Privacy policy
Privacy Policy
Last updated: June 2026
Controller within the meaning of the GDPR: Louise Wittlich, Wiesengrund 10, 66625 Nohfelden, Germany. Email: info@louiselouise.com, Phone: +33 6 18 11 56 83.
1. Scope
This privacy policy informs users of louiselouise.com, in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the German Telecommunications-Telemedia Data Protection Act (TTDSG), about the nature, scope and purpose of the collection and use of personal data.
Use of this website is generally possible without providing personal data. Where personal data is collected, this is done on a voluntary basis or to the extent required by law.
2. Your rights at a glance
As a data subject, you have the following rights:
• Right of access to your stored data (Art. 15 GDPR).
• Right to rectification of inaccurate data (Art. 16 GDPR).
• Right to erasure ('right to be forgotten'), subject to statutory retention obligations (Art. 17 GDPR).
• Right to restriction of processing (Art. 18 GDPR).
• Right to data portability (Art. 20 GDPR).
• Right to object to processing based on legitimate interest, in particular for marketing purposes (Art. 21 GDPR).
• Right to withdraw any consent given at any time with effect for the future (Art. 7(3) GDPR).
• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR) — contact details at the end of this document.
To exercise your rights, contact us at: info@louiselouise.com.
3. Access data and server log files
Each time this website is accessed, our server automatically records information sent by your browser: IP address of the requesting device, date and time of access, URL accessed, referrer URL (previously visited page), browser and operating system used, and the amount of data transferred.
Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in the security and improvement of the website. These data do not allow us to identify you personally and are not used for this purpose.
Retention period: 7 days with IP address; then 24 additional days without IP address; then automatic deletion.
4. Hosting by Shopify
This website is hosted on the Shopify platform. Provider: Shopify International Limited, 2nd Floor Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland (https://www.shopify.com/). Shopify processes on our behalf the technical access data and order data required to provide the website and process orders. Data may be processed outside the EU; Shopify relies on the EU-US Data Privacy Framework and standard contractual clauses of the European Commission.
Legal basis: Art. 6(1)(b) and (f) GDPR. Further information: https://www.shopify.com/legal/privacy
5. Cookies and similar technologies
louiselouise.com uses cookies and similar technologies. We distinguish two categories:
• Strictly necessary cookies: essential for the website to function (e.g. shopping cart, session management, security). Legal basis: Art. 6(1)(f) GDPR in conjunction with Section 25(2) TTDSG; no prior consent required.
• Non-essential cookies (analytics, marketing, social media): only set after you have actively consented via our cookie consent banner. Legal basis: Art. 6(1)(a) GDPR in conjunction with Section 25(1) TTDSG.
You can withdraw or modify your consent at any time via [insert link / cookie management icon]. Without your consent, no non-essential cookies are set and no data is transmitted to the third-party providers mentioned below.
6. Order processing and payments
When you make a booking or purchase on louiselouise.com, we process the data required for this: name, billing and delivery address, email, phone number (optional), payment data and order details.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Retention period: until the expiry of statutory and contractual warranty rights; data relevant under commercial and tax law is retained for the statutory periods (generally 10 years from conclusion of contract).
Shopify Payments / Stripe
Payment processing is carried out via Shopify Payments, a service of Shopify International Limited. Shopify Payments uses Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland, as a technical sub-processor. Credit card data is entered and processed exclusively within the Shopify/Stripe system; we have no access to this data. Legal basis: Art. 6(1)(b) GDPR.
PayPal
If you choose PayPal as your payment method, the data required for processing (name, invoice amount, address) is transmitted to PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. Further information: https://www.paypal.com/de/webapps/mpp/ua/privacy-full. Legal basis: Art. 6(1)(b) GDPR.
7. Customer account
You may optionally create a password-protected customer account. The data stored there (name, email, order history) is used exclusively for the management of your orders. Legal basis: Art. 6(1)(b) GDPR. The account can be deleted at any time.
8. Contact form and direct contact
When you contact us via the contact form or by email, the data transmitted (name, email address, message content) is stored to process your enquiry. No transmission to third parties takes place. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in processing enquiries) or Art. 6(1)(b) GDPR if the enquiry is aimed at concluding a contract. Retention period: until the enquiry has been fully processed; longer where legal retention obligations apply.
9. Newsletter (Klaviyo)
You can subscribe to our newsletter, through which we inform you about make-up tips, courses and offers. We use Klaviyo, Inc., 125 Summer Street, Boston, MA 02110, USA (https://www.klaviyo.com).
When you subscribe, we store your email address, your name (optional), as well as the IP address and timestamp of registration (as proof of consent). Klaviyo uses tracking pixels in emails sent to determine whether and when an email was opened and which links were clicked. This data is used to optimise our newsletter. Legal basis: Art. 6(1)(a) GDPR (consent).
Klaviyo processes data in the USA; basis for third-country transfer: EU-US Data Privacy Framework and standard contractual clauses. Klaviyo privacy policy: https://www.klaviyo.com/legal/privacy/privacy-notice
You can withdraw your consent at any time via the unsubscribe link in each email or by contacting us. Withdrawal does not affect the lawfulness of processing carried out up to that point.
10. Google Analytics (GA4)
We use Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (for processing in the USA: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).
Google Analytics is only activated after you have given consent via our cookie banner. Legal basis: Art. 6(1)(a) GDPR in conjunction with Section 25(1) TTDSG.
GA4 collects information about your browsing behaviour (pages visited, time spent, click paths, etc.). IP addresses are anonymised before any storage. This data is used to analyse and improve our offering.
Transfer of data to the USA: Google LLC is certified under the EU-US Data Privacy Framework; standard contractual clauses apply on a subsidiary basis.
You can withdraw your consent at any time via our cookie management tool. You can also install the Google Analytics opt-out browser add-on at: https://tools.google.com/dlpage/gaoptout. Further information: https://support.google.com/analytics/answer/6004245?hl=en
11. Google Ads and conversion tracking
We use Google Ads and its conversion tracking feature, a service of Google Ireland Limited / Google LLC (addresses above).
Google Ads is only activated after you have given consent via our cookie banner. Legal basis: Art. 6(1)(a) GDPR in conjunction with Section 25(1) TTDSG.
When you click on one of our Google ads and then access a specific page of our website, Google places a conversion cookie (valid for 30 days). This cookie allows Google and us to verify whether a conversion (e.g. a booking) has taken place. No personal identification is possible.
Transfer of data to the USA: Google LLC is certified under the EU-US Data Privacy Framework; standard contractual clauses apply on a subsidiary basis. You can withdraw your consent at any time via our cookie management tool.
12. Facebook and Instagram plugin (Meta)
We use social plugins from Facebook and Instagram on our website, operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.
These plugins are only loaded after you have given consent via our cookie banner. Legal basis: Art. 6(1)(a) GDPR in conjunction with Section 25(1) TTDSG. Without consent, no connection is established with Meta's servers.
After consent, your browser establishes a direct connection to Meta's servers; Meta may then record your visit to this page and, if you are logged in, link it to your Facebook or Instagram account. Information: https://www.facebook.com/privacy/policy/ and https://help.instagram.com/155833707900388
Transfer of data to the USA: Meta Platforms, Inc. is certified under the EU-US Data Privacy Framework.
13. YouTube
We embed YouTube videos on our website, a service of YouTube LLC (subsidiary of Google LLC). Provider in the EU: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
YouTube videos are only loaded after you have given consent via our cookie banner, using privacy-enhanced mode where technically possible. Legal basis: Art. 6(1)(a) GDPR in conjunction with Section 25(1) TTDSG.
After consent, your browser establishes a connection to YouTube's servers; your IP address and information about pages visited are transmitted, among other data. Transfer of data to the USA: Google LLC is certified under the EU-US Data Privacy Framework. Google/YouTube privacy policy: https://policies.google.com/privacy
14. Pinterest
We use features of Pinterest, a service of Pinterest Europe Limited, 2nd Floor, Palmerston House, Fenian Street, Dublin 2, Ireland (for the USA: Pinterest, Inc., 505 Brannan Street, San Francisco, CA 94107).
Pinterest content and buttons are only loaded after you have given consent via our cookie banner. Legal basis: Art. 6(1)(a) GDPR in conjunction with Section 25(1) TTDSG. Without consent, no connection is established with Pinterest's servers.
After consent, Pinterest may record your visit and, if you are logged in, link it to your account. Pinterest privacy policy: https://policy.pinterest.com/en/privacy-policy. You can withdraw your consent at any time via our cookie management tool.
15. Disclosure of data to third parties
Your personal data is only disclosed to third parties to the extent necessary for the performance of the contract (e.g. logistics companies, payment service providers), if you have consented, if we are legally obliged to do so, or if we have a legitimate interest in doing so (e.g. to enforce our rights). Our service providers are contractually bound to confidentiality and may only process your data in accordance with our instructions.
16. International data transfers
Some of the service providers we use (in particular Google, Meta, Klaviyo, Pinterest) process data in the USA. Transfer to third countries is based on the EU-US Data Privacy Framework (where providers are certified) and, on a subsidiary basis, on standard contractual clauses of the European Commission pursuant to Art. 46(2)(c) GDPR.
17. Retention periods
We store personal data only for as long as necessary for the relevant purpose or as required by statutory retention obligations. Specifically:
• Server log files: 7 days with IP address; then 24 additional days without IP address.
• Order data: until expiry of the statutory warranty period; then up to 10 years for commercial and tax law purposes.
• Contact enquiries: until fully processed; up to 3 years where legally relevant.
• Newsletter data: until withdrawal of consent, then deletion within 30 days.
• Cookie consents: 12 months (renewed on next visit).
18. Children's privacy
Our offering is not directed at children under the age of 16. We do not knowingly collect personal data from persons under the age of 16. If, as a parent or guardian, you become aware that a child under 16 has provided us with data, please contact us at info@louiselouise.com so that we can delete this data without delay.
19. Competent supervisory authority
You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR (Art. 77 GDPR). The authority responsible for Louise Wittlich (louiselouise.com) is:
Landesbeauftragte für Datenschutz und Informationsfreiheit – Unabhängiges Datenschutzzentrum Saarland (UDS)
Fritz-Dobisch-Straße 12, 66111 Saarbrücken, Germany
Phone: +49 681 94781-0 · Email: poststelle@datenschutz.saarland.de · www.datenschutz.saarland.de
20. Changes to this privacy policy
We reserve the right to update this privacy policy as necessary — for example in the event of changes in the legal situation, our services or the technologies we use. The version published on this site at the time of your visit shall apply. In the event of material changes, we will notify you in an appropriate manner.