Privacy Policy

We take the protection of your personal data very seriously and treat your data confidentially in accordance with statutory data protection regulations (GDPR, BDSG, TDDDG/TTDSG and the revised Swiss FADP for visitors from Switzerland) and this privacy policy.

This policy explains which personal data we collect on curacap.biz, how we use it and what rights you have.

Personal data is any data that can be used to personally identify you (e.g. name, email address, IP address).

The controller for the data processing on this website is:

CuraCap GmbH · Semmelweisstrasse 19 · 79576 Weil am Rhein · Germany · represented by Dr. Holger Scheib · Phone +41 79 916 22 28 · Email info@curacap.biz

HRB 722090, Local Court of Freiburg im Breisgau · VAT ID DE331512302

Affiliated entity: CuraCap Schweiz GmbH · Schänzlistrasse 37 · 2545 Selzach · Switzerland · UID CHE-158.321.901.

This website is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. Each request creates technical log data (IP address, date/time, requested URL, HTTP status code, transferred data volume, referrer, user agent).

Delivery is performed primarily through the Vercel Edge Network in Frankfurt am Main, Germany. In individual cases, transfers to third countries (in particular the USA) may occur.

Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in stable, secure provisioning of the website). A data processing agreement under Art. 28 GDPR and EU Standard Contractual Clauses under Art. 46 GDPR are in place with Vercel.

Retention period: maximum 30 days, then automatically anonymised.

We use only technically necessary cookies / local storage entries on this website and — only after your explicit consent — cookies and pixels for analytics and marketing purposes.

Strictly necessary storage (no consent required under § 25 (2) No. 2 TDDDG): language preference (local storage), consent status (local storage key curacap:tracking-consent).

Consent-based storage (§ 25 (1) TDDDG in conjunction with Art. 6 (1) lit. a GDPR): Google Analytics 4 (cookies _ga, _ga_*, retention up to 14 months), Meta Pixel (cookies _fbp, _fbc, retention up to 90 days), Google Ads Conversion Tracking (cookie _gcl_au, retention up to 90 days).

You can withdraw your consent at any time with effect for the future. To do so, click the “Cookie settings” link in the footer or delete the local storage entry curacap:tracking-consent in your browser. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

After your consent, this website uses Google Analytics 4, a web analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, USA).

Google Analytics uses cookies and similar technologies to analyse your use of the website (pages visited, time on page, scroll depth, interactions with controls, device and browser data, approximate location at city/region level).

We have enabled IP anonymisation (anonymize_ip); the IP is truncated before storage and not merged with other data. We use Google Consent Mode v2; before consent is granted, only aggregated, non-personal pings are transmitted to Google.

Transfers to the USA may occur. Google is certified under the EU-US Data Privacy Framework (Art. 45 GDPR). Additionally, EU Standard Contractual Clauses (Art. 46 GDPR) and a data processing agreement (Art. 28 GDPR) are in place.

Legal basis: Art. 6 (1) lit. a GDPR. Retention period: 14 months (Google-side). You can also opt out of Google Analytics tracking using the browser add-on at https://tools.google.com/dlpage/gaoptout

After your consent, this website uses the Meta Pixel of Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland).

The Meta Pixel allows us to track user behaviour after they have clicked on a Facebook or Instagram ad and been redirected to our website, to measure the effectiveness of ads, and to build Custom Audiences and Lookalike Audiences.

Device and browser information, IP address, referrer, pages visited, scroll depth, time on page and interactions with call-to-action elements are processed and transferred to Meta in the USA. Meta is certified under the EU-US Data Privacy Framework.

We have entered into a Joint Controller Addendum under Art. 26 GDPR with Meta, available at https://www.facebook.com/legal/controller_addendum.

Legal basis: Art. 6 (1) lit. a GDPR. Retention of cookies set: up to 90 days.

After your consent, we use Google Ads Conversion Tracking of Google Ireland Limited to measure the effectiveness of our advertisements (e.g. whether you reach a specific goal on the website after clicking on an ad).

Google Ads sets a cookie (_gcl_au) on your device. Conversion clicks, click ID, timestamp and a reference to the ad are recorded. We only receive statistical evaluations from Google; we cannot identify you personally.

Transfers to the USA may occur (see section 5).

Legal basis: Art. 6 (1) lit. a GDPR. Retention period: up to 90 days.

When you contact us by email or via a contact form, your details (in particular name, email address and content of the request) will be stored for the purpose of processing your request and for any follow-up questions.

Legal basis: Art. 6 (1) lit. b GDPR (pre-contractual measures) or Art. 6 (1) lit. f GDPR (legitimate interest in efficient request processing).

We use HighLevel LLC (GoHighLevel, 400 N Saint Paul St, Suite 920, Dallas, TX 75201, USA) for contact form and newsletter processing. HighLevel is certified under the EU-US Data Privacy Framework; a data processing agreement and EU Standard Contractual Clauses are in place.

Retention period: your request data will be deleted as soon as it is no longer required for the purpose of its collection, generally after 36 months. Mandatory statutory retention obligations (in particular under commercial and tax law) remain unaffected.

If you subscribe to our newsletter, we process your email address and any further voluntarily provided data exclusively for sending the newsletter. Subscription is via double opt-in.

Legal basis: Art. 6 (1) lit. a GDPR. You can withdraw your consent at any time, e.g. via the unsubscribe link in every newsletter.

Mailing service provider: HighLevel LLC (see section 8). Mailing statistics (open and click rates) are evaluated on an aggregated level to optimise the newsletter.

When you place an order on curacap.biz, we process the data necessary to fulfill the contract (name, shipping address, email, optional phone number, order details). Legal basis: Art. 6 (1) lit. b GDPR (contract performance) and Art. 6 (1) lit. c GDPR (statutory retention).

Payment processing: Stripe Payments Europe Ltd. (1 Grand Canal Street Lower, Dublin 2, Ireland). Stripe processes payment data directly; sensitive card/bank data never reaches our server. A data processing agreement (Art. 28 GDPR) is in place. Stripe privacy notice: https://stripe.com/en/privacy

Shipping logistics: Amazon EU SARL (38 avenue John F. Kennedy, L-1855 Luxembourg) and affiliated Amazon entities. We use Amazon Multi-Channel Fulfillment (MCF) to ship orders from our German FBA warehouse. We forward name, shipping address and order details via the Amazon Selling Partner API. Shipments are sent in neutral packaging. Amazon privacy notice: https://www.amazon.de/gp/help/customer/display.html?nodeId=201909010

Order confirmation and shipping notification emails are sent via Resend Inc. (2261 Market Street #5039, San Francisco, CA 94114, USA). Transmitted: recipient email, order number and order details. Resend is covered by EU Standard Contractual Clauses (Art. 46 GDPR).

Retention of order data: 10 years for invoices and tax-relevant records (§ 257 HGB, § 147 AO); 36 months for other order-related data.

Recipients of your personal data are: Vercel Inc. (hosting + database), Stripe Payments Europe Ltd. (payment processing), Amazon EU SARL and affiliated Amazon entities (MCF shipping logistics), Resend Inc. (transactional email), Google Ireland Ltd. / Google LLC (Analytics, Ads), Meta Platforms Ireland Ltd. / Meta Platforms Inc. (Pixel), HighLevel LLC (contact form & newsletter).

Transfers to third countries (in particular the USA) take place exclusively on the basis of an adequacy decision (EU-US Data Privacy Framework, Art. 45 GDPR) and/or EU Standard Contractual Clauses (Art. 46 GDPR) and supplementary technical and organisational measures.

We do not sell your personal data.

You have the right at any time to access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and to object to processing based on legitimate interest (Art. 21).

For processing based on consent, you can withdraw your consent at any time with effect for the future (Art. 7 (3) GDPR). The lawfulness of processing carried out before withdrawal is not affected.

An informal message to info@curacap.biz is sufficient to exercise your rights.

You also have the right to lodge a complaint with a data protection supervisory authority. Competent for us: The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, Königstrasse 10a, 70173 Stuttgart, Germany, https://www.baden-wuerttemberg.datenschutz.de

For visitors residing in Switzerland, the revised Swiss Federal Act on Data Protection (revFADP) applies in addition. Its terms and obligations largely correspond to the GDPR.

Controller within the meaning of Art. 5 lit. j revFADP is CuraCap GmbH (see above). The contact point for Swiss requests is the affiliated company CuraCap Schweiz GmbH, Schänzlistrasse 37, 2545 Selzach (independent legal entity, UID CHE-158.321.901).

You have the following rights vis-à-vis the controller: right of access (Art. 25 revFADP), right to data release and portability (Art. 28 revFADP), right to rectification (Art. 32 revFADP), as well as the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC, Feldeggweg 1, 3003 Bern, Switzerland, www.edoeb.admin.ch).

We use TLS encryption (HTTPS) for all data transmissions between your browser and our servers. Personal data is only stored for as long as necessary to achieve the stated purposes or as required by statutory retention obligations (in particular § 257 HGB, § 147 AO).

Specific retention periods can be found in the respective sections above.

We adapt this privacy policy in case of changes to our data processing or legal requirements. The current version published on this page is always authoritative.