Data Policy

Updated: 01.01.2024

Thank you for your interest in our website/our company.

Your trust is important to us! That is why we guarantee the greatest possible security and the protection of all personal data. Our data protection practices comply with the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG n.f.) and the Telemedia Act (TMG).

Your contact for data protection

The data controller as defined in the GDPR, the data protection acts, as well as in the provisions of Member States of the European Union is:

Atelier Muff
Patrik & Bele Muff GbR
Am Kosttor 2
80331 München

Competent supervisory authority in Bavaria:
Bayerischer Landesbeauftragter für den Datenschutz
Postfach 22 12 19, 80502 Munich
Wagmüllerstraße 18
80538 Munich

Tel.: 089 212672 – 0
Fax: 089 212672 – 50

1. Definitions

To ensure simple and comprehensable readability of our privacy policy, we would like to explain the terms according to GDPR Art. 4 in advance.

a) Personal Data

Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”). Identifiable refers to a person who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

b) Data Subject

The data subject is any identified or identifiable natural person whose personal data is processed by the data controller.

c) Processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction.

d) Restriction of Processing

Restriction of processing is the marking of personal data stored in order to limit its future processing.

e) Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

f) Pseudonymisation

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

g) Controller or person responsible for the processing

The data controller or the person responsible for processing means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union law or by the law of the Member States, provision may be made for the controller to be designated in accordance with Union law or the law of the Member States.

h) Processor

A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

i) Recipient

The recipient means a natural or legal person, public authority, agency or another body to which the personal data is disclosed, whether a third party or not. However, authorities which may be entitled to receive personal data under Union law or the law of the Member States within the framework of a particular investigation mandate shall not be regarded as recipients.

j) Third Party

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

k) Consent

Consent is any statement of intent voluntarily and unambiguously given by the data subject in an informed and unambiguous manner in the form of a statement or other unambiguous confirming act that indicates to the data subject that they have consented to the processing of their personal data.

2. General Data Collection / Processing

When you access our website, a series of general data and information from data subjects are collected. The data collected includes:

– Browser type and version
– Origin of the user when the page is accessed
– Date and time
– Internet provider
– Operating system
– Internet or service provider
– Other security data

This data and information are stored in the server’s log files. This process is used to provide law enforcement authorities with the information necessary for law enforcement in the event of a cyber-attack and to ensure the permanent functionality of our information technology systems and the technology on our website. To achieve an optimal level of protection, in particular, with regard to ensure the processing personal data, the data of the server log files is stored anonymously. After the communication process has ended, the data is evaluated for statistical purposes. Moreover, personal data (e.g. your name, your email address etc.) will only be transmitted if you expressly and knowingly provide us with such information for specific purposes. It will only be processed, stored and forwarded to the extent necessary for the respective purpose or your consent exists.

3. Cookies

This website uses cookies. Cookies are small text information that are stored as a file in your terminal via your browser. Cookies are not fundamentally disadvantageous but allow the website operator to provide a more user-friendly service. Cookies can be used to clearly recognize and identify users.

Of course, you as the data subject can also view our website without cookies. Internet browsers are normally configured to accept cookies. Alternatively, you can also use software that deletes cookies. You can disable or reject the use of cookies at any time via your browser settings. Please refer to your Internet browser’s help feature to learn how you can change these settings. Please note that some of our website features may not work if you have disabled the use of cookies.

4. Use of our Online Shop

If you would like to order from our online shop, it is necessary to enter your personal data or apply it from the existing customer account. We require the data you provide to process your order. The information required to process the order is marked separately; any additional information is optional.

a) Customer Account

If you are purchasing a product from Atelier Muff or are using a service for the first time, we will set up a password-protected customer account in which you can view and manage your master data and other data.

b) Duration of storage of your data

We are obligated by commercial and tax law to store your address, payment, and order data for a period of ten years. However, after two years we limit the processing of your data, that is, your data will only be used to comply with legal obligations.

c) Data Security

Credit card information is not stored but collected and processed directly by our payment service. We secure our website and other systems using technical and organisational measures against loss, destruction, access, modification or processing your data by unauthorised persons. To prevent unauthorised access to your personal data by third parties, especially financial data, the order process is encrypted using TLS technology.

5. Email

If you send us an email, this data will be saved. Insofar as this website affords any user the opportunity to enter personal or business information such as their e-mail address, name, postal address, or the like, such information and its appropriate processing to contact the data subject shall be deemed to have been provided voluntarily by such user. We will not disclose your personal information to third parties.

6. External Links

This website contains so-called “external links” to other websites, upon whose contents and for any data collection the data controller of the website has no influence. For this reason, the data controller cannot accept any liability for the content and data collection of these websites.

7. Data Transfer

Your data will only be passed on to our employees or other service providers who support us with order processing in individual processing steps as part of the order process. This information will naturally not be passed on beyond that.

8. Storage duration of personal data

The storage duration of personal data depends on the respective retention period. After the deadline has expired, the data will be deleted, unless it serves consent, contract fulfilment or contract initiation.

9. Routine deletion and blocking of personal data

Personal data is only processed in the context of the intended use. The data controller processes and stores personal data of the data subject only for this period. The routine deletion or blocking of personal data takes place when the legal requirements regarding the retention period (storage period) and the storage purpose of the data controller no longer exist.

10. Rights of the data subject

Data subjects have the right to request confirmation from the data controller as to whether personal data relating to you is processed.

a) Right to information

According to the General Data Protection Regulation and the Federal Data Protection Act, you have the right to free information about your stored data.

  • The purpose of the processing
  • The categories of personal data that are processed
  • The recipients or categories of recipients to whom the personal data has been or will be disclosed,in particular recipients in third countries or international organisations
  • Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
  • The existence of a right to correction or deletion of the personal data concerning you or of a restriction of the processing by the data controller or of a right to object to such processing
  • The right to lodge a complaint with a supervisory authority if the personal data is not collected from the data subject: any available information about the origin of the data
  • The existence of any automated decision-making processes, including profiling, as defined in Art. 22 para.1 and 4, GDPR and — at least in these cases — meaningful information on the logic involved and the scope and intended effects of such processing for the data subject

b) Right to rectification

The data subject has the right to request that the data controller correct any incorrect personal data. Taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration.

c) Right to erasure (‘Right to be forgotten’)

The data subject has the right to ask the data controller to immediately delete the personal data concerned if:

  • The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
  • The data subject shall withdraw the consent on which the processing referred to in Article 6 para. 1 letter a or Article 9 para. 2 letter a was based and there is no other legal basis for processing.
  • The data subject shall oppose processing in accordance with Article 21 para. 1 and there are no overriding legitimate grounds for processing or the data subject shall oppose processing in accordance with Article 21 para 2.
  • The personal data has been unlawfully processed.
  • The personal data must be deleted in compliance with the obligations under European Union or Member State law to which the data controller is subject.
  • The personal data has been collected in relation to information society services provided in accordance with Article 8 para 1 GDPR.

If the reasons given above apply, one of our employees will comply with the request to delete the personal data. The data controller will take appropriate measures (also of a technical nature) within the scope and taking into account the available technical measures. Other data controllers (data processing by third parties) will also be informed of the deletion.

d) Right to restriction of processing

The data subject shall have the right to require the data controller to restrict processing if one of the following conditions is met:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data,
  • the processing is unlawful, and the data subject refuses to delete the personal data and instead requests a restriction on the use of the personal data;
  • the data controller no longer needs the personal data for the purposes of processing, but it is required by the data subject for the establishment, exercise or defence of legal claims, or
  • the data subject has lodged an objection to the processing referred to in Article 21 para. 1, pending determination of whether the legitimate grounds of the data controller prevail over those of the data subject.

If the above conditions are met, an employee may then restrict the processing restricted.

e) The right to data portability

The data subject has the right to receive the personal data concerning him/her which he/she has provided to a data controller in a structured, current and machine-readable format and to transmit this data to another data controller without interference by the data controller to whom the personal data has been provided, provided that:

  • the processing is based on consent pursuant to Article 6 paragraph 1 letter a or Article 9 paragraph 2 letter a or on the basis of a contract pursuant to Article 6 paragraph 1 letter b and
  • the processing is carried out using automated procedures.

In exercising his/her right to data transferability, the data subject shall have the right to have the personal data transferred directly by a data controller to another data controller, where technically feasible. The data subject can contact one of our employees regarding data portability.

f) Right to object

The data subject shall have the right to object at any time to the processing of personal data relating to him/her on the basis of Article 6 para. 1 letters e or f for reasons arising from his/her particular situation, including profiling based on those provisions.

The data controller will no longer process the personal data unless it can demonstrate compelling legitimate grounds for processing which outweigh the interests, rights and freedoms of the data subject, or the processing is for the purpose of enforcing, pursuing or defending legal claims.

Where personal data is processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him/her for the purposes of such advertising, including profiling in so far as it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.

The data subject must be expressly informed of the aforementioned right at the latest at the time of the first communication with him/her; this information must be provided in an intelligible form separate from other information.

In the context of the use of information society services, notwithstanding Directive 2002/58/EC, the data subject may exercise his right of opposition by means of automated procedures using technical specifications.

The data subject shall have the right to object to the processing of personal data relating to him/her for scientific or historical research purposes or for statistical purposes in accordance with Article 89 para. 1 for reasons arising from his/her particular situation, unless such processing is necessary for the performance of a task in the public interest.

g) Automated decisions on a case-by-case basis, including profiling

Every data subject has the right not to be subjected to a decision based solely on automated processing – including profiling – that has legal bearing on him/her or that significantly affects him/her in a similar manner. This does not apply if the decision:

  • is necessary for entering into, or for the performance of, a contract between the data subject and a data controller,
  • is authorised by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard the rights and freedoms of the data subject and legitimate interests or
  • is made with the express consent of the data subject.

If you wish to assert rights relating to automated decisions, you can contact one of our employees.

11. Lawfulness of data processing

For us, the legal basis for the lawful processing of personal data may arise from the consent of the data subject.

This may also be based on the fact that the processing is necessary for the fulfilment of a contract to which the data subject is party or in order to fulfil contractual requirements at the request of the data subject prior to entering into a contract.

In rare cases, legality may arise if the processing is necessary to fulfil a legal obligation to which the controller is subject.

Moreover, the processing is permitted to protect the vital interests of the data subject or another natural person.

Personal data may also be processed if it is necessary to safeguard the legitimate interests of the data controller or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh them.

12. Changes to our privacy policies

We reserve the right to modify this privacy policy so that it always meets the current legal requirements or to include changes to our services in the privacy policy, such as the introduction of new services. Any subsequent website access will then be subject to the terms of the new privacy policy.

13. Data protection for the use of Facebook

We use Facebook technologies on our website. is a service provided by Meta Platforms Ireland Ltd., 1601 S. California Ave, Palo Alto, CA 94304, USA. In the EU, this service is also operated by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland, hereinafter both referred to as “Facebook.”

It is certified according to the EU-US Privacy Shield

Facebook guarantees that it will follow the EU’s data protection regulations when processing data in the United States.

Our legal basis relates to Art. 6 para. 1 lit. f) GDPR due to the quality improvement of our website. Further information about the assignment of personal data and the transfer of information via plug-ins and their respective functions is available from Facebook at:

If the plug-in is in use or you have the Facebook page open at the same time, data will be collected from you. This affects the pages you visit and our website. It is therefore necessary for technical reasons that Facebook processes your IP address and the type and duration (including date and time) of your stay.

Facebook collects information and assigns the personal data to your user account. Another option for data collection and processing is the “Like” button. By using the “Like” button, data may be published on the Facebook platform.

To prevent data from being collected when you visit our website, you must prevent the use of add-ons and Facebook plug-ins in your Internet browser and must not be logged into Facebook or use any Facebook applications.

Further information about the collection and use of data as well as your rights and protection options in Facebook’s privacy policy found at

14. Data protection for the use of Instagram

To advertise our products and services as well as to communicate with interested parties or customers, we have a presence on the Instagram platform.

On this social media platform, we are jointly responsible with Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland.

The data protection officer of Instagram can be reached via this contact form:

We have defined the joint responsibility in an agreement regarding the respective obligations within the meaning of the GDPR. This agreement, which sets out the reciprocal obligations, is available at the following link:

The legal basis for the processing of the resulting and subsequently disclosed personal data is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in the analysis, communication, sales, and promotion of our products and services.

The legal basis may also be your consent per Art. 6 para. 1 lit. a) GDPR granted to the platform operator. Per Art. 7 para. 3 GDPR, you may revoke this consent with the platform operator at any time with future effect.

When accessing our online presence on the Instagram platform, Facebook Ireland Ltd. as the operator of the platform in the EU will process your data (e.g. personal information, IP address, etc.).

This data of the user is used for statistical information on the use of our company presence on Instagram. Meta Platforms Ireland Ltd. uses this data for market research and advertising purposes as well as for the creation of user profiles. Based on these profiles, Meta Platforms Ireland Ltd. can provide advertising both within and outside of Instagram based on your interests. If you are logged into Instagram at the time you access our site, Meta Platforms Ireland Ltd. will also link this data to your user account.

If you contact us via Instagram, the personal data your provide at that time will be used to process the request. We will delete this data once we have completely responded to your query, unless there are legal obligations to retain the data, such as for subsequent fulfilment of contracts.

Meta Platforms Ireland Ltd. might also set cookies when processing your data.

If you do not agree to this processing, you have the option of preventing the installation of cookies by making the appropriate settings in your browser. Cookies that have already been saved can also be deleted at any time. The instructions to do this depend on the browser and system being used. For Flash cookies, the processing cannot be prevented by the settings in your browser, but instead by making the appropriate settings in your Flash player. If you prevent or restrict the installation of cookies, not all of the functions of Facebook may be fully usable.

Details on the processing activities, their suppression, and the deletion of the data processed by Instagram can be found in its privacy policy:

It cannot be excluded that the processing by Meta Platforms Ireland Ltd. will also take place in the United States by Meta Platforms Ireland Ltd., 1601 Willow Road, Menlo Park, California 94025.

Meta Platforms Ireland Ltd. has submitted to the EU-US Privacy Shield, thereby complying with the data protection requirements of the EU when processing data in the USA.

15. User account & registration

If you have set up a user account on this page, the information you provide will be saved for the duration of the usage relationship. With regard to the required mandatory information, we refer to the pre-contractual or contractual fulfilment for the purpose of customer care. For this, we store the IP address and time. This data will not be transferred to any third party.

During the registration process, consent is obtained through processing.

a) Purpose

If you purchase a product from Atelier Muff, we will set up a password-protected direct online access to your master data stored in our customer account. You can view and, if necessary, manage the following data in your customer account:

  • Current news (e.g. current information about new versions, new products, update reports, downloads)
  • User data (title, name, email address, telephone, fax, preferred language, change of password, …)
  • Company data (customer number, company name, company type, telephone, fax, email address, website, VAT ID number, address, …)
  • Manage users (overview of company users, admin rights assignment)
  • Authorization files (option to download all authorization files of the company)
  • Purchased products (overview of purchased products with assignment)
  • Offers (overview of offers received, PDF download, accessible only for users with admin rights)
  • Invoices (overview of invoices received and PDF download)
  • Vouchers (overview of vouchers received, expiry date, amount, status, redemption date)

b) Closing the customer account

If you as a customer do not want a password-protected customer account, you can of course close it at any time. Please send us a request in text form (e.g. email, fax, letter) to our contact address.

c) Data Security

Access to your customer account is only possible after entering your personal password. You should keep your access information confidential and close the browser window when you have finished your session with us, especially if you share your computer with others.

In order to prevent unauthorized access by third parties to your personal data, the connection is encrypted using TLS technology.

16. Newsletter

If you register for our free newsletter, the data requested from you for this purpose, i.e. your email address and, optionally, your name and address, will be sent to us. We also store the IP address of your computer and the date and time of your registration. During the registration process, we will obtain your consent to receive this newsletter and the type of content it will offer, with reference made to this privacy policy. The data collected will be used exclusively to send the newsletter and will not be passed on to third parties.

The legal basis is Art. 6 para. 1 lit. a) GDPR.

You may revoke your prior consent to receive this newsletter under Art. 7 para. 3 GDPR with future effect. All you have to do is inform us that you are revoking your consent or click on the unsubscribe link contained in each newsletter.

17. Google Fonts

We use Google Fonts on our website to display external fonts. This is a service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 (hereinafter: Google).

Through certification according to the EU-US Privacy Shield

Google guarantees that it will follow the EU’s data protection regulations when processing data in the United States. To enable the display of certain fonts on our website, a connection to the Google server in the USA is established whenever our website is accessed.

The legal basis is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in the optimization and economic operation of our site.

When you access our site, a connection to Google is established from which Google can identify the site from which your request has been sent and to which IP address the fonts are being transmitted for display.

Google offers detailed information at

in particular on options for preventing the use of data.

18. Data protection for the use of Google analytics

We use Google Analytics on our website. This is a web analytics service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 (hereinafter: Google).

Through certification according to the EU-US Privacy Shield

Google guarantees that it will follow the EU’s data protection regulations when processing data in the United States. The Google Analytics service is used to analyse how our website is used. The legal basis is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in the analysis, optimization, and economic operation of our site.

Usage and user-related information, such as IP address, place, time, or frequency of your visits to our website will be transmitted to a Google server in the United States and stored there. However, we use Google Analytics with the so-called anonymization function. whereby Google truncates the IP address within the EU or the EEA before it is transmitted to the US.

The data collected in this way is in turn used by Google to provide us with an evaluation of visits to our website and what visitors do once there. This data can also be used to provide other services related to the use of our website and of the Internet in general.

Google states that it will not connect your IP address to other data. In addition, Google provides further information with regard to its data protection practices at

including options you can exercise to prevent such use of your data.

In addition, at

Google provides a so-called deactivation add-on along with further information on this. This add-on can be installed on the most popular browsers and offers you further control over the data that Google collects when you visit our website. The add-on informs Google Analytics’ JavaScript (ga.js) that no information about the website visit should be transmitted to Google Analytics. However, this does not prevent information from being transmitted to us or to other web analytics services Whether and which other web analysis services are used by us is of course also explained in this privacy policy.

19. Privacy policy for the open street maps

For directions on our site, we use OpenStreetMap, a service of the OpenStreetMap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom, hereinafter referred to as “OpenStreetMap”.

When you access one of our Internet pages that includes the OpenStreetMap service, OpenStreetMap stores a cookie on your terminal device via your browser. This processes your user settings and user data for the purpose of displaying the page or guaranteeing the functionality of the OpenStreetMap service. Through this processing, OpenStreetMap can recognize the website from which your request has been sent and to which IP address the directions should be transmitted.

The legal basis is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in the optimization and economic operation of our site.

If you do not agree to this processing, you have the option of preventing the installation of cookies by making the appropriate settings in your browser. Further details can be found in the section about cookies above.

OpenStreetMap offers further information about its data collection and processing as well your rights and your options for protecting your privacy at:

20. Application and use of PayPal

The data controller has integrated components from PayPal on this website. PayPal is an online payment service provider. Payments are processed via so-called PayPal accounts, which are virtual private or business accounts. In addition, PayPal provides the option of processing virtual payments via credit cards if a user does not have a PayPal account. A PayPal account is managed via an email address, which is why there is no classic account number. PayPal makes it possible to initiate online payments to third parties or to receive payments. PayPal also acts as a trustee and provides buyer protection services.

The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie.S.C.A. 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.

If the data subject selects “PayPal” as a payment option during the order process in our online shop, data of the data subject will be automatically transmitted to PayPal. By selecting this payment option, the data subject consents to the transfer of personal data required for payment processing.

The personal data transmitted to PayPal is usually first name, last name, address, email address, IP address, telephone number, mobile phone number, or other data required for payment processing. Personal data in connection with the order in question are also necessary to process the purchase contract.

The purpose of this data transfer is to process payments and prevent fraud. The data controller will transfer personal data to Novalnet AG in particular if there is a legitimate interest for the transfer. Personal data exchanged between PayPal and the controller may be transferred by PayPal to credit reference agencies. The purpose of this transfer is to verify identity and creditworthiness.

21. Application and use of Stripe

If you choose a method of payment from the payment service provider Stripe, payment is processed by the payment service provider Stripe Payments Europe Ltd, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, to whom we pass on information about the order (name, address, account number, bank code, possibly credit card number, invoice amount, currency and transaction number) within the framework of the order process in accordance with Art. 6, para. 1 lit. b) GDPR.

The data of the person concerned will only be passed on for the purpose of payment processing with the payment service provider Stripe Payments Europe Ltd. and only insofar as it is necessary for this. You can find more information on Stripe’s data protection at the URL