image description

Privacy Policy

This policy explains what personal data we collect when you use KRUNCH CREW Originals, why we collect it, who we share it with, and the rights you have over it. It applies to krunchcreworiginals.com and all of its subdomains (together, "the Website").

Who we are (data controller)

The Website is owned and operated by:

Insitderp Consulting v/ Kevin Lewis Hall, trading as KRUNCH CREW Originals
CVR no. 3438 6668
Matthaeusgade 48
1666
Copenhagen, Denmark
Email: [email protected]

We are the data controller for the personal data described in this policy.

What personal data we collect

We only collect data we need to run the shop and your account:

  • Account data — your name, email address, and password (stored hashed) when you register. Your email address is verified by a unique link.
  • Order data — your name, delivery address, contact details, and optionally phone number when you place an order, together with your order history.
  • Payment data — handled directly by our payment provider Stripe. We never see or store your full card details; we store only payment references and status.
  • Artist data — if you sell with us as an artist: payout account details and identity/tax information collected through Stripe Connect for verification (KYC) and payouts, including a tax identification number where required.
  • Content you provide — profile information, images, and messages you submit through the Website or send to support.
  • Technical data — server logs including the IP address, time, and page of each request, kept for security and troubleshooting.

You can visit the public parts of the Website without registering.

Why we process your data (legal bases)

Under the GDPR (Article 6), we process personal data on these grounds:

  • To perform our contract with you — creating and running your account, processing and delivering your orders, processing payments and refunds, and paying out artists.
  • Legal obligation — keeping accounting records of transactions as required by the Danish Bookkeeping Act, and meeting tax and payment-regulation requirements (including artist identity verification).
  • Legitimate interests — securing the Website against abuse and fraud (server logs), answering your support requests, and improving the service based on feedback.
  • Consent — optional communications such as web push notifications. Where we rely on consent, you can withdraw it at any time.

We do not use your data for automated decision-making or profiling, and we do not send marketing emails without your consent.

Do we use cookies?

We use only strictly necessary, first-party cookies — the small files your browser needs for the Website to function at all:

  • a session cookie that keeps you logged in and remembers your cart as you move between pages;
  • a CSRF token cookie (XSRF-TOKEN) that protects forms against cross-site request forgery; and
  • an optional "remember me" cookie if you choose to stay logged in.

That is the complete list. We do not use analytics, advertising, tracking, or social media cookies, and no third party sets or reads cookies through the Website.

Because strictly necessary cookies are exempt from the consent requirement under the Danish Cookie Order and the ePrivacy rules, no cookie consent is required to use the Website. The cookie notice you see on your first visit is informational: it tells you about these cookies and links to this section. Dismissing the notice is remembered locally in your browser's own storage — not in a cookie — so it simply doesn't reappear.

Push notifications

If you enable push notifications (for example, order updates), your browser creates a push subscription that we store to deliver messages to your device. Push is strictly opt-in and you can disable it at any time in your profile settings or your browser settings.

Who we share your data with

We do not sell, trade, or rent your personal data. We share it only with the service providers (data processors) we need to run the shop:

  • Stripe — secure payment processing, and identity verification and payouts for artists (Stripe Connect). Stripe is a US company; transfers are safeguarded by the EU–US Data Privacy Framework and Standard Contractual Clauses.
  • Printful — printing and delivering your orders. We share your name, delivery address, and optionally phone number. Printful fulfils orders from facilities in Europe and elsewhere depending on your location.
  • Cloudinary — hosting and delivery of images on the Website.
  • Mailgun (EU region) — sending transactional emails such as order confirmations.
  • Akamai/Linode (Frankfurt, Germany) — hosting of the Website and its database within the EU. Transfers to the US parent company, if any, are safeguarded by Standard Contractual Clauses.

We may also disclose data where required by law, to enforce our Terms of Service, or to protect the rights, property, or safety of us, our users, or others.

How long we keep your data

  • Server logs — no more than 90 days.
  • Account data — until you delete your account.
  • Order and payment records — 5 years from the end of the financial year, as required by the Danish Bookkeeping Act, even if you delete your account.
  • Artist verification and payout records — as long as required by payment regulations and tax law.

How we protect your data

Traffic to the Website is encrypted (HTTPS). Passwords are stored hashed. Your account supports two-factor authentication and browser session management under Profile settings, and we restrict internal access to personal data to what is necessary.

Your rights

Under the GDPR you have the right to:

  • access the personal data we hold about you;
  • rectify inaccurate data;
  • erase your data ("right to be forgotten"), subject to the retention obligations above;
  • restrict or object to processing based on our legitimate interests;
  • data portability — receive the data you provided in a machine-readable format; and
  • withdraw consent at any time, where processing is based on consent.

To exercise any of these rights, contact us at the email address above. We will respond within one month.

If you believe we process your data unlawfully, you have the right to lodge a complaint with the Danish Data Protection Agency, Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark.

Delete my account and user data

You may at any time delete your user account and personal data yourself under Profile settings on the Website. Before deleting, you can download a copy of your data (JSON) from the same section. For your security, deletion is completed via a confirmation link we email you, valid for 24 hours.

What happens then depends on whether you have order history:

  • No orders — your account and all of its data are permanently deleted right away.
  • With orders (or artist sales) — all of your personal data (name, email, address, phone, photos, gallery images and other content) is removed or overwritten immediately, and your gallery images are deleted from our image host. The order records themselves are kept in anonymized form — no longer connected to you as a person — for the 5-year bookkeeping period, and are then deleted automatically.

If you have pending artist payouts or an active subscription, these must be settled or cancelled before the deletion can complete.

Children

The Website is directed at people aged 13 or older, in line with the age limit for information society services under GDPR Article 8 as implemented in Denmark. If you are under 13, please do not create an account.

Changes to this policy

If we change this policy, we will post the updated version on this page with a new date. For significant changes we will notify registered users.

This document was last updated 3 July, 2026.

This website uses only strictly necessary cookies to ensure it works — no tracking, no analytics. More info