Privacy Policy

Privacy information for my-order.download (website, merchant app, API)

Effective date: 01/30/2026
Version: 0.2 (Draft)

Note: This English version is a convenience translation. In case of discrepancies, the German version prevails.

TL;DR

  • No external tracking: no Google Analytics/marketing trackers; only Cloudflare Analytics.
  • Only necessary data: Merchant account data + order/product data required for delivery (data minimization).
  • Buyer data mostly on behalf of Merchants: Buyer email/download events are typically processed for the Merchant (DPA).
  • Technical cookies only: session/token/security – currently no cookie banner.
  • Infrastructure: Cloudflare (CDN/WAF/R2), Supabase (DB/Auth), Stripe (billing), Mailersend (emails).

1. Controller

The controller within the meaning of the GDPR is:

my-order.download (sole proprietorship)
Owner: Peter Faust
Schmittstr. 4, 53123 Bonn, Germany
Email: support@my-order.download
(Imprint: Imprint)

No data protection officer has been appointed.


2. Scope of this privacy policy

This privacy policy applies to:

  • Marketing/landing page (public website)
  • Merchant dashboard/app (login area)
  • API endpoints (e.g. /api/...)
  • technical protection mechanisms (e.g. CDN/WAF/Captcha)

For the download pages for Buyers, separate information is available: Buyer download privacy notice.


3. Categories of processed data

3.1 Merchant data (B2B)

  • master data: name, email, company, address, VAT ID
  • shop/platform data: shop name, platform, platform ID, configurations
  • product data (necessary & partly publicly visible): product IDs, titles, descriptions, images/thumbnails
  • contract/billing data: plan, billing period, status, Stripe references (e.g. customer/subscription IDs)

3.2 Order/transaction data (from platforms)

  • order ID, purchase date
  • products per order (product ID/title)
  • Buyer email address (where required for delivery/verification)
  • payment status if technically required for delivery

We follow the principle of data minimization and only ingest data required to provide the Service. In addition, publicly available product information (e.g. listing details and images) may be processed.

3.3 Technical data (website/app/download flows)

  • IP address, user agent, timestamps
  • token/session data (e.g. session cookies, token hashes)
  • download/security events (e.g. success/failure, counters, abuse indicators)
  • referrer may be transmitted as part of standard HTTP requests

4. Purposes of processing

  • providing the website/app and the technical infrastructure
  • contract performance towards Merchants (account, asset/order management, delivery)
  • delivery of digital content to Buyers (on behalf of the Merchant)
  • security & abuse prevention (bot/abuse protection, rate limiting, traceability)
  • billing & payment processing (via Stripe)
  • support & communication
  • error analysis / technical improvement (without external tracking tools; currently only Cloudflare Analytics)

Depending on the context, we process data based on the following legal bases:

  • Art. 6(1)(b) GDPR (contract / pre-contractual measures)
  • Art. 6(1)(f) GDPR (legitimate interests) – e.g. IT security, abuse prevention, system stability
  • Art. 6(1)(c) GDPR (legal obligation) – e.g. retention obligations for billing-relevant documents

Note on Buyer data: where we process Buyer data on behalf of a Merchant, this is typically done under a data processing agreement (Art. 28 GDPR).


6. Cookies / local storage (technical only)

We currently use only technically necessary cookies/storage mechanisms required for operation, security and login/download processes, e.g.:

  • session cookie for Merchant login
  • token/session mechanisms for download pages (e.g. session/token hashes)
  • security-related cookies/functions as part of Cloudflare WAF/bot protection/captcha

We currently use no external tracking or marketing cookies. Therefore, no cookie banner is currently planned. If this changes, we will adjust the consent logic accordingly.


7. Sub-processors / service providers

We use the following providers to operate the Service (names/regions may vary depending on setup – we keep this lean and transparent).

| Provider | Purpose | Data categories (typical) | Region |
|---|---|---|---|
| Cloudflare (CDN/WAF/R2/Captcha) | delivery, DDoS/bot protection, performance, file storage (R2) | IP/user agent, requests, security events, potentially download/session tokens, files (assets) | EU (primarily), partly global edge routing |
| Supabase (Postgres/Auth) | database, auth (Merchant login), app operation | Merchant data, order/product data, token/session data | EU |
| Stripe | billing/payment processing | billing/payment metadata, plan/subscription IDs | depends on Stripe setup (typically EU/US) |
| Mailersend | sending delivery/verification emails | recipient address (Buyer/Merchant), email content metadata | US (per current information) |

8. Data processing agreement (DPA) – Buyer data in Merchant context

When delivering digital content, we process personal data of Buyers (e.g. Buyer email address, technical download events) on behalf of the respective Merchant.

  • the Merchant is typically the controller.
  • my-order.download acts as a processor.

The Merchant concludes a DPA under Art. 28 GDPR with us (see Terms/Annex).


9. Data transfers outside the EU/EEA

Where service providers process data outside the EU/EEA (e.g. Mailersend; and potentially support/operations processes of infrastructure providers), we ensure appropriate safeguards (e.g. contractual safeguards / standard contractual clauses) and limit data to what is necessary.


10. Retention / deletion

  • Merchant account data: at least until contract end; afterwards as needed for support/processing and within statutory obligations
  • billing-relevant data: retained according to statutory retention periods
  • order/Buyer/event data: where possible stored anonymized or hashed (among other things for abuse prevention and system stability)
  • “Delete now”: deletes entries and files; technically, residual data may remain in backups for normal cycles. A soft delete (e.g. product ID) may remain to be able to show the status “file deleted”.

11. Data security

  • transport encryption (TLS/HTTPS)
  • encryption at rest according to provider standards (Supabase/R2)
  • access control / least privilege
  • tenant separation
  • abuse protection measures (rate limits, bot protection, captcha)

12. Incident handling

In the event of security incidents, we act according to an incident process.
Where we act as a processor, we inform the Merchant without undue delay as soon as we become aware of a relevant incident and provide reasonable support.


13. Data subject rights

Data subjects have—subject to legal requirements—rights to access, rectification, deletion, restriction, data portability, objection and the right to lodge a complaint with a supervisory authority.

Buyer requests: the Merchant is the primary point of contact. You may still contact support@my-order.download; we will assist and forward requests to the Merchant if necessary.


14. Contact

Questions about data protection: support@my-order.download