Privacy Policy

Last updated: March 2026

The German version of this privacy policy is the legally binding version.

1. Data Controller

Data controller within the meaning of the GDPR:

Tung Nguyen

Brettacher Straße 5

70437 Stuttgart

Email: contact@maporo.art

2. Overview of Data Processing

We process personal data only to the extent necessary to provide our online shop and services.

Types of data processed

  • Identity data (name, address)
  • Payment data (via Stripe, see section 6)
  • Usage data (pages visited, access times)
  • Communication data (email address)
  • Map data (selected map area, coordinates, design options)

3. Legal Basis

  • Contract performance (Art. 6(1)(b) GDPR) — processing to fulfill your order
  • Legitimate interests (Art. 6(1)(f) GDPR) — operation and security of the shop
  • Consent (Art. 6(1)(a) GDPR) — where you have given us consent
  • Legal obligation (Art. 6(1)(c) GDPR) — e.g. tax retention obligations

4. Cookies

We use only strictly necessary cookies:

CookiePurposeDuration
maporo_localeStores your language and currency preference1 year

No tracking, analytics, or advertising cookies are used. No data is transmitted to advertising platforms.

5. Hosting and Infrastructure

Our website and related services (image processing, data storage) are operated by cloud hosting providers in the USA. Server logs are processed in this context (IP address, timestamp, requested URL). Legal basis: Art. 6(1)(f) GDPR. Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR ensure an adequate level of data protection.

6. Payment Processing

Payment processing is handled by an external payment service provider based in the USA. Your payment data (e.g. credit card number, bank details) is processed directly by the payment provider. We do not receive complete payment data, only a confirmation of payment. Legal basis: Art. 6(1)(b) GDPR (contract performance).

7. Database and Storage

Order data, delivery addresses, poster previews, and final poster files are stored with a cloud database and storage provider. Legal basis: Art. 6(1)(b) GDPR (contract performance).

8. Map Service

Map tiles are loaded from an external map service provider based in the USA for the editor display. Your IP address is transmitted to the provider in this process. Legal basis: Art. 6(1)(b) GDPR (necessary for product creation). Standard Contractual Clauses ensure an adequate level of data protection.

9. Print Fulfillment

The production and shipping of your ordered posters is handled by an external print fulfillment partner. The data necessary to fulfill your order is transmitted (name, delivery address, order details). Legal basis: Art. 6(1)(b) GDPR (contract performance).

10. Fonts

All fonts are served locally from our own server (self-hosting). No connections to Google Fonts or other external font services are made. This ensures that no personal data is transmitted to third-party font providers.

11. SSL/TLS Encryption

This site uses SSL or TLS encryption for security reasons. You can recognize an encrypted connection by the browser address bar changing from “http://” to “https://” and the lock icon in your browser bar. When SSL/TLS encryption is active, the data you transmit to us cannot be read by third parties.

12. Contact via Email

If you contact us by email, your details (email address, name if provided, and content of your enquiry) will be stored by us to process your request. This data will be deleted once storage is no longer necessary, or processing will be restricted if statutory retention obligations apply. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in responding).

13. Data Retention

We store personal data only for as long as necessary for the respective purpose:

  • Order data — 10 years (statutory retention obligation under German commercial/tax law)
  • Invoice data — 10 years (tax retention obligation)
  • Poster files — 30 days after dispatch, then automatically deleted
  • Server logs — max. 30 days
  • Email correspondence — until final processing, max. 6 months
  • Map configurations — not stored in a personally identifiable manner

After the respective period expires, data is routinely deleted unless a statutory retention obligation requires otherwise.

14. Automated Decision-Making

No automated decision-making including profiling within the meaning of Art. 22 GDPR takes place. We do not use algorithms that automatically make decisions with legal effect concerning you.

15. Your Rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15 GDPR) — what data is stored about you
  • Right to rectification (Art. 16 GDPR) — correction of inaccurate data
  • Right to erasure (Art. 17 GDPR) — deletion of your data
  • Right to restriction (Art. 18 GDPR) — restriction of processing
  • Right to data portability (Art. 20 GDPR) — receiving your data in machine-readable format
  • Right to object (Art. 21 GDPR) — objection to processing

To exercise your rights, contact us at: contact@maporo.art

16. Right to Complain

You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data.

17. Changes

We reserve the right to update this privacy policy to ensure it always complies with current legal requirements or to implement changes to our services. The updated privacy policy will apply to your next visit.