Privacy Policy
1. Controller
The controller responsible for data processing on seastormboats.eu in the sense of the GDPR is:
Nautigo GmbH, Schleiderweg 62, 40789 Monheim am Rhein, Germany
E-mail: [email protected] · Phone: +49 2173 2640400
2. Overview
seastormboats.eu is a largely static information and configurator website and additionally offers the binding online purchase of configured boats (shopping cart, order and payment). The data processed in this context is explained in the sections "Order Processing", "Payment Processing via Stripe" and "E-mail Delivery via Resend". Otherwise, without your consent, only technically necessary data is processed; optional services – embedded YouTube videos, audience measurement with Google Analytics, and session analysis with Microsoft Clarity – are loaded only after your explicit consent.
Contact is made exclusively through external services (WhatsApp, phone, e-mail). These processing activities are explained in detail below.
3. Hosting via Cloudflare
This website is delivered via the content delivery network Cloudflare Pages of Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. When accessed, technically necessary access data (IP address, time of access, user agent, requested URL, referrer) are processed in Cloudflare's server logs. This processing is carried out to ensure website operation, to prevent attacks and to optimise delivery. The legal basis is Article 6(1)(f) GDPR (legitimate interest).
For the transfer of data to the USA, the EU Standard Contractual Clauses and Cloudflare's own protection measures apply. Details and privacy policy: cloudflare.com/de-de/privacypolicy.
4. Embedded YouTube Videos (Privacy-Enhanced Mode)
A test video from YouTube is embedded on the website. We use the enhanced privacy mode (domain youtube-nocookie.com) and load the video exclusively with your explicit consent via our consent banner. Before consent is given, no embed code is loaded and no data is transmitted to Google.
As soon as you enable the "External Content" category or the YouTube service and start the video, technical connection data (including IP address, browser/device information) are transmitted to Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The legal basis is Article 6(1)(a) GDPR (consent).
You can withdraw your consent at any time for the future – via the link "Privacy Settings" in the footer of this website. Google's privacy policy: policies.google.com/privacy.
5. WhatsApp Contact
The website contains buttons that open a pre-filled chat to the WhatsApp number +49 151 21277699. Only after you actively click do you leave our website and are redirected to the WhatsApp application (Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland).
The WhatsApp conversation and associated data processing (phone number, profile picture, message content, device information) fall within Meta's responsibility. The legal basis for processing your inquiries is Article 6(1)(b) GDPR (pre-contractual measures) or Article 6(1)(f) GDPR (handling requests from interested parties). Meta's privacy policy: whatsapp.com/legal/privacy-policy-eea.
6. Fonts (self-hosted)
The fonts used Archivo and Sora are delivered directly from seastormboats.eu (self-hosted via npm package @fontsource). No connection to Google Fonts or other external font CDNs takes place.
7. Cookies, Local Storage, Tracking
Technically necessary, we set a single cookie called cc_cookie. It stores your consent decision (e.g. to enable external YouTube content or statistics measurement) and is set directly in the browser by the open-source library vanilla-cookieconsent. Without this cookie, you would have to make your selection again on each visit. Legal basis: § 25 subsection 2 number 2 TTDSG (absolutely required for the provision of the explicitly requested service).
Storage duration: 182 days. Content: technical information about your selection, an anonymous consent identifier (UUID), timestamp and language code. The consent cookie itself contains no personally identifiable tracking data.
Optional statistics and marketing services are loaded only after your explicit consent. With the "Statistics" category, Google Analytics 4 and Microsoft Clarity set additional cookies for audience and usage measurement (sections 8 and 8a). With the separate "Marketing" category, conversion and remarketing services are added – the Meta Pixel from Facebook/Instagram as well as Google Ads if applicable (section 9). Without the respective consent, neither statistics nor advertising measurement takes place. You can withdraw or modify your consent at any time via the link "Privacy Settings" in the footer.
8. Audience Measurement with Google Analytics 4
With your explicit consent we use Google Analytics 4 (GA4), a web analytics service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. GA4 helps us understand how this website is used (e.g. pages viewed, approximate geographic origin, device type) in order to improve our content and offering.
The analytics script is loaded exclusively after your consent via our consent banner. Only then are cookies (incl. _ga, _ga_<ID>) set and usage data transmitted to Google. GA4 does not store IP addresses permanently. Processing in the USA (Google LLC) is possible; this is based on the EU Standard Contractual Clauses and Google's certification under the EU-US Data Privacy Framework.
The legal basis is your consent pursuant to Article 6(1)(a) GDPR and § 25(1) TTDSG. You can withdraw your consent at any time with effect for the future via the link "Privacy Settings" in the footer; the GA4 cookies are then deleted. GA4 serves audience measurement only; no cross-device merging (Google Signals) takes place. Advertising and conversion measurement – only with separate consent – is described in the following section. More information: policies.google.com/privacy.
8a. Session Analysis with Microsoft Clarity
With your explicit consent to the "Statistics" category (service "Microsoft Clarity"), we use Microsoft Clarity, an analytics service of Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Clarity helps us understand how this website is actually used: we evaluate pseudonymous session recordings (session replays) as well as click, scroll and movement heatmaps to improve usability and content.
Strictly conditional on consent: Before your consent, no Clarity script is loaded, no cookie is set, and no data contact with Microsoft is established. After your consent, Clarity sets the first-party cookies _clck and _clsk and collects pseudonymous interaction data (including mouse, click and scroll movements, pages visited, approximate origin, browser/device information). We operate Clarity in pure analytics mode: no advertising cookies are set by Microsoft and the data is not used for advertising purposes. Entries in form fields (e.g. during checkout) are masked by Clarity and are not recorded in plain text.
Processing in the USA (Microsoft Corporation) is possible; this is based on the EU Standard Contractual Clauses and Microsoft's certification under the EU-US Data Privacy Framework. The legal basis is your consent pursuant to Article 6(1)(a) GDPR and § 25(1) TTDSG. You can withdraw your consent at any time with effect for the future via the link "Privacy Settings" in the footer; the Clarity cookies are then deleted and no further session data is collected. More information: privacy.microsoft.com/privacystatement.
9. Marketing: Meta Pixel & Conversions API (Facebook/Instagram), Google Ads
With your explicit consent to the "Marketing" category, we integrate the Meta Pixel of Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. With it, we measure the success of our advertising on Facebook and Instagram (conversion tracking, especially completed purchases) and build remarketing audiences.
Strictly conditional on consent: Before your consent, no Meta script is loaded, no cookie is set, and no data contact with Meta is established. After your consent, the pixel sets the cookies _fbp and – when accessed via an advertisement – _fbc and transmits event and connection data (including visited pages, triggered actions such as cart/purchase, IP address, browser/device information) to Meta.
Conversions API (server-side): We confirm a completed purchase directly from our server to Meta. We transmit – where available – SHA-256 hashed (pseudonymised) information (e-mail address, name, billing address) as well as the cookie values _fbp/_fbc and order data (value, currency, model). Browser and server events carry the same identifier and are merged by Meta (deduplication) to prevent double counting.
Joint responsibility & third-country transfer: For the collection and transmission of data via the pixel, we and Meta are joint controllers pursuant to Article 26 GDPR (on the basis of the Meta Controller Addendum); the subsequent processing for its own purposes is the responsibility of Meta alone. Processing in the USA (Meta Platforms, Inc.) is possible; this is based on the EU Standard Contractual Clauses and Meta's certification under the EU-US Data Privacy Framework.
Under the same "Marketing" category, we may also – if enabled – use Google Ads (Google Ireland Limited) for conversion measurement and remarketing; advertising cookies (including _gcl_au) are set and the click identifier (GCLID) is stored. This also takes place exclusively after your consent.
The legal basis is your consent pursuant to Article 6(1)(a) GDPR and § 25(1) TTDSG. You can withdraw your consent at any time with effect for the future via the link "Privacy Settings" in the footer; the advertising cookies are then deleted and no further advertising signals are sent. Meta's privacy policy: facebook.com/privacy/policy · Google's: policies.google.com/privacy.
10. Order Processing and Online Purchase
On seastormboats.eu, configured boats can be purchased online with binding effect. To process your order, we process the data you provide: name, billing and delivery address, e-mail address as well as the order and configuration data (selected model, equipment, price). The legal basis is Article 6(1)(b) GDPR (performance of the purchase contract or carrying out pre-contractual measures).
The shopping cart is stored exclusively locally in your browser (local storage) and is only transmitted to us or the service providers named below when the order is submitted.
For tax and commercial law reasons, we are obliged to retain contract, payment and invoice data. The statutory retention periods are up to ten years (§ 147 AO, § 257 HGB); the legal basis in this respect is Article 6(1)(c) GDPR. After the periods expire, the data is deleted.
11. Payment Processing via Stripe
We process online payments via the payment service provider Stripe: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (processing possibly together with Stripe, Inc., South San Francisco, CA, USA).
You enter your payment data directly with Stripe; we ourselves do not receive complete payment means data (e.g. the full card number). For payment processing, data such as name, e-mail address, billing address, order amount and technical data (incl. IP address) are transmitted to Stripe. Stripe processes this data to carry out the payment and to prevent fraud.
The legal basis is Article 6(1)(b) GDPR (performance of the contract) and Article 6(1)(f) GDPR (legitimate interest in fraud prevention and secure payment processing). For any processing in the USA, the EU Standard Contractual Clauses apply; Stripe is also certified under the EU-US Data Privacy Framework. More information: stripe.com/privacy.
12. E-mail Delivery via Resend
For sending transactional e-mails in connection with your order (order confirmation, invoice and internal notification), we use the service Resend of Resend, Inc., San Francisco, CA, USA. In this process, your e-mail address, your name and the content of the respective e-mail (order or invoice data) are transmitted to Resend in order to enable delivery.
The legal basis is Article 6(1)(b) GDPR (performance of the contract). A data processing agreement (Article 28 GDPR) exists with Resend; for the transfer to the USA, the EU Standard Contractual Clauses apply. Resend's privacy notice: resend.com/legal/privacy-policy.
13. Your Rights
You have the right at any time to request access (Article 15 GDPR), to rectification (Article 16 GDPR), to erasure (Article 17 GDPR), to restrict processing (Article 18 GDPR), to data portability (Article 20 GDPR) and to object (Article 21 GDPR).
You can withdraw any consent granted in the course of processing your request at any time with effect for the future.
You may also lodge a complaint with the supervisory authority responsible for us: State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia, Kavalleriestraße 2-4, 40213 Düsseldorf.
14. Status and Changes
This privacy policy was last updated on 7 July 2026. We reserve the right to adapt it in the event of technical or legal changes.