Privacy Notice

This Privacy Notice is effective from 24 November, 2025 

SCOPE AND LEGAL BASIS 

(1) In InkPoster we respect your privacy and are committed to protecting your personal data while you running the website https://inkposter.eu/en (sometimes referred to as “website”, “online shop” or “online offer”). This Privacy Notice (“Notice” or “Privacy Notice”) will help you to understand who we are, how and what for we collect, use and store your personal data, how we keep your data secured, as well as your privacy rights and our commitments to comply with them. This Notice is provided in a layered format so you can click through to the specific areas set out below. 

(2) This Notice does NOT apply to: 

(3) We will notify you whenever we update this Notice by posting a new version on this page and identifying the date of update. In the event of substantial changes to this Notice, we will take additional steps to ensure you are aware of them. We also ensure the visibility and accessibility of this Notice by publishing and communicating it on all communication channels.

(4) Our services are not aimed at children under 14 years. We do not knowingly collect information from children under the age of 14. If you have not reached the age limit, do not use the services and do not provide us with your personal data. If you are a parent or guardian of a child below the age limit and you learn that your child has provided us personal data, please contact us at privacy@inkposter.de and insist on exercising your rights of access, correction, cancellation and/or opposition.

(5) This Privacy Notice was drafted in accordance with the Italian Legislative Decree No. 196 of 30 June 2003 (Personal Data Protection Code), as amended and supplemented by Legislative Decree No. 101 of 10 August 2018 and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR). 

(6) With regard to the terms used, such as “personal data” or their “processing”, we refer to the definitions from Article 4 of the General Data Protection Regulation (GDPR). 

(7) The term “user” includes all categories of persons affected by data processing. These include our business partners, customers, interested parties and other visitors to our online offering. The terms used, such as “user”, are to be understood as gender-neutral. 

 POCKETBOOK JOINT PROCESSING STATEMENT 

(1) This Notice applies to ultimate holding Swiss company Pocketbook International SA and subsidiary Pocketbook Readers GmbH, as well as business units (sometimes may be referred to as either “InkPoster”, “PocketBook”, “Group”, “us,” “we,” or “our”). 

(2) Pocketbook Readers GmbH and Pocketbook International SA are both companies in the Pocketbook Group of companies and work together to provide you with online offer https://inkposter.eu/it, purchasing and delivering of InkPoster’s products and services, providing you with partnering services, guarantee and repairment services for our products, as well as responding to your requests when you exercise your data protection rights and submit DSARs. This is achieved, in part, by sharing your personal information with us when you run this website and share your personal data. 

(3) We have prepared a Pocketbook Joint Processing Statement as the integral part hereof. To find more, please navigate to section Section 9 Pocketbook Joint Processing Statement below (“Statement”). This Statement describes the relationship between Pocketbook Readers GmbH and Pocketbook International SA, our roles and responsibilities in connection with the processing of your information and our data protection responsibilities for your personal data that is shared between us. 

(4) For the purposes of data protection laws, Pocketbook Readers GmbH and Pocketbook International SA are “joint controllers” of the processing of your personal information described in Statement below. This means that both businesses work together to decide why and how your personal information is processed. It also means that we are jointly responsible to you under the GDPR. 

JOINT CONTROLLERS 

We have a dedicated communication channel with which you can request more information about processing of your personal data. If you have any questions, comments or complaints regarding how we handle information about you, or if you want to assert any of your rights under the General Data Protection Regulation (“GDPR”), please send an email to privacy@inkposter.de. 

(1) Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). 

(2) The users' personal data processed includes: 

Hereinafter, sometimes referred to as “personal information”, “data”. 

(3) The processing of users’ personal data takes place in particular for the following purposes: 

(4) We only process users’ personal data in compliance with the relevant data protection regulations. This means that user data will only be processed if there is legal permission. This is particularly the case if data processing is necessary or required by law to fulfill our contractual services (e.g. to process orders) as well as our online services, if the user has given their consent or is based on our legitimate interests. The legitimate interests include analysis, optimization, security and the economical and user-friendly operation of our online offering. 

(5) We would like to point out that the legal basis for the consent is Article 6 Paragraph 1 Sentence 1 Letter a) and Article 7 GDPR, the legal basis for processing to fulfill our services and carry out contractual or pre-contractual measures Art. 6 Paragraph 1 Sentence 1 Letter b) GDPR, the legal basis for processing to fulfill our legal obligations Art. 6 Paragraph 1 Sentence 1 Letter c) GDPR and the legal basis for safeguarding our legitimate interests is Article 6 Paragraph 1 Sentence 1 Letter f) GDPR. By following this Notice in details, you will find out all processing activities we carry out, what personal information we collect, use and store, what are the purposes of collection and legal basis we rely on, with whom we share your personal data and legitimacy of transferring your data, as well as what rights do you have towards your personal data and how to exercise them. 

(6) You are not legally obliged to provide us with your personal data. However, if you do not provide this information, we will not be able to provide you with certain services, including our online offer. Note that we do not request and collect any sensitive data (such as information about your health, religion, etc.), unless you voluntarily provide us with. If you believe you have unintentionally provided with sensitive data, please request us and we will remove your sensitive data.

It is essential to provide us with complete and accurate information when you purchase products on this website or requests other related services, it is your responsibility to ensure that information you submit does not violate any third party’s rights. You should keep your data up to date and inform us of any significant changes to it. 

(7) While interacting with our online offer, we also collect, store and use your cookies data, meaning usage and technical data, identification and identifiable data. We have strong commitments to ensure compliance with privacy laws, hence we have integrated and placed Cookie Consent Management Tool by EU provider. To find out more, please jump into Sections 3 and 4 below. 

(1) Collection of access data and log files. Based on our legitimate interests within the meaning of Article 6 Paragraph 1 Sentence 1 Letter f) GDPR, we collect data about every access to the server on which this service is located (so-called server log files). This data is technically necessary to display the respective website to you and to ensure stability and security. The access data includes, in particular, the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, the website previously visited and the IP address. 

Log file information is stored for security reasons (e.g. to investigate acts of abuse or fraud) for a maximum of ninety days and then deleted. Data whose further storage is necessary for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.

(2) Registration and provision of contractual services. The use of our products and services, in particular the purchase of InkPoster products via our online shop, requires the creation of a customer account. This can be revoked at any time by notifying us, for example by email.

As part of the registration process, the required mandatory information (name, email address and password) is collected and stored in the customer account. As part of the login process, the user's email address and password are collected. Furthermore, the date and time as well as the user's IP address are stored at the time of registration and login. 

If necessary, when purchasing the product, the user's address and, if applicable, their credit card details (in pseudonymous form, see section 3 paragraph 2 of this privacy notice) are collected and the customer account is stored. Furthermore, other voluntarily provided data, such as the user's telephone number or different delivery addresses, may also be stored there. 

In the customer account, the user can view and manage their orders, the devices they use or, if they add products from our online offering to their wish list, their wish list. The same applies to his personal data. 

(3) We process the user's data for the purpose of fulfilling our contractual obligations and services in accordance with Article 6 Paragraph 1 Sentence 1 Letter b) GDPR. The legal basis for registering in our online shop is Article 6 Paragraph 1 Sentence 1 Letter a) GDPR. The storage of the technical and usage data when registering and logging in is based on our legitimate interests, as well as the user's protection against misuse and other unauthorized use as well as for any support requests in accordance with Art. 6 Para. 1 Sentence 1 lit. f) GDPR. 

(4) The above-mentioned data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. If users have canceled their customer account, the data relating to the customer account will be deleted, unless their retention is required for legal reasons (Art. 6 Para. 1 S. 1 lit. c) GDPR). It is the user's responsibility to secure their data if the customer account is terminated. Furthermore, we delete the data on the occasion of the initiation and fulfillment of the contract after the expiry of statutory warranty and comparable obligations, ie, generally after 3 years, unless the data is stored in the user's customer account or for legal reasons of archiving must be retained (e.g. for tax purposes usually 10 years, Art. 6 Para. 1 Sentence 1 Letter c) GDPR). The technical and usage data during registration and login are stored for a maximum of 90 days for security reasons and for support requests and then deleted. 

WHAT COOKIES DO WE USE 

(1) We use certain technologies, including so-called cookies, on various pages for our online offering. Cookies are small text files or other storage notes that store information on the user's device and read information from the device. This is primarily information about a user during or after a visit to our online offering. The information stored may include, for example, the language settings, login status, shopping cart contents or the user's wish list. Cookies can also be used for the purposes of the functionality, security and comfort of our online offering, to create analyzes of visitor flows or for marketing purposes.

(2) Types of cookies: Cookies are categorized according to the storage period (session cookies or permanent cookies), the provider (first-party or third-party cookies) and the purpose of use. Users can find further information about the categories mentioned and the respective assignment of the cookies we use in the Cookie Consent Management Tool we use. 

(3) Consent: Unless unnecessary in exceptional cases, we obtain users' consent before using cookies. However, consent is not necessary if the storage and reading of the information is absolutely necessary in order to provide users with a telemedia service they have expressly requested (our online offering). These cookies are categorized as “strictly necessary” cookies in the Cookie Consent Management Tool, appearing on the website. 

(4) Data protection legal basis: The data protection legal basis on which we process personal data using cookies depends on whether we ask the user for consent. If this applies and consent is given, the legal basis for processing the data is Article 6 Paragraph 1 Sentence 1 Letter a) GDPR. Otherwise, the data processed using cookies will be processed on the basis of our legitimate interests in accordance with Article 6 Paragraph 1 Sentence 1 Letter f) GDPR. Unless the user has given the necessary consent, cookies that are absolutely necessary for the operation of our online offering are used. We clarify the purposes for which we process cookies in this privacy notice. 

(5) Revocation/objection: If users have consented to the use of the technologies in accordance with Article 6 Paragraph 1 Sentence 1 Letter a) GDPR, they can change and revoke their consent at any time using the cookie icon on the home page: Cookie Consent Management Tool. Users can also object to the processing in accordance with the legal requirements of Article 21 GDPR. Users can also declare their objection using their browser settings. 

(6) Cookie Consent Management Tool: We use the CookieScript tool for our online offering to inform users about the use of cookies and other technologies and to obtain their consent, if necessary, to their use and to the processing of their personal data through these technologies, to manage and document. This is necessary in accordance with Article 6 Paragraph 1 Sentence 1 Letter c) GDPR in order to fulfill our legal obligation in accordance with Article 7 Paragraph 1 GDPR to be able to prove the consent of the users. CookieScript is an offer from the provider Objectis Ltd. (Laisves st. 60, LT-05120 Vilnius, Lithuania, Company registration number: 304037472). CookieScript stores information about the categories of cookies used within our online offering and whether users have given or withdrawn their consent to the use of the individual categories. The data is stored in a cookie (so-called opt-in cookie) in order to be able to assign the consent to a user or their device. The duration of storage of the consent is 1 year. Here, a pseudonymous user identifier is created and stored with the time of consent, information about the scope of the consent (e.g. which categories of cookies and/or service providers) as well as the browser, system and device used.

(7) Specific cookies used: Users can find details about the cookies used within our online offering, in particular information about the type and functionality of the cookies, the storage period and the respective provider, in the Cookie Consent Management Tool we use. 

(1) Product Reviews. You can submit product reviews in our online shop. Your review will be published with your specified name for the respective product. We recommend using a pseudonym instead of your real name. Providing your username and your review is required; all other information is voluntary. If you leave a review, we continue to store your Contact and Usage data, which we delete after 90 days. The storage is necessary for us to be able to defend ourselves against liability claims in the event of possible publication of illegal content. The legal basis is Article 6 Paragraph 1 Sentence 1 Letters b) and f) GDPR. Reviews are checked before publication. We reserve the right to delete comments if they are criticized by third parties as being unlawful. Otherwise, the personal information provided as part of the evaluation and the content details remain permanently stored until the user objects. 

For collecting and displaying reviews, we use the Loox Review service, provided by Loox Online Ltd., Kibbutz Glil Yam, Israel (“Loox”). Loox processes personal data such as your name (or pseudonym), review content, rating, and optionally photos you upload. The processing of personal data is based on Article 6(1)(f) GDPR, with our legitimate interest being the improvement of our products and services and the associated communication with our customers (Recital 47 GDPR). 

(1) If, as part of our processing, we disclose data to other people and companies (contract processors or third parties), transmit it to them or otherwise grant them access to the data, this only takes place on the basis of legal permission. This applies, for example, if the data is transmitted to third parties, such as to the shipping service providers and after-sales services in accordance with Article 6 Paragraph 1 Sentence 1 Letter b) GDPR, as this is necessary to fulfill the contract if you have consented to this, a legal obligation or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.). 

(2) We use Shopify, an e-commerce platform on which our website is hosted and operated, provided by Shopify International Limited, 2nd Floor Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland (“Shopify”). 

Shopify uses cookies and similar technologies that are stored on your device to enable the operation of our website and, if you consent, to analyze your usage. Information generated by these cookies about your use of our website may be transferred to Shopify Inc., based in Canada, and stored there. Canada benefits from an adequacy decision of the European Commission pursuant to Article 45 GDPR. 

On our behalf, Shopify processes your personal data to operate the website, evaluate usage, compile reports on website activity, and provide related services in accordance with the Shopify Data Processing Addendum. 

Legal basis: 

You can withdraw your consent at any time with effect for the future via our Cookie Consent Management Tool. There you will also find details on each cookie used, including its provider, type, purpose, and storage duration. You can also prevent cookies from being stored by adjusting your browser settings accordingly. 

Further information can be found in Shopify’s Privacy Policy and Cookie Policy. 

(3) Within the framework of contractual relationships, in particular for the fulfilment of a user’s payment obligations, we use payment service providers (MultiSafepay) on the basis of Art. 6 para. 1 clause 1 lit. b) GDPR, which process the data required for the payment process (inventory data, bank data as well as contract, aggregate and recipient-related data). With one exception, however, these data are only processed by the payment service providers and stored by them. This means that we do not receive any account or credit card-related information, but only information with the payment confirmation or a payments failure information. Only in the case of payment by credit card (via MultiSafepay), when the user’s credit card data is collected for the first time, we will store it pseudonymously (by means of a hash function) in the user account for future order transactions. The user may object to this processing at any time by deleting his credit card in the personal area of the user account. Under certain circumstances, the user’s data may be transmitted by the payment service providers to credit agencies. Such transmission serves check identity and creditworthiness. For this purpose, we refer to the Terms and Conditions and the data protection information of the respective payment service providers, which can be accessed within the respective websites or transaction applications. To find more, visit Security and Legal following this link https://docs.multisafepay.com/docs/security-and-legal. There you will also find further information as well as notes on the assertion of rights of revocation, information and other data subject’s rights.

In addition to paragraph (2) of Section 5 hereof, MultiSafepay provides with ‘one click payment’, meaning that you as a cardholder can initiate a transaction where you don’t need to enter your card details as you have previously agreed to store your card details. At the checkout, you will have the option to store your debit or credit card details for future purchases, particularly in your account with us. In the event you select this option, the card information will be stored at the secure servers of MultiSafepay on behalf of us. You hereby authorize MultiSafepay to collect and store your debit or credit card information. In case you want to delete the debit or credit card details from account, you can log in to your customer account, go to Payment Details and delete the saved card. 

(3) In most cases, your data is processed within the territory of the European Economic Area (EEA). If we process data in a third country (i.e. outside the European Union or the European Economic Area) or if this occurs as part of the use of third-party services or the disclosure or transmission of data to third parties, this will only take place if the special requirements of Art. 44 ff. GDPR are met. The European Commission certifies that some third countries have an adequate level of data protection through so-called adequacy decisions. In other third countries, we ensure that data protection is sufficiently guaranteed. This is possible through binding corporate regulations, European Commission standard contractual clauses for the protection of personal data, EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF Certification mechanism, and certificates or recognized codes of conduct. 

If we authorize third parties to process data on the basis of a so-called “order processing contract”, this is done on the basis of Art. 28 GDPR. 

When this is permitted by law and is necessary for the purposes outlined in Sections 3 and 4 above, we share your data with the following recipients outside the EEA: 

At Pocketbook, we are a united Group of companies, jointly responsible for compliance with data protection laws. We work together to ensure an effective and sufficient online offering of our products and services. As part of this collaborative effort, we may transmit your data to the employees within group departments of software development, IT services, and customer support (i.e., intra-group data sharing). Please note that certain of our departments are located outside the EU and EEA region. When we transmit your personal data for these purposes within the Pocketbook Group, we rely on Standard Contractual Clauses as approved by the European Commission (EU-US DPF) and confidentiality obligations, ensuring your data is handled with care and responsibility. 

We will disclose your Data with third-party processors working on our behalf and who will only use your personal data in accordance with our instructions (i.e., outside sharing). Any processors to whom your data is disclosed are legally and contractually required to take reasonable measures to protect the confidentiality and security of your data and may only use your data in compliance with applicable data privacy laws. 

If required by law, we may have an obligation to disclose your data to law enforcement, supervisory and other public authorities (i.e., obligatory disclosures). However, we undertake to reliably verify the legality, basis, competence, jurisdiction of such requests, containing any requirements regarding your data and your legal rights. 

(1) We take your security seriously and take reasonable steps to protect and secure your personal information. Following provisions of Art. 32 GDPR and taking into account state of the art, the implementation costs and the type, scope, circumstances, and purposes of the processing as well as the different probability of occurrence and severity of the risk for the rights and freedoms of natural persons, we have implemented adequate technical and organizational measures to protect your data against unauthorized, accidental, or unlawful destruction, loss, alteration, misuse, disclosure, access, and other unlawful forms of processing. 

(2) We have joint obligations to secure your data. We have established the Group’s data management policies to commit to privacy and security controls, as well as IT security policy and confidentiality statement; we also constantly monitor our data inventory to keep it updated. We have accurately performed and documented privacy impact assessments concerning certain operations and processing activities of our online offer to analyze and detect privacy risks towards your personal data. From time to time and when needed so, we perform security training and awareness sessions for the Group’s employees and contractors. 

(3) The security measures include the encrypted data transmission between your browser and our server. In addition, we have set up procedures that ensure the exercise of the rights of those affected, the deletion of data, and a response to threats to the data. 

(4) We limit access to your personal data to a genuine business need-to-know basis. Our personnel accessing your data act under our internal data protection rules and policies. Third parties will only process your personal information in an authorized manner, following our instructions and subject to a confidentiality duty. 

(5) Unfortunately, information transmitted via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted online. Therefore, any transmission remains at your own risk. 

We have developed and implemented an internal Data Retention and Destruction Policy that governs processing activities and scenarios we have carefully developed for each specific activity, specific terms for keeping your data, the legal basis we rely on, and justifications, as well as data destruction methods when retention periods expire. Herewith, we are providing you with several examples of retention periods according to the purposes for which we collect, use, and store your personal data, as well as a legal basis we rely on: 

Upon expiration of data storage, we will securely destroy your data in accordance with Data Retention and Destruction Policy and applicable laws and regulations. 

If we seek to retain your personal data on file on the basis that a further opportunity may arise in future, we will inform you with the notice, seeking your explicit consent to retain your personal data for a fixed period on that basis. 

If you believe that we keep your data illegally, please send the respective notice request to privacy@inkposter.de. We will review your request at the earliest convenience and delete your data, unless we are required by law to keep it for a longer period, or unless we can demonstrate legitimate grounds for the processing which override the interests, rights and freedoms of you. If deletion is impossible, we will securely store your personal data and isolate it from any further processing until deletion is permitted. 

To the extent the respective legal requirements are met, you have the following rights: 

(1) You have the right to obtain confirmation from us as to whether personal data concerning you is being processed; if this is the case, you have the right to be informed of this personal data and the information specified in Art. 15 GDPR. 

(2) You have the right to ask us for correction of incorrect personal data concerning you and, if necessary, for completion of incomplete personal data (Art. 16 GDPR). 

(3) You have the right to request us for deletion of personal data relating to you immediately if one of the reasons listed in Art. 17 GDPR applies, for example, if the data is no longer needed for the purposes for which it was collected (right to deletion). 

(4) You have the right to request us for the restriction of processing if one of the conditions listed in Art. 18 GDPR applies, for example, if you have lodged an objection to processing, for the duration of the examination by us. 

(5) You have the right to object at any time to the processing of personal data concerning you for the purposes of direct marketing. You also have the right to object at any time to processing operations carried out pursuant to Art. 6 (1) clause 1 lit. e) or f) GDPR for reasons arising from your particular situation (Art. 21 GDPR). 

We will then no longer process the personal data for the purposes of direct advertising and otherwise only if we can prove compelling reasons for processing worthy of protection which outweigh your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims. 

Or use our dedicated channel for communication: privacy@inkposter.de 

We may need to request specific information from you to confirm your identity and ensure your right to access the information (or to exercise any of your other rights). 

You will not be expected to pay a fee to obtain your data unless we consider that your access request is unfounded or excessive. In these circumstances, we may charge you a reasonable fee or refuse to comply with your request. We may charge a reasonable fee if you request another copy of the information already provided to us. 

Date: 24 November 2025 

This Pocketbook Joint Processing Statement complements the Privacy Notice of https://inkposter.eu/it online offer.

We, Pocketbook Readers GmbH and Pocketbook International SA work closely together to provide you with this online offer available on https://inkposter.eu/it. In particular, we offer you InkPoster digital art posters, advertisement content, and after-sales and customer support services. As a result of this cooperation, we process your personal data jointly and bear joint responsibility. 

We do not perform all processing of your personal information as joint controllers, meaning that our business roles and responsibilities are distributed and depend on purposes, needs, influence, technical solutions, supply chain assurance, and allocation of duties among companies. Pocketbook Readers GmbH makes specific decisions regarding processing your personal information independently of Pocketbook International SA, for which Pocketbook Readers GmbH is solely responsible, and vice versa. Below, we provide specific business scenarios for allocating our responsibilities to clarify this statement. 

We provide you with information on fundamental aspects to guarantee your rights and consider the requirements of the EU General Data Protection Regulation (GDPR). 

How data controllers allocate their responsibilities towards my personal data? 

When we provide you with this online offer and other services under the brand name “InkPoster”, we rely on local legal and regulatory requirements, industry practices, accessibility of business supportive services, and, more importantly, when choosing reliable partners within EU/EEA establishment. 

Pocketbook International SA is parent company and has primary responsibility for the development, administration and troubleshooting of the present online offer. In essentials, Pocketbook International SA: 

Pocketbook’s International SA data protection responsibilities to you, therefore, include: 

PB Readers GmbH is an authorized distributor of products under the brand name “InkPoster” within EU region. PB Readers GmbH: 

What personal data controllers collect about me and for what purposes? 

To find out what data we collect, purposes of collection and what are legal grounds, please refer to Sections 2, 3, 4 of Privacy Notice. 

For how long shall my personal data be processed? 

Pocketbook Readers GmbH and Pocketbook International SA jointly envisage different scenarios and mechanics for determining data retention schedules. Both controllers have set the respective Data Retention and Destruction Policy. To find out more, please refer to Section 7 of the Privacy Notice. 

Who is my contact person for rights such as information or deletion? 

We have jointly agreed on how we will ensure your rights and specify in more detail which obligations each party will fulfill to comply with the GDPR. This relates to the exercise of data subjects' rights and fulfilling the information obligations under Articles 13-21 of the GDPR, as given in Section 8 of Privacy Notice. 

You can address each company involved individually regarding the processing of your data and assert your rights. 

You may request us by using contacts as given above, or you may also request us by using our dedicated channel for communication: privacy@inkposter.de. 

We may need to request specific information from you to confirm your identity and ensure your right to access the information (or to exercise any of your other rights).