1. Data Controller

Data controller within the meaning of the GDPR:

Tung Nguyen

Brettacher Straße 5

70437 Stuttgart

Email: contact@maporo.art

2. Overview of Data Processing

We process personal data only to the extent necessary to provide our online shop and services.

Types of data processed

• Identity data (name, address)
• Payment data (via Stripe, see section 6)
• Usage data (pages visited, access times)
• Communication data (email address)
• Map data (selected map area, coordinates, design options)

3. Legal Basis

• Contract performance (Art. 6(1)(b) GDPR) — processing to fulfill your order
• Legitimate interests (Art. 6(1)(f) GDPR) — operation and security of the shop
• Consent (Art. 6(1)(a) GDPR) — where you have given us consent
• Legal obligation (Art. 6(1)(c) GDPR) — e.g. tax retention obligations

4. Cookies

We use only strictly necessary cookies:

No tracking, analytics, or advertising cookies are used. No data is transmitted to advertising platforms.

5. Hosting and Infrastructure

Our website is hosted by Vercel Inc. (San Francisco, USA). Image processing services run on Railway Corp. (San Francisco, USA). Server logs are processed in this context (IP address, timestamp, requested URL). Legal basis: Art. 6(1)(f) GDPR. Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR ensure an adequate level of data protection.

For error detection and resolution, we use Sentry (Functional Software Inc., San Francisco, USA). Technical error data (error messages, browser type, anonymized usage data) is processed. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in service stability).

6. Payment Processing

Payment processing is handled by Stripe Inc. (San Francisco, USA). Your payment data (e.g. credit card number, bank details) is processed directly by Stripe. We do not receive complete payment data, only a confirmation of payment. Legal basis: Art. 6(1)(b) GDPR (contract performance).

7. Database and Storage

Order data, delivery addresses, poster previews, and final poster files are stored with Supabase Inc. (San Francisco, USA). Legal basis: Art. 6(1)(b) GDPR (contract performance).

8. Map Service

Map tiles are loaded from Mapbox Inc. (San Francisco, USA) for the editor display. Your IP address is transmitted to Mapbox in this process. Legal basis: Art. 6(1)(b) GDPR (necessary for product creation). Standard Contractual Clauses ensure an adequate level of data protection.

9. Print Fulfillment

The production and shipping of your ordered posters is handled by Gelato AS (Oslo, Norway). The data necessary to fulfill your order is transmitted (name, delivery address, order details). Legal basis: Art. 6(1)(b) GDPR (contract performance).

10. Fonts

All fonts are served locally from our own server (self-hosting). No connections to Google Fonts or other external font services are made. This ensures that no personal data is transmitted to third-party font providers.

11. SSL/TLS Encryption

This site uses SSL or TLS encryption for security reasons. You can recognize an encrypted connection by the browser address bar changing from “http://” to “https://” and the lock icon in your browser bar. When SSL/TLS encryption is active, the data you transmit to us cannot be read by third parties.

12. Newsletter and Email Delivery

We use Resend Inc. (San Francisco, USA) for sending order confirmations and newsletter emails. Your email address is transmitted to Resend for this purpose. Newsletter delivery only occurs with your explicit consent (Art. 6(1)(a) GDPR). Order confirmations are sent on the basis of contract performance (Art. 6(1)(b) GDPR). Standard Contractual Clauses ensure an adequate level of data protection. You can unsubscribe from the newsletter at any time.

13. Contact via Email

If you contact us by email, your details (email address, name if provided, and content of your enquiry) will be stored by us to process your request. This data will be deleted once storage is no longer necessary, or processing will be restricted if statutory retention obligations apply. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in responding).

14. Data Retention

We store personal data only for as long as necessary for the respective purpose:

• Order data — 10 years (statutory retention obligation under German commercial/tax law)
• Invoice data — 10 years (tax retention obligation)
• Poster files — 30 days after dispatch, then automatically deleted
• Server logs — max. 30 days
• Email correspondence — until final processing, max. 6 months
• Map configurations — not stored in a personally identifiable manner

After the respective period expires, data is routinely deleted unless a statutory retention obligation requires otherwise.

15. Automated Decision-Making

No automated decision-making including profiling within the meaning of Art. 22 GDPR takes place. We do not use algorithms that automatically make decisions with legal effect concerning you.

16. Your Rights

Under the GDPR, you have the following rights:

• Right of access (Art. 15 GDPR) — what data is stored about you
• Right to rectification (Art. 16 GDPR) — correction of inaccurate data
• Right to erasure (Art. 17 GDPR) — deletion of your data
• Right to restriction (Art. 18 GDPR) — restriction of processing
• Right to data portability (Art. 20 GDPR) — receiving your data in machine-readable format
• Right to object (Art. 21 GDPR) — objection to processing

To exercise your rights, contact us at: contact@maporo.art

17. Right to Complain

You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data.

18. Changes

We reserve the right to update this privacy policy to ensure it always complies with current legal requirements or to implement changes to our services. The updated privacy policy will apply to your next visit.