Privacy Policy

I. Introduction and Definitions

By operating our website at https://www.fcsp-shop.com/de_DE/index.html (hereinafter referred to as the "website"), we process personal data. This data is treated confidentially and processed in accordance with applicable law – in particular the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the Telecommunications and Telemedia Data Protection Act (TTDSG). This privacy policy is intended to inform you about what personal data we collect, for what purposes and on what legal basis we use it, and to whom we may disclose it. We will also explain what rights you have to protect and enforce your data privacy.

2.1 Personal Data "Personal data" means any information relating to an identified or identifiable natural person (Art. 4(1) GDPR). Information about an identified person may include, for example, their name or email address. Data is also considered personal where the identity of the person is not immediately apparent but can be determined by combining one's own or third-party information. A person may be identifiable via their address or bank details, date of birth or username, IP addresses and/or location data. All information that in any way allows conclusions to be drawn about a specific person is relevant here. 2.2 Processing "Processing" within the meaning of Art. 4(2) GDPR means any operation carried out in connection with personal data. This includes in particular the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure or destruction of personal data.

II. Controller and Data Protection Officer

Company: FC St. Pauli Merchandising GmbH & Co. KG ("we") Legal representative: Wilken Engelbracht, Martin Urban Address: Harald-Stender-Platz 1, 20359 Hamburg Phone: +49 40 317 874 888 Email: info@fcsp-shop.com

Company: HABEWI GmbH & Co. KG Legal representative: General partner HABEWI Beteiligungs GmbH, represented by Arne Platzbecker (Managing Director) Address: Palmaille 96, 22767 Hamburg Phone: +49 40 46008966 Fax: +49 40 46008977 Email: datenschutz@habewi.de

III. Processing Framework

5. PROCESSING FRAMEWORK: WEBSITE In the context of the website, we process the personal data listed individually in Section IV below. We only process data that you actively provide on the website (e.g. by completing forms) or that you automatically make available when using our services. Your data is processed exclusively by us and is generally not sold, lent or passed on to third parties. Where we use external service providers to assist with the processing of your personal data, this is done within the framework of so-called commissioned processing (Auftragsverarbeitung), in which we as the client have the right to issue instructions to our processors. We use external service providers for hosting, maintenance and upkeep of our website. We host our website with the external provider Amazon Web Services AWS (Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, USA) at the data centre location in Frankfurt, Germany. Where further external service providers are used for individual processing activities listed in Section IV, they will be named there. As a general rule, we do not transfer data to third countries and do not plan to do so. We will inform you of any exceptions to this principle in the processing activities described below. Any transfer of data to third countries will be made on the basis of the so-called EU Standard Contractual Clauses.

IV. Individual Processing Activities

6.1 Description of Processing Each time the website is accessed, we automatically collect information that your browser transmits to our server. This includes the following data: · IP address · Browser software used, including version and language · Operating system · The website from which visitors arrived at our website (referrer) · Pages visited · Date and time · Internet service provider · Country and location This data is also stored in log files. The IP address is stored in truncated form. 6.2 Purpose Ensuring the functionality, stability and security of the website, as well as optimisation. 6.3 Legal basis Art. 6(1)(f) GDPR 6.4 Retention period Deleted after 30 days or at the end of the session.

7.1 Description of Processing You can create a customer account (name, address, email, password). 7.2 Purpose Providing the customer account. 7.3 Legal basis Art. 6(1)(b) GDPR 7.4 Retention period Until deletion or withdrawal.

8.1 Description Orders can be placed as a guest or as a registered user. Mandatory fields are required. Payment via PayPal or credit card. Shipping via DHL. 8.2 Purpose Contract fulfilment. 8.3 Legal basis Art. 6(1)(b) GDPR 8.4 Retention period 10 years as required by law; restricted access after 2 years.

9.1 Description of Processing Our website uses cookies. Cookies are small text files that are stored on the user's device when they visit a website. Cookies contain information that enables a device to be recognised and, where applicable, certain website functions to be used. We distinguish between our own cookies and third-party cookies. Our website uses both "session cookies" and "persistent cookies". Session cookies are deleted when you close your browser. Persistent cookies remain stored for a longer period. In addition to cookies, we also use other tracking technologies such as pixels or fingerprinting. Technically necessary cookies do not require consent. All other cookies are only set after your consent has been given. To manage consent, we use "Usercentrics" (Usercentrics GmbH, Munich). The tool stores your selection in a cookie. You can view the specific cookies used in the consent management tool. 9.2 Purpose Improving user-friendliness and functionality. 9.3 Legal basis Art. 6(1)(f) GDPR (technically necessary) Art. 6(1)(a) GDPR (consent) 9.4 Retention period Cookies are deleted after the session or after a defined period. You can manage or delete cookies in your browser. 9.5 Recipients Third-party providers may receive data. See the consent management tool for details.

10.1 Description When you contact us by email, we process your data. 10.2 Purpose Processing your enquiry. 10.3 Legal basis Art. 6(1)(f) GDPR, or Art. 6(1)(b) where the enquiry relates to a contract. 10.4 Retention period Deleted upon conclusion of the communication.

11.1 Description The newsletter is only sent following registration (double opt-in). IP address, date and time are stored for documentation purposes. Existing customers may also receive the newsletter without a separate registration. 11.2 Purpose Sending information and promotional content. 11.3 Legal basis Art. 6(1)(a) GDPR (consent) Art. 6(1)(f) GDPR (existing customers) 11.4 Retention period Until unsubscription. 11.5 Recipients HubSpot (USA) as service provider.

12.1 Description Our website uses links to Facebook, Instagram, Twitter and YouTube. Social plugins are used in some cases (two-click solution). When activated, data (e.g. IP address) is transmitted and may be linked to user accounts. We operate our own profiles on these networks. Interactions (likes, comments, etc.) are visible to us. Facebook and Instagram provide us with anonymised statistics ("Insights"). The networks create user profiles for advertising purposes. 12.3 Purpose Corporate communications and reach analysis. 12.4 Legal basis Art. 6(1)(f) GDPR Art. 6(1)(a) GDPR (where consent is given) 12.5 Withdrawal Consents can be withdrawn at any time. 12.6 Recipients Meta (Facebook/Instagram), Twitter, YouTube (Google) Data processing also takes place in the USA.

13.1 Description of Processing The homepage of our website contains a "Social Feed" displaying selected posts from our social media channels (Facebook, Instagram, Twitter, YouTube). This content is first cached on our server and then embedded locally. As a result, no direct data transfer to social networks takes place. 13.2 Purpose Displaying current content from our social media channels. 13.3 Legal basis Art. 6(1)(f) GDPR 13.4 Recipients Use of the feed may result in redirection to social networks (see Section 12).

14.1 Description of Processing Our website uses Google Analytics (Google LLC, USA). Google Analytics uses cookies that enable analysis of usage. We use IP anonymisation. Data collected includes: - Number of visitors - Origin - Pages visited - Click behaviour Data is generally transferred to servers in the USA. 14.2 Purpose Analysis and optimisation of our online offering. 14.3 Legal basis Art. 6(1)(a) GDPR (consent) 14.4 Retention period / Withdrawal Data is deleted after 14 months. Consent can be withdrawn at any time. 14.5 Recipients Google LLC (USA)

15.1 Description Integration of fonts from Google. Your IP address may be transmitted to Google in the process. 15.2 Purpose Display of fonts. 15.3 Legal basis Art. 6(1)(f) GDPR 15.4 Recipients Google (USA)

16.1 Description Integration of fonts from Adobe. 16.2 Purpose Improved display. 16.3 Legal basis Art. 6(1)(f) GDPR 16.4 Recipients Adobe (USA)

Icons are hosted locally. No data is transferred to third parties.

Fonts are stored locally to avoid external requests.

19.1 Description Videos are embedded in enhanced privacy mode. Data is only transferred to Google when a video is played. 19.2 Purpose Display of videos. 19.3 Legal basis Art. 6(1)(a) GDPR 19.4 Withdrawal Possible via the consent management tool. 19.5 Recipients Google / YouTube (USA)

20.1 Description Integration of maps from Google. Your IP address is transmitted in the process. 20.2 Purpose Display of maps. 20.3 Legal basis Art. 6(1)(a) GDPR 20.4 Withdrawal Possible via the consent management tool. 20.5 Recipients Google (USA)

21.1 Description of Processing Our website uses the "Facebook Pixel" service provided by Meta. This enables us to display targeted advertising and measure its effectiveness. When you visit our website, a connection to Facebook is established. Facebook may set cookies and associate the visit with your user account. 21.2 Purpose Targeted advertising and effectiveness analysis. 21.3 Legal basis Art. 6(1)(a) GDPR (consent) 21.4 Withdrawal Possible via the consent management tool or Facebook settings. 21.5 Recipients Meta (USA)

22.1 Description Use of the TikTok Pixel for advertising and analysis. 22.2 Purpose Targeted advertising. 22.3 Legal basis Art. 6(1)(a) GDPR 22.4 Withdrawal Possible via the consent management tool. 22.5 Recipients TikTok (third countries)

23.1 Description Use of Google Ads to display advertising and measure performance. Cookies record interactions and enable remarketing. 23.2 Purpose Advertising and analysis. 23.3 Legal basis Art. 6(1)(a) GDPR 23.4 Withdrawal Possible via the consent management tool or Google settings. 23.5 Recipients Google (USA)

Used to manage website tags. The Tag Manager itself does not process any personal data.

25.1 Description Protection against spam through analysis of user behaviour. 25.2 Purpose Website security. 25.3 Legal basis Art. 6(1)(f) GDPR 25.4 Recipients Google (USA)

26.1 Description Use of CDNs (e.g. Cloudflare) for faster delivery of content. 26.2 Purpose Performance and security. 26.3 Legal basis Art. 6(1)(f) GDPR 26.4 Recipients Cloudflare (USA)

V. Security Measures

27. Security Measures Our website uses SSL/TLS encryption. This is indicated by the padlock symbol in the browser address bar.

VI. Your Rights

28. Data Subject Rights 28.1 Right of Access You have the right to obtain information about the data stored about you. 28.2 Right to Rectification Inaccurate data can be corrected. 28.3 Right to Erasure You can request the deletion of your data. 28.4 Right to Restriction of Processing Processing can be restricted. 28.5 Right to Data Portability Data can be provided in a machine-readable format. 28.6 Right to Withdraw Consent Consents can be withdrawn at any time. 28.7 Right to Lodge a Complaint You have the right to lodge a complaint with a supervisory authority. 28.8 Automated Decision-Making No profiling takes place. 28.9 Right to Object You can object to the processing of your data, in particular in the case of direct marketing.