrawal remains unaffected. To exercise your rights or for any other data protection concerns, you may contact us at any time using the contact details listed in Section 1 above and/or those provided in our legal notice.

We would additionally like to point out that where the processing of your personal data is based on legitimate interests within the scope of the balancing of interests pursuant to Art. 6 (1) sentence 1 lit. f GDPR, you have the right to object to the processing of your personal data at any time.