Privacy Policy
Version: May 2026 cie. toula limnaios GmbH · datenschutz@toula.de
1. Controller and Contact Details
The controller responsible for data processing within the meaning of the General Data Protection Regulation (GDPR) is:
cie. toula limnaios GmbH Eberswalder Str. 10 10437 Berlin, Germany Telephone: +49 (0)30 440 44 731 Email: info@toula.de Commercial Register: HRB 216537 Managing Directors: Toula Limnaios and Ralf R. Ollertz
If you have questions regarding data protection or the processing of your personal data, you may contact us at datenschutz@toula.de.
Our appointed Data Protection Officer is: Paul Tinsley
2. General Information
We process personal data only insofar as this is necessary to provide our website, our ticket shop, our cultural programmes and related services, and to fulfil our legal and contractual obligations. Personal data means any information relating to an identified or identifiable natural person.
The scope of this policy covers visitors to our website toula.de, users of our ticket webshop, newsletter subscribers, customers purchasing merchandise such as books, posters or tote bags, and individuals who contact us by email or via contact forms.
We process personal data in accordance with the GDPR and applicable German data protection law.
3. Categories of Personal Data
Depending on the context of your interaction with us, we may process the following categories of personal data:
- Name and surname
- Email address
- Postal address
- Telephone number
- Account login details
- Order history and transaction data
- Payment information processed via external payment providers
- IP address
- Browser type, operating system and language
- Usage data such as pages accessed, time spent on pages and interaction logs
- Approximate location derived from IP address
We do not collect more data than is necessary for the respective purpose.
4. Purposes and Legal Bases of Processing
We process personal data for clearly defined purposes and on specific legal grounds.
When you purchase tickets or merchandise via our webshop, we process your data for the performance of a contract pursuant to Article 6(1)(b) GDPR. This includes order processing, payment handling, invoicing, delivery of digital or physical products and management of customer accounts.
When you contact us by email or via a contact form, we process your data to respond to your enquiry. The legal basis is Article 6(1)(b) GDPR where the enquiry relates to a contract or pre-contractual measure, or Article 6(1)(f) GDPR where we have a legitimate interest in handling general enquiries efficiently and securely.
If you subscribe to our newsletter, we process your email address on the basis of your consent pursuant to Article 6(1)(a) GDPR. We use a double opt-in procedure. You may withdraw your consent at any time by using the unsubscribe link included in each newsletter.
Our newsletter is sent using Brevo GmbH, a German-based service provider. Brevo acts as a processor under a data processing agreement and may process your data only in accordance with our instructions.
We process technical data such as IP addresses and browser information to ensure the secure and stable operation of our website. The legal basis for this is Article 6(1)(f) GDPR.
5. Hosting
Our website is hosted on a self-managed server located on our own premises in Berlin. Network connectivity is provided by Deutsche Telekom AG (Telekom Business).
Server location: Berlin, Germany Server IP: 91.24.102.158
As part of hosting operations, technical access data (e.g. IP addresses, timestamps, pages accessed) may be stored in server log files for the purpose of ensuring security and the stable operation of the website. The legal basis is Article 6(1)(f) GDPR.
6. Analytics and Security Services
We use Matomo, a web analytics tool. Where possible, IP addresses are anonymised before analysis. The legal basis is Article 6(1)(f) GDPR.
To protect our website against automated abuse and malicious activity, we use Google reCAPTCHA (Google Ireland Limited). Technical data such as IP address and browser information may be transmitted to Google. The legal basis is Article 6(1)(f) GDPR.
If Google Maps is embedded on our website, personal data such as IP address may be transmitted to Google when the map is loaded. Legal basis: Article 6(1)(f) GDPR.
7. Payment Providers
Payments in our webshop are processed via external payment providers such as Stripe and PayPal. Data required for payment processing is transmitted directly to the respective provider. We do not store full payment card details. Legal basis: Article 6(1)(b) GDPR.
8. Cookies and Consent
Our websites use cookies and similar technologies. Technically necessary cookies are required for the operation of the website, including basic functions such as shopping cart and login. Other cookies are only set with your consent pursuant to Article 6(1)(a) GDPR. You may adjust your preferences at any time.
Cookies on ticket.toula.de: Our ticket shop sets only a technically necessary session cookie (SSESS…). This cookie is used by our Drupal content management system to manage your session during your visit (e.g. shopping cart, login state) and is deleted at the end of your session or when you close your browser. Because only technically necessary cookies are used on ticket.toula.de, consent is not required (§ 25(2) no. 2 TDDDG). Legal basis: Article 6(1)(f) GDPR.
9. Recipients of Data
Within our organisation, access to personal data is limited to persons who require it to fulfil their professional duties.
We use external service providers for hosting, newsletter distribution, IT support and payment processing. These service providers act as processors under Article 28 GDPR and are contractually bound to confidentiality and data protection obligations.
We may also disclose personal data to public authorities where required by law.
10. International Data Transfers
Where personal data is transferred to countries outside the EU or EEA, this is done only if appropriate safeguards are in place, such as adequacy decisions by the European Commission or Standard Contractual Clauses pursuant to Article 46 GDPR.
11. Storage Duration
We store personal data only for as long as necessary to fulfil the purpose for which it was collected or to comply with statutory retention obligations. Commercial and tax law may require us to retain certain data for several years. After expiry of retention periods, the data is deleted or anonymised.
12. Data Security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include encryption where appropriate, access restrictions, regular system updates and internal security procedures.
13. Data Subject Rights
You have the following rights under the GDPR:
- The right to obtain information about the personal data we process about you (Article 15 GDPR)
- The right to rectification of inaccurate or incomplete data (Article 16 GDPR)
- The right to erasure under certain conditions (Article 17 GDPR)
- The right to restriction of processing (Article 18 GDPR)
- The right to data portability (Article 20 GDPR)
- The right to object to processing based on legitimate interests (Article 21 GDPR)
- The right to withdraw consent at any time with effect for the future (Article 7(3) GDPR)
You also have the right to lodge a complaint with a supervisory authority, in particular the competent data protection authority in Berlin.
To exercise your rights, please contact us at datenschutz@toula.de. We may request proof of identity to ensure that personal data is not disclosed to unauthorised persons.
14. Data Breach Procedures
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where required, inform affected individuals in accordance with Article 33 and 34 GDPR.
15. Amendments
We reserve the right to amend this privacy policy where necessary to reflect changes in legal requirements or in our processing activities. The current version is always available on our website.