Last updated: April 2026

This Privacy Policy explains how Zulumaps (“Zulumaps”, “we”, “us”, “our”) collects, uses, and protects personal data when you visit zulumaps.com (the “Site”) or place an order with us. We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications Digital Services Data Protection Act (TTDSG / TDDDG).

1. Data Controller

The controller responsible for personal data processing under Art. 4(7) GDPR is:

Marco Enzmann, Englschalkinger Str 10, Munich, Germany

Email: privacy@zulumaps.com Website: https://zulumaps.com

We have not appointed a Data Protection Officer because we are not legally required to do so under Art. 37 GDPR and § 38 BDSG.

2. Overview of What We Collect and Why

We only process personal data that is necessary to operate the Site, fulfill your orders, communicate with you, and comply with our legal obligations. The sections below explain each processing activity in detail, including the legal basis under Art. 6 GDPR and the retention period.

We do not require account registration. All purchases are made via guest checkout.

3. Visiting the Site (Server Log Files)

When you visit zulumaps.com, our hosting infrastructure automatically processes technical data sent by your browser, including:

• IP address (anonymized where feasible)
• Date and time of the request
• Browser type and version
• Operating system
• Referrer URL
• Pages accessed

 

Purpose: to enable the technical delivery of the Site, to ensure stability and security, and to detect and prevent misuse. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a secure and functional website). Retention: server logs are deleted or anonymized after a maximum of 30 days, unless retention is required to investigate a specific security incident.

The Site runs on the WooCommerce platform. Hosting is provided by ALL-INKL.COM — Neue Medien Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany, with whom we have entered a data processing agreement under Art. 28 GDPR. ALL-INKL.COM operates its servers in Germany. More information: https://all-inkl.com/datenschutzinformationen/.

4. Placing an Order

To process your order, we collect:

• First and last name
• Email address
• Shipping address
• Billing address and payment data (handled directly by our payment providers — see Section 8)
• The customization details for your map print (location, design choices, custom text, etc.)

 

Purpose: to perform the purchase contract — process payment, produce your personalized print, ship it to you, and provide post-purchase support. Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Storage of invoice and tax-relevant data is additionally based on Art. 6(1)(c) GDPR (legal obligation under § 147 AO and § 257 HGB). Retention:

 

• Order and invoice data is retained for 10 years after the end of the calendar year of the transaction, as required by German tax and commercial law.
• Customization content (map data, custom text) is stored for the same period as part of the order record so that we can identify and resolve disputes, returns, or reprints, and so we can demonstrate what was delivered.
• Shipping address details are shared with our fulfillment partner only as needed (see Section 7).

5. Communicating with Customer Support

If you contact us at support@zulumaps.com or privacy@zulumaps.com, we process the email address you write from, the contents of your message, and any details you choose to share.

Purpose: to respond to your inquiry and document the conversation. Legal basis: Art. 6(1)(b) GDPR where the inquiry relates to a contract or pre-contractual steps; otherwise Art. 6(1)(f) GDPR (legitimate interest in answering inquiries). Retention: correspondence is retained as long as needed to handle the matter, and afterward in line with statutory retention rules (typically up to 3 years for general inquiries, longer where tax-relevant).

6. Newsletter and Marketing Emails

We send marketing emails (product updates, offers, new designs) only to people who have actively subscribed, either via the dedicated newsletter form on the Site or via an opt-in checkbox during checkout.

We use the double opt-in procedure: after submitting the form, you receive a confirmation email and must click the link inside before you are added to our mailing list. Until you confirm, you receive no marketing messages. We log the timestamps of your subscription and confirmation as proof of consent.

Purpose: to send promotional content, news, and offers from Zulumaps. Legal basis: Art. 6(1)(a) GDPR (your consent), in conjunction with § 7(2) UWG. Retention: your email address and consent records are stored as long as you remain subscribed. After you unsubscribe, we retain proof of your prior consent and unsubscribe request for up to 3 years to defend against potential claims (Art. 6(1)(f) GDPR).

You can withdraw your consent at any time, with effect for the future, by clicking the unsubscribe link in any of our emails or by contacting privacy@zulumaps.com. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Abandoned Cart Reminders

If you enter your email address during checkout but do not complete the purchase, we may send you a reminder email (a so-called “abandoned cart” message) — but only if you have given separate, explicit consent for this when entering your details.

 

Legal basis: Art. 6(1)(a) GDPR (your consent). Retention: the underlying email address is deleted from the abandoned-cart system after a short period (no later than 30 days) if no purchase is made.

Email Service Provider — Brevo

We send marketing and transactional emails using Brevo (Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany; parent company Sendinblue SAS, France). Brevo processes your email address, name, click and open behavior, and the messages we send to you, on our behalf as a processor under Art. 28 GDPR. Brevo is based in the EU. More information: https://www.brevo.com/legal/privacypolicy/.

7. Order Fulfillment — Gelato

To produce and ship your personalized prints, we transmit the necessary data to our print-on-demand fulfillment partner:

 

Gelato ASA, Vippetangen Kai, 0150 Oslo, Norway.

 

The data transmitted includes your name, shipping address, the product specification, and the customization content (map data, custom text). Gelato then forwards production to one of its local printing partners closest to your shipping address. Gelato acts as our processor under Art. 28 GDPR.

 

Legal basis: Art. 6(1)(b) GDPR (performance of the contract). Retention: Gelato retains data only as long as necessary to produce and dispatch the order, plus any periods required by their own legal obligations. Cross-border transfers: Gelato may use sub-processors outside the EU/EEA. Where this occurs, transfers are protected by appropriate safeguards under Art. 46 GDPR (typically Standard Contractual Clauses). More information: https://www.gelato.com/legal/privacy-policy.

8. Product Configurators — Third-Party Services

To create your personalized prints, the Site provides interactive configurators (Map Editor, Star Map Editor, and Music Map Editor). These configurators rely on the third-party services listed below. They are strictly necessary for the configurators to function and process technical data (in particular your IP address) on the basis of Art. 6(1)(b) GDPR (performance of the contract / pre-contractual steps) and, where indicated, Art. 6(1)(f) GDPR (legitimate interest in providing a functioning product configurator).

Map Tiles — Protomaps

The visual map data (streets, buildings, parks, water) is provided by Protomaps. To shield your IP address from the upstream provider, our server acts as a proxy: your browser requests tiles from zulumaps.com, and our server forwards the request to Protomaps. As a result, Protomaps does not directly receive your IP address — only ours. The map data is published by Protomaps under an open license and is based on data from the OpenStreetMap project (https://www.openstreetmap.org/copyright). More information about Protomaps: https://protomaps.com/privacy.

Location Search — Photon (Komoot)

When you type into the location search field of the Map Editor or the Star Map Editor, your search query is sent directly to the Photon geocoding service operated by Komoot GmbH, Karl-Liebknecht-Str. 1, 10178 Berlin, Germany. Photon receives your search input and your IP address in order to return matching place suggestions. Legal basis: Art. 6(1)(b) GDPR (pre-contractual steps — selecting the location for your print). More information: https://www.komoot.com/privacy.

Song Search and Audio Previews — Apple iTunes Search API

The Music Map Editor allows you to search for songs and generates a visual based on a short audio preview of the selected track. To do this, your search query and your IP address are sent to the iTunes Search API operated by Apple Distribution International Limited, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland (parent: Apple Inc., Cupertino, USA). When you select a song, your browser additionally downloads a 30-second audio preview file from Apple’s servers and analyzes it locally in your browser to generate the visual artwork. We do not receive or store the audio file ourselves. Legal basis: Art. 6(1)(b) GDPR (pre-contractual steps — selecting the song for your print). Cross-border transfers: data may be transferred to the United States. Safeguards include the EU-US Data Privacy Framework (Apple is certified) and Standard Contractual Clauses. More information: https://www.apple.com/legal/privacy/.

JavaScript Library Delivery — Cloudflare CDN (unpkg / cdnjs)

To deliver the JavaScript libraries used by the configurators (in particular MapLibre GL JS for the Map Editor and html2canvas for the Music Map Editor), our pages reference the unpkg and cdnjs content delivery networks, both operated by Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. When a configurator loads, your browser requests these script files from Cloudflare, which receives your IP address. Cross-border transfers: transfers to the USA are protected by Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. More information: https://www.cloudflare.com/privacypolicy/.

Star Map Data

The Star Map Editor uses public-domain astronomical catalog data (star positions and constellation lines) which is hosted directly on our own servers. No third-party request is made for the astronomy data itself. Calculations of how the night sky appeared at the date, time, and location you choose are performed entirely in your browser; this data is not sent to any external service.

9. Open Source Credits

We gratefully acknowledge the following open-source projects, datasets, and free services that make our product configurators possible. None of these projects endorses Zulumaps; we mention them here in the spirit of attribution and transparency:

 

• MapLibre GL JS — open-source map rendering engine (BSD 3-Clause License). https://maplibre.org

 

• Protomaps — open-source map tiles and basemap (Apache 2.0 License). https://protomaps.com

 

• OpenStreetMap — collaborative map data, used as the source for our maps (© OpenStreetMap contributors, Open Database License). https://www.openstreetmap.org/copyright

 

• Photon by Komoot — open-source geocoder providing free location search. https://photon.komoot.io

 

• html2canvas — open-source screenshot library (MIT License). https://html2canvas.hertzen.com

 

• Apple iTunes Search API — used for free song metadata and audio previews. https://developer.apple.com

 

• Stellarium / IAU star and constellation data — public-domain astronomical reference data used in the Star Map Editor.

 

Brand names, trademarks, and song or album titles displayed in the configurators are the property of their respective owners and are used for descriptive identification only.

10. Payment Processing

When you pay for your order, payment data is processed directly by the payment provider you select. We do not see or store your full card or PayPal credentials; we receive only the confirmation of payment along with the data needed to link the payment to your order.

Stripe

Card payments are processed by Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (parent: Stripe, Inc., USA). Stripe processes the card data, billing address, transaction amount, IP address, and fraud-detection signals as an independent controller for fraud prevention and as our processor for the payment transaction itself.

 

Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in fraud prevention). Cross-border transfers: Stripe may transfer data to the United States. Safeguards include the EU-US Data Privacy Framework (Stripe is certified) and Standard Contractual Clauses. More information: https://stripe.com/privacy.

PayPal

If you choose PayPal, payment is processed by PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. We transmit your name, address, email, order details, and amount to PayPal. PayPal acts as an independent controller for the payment transaction.

 

Legal basis: Art. 6(1)(b) GDPR. More information: https://www.paypal.com/de/legalhub/privacy-full.

11. Cookies and Consent Management

The Site uses cookies and similar technologies. A cookie is a small text file stored on your device when you visit a website.

 

We distinguish between:

 

• Strictly necessary cookies — required for the Site to function (e.g., shopping cart, session management, security, cookie-consent state). These are set on the basis of § 25(2) TTDSG and Art. 6(1)(f) GDPR. No consent is required.

 

• Functional, statistical, and marketing cookies — set only after you have given active consent through our cookie banner. The legal basis is § 25(1) TTDSG and Art. 6(1)(a) GDPR.

 

We use the Complianz consent management plugin to record, manage, and document your consent choices. Non-essential cookies and tracking scripts are blocked by default and only loaded after you opt in. You can withdraw or change your consent at any time by clicking the cookie settings link in the footer of the Site.

 

A full, up-to-date list of cookies, their purposes, providers, and storage durations is available in our cookie banner / cookie statement.

12. Web Analytics and Advertising

Subject to your consent via our cookie banner (Art. 6(1)(a) GDPR / § 25(1) TTDSG), we use the following third-party services. If you do not consent, these services are not loaded.

Google Analytics

We use Google Analytics 4, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent: Google LLC, USA). Google Analytics uses cookies and similar identifiers to analyze how visitors use the Site (pages visited, session duration, traffic source, approximate geographic location based on IP address). IP addresses are truncated within the EU before further processing.

 

Purpose: to understand and improve how visitors use the Site. Cross-border transfers: data may be transferred to the United States, protected by the EU-US Data Privacy Framework (Google is certified) and Standard Contractual Clauses. Retention: as configured in our Google Analytics property (default: 14 months). More information: https://policies.google.com/privacy. Opt-out browser add-on: https://tools.google.com/dlpage/gaoptout.

Google Ads (with Conversion Tracking and Remarketing)

We use Google Ads (Google Ireland Limited) to display advertising and to measure the effectiveness of our campaigns. When you reach the Site through a Google Ads click, a conversion-tracking cookie is set; this allows Google to report whether the click led to a purchase. We may also use remarketing to show ads to previous visitors on Google’s network.

 

Purpose: to measure ad performance and to address relevant audiences. Cross-border transfers: see Google Analytics above. More information: https://policies.google.com/technologies/ads.

Meta Pixel and Meta Ads

We use the Meta Pixel provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (parent: Meta Platforms, Inc., USA). The Pixel allows us to measure the effectiveness of our Facebook and Instagram advertising, to build custom audiences, and to address visitors with retargeting ads. The Pixel processes information about your visit, including pages viewed, actions taken (e.g., add-to-cart, purchase), device information, and IP address.

 

Where the Pixel processes personal data, Meta and Zulumaps act as joint controllers for the collection and transmission stage under Art. 26 GDPR. We have entered the joint-controller arrangement provided by Meta. Beyond that stage, Meta processes the data as an independent controller.

 

Cross-border transfers: Meta may transfer data to the United States, protected by the EU-US Data Privacy Framework (Meta is certified) and Standard Contractual Clauses. More information: https://www.facebook.com/privacy/policy/ and https://www.facebook.com/legal/controller_addendum.

TikTok Pixel and TikTok Ads

We use the TikTok Pixel provided by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (with affiliates including TikTok Information Technologies UK Limited and ByteDance Ltd.). The Pixel measures the effectiveness of TikTok advertising and supports retargeting. It processes IP address, device data, browser data, and event data (e.g., page views, purchases).

 

Cross-border transfers: TikTok may transfer data outside the EU/EEA, including to countries that do not offer an adequacy decision. Safeguards include Standard Contractual Clauses. We note that supervisory authorities continue to review TikTok’s transfer practices, and you should consider this when choosing whether to consent. More information: https://www.tiktok.com/legal/page/eea/privacy-policy/en.

13. Data Sharing — Summary

We share personal data only with the categories of recipients listed below, and only to the extent necessary:

 

• Our fulfillment partner Gelato (and its sub-processors) to produce and ship orders.

 

• Payment providers (Stripe, PayPal) to process payments.

 

• Our email service provider Brevo to send transactional and marketing emails.

 

• Configurator providers (Protomaps, Komoot/Photon, Apple iTunes Search API, Cloudflare CDN) to render the interactive editors and provide location and song search — strictly for technical operation of the configurators.

 

• Analytics and advertising providers (Google, Meta, TikTok), only with your consent.

 

• Our hosting and IT service providers (e.g., the WordPress/WooCommerce hosting infrastructure and Complianz), under Art. 28 GDPR processor agreements.

 

• Tax advisors, accountants, and auditors under their own legal duties of confidentiality.

 

• Public authorities and courts where we are legally required to disclose data.

 

We do not sell personal data.

14. Transfers Outside the EU/EEA

Some of the providers listed above are based outside the EU/EEA, in particular in the United States. Where personal data is transferred to such “third countries,” we ensure an adequate level of protection via:

 

• the EU-US Data Privacy Framework (for certified U.S. recipients such as Google, Meta, and Stripe), recognized as adequate by the European Commission under Art. 45 GDPR; and/or

 

• Standard Contractual Clauses approved by the European Commission under Art. 46(2) GDPR, supplemented by additional technical and organizational measures where appropriate.

 

You can request a copy of the safeguards in place by contacting privacy@zulumaps.com.

15. Your Rights as a Data Subject

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR) — to confirm what data we hold about you and obtain a copy.
• Right to rectification (Art. 16 GDPR) — to have inaccurate or incomplete data corrected.
• Right to erasure (Art. 17 GDPR) — to have your data deleted, subject to legal retention obligations.
• Right to restriction of processing (Art. 18 GDPR).
• Right to data portability (Art. 20 GDPR) — to receive certain data in a structured, machine-readable format.
• Right to object (Art. 21 GDPR) — in particular against processing based on legitimate interests, including direct marketing.
• Right to withdraw consent (Art. 7(3) GDPR) — at any time, with effect for the future.

 

To exercise any of these rights, contact us at privacy@zulumaps.com. We will respond within the deadlines set by Art. 12 GDPR (generally one month).

 

You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority for Zulumaps is:

 

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) Promenade 18, 91522 Ansbach, Germany https://www.lda.bayern.de

16. Data Security

We use appropriate technical and organizational measures to protect your data against accidental or unlawful loss, alteration, disclosure, or access. These include encrypted (TLS/SSL) connections to the Site, access controls, and processor agreements with all our service providers under Art. 28 GDPR.

No transmission over the internet can be guaranteed to be 100% secure, but we work continuously to keep our protection measures up to date.

17. Children

The Site is directed at adults. We do not knowingly process personal data of children under 16. If you believe a child has submitted data to us, please contact privacy@zulumaps.com so we can delete it.

18. Automated Decision-Making

We do not use automated decision-making within the meaning of Art. 22 GDPR (i.e., decisions producing legal effects on you taken solely by automated means).

19. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, providers, or applicable law. The current version is always available on the Site. Where changes are material, we will inform you by appropriate means (e.g., notice on the Site or, where relevant, by email).

 

Contact

Zulumaps, Marco Enzmann, Englschalkinger Str. 10, Munich, Germany Email: privacy@zulumaps.com Website: https://zulumaps.com