Privacy policy
Privacy policy
Last updated: 18 June 2026
1. Controller
Walter Häfner GmbH
Ostring 1
97688 Bad Kissingen
Germany
Email: info@elektro-haefner.de
Phone: 0971/2468
Managing directors authorised to represent the company: Sabine Häfner, Christoph Kohlhepp
2. Scope
This privacy policy informs you about the nature, scope and purposes of the processing of personal data when you visit our website lightnox.de, including our online shop and all related functions. This includes in particular customer account, order processing, payment processing, shipping, contact, newsletter, reviews, analytics and marketing functions.
3. Hosting and shop operation with Shopify
We use the services of Shopify Inc. and affiliated companies for the operation, presentation and infrastructure of our shop. Shopify processes personal data on our behalf pursuant to Art. 28 GDPR.
Depending on the service used, personal data may be transferred to third countries, in particular Canada or the USA. Shopify uses appropriate safeguards for this, for example EU standard contractual clauses or comparable protection mechanisms.
Legal bases: Art. 6(1)(b) GDPR for contract performance and pre-contractual measures, and Art. 6(1)(f) GDPR for the operation, security, stability and technical provision of our online shop.
4. Access data and server logs
When our website is accessed, technical data is processed automatically. This may include in particular IP address, date and time of access, content accessed, referrer URL, browser type, operating system, device data and similar technical information.
Processing takes place to ensure stability, security, prevention of misuse and error analysis. The legal basis is Art. 6(1)(f) GDPR.
5. Customer account and login with Google
You can create and use a customer account either with email address and password or via “Sign in with Google”. When using Google login, we receive from Google in particular the verified email address, the publicly stored name and a Google-specific user ID.
We use this data exclusively for registration, login and administration of your customer account.
- Legal bases: calling the Google service and data transfer: Art. 6(1)(a) GDPR; account creation and account use: Art. 6(1)(b) GDPR.
- Voluntary nature: use of Google login is voluntary. You can alternatively use the classic login by email and password.
- Withdrawal: you may withdraw consent at any time for the future and remove access in your Google account.
6. Contract processing and orders
To process orders, we process the data you provide. This includes in particular name, billing address, delivery address, email address, telephone number, ordered products, payment information, order information and communication data.
Processing takes place to carry out pre-contractual measures and to fulfil the purchase contract. The legal basis is Art. 6(1)(b) GDPR.
We regularly store data relevant under commercial and tax law for 6 or 10 years in accordance with statutory retention obligations.
7. Payment processing
We use the following payment services: PayPal, Klarna, Apple Pay, Google Pay and credit card providers via Shopify Payments.
The data required for payment processing is transmitted to the respective payment provider for contract performance pursuant to Art. 6(1)(b) GDPR. The respective payment providers are generally independent controllers within the meaning of the GDPR.
8. Shipping service providers
Shipping is carried out with DHL, DPD, UPS and GLS. For delivery, we transmit the necessary address and contact data to the respective shipping service provider.
The legal basis is Art. 6(1)(b) GDPR. Optional shipping notifications are only sent where consent exists or where they are necessary for contract processing.
9. Contact
If you contact us by form, email, telephone or otherwise, we process your information to handle the enquiry and, where applicable, to initiate a contract.
The legal bases are Art. 6(1)(b) GDPR for contract-related enquiries and Art. 6(1)(f) GDPR for general communication and customer service.
10. Newsletter
We use the Shopify newsletter. Registration is voluntary and usually takes place via double opt-in. For sending the newsletter, we process in particular your email address and, where applicable, your name and technical confirmation data.
The legal basis is your consent pursuant to Art. 6(1)(a) GDPR. You can unsubscribe at any time using the unsubscribe link in the respective email.
11. Reviews
11.1 Product reviews with Judge.me
We use Judge.me for product reviews. If you submit a review or receive a review request, Judge.me processes, depending on the function, in particular email address, order and product references and review content.
The legal bases are Art. 6(1)(a) GDPR where consent is given and Art. 6(1)(b) GDPR for product- or order-related communication. Judge.me may be used as a processor.
11.2 Service and shop reviews with ProvenExpert
Where applicable, we use widgets or badges from ProvenExpert to display our overall reviews. When such content is loaded, technical data such as IP address, browser and device information may be processed.
The legal basis is Art. 6(1)(f) GDPR for presentation and trust-building. Where consent via the consent banner is required, processing is based on Art. 6(1)(a) GDPR.
12. Live chat
We use Shopify Live Chat for customer communication. The content you enter and technical usage data are processed.
The legal bases are Art. 6(1)(f) GDPR for fast customer support and Art. 6(1)(b) GDPR for contract-related enquiries.
13. Cookies and consent management
We use cookies and similar technologies. Technically necessary cookies serve the operation, security, shopping cart function, checkout and login to the customer account.
The legal bases for technically necessary cookies are Art. 6(1)(f) GDPR and/or Art. 6(1)(b) GDPR.
For non-essential analytics and marketing technologies, we obtain your consent via the tool Tinycookie. The legal basis is Art. 6(1)(a) GDPR. You can change or withdraw your selection at any time via the consent banner.
14. Web analytics and marketing
14.1 Google Analytics 4
We use Google Analytics 4 to measure reach and analyse the use of our shop, only where consent has been given. The provider is Google Ireland Ltd.
In particular, usage data, device and browser information, IP address, referrer URL, online identifiers and event data may be processed. Data may be transferred to third countries, in particular the USA.
Google uses suitable safeguards for this, such as the EU-US Data Privacy Framework or EU standard contractual clauses. The legal basis is Art. 6(1)(a) GDPR.
14.2 Google Ads conversion tracking
We use Google Ads Conversion Tracking to measure the success of our advertising campaigns, only where consent has been given.
Cookies, online identifiers, conversion data, device and browser information and IP addresses may be processed. The legal basis is Art. 6(1)(a) GDPR.
14.3 Google Consent Mode, IP-based signals and Google data processing
We use or support Google Consent Mode to transmit the selection made in the consent banner to Google. Consent signals for analytics, ad storage, user data for advertising purposes and ad personalisation may be transmitted to Google. Google tags adapt their behaviour according to the transmitted consent.
When Google services such as Google Analytics 4, Google Ads, conversion tracking, remarketing, enhanced conversions and Customer Match are used, personal data and automatically transmitted information may be processed depending on your consent and the respective settings. This may include in particular IP address, device and browser information, referrer URL, usage data, online identifiers and consent signals.
Depending on the service, settings and contractual basis, Google may process data as a processor or as an independent controller in accordance with the applicable Google privacy and data processing terms.
Further information on how Google uses data from websites or apps can be found at: https://policies.google.com/technologies/partner-sites.
14.4 Meta Pixel
We use the Meta Pixel to display and measure advertising on Facebook and Instagram, only where consent has been given. The provider is Meta Platforms Ireland Ltd.
In particular, usage data, device information, online identifiers and event data may be processed. Data may be transferred to the USA. The legal basis is Art. 6(1)(a) GDPR.
14.5 Google Ads enhanced conversions and Customer Match
We also use the Google Ads Enhanced Conversions and Customer Match functions of Google Ireland Ltd. These functions enable improved success measurement, attribution and optimisation of our Google Ads campaigns.
Certain customer data that you have provided to us in connection with a purchase, enquiry or other interaction, in particular email address, telephone number, name or address, may be hashed using a one-way hashing process before being transmitted to Google.
Google may use this data within the respective Google services for matching, conversion measurement, fraud prevention and, where corresponding consent exists, to improve ad measurement and personalisation. The plain-text data is not directly disclosed to Google.
Processing takes place, where required, on the basis of your consent pursuant to Art. 6(1)(a) GDPR. Depending on the service, settings and contractual basis, Google processes data as a processor or as an independent controller in accordance with the applicable Google privacy and data processing terms.
A transfer to third countries, in particular the USA, may take place. Google uses suitable safeguards such as the EU-US Data Privacy Framework and/or EU standard contractual clauses. You can withdraw your consent at any time via the consent banner.
14.6 Server-side tracking with Littledata
We use the service Littledata to collect analytics and marketing data from our Shopify shop more reliably from a technical perspective and to transmit it to connected services such as Google Analytics, Google Ads and, where applicable, Meta.
Littledata supports server-side tracking, attribution of orders to marketing channels and improved measurement of the success of our advertising campaigns.
Depending on use, technical usage data, order and cart information, product interactions, device and browser information and data provided by you such as email address or telephone number may be processed. Where required, data for enhanced conversion measurements is transmitted in pseudonymised or hashed form.
Processing takes place only where corresponding consent has been given via our consent banner. The legal basis is Art. 6(1)(a) GDPR. Littledata takes into account the consent decisions made via Shopify Customer Privacy or our consent management. You may withdraw your consent at any time via the consent banner.
Littledata may be used as a technical service provider or processor. A transfer to third countries cannot be excluded depending on the connected target system and service provider. In this case, suitable safeguards such as EU standard contractual clauses or comparable protection mechanisms are used.
15. Social media links
We link to our presences on Facebook, Instagram and Pinterest. When you click such a link, you leave our website. The privacy policies of the respective provider then apply.
16. Recipients and categories of personal data
Depending on your use of our shop, personal data may be transmitted in particular to the following categories of recipients:
- IT, hosting and shop services, in particular Shopify
- analytics and tracking service providers, in particular Littledata and connected services such as Google Analytics, Google Ads and Meta
- payment services such as PayPal, Klarna, Apple Pay, Google Pay, credit card providers and Shopify Payments
- shipping service providers such as DHL, DPD, UPS and GLS
- review, communication and marketing services such as Judge.me, ProvenExpert, Google and Meta
- internal recipients such as customer service, accounting and management
- tax advisers, authorities or other bodies where a legal obligation exists
17. Transfers to third countries
When certain services are used, in particular Google, Meta, Shopify groups or connected analytics and marketing services, personal data may be transferred to third countries outside the EU or EEA.
Suitable safeguards are used, for example EU standard contractual clauses, the EU-US Data Privacy Framework or comparable protection mechanisms.
18. Storage period
We process personal data only for as long as is necessary for the respective purposes. Statutory retention periods, in particular under commercial and tax law, remain unaffected.
After expiry of the respective periods, the data is deleted or anonymised in accordance with statutory requirements.
19. Obligation to provide personal data
Certain information is required for contract processing, ordering, payment and delivery. Without this information, we cannot conclude or fulfil the contract.
The use of analytics and marketing functions as well as social login functions is voluntary.
20. No automated decision-making
We do not use exclusively automated decisions with legal effect concerning you and no profiling within the meaning of Art. 22 GDPR.
21. Your rights
Subject to the statutory requirements, you have the following rights:
- right of access pursuant to Art. 15 GDPR
- right to rectification pursuant to Art. 16 GDPR
- right to erasure pursuant to Art. 17 GDPR
- right to restriction of processing pursuant to Art. 18 GDPR
- right to data portability pursuant to Art. 20 GDPR
- right to object pursuant to Art. 21 GDPR
- right to withdraw consent given with effect for the future
22. Right to object under Art. 21 GDPR
You may object at any time, on grounds relating to your particular situation, to processing based on Art. 6(1)(f) GDPR.
In the case of direct marketing, there is a general right to object. If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
23. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU Member State of your residence, workplace or the place of the alleged infringement.
For us in Germany, the competent data protection supervisory authority in the Free State of Bavaria is among the relevant authorities.
24. Security
Our website uses SSL/TLS encryption. We take appropriate technical and organisational measures to protect your personal data against loss, misuse, unauthorised access, alteration or disclosure.
25. Changes to this privacy policy
We adapt this privacy policy as needed to legal, technical or business developments. The current version is available on this page at any time.

