By clicking "Allow all", you consent to the storage of cookies on your device to improve site navigation, analyze site usage, and support our marketing efforts. Learn more
Settings
Decline
Allow all
51%
Updated 25 April 2026
Privacy Policy

We take the protection of your data seriously. This privacy policy informs you which personal data we collect when you use starks.design, the purposes for which we process it, and what rights you have. The legal basis is the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

01 Controller

The controller responsible for data processing within the meaning of Art. 4 No. 7 GDPR is:

Viktor Stark
Starks.Design
Reinhartserstrasse 18A
87437 Kempten
Germany

Phone: +49 175 5502447
Email: info@starks.design

A data protection officer is not legally required.

02 Definitions

We use the terms of the GDPR throughout this policy. The most important ones in short:

  • Personal data: any information relating to an identifiable person (e.g. name, email, IP address).
  • Processing: any operation involving personal data (collecting, storing, using, deleting).
  • Controller: the entity that decides on the purposes and means of processing.
  • Processor: a service provider that processes data on our behalf.
  • Consent: your freely given, informed agreement to a specific processing operation.

03 General information on data processing

We process personal data only where there is a legal basis for doing so. Specifically, we rely on:

  • Art. 6(1)(a) GDPR — your consent (e.g. for non-essential cookies, newsletter where offered).
  • Art. 6(1)(b) GDPR — performance of a contract or pre-contractual measures (orders, customer account, delivery of digital products).
  • Art. 6(1)(c) GDPR — compliance with legal obligations (tax and commercial law).
  • Art. 6(1)(f) GDPR — legitimate interests (e.g. IT security, prevention of misuse).

We retain your data only for as long as necessary for the respective purpose or as required by statutory retention obligations.

04 Server logs

When you access our website or our API, technical information is automatically recorded in server logs. The following data is processed:

  • IP address
  • date and time of the request
  • requested URL and HTTP status code
  • amount of data transferred
  • user agent (browser, operating system)
  • referrer URL

This processing serves to ensure operation, analyse errors and defend against attacks. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in stable and secure operation).

The logs are processed by our API host Vercel (see Section 11) and deleted after 30 days at the latest, unless a specific security incident justifies longer retention.

05 Cookies and local storage

We use cookies and comparable technologies (e.g. browser local storage) to keep the website functional and to save your preferences.

Strictly necessary cookies

These are required for the website to work (e.g. shopping cart, login session, CSRF protection, storage of your cookie choices). The legal basis is Section 25(2) TDDDG (technically necessary) as well as Art. 6(1)(b) and (f) GDPR. No consent is required.

Cookies requiring consent

If we use cookies or comparable technologies that are not strictly necessary, we will obtain your consent in advance via our own cookie banner (Section 25(1) TDDDG, Art. 6(1)(a) GDPR).

You can change your cookie settings at any time via the cookie banner on the website or withdraw your consent with effect for the future. Your choices are stored in your browser's local storage.

To improve our website, we use Microsoft Clarity (session analysis, heatmaps) — only with your consent given via the cookie banner (details in section 12). We do not use Google Analytics, Meta Pixel or comparable marketing trackers.

06 Customer account and authentication

To purchase and use digital products, you can create a customer account. We process your email address, password (stored encrypted, never in clear text), display name (if provided), login timestamps and session tokens.

Providing your email address is required to set up the customer account and to perform the contract; without it the account cannot be created and the purchase contract cannot be processed. Further details (e.g. display name) are optional.

The legal basis is Art. 6(1)(b) GDPR (performance of contract). The customer account is hosted by our processor Supabase Inc. (registered office: 970 Toa Payoh North #07-04, Singapore 318992). The database and all account data are stored exclusively in the EU region West EU (Paris, France). For any access by Supabase outside the EU, EU Standard Contractual Clauses (SCC) under Art. 46(2)(c) GDPR are in place as a safeguard. A data processing agreement under Art. 28 GDPR has been concluded.

Supabase privacy policy: https://supabase.com/privacy

You can have your account deleted at any time. Your data will then be removed in compliance with statutory retention periods.

07 Order processing

When you place an order we process the data required for performance of the contract:

  • first and last name
  • billing address
  • email address
  • for B2B customers: company name and VAT identification number (to verify the conditions for the reverse charge procedure under Section 13b UStG)
  • ordered products, order number, order date
  • issued license keys and license type (Personal, Commercial, Extended)

The legal basis is Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(c) GDPR (tax obligations). Order data and invoices are stored at Supabase (see Section 6). Invoices are additionally retained for 10 years in accordance with Section 147 AO and Section 257 HGB.

08 Payment processing

Payments are processed via the payment service provider Stripe:

Stripe Payments Europe Ltd
1 Grand Canal Street Lower
Grand Canal Dock
Dublin 2, Ireland

Depending on the payment method, the following data is transmitted to Stripe: name, email address, billing address, order amount, order number and payment data (e.g. card number, IBAN, PayPal account). Full payment data is entered directly with Stripe; we do not store any credit card or bank account detailsourselves.

The legal basis is Art. 6(1)(b) GDPR (performance of contract). Processing takes place within the EU; Stripe acts as an independent controller and/or processor.

Stripe privacy policy: https://stripe.com/privacy

09 Email delivery

Transactional emails (e.g. order confirmations, invoices, download links, password resets, license information) are sent via the service Resend:

Resend, Inc.
2261 Market Street #5039
San Francisco, CA 94114, USA

We process your email address, the time of dispatch and the content and status of the email (delivered, opened, failed). The legal basis is Art. 6(1)(b) GDPR (performance of contract) as well as Art. 6(1)(f) GDPR (ensuring deliverability).

As Resend is based in the USA, data is transferred to a third country. The transfer is safeguarded by EU Standard Contractual Clauses (SCC). For details see Section 16.

Resend privacy policy: https://resend.com/legal/privacy-policy

10 File storage, downloads and video

We store and deliver the digital products (templates, brand kits, LUTs, presets, fonts, workshop materials) as well as all files provided for download or streaming — including workshop videos (HLS streams) — via Cloudflare R2: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA. We use EU jurisdiction buckets exclusively; the files are stored within the EU. We process file accesses, IP address and timestamp for the purpose of delivering the content. Access to protected content is restricted to authorised purchasers via time-limited, signed URLs.

Legal basis: Art. 6(1)(b) GDPR. Safeguard for the transfer to the US parent company: EU Standard Contractual Clauses under Art. 46(2)(c) GDPR.

Cloudflare privacy policy: https://www.cloudflare.com/privacypolicy

11 Hosting and content delivery

Our website consists of two components:

Webflow (frontend and CMS)

The frontend of starks.design is hosted by Webflow:

Webflow, Inc.
398 11th Street, Floor 2
San Francisco, CA 94103, USA

When you access the website, Webflow processes technical connection data (in particular IP address) to deliver the content via the CDN. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in performant and secure operation).

Safeguard: EU Standard Contractual Clauses.

Webflow privacy policy: https://webflow.com/legal/eu-privacy-policy

Vercel (API hosting)

Our API (api.starks.design) runs on:

Vercel, Inc.
440 N Barranca Avenue #4133
Covina, CA 91723, USA

Region: Frankfurt (eu-central-1). We process all data required to provide the API (requests, IP address, headers, logs).

Safeguard: EU Standard Contractual Clauses.

Vercel privacy policy: https://vercel.com/legal/privacy-policy

12 Microsoft Clarity

We use Microsoft Clarity, a service provided by Microsoft Corporation (One Microsoft Way, Redmond, WA 98052, USA; controller in the EU: Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland). Clarity analyses usage behaviour using session recordings and heatmaps (mouse, click and scroll behaviour, pages visited, truncated IP address, device and browser data). Form field inputs are automatically masked and not recorded.

Purpose: improving the structure and user guidance of the website.

Legal basis: Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG (consent). Collection takes place exclusively after your explicit consent via the cookie banner (category “Analytics”) and can be withdrawn there at any time with effect for the future. Alternatively, you can opt out at https://clarity.microsoft.com/opt-out.

Retention period: session recordings are stored by Microsoft for 90 days.

Transfer to the USA: Microsoft Corporation is certified under the EU-U.S. Data Privacy Framework (DPF) (adequacy decision of the European Commission of 10 July 2023); EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) apply additionally as a supplementary safeguard.

Microsoft privacy information: https://privacy.microsoft.com/en-us/privacystatement

13 Cloudflare Web Analytics

For reach measurement we use Cloudflare Web Analytics, a service provided by Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA). Cloudflare Web Analytics works without cookies and without cross-device tracking or fingerprinting. Only aggregated, anonymised data is collected (pages visited, referrer, approximate location at country level, browser and device type). The analytics script does not store information on your device nor read any from it; no individually identifiable usage profiles are created.

As no information within the meaning of Section 25(1) TDDDG is stored on or read from your device, no consent under Section 25 TDDDG is required. The legal basis for the processing is Art. 6(1)(f) GDPR (legitimate interest in privacy-friendly reach measurement without personal profiles). Safeguard for the US transfer: EU Standard Contractual Clauses. Cloudflare privacy policy: https://www.cloudflare.com/privacypolicy

14 Newsletter and free downloads

If you subscribe to our newsletter or request a free download (freebie), we process your email address and, where applicable, your name. Registration follows the double opt-in procedure: after signing up, you receive an email with a confirmation link; only after your confirmation do we add you to the distribution list.

Legal basis for sending the newsletter: Art. 6(1)(a) GDPR (consent). Legal basis for logging the registration time, confirmation time and IP address: Art. 6(1)(f) GDPR (legitimate interest in being able to prove your consent).

You can unsubscribe at any time via the unsubscribe link in every email or by message to info@starks.design. Dispatch takes place via our service provider Resend (see Section 9).

15 Contact by email

If you contact us by email (e.g. at info@starks.design), we process the data you provide (name, email address, content of your message) solely to handle your enquiry. Our email mailbox is operated by Heinlein Hosting GmbH (mailbox.org), Schwedter Straße 8/9A, 10119 Berlin, Germany; the data is processed exclusively on servers in Germany.

Legal basis: Art. 6(1)(b) GDPR for contract-related enquiries, Art. 6(1)(f) GDPR (legitimate interest in handling enquiries) otherwise. Data from contact enquiries is deleted once the enquiry has been conclusively dealt with, at the latest after three years — unless statutory retention periods apply.

16 Third country transfers and safeguards

Some of the service providers used have their corporate seat in the USA (Webflow, Vercel, Resend, Cloudflare, Microsoft/Clarity). Our database (Supabase) is operated in the EU (Paris, France) and our file storage (Cloudflare R2) is kept in EU jurisdiction buckets — to that extent no transfer of personal data to a third country takes place.

Where a transfer to the USA does take place, we base it on the following safeguards under Chapter V GDPR:

  • EU Standard Contractual Clauses (SCC) under Implementing Decision (EU) 2021/914 — for all US providers.
  • EU-U.S. Data Privacy Framework (DPF) — additionally for those US providers certified under the European Commission's adequacy decision of 10 July 2023. You can check whether a provider is certified at https://www.dataprivacyframework.gov/list.
  • In addition, technical and organisational safeguards (encryption in transit and at rest, pseudonymisation where possible).

You can request a copy of the applicable safeguards at info@starks.design.

17 Retention period and deletion

We retain personal data only for as long as necessary for the stated purposes or as required by statutory obligations:

  • Server logs: up to 30 days, then automatically deleted.
  • Customer account: until deletion by you or up to 3 years after the last activity.
  • Order data and invoices: 10 years (Section 147 AO, Section 257 HGB).
  • Contract-related correspondence: 6 years (Section 257 HGB).
  • Newsletter: until you unsubscribe; the consent documentation (timestamp, IP address) is kept for up to 3 years after unsubscription (proof of consent).
  • Contact enquiries: up to 3 years after conclusive handling, unless contractual or statutory periods apply for longer.
  • Cookie consents: until withdrawal, max. 12 months, then renewed consent.
  • License keys: permanently, as long as the license is valid and you have an account.
  • Microsoft Clarity: 90 days (session recordings).

Once the respective period has expired, data is deleted or anonymised.

18 Your rights

Under the GDPR you have the following rights:

  • Right of access (Art. 15 GDPR) — to the personal data stored about you.
  • Right to rectification (Art. 16 GDPR) — of inaccurate or incomplete data.
  • Right to erasure (Art. 17 GDPR) — of your data, unless a statutory retention obligation applies.
  • Right to restriction of processing (Art. 18 GDPR).
  • Right to data portability (Art. 20 GDPR) — to receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21 GDPR) — to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3) GDPR) — with effect for the future, without affecting the lawfulness of processing carried out so far.
  • No automated individual decision-making (Art. 22 GDPR) — In principle, we do not make decisions based solely on automated processing that produce legal effects. Exception — fraud prevention: our payment service provider Stripe uses Stripe Radar for automated risk assessment of payment transactions (Art. 22(2)(b) GDPR — necessary for entering into and performing the purchase contract). You have the right to obtain that the decision is not based solely on automated processing, as well as the right to express your point of view and to contest the decision (Art. 22(3) GDPR). Contact: info@starks.design.

To exercise your rights, an informal message to info@starks.design is sufficient.

19 Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority if you consider that the processing of your data infringes the GDPR (Art. 77 GDPR).

The competent authority for us is:

Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
Germany
Phone: +49 981 180093-0
Email: poststelle@lda.bayern.de
Web: https://www.lda.bayern.de

You may also contact any other supervisory authority of your choice, in particular at your habitual residence.

20 SSL encryption

For security reasons and to protect the transmission of confidential content, this website uses SSL/TLS encryption. You can recognise an encrypted connection by the fact that the address bar of your browser changes from http:// to https:// and by the lock symbol in your browser bar.

When SSL/TLS encryption is enabled, the data you transmit to us cannot be read by third parties.

21 Changes to this privacy policy

We reserve the right to amend this privacy policy if the legal situation, our services or the processors used change. The version published on this page applies. We will notify you of material changes via the website or by email.

If you have any questions about data protection, you can reach us at any time at info@starks.design.

main

Home

About

Work

Service

Shop

Blog

Contact

Benutzer

Sign out

Dashboard

Sign up

Legal

Imprint

Terms and Conditions

License Terms

Right of Withdrawal

Privacy Policy

Mandatory Information

Bärtiger Mann mit Lächeln, schwarzem Hemd
starks.design
Rot-pinkes Dreieck mit weißem Inneren

made with ❤️ for your 👵🏻 by viktor stark

©2026 Starks.design

9:00:24 CET