About Me

General

We are delighted that you are interested in our business. It is generally possible to use our website without providing any personal data. However, if a data subject wishes to use specific services offered by our company via our website, it may be necessary to process personal data. If the processing of personal data is necessary and there is no legal basis for such processing, we generally obtain the consent of the data subject.
With the following privacy policy, we would like to inform you about the types of personal data (hereinafter also referred to as ‘data’) we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as ‘online offering’).

Responsible party
Maria Jose Benitez Recalde
Eschersheimer Str. 21,
12099 Berlin
Email address: contact@selva-berlin.com
Legal notice: https://selva-berlin.com/imprint

Types of data processed
- Inventory data (e.g. names, addresses).
- Contact data (e.g. email, telephone numbers).
- Financial data: (e.g. payment information, credit card details).
- Usage data (e.g. websites visited, interest in content, access times).
- Technical data: (e.g. IP address, browser type, device information and cookies).

Categories of data subjects
Visitors and users of the online offering (hereinafter, we also refer to the data subjects collectively as ‘users’).

Purposes of processing
- Provision of the online offering, its functions and content.
- Responding to contact enquiries and communicating with users.
- Security measures.
- Reach measurement/marketing

Relevant legal bases
In accordance with Art. 13 GDPR, we hereby inform you of the legal bases for our data processing. If the legal basis is not mentioned in the privacy policy, the following applies:

The legal basis for obtaining consent is Article 6(1)(a) and Article 7 GDPR, the legal basis for processing for the performance of our services and the implementation of contractual measures as well as responding to enquiries is Article 6(1)(b) GDPR, the legal basis for processing to fulfil our legal obligations is Art. 6 para. 1 lit. c GDPR, and the legal basis for processing to safeguard our legitimate interests is Art. 6 para. 1 lit. f GDPR. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Germany. These include, in particular, the Act on the Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG).

Security measures

In accordance with legal requirements, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, implementation costs, the nature, scope, circumstances and purposes of processing, as well as the varying likelihood and severity of threats to the rights and freedoms of natural persons.
These measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access, input, transfer, availability and separation relating to it. Furthermore, we have established procedures to ensure that the rights of data subjects are exercised, data is deleted and responses are made to data threats. Moreover, we take the protection of personal data into account as early as the development or selection of hardware, software and procedures in accordance with the principle of data protection, through technology design and data protection-friendly default settings.

Securing online connections with TLS/SSL encryption technology (HTTPS): We use TLS/SSL encryption technology to protect user data transmitted via our online services from unauthorised access. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), protecting the data from unauthorised access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and encrypted.

Transfer of personal data

If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transfer it to them or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g. if the transfer of data to third parties, such as payment service providers, is necessary for the performance of a contract in accordance with Art. 6 para. 1 lit. b GDPR) you have given your consent, a legal obligation requires it, or it is based on our legitimate interests (e.g. when using agents, web hosts, etc.).
If we commission third parties to process data on the basis of a so-called ‘contract processing agreement’, this is done on the basis of Art. 28 GDPR.

General information on data storage and deletion

We delete personal data that we process in accordance with legal requirements as soon as the underlying consents are revoked or there are no further legal grounds for processing. This applies to cases in which the original purpose of processing no longer applies or the data is no longer required. Exceptions to this rule exist if legal obligations or special interests require longer storage or archiving of the data.
In particular, data that must be retained for commercial or tax law reasons or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons must be archived accordingly.
Our data protection information contains additional information on the storage and deletion of data that applies specifically to certain processing procedures.

If there are several specifications regarding the retention period or deletion deadlines for a date, the longest period shall always apply. We process data that is no longer required for its original purpose but is retained due to legal requirements or other reasons exclusively for the reasons that justify its retention.
Retention and deletion of data: The following general periods apply to storage and archiving under German law:

10 years – retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets and the work instructions and other organisational documents necessary for their understanding (Section 147 (1) No. 1 in conjunction with (3) AO, § 14b (1) UStG, § 257 (1) No. 1 in conjunction with (4) HGB).
8 years – Accounting documents, such as invoices and expense receipts (Section 147 (1) No. 4 and 4a in conjunction with (3) sentence 1 AO and Section 257 (1) No. 4 in conjunction with (4) HGB).
6 years - Other business documents: commercial or business letters received, copies of commercial or business letters sent, other documents relevant to taxation, e.g. hourly wage slips, operating statements, calculation documents, price tags, but also payroll documents, unless they are already accounting documents, and cash register receipts (Section 147 (1) Nos. 2, 3, 5 in conjunction with (3) AO, Section 257 (1) Nos. 2 and 3 in conjunction with (4) HGB).
3 years - Data that is necessary to consider potential warranty and damage claims or similar contractual claims and rights, as well as to process related enquiries, based on previous business experience and customary industry practices, is stored for the duration of the regular statutory limitation period of three years (Sections 195, 199 BGB).

Order processing in the online shop and database

We process our customers' data as part of the ordering process in our online shop to enable them to select and order the chosen products and services, as well as to pay for and deliver or execute them.

The data processed includes inventory data, communication data, contract data and payment data, and the persons affected by the processing include our customers, interested parties and other business partners. The processing is carried out for the purpose of providing contractual services within the framework of operating an online shop, billing, delivery and customer services. We use session cookies to store the contents of the shopping basket.

Processing is carried out on the basis of Art. 6 (1) (b) (execution of order processes) and (c) (legally required archiving) GDPR. The information marked as required is necessary for the justification and fulfilment of the contract. We only disclose the data to third parties in the context of delivery, payment or within the scope of legal permissions and obligations to legal advisors and authorities. The data will only be processed in third countries if this is necessary for the fulfilment of the contract.
Deletion takes place after the expiry of statutory warranty and comparable obligations; the necessity of storing the data is reviewed every three years. in the case of statutory archiving obligations, deletion takes place after their expiry (end of commercial law (6 years) and tax law (10 years) retention obligations) is necessary (e.g. at the customer's request upon delivery or payment).

Our website uses the services of Supabase, Inc., 970 Toa Payoh North, #07-04, Singapore 318992, to provide databases, authentication and other backend functions. This may involve the processing of personal data, such as your IP address, device information, log data and the data you enter via our website (e.g. email address).

The processing is carried out in order to provide our website in a functional and secure manner (Art. 6(1)(f) GDPR – legitimate interest) and to fulfil the contract if the data is necessary for the use of our services (Art. 6(1)(b) GDPR).

Supabase processes Selvas data on servers within the EU/EEA. In this case, appropriate safeguards are used in accordance with Art. 46 GDPR (e.g. EU standard contractual clauses) to ensure an adequate level of data protection. For more information, please refer to Supabase's privacy policy: https://supabase.com/privacy

External payment service provider

We use Stripe as an external payment service provider, through whose platforms users, and we, can carry out payment transactions. The data processed by the payment service providers includes inventory data, such as name and address, bank details, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as contract, sum and recipient-related information. This information is necessary to carry out the transactions. However, the data entered is only processed and stored by the payment service providers. This means that we do not receive any account or credit card-related information, but only information confirming or denying the payment. Under certain circumstances, the data may be transmitted by the payment service providers to credit agencies. The purpose of this transmission is to verify identity and creditworthiness. For more information, please refer to the terms and conditions and privacy policy of the payment service providers. (https://stripe.com/at/privacy)

Provision of online services and web hosting

The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services, which we use for the purpose of operating this online service.

In doing so, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors to this online service on the basis of our legitimate interests in the efficient and secure provision of this online service in accordance with Art. 6 para. 1 lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of a data processing agreement).

For these hosting services, we use Cloudflare Germany GmbH, Rosenthal 7, ℅ Mindspace, 80331 Munich (https://www.cloudflare.com/privacypolicy).

Email delivery service provider

We use Mailgun to send emails. Mailgun is a service that can be used to organise and analyse email delivery (product purchase process). The data you enter (email address) is stored on Mailgun's European servers.

Data processing is based on your consent. You can revoke this consent at any time.
For more details, please refer to Mailgun's privacy policy at: https://www.mailgun.com/legal/privacy-policy/

Use of cookies

Our website uses cookies. Cookies are small text files that are stored on your device. They enable certain functions (e.g. shopping basket, login) or serve to analyse user behaviour.
We use both technically necessary cookies, which are required for the operation of the website, and – with your consent – optional cookies for statistical and marketing purposes.

Session cookies are automatically deleted at the end of your browser session.
Permanent cookies remain stored on your device until you delete them, or they expire automatically.
Third-party cookies are set by third-party providers (e.g. analysis or advertising services).

The legal basis for the use of technically necessary cookies is Art. 6(1)(f) GDPR (legitimate interest in a secure and functional website). For all other cookies, we obtain your consent in advance in accordance with Art. 6 (1) (a) GDPR, which you can revoke at any time (e.g. via our cookie consent tool or in the privacy settings of your browser).

You can generally prevent cookies from being set in your browser settings or delete cookies that have already been stored. Please note that this may restrict the functionality of the website.

Newsletters and electronic notifications

We send newsletters, emails and other electronic notifications (hereinafter referred to as ‘newsletters’) only with the consent of the recipients or on the basis of legal permission. The contents of the newsletter are based on the respective description in the registration form.

To subscribe to the newsletter, it is usually sufficient to provide your email address. Optionally, we ask for your name so that we can address you personally. Registration is carried out using a double opt-in procedure: after registering, you will receive an email in which you must confirm your registration. Your registration is only effective after this confirmation.

The registration process (e.g. IP address, time of registration and confirmation) is logged on the basis of our legitimate interest (Art. 6 (1) (f) GDPR) in order to be able to prove that the registration was carried out correctly.

Our newsletters are sent via ‘Mailgun’, a service provided by Sinch Email, 112 E. Pecan St. #1135, San Antonio, TX 78205, USA. Your email address and other data required for sending the newsletter are stored on Mailgun's European servers. Mailgun uses this information exclusively for sending and statistically evaluating the newsletters on our behalf. Further information on data protection at Mailgun can be found at: https://www.mailgun.com/privacy-policy.

You can unsubscribe from the newsletter at any time using the unsubscribe link included in each email, or by notifying us. After unsubscribing, we will store your email address for up to three years on the basis of our legitimate interests (Art. 6 (1) (f) GDPR) in order to be able to prove that consent was previously given. The processing of this data is limited to this purpose and will be deleted after the expiry of the period. Upon request, you can request immediate deletion, provided you confirm the former existence of consent.

Web analysis, monitoring and optimisation

We use web analysis and optimisation tools to evaluate the use of our website, detect errors and make our online offering more user-friendly. This may involve processing information about visitor behaviour (e.g. pages viewed, click paths, length of stay), technical data (e.g. device type, browser, operating system) as well as time data and approximate location data.

Processing is pseudonymised, i.e. we do not store any clear data such as name or email address in the analysis profiles. To protect your privacy, we also use IP masking, which shortens your IP address before it is stored.

This data is processed on the basis of your consent in accordance with Art. 6 (1) (a) GDPR (e.g. via our cookie consent tool). You can revoke your consent at any time or prevent storage by adjusting your browser settings accordingly.

Google Analytics

We use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies to create pseudonymous usage profiles and evaluate information about the use of our website. Google does not store the full IP addresses of EU users, but truncates them before processing.

Purpose of processing: Reach measurement, analysis of user behaviour, optimisation of the website.
Legal basis: Consent (Art. 6(1)(a) GDPR).
Data transfer to third countries: Google may transfer data to the United States. The transfer is based on the standard contractual clauses and the Data Privacy Framework.

Further information:
Privacy policy: https://policies.google.com/privacy
Data processing agreement: https://business.safety.google/adsprocessorterms/
Opt-out option: https://tools.google.com/dlpage/gaoptout?hl=en

Google Tag Manager

We use Google Tag Manager to centrally manage website tags. Tag Manager itself does not create user profiles or store any analysis or tracking data. It is only used to integrate other services such as Google Analytics. Here too, processing is based on your consent (Art. 6(1)(a) GDPR). Further information can be found in Google's privacy policy: https://policies.google.com/privacy.

Google Fonts

Our website uses ‘Google Fonts’, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to display fonts uniformly. When you visit our website, your browser downloads the required fonts directly from Google's servers so that they are displayed correctly.

In doing so, your IP address and technical information (e.g. browser type, operating system, language settings, screen resolution) are transmitted to Google in order to provide the fonts. According to Google, IP addresses of EU users are not logged or stored. The logged data (e.g. requested fonts, user agent, referrer URL) is only used by Google in aggregated form to compile statistics on the popularity of fonts and to optimise the service.

The use of Google Fonts is based on our legitimate interest (Art. 6(1)(f) GDPR) in the technically secure, efficient and visually uniform provision of fonts and the improvement of loading times.

Google may process data on servers in the United States. Data is transferred on the basis of the EU–US Data Privacy Framework and the Standard Contractual Clauses, which ensure an adequate level of data protection.

Further information can be found here: Website: https://fonts.google.com/

Technical details: https://developers.google.com/fonts/faq/privacy

Rights of data subjects

As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:

Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
Right to withdraw consent: You have the right to withdraw your consent at any time.
Right to information: You have the right to request confirmation whether data concerning you is being processed and to obtain information about this data, as well as further information and a copy of the data in accordance with the statutory provisions.
Right to rectification: In accordance with legal requirements, you have the right to request the completion of data concerning you or the correction of incorrect data concerning you.
Right to erasure and restriction of processing: In accordance with legal requirements, you have the right to request that data concerning you be erased immediately or, alternatively, in accordance with legal requirements, to request a restriction on the processing of the data.
Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format in accordance with legal requirements, or to request that it be transferred to another controller.
Complaint to supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the provisions of the GDPR.

Changes and updates

We reserve the right to change this privacy policy when updating our website or changing our data processing procedures. We therefore recommend that you read our privacy policy regularly to be aware of any changes. This privacy policy was last updated on 20 September 2025.

Cart