UNCUT
No cookies. No tracking. No hidden cameras.
We take data privacy seriously — and we mean it. Here you’ll find out what data we collect, why we do it, and most importantly: what we DON’T do.
ZERO TRACKING. ZERO COOKIES. ZERO BULLSHIT.
This website uses no analytics tools, no tracking pixels, no advertising cookies. We don’t even know if you’re reading this. And that’s a good thing.
CURLYHEAD Media GmbH
Doblhoffgasse 7, Top 6A
1010 Vienna, Austria
Managing Director: Bernhard Wolfgang See
Email: office@curlyheadmedia.com
Phone: +43 699 13133114
Company Register: FN 612823k
VAT ID: ATU80011602
Court: Commercial Court of Vienna
Plot twist: The controller is actually in control.
We use no cookies. None. Zero. Nada.
No Google Analytics. No Meta Pixel. No TikTok Pixel. No Hotjar. No Mouseflow. No nothing.
That’s why you don’t need to click away a cookie banner on our site. You’re welcome.
The best cookie banner is the one you don’t need.
This website is hosted by Vercel Inc. (San Francisco, USA). When you visit our site, technical data is automatically transmitted:
This data is processed by Vercel for the technical operation and security of the website. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in a secure web presence).
Vercel is certified under the EU-U.S. Data Privacy Framework. More info: vercel.com/legal/privacy-policy
Yes, server logs exist. But honestly, nobody reads them.
When you reach out via our contact form or email, we process:
Purpose: Processing your inquiry and communicating with you.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries).
Storage period: Until your inquiry is fully processed, then according to statutory retention periods (max. 7 years).
We read every message. Really. Even the ones with emojis.
When you order from our shop, we process:
Purpose: Contract fulfillment, delivery, invoicing, statutory retention obligations.
Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (legal obligation, e.g. tax law).
Storage period: Order data is retained for 7 years per Austrian tax law. Then deleted.
Our shop database is operated by Supabase Inc. (USA, eu-central-1 Region Frankfurt). Supabase is certified under the EU-U.S. Data Privacy Framework.
We treat your order data like our film negatives: safely stored.
For payment processing, we use Stripe Inc. (San Francisco, USA).
During checkout, your payment data (credit card number, expiry date, CVC) is transmitted directly to Stripe and processed there. We have no access to your full credit card details — we only see a confirmation of whether the payment was successful.
Stripe is PCI DSS Level 1 certified (highest security level for payment providers) and certified under the EU-U.S. Data Privacy Framework.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
More info: stripe.com/at/privacy
We can’t see your credit card details. Even if we wanted to.
When you write a product review, we process:
For verified purchases, we additionally link the review to your order to mark it as a “verified purchase.”
Purpose: Product reviews for other customers, quality assurance.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in authentic reviews).
Reviews are stored in our Supabase database. You can request deletion of your review at any time.
Stars speak louder than words. But we’ll take both.
When you use our inquiry form to rent equipment, we process:
Purpose: Processing your rental inquiry, creating quotes.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures).
Your equipment taste stays between us.
For sending transactional emails (order confirmations, review invitations), we use Resend Inc. (USA).
Resend processes your email address and email content solely for delivery purposes. There is no email marketing — we don’t send newsletters, no promo emails, no “hey, you left something in your cart” emails.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
More info: resend.com/legal/privacy-policy
We don’t spam. Not even a little.
On some pages, we embed videos:
youtube-nocookie.com). YouTube only sets cookies when you actually play the video.
?dnt=1). Vimeo respects this setting and won’t track you.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in presenting our work).
Note: When playing a video, a connection to YouTube/Vimeo servers is established. Your IP address may be transmitted.
No-cookie mode: Because films have enough drama already.
We use your browser’s localStorage for purely functional purposes:
curlyhead-cart): So your cart persists when you reload the page.
curlyhead-game): For our Easter egg game on the crew page.
This data is stored exclusively in your browser and is never transmitted to our servers. You can delete it anytime in your browser settings.
localStorage is technically not a cookie and therefore not subject to cookie regulations. We mention it anyway because transparency isn’t a bonus — it’s the default.
Your cart stays with you. Literally.
We use Google Fonts (Inter) — but self-hosted via Next.js. This means:
Our second font (Bebas Neue) is also locally embedded.
Google Fonts without Google. It’s possible.
You have the following rights at any time:
To exercise your rights, simply write to: office@curlyheadmedia.com
We’ll respond within 30 days. Promise.
Your data, your rules.
If you believe your data is being processed in violation of the GDPR, you have the right to lodge a complaint with a supervisory authority.
The supervisory authority responsible for us:
Österreichische Datenschutzbehörde (Austrian Data Protection Authority)
Barichgasse 40–42
1030 Vienna
www.dsb.gv.at
Email: dsb@dsb.gv.at
We hope it never comes to this. But good to know, right?
We reserve the right to update this privacy policy as needed — e.g. when our services or legal requirements change.
The current version is always available on this page.
Last updated: March 2026
Sequels are sometimes better than the original.
A privacy-friendly production by
CURLYHEAD Media GmbH
Doblhoffgasse 7/6A, 1010 Vienna
All information without guarantee. Subject to change.