15% off most products! Free Shipping on orders over €100 or $250!LAUNCH15Shop now!
Privacy

What we know about you, and why.

Short version: only what we need to ship your order and answer your emails. The long version is below.

Last updated · May 23, 2026

What we collect

We only collect what's necessary to fulfil an order and keep your account working:

  • Account & order data — name, email, shipping and billing address, phone (optional), order history, locale preference.
  • Payment data — handled by Stripe. We never see or store your card details; we only receive a token and the last four digits.
  • Email events — delivery, open, and bounce events from transactional emails (order confirmations, password resets).
  • Technical data — IP address, user agent, and a session cookie when you visit the site. We use this only for security and to keep your cart attached to you.

Why we collect it

Legal basis under GDPR Art. 6(1): performance of a contract (b) for order fulfilment, legitimate interest (f) for fraud prevention and service security, and consent (a) where required (e.g. marketing emails, if any).

Sub-processors

We use the following services to run the shop. Each receives only the data needed to do its job:

  • Stripe (Ireland / USA) — payment processing.
  • Resend (USA) — transactional email delivery.
  • Neon (USA) — Postgres database hosting.
  • Render (USA) — backend application hosting.
  • Vercel (USA) — storefront hosting and AI Gateway (used for build-time translation of email templates — no customer data flows through this).
  • Amazon Web Services (S3) (Stockholm, EU) — product image storage.
  • Cloudflare (USA) — DNS and CDN.

Where data is processed outside the EU/EEA, transfers rely on Standard Contractual Clauses or other valid safeguards under GDPR Chapter V.

Cookies & local storage

We use a small set of first-party cookies and local storage entries:

  • Cart cookie — keeps your cart attached to you between visits.
  • Locale cookie — remembers your language and region choice.
  • Auth session — set after you log in, cleared when you log out.

We don't use third-party tracking, advertising, or analytics cookies. If that ever changes, we'll ask for your consent first.

Retention

We keep account and order data for as long as your account exists. If you ask us to delete your account, we anonymise personal data on your orders within 30 days, except where we're legally required to retain invoices (10 years under German tax law).

Your rights

You have the right under GDPR to:

  • Access the personal data we hold about you (Art. 15)
  • Correct inaccurate data (Art. 16)
  • Delete your data, subject to retention obligations (Art. 17)
  • Restrict or object to processing (Art. 18, 21)
  • Receive your data in a portable format (Art. 20)
  • Lodge a complaint with a supervisory authority (Art. 77) — in Germany, the data protection authority of your federal state.

Contact

To exercise any of these rights or ask anything else, email mail@thebrickapple.com. We'll respond within a month, usually much faster.

Operator details are on the imprint page.

Still stuck?

Send us a message — we read every note.
Read the FAQ