1. Controller and Contact for Data Processing

The controller for the processing of personal data within the meaning of the General Data Protection Regulation (GDPR) is:

We process personal data as the responsible party within the meaning of Art. 4 No. 7 GDPR and are responsible for ensuring that your data are processed in accordance with applicable data protection law.

We have not appointed a dedicated data protection officer, as there is no statutory obligation to do so pursuant to Art. 37 GDPR.

2. Purposes and Legal Bases for Data Processing

We process personal data in accordance with the principle of data minimisation. We deliberately refrain from tracking, analytics tools, and marketing cookies. On our website, only technically necessary data are processed.

Performance of a contract and pre-contractual obligations (Art. 6(1)(b) GDPR)

• Service provision: Processing of email addresses for handling the purchase of Thortokens and for generating and providing Thorname and QR code.
• Communication: Use of contact data and the content of enquiries to provide support and inform you about the status of your order.
• Payment processing: Payment information is processed exclusively via external payment service providers (e.g. Stripe or BTCPayServer). We do not store sensitive payment data. Billing-relevant transaction data (payment ID, amount, timestamp) are stored in accordance with statutory obligations.

Compliance with legal obligations (Art. 6(1)(c) GDPR)

• Compliance with commercial and tax law obligations, e.g. retention of invoicing and accounting records.
• Compliance with other statutory documentation or evidence obligations.

Legitimate interests (Art. 6(1)(f) GDPR)

• Ensuring IT security and uninterrupted operation of our website.
• Prevention of misuse and fraud, e.g. by validating Thortokens.
• Technical error analysis and system stability.

Consent (Art. 6(1)(a) GDPR)

Where you expressly agree, we process personal data on the basis of your consent for the following purposes:

• Notification of the availability of a Thorshop near a location you specify.
• Processing and confirmation of the corresponding request.

Consent is given voluntarily and may be withdrawn at any time with effect for the future.

3. Data Collected When You Visit Our Website

Automatically collected data

Details on scope and retention period will be added shortly.

When you access our website, certain data are automatically collected by our IT systems. These are technically necessary to provide the website and to ensure its security and stability:

• IP address of the accessing device
• Date and time of access
• Pages or content accessed
• Browser type and version
• Operating system used
• Technical security and access data

No user profiles are created, no cross-visit tracking takes place, and no profiling occurs. No permanent storage in server log files is performed — processing takes place exclusively on a short-term basis in system memory.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in technically providing, securing, and fault-analysing the website).

Technically necessary cookies and similar technologies

Specific information will be added shortly.

Our website uses only technically necessary cookies and comparable local storage mechanisms:

• Session cookies to provide basic functions
• Local storage mechanisms (e.g. to remember your language preference)

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the functional and secure provision of our website).

Data you provide to us directly

We only process personal data when you actively and voluntarily provide it to us. This includes in particular:

• Email address (e.g. for orders, Thortoken redemption, or support requests)
• Phone number (optional, e.g. for support)
• Usernames or identifiers (e.g. Threema ID, Session ID, messenger username)
• Content of requests submitted via email, form, or messenger services
• Voluntary information provided in connection with notification requests

For cryptocurrency payments, payment processing is handled via infrastructure operated by us on our own servers. No payment data are transmitted to external payment service providers. Only your email address and blockchain-typical technical data such as wallet addresses and transaction IDs (TX-IDs) are processed. Please note that blockchain transactions are generally publicly visible.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract) or Art. 6(1)(a) GDPR (consent), depending on context.

4. Who Receives My Data?

Your data are treated by us as confidential. Disclosure only takes place where it is necessary to operate our website and provide our service, or where we are legally required to do so. No disclosure for advertising purposes or sale of data takes place.

Internal recipients

Access to personal data is limited exclusively to the operators of Thorpaket, and only to the extent necessary for processing orders, providing the service, or handling enquiries.

External recipients

We work with selected service providers who process data exclusively on our behalf and only to the extent necessary (data processing agreements pursuant to Art. 28 GDPR):

• Cloudflare, Inc. and Hetzner Online GmbH — Website delivery, security, and server operations (Finland, EU). All inputs you make on the website are received via Cloudflare and forwarded to our Hetzner servers for further processing.
• Proton AG and "mail resend" (Plus Five Five, Inc.) — Sending and receiving emails for order processing, notifications, and support requests.
• Stripe Payments Europe, Ltd. and PayPal — Processing of payment and billing information. We do not receive access to full credit card or account data.
• Communication services (support): Signal, Telegram, WhatsApp, Threema, Session, X — Please note that when using these services, data may be processed by the respective providers, including outside the European Union.

Disclosure to third parties and authorities

Personal data are only disclosed to third parties where we are legally required to do so or where an official or judicial order exists. Disclosure is always limited to the necessary scope.

5. Processing Outside the EU and EEA

Some of our technical service providers use internationally distributed infrastructure. As a result, in individual cases data may also be processed outside the European Union.

• Server operations: Our central servers are located in Finland (EU). The essential functions of our service are processed entirely within the EU.
• Website delivery and security: We use Cloudflare to deliver and secure our website. Technical access data are processed in data centres geographically close to the respective user.
• Payment processing: Payment processing is handled by Stripe Payments Europe Ltd. (Ireland). In this context, individual data may be transferred to third countries (e.g. the USA). Stripe uses appropriate safeguards pursuant to the GDPR, in particular EU standard contractual clauses.

6. How Long Is My Data Stored?

We store data only for as long as is necessary to provide our services or to fulfil statutory obligations.

Storage during use of our service

During use of our service, only technically necessary data are processed:

• Thortoken status and time of use
• Generated Thornames (pseudonymous identifiers)
• Process status information
• Timestamp of parcel handover
• Partner / shop ID of the respective partner shop

Statutory retention obligations (10 years)

Certain data are stored in audit-proof form for 10 years pursuant to statutory requirements (§ 147 AO, § 257 HGB):

Even where individual data (e.g. an email address) must be stored for legal reasons, these are strictly separated from usage and service data so that a direct link between a person and specific use of the service is not provided for at the system level.

Technical notification and log data

• Stored for technical purposes only
• Automatically deleted after a maximum of 90 days

Backups and data security

• Daily backups of the entire system
• Backups retained for 7 days
• Automatically deleted after that period

7. Your Rights at a Glance

Under the GDPR you have the following rights:

• Access (Art. 15 GDPR)

  You may request information about which personal data we process about you.

• Rectification (Art. 16 GDPR)

  You may request the correction of inaccurate or incomplete data.

• Erasure (Art. 17 GDPR)

  You may request the deletion of your data, provided no statutory retention obligations apply.

• Restriction of processing (Art. 18 GDPR)

  You have the right to request that the processing of your data be restricted under certain conditions.

• Objection (Art. 21 GDPR)

  You may object to the processing of your data where it is based on legitimate interests.

• Withdrawal of consent (Art. 7(3) GDPR)

  You may withdraw any consent given at any time with effect for the future.

• Data portability (Art. 20 GDPR)

  You may request that we provide you with the data you have supplied in a structured, commonly used format.

• Complaint to a supervisory authority (Art. 77 GDPR)

  You have the right to lodge a complaint with a data protection supervisory authority.

8. Contact and Supervisory Authority

Contact for questions or to exercise your rights

Data protection supervisory authority for Hamburg

If you feel that we are not handling your data correctly, please let us know directly — we want to resolve the issue. You also have the right to contact the competent supervisory authority: