Overview
We take the protection of personal data seriously. This policy explains how Shopkeep Studio ("we", "us") processes personal data when you visit this website and when we contact businesses about our services.
Who is responsible (data controller)
Shopkeep StudioContact: [email protected]
Shopkeep Studio is an independent web studio operated from Germany. Full controller contact details are available on request by email. We have not appointed a Data Protection Officer, as we are not legally required to.
Visiting this website
Hosting & server logs
This site is hosted on Cloudflare Pages (Cloudflare, Inc.). When you load a page, Cloudflare automatically processes technical data needed to deliver it and to keep the service secure — including your IP address, the requested page, browser type, and the date and time of the request. This is necessary to operate the website and is based on our legitimate interest in a secure, functioning site (Art. 6(1)(f) GDPR).
Cloudflare is a US provider and may process this data on servers outside the EU. Such transfers are covered by the EU Standard Contractual Clauses and Cloudflare's data-protection framework commitments. See Cloudflare's privacy policy: cloudflare.com/privacypolicy.
Fonts & assets
All fonts and scripts are served from this website itself. We do not load fonts, analytics, tracking pixels, or advertising from third parties, and this site sets no cookies.
Contacting us by email
If you email us, we process the address and the content of your message to reply and to handle your request. The legal basis is our legitimate interest in responding (Art. 6(1)(f) GDPR), or — where your message concerns a possible contract — the performance of pre-contractual steps (Art. 6(1)(b) GDPR). We keep such correspondence only as long as needed to deal with it and to meet any legal retention obligations.
Business outreach
Part of what we do is introduce our web-design service to local businesses in the United States that do not appear to have a website. To do this we process a limited amount of business contact data. Because a business email or a sole trader's details can relate to an identifiable person, GDPR can apply, so we explain it here.
What data, and where it comes from
- Business name, trade/category, and public address;
- A publicly listed business contact email address, where one is available;
- Whether the business appears to already have a website.
We collect this from publicly available sources — for example OpenStreetMap and publicly listed business information. We do not buy contact lists, and we do not process special categories of data.
Why, and on what legal basis
We use this data to send a single, personalised introduction to businesses that may benefit from a website, offering a free preview. The legal basis is our legitimate interest in direct B2B outreach for our services (Art. 6(1)(f) GDPR). We have weighed this against the recipient's interests: we contact businesses (not consumers) at their business address, about a service relevant to their trade, once, with a clear and free opt-out. We target US recipients only.
Opting out
You can opt out at any time — simply reply to the email and say so, or write to [email protected]. We will stop contacting you and add your address to a suppression list so it is not contacted again.
How long we keep it
We keep outreach contact data only as long as needed for the outreach and any follow-up you welcome, and we delete it when it is no longer needed or on request. If you opt out, we retain the minimum needed (your email address on a suppression list) purely to make sure we do not contact you again.
Service providers we use
- Cloudflare, Inc. — website hosting and security (see above).
- Amazon Web Services (Amazon SES) — sending our outreach and reply-handling email. AWS processes the recipient address and message content on our behalf as a processor.
These providers act on our instructions under data-processing agreements. Where they process data outside the EU, appropriate safeguards (such as EU Standard Contractual Clauses) are in place.
Your rights
Under the GDPR you have the right to:
- Access — ask what data we hold about you (Art. 15);
- Rectification — have inaccurate data corrected (Art. 16);
- Erasure — have your data deleted (Art. 17);
- Restriction — limit how we use it (Art. 18);
- Data portability — receive your data in a portable form (Art. 20);
- Object — object to processing based on legitimate interest, including direct marketing, at any time (Art. 21). If you object to direct marketing, we stop.
To exercise any of these, email [email protected]. You also have the right to complain to a supervisory authority — in Germany, the data-protection authority of the federal state in which the controller is established.
Contact & changes
For any privacy question, contact us at [email protected].
We may update this policy as our service changes; the current version always lives at this address.
Last updated: 10 July 2026