This Privacy Policy explains how aberlemedia.com, operated by aberle-media GmbH and its affiliated companies (collectively "we", "us", or "our") collect, use, store, share, and protect personal data when you visit our website, use our shop, submit forms, or interact with our services. We are committed to compliance with applicable data protection laws worldwide, including:
- EU General Data Protection Regulation (GDPR) & ePrivacy Directive (cookies/consent)
- German BDSG and TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz)
- UK GDPR and UK Data Protection Act 2018
- California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) and other US state laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA)
- Brazil Lei Geral de Proteção de Dados (LGPD)
- Canada Personal Information Protection and Electronic Documents Act (PIPEDA)
- Switzerland Federal Act on Data Protection (FADP / nDSG)
- Australia Privacy Act 1988 and Australian Privacy Principles (APPs)
- Japan Act on the Protection of Personal Information (APPI)
- South Korea Personal Information Protection Act (PIPA)
- India Digital Personal Data Protection Act 2023 (DPDP Act)
- China Personal Information Protection Law (PIPL) for visitors from the APAC region
- Thailand Personal Data Protection Act (PDPA)
Which Law Applies to You?
This is a unified global privacy notice. Depending on your location, one or more of the laws listed above may apply to you in addition to this policy. Where local law grants you stronger protections, we honour those rights. EU/EEA and UK residents: GDPR/UK GDPR. California and other US state residents: CCPA/CPRA and applicable state privacy laws. Brazil: LGPD. Canada: PIPEDA. Switzerland: FADP. Australia: APPs. Japan, South Korea, India, China, Thailand: respective national laws as referenced in Section 7.
This policy is a simplified technical compliance template. It has not been reviewed by qualified legal counsel in every jurisdiction. For binding legal advice, consult a licensed privacy lawyer.
1. Data Controller & Responsible Entities
The primary data controller responsible for this website is:
aberle-media GmbH
Bäckerstr. 17, 67657 Kaiserslautern, Germany
Email: legal@aberle-media.com
Phone: +49 631 316 0971
Commercial register: HRB 30268, Amtsgericht Kaiserslautern
VAT ID: DE254185445
Managing Director: Peter Aberle
Depending on your location, data may also be processed by our regional affiliates:
- IMH Group, Inc. – 8 The Green Ste B, Dover, DE 19901, United States (Americas)
- Heritage Media Labs Co., Ltd. – 101 Sukhumvit Rd, Bang Chak, Phra Khanong, Bangkok 10260, Thailand (Rest of World)
Each regional entity processes data for inquiries and orders originating from its territory. aberle-media GmbH acts as the lead data controller for cross-border processing.
2. Data Protection Officer
For all data protection matters, you may contact our Data Protection Officer (DPO):
Data Protection Officer
aberle-media GmbH
Bäckerstr. 17, 67657 Kaiserslautern, Germany
Email: legal@aberle-media.com
3. Categories of Personal Data We Collect
3.1 Data You Provide Directly
- Contact form: name, email, company, subject, message, address (street, city, postal code, state, country), optional inquiry cart items.
- Licensing inquiries: name, email, company, phone, country, company type, territories, rights requested, message, address, license purpose.
- Shop (when checkout is enabled): name, email, shipping/billing address, country, order items, payment reference (processed by payment provider — we do not store full card numbers), OSS/VAT-related tax data for EU orders.
3.2 Data Collected Automatically
- Server logs: IP address (anonymized after 7 days), browser, OS, referral URL, pages visited, timestamps, HTTP status.
- Device information: screen resolution, device type, browser language.
- Analytics (with consent only): page views, session duration, approximate geography via Google Analytics 4.
3.3 Cookies & Local Storage
- symfony_session: session management — strictly necessary — expires when browser closes.
- am_lang: language preference — strictly necessary — 1 year.
- am_cookie_consent: stores your cookie category preferences (JSON) — strictly necessary — 1 year.
- am_theme (localStorage): light/dark theme — functional, no consent required.
- _ga, _ga_* (Google Analytics): only set if you consent to analytics cookies.
Non-essential analytics cookies are blocked until you consent via our cookie banner. We respect Global Privacy Control (GPC) and Do Not Track signals where feasible.
3.4 Data We Do NOT Collect
- We do not intentionally collect sensitive/special category data (health, biometric, racial/ethnic origin, etc.) except where you voluntarily include it in a message.
- We do not knowingly collect data from children under 16 (or applicable local minimum age).
- We do not sell or share personal information for cross-context behavioral advertising as defined under CCPA/CPRA.
3.5 Shop Account & Social Login
The shop offers email/password accounts and OAuth sign-in (Google, Facebook; Apple optional). When you use social login, the provider shares profile data (typically name, email, provider user ID) per their privacy policy. We use this only to create and manage your shop account and orders. Email registration stores credentials hashed on our servers. We do not post to your social profiles.
4. Purpose of Processing & Legal Basis
| Purpose | Data Used | Legal Basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Contact inquiries | Name, email, company, message, address | Art. 6(1)(b) pre-contractual / Art. 6(1)(f) legitimate interest | 3 years or until resolved |
| Licensing requests | Name, email, company, phone, territories, rights | Art. 6(1)(b) contract / pre-contractual | Business relationship + 6 years (tax) |
| Shop orders & fulfillment | Name, email, address, order data, tax (OSS) | Art. 6(1)(b) contract performance | 10 years (tax/accounting, § 147 AO) |
| Website functionality | Session, language, consent cookie | Art. 6(1)(f) legitimate interest | Session / 1 year |
| Analytics (consent-based) | GA4 pseudonymous usage data | Art. 6(1)(a) consent | 26 months (GA default) or until withdrawal |
| Spam & abuse prevention | IP, honeypot, CSRF, reCAPTCHA score | Art. 6(1)(f) legitimate interest | Session / as needed |
| Legal compliance | All data as required | Art. 6(1)(c) legal obligation | As required by law |
5. Processors & Third-Party Services
5.1 Sub-processors & External Services
| Service | Provider | Purpose | Data Transferred | Location |
|---|---|---|---|---|
| Web hosting | EU-based hosting provider | Website operation, database | All site data | Germany / EU |
| CDN / edge | Cloudflare / Bunny.net / jsDelivr | Static assets & uploads | IP, browser (HTTP) | Global |
| Google Analytics 4 | Google LLC | Usage statistics (consent only) | Pseudonymous usage, IP (anonymized) | USA / global |
| Bot protection | Cloudflare Turnstile / Google reCAPTCHA | Spam protection on forms | IP, interaction data | USA / global |
| Google Fonts | Google LLC | Web fonts | IP (HTTP request) | USA / global |
| Kunaki | Kunaki LLC | On-demand DVD/Blu-ray fulfillment (Americas) | Name, address, order items | USA |
| Payment processor | TBD (checkout integration) | Payment processing | Payment metadata (no full PAN) | Per provider |
We maintain data processing agreements (DPAs) or equivalent contractual safeguards with processors where required under GDPR Art. 28. Google services: policies.google.com/privacy.
5.2 International Data Transfers
Personal data may be transferred between our regional entities and to processors outside your country:
- EU/EEA/UK ↔ USA: EU-US Data Privacy Framework, UK Extension, or Standard Contractual Clauses (SCCs).
- EU/EEA ↔ Thailand: SCCs pursuant to Art. 46 GDPR.
- Switzerland ↔ third countries: FADP Art. 16/17 with SCCs or adequacy decisions.
Regional inquiries are processed locally and shared only when necessary to fulfill your request.
5.3 Data Sharing
We do not sell or share personal data for third-party marketing. Data may be disclosed:
- To regional affiliates for territory-relevant licensing or shop fulfillment.
- To processors listed in Section 5.1 under contract.
- When required by law, court order, or governmental authority.
- To protect rights, safety, or property of users or aberle-media.
6. Data Retention & Deletion
| Data Type | Retention Period | Basis |
|---|---|---|
| Contact messages | 3 years after last communication | Legitimate interest / limitation periods |
| Licensing inquiries | Business relationship + 6 years | Tax law (§ 147 AO, § 257 HGB) |
| Shop orders & OSS tax records | 10 years | EU VAT/OSS and commercial law |
| Server access logs | 7 days then anonymized | Security |
| Analytics data (GA4) | Up to 26 months or until consent withdrawn | Consent |
| Cookie consent record | 1 year | Proof of consent (ePrivacy) |
After retention expires, data is deleted or irreversibly anonymized. You may request earlier deletion (Section 7).
7. Your Rights Under Data Protection Law
7.1 GDPR (EU/EEA Residents)
Under GDPR you have the right to:
- Access (Art. 15): confirmation and copy of your data
- Rectification (Art. 16): correct inaccurate data
- Erasure (Art. 17): deletion where no legal retention applies
- Restriction (Art. 18): limit processing in certain cases
- Portability (Art. 20): receive data in machine-readable format
- Object (Art. 21): object to legitimate-interest processing
- Withdraw consent (Art. 7(3)): at any time without affecting prior lawful processing
- Lodge a complaint (Art. 77) with a supervisory authority
7.2 UK GDPR (United Kingdom)
UK residents have substantially equivalent rights under UK GDPR and the Data Protection Act 2018. You may contact the ICO (ico.org.uk) if unsatisfied with our response.
7.3 CCPA/CPRA & US State Laws (California and others)
California residents and, where applicable, residents of Virginia, Colorado, Connecticut, and Utah have rights including:
- Right to know what personal information is collected, used, and disclosed
- Right to delete personal information (subject to exceptions)
- Right to correct inaccurate information
- Right to opt out of sale/sharing — we do not sell or share for cross-context behavioral advertising
- Right to limit use of sensitive personal information — we do not collect sensitive PI as defined by CPRA
- Right to non-discrimination for exercising privacy rights
Do Not Sell or Share: aberle-media does not sell personal information. To submit a request, email our DPO or use the link in our cookie banner if configured.
7.4 LGPD (Brazil)
Under Brazil's LGPD you may request:
- Confirmation of processing, access, correction, anonymization, blocking, or deletion
- Portability to another provider
- Information on entities with whom data was shared
- Revocation of consent
7.5 PIPEDA (Canada)
Canadian residents may access personal information, challenge accuracy, and withdraw consent (subject to legal restrictions). Contact our DPO; you may also complain to the Office of the Privacy Commissioner of Canada.
7.6 FADP (Switzerland)
Under the revised Swiss FADP (nDSG) you have rights of information, access, rectification, deletion, and data portability. Contact the Federal Data Protection and Information Commissioner (FDPIC) if needed.
7.7 Australian Privacy Act (APPs)
Australian residents may request access and correction under APP 12 and 13. Complaints may be lodged with the OAIC (oaic.gov.au).
7.8 PIPA (South Korea)
Under South Korea's PIPA you have rights to be informed, consent, access, correction, deletion, suspension of processing, and compensation for damages.
7.9 PDPA (Thailand)
Under Thailand's PDPA you may request access, correction, deletion, restriction, portability, and object to processing.
7.10 APPI (Japan)
Japan's APPI grants rights of disclosure, correction, suspension of use, and deletion. Contact our DPO for requests from Japan.
7.11 DPDP Act (India)
Under India's Digital Personal Data Protection Act, data principals may access, correct, erase, and nominate a representative. Grievances may be raised with our DPO.
7.12 PIPL (China / APAC visitors)
For visitors from mainland China and where PIPL applies, we process personal information based on consent, contract necessity, or other lawful bases under PIPL. Cross-border transfers use SCCs or other approved mechanisms where required.
7.13 How to Exercise Your Rights
Contact us at:
Email: legal@aberle-media.com
Post: aberle-media GmbH, Bäckerstr. 17, 67657 Kaiserslautern, Germany
We respond within 30 days (GDPR/UK), 45 days (CCPA), or applicable local deadlines. Identity verification may be required. Requests are free unless manifestly unfounded or excessive.
8. Supervisory Authorities
You may lodge a complaint with a supervisory authority. Primary authority for aberle-media GmbH:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz (LfDI RLP)
Hintere Bleiche 34, 55116 Mainz, Germany
Phone: +49 (0) 6131 8920-0
Website: www.datenschutz.rlp.de
UK: Information Commissioner's Office (ICO), ico.org.uk
California: California Privacy Protection Agency (CPPA), cppa.ca.gov
9. Technical & Organizational Security Measures
We implement appropriate measures including:
- TLS/HTTPS encryption in transit
- Database encryption at rest where supported
- Role-based admin access controls
- CSRF protection on all forms
- Honeypot and rate limiting against abuse
- Server-side input validation
- Security headers (CSP, HSTS, X-Frame-Options) via .htaccess
- EU hosting for primary data storage
- Data minimization in forms and logs
10. Cookie Policy
Under TTDSG § 25, ePrivacy, and similar laws, we classify cookies as follows:
| Cookie / Storage | Purpose | Category | Duration | Consent |
|---|---|---|---|---|
| symfony_session | Session, CSRF | Essential | Session | Not required |
| am_lang | Language preference | Essential | 1 year | Not required |
| am_cookie_consent | Consent preferences (JSON) | Essential | 1 year | Not required |
| _ga / _ga_* | Google Analytics | Analytics | Up to 2 years | Required |
| am_theme (localStorage) | Theme preference | Functional | Persistent | Not required |
Manage cookies anytime via Cookie Settings in the footer.
We do not currently use:
- Advertising or retargeting cookies
- Social media tracking pixels
- Third-party profiling without consent
- Marketing cookies (category reserved for future use)
11. Shop-Specific Processing
When you purchase from our shop, we process order and delivery data to fulfill your purchase. EU orders: OSS VAT is calculated from your delivery country and retained for tax compliance (typically 10 years). Americas on-demand media may be fulfilled via Kunaki (IMH Group). Europe/Africa warehouse fulfillment via aberle-media GmbH. Asia-Pacific via Heritage Media Labs. Payment card data is handled by the payment processor; we receive only transaction references.
12. Children's Privacy
This website is not directed at children under 16 (or local minimum age). We do not knowingly collect children's data. Contact us at legal@aberle-media.com to request deletion if you believe a child submitted data.
13. Automated Decision-Making & Profiling
We do not engage in automated decision-making with legal or similarly significant effects (GDPR Art. 22). reCAPTCHA scores are used only for spam prevention.
14. Data Breach Notification
If a breach is likely to pose a risk to your rights, we will:
- Notify supervisory authorities within 72 hours where required (GDPR Art. 33).
- Notify affected individuals without undue delay when high risk (Art. 34).
- Document the breach and remedial actions.
15. Changes to This Policy
We may update this policy for legal or operational changes. Material updates will be announced on the website. The version and date below reflect the current revision.
Continued use after changes constitutes acceptance where permitted by law.
16. Contact for Data Protection
For privacy questions, data subject requests, or DPA inquiries:
aberle-media GmbH – Data Protection
Bäckerstr. 17, 67657 Kaiserslautern, Germany
Email: legal@aberle-media.com
Phone: +49 631 316 0971