KNISTR
Data Privacy & Legal Notice
Legal Notice:
KNISTR GmbH is a company with its registered office in Hamburg. It is registered in the commercial register of the Local Court of Hamburg under the number HRB 103195.
The managing directors are:
Michael Bregulla
Jochen Hahn
KNISTR GmbH
Hugh-Greene-Weg 2
22529 Hamburg
Telephone: 040 734404-01
E-Mail: hello@knistr.com
Website: knistr.com
VAT identification number: DE 259 170 160
Concept and design of header graphics:
KNISTR GmbH
Privacy Policy — KNISTR Loyalty App:
1. Controller
Controller within the meaning of data protection laws: KNISTR GmbH, Hugh-Greene-Weg 2, 22529 Hamburg
Legal representatives: Managing Directors: Jochen Hahn, Michael Bregulla
Data Protection Officer: Data Protection Officer of KNISTR GmbH, Hugh-Greene-Weg 2, 22529 Hamburg, privacy@knistr.com
2. Scope
This Privacy Policy describes what personal data is collected, processed, and used through the use of the KNISTR Loyalty App (“App”), how this data is protected, and what rights data subjects have. The App is installed on Shopify stores and, as part of its functionality, processes both store data and data of end customers (customers of the respective store). Where the App is installed in a Shopify store, KNISTR GmbH acts as a data processor on behalf of the respective store operator. End customers should primarily consult the privacy policy of the respective store. In particular, KNISTR GmbH has no independent legal basis for processing personal data in this context, and the respective store operator is solely responsible for the exercise of data subject rights.
3. Data We Process / Data Categories
Depending on the configuration and use, we collect and process in particular the following categories of personal data:
| Categories of personal data processed: | Personal data processed: | Purpose of processing: | Legal basis: | Retention period: |
| Account data of a Shopify merchant | First name, last name, email address, postal address, phone number | Performance of contract | Art. 6(1)(b) GDPR | For the duration of the contractual relationship (until uninstallation) and thereafter in accordance with statutory retention periods (accounting records are generally retained for 10 years, business correspondence for 6 years, all other information is generally deleted upon expiry of the statutory warranty period). |
| Device information of a Shopify merchant | Browser and operating system | For the execution of technical processes (error diagnosis, security, fraud detection). | Art. 6(1)(f) GDPR; § 25(2) TDDDG (German Telecommunications and Digital Services Data Protection Act). The legitimate interest in the temporary storage of log data (server log files) and session cookie information lies in our interest in the efficient and secure provision of our App. | 7 days; where further retention is required for evidentiary purposes, deletion takes place after final resolution of the incident; session cookies are deleted automatically at the end of the browser session. |
| Contact data of a Shopify merchant | Email address and, where applicable, the name of the contact person | Individual direct marketing and offering of additional services and features tailored to the Shopify merchant | Art. 6(1)(f) GDPR. The legitimate interest in using contact data available to us by virtue of the contractual relationship to inform merchants about further relevant offers and services. | Data is generally stored for the duration of the contractual relationship (see above under “Account data of a Shopify merchant”). Use for direct marketing purposes only takes place for as long as the Shopify merchant does not object to such use. |
The provision of data is neither legally nor contractually required; however, it is not possible for store operators to conclude a contract without providing this data. Whether use of the respective store is possible without providing data via the respective Loyalty App depends on the settings and requirements of the respective store operator.
4. Disclosure / Categories of Recipients
Personal data is disclosed in particular to the following recipients for the purpose of providing our App:
- Shopify International Limited (as the platform through which the App was installed):
- As our App is designed for use on the Shopify e-commerce platform, data is processed via Shopify’s infrastructure. The provider is Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland.
When you install and use our App, data (e.g. store information, order data, or customer data, depending on the App’s scope of functionality) is transmitted to Shopify. This data is processed to provide the App’s functionality and to ensure security. Shopify may also transfer data to its parent company Shopify Inc. in Canada and to locations in the USA. Canada is recognised as a third country with an adequate level of data protection (adequacy decision of the EU Commission). For transfers to the USA and other third countries, Shopify uses Standard Contractual Clauses approved by the EU Commission. Further information about data processing by Shopify can be found at:
- shopify.com/de/legal/privacy/merchants (Privacy Policy for Merchants) and
- shopify.com/de/legal/privacy/consumers (Privacy Policy for Consumers/Store Customers)
Legal basis: Processing is carried out on the basis of Art. 6(1)(b) GDPR (performance of contract, where the App is required for the use of the store) and on the basis of our legitimate interest in a seamless integration into the Shopify ecosystem pursuant to Art. 6(1)(f) GDPR.
- Hosting and Infrastructure Provider:
- We host our App’s data with the cloud provider Amazon Web Services (AWS). The provider is Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg.
Data is stored exclusively in the AWS Region Frankfurt (Germany). This ensures that data processing takes place within the European Union.
Legal basis: The use of AWS is based on Art. 6(1)(f) GDPR. We have a legitimate interest in the most reliable and secure presentation and provision of our App.
Data Processing Agreement: We have concluded a Data Processing Addendum with AWS, which guarantees compliance with European data protection standards.
5. Transfers to Third Countries
We transfer personal data to recipients in countries outside the EU/EEA (third countries).
| Recipient | Country | Purpose | Legal basis |
| Shopify Inc. | Canada / USA | Platform infrastructure | Adequacy decision / SCCs |
| Klaviyo Inc. | USA | Email delivery (optional) | EU-U.S. Data Privacy Framework / SCCs |
6. Data Processing Agreement (DPA)
We process personal data as a data processor within the meaning of Art. 28 GDPR on behalf of the respective store operator (merchant). The details of this processing, including the technical and organisational measures, are governed by a Data Processing Agreement (DPA). The agreement enters into force automatically upon installation of the App and acceptance of our Terms of Service by the store operator. The current text of the DPA can be accessed and downloaded at any time at [LINK TO DPA].
7. TLS Encryption
For security reasons and to protect the transmission of confidential content, such as enquiries or loyalty data that you send to us as the App operator, our App uses TLS encryption (Transport Layer Security).
8. Rights of Data Subjects
Data subjects have – to the extent provided by law – the rights of access, rectification, erasure, restriction of processing, data portability, and objection to processing. To exercise these rights, please contact the controller named above or the respective store operator (as the App typically processes store data on behalf of the merchant).
Statutory Rights of Data Subjects:
Right of access
You have the right to obtain information about the personal data being processed. This includes information about the purposes of processing, the categories of personal data, the recipients or categories of recipients (in particular in third countries), and, where possible, the envisaged retention period and the provision of a copy of the data.
Legal basis: Art. 15 GDPR.
Right to rectification
You have the right to obtain without undue delay the rectification of inaccurate personal data and the completion of incomplete personal data.
Legal basis: Art. 16 GDPR
Right to erasure (“right to be forgotten”)
You have the right to request the erasure of personal data where the conditions of Art. 17 GDPR are met (e.g. where the purpose has ceased to exist, where an underlying consent has been withdrawn, or where processing is unlawful), provided no statutory retention obligations preclude erasure.
Legal basis: Art. 17 GDPR
Right to restriction of processing
You have the right to request restriction of processing where the conditions of Art. 18 GDPR are met (e.g. where the accuracy of the data is contested, for the duration of verification by the controller).
Legal basis: Art. 18 GDPR
Right to object
Where data processing is based on a legitimate interest (Art. 6(1)(f) GDPR), you have the right to object at any time to the processing on grounds relating to your particular situation.
Legal basis: Art. 21 GDPR
Right to data portability
You have the right to receive the personal data you have provided in a structured, commonly used and machine-readable format, or to request transmission to another controller, where processing is based on consent or a contract and is carried out by automated means.
Legal basis: Art. 20 GDPR
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a competent data protection supervisory authority if you believe that the processing of personal data infringes the GDPR.
This right may be exercised, for example, before the supervisory authority competent for KNISTR GmbH: The Hamburg Commissioner for Data Protection and Freedom of Information (Hamburgischer Beauftragter für Datenschutz und Informationsfreiheit), Ludwig-Erhard-Str. 22, 7th floor, 20459 Hamburg; https://datenschutz-hamburg.de.
Legal basis: Art. 57(1)(f), Art. 77 GDPR
Right to withdraw consent
Any consent given to the processing of personal data may be withdrawn at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
Legal basis: Art. 7(3) GDPR
To exercise your statutory rights as a data subject or for questions regarding data processing, please send a written message to the address given above or by email to privacy@knistr.com.
9. Right to Object / Direct Marketing
Where personal data is processed for the purpose of direct marketing, you have the right to object at any time to processing for such marketing purposes. This also applies to profiling insofar as it is related to such direct marketing. In the event of an objection, the personal data will no longer be used for these purposes. The objection may be made informally, for example via the unsubscribe link in marketing communications or by email.
10. Changes to this Privacy Policy
In order to adapt to changes in the legal framework or changes to the service and data processing, the provider reserves the right to update this Privacy Policy. The current version can be accessed via the App documentation or within the Shopify App Store.
11. No Automated Decision-Making (Profiling)
No automated individual decision-making within the meaning of Art. 22 GDPR takes place that produces legal effects concerning data subjects or similarly significantly affects them. The calculation of bonus points and the assignment of rewards are based solely on the rules configured by the merchant in the system and on actual purchasing activity.
As of 15th April 2026