Privacy Policy

Effective: 03 May 2026

§ 1 Preliminary remarks and scope

This privacy notice informs you about the type, scope and purpose of the processing of personal data in connection with the website owntheorder.com, the partner portal operated there, and the white-label ordering software offered under the brand OwnTheOrder (the "Service").

This notice applies to all visitors of the website, all business Partners holding an account in the Service, and to the processing of end-customer data that arises within a Partner shop. The individual end-customer shops operated by Partners under their own domain are subject to the privacy notice of the respective Partner, who acts as the data controller there.

Applicable laws are the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the German Federal Data Protection Act (BDSG).

§ 2 Controller

The controller within the meaning of Art. 4 No. 7 GDPR is:

4unit SI GmbH
Jahnstraße 36
34582 Borken (Hesse), Germany
Phone: +49 5682 73 48 26
Email: info@4unit.com

4unit SI GmbH is currently not legally obliged to appoint a data protection officer pursuant to Art. 37 GDPR. For data protection requests, please contact the email address above.

§ 3 Definitions

The terms "personal data", "controller", "processor", "processing", "data subject" and "consent" are used in line with the definitions in Art. 4 GDPR. Specifically for this Service:

  • Partner: business customer holding an account in the Service whose data is processed by 4unit SI GmbH as a controller.
  • End Customer: natural person placing an order with a Partner via the Partner's shop; their data is processed by 4unit SI GmbH exclusively as a processor on behalf of the respective Partner.

§ 4 General legal bases

Unless otherwise stated, the processing of your data is based on one of the following legal bases:

  • Art. 6(1)(a) GDPR – consent;
  • Art. 6(1)(b) GDPR – performance of a contract or pre-contractual measures;
  • Art. 6(1)(c) GDPR – compliance with a legal obligation (in particular commercial and tax retention obligations);
  • Art. 6(1)(f) GDPR – legitimate interest, in particular in the secure and stable operation of the Service and protection against abuse;
  • Art. 28 GDPR – processing on behalf (for end-customer data of the Partner shops).

§ 5 Website access and log files

Each access to the website causes the server to record the following data in a log file for a maximum of seven days: IP address of the requesting device, date and time, accessed URL, HTTP status code, transferred data volume, browser identifier (User-Agent) and operating system.

This processing serves the technical provision of the website, error analysis and protection against attacks (rate-limiting, detection of suspicious patterns). Legal basis is Art. 6(1)(f) GDPR; the legitimate interest lies in the secure operation of the Service. The log data is not linked to your person and not analysed for marketing purposes.

§ 6 Cookies and similar technologies

The Service uses only strictly necessary cookies. No consent under § 25(1) TTDSG is required because the cookies are mandatory for the proper function (§ 25(2) No. 2 TTDSG). The following cookies are set in particular:

  • JSESSIONID: session cookie identifying the login session. Properties: HttpOnly, Secure (HTTPS only), SameSite=Lax. Lifetime: until browser is closed or session ends (15 minutes inactivity in the admin area).
  • XSRF-TOKEN: protection against Cross-Site Request Forgery (Spring Security). Properties: HttpOnly, Secure, SameSite=Lax. Lifetime: session.
  • locale: stores the selected language (DE/TR/EN/FR). Lifetime: 12 months.

No tracking, analytics or advertising cookies are used. No services such as Google Analytics, Meta Pixel, TikTok Pixel or comparable trackers are integrated. Further details can be found in our Cookies.

§ 7 Partner registration and contract handling

When you register a Partner account, the following data categories are processed: first and last name, email address (also login name), phone number, password (stored as a BCrypt hash, never in clear text), company name, business address, tax and commercial register numbers, bank details (IBAN, BIC) as well as data on the authorised representative (name, position, date of birth, ID number, private address, contact).

This data is processed for the initiation and performance of the SaaS contract, identification toward payment service providers, invoicing and the fulfilment of legal obligations (in particular § 14 UStG, § 147 AO). Legal basis is Art. 6(1)(b) and (c) GDPR.

During onboarding, a check against relevant sanctions lists is performed. This check is carried out by the respective payment service provider (see § 10) under its own responsibility; 4unit SI GmbH only forwards the necessary master and representative data to the payment service provider.

§ 8 Subscription billing and platform fee

For monthly billing of the chosen Plan, accounting and payment data are generated (invoice number, line items, amount, tax rate, due date, payment method, payment status). Documents are kept in line with statutory retention periods (10 years according to § 147(3) AO and § 257 HGB).

The platform fee for end-customer orders is not invoiced separately, but automatically retained via the payment service provider (Stripe Connect: application_fee_amount, Iyzico: subMerchantPrice). Aggregated figures are visible in the partner dashboard.

§ 9 End-customer orders (processing on behalf of the Partner)

When an End Customer places an order in a Partner's shop, the following categories are processed in our system on behalf of the Partner: name, delivery/billing address, email, phone, time of order, basket content, chosen payment method, payment status, delivery time and, where applicable, comments. For registered End Customers in addition: customer ID, BCrypt hash of the password, language and address book entries, order history.

The controller within the meaning of the GDPR for this processing is the respective Partner. 4unit SI GmbH acts only as a processor for this data within the meaning of Art. 28 GDPR; the processing is carried out on instruction on the basis of a separate data processing agreement (DPA) which becomes effective upon acceptance of the terms.

§ 10 Payment processing via Stripe Connect and Iyzico

For end-customer payments, a checkout window (iframe) provided by the respective payment service provider is embedded into the shop. Full cardholder data (PAN, CVC, expiry date) is captured exclusively in the End Customer's browser on the PCI-DSS-compliant infrastructure of the payment service provider and transmitted to its servers. This data is never received or stored by 4unit SI GmbH. Only non-sensitive tokens are stored on 4unit SI GmbH's servers (PaymentMethod / transaction ID, card brand, last four digits, expiry month).

Integrated payment service providers:

  • Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (German market, Stripe Connect). Categories processed: first/last name and email of End Customer, order amount, Partner's Stripe account data, IP address for risk assessment. Privacy policy: https://stripe.com/privacy.
  • Iyzico Ödeme Hizmetleri A.Ş., Maslak Mahallesi, Sümer Sokak, No: 4, Daire: 7-12, 34485 Sarıyer/İstanbul, Turkey (Turkish market, sub-merchant model). Categories processed: first/last name and email of End Customer, basket items with subMerchantPrice, sub-merchant master data of the Partner. Privacy policy: https://www.iyzico.com/gizlilik-politikasi.
  • PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg (only if activated by the Partner, in marketplace mode). Privacy policy: https://www.paypal.com/de/legalhub/privacy-full.

Identity verification (KYC), anti-money laundering and sanctions screenings as well as chargeback procedures are the sole responsibility of the respective payment service provider. Legal basis for the transmission is Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (legal obligations).

§ 11 Email sending and verification

During registration we send a verification link to the email address provided. The token itself is stored on our side only as a SHA-256 hash; only the recipient of the email knows its clear-text value. The token expires automatically after 24 hours.

In addition, transactional emails are sent (invoices, contract signature, reminders, security alerts). Newsletters or commercial mass mailings are not sent by 4unit SI GmbH. An SMTP service provider located in the EU is used for sending (processor within the meaning of Art. 28 GDPR; the specific provider is available on request via the email address in § 2).

§ 12 Address geocoding (Nominatim)

To compute delivery ranges and to display locations on a map, address data is transmitted server-side to the geocoding service Nominatim of the OpenStreetMap Foundation, St John's Innovation Centre, Cowley Road, Cambridge CB4 0WS, United Kingdom. Only the address string to be checked is transmitted; no End Customer IP address reaches Nominatim because the requests originate from the server. Privacy policy: https://wiki.osmfoundation.org/wiki/Privacy_Policy. Legal basis: Art. 6(1)(b) GDPR.

§ 13 Domain provisioning (Plesk)

If a Partner chooses a subdomain assigned by 4unit SI GmbH, internal requests are sent to a Plesk-based hosting server of 4unit SI GmbH to set up this subdomain (domain name, partner identifier, chosen SSL certificate). No end-customer data is transmitted to this subsystem. Access to Plesk is logged in an internal audit log.

§ 14 Hosting and processors

The Service is operated in a data centre within the European Union. A data processing agreement under Art. 28 GDPR exists with the hoster. The database (MariaDB / MySQL) is held encrypted in the same data centre; backups are also kept encrypted within the EU.

A complete list of processors used is available on request via the email address in § 2.

§ 15 Third-country transfers

Personal data is transferred to countries outside the European Economic Area only in the following technically necessary cases:

  • Iyzico processes data in Turkey. The transfer is based on Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.
  • Stripe may transfer data within its corporate group to the United States. Stripe is certified under the EU–US Data Privacy Framework (Art. 45 GDPR in conjunction with Implementing Decision (EU) 2023/1795); supplementary Standard Contractual Clauses apply.
  • PayPal: comparable to Stripe (US corporate group, Standard Contractual Clauses where not covered by an adequacy decision).

Apart from these three cases, no data is transferred to third countries. No US cloud providers are used for hosting or analytics purposes.

§ 16 Storage period

Personal data is not stored longer than necessary for the respective purpose. Specific periods:

  • Server log files: 7 days, then automated deletion.
  • Email verification token: 24 hours, then automated expiry.
  • Login sessions: 15 minutes inactivity in the admin area; for Partners until logout.
  • WebSocket tokens (JWT): 1 hour.
  • Partner master data: term of contract plus statutory retention periods.
  • Invoices, contracts, tax-relevant documents: 10 years after the end of the financial year (§ 147(3) AO, § 257 HGB).
  • End-customer order data under processing on behalf: per Partner's instruction, as a rule contract term + 3 years (limitation of warranty claims), or up to 10 years if the order is part of an invoice.
  • Support requests: 3 years after closure.
  • Audit logs of security-relevant access: 12 months.

After the respective period, the data is irrevocably deleted or anonymised. Longer storage takes place only where this is necessary to assert, exercise or defend legal claims.

§ 17 Technical and organisational security measures

4unit SI GmbH applies recognised state-of-the-art measures to protect your data, in particular:

  • Encrypted connection (TLS) for all access to website, dashboard and API; HTTPS is enforced.
  • Security cookies with the flags HttpOnly, Secure and SameSite=Lax.
  • Storage of passwords exclusively as BCrypt hash with individual salt; clear-text passwords are not stored.
  • Encryption of sensitive master data (in particular API keys and sub-merchant keys) at rest with AES-256 (CBC or GCM) and master key in protected configuration.
  • Role and permission system with minimum privileges (principle of least privilege).
  • Rate limiting (token-bucket method) against brute force and abuse attempts.
  • Cross-Site Request Forgery protection (CSRF token), Content Security Policy without external scripts or CDN integrations.
  • Daily, encrypted backups within the EU; tamper-evident retention for 30 days.
  • Logging of security-relevant events (logins, failed attempts, permission changes).

§ 18 Automated decisions, profiling

Automated decision-making within the meaning of Art. 22 GDPR with legal effect on data subjects does not take place. Profiling for the purpose of evaluating personal aspects is not implemented. The rate limiting described above serves exclusively to protect against abuse and at most leads to a short-term limitation of the request rate.

§ 19 Rights of the data subject

You have the following rights against us regarding the personal data concerning you:

  • Right of access (Art. 15 GDPR);
  • Right to rectification of inaccurate or incomplete data (Art. 16 GDPR);
  • Right to erasure ("right to be forgotten", Art. 17 GDPR), unless retention obligations apply;
  • Right to restriction of processing (Art. 18 GDPR);
  • Right to data portability in a structured, commonly used and machine-readable format (Art. 20 GDPR);
  • Right to object to processing based on legitimate interest (Art. 21 GDPR);
  • Withdrawal of a consent once given with effect for the future (Art. 7(3) GDPR).

If data of End Customers of a Partner shop is concerned, the first point of contact for exercising these rights is the respective Partner as controller. 4unit SI GmbH supports the Partner pursuant to Art. 28(3)(e) and (f) GDPR.

§ 20 Right to lodge a complaint

Without prejudice to other remedies, you have the right to lodge a complaint with a data protection supervisory authority. Competent for 4unit SI GmbH is:

Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 31 63
65021 Wiesbaden, Germany
Phone: +49 611 1408-0
Email: poststelle@datenschutz.hessen.de

§ 21 Obligation to provide data

Within the business relationship you must provide those personal data that are necessary for the establishment, performance and termination of the contractual relationship and for the fulfilment of the contractual and legal obligations associated with it. Without this data the contract usually cannot be concluded or continued.

§ 22 Changes to this privacy notice

We adjust this privacy notice when the legal situation, technical processes or data processing within the Service change. The current version is always available at owntheorder.com/privacy; the date at the top of this notice indicates the version in force.