Version: February 2026
- Controller and Contact Details
The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR) is:
cie. toula limnaios GmbH
Eberswalder Str. 10
10437 Berlin
Germany
Telephone: +49 (0)30 440 44 731
Email: info@toula.de
Commercial Register: HRB 216537
Managing Directors: Toula Limnaios and Ralf R. Ollertz
If you have questions regarding data protection or the processing of your personal data, you may contact us at datenschutz@toula.de.
Our appointed Data Protection Officer is:
Paul Tinsley - General Information
We process personal data only insofar as this is necessary to provide our website, our ticket shop, our cultural programmes and related services, and to fulfil our legal and contractual obligations.
Personal data means any information relating to an identified or identifiable natural person.
The scope of this policy covers visitors to our website toula.de, users of our ticket webshop, newsletter subscribers, customers purchasing merchandise such as books, posters or tote bags, and individuals who contact us by email or via contact forms.
We process personal data in accordance with the GDPR and applicable German data protection law. - Categories of Personal Data
Depending on the context of your interaction with us, we may process the following categories of personal data:
– Name and surname
– Email address
– Postal address
– Telephone number
– Account login details
– Order history and transaction data
– Payment information processed via external payment providers
– IP address
– Browser type, operating system and language
– Usage data such as pages accessed, time spent on pages and interaction logs
– Approximate location derived from IP address
We do not collect more data than is necessary for the respective purpose. - Purposes and Legal Bases of Processing
We process personal data for clearly defined purposes and on specific legal grounds.
When you purchase tickets or merchandise via our webshop, we process your data for the performance of a contract pursuant to Article 6(1)(b) GDPR. This includes order processing, payment handling, invoicing, delivery of digital or physical products and management of customer accounts.
When you contact us by email or via a contact form, we process your data to respond to your enquiry. The legal basis is Article 6(1)(b) GDPR where the enquiry relates to a contract or pre-contractual measure, or Article 6(1)(f) GDPR where we have a legitimate interest in handling general enquiries efficiently and securely.
If you subscribe to our newsletter, we process your email address on the basis of your consent pursuant to Article 6(1)(a) GDPR. We use a double opt-in procedure. You may withdraw your consent at any time by using the unsubscribe link included in each newsletter.
Our newsletter is sent using Brevo GmbH, a German-based service provider. Brevo acts as a processor under a data processing agreement and may process your data only in accordance with our instructions.
We process technical data such as IP addresses and browser information to ensure the secure and stable operation of our website. The legal basis for this is Article 6(1)(f) GDPR. Our legitimate interest lies in maintaining the security, integrity and functionality of our systems. - Analytics and Security Services
We use Matomo, a web analytics tool. Where possible, IP addresses are anonymised before analysis. The purpose of this processing is to understand how our website is used and to improve content and usability. The legal basis is Article 6(1)(f) GDPR. Our legitimate interest lies in the optimisation and effective presentation of our online presence.
To protect our website against automated abuse and malicious activity, we use Google reCAPTCHA. This service is provided by Google Ireland Limited. In this context, technical data such as IP address, browser information and device characteristics may be transmitted to Google. The legal basis is Article 6(1)(f) GDPR. Our legitimate interest lies in protecting our website from misuse.
If Google Maps is embedded on our website, personal data such as IP address may be transmitted to Google when the map is loaded. This processing is based on Article 6(1)(f) GDPR, our legitimate interest being the user-friendly presentation of location information. - Payment Providers
Payments in our webshop are processed via external payment providers such as Stripe and PayPal. When selecting one of these payment methods, the data required for payment processing is transmitted directly to the respective provider. We do not store full payment card details. The legal basis for this processing is Article 6(1)(b) GDPR. - Cookies and Consent
Our website uses cookies and similar technologies. Some cookies are technically necessary to operate the website. Others serve analytical or functional purposes.
When you first visit our website, you are presented with a consent banner allowing you to accept or reject non-essential cookies. You may adjust your preferences at any time.
The legal basis for processing data via non-essential cookies is your consent under Article 6(1)(a) GDPR. Essential cookies are processed on the basis of Article 6(1)(f) GDPR. - Recipients of Data
Within our organisation, access to personal data is limited to persons who require it to fulfil their professional duties.
We use external service providers for hosting, newsletter distribution, IT support and payment processing. These service providers act as processors under Article 28 GDPR and are contractually bound to confidentiality and data protection obligations.
We may also disclose personal data to public authorities where required by law. - International Data Transfers
Where personal data is transferred to countries outside the European Union or the European Economic Area, this is done only if appropriate safeguards are in place. These safeguards may include adequacy decisions by the European Commission or the use of Standard Contractual Clauses pursuant to Article 46 GDPR. - Storage Duration
We store personal data only for as long as necessary to fulfil the purpose for which it was collected or to comply with statutory retention obligations. Commercial and tax law may require us to retain certain data for several years. After expiry of retention periods, the data is deleted or anonymised. - Data Security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include encryption where appropriate, access restrictions, regular system updates and internal security procedures. - Data Subject Rights
You have the following rights under the GDPR:
– The right to obtain information about the personal data we process about you (Article 15 GDPR)
– The right to rectification of inaccurate or incomplete data (Article 16 GDPR)
– The right to erasure under certain conditions (Article 17 GDPR)
– The right to restriction of processing (Article 18 GDPR)
– The right to data portability (Article 20 GDPR)
– The right to object to processing based on legitimate interests (Article 21 GDPR)
– The right to withdraw consent at any time with effect for the future (Article 7(3) GDPR)
You also have the right to lodge a complaint with a supervisory authority, in particular the competent data protection authority in Berlin.
To exercise your rights, please contact us at datenschutz@toula.de. We may request proof of identity to ensure that personal data is not disclosed to unauthorised persons. - Data Breach Procedures
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where required, inform affected individuals in accordance with Article 33 and 34 GDPR. - Amendments
We reserve the right to amend this privacy policy where necessary to reflect changes in legal requirements or in our processing activities. The current version is always available on our website.