PRIVACY POLICY
Bunker Schutzraum Systeme Deutschland-Defence GmbH (BSSD-Defence)
www.bunker-bssd.de
Stand: April 2026
1. Responsible person and contact
The controller responsible for the processing of personal data on this website within the meaning of the General Data Protection Regulation (GDPR) is:
| Bunker Schutzraum Systeme Deutschland-Defence GmbH (BSSD-Defence)
Am Kupfergraben 6a, 10117 Berlin Commercial Register: Charlottenburg District Court (Berlin), HRB 203918 B Telephone: 030 / 959 994 830 Email: verkauf@bunker-bssd.de Website: www.bunker-bssd.de |
For questions regarding data protection, please contact us by email at: verkauf@bunker-bssd.de
Note: A legally required data protection officer has not been appointed at present. Should an obligation to appoint one arise pursuant to Section 38 of the German Federal Data Protection Act (BDSG), they will be reachable at the above address and their name will be published on this page.
2. Overview of data processing
This privacy policy informs you, in accordance with Articles 13 and 14 of the GDPR, about the type, scope, and purpose of the processing of personal data on our website www.bunker-bssd.de. Personal data is any information relating to an identified or identifiable natural person (Article 4 No. 1 GDPR).
We process personal data exclusively on the basis of the legal grounds specified in Article 6 of the GDPR. The following overview shows all relevant processing operations:
| Purpose | Legal basis | Recipient/ Third country |
| Website visit/ Server logs | Article 6 paragraph 1 letter f GDPR (legitimate interest) | Hosting providers (EU) |
| Contact form | Article 6 paragraph 1 letter b/f GDPR | No third party |
| Order / Purchase | Article 6 paragraph 1 letter b GDPR | Shipping service provider, payment provider |
| Customer account | Article 6 paragraph 1 letter b GDPR | No third party |
| Credit check | Article 6 paragraph 1 letter f GDPR | Credit report agencies |
| Newsletter | Art. 6 Abs. 1 lit. a DSGVO | Newsletter service (EU/USA*) |
| Google Analytics 4 | Art. 6 Abs. 1 lit. a DSGVO | Google LLC, USA (SCCs*) |
| Google reCAPTCHA | Article 6 paragraph 1 letter f GDPR | Google LLC, USA (SCCs*) |
| Cloudflare Turnstile | Article 6 paragraph 1 letter f GDPR | Cloudflare Inc., USA (SCCs*) |
| PayPal | Article 6 paragraph 1 letter b GDPR | PayPal Europe, Luxemburg |
| Klarna | Article 6 paragraph 1 letter b GDPR | Klarna Bank AB, Sweden |
| Stripe | Article 6 paragraph 1 letter b GDPR | Stripe Payments Europe, IE / USA (SCCs*) |
| WooCommerce (Shop) | Article 6 paragraph 1 letter b GDPR | Automattic Inc., USA (SCCs*) |
| WPML (Multilingualism) | Article 6 paragraph 1 letter f GDPR | OnTheGoSystems, CH |
* Third-country transfers to the USA are based on standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR (EU Standard Contractual Clauses, SCC 2021).
3. Hosting and server log files
Our website is hosted on servers of a hosting provider within the European Union. Each time our website is accessed, the following data is automatically stored in server log files:
- IP address of the accessing device
- Date and time of access
- URL of the requested page
- Referrer URL (previously visited page)
- Browser type, browser version and operating system
- HTTP status code
Important note: IP addresses are personal data according to Art. 4 No. 1 GDPR and the case law of the ECJ (C-582/14, Breyer).
Legal basis: Article 6(1)(f) GDPR (legitimate interest in ensuring technical operation and preventing attacks). Storage period: 7 days, after which automatic deletion. Data will only be disclosed to third parties in cases of concrete suspicion of unlawful use.
4. Cookies and Consent Management
4.1 What are cookies?
Cookies are small text files that are stored on your device when you visit a website. We distinguish between:
- Technically necessary cookies: Without these cookies, the website cannot function correctly (e.g., shopping cart, session management). These do not require consent (§ 25 para. 2 no. 2 TDDDG).
- Analytics and marketing cookies: These are only set after your prior, explicit consent (Section 25 Paragraph 1 TDDDG, Article 6 Paragraph 1 lit. a GDPR).
4.2 Consent Management (CMP)
On your first visit to our website, you will see a cookie banner that allows you to grant, restrict, or refuse your consent to the use of non-essential cookies. You can revoke your consent at any time with effect for the future via the “Cookie settings” link in the footer of our website
Legal basis: Art. 6 para. 1 lit. a GDPR, § 25 TDDDG. Your consent will be logged with a timestamp (obligation to provide evidence pursuant to Art. 7 para. 1 GDPR).
5. Making contact
When you contact us by email or via our contact form, we process the data you provide (name, email address, message content and other voluntary information) solely for the purpose of handling your request.
Legal basis: Article 6(1)(b) GDPR (pre-contractual measures/contract initiation) or Article 6(1)(f) GDPR (legitimate interest in communicating with prospective customers). Storage period: 3 years after final processing, unless a statutory retention obligation applies.
Note regarding forms: Our contact forms are secured with Google reCAPTCHA and/or Cloudflare Turnstile. See sections 12 and 13 for more information.
6. Ordering, contract processing and customer account
6.1 Purchase agreement
To process orders in our online shop, we process the following data:
- Contact details (name, address, email, telephone)
- Order details (products, quantities, prices)
- Payment data (payment method, transaction data — not full credit card text)
- Delivery data
Legal basis: Art. 6 para. 1 lit. b GDPR (contract conclusion and performance). Storage period: 10 years in accordance with § 147 AO, § 257 HGB (tax and commercial law retention obligations). Disclosure: to shipping service providers (where necessary) and payment providers (see sections 14–16).
6.2 Customer account
When you create a customer account, we store your registration data (email address, password hash, name, address) as well as the IP address and timestamp of the registration. Legal basis: Art. 6 para. 1 lit. b GDPR. The account can be deleted at any time; statutory retention obligations for transaction data remain unaffected.
6.3 Offer list and wish list
The use of the offer list and wish list is non-binding. Saved items are processed solely for the purpose of providing this function. Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in providing convenient shop functions).
7. Credit check
For selected payment methods (especially purchase on account), we transmit the following data to credit agencies for credit checks: name, address, date of birth (if provided), email address, order value and payment method.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest of the provider in protecting against payment default). The credit check is carried out before the conclusion of the contract; the result influences the decision as to which payment methods are offered.
If a decision regarding the availability of payment methods is based on an automated scoring process, you have the right, pursuant to Article 22 of the GDPR, to request a human review of the decision, to express your point of view, and to contest the decision. Please contact us at: verkauf@bunker-bssd.de
In the event of late payment, we may, after prior notification, report relevant data to credit reference agencies (Art. 6 para. 1 lit. f GDPR). Your rights under Art. 15–21 GDPR remain unaffected.
8. Newsletter
With your explicit consent, you can subscribe to our newsletter. Registration uses a double opt-in process: After entering your email address, you will receive a confirmation email with an activation link. Your registration will only be activated after clicking this link.
When you register, we store the following information: email address, timestamp of registration and confirmation, and the IP address of the device used at the time of registration.
Legal basis: Art. 6 para. 1 lit. a GDPR (consent). You can withdraw your consent at any time, e.g., via the unsubscribe link in every newsletter or by sending a message to verkauf@bunker-bssd.de . The withdrawal does not affect the lawfulness of the processing carried out up to that point.
8.1 Newsletter Tracking
Our newsletters contain tracking pixels that allow us to see if and when a newsletter was opened and which links were clicked. This analysis helps us optimize our communication. Legal basis: Art. 6 para. 1 lit. a GDPR (consent, given separately). You can prevent tracking by disabling HTML display in your email program.
Newsletter service used: CleverReach. Transfers to third countries are based on standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR.
9. Google Analytics 4
We use Google Analytics 4 (GA4), a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, represented in the EU by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
GA4 uses event-based tracking and stores data about your behavior on our website (pages visited, time spent on site, clicks, conversions). Unlike Universal Analytics, GA4 does not store full IP addresses by default; IP addresses are shortened before storage within the EU.
GA4 uses cookies and transfers data to the USA. Legal basis: Art. 6 para. 1 lit. a GDPR (consent obtained via our cookie consent banner). Third-country transfer: Standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR.
You can withdraw your consent at any time via our cookie settings. Alternatively: Browser add-on for deactivation: https://tools.google.com/dlpage/gaoptout
Google Privacy Policy: https://policies.google.com/privacy
10. Google reCAPTCHA
On our website we use Google reCAPTCHA, a service of Google LLC / Google Ireland Limited (addresses see section 9), to protect forms from automated access (bots).
When using reCAPTCHA, your IP address, browser and operating system information, as well as your interaction behavior on the page, are transmitted to Google servers, including in the USA.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in the security of our website and prevention of spam and abuse). Third-country transfer: Standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR.
Google Privacy Policy: https://policies.google.com/privacy
11. Cloudflare Turnstile
In addition to or as an alternative to reCAPTCHA, we use Cloudflare Turnstile, a bot protection service provided by Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA, represented in the EU by Cloudflare Ireland Limited.
Cloudflare Turnstile analyzes user behavior on the site and transmits technical data (IP address, browser fingerprint, interaction data) to Cloudflare servers, possibly also in the USA.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in the security of our forms). Third-country transfer: Standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR.
Cloudflare privacy policy: https://www.cloudflare.com/privacypolicy/
12. PayPal
When selecting PayPal as the payment method, data (name, address, email address, order details) will be transferred to PayPal (Europe) S.à.rl et Cie, SCA, 22–24 Boulevard Royal, L-2449 Luxembourg, for the processing of the transaction.
Legal basis: Article 6(1)(b) GDPR (contractual necessity). PayPal may transfer data to credit reference agencies; this is within PayPal’s area of responsibility.
PayPal privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full
13. Klarna (incl. instant bank transfer)
When choosing the payment method Klarna (purchase on account, installment payment) or Klarna instant bank transfer, data (name, address, email, order details, bank details) will be transferred to Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden.
Klarna conducts a credit check; the decision regarding financing rests with Klarna. Legal basis: Art. 6 para. 1 lit. b GDPR (contractual necessity). As Klarna is based in Sweden (EU), no data transfer to a third country takes place.
Klarna privacy policy: https://www.klarna.com/de/datenschutz/
14. Stripe
When choosing Stripe Link or credit card payment via Stripe, payment data is transferred to Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (parent company: Stripe Inc., 354 Oyster Point Blvd, South San Francisco, CA, USA).
Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance). Transfer to third countries (USA): Standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR.
Stripe privacy policy: https://stripe.com/de/privacy
15. WooCommerce
Our online shop is based on WooCommerce, a plugin from Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA. WooCommerce processes order data locally on our server. Additionally, telemetry data (technical statistics on plugin usage) may be transmitted to Automattic.
Legal basis: Art. 6 para. 1 lit. b GDPR (shop operation as a contractual basis) and Art. 6 para. 1 lit. f GDPR (legitimate interest in technical operation). Third-country transfer to the USA: Standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR.
Automattic privacy policy: https://automattic.com/privacy/
16. WPML (Multilingualism)
We use the WordPress Multilingual Plugin (WPML) from OnTheGoSystems Limited, 22 Yiu Shun Street, Chai Wan, Hong Kong (developed in Switzerland). WPML enables the multilingual display of our website. No personal user data is transferred to OnTheGoSystems.
Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in operating a multilingual website).
17. Third-country transfers (USA)
Several services we use transfer data to the USA. The USA does not have a level of data protection comparable to that of the EU. We ensure that these transfers take place exclusively on the basis of appropriate safeguards within the meaning of Article 46 GDPR, in particular on the basis of the Standard Contractual Clauses adopted by the EU Commission (SCC 2021, Decision (EU) 2021/914).
Providers who are additionally certified under the EU-US Data Privacy Framework (DPF, valid since July 2023) offer an additional layer of protection. The current list of certified providers can be viewed at https://www.dataprivacyframework.gov.
By using our website and consenting to the corresponding cookies, you declare your agreement to these transfers.
18. Storage duration
We only store personal data for as long as it is necessary for the respective purpose or as required by statutory retention periods. In summary:
| Data category | Storage duration | Legal basis for storage |
| Server log files | 7 days | Article 6 paragraph 1 letter f GDPR |
| Contact requests | 3 years | Article 6 paragraph 1 letter f GDPR |
| Order details / Invoices | 10 years | § 147 AO, § 257 HGB |
| Customer account | Until deletion + 3 years | Article 6 paragraph 1 letter b GDPR |
| Newsletter consent | Until further notice + 3 years | Article 7 paragraph 1 GDPR (proof) |
| Credit data | According to legal requirments | Article 6 paragraph 1 letter f GDPR |
| Proof of consent | 3 years | Article 7(1) GDPR |
19. Your rights as a data subject
You have the following rights with regard to your personal data:
| Art. 15 GDPR | Right to information: You can request a copy of the data stored about you. |
| Art. 16 GDPR | Right to rectification: You can request the correction of inaccurate data. |
| Art. 17 GDPR | Right to erasure: You can request the erasure of your data, provided there are no legal obligations to retain it. |
| Art. 18 GDPR | Restriction of processing: You can request the restriction of processing. |
| Art. 20 GDPR | Data portability: You can receive your data in a machine-readable format. |
| Art. 21 GDPR | Right to object: You can object to the processing on the basis of Art. 6 para. 1 lit. e or f GDPR. |
| Art. 7 Abs. 3 GDPR | Revocation: Consent can be revoked at any time with effect for the future. |
| Art. 77 GDPR | Right to lodge a complaint: You can lodge a complaint with the competent data protection supervisory authority. |
Competent supervisory authority for BSSD-Defence:
| Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstr. 219, 10969 Berlin Telephone: +49 30 13889-0 Email: mailbox@datenschutz-berlin.de Website: www.datenschutz-berlin.de |
To exercise your rights, please contact us in writing or by email at: verkauf@bunker-bssd.de . We will respond to your request within 30 days in accordance with Article 12 Paragraph 3 GDPR.
20. Special right to object (Art. 21 GDPR)
Insofar as we process your data on the basis of Article 6(1)(f) GDPR (legitimate interest), you have the right to object at any time. We will then no longer process your data unless we can demonstrate compelling legitimate grounds which override your interests.
If we process your data for direct marketing (newsletter), you can object at any time; in this case, your data will no longer be processed for advertising purposes.
21. Data security
Our website uses SSL/TLS encryption (recognizable by the “https://” and the padlock symbol in the browser bar). We implement technical and organizational measures (TOM) in accordance with Article 32 GDPR to protect your data from unauthorized access, loss, or destruction. However, we cannot guarantee absolute security of transmission.
22. Updates and changes to this privacy policy
This privacy policy is current as of April 2026. We reserve the right to update this policy in the event of changes to the legal situation, our data processing practices, or technical circumstances. The most current version is always available at www.bunker-bssd.de/datenschutzerklaerung. We recommend checking this page regularly.
Bunker Shelter Systems Germany-Defence GmbH (BSSD-Defence) – Am Kupfergraben 6a, 10117 Berlin – Status: April 2026
