Privacy Policy
1. Controller
The controller responsible for processing personal data on this website within the meaning of the General Data Protection Regulation (GDPR) is:
Linda Wolters
trading as Liltheria
Am Landhaus 46
59555 Lippstadt
Germany
Email: shop@liltheria.com
2. General information and legal bases
We process personal data only where this is necessary to provide this website and our services, perform or prepare a contract, comply with a legal obligation, protect a legitimate interest, or where you have given consent.
Depending on the purpose, processing is based in particular on:
- Article 6(1)(b) GDPR for enquiries made before entering into a contract and for performing orders and commissions;
- Article 6(1)(c) GDPR for statutory accounting, tax and commercial-law obligations;
- Article 6(1)(f) GDPR for the secure, reliable and efficient operation of this website and for responding to general enquiries; and
- Article 6(1)(a) GDPR where we expressly request consent.
Where information is stored on or read from your device, Section 25 of the German Telecommunications Digital Services Data Protection Act (TDDDG) also applies. Storage or access that is strictly necessary to provide a service expressly requested by you is based on Section 25(2) TDDDG. Optional technologies will be used only with consent.
3. Hosting and server log files
This website is hosted using services provided by Hostinger. According to the current Data Processing Addendum, the contracting entity may be Hostinger International Ltd., 61 Lordou Vironos Street, 6023 Larnaca, Cyprus, or another Hostinger entity identified in the hosting contract.
This website is hosted by Hostinger International Ltd., 61 Lordou Vironos Street, 6023 Larnaca, Cyprus.
When you access the website, the hosting systems may process technical log data such as:
- IP address;
- date and time of the request;
- requested URL and transferred data volume;
- referrer URL;
- browser, operating system and device information;
- host name and access provider; and
- HTTP status and error information.
This processing is necessary to deliver the website, maintain technical security, investigate misuse and ensure stability. The legal basis is Article 6(1)(f) GDPR. Log data is deleted or anonymised when it is no longer required for these purposes, unless an incident requires longer preservation or statutory obligations apply.
We have entered into the applicable data-processing terms with the hosting provider. Hostinger may use authorised subprocessors and, where required, safeguards such as the European Commission’s Standard Contractual Clauses for transfers outside the EEA.
Hostinger privacy information: https://www.hostinger.com/legal/privacy-policy
Hostinger Data Processing Addendum: https://www.hostinger.com/legal/dpa
4. Encrypted transmission
This website uses TLS encryption. You can recognise an encrypted connection by the https:// address and the lock symbol in your browser. Encryption protects data transmitted between your browser and our server against unauthorised access in transit.
5. WordPress, WooCommerce and technically necessary storage
The website is operated with WordPress and WooCommerce. These applications run on our hosting environment. WooCommerce processes information needed to provide the shop, shopping cart, checkout, customer accounts, digital downloads and order administration.
The shop may use technically necessary cookies or comparable browser storage, including identifiers used to remember cart contents, maintain a shop session, display a store notice, secure forms or keep a logged-in user session. Depending on the interaction, these may include for example:
woocommerce_cart_hashandwoocommerce_items_in_cart;wp_woocommerce_session_*;- WooCommerce cart-fragment storage;
- WordPress login and test cookies for registered or administrative users; and
- security-related session values.
These technologies are used only where required to provide the shop or a function requested by you. The legal basis for device access is Section 25(2) TDDDG and the legal basis for subsequent processing is Article 6(1)(b) or Article 6(1)(f) GDPR.
WooCommerce Order Attribution/Sourcebuster is currently disabled. We do not currently use website analytics or advertising tracking. If this changes, this Privacy Policy and the consent mechanism must be updated before the relevant technology is activated.
6. Orders, customer accounts and digital products
When you place an order or create a customer account, we process the data required to handle the transaction. Depending on the order, this may include:
- name, billing and delivery address;
- email address and telephone number;
- customer-account and login information;
- ordered products, quantities, prices and discounts;
- payment method, payment status and transaction reference;
- IP address and technical order information;
- correspondence, cancellation, refund and support information; and
- download permissions and download activity for digital products.
The data is processed to operate the cart and checkout, accept and fulfil orders, deliver physical products, provide digital files, handle payments, communicate about the order, manage returns or refunds and defend or establish legal claims. The legal basis is Article 6(1)(b) GDPR. Accounting and transaction records required by law are processed under Article 6(1)(c) GDPR.
Customer-account data is retained until the account is deleted, subject to statutory retention obligations. Order, invoice and business correspondence data is retained for the periods required under applicable German commercial and tax law; depending on the record type, these periods are generally six to ten years. Data no longer required is deleted or restricted.
7. Payment providers
At checkout you may be offered one or more external payment services. The selected payment provider receives the information required to initiate, process, verify and support the payment. This may include your name, billing address, email address, order total, currency, transaction identifiers, device information and fraud-prevention data.
The legal basis for transmitting payment data is Article 6(1)(b) GDPR. Payment providers may also process data under their own legal obligations and as independent controllers, for example for fraud prevention, identity verification, regulatory compliance and dispute handling.
PayPal
PayPal services for customers in the EEA are provided by PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg. If you select PayPal, the data necessary for payment is transmitted to PayPal. PayPal may use affiliated companies and service providers in other countries in accordance with its privacy terms.
PayPal privacy information: https://www.paypal.com/de/legalhub/paypal/privacy-full
WooPayments and Stripe
WooPayments is a payment service offered within the WooCommerce ecosystem and uses payment infrastructure provided by Stripe. Payment and fraud-prevention information may therefore be processed by Automattic/WooCommerce entities and Stripe entities, including Stripe Payments Europe, Limited, Ireland, and affiliated service providers. Depending on the payment method, Stripe may set payment-security cookies such as _stripe_mid and _stripe_sid.
WooCommerce payment privacy information: https://woocommerce.com/document/privacy-payments/
Automattic privacy information: https://automattic.com/privacy/
Stripe privacy information: https://stripe.com/de/privacy
Where data is transferred outside the EEA, the provider is responsible for using a valid transfer mechanism such as an adequacy decision, an applicable EU–US Data Privacy Framework certification or Standard Contractual Clauses.
8. Shipping and delivery
For physical orders, we transmit the delivery information required to ship the order to the selected carrier. This generally includes the recipient’s name and delivery address and, only where required for delivery notification, email address or telephone number. The legal basis is Article 6(1)(b) GDPR.
Current carrier(s): [ADD THE SHIPPING PROVIDER(S), FOR EXAMPLE DEUTSCHE POST/DHL, AND LINK THEIR PRIVACY INFORMATION.]
No shipping data is transmitted for purely digital orders.
9. Contact by email
If you contact us by email, we process your email address, name where provided, the content of your message, attachments and the related communication metadata. The data is used to respond to your request and to manage any resulting business relationship.
The legal basis is Article 6(1)(b) GDPR where your message concerns a potential or existing contract and Article 6(1)(f) GDPR for other legitimate correspondence. Email delivery is handled through the configured Hostinger email/SMTP infrastructure.
Enquiries that do not lead to a contract should be deleted when they are no longer required, normally no later than six months after the matter has been concluded, unless consent, a dispute or a statutory obligation justifies longer retention.
10. Commission enquiry form
The Commission enquiry form processes the information you submit, including:
- name and email address;
- optional social-media profile or website;
- requested finish, size and intended use;
- content classification such as SFW, NSFW or gore;
- number of characters and preferred deadline;
- your project description and reference links;
- confirmation of being at least 18 years old for NSFW enquiries; and
- acceptance of the Commission terms and privacy notice.
The form sends the enquiry to us by email through the configured mail transport. The current form does not store the enquiry as a separate WordPress database record and does not accept direct file uploads.
Processing is based on Article 6(1)(b) GDPR because it is necessary to review your request, prepare a quote and take steps before entering into a contract. Security logging and abuse prevention are based on Article 6(1)(f) GDPR.
Please do not submit sensitive personal information about yourself or another person unless it is strictly necessary and you are legally permitted to provide it. Reference material involving identifiable third parties should be shared only with their permission or another valid legal basis.
Enquiries that do not result in a commission should be deleted no later than six months after the enquiry has been declined or concluded, unless a dispute or legal obligation requires longer storage. If a commission is booked, the relevant correspondence becomes part of the contractual records and is retained as described under “Orders, customer accounts and digital products”.
11. Transactional emails
WordPress and WooCommerce send transactional messages such as order confirmations, payment-status messages, password-reset emails and Commission-form notifications. These messages are required to provide the requested account, order or enquiry function. They are sent through our configured SMTP/email infrastructure. The legal basis is Article 6(1)(b) GDPR and, for security notices, Article 6(1)(f) GDPR.
12. External links and social-media profiles
This website contains ordinary links to external services and sales platforms, which may include Instagram, Threads, TikTok, Patreon, Gumroad, book retailers, course platforms and RhinoShield. No social-media feed or tracking pixel is currently embedded by the Liltheria theme. A connection to the external provider is established only when you click a link or otherwise use that provider’s service. The provider then processes data under its own privacy policy.
Please review the privacy information of the respective external service before using it. We are not responsible for the independent processing carried out by external platforms.
13. Local fonts and icons
The fonts and design icons used by the Liltheria theme are stored locally on our hosting server. Loading the visual design therefore does not require a connection to Google Fonts or another font CDN.
14. Recipients and international transfers
Personal data is disclosed only where necessary to operate the website, respond to enquiries, fulfil a contract, process payments, ship an order, comply with law or protect legal claims. Recipients may include:
- hosting and email providers;
- payment providers and financial institutions;
- shipping providers;
- tax, accounting or legal advisers;
- public authorities where disclosure is legally required; and
- technical service providers acting under appropriate contractual safeguards.
Some providers or their subprocessors may process data outside the EEA. In those cases, transfers must be based on an adequacy decision, an applicable certification framework, Standard Contractual Clauses or another lawful safeguard under Chapter V GDPR.
15. Retention
We retain personal data only for as long as required for the purpose for which it was collected. We then delete or anonymise it unless statutory retention duties, pending claims, fraud prevention or another valid legal basis requires continued storage. Specific retention information is provided in the relevant sections above.
16. Your rights
Subject to the applicable legal requirements, you have the right to:
- request access to your personal data under Article 15 GDPR;
- request rectification under Article 16 GDPR;
- request erasure under Article 17 GDPR;
- request restriction of processing under Article 18 GDPR;
- receive data in a portable format under Article 20 GDPR;
- object to processing based on Article 6(1)(e) or (f) GDPR under Article 21 GDPR; and
- withdraw consent at any time with effect for the future under Article 7(3) GDPR.
You also have the right to lodge a complaint with a data-protection supervisory authority. The authority responsible for North Rhine-Westphalia is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2–4
40213 Düsseldorf
Germany
Website: https://www.ldi.nrw.de/
To exercise your rights, contact shop@liltheria.com. We may need to verify your identity before responding.
17. Automated decision-making
We do not make decisions that produce legal or similarly significant effects based solely on automated processing. Payment providers may carry out their own automated fraud or risk assessments under their respective privacy information.
18. Security and changes to this policy
We use appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure or access. No internet transmission or storage system can guarantee absolute security.
We may update this Privacy Policy when our website, services, providers or legal obligations change. The current version published on this website applies.
Last updated: 4 July 2026