Privacy Policy
This Privacy Policy explains how we collect and process your personal data in accordance with the EU General Data Protection Regulation (GDPR).
Last updated: 11 September 2025
On this page
1. Data Controller
The data controller is identified in our Legal Notice / Impressum.
Contact (privacy): privacy@octolock.com
2. Summary of Processing
- Orders and payments: Credit/debit card checkouts are fully handled by Stripe. For anonymous Bitcoin/Cash orders, we collect only what is necessary to deliver your order (shipping details and, for Bitcoin, a wallet address) and create a Stripe invoice record for reconciliation.
3. Categories of Data We Process
3.1 Orders and Payments
- Stripe-managed card payments: All customer and payment details are collected and processed by Stripe on our behalf. We receive the Checkout Session ID, payment status, totals and any metadata we provided (e.g., product ID/name). We do not receive or store full card numbers.
- Anonymous Bitcoin/Cash orders: For delivery we collect shipping details (name and address fields) and, for Bitcoin, your wallet address. We create a Stripe customer/invoice to record the order with metadata including order ID. We do not auto‑charge these invoices.
4. Purposes and Legal Bases (Art. 6 GDPR)
- Contract (Art. 6(1)(b)): Processing orders, delivering products and handling payments.
- Legitimate interests (Art. 6(1)(f)): Fraud prevention and service usage logs.
- Consent (Art. 6(1)(a)): Where required by law for non-essential cookies or marketing communications. Currently, we do not use advertising or analytics cookies.
- Legal obligation (Art. 6(1)(c)): Tax and accounting record keeping in relation to orders.
5. Cookies, Local Storage and Similar Technologies
- No marketing/analytics cookies: We do not use third‑party analytics or advertising trackers.
6. Recipients and International Transfers
- Stripe, Inc. (EU/US): Payment processing and invoicing. Data may be transferred outside the EEA. Stripe implements appropriate safeguards, including Standard Contractual Clauses.
Links: Stripe Privacy Policy
7. Retention
- Order and invoicing data: retained in line with statutory accounting/tax obligations (generally 6–10 years in the EU, depending on jurisdiction).
- Security logs: retained as necessary for fraud prevention and abuse detection, and then deleted or anonymised.
8. Your Rights
Under the GDPR you have the right to access, rectify, erase, restrict or object to processing, and to data portability. Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise your rights, contact us at privacy@octolock.com. You also have the right to lodge a complaint with your local supervisory authority.
9. Children
Our services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take appropriate action.
10. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes to our processing or legal requirements. We will post the updated version on this page with a new "Last updated" date.