Privacy policy
Last updated: May 7, 2026
Neorbis & Co. (referred to as “we”, “us”, or “our”) respects your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you visit our website https://shop.neorbis.net/, place an order, or interact with us. This policy applies to customers in the United States (including California), the United Kingdom, and the European Union (including Germany). Where different legal rules apply by region, we have clearly indicated them below.
For customers in the European Union, Germany, and the United Kingdom: We comply with the UK GDPR and/or EU General Data Protection Regulation (GDPR), as applicable, and the German Federal Data Protection Act (BDSG) for German customers. Your data protection rights are described below.
For customers in the United States: We comply with applicable state privacy laws, including the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) effective January 1, 2026, and other relevant state laws where we do business.
1. Information We Collect
We may collect the following categories of personal information when you interact with our website:
A. Information You Provide to Us
- Identity and Contact Data: Name, billing address, shipping address, email address, telephone number.
- Order Data: Products purchased, order history, and preferences.
- Payment Information: Credit/debit card details, PayPal account information, or other payment method details. Payment processing is handled by our secure payment processors; we do not store full payment card details on our own servers.
- Communications: Information you provide when contacting customer support, subscribing to our newsletter, or completing surveys.
B. Information We Collect Automatically
- Technical Data: IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, and device information.
- Usage Data: Information about how you use our website, products, and services, including pages visited, time spent, clickstream data, and referral source.
- Cookies and Tracking Technologies: We use cookies and similar tracking technologies to enhance your browsing experience, analyze website traffic, and serve personalized content. See Section 5 (Cookies) below for more details.
C. Sensitive Personal Information
We do not intentionally collect sensitive personal information (such as precise geolocation, health data, biometric data, or information about your racial or ethnic origin, political opinions, or religious beliefs). If you voluntarily provide such information, we will treat it in accordance with applicable legal requirements.
2. How We Use Your Information
We use your personal information for the following business purposes:
| Purpose | Legal Basis |
|---|---|
| To process and deliver your orders, including order confirmation, payment processing, shipping, and returns | Contract performance |
| To provide customer support and respond to your inquiries | Contract performance / Legitimate interests |
| To send order updates and status notifications (e.g., shipping confirmation, delivery updates) | Contract performance |
| To improve our products, website, and customer experience, including analytics and performance monitoring | Legitimate interests |
| To send marketing communications and promotional emails (only with your consent where required by law; you may opt out at any time) | Consent / Legitimate interests |
| To detect, prevent, and investigate fraud or security incidents | Legal obligation / Legitimate interests |
| To comply with legal obligations, including tax and record-keeping requirements | Legal obligation |
Legitimate Interests: Where we rely on legitimate interests as a legal basis, we balance those interests against your rights and freedoms and will only process your data where our interests are not overridden by your privacy rights. Examples include website security, fraud prevention, and direct marketing (where consent is not required under applicable law).
For California residents (CCPA/CPRA 2026): We do not “sell” or “share” your personal information for cross-context behavioral advertising in the traditional sense. However, to the extent that our use of third-party analytics or advertising cookies constitutes “selling” or “sharing” under the CCPA as amended effective January 1, 2026, you have the right to opt out of such use via the “Your Privacy Choices” link in our website footer.
3. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Retention periods are determined based on the following criteria:
- Order and transaction data: Retained for the duration of our business relationship plus the period required to comply with legal obligations (e.g., tax and accounting laws, which typically require 6–10 years of retention in the US, UK, and Germany).
- Marketing data (with consent): Retained until you withdraw your consent or request deletion.
- Account information: Retained as long as you maintain an account with us.
- Website usage and analytics data: Retained for up to 26 months, or as otherwise specified in our cookie consent management platform.
When personal information is no longer needed, we securely delete or anonymize it.
4. Information Sharing and Disclosure
We do not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration. We may share your personal information in the following circumstances:
| Recipient Category | Purpose | Legal Basis |
|---|---|---|
| Payment processors (e.g., Stripe, PayPal, Shopify Payments) | Processing payments, fraud detection | Contract performance / Legal obligation |
| Shipping carriers (e.g., DHL, UPS, FedEx, Royal Mail, Deutsche Post) | Delivering orders to you | Contract performance |
| IT service providers (e.g., hosting, cloud storage, analytics) | Website operation, data storage, security | Legitimate interests / Contract performance |
| Marketing platforms (e.g., email service providers) | Sending marketing communications (with consent where required) | Consent / Legitimate interests |
| Law enforcement or regulatory authorities | Compliance with legal obligations, fraud prevention, or safety investigation | Legal obligation / Legitimate interests |
All third-party service providers are required to maintain appropriate security measures and are prohibited from using your personal information for any purpose other than providing the contracted services.
For California residents (CCPA 2026): We are required to disclose the categories of personal information we have collected, sources, business purposes, categories of third parties with whom we share information, and retention periods for each category. This information is summarized in this section and Section 1. Additionally, you have the right to request that we disclose to you the specific pieces of personal information we have collected about you. For more details on your rights, please see Section 9.
5. Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies (such as pixels, web beacons, and local storage) to enhance your experience, analyze website performance, and provide relevant marketing.
What are cookies? Cookies are small text files placed on your device when you visit a website. They help the website recognize your device and remember your preferences or actions over time.
Types of cookies we use:
| Cookie Category | Description | Example Purposes | Consent Required |
|---|---|---|---|
| Strictly Necessary Cookies | Essential for website functionality, cannot be disabled without affecting basic features | Shopping cart, login, checkout, security, load balancing | No consent required (exempt under EU/UK law) |
| Functional Cookies | Enhance website functionality (not strictly necessary) | Language preferences, region selection, saved settings | Yes (opt-in) |
| Analytics/Performance Cookies | Collect information about how visitors use the website, helping us improve | Google Analytics—page visits, click tracking, time on site | UK customers: No consent required from 5 Feb 2026 (opt-out available) — EU/Germany customers: Yes (opt-in) |
| Targeting/Advertising Cookies | Track browsing habits to deliver personalized advertising | Retargeting ads, social media pixels | Yes (opt-in) |
For UK customers: Under the Data (Use and Access) Act 2025 (DUAA), which took effect on 5 February 2026, cookies used solely for statistical or analytics purposes no longer require your prior consent, provided the data is used only by us (the website operator). We are required to provide you with clear information about the purpose of such cookies and give you the right to opt out free of charge. For all other cookies (functional, targeting, and advertising), your active consent remains required.
For EU and German customers: Under the EU ePrivacy Directive (implemented in Germany as the Telecommunications Telemedia Data Protection Act (TTDSG)), we must obtain your prior active consent before placing any non-essential cookies on your device. This includes analytics cookies, functional cookies (unless strictly necessary), and all advertising/targeting cookies. Consent must be freely given, specific, informed, and unambiguous, and you must be able to withdraw your consent as easily as you gave it.
For US customers: There is no federal cookie law in the US. However, several states (including California, Virginia, Colorado, Connecticut, and Utah) have privacy laws that may require certain disclosures or opt-out rights regarding tracking technologies, particularly where cookies are used for “cross-context behavioral advertising” (which may be considered “selling” or “sharing” under the CCPA). For residents of these states, we provide opt-out mechanisms as described in Section 9.
Cookie Consent Management:
When you first visit our website, a cookie consent banner will appear, allowing you to:
- Accept all cookies
- Reject non-essential cookies
- Customize your cookie preferences by category
For German customers only: In accordance with German regulatory guidance (DSK), we will ask you to renew your cookie consent at reasonable intervals (typically every 6 to 12 months). You will be prompted to re-confirm your preferences at that time.
How to manage cookies: You can also manage cookies directly through your browser settings. Most browsers allow you to:
- View what cookies are stored and delete them individually
- Block third-party cookies
- Block all cookies
- Delete all cookies when you close your browser
Please note that disabling strictly necessary cookies may prevent certain features of our website from functioning properly (e.g., you may not be able to add items to your shopping cart or complete checkout).
6. International Data Transfers
Our business is based outside of the UK, EU, and US, and we may transfer your personal information across international borders for the purposes described in this policy. When we transfer your personal information, we implement appropriate safeguards to ensure your data is protected in accordance with applicable data protection laws.
For UK and EU/Germany customers:
- Where we transfer your personal information to countries that have not been recognized by the UK government or the European Commission as providing an adequate level of data protection, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK Information Commissioner’s Office (ICO).
- You have the right to request a copy of these safeguards by contacting us at [your email address].
For US customers:
- Your personal information may be transferred to and processed in countries other than the United States. When we engage in such transfers, we rely on appropriate safeguards consistent with applicable US law and contractual obligations.
7. Data Security
We take the security of your personal information seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, accidental loss, alteration, disclosure, or destruction. These measures include:
- Encryption: We use TLS (Transport Layer Security) encryption to protect data transmitted between your browser and our website. Payment information is encrypted during transmission.
- Access Controls: Access to personal information is restricted to authorized personnel only, on a need-to-know basis, and requires authentication.
- Secure Storage: Personal information is stored on secure servers with firewalls and regular security monitoring.
- Third-party Security: Our payment processors and other service providers are contractually required to maintain appropriate security measures and comply with applicable data protection laws.
For California customers (CCPA 2026): We maintain written security procedures and practices that include reasonable security controls appropriate to the nature of the personal information we collect. We conduct regular security testing and maintain vendor management programs as required under the regulations effective January 1, 2026.
No method of transmission is 100% secure: While we strive to protect your personal information, please be aware that no security measures are perfect or impenetrable. We cannot guarantee the absolute security of your information transmitted to our website.
Data breach notification: In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authorities within the timeframes required by applicable law (72 hours for UK/EU GDPR, and as otherwise specified by state laws in the US).
8. Children’s Privacy
Our website and products are not intended for individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us, and we will take steps to delete such information.
For California customers (CCPA): We do not have actual knowledge that we “sell” or “share” the personal information of consumers under 16 years of age. If you are a resident of California and under 18 years of age, and you have posted content or information on our website (where such functionality exists), you may request removal of such content by contacting us as set forth below. However, removal does not ensure complete or comprehensive removal of such content from our systems.
9. Your Privacy Rights
Depending on where you reside, you may have the following rights regarding your personal information:
A. Rights under UK GDPR and EU GDPR (for UK and EU/Germany customers)
Under the UK GDPR (for UK customers) and the EU GDPR (for customers in EU member states including Germany), you have the following rights:
| Right | Description |
|---|---|
| Right to Access | You have the right to request a copy of the personal information we hold about you, along with information about how we process it. |
| Right to Rectification | You have the right to request that we correct inaccurate or incomplete personal information. |
| Right to Erasure (“Right to be Forgotten”) | You have the right to request that we delete your personal information in certain circumstances (e.g., where it is no longer necessary for the purposes collected, or where you withdraw consent and there is no other legal basis for processing). |
| Right to Restriction of Processing | You have the right to request that we restrict the processing of your personal information in certain circumstances (e.g., while we verify its accuracy or where processing may be unlawful). |
| Right to Data Portability | You have the right to receive your personal information in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where processing is based on consent or contract and carried out by automated means. |
| Right to Object | You have the right to object to processing of your personal information based on legitimate interests or for direct marketing purposes (including profiling related to such marketing). |
| Right to Withdraw Consent | Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal. |
| Right to Lodge a Complaint | You have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO). In Germany, this is the relevant state data protection authority (Landesbeauftragter für Datenschutz). |
These rights are not absolute and may be subject to exceptions under applicable law (e.g., where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims).
B. Rights under US State Privacy Laws (for US customers)
If you are a resident of a US state with a comprehensive privacy law, including but not limited to: California (CCPA/CPRA 2026), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states that have enacted effective privacy laws, you may have the following rights:
“Do Not Sell or Share My Personal Information” Opt-Out:
As required by California law (effective January 1, 2026), we provide a clear and conspicuous “Your Privacy Choices” link (with an approved opt-out icon) in our website footer. Clicking this link will direct you to a page where you can exercise your right to opt out of the “sale” or “sharing” of your personal information for cross-context behavioral advertising. This link consolidates both the “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” opt-out mechanisms as permitted by the updated CPRA regulations.
We also recognize and respond to Global Privacy Control (GPC) signals and other opt-out preference signals transmitted by your browser as a valid request to opt out of the “sale” or “sharing” of your personal information, as required by law.
C. How to Exercise Your Rights
To exercise any of your privacy rights, you may contact us:
- By email: [your email address]
- Subject line: “Privacy Request — [Your Name]”
Please include sufficient information to identify you (e.g., your name, email address associated with your account, order number) and specify the right you wish to exercise. We may need to verify your identity before processing your request, which may require you to provide additional information to confirm your identity (e.g., matching certain information you have previously provided to us). We will respond to your request within the timeframes required by applicable law:
- UK/EU/Germany: Within one month (may be extended by two additional months for complex or multiple requests, with notice provided to you).
- US state laws: Within 45 days (may be extended by an additional 45 days with notice to you).
Authorized Agent (California): If you are a California resident and wish to submit a request through an authorized agent, the agent must provide written permission signed by you to act on your behalf, and you may be required to verify your identity directly with us.
10. Marketing Communications and Opt-Out
We may send you marketing communications (including newsletters, promotional offers, and product updates) only where you have provided your consent (where required by law) or where we have a legitimate interest to do so (e.g., to inform existing customers of similar products or services).
Opt-Out Instructions: You may opt out of receiving marketing communications at any time by:
- Clicking the “unsubscribe” link at the bottom of any marketing email, or
- Contacting us at [your email address] with “Unsubscribe” in the subject line.
Transactional Communications: Please note that even if you opt out of marketing communications, we will continue to send you transactional or service-related communications (e.g., order confirmations, shipping notifications, customer support responses) as necessary to fulfill our obligations to you.
11. Links to Third-Party Websites
Our website may contain links to third-party websites, plug-ins, services, social networks, or applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy practices. We encourage you to read the privacy policy of every website you visit.
12. Changes to This Privacy Policy
We reserve the right to update or modify this Privacy Policy at any time. When we make changes, the “Last updated” date at the top of this policy will be revised. If we make material changes to this policy, we will notify you by prominently posting a notice on our website or, where required by law, by sending you an email notification. We encourage you to review this policy periodically to stay informed about how we are protecting your personal information.
Your continued use of our website after any changes to this Privacy Policy constitutes your acceptance of the revised policy. (For UK/EU customers, where changes affect your rights or require renewed consent, we will obtain your consent as required by law.)
13. Supervisory Authorities and Complaints
For UK customers: If you are not satisfied with our response to your privacy request, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
- Website: https://ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
For German customers: If you are not satisfied with our response to your privacy request, you have the right to lodge a complaint with the relevant state data protection authority (Landesbeauftragter für Datenschutz). The competent authority depends on your location in Germany. A list of all German state data protection authorities can be found at: https://www.bfdi.bund.de
For customers in other EU member states: You have the right to lodge a complaint with your local data protection supervisory authority.
For US customers (California): If you are a California resident and are not satisfied with our response to your privacy request, you have the right to contact the California Privacy Protection Agency (CPPA) or to pursue other legal remedies available under law.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:
| Method | Details |
|---|---|
| Email: | service@neorbis.net |
| Response Time: | Within 24 hours on business days |
For data protection inquiries, you may address your communication to our Data Protection Officer (GDPR/UK GDPR) or our Privacy Compliance Officer (US).