Privacy Policy

  1. Controller

Surfish

Email: surfish@surfish.eu

The party named above is the controller within the meaning of the GDPR (and, where applicable, the Swiss DPA/revFADP).

  2. Hosting and Provision of the Online Shop (Shopify)

Our shop is operated through the service provider Shopify. Provider: Shopify International Ltd., 2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland; Shopify Inc., 151 O'Connor Street, Ground Floor, Ottawa, ON K2P 2L8, Canada.

Shopify processes personal data (e.g. order, customer, payment, and log data) on our behalf in order to provide the shop. This may involve transfers to third countries (in particular Canada/USA). Shopify uses, among other things, Standard Contractual Clauses (SCCs) and other safeguards to ensure an adequate level of data protection. Details can be found in Shopify's own privacy policy.

Legal basis: Art. 6(1)(b) GDPR (contract/order processing) and Art. 6(1)(f) GDPR (legitimate interest in secure and efficient shop operation).

  3. Access Data and Server Logs

When you visit our website, technical data is automatically collected (IP address, date/time, URL, referrer URL, user agent, and any error codes). This log data is used for security, error analysis, and stable service delivery.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in security/operation). Storage period: Log data is deleted by the host according to system-based retention periods.

  4. Cookies and Consent Management

We use cookies and similar technologies (e.g. local storage) to operate the website (strictly necessary), to compile statistics, and where applicable to provide marketing functions. Cookies that are not strictly necessary are only set with your consent via a consent banner.

Necessary: e.g. shopping cart, checkout, CSRF protection

Statistics (optional): e.g. analysis of website usage

Marketing (optional): e.g. remarketing/ads

Legal basis: Art. 6(1)(c) GDPR (compliance with legal obligations regarding consent), Art. 6(1)(f) GDPR (legitimate interest in operationally necessary cookies), Art. 6(1)(a) GDPR (consent for statistics/marketing). You can change or withdraw your consent at any time via the consent banner.

  5. Orders and Customer Account

When you place an order, we process the data you provide (e.g. name, address, email, ordered products) to process the contract, for communication, and for invoicing/tax purposes. You can optionally create a customer account; you can change or delete the data stored there in your account at any time.

Legal basis: Art. 6(1)(b) GDPR (contract), Art. 6(1)(c) GDPR (legal obligations, e.g. retention requirements), Art. 6(1)(f) GDPR (fraud prevention/IT security). Storage period: statutory retention periods (e.g. commercial/tax law: generally 6 to 10 years).

  6. Payment

We offer the following payment methods: credit card (Visa, Mastercard, American Express), PayPal, Klarna (invoice and installments), instant bank transfer, Apple Pay, Google Pay. Depending on the method chosen, payment data is transmitted directly to the respective payment service provider. These providers are independent controllers within the meaning of the GDPR.

Legal basis: Art. 6(1)(b) GDPR (contract/payment processing). Please refer to the privacy notices of the respective providers (these process, among other things, payment/transaction data, verification data for fraud prevention, and in some cases creditworthiness data in the case of Klarna).

  7. Shipping and Logistics

To deliver your order, we transmit the necessary data (name, delivery address, and where applicable email/phone number for shipping notifications) to our shipping provider, DHL.

Legal basis: Art. 6(1)(b) GDPR (contract/shipping processing), Art. 6(1)(f) GDPR (information about delivery/tracking).

  8. Contact Inquiries and Support

If you contact us (e.g. by email or contact form), we process the information you provide to handle your inquiry and any follow-up questions.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual/contractual communication) or Art. 6(1)(f) GDPR (legitimate interest in efficient communication). Storage period: inquiries are deleted once they have been fully handled, unless legal obligations require otherwise.

  9. Newsletter

When you sign up for our newsletter, we store your email address and, where applicable, your name. Signup follows the double opt-in procedure; you can unsubscribe at any time (e.g. via the unsubscribe link).

Legal basis: Art. 6(1)(a) GDPR (consent). Proof of consent: we log the time of signup/confirmation and your IP address (Art. 6(1)(c) in conjunction with Art. 7 GDPR).

  10. Web Analytics and Marketing

If activated, we use analytics and marketing tools (e.g. Shopify Analytics, Google Analytics, Meta Pixel) to evaluate the use of our website and to improve or promote our offering. Cookies and similar technologies may be used in this process; data may be transferred to third countries (SCCs/other safeguards).

Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw your consent at any time (consent banner).

  11. Data Security

We use technical and organizational measures (including SSL/TLS encryption) to protect your data against loss, misuse, or unauthorized access. Our service providers are carefully selected and bound by data processing agreements.

  12. Transfers to Third Countries

Where service providers process data outside the EU/EEA (e.g. Canada/USA), we ensure an adequate level of data protection through recognized safeguards, in particular EU Standard Contractual Clauses (SCCs).

  13. Retention Period

We only process personal data for as long as is necessary for the purposes stated above or as required by statutory retention periods. After that, the data is deleted or anonymized.

  14. Your Rights (Data Subject Rights)

You have the right to

access the data we hold about you,

correction of inaccurate data,

erasure ("right to be forgotten"),

restriction of processing,

data portability,

object to processing based on Art. 6(1)(f) GDPR,

withdraw any consent given, with effect for the future.

To exercise your rights, simply send a message to surfish@surfish.eu. You also have the right to lodge a complaint with a supervisory authority (in particular in your member state).

  15. Swiss Data Protection Law (revFADP)

For users residing in Switzerland, the revised Swiss Federal Act on Data Protection (revFADP) also applies. We process personal data according to the purposes and legal bases described above; for transfers abroad, we ensure an adequate level of protection (e.g. via SCCs). Requests can be sent to surfish@surfish.eu.

  16. Minors

Our offering is not directed at children under 16 years of age. Where required, we obtain consent from a parent or legal guardian.

  17. Changes to This Privacy Policy

We update this privacy policy whenever necessary due to technical changes, the use of new services, or legal requirements. The version currently published on this page applies.

Last updated: 09/01/2025