Privacy Policy
This Privacy Policy explains how we process personal data when you visit this website and use our online services — in particular, when you purchase a voucher, use the contact form, exercise your right of withdrawal, or book an appointment with the partner studio. We process as little data as possible and use no tracking cookies. The German version of this Privacy Policy at /datenschutz/ is the legally binding original; this English version is provided for the convenience of non-German-speaking visitors. In case of conflict, the German text governs.
Controller
BEAUTYSHOTS HamburgBeerenweg 1E
22761 Hamburg-Altona
Email: hamburg@beauty-shots.de
Phone: +49 40 18 00 88 0
Authorized representative: Alexander Kirsch-Clayton (Managing Member)
Hosting, CDN, and server log files
This website is hosted on servers operated by Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen) in Falkenstein, Germany. For content delivery and protection against attacks, we additionally use Cloudflare, Inc. (101 Townsend St, San Francisco, USA) as a content-delivery network. When you visit, server log files store your IP address, access timestamp, referrer URL, user-agent, and the URL accessed for a maximum of 14 days. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in security and stability). Data-processing agreements under Art. 28 GDPR are in place with both providers; data transfers to the United States rely on the EU-US Data Privacy Framework and, additionally, the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR).
Cookies
This website only sets technically necessary session cookies. We do not use any tracking, marketing, or analytics cookies. When you spin the wheel of fortune, a short-lived cookie is set to limit repeat play; further cookies inside third-party iframes (Stripe, Landbot, etermin) appear only when you open the corresponding iframe and are set by that provider — see the sections below.
Contact form
When you use our contact form or the "Quick Info" short-inquiry modal, we process the data you enter (salutation, name, email, phone, subject, message) along with your IP address and the time of submission for spam prevention. The legal basis is Art. 6(1)(b) GDPR (initiation of a contractual relationship); deletion takes place after 12 months at the latest unless statutory retention duties apply. The notification email is sent via the email service provider Resend (Plus Five Five, Inc., USA; EU region Ireland) — a data-processing agreement is in place; transfer to the United States relies on the EU-US Data Privacy Framework and the EU Standard Contractual Clauses. Privacy policy: resend.com/legal.
Bot protection for forms (Cloudflare Turnstile)
On our form pages (contact form, Quick Info, online withdrawal, wheel of fortune), Cloudflare Turnstile silently checks whether the request comes from a real browser. To do so, Cloudflare processes your IP address along with commonly available browser signals (user-agent, screen size, behavioral cues). No cookies are set and no cross-site profiles are built. On pages without a form, the widget is not loaded. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in protecting our forms from automated abuse); transfer to the United States relies on the EU-US Data Privacy Framework and the EU Standard Contractual Clauses.
Voucher purchase and payment processing
When you buy a voucher, we process the order data you enter (salutation, name, email, phone, billing address, chosen shoot, optional preferred slot, optional promo code) to perform the contract (Art. 6(1)(b) GDPR) and to comply with tax and commercial-law retention duties (Art. 6(1)(c) GDPR in conjunction with § 147 AO, § 14b UStG, § 257 HGB). This involves the following processing: Payment processing via Stripe Payments Europe, Ltd. (Dublin, Ireland) — you enter your payment data directly in the embedded Stripe widget; the data does not pass through our server (privacy: stripe.com/privacy); Confirmation email with four PDF attachments (voucher, invoice, Terms, Right-of-Withdrawal notice) delivered via Resend (see "Contact form"); storage of your order data in an internal order ledger on our own server in Falkenstein; and — unless you purchased a gift voucher — transfer to a Google Sheet that we share with the partner studio in Hamburg for the operational coordination of your shoot (provider: Google Ireland Limited, Dublin; advertising or content analysis by Google is excluded). Gift purchases are excluded from this Sheet; only the redeeming recipient is entered when they book a slot. Data-processing agreements under Art. 28 GDPR are in place with Stripe, Resend, and Google; transfers to the United States rely on the EU-US Data Privacy Framework and, additionally, the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). Invoices are retained for 10 years (§ 147 AO); voucher data is kept until redeemed or until the 3-year limitation period under § 195 BGB expires.
Online withdrawal (§ 356a BGB)
Via the electronic withdrawal function at /en/withdrawal/, consumers can withdraw from their contract. We process the data you enter (name, email, voucher code or order number, optional order date, optional note) along with your IP address, user-agent, and time of receipt for identification and spam prevention. An acknowledgment to you and an internal notification to us are delivered via Resend. The legal basis is Art. 6(1)(c) GDPR in conjunction with § 356a BGB. Withdrawal declarations are retained for at least three years to evidence compliance with these statutory duties.
Wheel of fortune
On /en/wheel-of-fortune/ we offer a wheel-of-fortune game that hands out a discount code for future orders. To prevent spam and limit repeat plays, we store a hash of your IP address along with a short-lived browser cookie. If you win, we forward the first name and email address you entered to Stripe (to generate a personalized promo code) and via a Zapier webhook in Zapier's EU region (Frankfurt) into our internal customer tracking (provider: Zapier, Inc., USA). The legal basis is your consent under Art. 6(1)(a) GDPR; you can withdraw consent at any time with effect for the future by emailing hamburg@beauty-shots.de. Data transfers to the United States rely on the EU-US Data Privacy Framework and the EU Standard Contractual Clauses.
Voucher redemption
When you redeem a voucher via /en/redeem/, we process the data you enter (voucher code, security code / PIN where applicable, salutation, first and last name, email, phone, preferred slot, optional message) to perform the voucher contract and to prepare the shoot. The legal basis is Art. 6(1)(b) GDPR. Processing happens directly on our server in Falkenstein — no third-party iframe is loaded. We then forward the data needed to execute the appointment to our slot provider (see "Appointment booking with the partner studio (etermin)") and into a Google Sheet shared with the partner studio (see "Data transfer to Google Sheets").
Appointment booking with the partner studio (etermin)
The actual photo session is performed by a legally independent partner studio in Hamburg, which uses the booking platform of etermin GmbH (Wagrainerstraße 35, 4840 Vöcklabruck, Austria) for appointments. On /en/booking/, the partner studio's booking page is loaded as an iframe from etermin.net in your browser; the data you enter there (in particular name, email, phone, preferred slot) is processed by etermin under the responsibility of the partner studio and etermin. We — BEAUTYSHOTS Hamburg — are not a party to that booking relationship. Privacy policy: etermin.net/datenschutz.
Website Analytics
We use GoatCounter (self-hosted on our own server in Falkenstein) to collect anonymized, aggregated usage statistics such as page views and referrers. No IP addresses, cookies, or any other personal data are stored or transferred to third parties. For more information, visit https://www.goatcounter.com/
No other trackers
Aside from the cookie-free traffic measurement described above, we do not use Google Analytics, Facebook Pixel, Matomo, Tag Manager, or any other third-party trackers that set cookies or build user profiles.
Your rights under the GDPR
You have the right of access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21). An email to hamburg@beauty-shots.de is sufficient. You also have the right to lodge a complaint with a data-protection supervisory authority — for complaints against BEAUTYSHOTS Hamburg, the competent authority is the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (datenschutz-hamburg.de).
Last updated
This Privacy Policy was last updated on 2 May 2026. Any material future changes will be announced on this page.