Privacy Policy
Last updated: March 14, 2026
1. Controller
The controller responsible for data processing on this website and through the Stickerdrop WhatsApp service is:
oneninetynine labs
Robin Weissgerber
Hanna-Kirchner-Strasse 24
64823 Gross-Umstadt, Germany
Email: legal@199labs.tech
2. Data we collect
2.1 WhatsApp service
When you interact with Stickerdrop via WhatsApp, we collect:
- Phone number — your WhatsApp phone number in E.164 format, used as your identity
- Display name — your WhatsApp profile name (if available)
- Sticker images — images you send for printing
- Message content — text messages exchanged during the ordering conversation
- Shipping address — name, street, city, postal code, and country you provide for delivery
- Timestamps — when messages are sent and received
2.2 Payment data
Payment is processed by Stripe. We do not store your credit card details. We receive from Stripe: payment status, transaction ID, and the amount paid.
2.3 Website
This website does not use cookies by default. If analytics services (Google Analytics or Plausible) are enabled, they may collect anonymized usage data such as page views, referral source, and device type. No personal data is collected through the website unless you voluntarily submit your email address via the newsletter form.
3. Purpose and legal basis
| Purpose | Legal basis |
|---|---|
| Processing your sticker order | Art. 6(1)(b) GDPR — contract fulfillment |
| Sending order status notifications | Art. 6(1)(b) GDPR — contract fulfillment |
| Payment processing | Art. 6(1)(b) GDPR — contract fulfillment |
| Retaining order records for tax purposes | Art. 6(1)(c) GDPR — legal obligation (AO §147) |
| Newsletter subscription | Art. 6(1)(a) GDPR — your consent |
4. Third-party processors
We share your data with the following service providers, solely for the purposes described:
| Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Meta (WhatsApp Cloud API) | Message delivery | EU/US | EU-US Data Privacy Framework |
| Stripe | Payment processing | EU/US | EU-US Data Privacy Framework |
| Prodigi | Sticker printing & shipping | UK | UK GDPR adequacy decision |
| Cloudflare (R2) | Image storage | EU/US | EU-US Data Privacy Framework |
| Railway | Application hosting | US | EU-US Data Privacy Framework |
5. Data retention
- Order data (order details, invoices, shipping address) — 10 years, as required by German tax law (AO §147)
- Conversation data (message logs) — deleted after 90 days
- Sticker images — deleted 30 days after order completion
- Newsletter email — until you unsubscribe
6. Your rights
Under the GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your data (subject to legal retention requirements)
- Restriction — limit how we process your data
- Data portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, contact us at legal@199labs.tech.
7. Supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for us is:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)
Postfach 3163
65021 Wiesbaden, Germany
https://datenschutz.hessen.de
8. Automated decision-making
We do not use automated decision-making or profiling as defined by Art. 22 GDPR.
9. Changes to this policy
We may update this privacy policy from time to time. The latest version will always be available on this page with the “Last updated” date above.