Privacy Policy
Note on legal references: references to "Art." refer to the EU General Data Protection Regulation (GDPR), which applies directly throughout the EU. References to "§" refer to German national laws (e.g. BDSG, TDDDG, UStG, AO), as the controller is based in Germany.
The protection of your personal data is important to us. Below we inform you in accordance with Articles 13 and 14 GDPR about which data we process when you use www.finalsticker.com (hereinafter "FINALSTICKER", "platform", "we"), for what purposes and on what legal basis. The General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the German Telecommunications Digital Services Data Protection Act (TDDDG) apply.
1. Controller
The controller responsible for data processing on this platform within the meaning of Art. 4 No. 7 GDPR is:
FINALSTICKER, Owner: Chris Hamann
Unter den Eichen 6
49809 Lingen
Germany
Email: info@finalsticker.com
Further details can be found in our legal notice.
2. Data Protection Officer
We are not legally required to appoint a data protection officer and have therefore not appointed one. You can send data-protection requests and matters concerning the exercise of your rights to datenschutz@finalsticker.com or info@finalsticker.com.
3. General information and definitions
We process personal data only to the extent necessary to provide a functional platform as well as our content and services, where there is a legal obligation, or where you have given your consent. "Personal data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on such data (e.g. collection, storage, use, transfer, deletion).
4. Hosting
We host our platform with a provider in Germany:
myLoc managed IT AG (brand "webtropia"), Am Gatherhof 44, 40472 Düsseldorf, Germany.
The provider processes, on our behalf, the data generated when using the platform (in particular the content data referred to in this policy as well as technical connection data). This is based on a data processing agreement pursuant to Art. 28 GDPR. The legal basis for the use is our legitimate interest in secure and efficient operation (Art. 6(1)(f) GDPR). The servers are located in Germany.
5. Provision of the platform and server log files
When you access the platform, the server automatically collects so-called server log files transmitted by your browser. These are:
- IP address of the requesting device,
- date and time of access,
- the file/URL requested and the status code,
- amount of data transferred,
- browser type and version, operating system,
- referrer URL.
This data is used for technical delivery, stability and security (e.g. to ward off attacks). The legal basis is Art. 6(1)(f) GDPR; our legitimate interest lies in secure and trouble-free operation. The log files are generally deleted or anonymised within 7 days, unless they are required for longer to preserve evidence in connection with a specific security incident.
6. DNS via Cloudflare
We use Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107, USA) to resolve our domain (DNS). Cloudflare is integrated solely as a DNS provider; no "proxy" or caching of visitor traffic via Cloudflare takes place. Technical request data is processed as part of DNS resolution. The legal basis is Art. 6(1)(f) GDPR (reliable availability of the platform). The data-protection agreements required for processing the technical DNS data are in place with Cloudflare. Any transfer to the USA is safeguarded by the EU Standard Contractual Clauses (see section 24).
7. SSL/TLS encryption
For security reasons, this platform uses TLS encryption. The certificates are obtained via Let's Encrypt (Internet Security Research Group); no personal user data is transmitted to third parties in this process. You can recognise an encrypted connection by the padlock symbol and "https://" in the address bar.
8. Cookies and local storage
We use exclusively technically necessary cookies, in particular a session cookie required for logging in and for the secure use of your account, as well as a cookie to store your language setting. These cookies are strictly necessary for operation; consent is not required for this (Section 25(2) No. 2 TDDDG, Art. 6(1)(f) GDPR).
In addition, we store individual convenience settings locally in your browser (local storage), e.g. the view last selected in the inventory. This data remains on your device and is not transmitted to us.
We do not currently use tracking, analytics or advertising cookies. Should consent-requiring services be added in future, we will obtain your express consent beforehand (Art. 6(1)(a) GDPR, Section 25(1) TDDDG) and adapt this policy.
Affiliate links / advertising: On individual pages (e.g. collection detail pages) we may link to relevant offers at partner shops such as eBay or Amazon; such links are marked as "advertisement". These are pure references (outbound links); we do not embed any partner scripts for this and do not set any cookies via these links. Only if you click such a link and visit the partner's site can the partner set its own cookies and process data in accordance with its own privacy policy. We may receive a commission for a referred purchase; we do not transmit any personal data about you to the partner via the link.
9. User account and registration
To use the full range of functions, you create a user account. In doing so and in the further course, we process:
- username, e-mail address and password (stored only as a cryptographic hash),
- first and last name,
- language, country and selected currency,
- times of registration and last activity.
The purpose is the provision and administration of your account as well as the handling of platform use. The legal basis is the performance of the user contract (Art. 6(1)(b) GDPR). To confirm your e-mail address, we send a verification e-mail.
10. Profile information (voluntary)
You can supplement your profile with voluntary information, such as a description ("About me"), gender, date of birth (including the option to display your age) and a profile picture (avatar). This information is voluntary and visible to other members. The legal basis is your consent by voluntarily entering it (Art. 6(1)(a) GDPR); you can change or remove it at any time in the settings (withdrawal with effect for the future).
Uploaded profile pictures are stored on our servers and processed to display your profile. The legal basis is your consent pursuant to Art. 6(1)(a) GDPR.
11. Address data and shipping
To ship traded or purchased items, we require your postal address (name, street, postal code, city, state if applicable, country). Your address is shown to the other person only after a trade or purchase has been concluded, so that shipping can take place. The legal basis is the performance of the contract (Art. 6(1)(b) GDPR). Without a complete address, trades and purchases cannot be completed.
Commercial sellers: If you classify yourself as a commercial seller, you are legally required to provide a provider identification (legal notice/imprint). The information you provide for this purpose (in particular company name, business address, contact details and – where applicable – VAT ID and register details) is displayed publicly as part of your sale offers so that buyers can view it. This concerns the business address you provide; the display of your private shipping address under paragraph 1 (only after a transaction has been concluded) remains unaffected. The legal basis is the fulfilment of a legal obligation (Art. 6(1)(c) GDPR) and your legitimate interest in promoting your offers (Art. 6(1)(f) GDPR). For private sellers, such information is not published.
12. Handling of trades and purchases
To handle trades and purchases, we process the collectibles involved, the items selected, reservations, price information, shipping details and the status of the transaction. The respective partners see the data of the other party required for the transaction. The legal basis is Art. 6(1)(b) GDPR. Important note: The actual payment and shipping take place directly between the members; FINALSTICKER does not process payments between trade/purchase partners and does not act as a seller/dealer of these items.
Marketplace listings: If, as a Premium member, you list your own items on the marketplace, we process and publish the item data you provide (title, description, condition, price, shipping details) as well as the item photos you upload. This content is publicly visible – including to visitors who are not logged in and via your public seller page. Interested parties can contact you via an enquiry; in doing so we process the resulting message history to facilitate the contact. We store a watchlist ("watched items") assigned to your account. The legal bases are the performance of pre-contractual measures or of the contract (Art. 6(1)(b) GDPR) and our legitimate interest in operating the marketplace (Art. 6(1)(f) GDPR).
Tax disclosure obligations (platform tax transparency): Insofar as we are legally required to do so as a platform operator (in particular under the German Platform Tax Transparency Act – PStTG, which implements the EU "DAC7" directive – above certain thresholds), we may be obliged to transmit certain data of selling members (including name, address, tax identification number and information on the sales achieved) to the competent tax authorities and to request the information required for this. The legal basis is the fulfilment of a legal obligation (Art. 6(1)(c) GDPR). This obligation may exist regardless of whether you classify yourself as a private or commercial seller.
13. Messages in the trade/purchase chat
Within a trade or purchase, you can exchange messages. These are stored and accessible to the respective parties in order to enable the transaction and make it traceable (e.g. in the event of disputes). The legal basis is Art. 6(1)(b) and (f) GDPR.
14. Ratings
After completed transactions, the parties involved can rate each other (star rating and optional comment). Ratings are linked to the respective profile and visible to other members; they serve to build trust within the community. The legal basis is our legitimate interest in a functioning, trustworthy trading system (Art. 6(1)(f) GDPR).
15. Activities and notifications
We maintain an activity history for your account (e.g. offers received, messages, completed transactions, ratings) to inform you of relevant events. If you have activated it in the settings, we additionally send e-mail notifications. The legal basis is Art. 6(1)(b) and (f) GDPR.
16. Online status
To improve the trade/purchase experience, we show other members whether you were recently online (based on your last page view). The legal basis is Art. 6(1)(f) GDPR. You can disable the display of your online status at any time in your settings (Account → Privacy); independently of this, you have the right to object under section 28.
17. Abuse prevention and disputes
To protect against abuse, where necessary we process internal notes, warnings, blocks and data on reported disputes (e.g. shipments not received). This data is only visible internally or to the administration. The legal basis is our legitimate interest in the security of the platform and the prevention of abuse (Art. 6(1)(f) GDPR).
Prevention of circumvention of blocks: If an account is blocked, we store normalised components of the stored address for this purpose (e.g. surname, street, house number, postal code, city and country in a standardised form) in order to detect whether the same person is circumventing the block via a new account or a change of address. This information is only kept for the duration of the block and is automatically removed after it ends. The legal basis is our legitimate interest in enforcing blocks and preventing abuse (Art. 6(1)(f) GDPR).
Reports of unlawful content: If you report content or behaviour to us (e.g. via the report function or the contact form), we process the details of your report, your contact data (where provided) and technical data such as your IP address in order to review and handle the report and to prevent misuse of the report function. The legal bases are the fulfilment of legal obligations (Art. 6(1)(c) GDPR, in particular under the German Digital Services Act or the EU Digital Services Act) and our legitimate interest in a secure platform (Art. 6(1)(f) GDPR).
18. Verification ("GetVerified")
You can have your account verified voluntarily in order to receive a trust badge. Only your name and/or address are checked; we do not require identity documents and do not process official ID data. For postal verification, we send a confirmation code to the address you have provided; for this purpose, we process an unchangeable snapshot of this address as well as the code. The purpose is to prove the accuracy of your information and to strengthen trust. The legal basis for processing your verification data and displaying the trust badge is your consent (Art. 6(1)(a) GDPR), which you may withdraw at any time with effect for the future. If you book the paid (postal) verification, we process the data required for its handling and billing in order to perform that contract (Art. 6(1)(b) GDPR). We store the snapshot of your address and the confirmation code for as long as the verification exists; if the verification status lapses (e.g. due to a change of your name or address or to a withdrawal) or you delete your account, this data is deleted.
19. Premium membership, payments and invoices
If you purchase a paid premium membership, we process the data required for processing (selected product, term, amount, currency) as well as an invoice record with a sequential invoice number, invoice/service date and an unchangeable snapshot of your billing address. The legal basis is the performance of the contract (Art. 6(1)(b) GDPR) as well as the fulfilment of tax and commercial retention obligations (Art. 6(1)(c) GDPR in conjunction with Section 14 of the German VAT Act, Section 147 of the German Fiscal Code, GoBD). We retain invoice documents in accordance with the statutory periods (up to ten years).
Payments are processed by the payment service provider Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland ("Stripe"). When you purchase a paid service, the data required for payment (in particular name, email address, billing address, payment-method data as well as amount and currency) is transmitted to and processed by Stripe. Payment details are entered directly with Stripe; in particular, we do not receive any full credit-card or debit-card numbers. The legal basis is Art. 6(1)(b) GDPR (performance of a contract). Where Stripe returns the payer’s name to us in connection with a payment, we use it solely for the voluntary identity check for our verification badge ("name verified"), provided you have requested verification. Stripe is part of a US group (Stripe, Inc.); details on the third-country transfer can be found in section 24. Further information: https://stripe.com/privacy.
20. Contact form and contacting us
If you write to us via the contact form or by e-mail, we process the information you provide (e.g. name, e-mail address, message) in order to handle your request. The legal basis is Art. 6(1)(b) GDPR (for contract-related enquiries) or (f) GDPR (for other matters). The data is deleted as soon as the request has been conclusively processed and no statutory retention obligations prevent this.
21. E-mail communication
We send transactional e-mails (e.g. registration confirmation, password reset, notices regarding trades/purchases, invoices) via our own mail server operated in Germany. We process incoming e-mails to our addresses in order to handle your request. We do not currently send a promotional newsletter; any such newsletter would only be sent with your express consent.
To ensure reliable delivery, we route outgoing e-mails via a dispatch service provider based in Germany and certified to ISO 27001 (VegaSystems GmbH & Co. KG, Paderborn) acting as a processor.
22. Minors
Our offer is aimed at persons aged 16 and over. Persons under 16 may only use the platform with the consent of their legal guardians and may only transmit personal data to us with their consent (Art. 8 GDPR). We do not knowingly process data of children under 16 without such consent. Legal guardians can contact us at any time if they become aware that data of a child has been transmitted to us without their consent; we will then delete it immediately.
23. Recipients and processors
Your data is only passed on to third parties to the extent necessary for the performance of the contract, where we are legally obliged to do so (e.g. towards authorities) or where you have consented. We currently use the following processors or service providers:
- myLoc managed IT AG / webtropia (Germany) – hosting/server operation,
- Cloudflare, Inc. (USA/EU) – DNS resolution,
- Let's Encrypt / ISRG – issuance of TLS certificates (without user data),
- Stripe Payments Europe, Ltd. (Ireland) – payment processing,
- VegaSystems GmbH & Co. KG (Paderborn, Germany) – sending of e-mails (mail relay).
As part of trades and purchases, the data required for processing (in particular name and address) is disclosed to the respective trade/purchase partners. This is part of the purpose of the contract (Art. 6(1)(b) GDPR).
24. Transfer to third countries
Insofar as data is transferred to providers based outside the EU/EEA (in particular Cloudflare, USA), this is done on the basis of appropriate safeguards, in particular the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) or an adequacy decision of the EU Commission, where applicable. On request, we will provide you with information on the safeguards in place.
When processing payments via Stripe, data may be transferred to the US parent company Stripe, Inc. (USA). Stripe, Inc. is certified under the EU-US Data Privacy Framework; in addition, EU Standard Contractual Clauses apply (Art. 46(2)(c) GDPR).
25. Storage period and deletion
We store personal data only for as long as is necessary for the stated purposes or as provided for by statutory retention periods. As long as your account exists, we process your account data for the duration of your membership; we do not delete your account automatically merely because of prolonged inactivity – however, we may remind you of your account after a longer period of inactivity. You can mark your account for deletion at any time in the settings; after a period of 7 days (within which you can revoke the deletion), your account is anonymised: we remove or overwrite your personal data (in particular name, e-mail address, address, profile information and profile picture), delete your private content (e.g. inventory and collections) and close any transactions still open. Contributions relating to other members – in particular ratings you have given as well as information on already completed trade/purchase transactions including the associated message history – are retained in anonymised form in order to preserve the meaningfulness of the rating system and the traceability of transactions (without any link to your clear data; your name then appears as "Deleted user"). This does not affect data that we are required to retain for legal reasons, in particular invoice documents; we retain such data in accordance with the statutory retention periods (up to ten years – see section 19) and block it from further processing.
26. Data security
We take technical and organisational measures to protect your data against loss, misuse and unauthorised access. These include, among others, continuous TLS encryption of the connection, storage of passwords exclusively as hashes, restrictive access rights, a firewall, protection against automated login attempts and server operation in a German data centre. Our measures are continuously adapted in line with technological developments.
27. Your rights as a data subject
Under the GDPR, you have the following rights:
- access to the data stored about you (Art. 15),
- rectification of inaccurate or incomplete data (Art. 16),
- erasure (Art. 17),
- restriction of processing (Art. 18),
- data portability (Art. 20),
- objection to certain processing operations (Art. 21, see section 28),
- withdrawal of consent given, with effect for the future (Art. 7(3)).
To exercise your rights, an informal message to datenschutz@finalsticker.com is sufficient. Exercising them is generally free of charge for you.
28. Right to object (Art. 21 GDPR)
Insofar as we process personal data on the basis of our legitimate interest (Art. 6(1)(f) GDPR), you have the right to object at any time, on grounds relating to your particular situation, to this processing. We will then no longer process the data concerned unless we can demonstrate compelling legitimate grounds that override your interests, or the processing serves to assert, exercise or defend legal claims. You can send your objection informally to datenschutz@finalsticker.com.
29. Right to lodge a complaint with a supervisory authority
Without prejudice to any other legal remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU Member State of your residence, place of work or place of the alleged infringement. The authority responsible for us is:
The State Commissioner for Data Protection of Lower Saxony (LfD)
Prinzenstraße 5, 30159 Hannover, Germany
Telephone: +49 511 120-4500
E-mail: poststelle@lfd.niedersachsen.de
Website: www.lfd.niedersachsen.de
30. Necessity of provision
Certain data is necessary for use: without account and contact data, no user account can be maintained; without a complete address, trades and purchases cannot be handled. To that extent, provision is necessary for the performance of the contract; without it, the respective functions cannot be used. Voluntary profile information, on the other hand, is optional.
31. No automated decision-making
Automated decision-making or profiling with legal effect within the meaning of Art. 22 GDPR does not take place. Our trade/purchase suggestions are based solely on a comparison of the collections and wishes you have specified and serve exclusively to improve matching.
32. Changes to this Privacy Policy
We adapt this Privacy Policy if the legal situation or our processing changes (e.g. when introducing new functions such as online payment or advertising). The current version is always available on this page.
Last updated: 27.06.2026