PRIVACY POLICY

Last updated: 29 June 2026

1. Data Controller

This website is operated by a sole entrepreneur.

Data Controller:
[Business Name]
[Full Name]
[Address]
[Email]
[VAT / Registration Number]

For the purposes of the General Data Protection Regulation (GDPR), the data controller is responsible for the processing of personal data described in this Privacy Policy.

2. Scope of This Policy

This Privacy Policy applies to personal data collected when you:

  • visit or browse the website
  • place an order
  • communicate with customer support
  • subscribe to marketing communications
  • otherwise interact with our services

3. Categories of Personal Data

We may process the following categories of personal data:

3.1 Identity and contact data

  • Full name
  • Email address
  • Phone number (if provided)

3.2 Order and transaction data

  • Products purchased
  • Order history
  • Billing address
  • Shipping address
  • Payment status and transaction identifiers

3.3 Payment data

Payments are processed directly by Stripe. We do not store full card details. Stripe may process:

  • card tokenized identifiers
  • billing details
  • fraud prevention metadata

3.4 Delivery data

For fulfillment purposes, we process:

  • name
  • shipping address
  • contact details (where required by carrier)

3.5 Technical and usage data

When you access the website, we may process:

  • IP address
  • browser type and version
  • device information
  • operating system
  • pages visited
  • timestamps
  • referrer URL

We use cookieless analytics via PostHog, meaning no analytics cookies are stored on your device.

4. Purposes and Legal Bases

We process personal data under the following legal bases:

Purpose

Data

Legal basis

Order processing and fulfillment

Identity, contact, order, payment, delivery data

Performance of contract

Payment processing

Payment data

Performance of contract

Shipping and delivery

Contact and address data

Performance of contract

Customer support

Contact, order data

Legitimate interests / contract

Fraud prevention & security

Technical, transaction data

Legitimate interests

Tax and accounting compliance

Order and billing data

Legal obligation

Website analytics (cookieless)

Technical usage data

Legitimate interests

Marketing communications

Email address, purchase history

Legitimate interests (soft opt-in)

5. Marketing Communications (Soft Opt-In)

If you purchase from us, we may use your email address to send marketing communications about similar products or services.

This is based on our legitimate interest in promoting our products to existing customers, where permitted under applicable law (including the EU ePrivacy Directive as implemented nationally).

You may opt out of marketing at any time by:

  • clicking the unsubscribe link in any email
  • or contacting us directly

Opting out does not affect transactional emails related to your order.

6. Service Providers (Data Processors)

We use the following third-party service providers to operate our business. Each provider processes personal data only as necessary to provide their services.

6.1 Vercel Inc.

Purpose: Hosting, CDN, infrastructure delivery, security logs
Data processed: IP address, request metadata, technical logs
Role: Data processor
Location: United States (with EU data transfer safeguards)
Privacy policy: https://vercel.com/legal/privacy-policy

6.2 Stripe Payments Europe Ltd.

Purpose: Payment processing, fraud detection, transaction handling
Data processed: Name, billing details, payment metadata, transaction information
Role: Independent controller / processor depending on context
Location: EU / US
Privacy policy: https://stripe.com/privacy

6.3 Brevo SAS

Purpose: Transactional emails, optional marketing emails
Data processed: Name, email address, order information, email engagement data
Role: Data processor
Location: EU / France
Privacy policy: https://www.brevo.com/legal/privacypolicy/

6.4 GLS General Logistics Systems B.V.

Purpose: Delivery and logistics services
Data processed: Name, shipping address, contact details, shipment reference data
Role: Independent controller / processor depending on region
Location: EU
Privacy policy: https://gls-group.com/privacy-policy/

6.5 PostHog Inc.

Purpose: Website analytics (cookieless tracking)
Data processed: Pseudonymised usage events, device/browser metadata, page interactions
Role: Data processor
Location: EU/US (depending on configuration)
Privacy policy: https://posthog.com/privacy

7. International Data Transfers

Some service providers (including Stripe, Vercel, and PostHog) may process personal data outside the European Economic Area (EEA).

Where such transfers occur, we rely on appropriate safeguards such as:

  • European Commission Standard Contractual Clauses (SCCs), and/or
  • adequacy decisions where applicable

8. Data Retention

We retain personal data only as long as necessary:

  • Order and billing records: up to 8 years (tax/accounting obligations)
  • Customer support communications: up to 24 months after resolution
  • Marketing data: until you unsubscribe or object
  • Analytics data: according to PostHog retention settings
  • Technical logs: typically up to 12 months for security purposes

9. Data Subject Rights

Under GDPR, you have the right to:

  • access your personal data
  • request correction of inaccurate data
  • request deletion of your data (“right to be forgotten”)
  • restrict processing
  • object to processing (including marketing)
  • data portability
  • withdraw consent (where applicable)
  • lodge a complaint with a supervisory authority

To exercise your rights, contact: [Email Address]

10. Security Measures

We implement appropriate technical and organizational measures to protect personal data, including:

  • encrypted connections (HTTPS/TLS)
  • access control restrictions
  • limited data access on a need-to-know basis
  • secure third-party processors
  • monitoring and logging for security events

11. Cookies and Tracking

We do not use tracking cookies for analytics purposes.

We use PostHog in cookieless mode, which does not store analytics cookies on your device.

Essential technical cookies or similar technologies may be used strictly for:

  • session handling
  • checkout functionality
  • security purposes

12. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on users.

13. Children

Our services are not directed at children under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect data from children.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect legal, technical, or operational changes. The updated version will always be published on this page.

15. Contact

For any questions regarding this Privacy Policy or your personal data:

[Business Name]
[Full Name]
[Address]
[Email Address]