As of: February 17, 2026

Privacy Policy

Information on the processing of your personal data pursuant to Art. 13 GDPR

This privacy policy applies worldwide to the use of our website and online shop “purelvl.com”.

“purelvl” is a brand/name of the online shop, but not a separate legal entity. The contractual partner and controller remains VanThunder (sole proprietorship).

Table of contents

  1. Controller
  2. Data protection contact
  3. Overview: Which data we process
  4. Hosting, website provision and server logs
  5. Customer account
  6. Orders, digital content (game keys), and contract fulfillment
  7. Payment processing via Stripe
  8. Invoices and statutory retention
  9. Contact and support
  10. Newsletter (if offered)
  11. Cookies, consent management and device storage access
  12. Web analytics with Matomo (self-hosted)
  13. Recipients / service providers (processors)
  14. Data transfers to third countries (outside EU/EEA)
  15. Retention period
  16. Your rights
  17. Obligation to provide data
  18. Automated decision-making / profiling
  19. Data security
  20. Changes to this privacy policy

1. Controller (Art. 13(1)(a) GDPR)

The controller responsible for processing your personal data is:

VanThunder (sole proprietorship)
Owner: Marvin Schubert
c/o Impressumservice Dein-Impressum
Stettiner Straße 41
35410 Hungen
Germany

Email: info@purelvl.com
Phone: 06183 8039368
Website: purelvl.com

2. Data protection contact

If you have questions about data protection, exercising your rights, or data requests, please contact us at:

Email: info@purelvl.com
(Subject: “Data protection”)

3. Overview: Which data we process

Depending on your usage, we process in particular the following categories of personal data:

a) Master data

  • Name, email address
  • Billing address, country
  • Access data (password is stored only in encrypted/hardened form; never in plaintext)

b) Contract and transaction data

  • Order and payment process (e.g. order number, product, price, timestamp)
  • Order history
  • Invoices (PDF)
  • Digital delivery status (e.g. “key revealed/displayed” where technically implemented)

c) Usage and device data

  • IP address
  • Date/time, pages/files accessed, referrer URL
  • Browser type, operating system, user agent
  • Technical identifiers (e.g. session ID), where required

d) Consent data

  • Cookie banner decision (categories, timestamp)
  • Proof/logging of consent (e.g. timestamp, technical identifier)

e) Communication data

  • Content of your messages to us (email/support), including attachments where applicable

4. Hosting, website provision and server logs

4.1 Hosting (IONOS VPS)
Our website is operated on a virtual private server (VPS) at a hosting provider. In the context of hosting, data required for website provision and security is processed (in particular server log files).

4.2 Server log files
Whenever you access the website, the server automatically records information transmitted by your browser. This includes, for example:

  • IP address
  • Date and time of the request
  • Requested page/file
  • Referrer URL
  • Browser/OS/user agent

Purpose: technical provision, error analysis, misuse and attack detection, system security.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure and stable operations).
Retention: usually up to 7 days, then deletion/anonymization unless longer retention is required for security reasons.

5. Customer account

When you create a customer account, we process the necessary data (e.g. name, email, password hash) in order to:

  • provide your account,
  • assign orders,
  • deliver digital content, and
  • provide support.

Legal basis: Art. 6(1)(b) GDPR (contractual/pre-contractual performance).
Retention: until account deletion or after prolonged inactivity (regularly after 3 years), unless legal retention obligations apply.

6. Orders, digital content (game keys), and contract fulfillment

For orders, we process the data required to perform the contract, in particular:

  • Order data, billing data
  • Delivered digital content/keys and delivery status
  • Communication related to the order

Purposes: contract conclusion, digital content provision, invoicing, support, assertion/defense of claims.

Legal bases:

  • Art. 6(1)(b) GDPR (contract performance)
  • Art. 6(1)(c) GDPR (legal obligations, e.g. tax documentation)
  • Art. 6(1)(f) GDPR (fraud prevention, IT security, assertion/defense of claims)

7. Payment processing via Stripe

We offer payments via the payment service provider Stripe.

Within payment processing, the following data is transmitted to Stripe and/or processed by Stripe:

  • Name, email address
  • Billing address/country
  • Order information (e.g. amount, currency, order number)
  • Payment data (e.g. card/bank details) is processed by Stripe; as a rule, we do not store full card/bank details.

Legal basis: Art. 6(1)(b) GDPR (contract performance/payment processing). Stripe may also process data for fraud prevention and security.

Note on Stripe's role:
Stripe processes data as a payment service provider partly under its own data protection responsibility (e.g. compliance, risk checks) and/or as a service provider. For details, please refer to Stripe's privacy notices.

Stripe privacy notice (URL):
https://stripe.com/privacy

8. Invoices and statutory retention

Invoice and tax-relevant data is stored due to statutory retention obligations.

Typical retention periods:

  • Invoices/accounting records: regularly 8 years (tax law requirements)
  • VAT records (e.g. Section 22 UStG): still 10 years
  • Commercial and business correspondence: regularly 6 years

(The concrete period depends on the specific document type and applicable legal obligation.)

Legal basis: Art. 6(1)(c) GDPR (legal obligation).

9. Contact and support

If you contact us (e.g. by email), we process your information including your message in order to handle your request.

Legal bases:

  • Art. 6(1)(b) GDPR (support/pre-contractual or contractual processing)
  • Art. 6(1)(f) GDPR (general inquiries, efficient communication)

Retention: as long as needed for handling and, where applicable, documentation; beyond that only within legal obligations or for assertion/defense of claims.

10. Newsletter (if offered)

If we offer a newsletter and you subscribe, we process your email address (and, where applicable, name) to send you the newsletter.

Legal basis: Art. 6(1)(a) GDPR (consent).
Unsubscribe/withdrawal: at any time via the unsubscribe link in the newsletter or by email to info@purelvl.com (subject: “Unsubscribe newsletter”).
Proof: we may store subscription and confirmation timestamps in order to prove consent.

12. Web analytics with Matomo (self-hosted)

If you consent to the “Analytics” category, we use Matomo for statistical analysis of website usage. Matomo is operated by us (self-hosted); analytics data is not transferred to Matomo as an external provider.

Typical data:

  • Shortened/anonymized IP address (if enabled)
  • Pages visited, dwell time, click paths (only with consent)
  • Browser/OS (in aggregated form)

Typical cookies: _pk_id, _pk_ses (examples)

Legal basis: Art. 6(1)(a) GDPR (consent) and Section 25(1) TDDDG.
Withdrawal: at any time via cookie settings.

13. Recipients / service providers (processors)

We use service providers that process personal data on our behalf (Art. 28 GDPR), in particular:

  • Hosting/server operations (VPS)
  • IT/security services (where used)

We also use Stripe as a payment service provider (see Section 7).

We disclose data only if:

  • this is required for contract fulfillment,
  • you have given consent,
  • there is a legal obligation, or
  • we have a legitimate interest and no overriding interests oppose this.

14. Data transfers to third countries (outside EU/EEA)

If service providers process data outside the EU/EEA (e.g. in connection with Stripe), this is done only where legal requirements are met, in particular:

  • an adequacy decision by the EU Commission (e.g. EU-US Data Privacy Framework, where applicable), and/or
  • EU Standard Contractual Clauses (SCCs) and, where applicable, additional safeguards.

Details are available in the privacy notices of the respective provider (e.g. Stripe).

15. Retention period

Unless otherwise stated in this privacy policy, we store personal data:

  • as long as required for the relevant purpose,
  • until you withdraw consent (for consent-based processes),
  • until statutory retention periods expire,
  • or as long as claims may be asserted (statutory limitation periods).

16. Your rights

You have the following rights where legal requirements are met:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection to processing based on legitimate interests (Art. 21 GDPR)
  • Withdrawal of consent (Art. 7(3) GDPR) with effect for the future
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

Competent supervisory authority (including for Hesse):
The Hessian Commissioner for Data Protection and Freedom of Information
Website: https://datenschutz.hessen.de

17. Obligation to provide data

Certain data is required for contract conclusion and performance (e.g. email, billing data). Without this data, we generally cannot process an order.

18. Automated decision-making / profiling

As a rule, we do not make exclusively automated decisions with legal effect within the meaning of Art. 22 GDPR.

However, within payment processing there may be automated risk checks by payment providers (e.g. Stripe), which can decline a payment or trigger additional checks. You can contact us at any time if you have questions.

19. Data security

We implement appropriate technical and organizational measures (Art. 32 GDPR) to protect your data, e.g.:

  • TLS/HTTPS encryption
  • Access restrictions and authorization concepts
  • Password storage only as hash (no plaintext)
  • Protection against CSRF, rate limiting (login/API)
  • Regular updates and security checks

20. Changes to this privacy policy

We update this privacy policy if legal requirements, technology, or our processing activities change. The current version is available at purelvl.com.
