Privacy Policy

1. Introduction

1.1 This Privacy Policy explains how LeBRA ApS ("LeBRA", "we", "us" or "our") collects and processes personal data when you use our website at lebra.eu (the "Home Page"), subscribe to our newsletter, place an order, or otherwise interact with us.

1.2 LeBRA ApS is the data controller responsible for the personal data processed as described in this policy. This policy informs you how your personal data is processed and on what legal bases; it does not seek your consent by your use of the website. Where we rely on consent, it is requested separately and may be withdrawn at any time.

1.3 This policy should be read together with our Cookies Policy, which explains how we use cookies and similar technologies.

2. Data Controller

2.1 The data controller for your personal data is:

  • LeBRA ApS
  • Hovedporten 3E, ST., 2650 Hvidovre, Denmark
  • CVR (company registration) no.: 46231023
  • Email: contact@lebra.eu

2.2 For questions about privacy and the processing of your personal data, please contact us at contact@lebra.eu, or via the contact details above.

2.3 We have not appointed a Data Protection Officer, as we are not legally required to do so. For data-protection matters, you can reach us at contact@lebra.eu.

3. Processing of Personal Data

3.1 Using the website without signing up

3.1.1 You can browse the Home Page without providing personal data. We use cookies and similar technologies; disabling non-essential cookies may reduce some functionality of the website.

3.1.2 Subject to your cookie choices, we may process technical information such as your IP address, browser and device information, the pages you visit and the time spent on them. For full details, see our Cookies Policy.

3.1.3 The placement and reading of cookies is governed by the ePrivacy rules as implemented by the Danish cookie order; consent for non-essential cookies is obtained through our cookie-consent tool (Consentmo). GDPR Article 6 then governs any further processing of the data read. On this basis:

  • Strictly necessary cookies, and operating and securing the website, rely on our legitimate interest / necessity (GDPR Article 6(1)(f)) and require no consent;
  • All non-essential cookies (including analytics and marketing/pixels) rely on your consent (GDPR Article 6(1)(a)).

3.2 Placing an order

3.2.1 When you place an order, we process the data necessary to fulfil it, including your name, billing and delivery address, email address, phone number, country, order details and payment-related information.

3.2.2 We process this data to: (a) administer our relationship with you and manage your order; (b) deliver your order; (c) handle payments, returns, exchanges and refunds; (d) provide customer service; (e) improve our products and services; and (f) where you have agreed, tailor our communications and marketing.

3.2.3 Each purpose is matched to a legal basis as follows:

  • (a)–(d) administering our relationship with you, delivering your order, handling payments/returns/exchanges/refunds, and providing customer service: performance of a contract with you (GDPR Article 6(1)(b));
  • retaining order, invoicing and transaction records for bookkeeping and tax purposes: compliance with our legal obligations (GDPR Article 6(1)(c));
  • (e) improving our products and services: our legitimate interest in developing and improving our offering and business (GDPR Article 6(1)(f));
  • (f) tailoring our communications and marketing: your consent (GDPR Article 6(1)(a)).

3.2.4 To fulfil your order, we share relevant data with third parties acting on our behalf, including our e-commerce platform (Shopify), our payment processor Shopify Payments, our shipping and fulfilment platform (Shipmondo), and our carriers (DHL, UPS, GLS and DAO, where available). Card and payment details are collected and processed directly by Shopify Payments under the PCI-DSS standard with 3D Secure; LeBRA does not store full card numbers.

3.2.5 After your purchase, we may share your name, email address and order information with our reviews provider, Loox, so that it can invite you to review your purchase and so that we can display product reviews (including photo reviews) on the Home Page. This is based on our legitimate interest in collecting and displaying genuine customer feedback (GDPR Article 6(1)(f)); you may object at any time, and any review-invitation email includes an opt-out.

3.3 Newsletter and contact

3.3.1 If you sign up for our newsletter or contact us, we process data such as your name, email address and, where relevant, your activity and engagement with our communications.

3.3.2 We process this data to send you newsletters and marketing you have asked to receive, to respond to your enquiries, and to tailor our marketing where you have agreed.

3.3.3 The legal bases are:

  • sending newsletters and marketing, and behavioural/marketing cookies: your consent (GDPR Article 6(1)(a)). You can withdraw your marketing consent at any time using the unsubscribe link in any marketing email or by contacting us;
  • responding to enquiries that relate to an order or to steps taken at your request before entering into a contract: performance of a contract or pre-contractual steps (GDPR Article 6(1)(b));
  • responding to general or other enquiries: our legitimate interest in handling and answering your enquiry (GDPR Article 6(1)(f)).

3.3.4 We use Klaviyo to manage and send our newsletters and marketing communications. Subject to your cookie consent, we also use website-analytics and advertising-measurement tools — Google Analytics 4 (GA4) and the Meta (Facebook) Pixel — across all markets to understand how the Home Page is used and to measure our marketing.

4. Data Processors and Transfers to Third Countries

4.1 We share personal data with carefully selected third parties who process data on our behalf ("data processors"). We have entered into data-processing agreements with these processors requiring them to process personal data only on our instructions and to keep it secure.

4.2 Our data processors include:

  • Shopify — e-commerce platform hosting the website and processing orders (including Shopify Markets for multi-currency);
  • Shopify Payments — payment processing;
  • Shipmondo — shipping, label generation and tracking;
  • DHL, UPS, GLS and DAO — delivery carriers (where available);
  • Klaviyo — email marketing and newsletters;
  • Google Analytics 4 (GA4) and the Meta (Facebook) Pixel — website analytics and advertising measurement;
  • Loox — product reviews (including photo reviews);
  • Consentmo — cookie-consent management.

4.2.1 We keep this list up to date as our service providers change.

4.3 Some of our processors may transfer personal data to countries outside the EU/EEA. Where this happens, we ensure an appropriate level of protection in accordance with the GDPR by relying on the European Commission's Standard Contractual Clauses and/or an applicable European Commission adequacy decision. A copy of the relevant safeguards is available on request via the privacy contact in section 2.

4.4 Our e-commerce platform, Shopify, may transfer personal data outside the EU/EEA, including to Canada and the United States. Where it does, the transfer is safeguarded by the European Commission's Standard Contractual Clauses and/or an applicable adequacy decision. Please refer to Shopify's Data Processing Addendum for the current transfer mechanisms.

5. Retention Periods

5.1 We retain personal data only for as long as it is necessary for the purposes for which it was collected, after which it is deleted or anonymised.

5.2 Information required for bookkeeping purposes, such as invoicing and transaction records, is retained for 5 years from the end of the relevant financial year, in accordance with the Danish Bookkeeping Act (Bogføringsloven).

5.3 Marketing-consent and newsletter data is retained until you withdraw your consent or unsubscribe, after which it is removed from our marketing lists.

5.4 Other personal data is deleted or anonymised when it is no longer necessary for the purposes described in this policy.

6. Your Rights

6.1 Under the GDPR, you have the following rights in relation to your personal data:

  • the right of access to your personal data;
  • the right to rectification of inaccurate or incomplete data;
  • the right to erasure ("the right to be forgotten");
  • the right to restriction of processing;
  • the right to object to processing, including the right to object at any time to processing of your personal data for direct-marketing purposes (including any related profiling);
  • the right to data portability;
  • the right to withdraw consent at any time, where processing is based on consent;
  • the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you (GDPR Article 22). We do not carry out solely-automated decision-making that produces legal or similarly significant effects on you;
  • the right to lodge a complaint with a supervisory authority (see section 6.3).

6.2 To exercise any of these rights, please contact us at contact@lebra.eu. We will respond within the time limits set out in the GDPR. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

6.3 If you are dissatisfied with how we process your personal data, you have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet):

7. Security

7.1 We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration or disclosure, and we require our processors to do the same, such as encrypted (HTTPS/TLS) connections, access controls, and the use of vetted processors who are contractually required to protect your data.

8. Children

8.1 Our website and services are not directed to children, and we do not knowingly collect personal data from children under the age of 13 (the age of digital consent in Denmark). If you believe a child has provided us with personal data, please contact us at contact@lebra.eu so we can delete it.

9. Changes to this Privacy Policy

9.1 We may update this Privacy Policy from time to time. The current version is always available on this page, and material changes will be communicated where appropriate.

9.2 This Privacy Policy was last updated on 16 June 2026.