Privacy Policy
Last updated: April 26, 2026
This Privacy Policy describes how Wanna? Clothing ("the Site", "we", "us", or "our") collects, uses, and discloses your personal information when you visit, use our services, or make a purchase from wannaclothing.com (the "Site") or otherwise communicate with us regarding the Site (collectively, the "Services").
Controller of Data Processing
Wanna? Clothing by Morivo GbR, Dr.-Max-Straße 68, 82031 Grünwald, Germany
📧 Email: morivogbr@gmail.com
Changes to This Privacy Policy
We may update this Privacy Policy from time to time, including to reflect changes to our practices or for other operational, legal, or regulatory reasons. We will post the revised Privacy Policy on the Site, update the "Last updated" date, and take any other steps required by applicable law.
1. What Personal Information We Collect
The types of personal information we obtain about you depend on how you interact with our Site and use our Services.
Information You Provide Directly
- Contact Details – Name, address, phone number, email
- Order Information – Name, billing address, shipping address, payment confirmation, contact details
- Custom QR Code Order Data – When you order a personalized QR code product, you provide:
  - Instagram links or usernames
  - Snapchat usernames
  - WhatsApp phone numbers
  - PayPal links or usernames
  - Custom URLs (for "Custom" QR option)
- Generate your personalized QR code and short-link
- For Instagram orders only: Optionally follow your Instagram account from our official @wannacommunity profile (see Section 2 — Community Engagement for details)
- Shopping Information – Items viewed, added to cart, purchased, or saved
- Customer Support Information – Information you provide in inquiries
Information We Automatically Collect When QR Codes Are Scanned
When someone scans a QR code from one of our products, we automatically collect limited, anonymized analytics data through our redirect service at go.wannaclothing.com:
- Country and approximate region/city (derived from IP address, no precise location)
- Device type category (iOS, Android, Desktop, Other)
- Anonymized device fingerprint – A SHA-256 hash of (truncated IP + User-Agent), shortened to 16 characters. This hash:
  - Does NOT contain personal data
  - Cannot be reversed to identify the user
  - Is used only to count unique devices for fraud prevention and aggregate statistics
- Timestamp of the scan
- Referrer URL (if available — the page or app from which the scan originated)
- Event type ("view" or "click")
We do not collect or store:
- Full IP addresses
- Full User-Agent strings
- GPS coordinates
- Cookies on the redirect service
- Names or email addresses of scanners
Cookies
We use cookies and similar tracking technologies on our website to enhance your browsing experience, analyze site traffic, and support our marketing efforts. Below is an overview of the cookies we use and their purposes.
The redirect service (go.wannaclothing.com) does not set any cookies.
The main website (wannaclothing.com) uses cookies as required by Shopify for cart functionality and order processing. See the Cookie Banner on the Site for details.
What are cookies?
Cookies are small text files stored on your device when you visit a website. They help us recognize your browser and remember certain information about your visit.
Types of cookies we use
Essential cookies
These cookies are necessary for the website to function and cannot be switched off. They are usually set in response to actions you take, such as setting your privacy preferences, logging in, or filling in forms.
Analytics & performance cookies
Google Analytics (GA4) — Tracks website traffic, user behavior, and conversion data to help us understand how visitors interact with our store.
Marketing & advertising cookies
Meta (Facebook & Instagram) — Used to deliver personalized ads, measure ad performance, and build custom audiences based on your activity on our site (Meta Pixel).
TikTok — Used to track conversions from TikTok ads and deliver targeted advertising to users on TikTok (TikTok Pixel).
Google Ads — Used for remarketing and conversion tracking across Google's advertising network.
Functional cookies
Shopify — Our e-commerce platform sets cookies to support shopping cart functionality, checkout, fraud prevention, and session management.
Third-party cookies
Some cookies are placed by third-party services that appear on our pages. We do not control these cookies and recommend reviewing the privacy policies of the respective third parties.
Managing cookies
You can control and/or delete cookies at any time through your browser settings. You can also opt out of interest-based advertising via:
- Google Ads Settings
- Meta Ad Preferences
- TikTok Ad Settings
Please note that disabling certain cookies may affect the functionality of our website.
Cookie consent
As a visitor from the EU, you will be asked for your consent before non-essential cookies are placed on your device, in accordance with the General Data Protection Regulation (GDPR) and the ePrivacy Directive.
2. How We Use Your Personal Information (Legal Basis)
Under GDPR Article 6, we process personal data on the following legal bases:
Performing the Contract (Art. 6(1)(b) GDPR)
- Processing payments, fulfilling orders, arranging shipping, handling returns
- Generating personalized QR codes from your provided social media handles
- Creating short-links via our redirect service for QR codes on products
- Providing customer support
Legitimate Interest (Art. 6(1)(f) GDPR)
- Anonymized scan analytics for service improvement and fraud prevention
- Security measures (preventing abuse, scanning patterns)
- Aggregate business intelligence (which platforms are popular, etc.)
- Community building through manual social media follows (see below)
The processing of anonymized scan data is in our legitimate interest as it allows us to maintain and improve our services. The data is fully anonymized and cannot be linked back to individual users.
Community Engagement on Social Media
When you place a custom QR code order using your Instagram handle, our @wannacommunity Instagram account may follow your profile. This serves to build a community of customers around our brand.
This action:
- Is performed manually by our team (not by automated bots or tools)
- Is performed only once, around the time of your order
- Does NOT require you to follow us back
- Can be blocked or undone by you directly in Instagram at any time
If you prefer that we do not follow your account, please note this in your order comments or contact us at morivogbr@gmail.com.
We do not perform similar follow actions on other platforms (Snapchat, WhatsApp, etc.) — only Instagram.
Legal basis: Legitimate interest under Art. 6(1)(f) GDPR — building a direct relationship with customers who have explicitly engaged with our brand by purchasing a QR-code product.
Consent (Art. 6(1)(a) GDPR)
- Marketing emails (only sent if you opt in)
- Personalization features beyond what's required for the contract
You can withdraw consent at any time without affecting prior processing.
Legal Obligation (Art. 6(1)(c) GDPR)
- Tax records and invoicing (retained for 10 years per German Abgabenordnung)
- Compliance with regulatory requirements
3. Who We Share Personal Information With
We share information only with the following categories of recipients, as necessary:
Service Providers (Auftragsverarbeiter / Data Processors)
We use the following service providers, all of whom are bound by data processing agreements (Auftragsverarbeitungsverträge — AVV) where applicable:
| Provider | Purpose | Location | Data Shared |
|---|---|---|---|
| Shopify Inc. | E-commerce platform, order management | Canada / EU | Order details, contact info |
| Cloudflare Inc. | Hosting of redirect service (go.wannaclothing.com), DNS, CDN, D1 Database | EU (Western Europe region) for D1 / Global Edge | Short-link mapping, anonymized scan data |
| Render Inc. | Hosting of QR code generation service | USA | QR code generation data, short-lived |
| Gelato AG | Print-on-demand fulfillment | Norway / Global | Order details, design files |
| Dropbox Inc. | Backup of generated QR code files | USA | QR code image files |
| Microsoft 365 | Email infrastructure (support@wannaclothing.com) | EU | Email correspondence |
| GoDaddy | Domain registration | USA | Registrant info (legally required) |
| Payment Processors (e.g., PayPal, Stripe via Shopify) | Payment processing | Various | Payment-related data only |
International Data Transfers
Some service providers (Render, Dropbox, GoDaddy, parts of Cloudflare's global edge) are located outside the EU. Transfers to these providers are based on:
- EU Standard Contractual Clauses (SCCs) for US-based providers
- Adequacy decisions where applicable (e.g., Shopify Canada via the EU-Canada adequacy decision)
- EU-US Data Privacy Framework for certified US providers
Sales
We do NOT sell your personal information to any third party.
We do NOT use your social media handles (Instagram, Snapchat, WhatsApp, PayPal) for any purpose other than:
- Generating your QR code order
- The optional Instagram community follow described in Section 2
4. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of Access (Art. 15 GDPR) – You may request information about what data we have about you
- Right to Rectification (Art. 16 GDPR) – You may request correction of inaccurate data
- Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR) – You may request deletion of your data
- Right to Restriction of Processing (Art. 18 GDPR) – You may request that we limit how we process your data
- Right to Data Portability (Art. 20 GDPR) – You may request your data in a portable, machine-readable format
- Right to Object (Art. 21 GDPR) – You may object to processing based on legitimate interest (including the Instagram community follow)
- Right to Withdraw Consent – Where processing is based on consent, you may withdraw it at any time
- Right to Lodge a Complaint – You may complain to a supervisory authority. The competent authority for our processing is:
  Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany, https://www.lda.bayern.de
How to Exercise Your Rights
To exercise any of these rights, contact us at: morivogbr@gmail.com
We will respond within one month of receipt of your request.
Special Note on Anonymized Scan Data
Because scan analytics are fully anonymized (no IP, no full User-Agent, no cookies), we may be unable to identify which specific scan events relate to you, and therefore unable to delete or export them on an individual basis. This is a feature of our privacy-by-design approach: by not linking scans to identities, we minimize what we know about you.
5. Data Retention
We retain personal data for the following periods:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Order details (name, address, payment) | 10 years | German tax law (§147 AO) |
| Customer support correspondence | 3 years after last contact | Statutory limitation period |
| Custom QR code source data (Instagram/Snapchat/etc. handles) | Stored as long as the QR code's short-link is active. Customers can request deletion at any time, which deactivates the short-link. | Contract performance |
| Short-link mapping (in Cloudflare D1) | Stored as long as the corresponding shirt may be in use. Default: indefinitely, but subject to deletion request. | Contract performance |
| Anonymized scan analytics | Indefinitely (fully anonymized) | Legitimate interest |
| Marketing email subscribers | Until unsubscribed | Consent |
| Tax records | 10 years | German tax law |
6. Security Measures
We take appropriate technical and organizational measures to protect your data:
- Encrypted transit: All data transfers use HTTPS/TLS 1.3
- Encrypted storage: Sensitive data at rest is encrypted by our service providers
- Access controls: Only authorized personnel have access to personal data
- Anonymization by design: Scan analytics are anonymized at collection, not after
- No tracking cookies on the redirect service
- Regular security reviews of our infrastructure
Despite these measures, no security system is fully impenetrable. In case of a data breach, we will inform affected individuals and the supervisory authority within 72 hours of becoming aware, as required by Art. 33-34 GDPR.
7. Children's Privacy
Our Services are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
8. Contact
For all data protection questions, requests, or complaints:
📧 Email: morivogbr@gmail.com
📍 Address: Dr.-Max-Straße 68, 82031 Grünwald, Germany