1) Introduction and Contact Details of the Controller
1.1
We are pleased that you are visiting our website and thank you for your interest. Below, we inform you about the handling of your personal data when using our website. Personal data is any data by which you can be personally identified.
1.2
The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is:
Mussa Ltd
Address: RM03, 24/F, HO KING COMM CTR, 2-16 FAYUEN ST, MONG KOK
Email: support@brigatte.de
The controller is the natural or legal person who alone or jointly with others determines the purposes and means of processing personal data.
2) Data Collection When Visiting Our Website
2.1 Server Log Files
When you use our website for informational purposes only (i.e., if you do not register or otherwise transmit information to us), we only collect data that your browser transmits to the page server (so-called “server log files”).
When you access our website, we collect the following technically necessary data:
- The website visited
- Date and time of access
- Amount of data sent in bytes
- Source/reference from which you accessed the page
- Browser used
- Operating system used
- IP address (possibly in anonymized form)
Processing is carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in improving the stability and functionality of our website. The data will not be passed on or otherwise used. However, we reserve the right to subsequently review the server log files if there are concrete indications of unlawful use.
2.2 SSL/TLS Encryption
For security reasons and to protect the transmission of personal data and other confidential content (e.g., orders or inquiries), this website uses SSL or TLS encryption. You can recognize an encrypted connection by the character string “https://” and the lock symbol in your browser’s address bar.
3) Hosting & Content Delivery Network
Shopify
We use the system of the following provider for hosting our website and displaying page content:
Shopify International Limited
Victoria Buildings, 2nd Floor
1-2 Haddington Road
Dublin 4, D04 XN32
Ireland
Data is also transferred to:
Shopify Inc.
150 Elgin St
Ottawa, ON K2P 1L4
Canada
All data collected on our website is processed on the provider’s servers. We have concluded a data processing agreement with the provider to ensure the protection of visitors’ data and to prohibit unauthorized disclosure to third parties.
For data transfers to Canada, an adequate level of data protection is ensured by an adequacy decision of the European Commission.
4) Cookies
We use cookies to make visiting our website attractive and to enable certain functions. Cookies are small text files stored on your device.
Some cookies are deleted automatically after closing your browser (“session cookies”), while others remain on your device for a longer period and allow page settings to be saved (“persistent cookies”). You can find the storage duration in your browser’s cookie settings overview.
If personal data is processed by individual cookies, processing takes place:
- pursuant to Art. 6(1)(b) GDPR for contract performance,
- pursuant to Art. 6(1)(a) GDPR if consent has been given, or
- pursuant to Art. 6(1)(f) GDPR to safeguard our legitimate interest in optimal website functionality and user-friendly design.
You can configure your browser to inform you about the setting of cookies and decide individually on their acceptance or exclude cookies altogether.
Please note that functionality may be limited if cookies are not accepted.
5) Contacting Us
When contacting us (e.g., via contact form or email), personal data is processed solely for the purpose of handling and responding to your inquiry and only to the extent necessary.
The legal basis is our legitimate interest in responding to your inquiry pursuant to Art. 6(1)(f) GDPR. If your contact aims at concluding a contract, the additional legal basis is Art. 6(1)(b) GDPR.
Your data will be deleted once the matter has been conclusively clarified, provided there are no statutory retention obligations.
6) Use of Customer Data for Direct Marketing
6.1 Newsletter Subscription
If you subscribe to our email newsletter, we will regularly send you information about our offers.
Mandatory information for receiving the newsletter is your email address. Additional data is voluntary and used for personal addressing.
We use the double opt-in procedure. You will only receive newsletters after confirming your subscription via a verification link sent to your email address.
By activating the confirmation link, you give your consent pursuant to Art. 6(1)(a) GDPR. We store your IP address and the date/time of registration to prevent misuse.
You may unsubscribe at any time via the unsubscribe link in the newsletter or by contacting us. After unsubscribing, your email address will be deleted unless further use is legally permitted or consented to.
6.2 Klaviyo
Our newsletters are sent via:
Klaviyo, Inc.
125 Summer St., Ste 600
Boston, MA 02110
USA
On the basis of our legitimate interest (Art. 6(1)(f) GDPR), we pass your newsletter registration data to Klaviyo for dispatch.
With your express consent (Art. 6(1)(a) GDPR), Klaviyo performs statistical evaluations using web beacons or tracking pixels to measure open rates and interactions. Device information (e.g., IP address, browser type) may also be processed.
You may withdraw your consent at any time.
Klaviyo participates in the EU-US Data Privacy Framework, ensuring compliance with EU data protection standards.
6.3 Shopping Cart Reminders
If you abandon your purchase before completing your order, you may receive a one-time email reminder about your shopping cart contents.
The double opt-in procedure applies. Legal basis: Art. 6(1)(a) GDPR.
You may unsubscribe at any time. Your email address will then be deleted unless further processing is legally permitted.
7) Data Processing for Order Fulfillment
7.1
Personal data required for contract processing (delivery and payment) is transferred to the commissioned transport company and financial institution pursuant to Art. 6(1)(b) GDPR.
If we owe updates for goods with digital elements, we process your contact details pursuant to Art. 6(1)(c) GDPR.
7.3 Shipping Service Providers
We transfer your data (name, delivery address, and where necessary phone/email) exclusively for delivery purposes pursuant to Art. 6(1)(b) GDPR or based on consent pursuant to Art. 6(1)(a) GDPR.
Shipping providers include:
- Deutsche Post AG, Germany
- DHL Paket GmbH, Germany
- DHL Express Germany GmbH, Germany
- DPD Direct Parcel Distribution Austria GmbH, Austria
- Österreichische Post AG, Austria
You may withdraw consent at any time.
7.4 Payment Service Providers
Depending on the selected payment method, payment data is transmitted pursuant to Art. 6(1)(b) GDPR to the respective provider.
Providers include:
- Apple Pay (Apple Distribution International, Ireland)
- EPS (PSA Payment Services Austria GmbH, Austria)
- Google Pay (Google Ireland Limited, Ireland)
- iDEAL (Currence Holding BV, Netherlands)
- Klarna Bank AB, Sweden
- PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg
- PayPal Checkout
- Shopify Payments (Shopify International Limited, Ireland)
- Sofort (Klarna Bank AB, Sweden)
- Stripe Payments Europe Ltd., Ireland
- TWINT AG, Switzerland
Where required, credit checks may be carried out based on Art. 6(1)(f) GDPR (legitimate interest in assessing creditworthiness).
7.5 Sanctions List Screening
We reserve the right to compare order data with sanctions lists of the UN Security Council and the European Union.
Legal basis: Art. 6(1)(c) GDPR (legal obligation).
8) Web Analytics
Triple Whale Analytics
We use:
Triple Whale Inc.
7th Floor, Jaffa St 224
Jerusalem, Israel
The service collects pseudonymized visitor data using cookies and similar technologies (e.g., heatmaps).
Processing takes place only with your consent pursuant to Art. 6(1)(a) GDPR. You may withdraw consent at any time via the cookie consent tool.
Israel ensures adequate data protection based on an EU adequacy decision.
9) Website Functionalities
9.1 Google Web Fonts
Provided by Google Ireland Limited. Fonts are loaded via server connection, and browser information including IP address may be transmitted.
Processing takes place only with consent pursuant to Art. 6(1)(a) GDPR.
Google participates in the EU-US Data Privacy Framework.
9.2 Google reCAPTCHA
We use Google reCAPTCHA to prevent spam and automated abuse.
It processes IP address, browser data, and visit duration.
Processing is based on:
- Consent (Art. 6(1)(a) GDPR), or
- Legitimate interest in preventing misuse (Art. 6(1)(f) GDPR).
Google participates in the EU-US Data Privacy Framework.
10) Cookie Consent Tool
We use a cookie consent tool to obtain valid user consent for cookies requiring consent.
Technically necessary cookies store your preferences.
Processing is based on:
- Art. 6(1)(f) GDPR (legitimate interest in compliant consent management), and
- Art. 6(1)(c) GDPR (legal obligation).
11) Rights of the Data Subject
You have the following rights under GDPR:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction (Art. 18)
- Right to notification (Art. 19)
- Right to data portability (Art. 20)
- Right to withdraw consent (Art. 7(3))
- Right to lodge a complaint (Art. 77)
Right to Object
If we process your personal data based on legitimate interests, you may object at any time for reasons arising from your particular situation (Art. 21 GDPR).
If data is processed for direct marketing, you may object at any time. In this case, processing for marketing purposes will cease.
12) Duration of Storage of Personal Data
The storage period depends on:
- the respective legal basis,
- the purpose of processing, and
- statutory retention periods (e.g., commercial or tax law).
Data processed based on consent is stored until you withdraw consent.
Data processed for contractual purposes is stored according to statutory retention periods and deleted thereafter unless further storage is necessary.
Data processed based on legitimate interest is stored until you exercise your right to object unless overriding legitimate grounds exist.
If no other specific retention period applies, personal data will be deleted when it is no longer necessary for the purposes for which it was collected.