Elektronikhandel Michael Gräf
Breitscheidstraße 84, 70176 Stuttgart
Germany
Phone: 0174 3292357
E-Mail: info@ampario.de
VAT ID according to § 27a UStG: DE311588656
When visiting our website, the following data is automatically collected by the web server (server log files):
This data is technically required to deliver the website and ensure security. Legal basis: Art. 6(1)(f) GDPR (legitimate interest). Log files are automatically deleted after 14 days.
During registration, we collect: name, email address, password (stored encrypted), account type (private/business), and, if applicable, company name, business address, and VAT ID. Processing is based on contract fulfillment (Art. 6(1)(b) GDPR).
When creating listings, title, description, images, price, location, and category are stored and publicly displayed. For orders, we store order and payment information for contract processing. Messages between users are stored to enable communication. Legal basis: Art. 6(1)(b) GDPR (contract fulfillment).
This website uses technically necessary cookies and optional anonymous usage statistics. No marketing cookies or advertising trackers are used.
| Cookie | Purpose | Duration |
|---|---|---|
| authjs.session-token | Session cookie (login) | Session end / 30 days |
| authjs.csrf-token | CSRF protection (form security) | Session end |
| authjs.callback-url | Redirect after login | Session end |
| amp_sid | Anonymous session ID for page view deduplication (prevents multiple counting) | 24 hours |
The cookies listed above are required for the operation of the platform and cannot be disabled. Legal basis: Art. 6(1)(f) GDPR (legitimate interest) and § 25(2) TDDDG (technically necessary cookies are exempt from consent requirements).
The key "ampario-cookie-consent" is stored in the browser's localStorage to record whether usage statistics were accepted or declined. When accepted, a random session ID is also stored in sessionStorage (key "__ops_sid"), which only exists for the duration of the browser tab and cannot be associated with any person. These values contain no personal data and can be deleted via browser settings.
Payment processing is handled by Stripe, Inc. (354 Oyster Point Blvd, South San Francisco, CA 94080, USA). When using Stripe, payment data is processed directly by Stripe. We do not receive complete credit card data. Stripe is PCI DSS Level 1 certified.
For sellers, Stripe Connect is used. Additional data for identity verification is collected and processed directly by Stripe. Legal basis: Art. 6(1)(b) GDPR (contract fulfillment).
More information: stripe.com/privacy
We use Resend (Resend, Inc., San Francisco, USA) for sending transactional emails (registration confirmation, password reset, order notifications). Your email address is transmitted to Resend for this purpose. Legal basis: Art. 6(1)(b) GDPR (contract fulfillment).
Our website is hosted by Vercel Inc. (440 N Barranca Ave #4133, Covina, CA 91723, USA). Vercel processes the access data mentioned in section 2. A data processing agreement according to Art. 28 GDPR is in place with Vercel.
Platform data is stored in a PostgreSQL database at Neon Inc. (100 Bush St, Suite 1600, San Francisco, CA 94104, USA). The database is located in the EU-Central-1 region (Frankfurt). Neon processes data under a data processing agreement according to Art. 28 GDPR. Legal basis: Art. 6(1)(b) GDPR (contract fulfillment).
Uploaded images are stored via Vercel Blob. Images are publicly accessible via URL and associated with listings. Legal basis: Art. 6(1)(b) GDPR (contract fulfillment).
Through the use of the following service providers, personal data is transferred to the USA:
| Service | Purpose | Transfer Legal Basis |
|---|---|---|
| Stripe, Inc. | Payment processing | EU-US Data Privacy Framework |
| Resend, Inc. | Email delivery | EU-US Data Privacy Framework |
| Vercel Inc. | Hosting + image storage | EU-US Data Privacy Framework |
| Neon Inc. | Database (EU region) | EU-US Data Privacy Framework |
Data transfers are based on the EU-US Data Privacy Framework (adequacy decision by the EU Commission pursuant to Art. 45 GDPR). All mentioned service providers are certified under the EU-US DPF.
We offer an optional browser extension (Chrome/Edge) that allows users to import listings from third-party platforms (e.g. Kleinanzeigen) directly to Ampario.
The extension only accesses third-party platform websites when actively triggered by the user. Listing data (title, description, price, image URLs, location, category, listing ID) is extracted and transmitted over an encrypted connection (HTTPS) to Ampario servers. No login credentials of third-party platforms are collected or stored. Legal basis: Art. 6(1)(a) GDPR (consent).
The extension is distributed via the Chrome Web Store (Google LLC). Google's privacy policy additionally applies.
| Data Category | Retention Period |
|---|---|
| Server log files | 14 days |
| Account data after deletion | 30 days (recovery period), then complete deletion |
| Orders and invoices | 10 years (statutory retention obligation per § 147 AO, § 257 HGB) |
| Messages between users | Until account deletion of both parties |
| Listings | Until deletion by the user or account deletion |
| Stripe payment data | Per Stripe policies |
| Usage statistics (raw data) | 30 days |
| Usage statistics (aggregated) | 90 days |
If you consent via the cookie notice, we collect anonymous usage data to improve the platform. The following data is collected:
The collected data is used exclusively to improve our services. We analyze which features are used and where users encounter difficulties in order to improve usability.
Legal basis: Art. 6(1)(a) GDPR (consent). Analytics are only activated after your explicit consent via the cookie notice.
No IP addresses are stored, no cookies are set, and no profiling is performed. A random session ID (UUID in sessionStorage) is generated per browser tab, which cannot be associated with any person and only exists for the duration of the tab.
Data is processed on our own server in Germany (Hetzner, Nuremberg) and is not shared with third parties. No external analytics services (e.g. Google Analytics), social media plugins, or advertising trackers are used.
Raw data (individual events) is deleted after 30 days. Aggregated statistics are automatically deleted after 90 days.
You can deactivate analytics at any time by selecting "Necessary only" in the cookie notice. If you have already consented, you can withdraw your consent by deleting the "ampario-cookie-consent" key in your browser settings (site data / localStorage) or setting it to "declined". The page will then display the cookie notice again on your next visit.
You have the following rights regarding your personal data at all times:
To exercise your rights, contact info@ampario.de.
You have the right to lodge a complaint with a data protection supervisory authority about the processing of your personal data. Responsible supervisory authority:
State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Lautenschlagerstraße 20, 70173 Stuttgart
www.baden-wuerttemberg.datenschutz.de
When using the Express Pickup service, the following additional data is processed:
Legal basis: Art. 6(1)(b) GDPR (contract fulfillment). The IBAN is stored encrypted using AES-256-GCM and only decrypted for payouts. Location data is not shared with third parties. Express transport data is retained for 10 years (statutory retention obligation for accounting records per § 147 AO).
This privacy policy is currently valid. Changes may become necessary due to further development of the website or changed legal requirements.
Last updated: March 2026