Data Policy

1. Introduction

This website is operated by: Galerie Roche e.K.

It is very important to us to handle our website visitors' data responsibly and to protect it in the best possible way. For this reason, we make every effort to comply with the requirements of the GDPR.

Below we explain, as clearly as possible, how we process your data on our website.

2. General Information

2.1 Processing of personal data and other terms

Data protection applies to the processing of personal data. Personal data means all data that can be used to identify you personally. Processing means any operation performed on such data.

Further legal definitions can be found in Art. 4 GDPR.

2.2 Applicable regulations

The legal framework for data protection is determined in particular by the GDPR, the BDSG and the TDDDG.

2.3 Controller

The controller responsible for data processing on this website is:

Galerie Roche e.K.
Fedelhören 30
D-28203 Bremen
Deutschland

Tel: + 49 (0) 421 / 32 37 47
Fax: + 49 (0) 421 / 32 81 07
Email: contact@galerieroche.de

2.4 Data Protection Officer

The data protection contact is the Business Director:

Sonia Roche
Galerie Roche e.K.
Email: contact@galerieroche.de

2.5 General processing of data on this website

Some data is collected automatically in order to provide the website technically. Further personal data is processed only when necessary or when you provide it to us voluntarily.

2.6 Your rights

You have the right to access, rectification, erasure, restriction of processing, data portability and objection to the processing of your personal data. You may also withdraw consent at any time with effect for the future and lodge a complaint with a data protection supervisory authority.

2.7 Transfer and deletion

Personal data is transferred only where there is a legal basis for doing so. We delete data as soon as the purpose of processing no longer applies and no statutory retention obligations prevent deletion.

2.8 Hosting

This website is hosted externally. Personal data collected on this website is stored on the host's servers. This concerns in particular technically necessary access data and server log files.

External hosting is used for the secure, fast and reliable provision of our website.

The legal basis is Art. 6(1)(f) GDPR and, where consent is required for cookies or similar technologies, Art. 6(1)(a) GDPR in conjunction with Section 25 TDDDG.

Our host processes only such data as is necessary to fulfil its contractual duties and acts as a processor.

We use the following host:

Netlify

2.9 Legal basis

Personal data is processed exclusively on the basis of the applicable statutory permissions, in particular Art. 6(1)(a), (b), (c) and (f) GDPR.

3. What Happens on Our Website

By visiting our website, personal data relating to you may be processed.

We use SSL or TLS encryption to protect this data.

3.1 Data collection when accessing the website

When the website is accessed, information is automatically stored in server log files. This may include in particular:

This data is required to provide the website securely and reliably, to troubleshoot errors and to detect misuse. The legal basis is Art. 6(1)(f) GDPR.

3.2 Cookies

3.2.1 General information

This website uses cookies and similar technologies. They may be used to enable certain website functions and to carry out analytics or marketing measures.

Our consent tool provides information about the cookies and services used on this website.

3.2.2 Rejecting cookies

You can manage all technically unnecessary cookies directly via our consent tool. You can also block or delete cookies through your browser settings.

3.2.3 Technically necessary cookies

Technically necessary cookies are used to ensure the correct and lawful operation of the website. The legal basis is Art. 6(1)(f) GDPR or, where applicable, Art. 6(1)(c) GDPR.

3.2.4 Technically unnecessary cookies

Analytics and marketing cookies are used only with your consent. The legal basis is Art. 6(1)(a) GDPR in conjunction with Section 25 TDDDG.

3.3 Contact

There are no forms on this website. If you contact us by email or telephone, we process the data you provide solely for the purpose of handling your request.

The legal basis is Art. 6(1)(b) GDPR where the request relates to the initiation or performance of a contract, otherwise Art. 6(1)(f) GDPR.

3.4 Consent Management Tool

3.4.1 Usercentrics

To ensure that only cookies and technologies with a valid legal basis are used on our website, we use the Usercentrics consent management tool.

Usercentrics is used to obtain, manage and document consent for the storage of certain cookies or the use of certain technologies.

When this website is accessed, a record is stored of whether and to what extent consent has been granted or withdrawn.

The legal basis is Art. 6(1)(c) GDPR and, where applicable, Section 25 TDDDG.

3.5 Analytics and Tracking Tools

3.5.1 Google Analytics

We use Google Analytics provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics records the behaviour of visitors on our website. In particular, the truncated IP address, browser and device information, referrer URL, visited pages, time spent, click behaviour, location data and timestamps may be processed.

The data is processed for analysing user behaviour, improving our website and optimising our marketing activities.

The legal basis is Art. 6(1)(a) GDPR in conjunction with Section 25 TDDDG. Google Analytics is used only with your consent.

Transfers of data to the United States cannot be excluded.

Further information: https://policies.google.com/privacy?hl=de

3.5.2 Google Tag Manager

We use Google Tag Manager provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is used for the technical administration and deployment of tags and services. As a rule, it does not store cookies itself, but it may technically trigger the processing of the IP address.

The legal basis is Art. 6(1)(f) GDPR or, where consent-based services are controlled through Tag Manager, your consent under Art. 6(1)(a) GDPR in conjunction with Section 25 TDDDG.

Further information: https://policies.google.com/privacy?hl=en

3.5.3 Google Search Console

We use Google Search Console provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Search Console allows us to analyse how our website appears in Google Search, identify technical issues and improve visibility.

Google may process performance information, clicks, access data and technical errors. Google Search Console itself does not set cookies on our website.

The legal basis is Art. 6(1)(f) GDPR.

Further information: https://policies.google.com/privacy

3.5.4 Meta Pixel

We use Meta Pixel on this website. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

Meta Pixel enables us to understand visitor behaviour after users have been redirected to our website via a Facebook or Instagram advertisement. This allows us to measure and optimise the effectiveness of our advertising.

In particular, IP address, device information, visited pages, interactions and further usage data may be processed. The collected data may also be transferred to the United States and other third countries.

The legal basis is Art. 6(1)(a) GDPR in conjunction with Section 25 TDDDG. Meta Pixel is used only with your consent.

Further information: https://de-de.facebook.com/about/privacy/

3.6 Social Media Profiles

In addition to our website, we maintain a presence on social networks in order to present our business and offer ways to get in touch with us.

3.6.1 Facebook

We maintain a Facebook page. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

If you visit our Facebook page or interact with it, publicly visible profile data, comments, messages and other interactions may be processed.

Meta also provides us with so-called Page Insights, i.e. aggregated statistical evaluations of the use of our page. To the extent that personal data is processed in this context, joint controllership with Meta may apply.

The legal basis for our processing is Art. 6(1)(f) GDPR and, in the case of contract-related inquiries, Art. 6(1)(b) GDPR.

Further information: https://www.facebook.com/privacy/center/

3.6.2 Instagram

We maintain an Instagram profile. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

If you visit our Instagram profile or interact with us there, publicly visible profile data, comments, direct messages and other interactions may be processed.

Meta also provides us with Insights, i.e. aggregated statistical information on the use of our profile and content. To the extent that personal data is processed in this context, joint controllership with Meta may apply.

The legal basis for our processing is Art. 6(1)(f) GDPR and, in the case of contract-related inquiries, Art. 6(1)(b) GDPR.

Further information: https://privacycenter.instagram.com/policy/

3.6.3 Google Business Profile

We maintain a Google Business Profile. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

If you visit our Google Business Profile, leave reviews or interact with us via Google, both Google and we may process the transmitted data.

We process in particular published profile data, reviews, comments and messages to the extent required to present our business and communicate with users.

The legal basis is Art. 6(1)(f) GDPR.

Further information: https://policies.google.com/privacy?hl=de

4. What Else Is Important

Finally, we would like to provide you with more detailed information about your rights.

You have the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR, the right to data portability under Art. 20 GDPR and the right to object under Art. 21 GDPR.

Where processing is based on your consent, you may withdraw that consent at any time with effect for the future.

Regardless of this, you have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data is not lawful.

4.1 Revocation of your consent to data processing

Many data processing operations are possible only with your express consent. You may revoke consent already given at any time with effect for the future. The lawfulness of the processing carried out until the revocation remains unaffected.

4.2 Right to object to the collection of data in special cases and to direct advertising

If data processing is carried out on the basis of Art. 6(1)(e) or (f) GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data. This also applies to profiling based on those provisions.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

If your personal data is processed for direct advertising purposes, you have the right to object at any time to processing for such advertising. This also applies to profiling insofar as it is related to such direct advertising.

4.3 Right to lodge a complaint with the competent supervisory authority

In the event of infringements of the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, your place of work or the place of the alleged infringement.

4.4 Right to data portability

You have the right to receive data that we process automatically on the basis of your consent or in fulfilment of a contract in a commonly used, machine-readable format, or to have it transmitted to a third party. If you request the direct transfer to another controller, this will be done only where technically feasible.

4.5 Information about, rectification and erasure of data

Within the scope of the applicable legal provisions, you have the right at any time to obtain information free of charge about your stored personal data, its origin and recipients and the purpose of the data processing. You may also have the right to rectification or erasure of this data.

4.6 Right to restriction of processing

You have the right to request restriction of the processing of your personal data. This applies in particular if you contest the accuracy of your data, if the processing is unlawful, if we no longer need the data but you require it for the establishment, exercise or defence of legal claims, or if you have objected pursuant to Art. 21(1) GDPR.

If the processing of your personal data has been restricted, such data may, apart from being stored, be processed only with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

4.7 SSL and/or TLS encryption

For security reasons and to protect the transmission of confidential content, this website uses SSL and/or TLS encryption. You can recognise an encrypted connection by the browser address changing from “http://” to “https://” and by the lock symbol in your browser bar.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

5. What If the GDPR Is Abolished Tomorrow or Other Changes Take Place?

This Privacy Policy is current as of April 2026.

It may become necessary to amend this Privacy Policy as a result of the further development of our website or due to changes in legal, regulatory or technical requirements.

The version available on our website at the time of your visit shall apply.