Last updated: 250917

This Privacy Policy explains how Oskar Zaworski, trading as “Dreamcollector Studios” (“we”, “us”, “our”) collects, uses, and shares personal data when you visit or make a purchase from our Shopify store and related pages (the “Site”).
Controller (Art. 4(7) GDPR):
Dreamcollector Studios

Oskar Zaworski
Uffelner Str. 140, 49479 ibbenbüren, Germany
Email: contact@dreamcollectorstudios.de

If we operate under additional trading names (e.g., “Jurassic Journey”), this Policy applies to those names as well where we act as controller.

1. Personal data we process and purposes/legal bases

1.1 Informational visits / server logs

When you visit the Site without creating an account or placing an order, our servers automatically process the following data (server log files): visited page/URL, date and time, amount of data transferred, referrer URL, browser and OS, IP address (possibly shortened).
Purpose/Legal basis: technical provision, stability, security and optimization of the Site (Art. 6(1)(f) GDPR).

1.2 TLS encryption

We use HTTPS/TLS to secure transmission of personal and confidential content (e.g., orders, contact requests).

1.3 Cookies and consent

We use cookies and similar technologies. Some are necessary; others (analytics/marketing) require your prior consent via our Cookie-Consent-Tool. You can withdraw consent at any time in the tool. Browser settings can block cookies; the Site may then function with limitations.
Legal bases: Art. 6(1)(c) GDPR (compliance where required), Art. 6(1)(a) (consent), Art. 6(1)(f) (legitimate interests for strictly necessary cookies).

1.4 Contacting us (email/contact form)

We process the data you provide solely to answer your inquiry.
Legal bases: Art. 6(1)(f) GDPR (our interest in responding); Art. 6(1)(b) GDPR where the request relates to a contract.

1.5 Comments/reviews (if enabled)

If you leave a public comment/review, we store your comment, chosen display name, timestamp, and IP address (security/abuse prevention). We may need your email to contact you if third parties claim a rights violation. We reserve the right to remove unlawful content.
Legal bases: Art. 6(1)(b) and (f) GDPR.

1.6 Customer account

If you register, we process the required data to create and manage your account. You may request deletion at any time (unless retention is required by law).
Legal basis: Art. 6(1)(b) GDPR.

1.7 Direct marketing

Newsletter (double opt-in): we send updates only after you confirm via verification link. We log IP, date, and time of signup to evidence consent. You may unsubscribe at any time.
Back-in-stock alerts (double opt-in) and cart reminders (double opt-in) operate similarly.
Legal basis: Art. 6(1)(a) GDPR.

1.8 Orders and fulfilment (including uploads for personalization)

We process identity, contact, shipping/billing details, order contents, and payment metadata to fulfil your order and provide legally required updates for products with digital elements. If you email us image files for product personalization, we use them only to create the item and delete them after fulfilment unless law requires longer retention or you consent to extended use.
We share data with logistics and payment providers as necessary (see §3).
Legal bases: Art. 6(1)(b) GDPR (contract), Art. 6(1)(c) GDPR (legal obligations), Art. 6(1)(f) GDPR (operational needs).

2. Analytics, online marketing, and third-party services (subject to consent)

• Google Analytics (GA4) including optional Demographics and Google Signals for cross-device reports. IPs are truncated; we’ve set event data retention to 2 months. You can withdraw consent anytime via the Cookie-Consent-Tool.
• YouTube embeds: loading a video may set cookies and transmit your IP and viewing data to Google/YouTube.
• Facebook Login/Connect (if used): Single Sign-On; only with your explicit consent.
• Trusted Shops Trustbadge and idealo logo/badges: to display ratings and/or a trustmark.
• Google Maps embeds (store/location map).
• Adobe Fonts (Typekit) and Google Web Fonts: when loaded, the provider receives your IP and browser data.
  For all optional tools, data only loads after consent via our Cookie-Consent-Tool (except strictly necessary items).

3. Payments, payment screening, shipping

Depending on your selection at checkout, we transfer necessary data to the chosen provider strictly for payment processing and (where applicable) credit checks/fraud prevention. Providers may include:
Amazon Pay (Luxembourg); Apple Pay; Barzahlen/viacash (Cash Payment Solutions GmbH, with NordFinanz Bank AG); Billie GmbH; giropay / paydirekt GmbH; Google Pay; ipayment (1&1 Internet AG); Ivy GmbH; Klarna Bank AB (incl. SOFORT); Masterpayment LTD; Mollie B.V.; PAYONE GmbH; secupay AG; Stripe Payments Europe Ltd.; PayPal (Europe) S.à r.l. et Cie including PayPal Checkout and local methods supported by PayPal (e.g., Sofort, iDEAL, giropay, Bancontact, BLIK, eps, MyBank, Przelewy24); DHL Paket GmbH (shipping notifications where you consent).
Where a provider runs a creditworthiness/identity check (e.g., invoice/installments), this occurs under Art. 6(1)(f) GDPR (our legitimate interest in risk management) and/or Art. 6(1)(b) GDPR (pre-contract steps). Details appear in the provider’s own privacy notices.

4. International transfers

Where data is transferred outside the EEA: (i) to countries with an adequacy decision (e.g., EU-US Data Privacy Framework participants), or (ii) under Standard Contractual Clauses with supplementary measures as needed.

5. Retention

We store personal data only as long as necessary for the stated purposes or as required by law. Examples:

• Contract/transaction data: statutory retention periods (e.g., tax/commercial law).
• Analytics cookies/events: per current tool settings (e.g., GA4 2 months).
• Newsletter records: until you unsubscribe + a reasonable period to evidence compliance.

6. Your rights (GDPR)

Access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (Art. 21). You can withdraw consent at any time (Art. 7(3)). You also have the right to lodge a complaint with a supervisory authority in your habitual residence, place of work, or where the alleged infringement occurred.

6.1 Right to object (Art. 21 GDPR)

If we process your data based on legitimate interests, you may object on grounds relating to your situation. If you object to processing for direct marketing, we will stop processing for that purpose.

7. U.S. state privacy disclosures & Global Privacy Control (GPC)

Some sharing for cross-site targeted advertising may be deemed “sale”, “sharing” or “targeted advertising” under certain U.S. state laws. Depending on your location, you may opt out of these activities via our Cookie-Consent-Tool or by contacting us. If you visit our Site with GPC enabled, we will treat it as a relevant opt-out for that browser/device in applicable jurisdictions.

8. Children

Our products are collectors’ items, not toys (14+). The Site is not intended for children under 13.

9. Changes

We may update this Policy from time to time. The latest version applies.