Privacy Policy

Last updated: June 2026

This Privacy Policy explains how GuitarPoint GmbH (the controller within the meaning of the General Data Protection Regulation (GDPR)) processes personal data collected when you use our website www.guitarpoint.de and informs you of your rights as a data subject.

1. Controller and Contact Details

The controller responsible for all data processing activities carried out through our website is:

GuitarPoint GmbH Hanauer Landstraße 417 60314 Frankfurt am Main Germany

Phone: +49 69 33995657
E-mail: [email protected]

If you have any questions regarding data protection or wish to exercise your rights as a data subject, you can contact our Data Protection Officer at: [email protected]

2. General Information on Data Processing

As a general rule, we process the personal data of our users only to the extent necessary to provide a functional website and our content and services, or where you have given your consent.

Legal Basis

Depending on the purpose of processing, we rely on the following legal bases:

  • Art. 6 (1) (a) GDPR – Consent (e.g. for marketing and analytics cookies, newsletters)
  • Art. 6 (1) (b) GDPR – Performance of a contract and pre-contractual measures (e.g. order processing, customer account, purchase and sale of instruments)
  • Art. 6 (1) (c) GDPR – Compliance with legal obligations (e.g. commercial and tax retention requirements)
  • Art. 6 (1) (f) GDPR – Legitimate interests (e.g. website security and stability, fraud prevention)

The storage of information on your device or access to such information (cookies and similar technologies) is additionally governed by Section 25 of the German Telecommunications Digital Services Data Protection Act (TDDDG). Access that is not technically necessary requires your consent (Section 25 (1) TDDDG), whereas strictly necessary access is permitted without consent pursuant to Section 25 (2) No. 2 TDDDG.

Storage Period and Deletion

Personal data will be deleted or blocked as soon as the purpose for which it was stored no longer applies and no statutory retention obligations (particularly under German commercial and tax law: 6 or 10 years) prevent deletion. Where possible, specific retention periods are stated in the relevant processing activities.

Transfers to Third Countries

Where we use service providers based in the United States (e.g. Google, Cloudflare, PayPal), data transfers are carried out on the basis of the European Commission’s adequacy decision regarding the EU-U.S. Data Privacy Framework (DPF), provided that the respective provider is certified under the DPF, and additionally on the basis of the Standard Contractual Clauses (Art. 46 (2) (c) GDPR).

3. Provision of the Website and Log Files

Whenever our website is accessed, our system automatically collects data and information from the accessing device, including:

  • Browser type and browser version
  • User’s operating system
  • IP address
  • Date and time of access
  • Referrer URL (the website from which you accessed ours)
  • Requested page, access status/HTTP status code and amount of data transferred

This data is stored in our system log files. The storage is necessary for delivering the website, ensuring its functionality and maintaining the security of our information technology systems. The legal basis is Art. 6 (1) (f) GDPR. Log files are deleted or anonymised no later than seven days after collection.

The collection of data for providing the website and its storage in log files is essential for operating the website. Therefore, users have no right to object to this processing.

4. Content Delivery Network and Security Services (Cloudflare)

We use the Content Delivery Network (CDN) and security services provided by Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA (for Europe: Cloudflare Germany GmbH, Rosental 7, 80331 Munich, Germany). Cloudflare is used to accelerate the delivery of our website and to protect it against attacks (e.g. DDoS attacks) and automated access (bots).

For this purpose, all data traffic between your browser and our website is routed through Cloudflare’s infrastructure. In particular, Cloudflare processes your IP address and technical connection data. Cloudflare uses the technically necessary cookie cf_clearance to identify trusted visitors.

The legal basis is our legitimate interest in the secure, stable and efficient operation of our website (Art. 6 (1) (f) GDPR) as well as Section 25 (2) No. 2 TDDDG with regard to the aforementioned cookie. We have concluded a Data Processing Agreement (DPA) with Cloudflare. Cloudflare is certified under the EU-U.S. Data Privacy Framework.

Further information: https://www.cloudflare.com/privacypolicy/

5. Cookies and Consent Management

5.1 What Are Cookies?

Cookies are small text files that are stored on your device by your web browser. We also use similar technologies such as Local Storage and tracking pixels. We distinguish between the following categories:

  • Strictly necessary cookies, which are essential for the operation of our website and its core functions (such as the shopping cart, checkout process and language selection). The legal basis is Art. 6 (1) (f) GDPR together with Section 25 (2) No. 2 TDDDG. These cookies cannot be disabled because they are required for the proper functioning of the website.
  • Optional cookies used for analytics, marketing and enhanced functionality. These cookies are only placed after you have given your consent through our cookie consent banner. The legal basis is Art. 6 (1) (a) GDPR together with Section 25 (1) TDDDG.

5.2 Consent Management with Borlabs Cookie

We use the consent management platform Borlabs Cookie (Borlabs GmbH, Rübenkamp 32, 22305 Hamburg, Germany) to obtain and manage your cookie preferences. Borlabs Cookie stores your consent choices in technically necessary cookies (borlabs-cookie and borlabs-cookie-gcs) on your device. No personal data is transmitted to Borlabs. The storage of your consent preferences serves as proof of your consent in accordance with Art. 7 (1) GDPR and is based on Art. 6 (1) (c) and (f) GDPR together with Section 25 (2) No. 2 TDDDG.

5.3 Withdrawing Your Consent

You may withdraw or update your consent at any time with future effect by reopening the “Cookie Settings” via the corresponding link on our website [NOTE: Insert Borlabs shortcode/link]. You can also delete or block cookies at any time through your browser settings. Please note that disabling cookies may affect the functionality of certain parts of our website.

5.4 Overview of the Main Cookies

CookieProvider / PurposeCategoryRetention Period
borlabs-cookie, borlabs-cookie-gcsStores your cookie consent preferencesEssential60 days
cf_clearanceCloudflare – security and bot protectionEssential1 year
pll_languagePolylang – stores your language preferenceEssential1 year
woocommerce_cart_hash, woocommerce_items_in_cart, wp_woocommerce_session_*WooCommerce – shopping cart and session managementEssentialSession or 2 days
wc_prl_recently_viewedWooCommerce – recently viewed productsEssential / Functional1 day
_gcl_auGoogle Ads – conversion trackingMarketing (Consent)90 days
_ga, _ga*Google Analytics – website analyticsAnalytics (Consent)Up to 2 years
sbjs_* (sbjs_first, sbjs_current, sbjs_session etc.)WooCommerce Order Attribution – identifies the source of an orderAnalytics / Marketing (Consent)Session

6. Online Shop, Customer Account and Order Processing

6.1 Orders

When you place an order through our online shop, we process the personal data you provide, including your name, postal address, email address, telephone number (where applicable), order details and payment information, for the purpose of fulfilling the purchase contract. The legal basis is Art. 6 (1) (b) GDPR. Invoice-related information is retained for the statutory retention periods required under German commercial and tax law (Sections 257 HGB and 147 AO), generally six or ten years.

6.2 Customer Account / Registration

You may create a customer account on our website. During registration we collect your first and last name, postal address, email address and, optionally, your company name and telephone number. The processing is based on Art. 6 (1) (b) GDPR for the performance of the customer relationship or, where applicable, your consent under Art. 6 (1) (a) GDPR. You may request deletion of your customer account at any time by sending an informal email to [email protected]. Statutory retention obligations remain unaffected.

6.3 Shipping Service Provider

To deliver your order, we share the information necessary for shipping (such as your name, delivery address and, where applicable, your email address and telephone number for shipment notifications) with our logistics partner UPS (United Parcel Service Deutschland S.à r.l. & Co. OHG, Görlitzer Str. 1, 41460 Neuss, Germany). The legal basis is Art. 6 (1) (b) GDPR.

6.4 Payment Service Providers

Depending on the payment method you select, your payment details will be transferred to the respective payment service provider. This processing is necessary for the performance of the purchase contract and is based on Art. 6 (1) (b) GDPR. We currently offer the following payment methods:

  • PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg): When paying with PayPal, you will be redirected to PayPal’s secure payment platform. PayPal’s own Privacy Policy applies, which is available at https://www.paypal.com/de/legalhub/privacy-full. PayPal may perform its own creditworthiness assessments where permitted by law.
  • Credit Card (Mastercard, Visa and American Express), as well as giropay and SEPA Direct Debit: Payments are processed through our payment service provider [NOTE: Please specify the actual payment provider, e.g. Stripe, Mollie or PayPal Plus].

6.5 Order Attribution (WooCommerce Order Attribution)

Our WooCommerce shop uses Sourcebuster cookies (sbjs_*) to identify how visitors arrived at our website (for example via a search engine, online advertisement or direct visit) and to associate this information with a subsequent purchase. Information collected may include the referring website, landing page, UTM parameters and browser information. This functionality is used solely to measure the effectiveness of our marketing activities and is activated only with your prior consent pursuant to Art. 6 (1) (a) GDPR and Section 25 (1) TDDDG. You may withdraw your consent at any time through the Cookie Settings.

7. Google reCAPTCHA (Checkout Only)

To protect our checkout process against fraud and automated abuse, we use Google reCAPTCHA, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). reCAPTCHA is used exclusively on the checkout page to verify whether data entered on the website originates from a human user or an automated system.

For this purpose, reCAPTCHA analyses various types of information, including your IP address, the time spent on the page, mouse movements, and browser and device information. This information is transmitted to Google and may also be processed on servers located in the United States. Google LLC is certified under the EU-U.S. Data Privacy Framework.

The legal basis for this processing is our legitimate interest in protecting our ordering and payment processes against misuse and fraud in accordance with Art. 6 (1) (f) GDPR. Access to your device is strictly necessary to provide the secure checkout service you have explicitly requested and is therefore permitted under Section 25 (2) No. 2 TDDDG. For this reason, Google reCAPTCHA is loaded only during the checkout process and not elsewhere on our website.

Further information is available at:
https://policies.google.com/privacy
https://policies.google.com/terms

Right to object: Where processing is based on Art. 6 (1) (f) GDPR, you have the right to object at any time, on grounds relating to your particular situation, in accordance with Art. 21 GDPR.

8. Website Analytics and Online Marketing (Subject to Your Consent)

The services described in this section are used only if you have given your consent via our cookie banner in accordance with Art. 6 (1) (a) GDPR and Section 25 (1) TDDDG. You may withdraw your consent at any time with future effect through the Cookie Settings.

8.1 Google Tag Manager

We use Google Tag Manager, a tag management solution provided by Google Ireland Limited. Google Tag Manager enables us to manage and deploy website tags such as Google Analytics and Google Ads. Google Tag Manager itself does not store cookies or create user profiles. However, it may trigger other tags that process personal data. These tags are activated only in accordance with your consent preferences.

8.2 Google Consent Mode

We use Google Consent Mode (Version 2). This technology communicates your consent choices (including consent for ad_storage, ad_user_data, ad_personalization, and analytics_storage) to Google’s services. Google tags adjust their behaviour according to your preferences. Without your consent, no marketing or analytics cookies are stored on your device. [NOTE: If Advanced Consent Mode is enabled, add: “Where Advanced Consent Mode is used, Google may receive anonymised, cookieless signals (‘pings’) without persistent identifiers in order to model website traffic.” Omit this sentence if Basic Consent Mode is configured.]

8.3 Google Analytics 4

We use Google Analytics 4, a web analytics service provided by Google Ireland Limited. Google Analytics uses cookies and similar technologies to analyse how visitors use our website. The information generated is generally transmitted to Google’s servers for processing and may also be transferred to the United States. Google LLC is certified under the EU-U.S. Data Privacy Framework.

Google Analytics 4 does not permanently log IP addresses. They are used only for approximate geolocation and are then discarded. We use the aggregated reports provided by Google Analytics to better understand how visitors use our website and to improve our products and services. Data is retained for the period configured in our Google Analytics account [NOTE: Please specify the configured retention period, typically 14 months].

The legal basis is your consent pursuant to Art. 6 (1) (a) GDPR and Section 25 (1) TDDDG. We have entered into a Data Processing Agreement (DPA) with Google.

Further information: https://policies.google.com/privacy

8.4 Google Ads and Conversion Tracking

We use Google Ads to advertise our products and services and make use of Google’s Conversion Tracking feature. When you click on one of our advertisements, Google places a cookie (including _gcl_au) on your device. This allows us to measure whether certain actions—such as completing a purchase—are performed after clicking on one of our advertisements. We receive aggregated statistics only and cannot personally identify individual users.

The legal basis is your consent pursuant to Art. 6 (1) (a) GDPR and Section 25 (1) TDDDG. Data may be transferred to the United States. Google LLC is certified under the EU-U.S. Data Privacy Framework.

Further information: https://policies.google.com/technologies/ads

9. Additional Features and Services

9.1 Language Selection (Polylang)

We use the Polylang plugin to provide our website in multiple languages. Your preferred language is stored in the technically necessary pll_language cookie. The legal basis is Art. 6 (1) (f) GDPR together with Section 25 (2) No. 2 TDDDG.

9.2 Product Search (ElasticPress)

Our online shop uses ElasticPress to provide a fast and efficient product search. [NOTE: Please verify whether ElasticPress is self-hosted or operated via ElasticPress.io (10up Inc., USA). If ElasticPress.io is used, add: “Search queries are transmitted to servers operated by 10up Inc. The legal basis is our legitimate interest in providing an efficient search function pursuant to Art. 6 (1) (f) GDPR. A Data Processing Agreement has been concluded with the provider.” If ElasticPress is self-hosted, this section may be shortened accordingly.]

9.3 Wishlist

You may save products to your personal wishlist. If you do not have a customer account, your wishlist is associated with your browser by means of a cookie or your current session. If you have a customer account, your wishlist is stored within your account. The legal basis is Art. 6 (1) (b) or, where applicable, Art. 6 (1) (f) GDPR.

10. Contact by Email and Purchase Enquiries

You may contact us using the email addresses or telephone numbers provided on our website, for example if you have questions about our products or wish to offer an instrument for purchase. In doing so, we process the personal data you provide, such as your name, contact details, information about the instrument and, where applicable, photographs, solely for the purpose of handling your enquiry.

The legal basis is our legitimate interest in responding to enquiries pursuant to Art. 6 (1) (f) GDPR. Where your enquiry is aimed at entering into a contract (for example, the purchase or sale of an instrument), the legal basis is Art. 6 (1) (b) GDPR. Your personal data will be deleted once your enquiry has been fully processed, unless statutory retention obligations require otherwise.

11. Newsletter

You may subscribe to our free newsletter via our website. When you subscribe, we process your email address as well as your IP address and the date and time of your registration in order to document your subscription.

Subscriptions are processed using the double opt-in procedure. After registering, you will receive an email asking you to confirm your subscription before you begin receiving newsletters. [NOTE: Please verify that the double opt-in procedure is implemented and specify the newsletter service provider (e.g. Mailchimp, Brevo or CleverReach). If applicable, include information regarding data processing agreements and international data transfers.]

The legal basis is your consent pursuant to Art. 6 (1) (a) GDPR. If you have previously purchased goods from us, we may also send you information about similar products based on Section 7 (3) of the German Unfair Competition Act (UWG), provided that you have not objected to receiving such communications. You may object to this use of your email address at any time.

You can unsubscribe from our newsletter at any time by using the unsubscribe link included in every newsletter or by contacting us at [email protected]. Unsubscribing will also withdraw your consent for future newsletter communications.

12. Embedded YouTube Videos

Some pages of our website contain embedded videos provided by YouTube, a service of Google Ireland Limited. [NOTE: We recommend using YouTube’s enhanced privacy mode or a two-click solution via the Borlabs Content Blocker. The following wording assumes this configuration.] Videos are embedded using a two-click solution. A connection to Google’s or YouTube’s servers is established only after you actively start a video and thereby give your consent. At that point, information such as your IP address and the page you visited is transmitted to Google.

If you are logged into your Google account while viewing a video, Google may associate your visit with your account. If you wish to avoid this, please sign out of your Google account before playing embedded videos.

The legal basis is your consent pursuant to Art. 6 (1) (a) GDPR and Section 25 (1) TDDDG.

Further information: https://policies.google.com/privacy

13. Links to Social Media Platforms

Our website contains links to our profiles on various social media platforms, including Facebook, Instagram, YouTube and X (formerly Twitter). These are standard hyperlinks only. No personal data is transmitted to these platforms simply by visiting our website.

Data is transferred only after you actively click one of these links and are redirected to the respective platform. Once you leave our website, the privacy policies of the respective platform operator apply:

  • Facebook & Instagram
    Meta Platforms Ireland Limited
    Merrion Road, Dublin 4, Ireland
    https://www.facebook.com/privacy/policy/
    https://privacycenter.instagram.com/policy/
  • YouTube
    Google Ireland Limited
    https://policies.google.com/privacy
  • X (formerly Twitter)
    Twitter International Unlimited Company
    One Cumberland Place, Dublin 1, Ireland
    https://x.com/privacy

14. Data Security

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

All data transmitted through our website is encrypted using Transport Layer Security (TLS/SSL), which can be identified by the “https://” prefix and the padlock symbol displayed in your browser. Our systems are regularly updated and maintained in accordance with current industry standards. Nevertheless, no method of transmitting data over the Internet can be guaranteed to be completely secure.

15. Your Rights

Under the General Data Protection Regulation (GDPR), you have the following rights with regard to the processing of your personal data:

  • Right of access (Art. 15 GDPR) – to obtain information about the personal data we process about you, including its origin, recipients and the purposes of processing.
  • Right to rectification (Art. 16 GDPR) – to request the correction of inaccurate or incomplete personal data.
  • Right to erasure (Art. 17 GDPR) – to request deletion of your personal data, provided that no statutory retention obligations apply.
  • Right to restriction of processing (Art. 18 GDPR).
  • Right to data portability (Art. 20 GDPR) – to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, or to request its transmission to another controller where technically feasible.
  • Right to withdraw consent (Art. 7 (3) GDPR) – where processing is based on your consent, you may withdraw it at any time with effect for the future.
  • Right to object (Art. 21 GDPR) – where processing is based on Art. 6 (1) (e) or (f) GDPR, you may object at any time on grounds relating to your particular situation. Where personal data is processed for direct marketing purposes, you have the right to object at any time without providing any reason.
  • Right not to be subject to automated decision-making (Art. 22 GDPR), including profiling, where the legal requirements are met.

To exercise any of your rights, simply contact us at [email protected] or [email protected].

Right to lodge a complaint: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement.

The supervisory authority responsible for our company is:

The Hessian Commissioner for Data Protection and Freedom of Information
P.O. Box 3163
65021 Wiesbaden
Germany
https://datenschutz.hessen.de

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our services, applicable legal requirements or our data processing practices. The latest version will always be available on this page.

This Privacy Policy was last updated in June 2026.