Legal
Privacy.
Information pursuant to GDPR Art. 13 + 14 · Last updated 2026-05-14
1. Data Controller
Responsible for the processing of personal data on pgxwear.com within the meaning of the GDPR:
Cayan Oyman
Ramsenerstraße 43
78239 Rielasingen-Worblingen
Germany
Email: [email protected]
Phone: +49 152 27705449
2. General
We take the protection of your personal data seriously and treat your personal data confidentially and in accordance with statutory data protection regulations (in particular GDPR and BDSG / German Federal Data Protection Act). This Privacy Policy explains which data we collect when you use pgxwear.com, for what purpose, and on what legal basis.
Personal data is only processed insofar as this is necessary for providing our services or you have given consent. We do not process special categories of personal data (Art. 9 GDPR) for our business purposes — profile fields concerning health (e.g. HIV status) or sexual orientation are only collected with your explicit consent and only displayed to the extent you have released them.
3. Data Collection When Visiting the Website
3.1 Server Logs
When you access pgxwear.com, technical data is automatically transmitted to our server and stored in server log files:
- IP address (anonymized after 7 days)
- Date and time of access
- URL accessed / referring URL
- Browser type and version (User-Agent)
- Operating system
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in operating and securing the website).
Storage period: 7 days, then automatic deletion.
Processor: Hetzner Online GmbH (see Section 7).
3.2 Cookies
We use only technically necessary cookies. No analytics, marketing, or tracking cookies are used.
| Cookie | Purpose | Duration |
|---|---|---|
| PGX 18+ confirmation | Stores the age confirmation for NSFW profiles so the 18+ notice doesn't appear on every scan. | 90 days |
| Stripe (checkout) | Set by the payment provider Stripe during order processing. Necessary for secure payment processing. | Session / max. 12 months |
These cookies are technically required for the operation of the website and are therefore not subject to consent requirements (§25 (2) No. 2 TDDDG / German Telecommunications Digital Services Data Protection Act).
4. Data Collection at Order
When purchasing a PGX shirt, we collect the following data for contract processing:
- First and last name
- Delivery and billing address
- Email address
- Phone number (optional)
- Payment information (processed exclusively by Stripe — we do not store card data)
- Order details (slogan, Aperture variant, size)
Legal basis: Art. 6 (1) (b) GDPR (contract performance).
Storage period: Order information is deleted after statutory retention periods (10 years per §147 AO / German Fiscal Code for bookkeeping). On request, we delete non-mandatory data earlier.
5. Data Collection in the Profile Editor
After activating your shirt, you can create a profile that is displayed when your QR code is scanned. What data you enter there is your choice — all profile fields are optional.
Possible profile contents include:
- Name or pseudonym, pronouns, age, city
- Bio text (freely chosen)
- Lifestyle entries (drink, languages, music)
- Physical descriptions (optional, NSFW toggle per section)
- Social media handles (optional)
Profile contents are publicly displayed on pgxwear.com/u/your-slug as soon as someone scans your QR code — unless you restrict them via the 18+ protection or privacy settings.
Legal basis: Art. 6 (1) (a) GDPR (consent through active input); for special categories (e.g. health, sexual orientation) additionally Art. 9 (2) (a) GDPR (explicit consent).
Storage period: until you delete the data yourself or deactivate your profile. You can delete all profile data at any time in the editor or contact us at [email protected].
5.1 Avatar Generation (optional)
In the editor, you can optionally upload a selfie from which a stylized illustration avatar is generated for your profile. If you use this feature, your photo will be:
- transmitted to our server over an encrypted (TLS) connection,
- held only in memory during processing — we do not store the original selfie persistently on our servers,
- forwarded to our AI image-processing partner fal.ai (USA, see Section 7), which generates the illustration,
- discarded after generation is complete.
Only the resulting illustration is stored permanently — never the original photo. You can replace or delete the avatar at any time in the editor.
Legal basis: Art. 6 (1) (a) GDPR (consent through active upload). The photo is not used for biometric identification (no processing within the meaning of Art. 9 (1) GDPR).
Processor: fal.ai (USA) — transfer based on Standard Contractual Clauses (SCC) pursuant to Art. 46 (2) (c) GDPR. See Section 7 for details.
6. Email Signup (Coming-Soon List)
If you sign up on pgxwear.com for the launch notification, we store your email address to inform you about the sales start.
Legal basis: Art. 6 (1) (a) GDPR (consent).
Storage period: until sales start or until revocation of consent. Revocation possible at any time by email to [email protected].
7. Processors
We use the following service providers to operate pgxwear.com. Data processing agreements pursuant to Art. 28 GDPR exist with all providers. For providers outside the EU/EEA, Standard Contractual Clauses (SCC) are additionally used.
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server hosting, website infrastructure | Germany (EU) |
| Cloudflare, Inc. | DNS, CDN, attack protection, email routing ([email protected]) | USA — SCC + DPA |
| Stripe Payments Europe Ltd. | Payment processing (card, Apple Pay, Google Pay, SEPA) | Ireland (EU); parent company in USA — SCC + DPA |
| ActiveCampaign LLC (Postmark) | Transactional email delivery (order confirmation, activation link) | USA — SCC + DPA |
| fal.ai (Features and Labels, Inc.) | AI image processing: generation of stylized illustration avatars from optionally uploaded selfies | USA — SCC + DPA |
| Gelato AS | Print-on-demand production and shipping of ordered shirts | Norway (EEA); production partners worldwide |
Data processing agreements and privacy notices of individual providers:
- Hetzner: hetzner.com/legal/privacy-policy
- Cloudflare: cloudflare.com/privacypolicy
- Stripe: stripe.com/privacy
- Postmark: postmarkapp.com/privacy-policy
- fal.ai: fal.ai/legal/privacy-policy
- Gelato: gelato.com/legal/privacy-policy
8. Third-Country Transfer
Some of our processors (Cloudflare, Stripe parent company, Postmark, fal.ai) are based in the USA. Transfer of personal data to the USA only takes place on the basis of:
- EU Commission Standard Contractual Clauses (Art. 46 (2) (c) GDPR) and/or
- self-certification of providers under the EU-US Data Privacy Framework (adequacy decision pursuant to Art. 45 GDPR).
9. Your Rights as a Data Subject
You have the following rights regarding personal data concerning you:
- Access (Art. 15 GDPR) — what data we process about you
- Rectification (Art. 16 GDPR) — if data is incorrect or incomplete
- Erasure (Art. 17 GDPR) — provided no statutory retention obligations apply
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR) — receipt of your data in machine-readable format
- Objection to certain processing (Art. 21 GDPR)
- Withdrawal of consent given (Art. 7 (3) GDPR) — with effect for the future
To exercise your rights, an informal email to [email protected] is sufficient. We will respond within the statutory deadline of one month.
10. Right to Lodge a Complaint with the Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data (Art. 77 GDPR). The competent authority is:
State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart, Germany
baden-wuerttemberg.datenschutz.de
11. Data Security
We employ technical and organizational measures to protect your data against loss, misuse, and unauthorized access. Transmission is encrypted via TLS (HTTPS). Our servers are located in a certified data center in Germany (Hetzner). Payment data is not stored by us but processed directly by Stripe (PCI-DSS Level 1 certified).
12. Changes to this Privacy Policy
We reserve the right to adapt this Privacy Policy if legal framework conditions change or we expand our services. The current version is available at pgxwear.com/en/datenschutz. Material changes will additionally be announced on the website.