Privacy Policy
Last updated: May 28, 2026
1. Controller
The controller responsible for the processing of personal data within the meaning of the GDPR is:
Karoxa LLC-FZ
US
As we are established outside the EU, we appoint an EU representative under Art. 27 GDPR upon request. Please contact us at [email protected].
2. Categories of data we process
- Order data: name, billing and shipping address, email, phone, order contents, order history.
- Payment data: payment method, transaction ID. Card numbers are processed exclusively by our payment processor; we do not store full card numbers.
- Account data (if you register): email, hashed password, saved addresses, VAT-ID if any.
- Communications: content of support requests, reviews, callback requests.
- Usage data: truncated IP address, date/time, browser type, referrer, pages visited.
3. Legal basis and purposes
- Performance of contract (Art. 6 (1)(b) GDPR): processing your order including shipping, payment, invoicing, complaints and withdrawals.
- Legal obligation (Art. 6 (1)(c) GDPR): retention of invoices for 10 years under German tax law, VAT and IOSS reporting.
- Legitimate interest (Art. 6 (1)(f) GDPR): operating and securing the shop, fraud prevention, pseudonymised reach measurement.
- Consent (Art. 6 (1)(a) GDPR): analytics and marketing cookies, newsletter (double opt-in).
4. Recipients / processors
We disclose data only to the following categories of recipients, and only where necessary to perform the contract, to meet a legal obligation (e.g. tax reporting), or on the basis of your consent:
- Payment processing: Stripe Payments Europe Ltd., Ireland.
- Shipping: the carrier engaged for the relevant order (DHL, DPD, FedEx, etc.) and our EU fulfilment / returns partner.
- Hosting & infrastructure: our EU-region hosting provider and, where used, Cloudflare, Inc. as CDN and security provider.
- Transactional email: our email delivery provider (e.g. Postmark, SES or Resend).
- Error monitoring: Sentry (where enabled) for technical stability monitoring.
- Tax representative: our IOSS intermediary in the EU for monthly import VAT reporting.
Data processing agreements under Art. 28 GDPR are in place with all processors. Transfers outside the EU/EEA rely on EU Standard Contractual Clauses and supplementary safeguards.
5. Cookies and similar technologies
Strictly necessary cookies (cart, login, CSRF protection) are set without consent, as the shop cannot function without them. Analytics and marketing cookies are set only after you have given consent via our cookie banner. You can change your choice at any time via the Cookie settings link in the footer.
6. Retention
- Order data / invoices: 10 years (German statutory retention).
- Account data: until deletion of your account.
- Support correspondence: up to 3 years.
- Cookie consent: 180 days, then re-prompted.
7. Your rights
You have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection (Art. 21), and you may withdraw any consent at any time with effect for the future (Art. 7 (3) GDPR). Please send requests to [email protected]. We respond within 30 days.
You also have the right to lodge a complaint with a data protection supervisory authority — in Germany, typically the authority of the federal state where you reside.
8. Obligation to provide data
To enter into a contract you must provide certain data (name, address, email, payment details). Without this data we cannot process your order.
9. No automated individual decision-making
We do not carry out automated decision-making including profiling within the meaning of Art. 22 GDPR.