Skip to Content

Privacy Policy


Last updated: 12.07.2026

1. Controller

The controller responsible for data processing on this website is:

rosslight GmbH

Friedrich-Barnewitz-Straße 8
18119 Rostock
Germany

Represented by Managing Director:
Malte Rosskamp

Phone: +49 157 33276396
Email: malte.rosskamp@rosslight.de

Registration Number: HRB 16367

 

2. General Information

We process personal data only where this is necessary to provide our websites and services, communicate with customers and interested parties, process orders, fulfil contractual obligations, or protect our legitimate interests.

Personal data is any information relating to an identified or identifiable natural person. This includes, for example, names, email addresses, telephone numbers, postal addresses, IP addresses, account information and the content of messages.

The legal bases referred to in this privacy policy are based on the General Data Protection Regulation, or GDPR.

Data is processed only: 

  • to perform a contract (Art. 6(1)(b) GDPR), 
  • on the basis of consent (Art. 6(1)(a) GDPR), 
  • to comply with legal obligations (Art. 6(1)(c) GDPR), 
  • or based on legitimate interests (Art. 6(1)(f) GDPR).

 

3. Access Data, Website Platform and Hosting

3.1 Server log files

When you visit our website, certain technical data is automatically transmitted by your browser and recorded by the systems used to provide the website.

This may include:

  • IP address;
  • date and time of access;
  • requested page or file;
  • amount of data transferred;
  • referrer URL;
  • browser type and browser version;
  • operating system;
  • language and device settings;
  • access status and error messages.

This data is processed to deliver the website, ensure system security and stability, detect technical problems and investigate possible misuse.

The legal basis is Article 6(1)(f) GDPR. Our legitimate interest is the secure, stable and technically reliable operation of our website.

Server log data is generally deleted after no more than 14 days unless longer storage is required to investigate a specific security incident, misuse or legal claim.

3.2 Hosting and website platform: Odoo.sh

We use Odoo and the Odoo.sh hosting platform to operate our website, online shop, customer accounts, contact management, order processing and related business functions.

The service provider is:

Odoo S.A.
Chaussée de Namur 40
1367 Grand-Rosière
Belgium

The information processed using Odoo may include:

  • website access and server-log data;
  • contact and inquiry information;
  • customer and account information;
  • order, invoice and delivery information;
  • communication with customers and interested parties;
  • technical and security information;
  • cookie-consent information.

Our Odoo.sh environment is hosted in a European hosting region.

Odoo processes information on our behalf as a processor where it provides hosting and platform services.

Depending on the relevant activity, processing is based on:

  • Article 6(1)(b) GDPR, where processing is necessary to provide requested services, manage an account, process an inquiry relating to a contract or perform a contract;
  • Article 6(1)(c) GDPR, where processing is required to meet statutory obligations;
  • Article 6(1)(f) GDPR, based on our legitimate interest in securely and efficiently operating our website and business systems.

 

4. Contacting Us and Contact Forms

You may contact us by telephone, email or through a contact form on our website.

When you use our contact form, we may process:

  • name;
  • telephone number;
  • email address;
  • company name;
  • subject;
  • the content of your question or message;
  • date and time of the inquiry;
  • technical information required to transmit and protect the form.

We process this information to respond to your inquiry, communicate with you and, where applicable, prepare, establish or perform a contractual relationship.

Where your inquiry relates to a possible or existing contract, the legal basis is Article 6(1)(b) GDPR.

For general inquiries that do not relate to a contract, the legal basis is Article 6(1)(f) GDPR. Our legitimate interest is responding to inquiries concerning our company, products and services.

Where you have given separate consent for a particular form of processing, the legal basis is Article 6(1)(a) GDPR.

The information submitted through the contact form is stored and managed in our Odoo system.

We retain inquiries for as long as necessary to process and document the matter. After the matter has been completed, the information is deleted unless statutory retention obligations, limitation periods or the need to establish, exercise or defend legal claims require longer retention.

Fields marked as mandatory are required to process your inquiry. Other information is voluntary.

 

5. Customer Accounts

Creating and using a customer account

You may create a customer account on our website. A customer account allows you, for example, to manage your contact and delivery information, review orders and use account-related functions.

When a customer account is created or used, we may process:

  • first name and surname;
  • email address;
  • company information, where provided;
  • billing and delivery addresses;
  • telephone number, where provided;
  • account identifier;
  • password hash;
  • authentication information;
  • account settings;
  • order history;
  • login and security information;
  • date and time of registration and account activity.

Passwords are not stored in plain text. They are stored in the form of cryptographic password hashes.

The legal basis for processing account information is Article 6(1)(b) GDPR where the account is created or used for orders, contractual services or pre-contractual activities.

Where an account is created independently of a specific contract, processing is also based on Article 6(1)(f) GDPR. Our legitimate interest is providing customers with a convenient and secure method of managing their information, inquiries and orders.

Information required to create the account must be provided in order to use the account functions. Creating a customer account is not required where an order can be placed using a guest-checkout function.

Two-factor authentication and passkeys

Depending on the account settings and technical availability, users may secure their account using two-factor authentication or a passkey.

When these functions are used, we process the authentication information necessary to register and verify the additional authentication method. Depending on the method used, this may include:

  • a pseudonymous authentication identifier;
  • public cryptographic keys;
  • information about the authentication method;
  • registration and last-use timestamps;
  • technical security and verification information.

Private passkey keys and biometric information used to unlock a passkey generally remain on the user’s device or with the operating-system or passkey provider. We do not receive the biometric information used locally to unlock the passkey.

Processing is based on Article 6(1)(b) GDPR where authentication is necessary to provide the customer account and Article 6(1)(f) GDPR based on our legitimate interest in protecting accounts, customer information and our systems against unauthorized access.

Login and security information

For security purposes, we may process login times, failed login attempts, IP addresses, device or browser information and security events.

The legal basis is Article 6(1)(f) GDPR. Our legitimate interest is preventing unauthorized access, fraud, misuse and attacks against customer accounts and our systems.

Security information is generally retained only for as long as necessary to identify and investigate security events. Where no security incident has occurred, such data is normally deleted or anonymized after a limited period. Information may be retained for longer where necessary to investigate misuse, secure an account or establish, exercise or defend legal claims.

Account deletion

You may request deletion of your customer account or use an available account-deletion function.

When an account is deleted, information used exclusively for the account is deleted or anonymized unless continued retention is necessary to:

  • perform an existing contract;
  • process outstanding orders, payments, returns or disputes;
  • comply with commercial, accounting or tax retention obligations;
  • prevent fraud or misuse;
  • establish, exercise or defend legal claims.

Order, invoice and payment information subject to statutory retention obligations is not automatically deleted when the customer account is deleted. Such information is restricted and retained only for the applicable statutory purpose and retention period.

Sign-in with Microsoft

Where offered, you may sign in to our website using your Microsoft account.

The service is provided by:

Microsoft Ireland Operations Limited
One Microsoft Place
South County Business Park
Leopardstown
Dublin 18
Ireland

When you choose Microsoft sign-in, you are redirected to Microsoft. Microsoft authenticates your identity and transmits the information required to create or connect your customer account.

Depending on your Microsoft account, the permissions requested and the configuration of the service, this information may include:

  • a unique Microsoft account identifier;
  • name;
  • email address;
  • authentication confirmation;
  • basic account or profile information;
  • technical connection and security information.

We do not receive your Microsoft password.

The legal basis for processing is Article 6(1)(b) GDPR where Microsoft sign-in is used to create or access an account required for contractual services. In other cases, the legal basis is Article 6(1)(f) GDPR. Our legitimate interest is providing a convenient and secure login method.

The use of Microsoft sign-in is voluntary. You may use another available login method instead.

Microsoft processes information under its own responsibility when providing and securing the Microsoft account and authentication service. Microsoft may also process information in the United States or other countries outside the European Economic Area. Such transfers may be based on an adequacy decision, including the EU–US Data Privacy Framework where applicable, or on the European Commission’s Standard Contractual Clauses.

 

6. Cookies and Similar Technologies

Our website uses cookies and similar browser-storage technologies.

Some technologies are strictly necessary to provide the website and functions expressly requested by you. These may be used for:

  • session management;
  • security;
  • login and authentication;
  • language selection;
  • shopping-cart functionality;
  • checkout functionality;
  • customer-account functions;
  • remembering your cookie choices.

The storage of or access to information on your device for strictly necessary technologies is based on Section 25(2) TDDDG.

Where information from these technologies constitutes personal data, subsequent processing is based on Article 6(1)(b) GDPR where it is necessary to provide a service requested by you. Otherwise, processing is based on Article 6(1)(f) GDPR and our legitimate interest in securely and reliably providing the website.

Technologies that are not strictly necessary, particularly marketing technologies and external media, are activated only after you have given consent.

The storage of or access to information on your device in these cases is based on your consent under Section 25(1) TDDDG. The associated processing of personal data is based on Article 6(1)(a) GDPR.

You may withdraw your consent at any time with effect for the future by reopening the cookie settings and changing your selection. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

Further information about the technologies used, their providers, purposes and storage periods is available in our Cookie Policy and cookie settings.

6.1 Meta Pixel

With your consent, we use the Meta Pixel provided by:

Meta Platforms Ireland Limited
Merrion Road
Dublin 4
D04 X2K5
Ireland

The Meta Pixel allows us to:

  • measure the effectiveness of advertisements on Facebook and Instagram;
  • understand whether visitors interact with our website after viewing or clicking an advertisement;
  • measure events and conversions;
  • create or refine advertising target groups;
  • display advertisements that are more relevant to particular audiences.

Depending on how you use our website, the following information may be processed:

  • IP address;
  • browser and device information;
  • pages visited;
  • date and time of the visit;
  • referrer information;
  • pseudonymous cookie and advertising identifiers;
  • interactions with products, forms, shopping carts and orders;
  • information indicating whether an advertisement led to a visit or conversion.

Where configured, events transmitted to Meta may include viewing a product, adding a product to a shopping cart, starting checkout or completing a purchase.

We do not intentionally transmit the contents of contact-form messages, passwords or payment-card details to Meta.

The Meta Pixel and associated marketing technologies are activated only after you have given consent through the cookie settings.

The storage of or access to information on your device is based on your consent under Section 25(1) TDDDG. The subsequent processing of personal data is based on Article 6(1)(a) GDPR.

You may withdraw your consent at any time with effect for the future through the cookie settings.

For the collection and transmission of event data to Meta, rosslight GmbH and Meta Platforms Ireland Limited may act as joint controllers in accordance with Article 26 GDPR. Meta is responsible for subsequent processing within Meta’s services.

Meta may associate the information with a Facebook or Instagram account, particularly where you are logged in to a Meta service.

Meta may process information in the United States and other countries outside the European Economic Area. Where required, such transfers are based on an adequacy decision, including the EU-US Data Privacy Framework where applicable, or another transfer mechanism in accordance with Chapter V GDPR.

Further information is available in Meta’s privacy information.

6.2 Embedded YouTube Videos

Our website may contain videos embedded from YouTube.

The provider is:

Google Ireland Limited
Gordon House
Barrow Street
Dublin 4
Ireland

Embedded YouTube content is treated as external media and is loaded only after you have given consent or actively chosen to load the content.

Before consent is given, we endeavour not to establish a connection to YouTube merely because you visit a page containing an embedded video.

When you consent to or load a YouTube video, information may be transmitted to Google and YouTube. This may include:

  • IP address;
  • browser and device information;
  • date and time of access;
  • the page on which the video is embedded;
  • referrer information;
  • interactions with the video;
  • cookie or device identifiers;
  • information associated with a Google account where you are logged in.

YouTube may use cookies or similar technologies and may associate the information with other Google services.

Where technically possible, we use YouTube’s privacy-enhanced embedding mode. This reduces certain processing before interaction with a video but does not completely exclude data processing by Google after the video is loaded.

The storage of or access to information on your device is based on your consent under Section 25(1) TDDDG. The processing of personal data is based on Article 6(1)(a) GDPR.

You may withdraw your consent at any time with effect for the future through the cookie settings.

Google may process information in the United States and other countries outside the European Economic Area. Where required, transfers are based on an adequacy decision, including the EU-US Data Privacy Framework where applicable, or another transfer mechanism in accordance with Chapter V GDPR.

Further information is available in Google’s privacy information.

 

7. Order Processing

When you place an order through our website, we process the information required to conclude and perform the purchase contract.

This may include:

  • name and contact information;
  • billing address;
  • delivery address;
  • company and tax information;
  • products and quantities ordered;
  • order value;
  • selected payment method;
  • payment and transaction status;
  • order and invoice numbers;
  • information concerning refunds, cancellations, returns or payment disputes.

Mandatory information is identified during checkout. Without the required information, we cannot conclude or perform the purchase contract.

The legal basis is Article 6(1)(b) GDPR.

Where we are legally required to retain invoices, transaction records or other accounting documents, processing is also based on Article 6(1)(c) GDPR.

7.1 Stripe

Where you select a payment method processed through Stripe, the information necessary to process the payment is transmitted to:

Stripe Payments Europe, Limited
1 Grand Canal Street Lower
Grand Canal Dock
Dublin
Ireland

The information transmitted may include:

  • name;
  • email address;
  • billing and delivery address;
  • order amount and currency;
  • order and invoice number;
  • selected payment method;
  • payment details entered in Stripe’s payment interface;
  • IP address and device information;
  • authentication, fraud-prevention and security information.

The legal basis for transmitting this information is Article 6(1)(b) GDPR because payment processing is necessary to perform the purchase contract.

Stripe processes certain information on our behalf and certain information under its own responsibility, particularly where processing is necessary to comply with financial, regulatory, anti-money-laundering, authentication, fraud-prevention or security obligations.

Stripe may process information outside the European Economic Area. Any required transfer takes place in accordance with Chapter V GDPR.

We do not receive complete credit-card numbers from Stripe.

Further information is available in Stripe’s privacy information.

 

8. Social-Media Links

Our website contains links to our profiles on services such as:

  • LinkedIn;
  • Instagram;
  • YouTube.

These are ordinary links and not social-media plugins. Merely visiting a page containing these links does not, to our knowledge, automatically establish a connection to the respective social-media provider through the link itself.

A connection to the provider is established when you click the relevant link. The provider may then receive information including your IP address, browser information and the fact that you accessed its website from our website.

If you are logged in to the relevant service, the provider may associate your visit with your user account.

The subsequent processing is carried out under the responsibility of the respective social-media provider and is governed by that provider’s privacy information.

 

9. Retention and deletion

We retain personal data only for as long as necessary for the respective purpose or for as long as retention is required or permitted by law.

The applicable retention period depends on the type of information and may be determined by:

  • the duration and processing of an inquiry;
  • the existence and duration of a customer account;
  • the initiation, performance and termination of a contract;
  • warranty and return periods;
  • statutory accounting, commercial and tax-retention obligations;
  • contractual and statutory limitation periods;
  • payment, fraud-prevention and security requirements;
  • the need to establish, exercise or defend legal claims;
  • the withdrawal of consent;
  • an effective objection to processing;
  • security and incident-investigation requirements.

Contact-form inquiries are retained until the inquiry has been completed and no further communication is reasonably expected. They may be retained for a longer period where they relate to a contractual relationship, are subject to a legal retention requirement, or are required for legal claims.

Customer-account information is generally retained for the duration of the account. Account deletion does not affect information that must continue to be retained in connection with orders, invoices, payments, deliveries, warranties or statutory obligations.

Order, invoice and accounting information is retained for the periods required by applicable commercial and tax law.

Consent records may be retained for as long as necessary to demonstrate that valid consent was obtained and to establish, exercise or defend legal claims.

Technical access logs are generally deleted after 14 days unless they are required for investigating a security incident or misuse.

When the relevant purpose no longer applies and no legal basis requires continued retention, personal data is deleted or anonymized.

Data deleted from active systems may remain temporarily in protected Odoo.sh backups until the applicable backup rotation period expires. Backup copies are used only for restoration, security and business-continuity purposes and are removed through the regular backup-rotation process.

 

10. Your Rights

You may contact us using the details provided above to exercise your rights under the General Data Protection Regulation.

In particular, you may have the right to:

  • obtain information about the personal data we process concerning you in accordance with Article 15 GDPR;
  • request the correction of inaccurate or incomplete personal data in accordance with Article 16 GDPR;
  • request the erasure of your personal data under the conditions set out in Article 17 GDPR;
  • request the restriction of processing under the conditions set out in Article 18 GDPR;
  • receive personal data that you have provided to us in a structured, commonly used and machine-readable format in accordance with Article 20 GDPR.

Where processing is based on your consent, you may withdraw that consent at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Please note that, depending on the circumstances, we may no longer be able to process your request or provide a requested service after consent has been withdrawn.

You also have the right, under Article 21 GDPR, to object at any time, on grounds relating to your particular situation, to the processing of your personal data where that processing is based on Article 6(1)(e) or Article 6(1)(f) GDPR.

If you object, we will no longer process the personal data concerned unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or unless the processing is necessary for the establishment, exercise or defence of legal claims.

You also have the right to lodge a complaint with a data-protection supervisory authority.

The supervisory authority generally responsible for rosslight GmbH is:

Der Landesbeauftragte für Datenschutz und Informationsfreiheit Mecklenburg-Vorpommern

Schloss Schwerin
Lennéstraße 1
19053 Schwerin
Germany

Telephone: +49 385 59494 0
Email: info@datenschutz-mv.de

 

11. Security

We use appropriate technical and organizational measures to protect personal data against:

  • unauthorized access;
  • accidental or unlawful disclosure;
  • alteration;
  • loss;
  • destruction;
  • misuse.

These measures include, where appropriate:

  • encrypted transmission;
  • role-based access permissions;
  • individual user accounts;
  • administrative access controls;
  • system updates;
  • backups;
  • logging and monitoring;
  • restricted access to CRM, customer and order information.

Security measures are reviewed and adjusted according to the nature, scope and risks of the processing.

 

12. Changes to this privacy policy

We may update this privacy policy where our websites, services, legal obligations or data-processing activities change.

The current version is available on our websites. The date of the most recent revision is stated at the beginning of this policy.