PRIVACY POLICY
Last updated: 29 June 2026
1. Data Controller
This website is operated by a sole entrepreneur.
Data Controller:
[Business Name]
[Full Name]
[Address]
[Email]
[VAT / Registration Number]
For the purposes of the General Data Protection Regulation (GDPR), the data controller is responsible for the processing of personal data described in this Privacy Policy.
2. Scope of This Policy
This Privacy Policy applies to personal data collected when you:
- visit or browse the website
- place an order
- communicate with customer support
- subscribe to marketing communications
- otherwise interact with our services
3. Categories of Personal Data
We may process the following categories of personal data:
3.1 Identity and contact data
- Full name
- Email address
- Phone number (if provided)
3.2 Order and transaction data
- Products purchased
- Order history
- Billing address
- Shipping address
- Payment status and transaction identifiers
3.3 Payment data
Payments are processed directly by Stripe. We do not store full card details. Stripe may process:
- card tokenized identifiers
- billing details
- fraud prevention metadata
3.4 Delivery data
For fulfillment purposes, we process:
- name
- shipping address
- contact details (where required by carrier)
3.5 Technical and usage data
When you access the website, we may process:
- IP address
- browser type and version
- device information
- operating system
- pages visited
- timestamps
- referrer URL
We use cookieless analytics via PostHog, meaning no analytics cookies are stored on your device.
4. Purposes and Legal Bases
We process personal data under the following legal bases:
Purpose | Data | Legal basis |
|---|---|---|
Order processing and fulfillment | Identity, contact, order, payment, delivery data | Performance of contract |
Payment processing | Payment data | Performance of contract |
Shipping and delivery | Contact and address data | Performance of contract |
Customer support | Contact, order data | Legitimate interests / contract |
Fraud prevention & security | Technical, transaction data | Legitimate interests |
Tax and accounting compliance | Order and billing data | Legal obligation |
Website analytics (cookieless) | Technical usage data | Legitimate interests |
Marketing communications | Email address, purchase history | Legitimate interests (soft opt-in) |
5. Marketing Communications (Soft Opt-In)
If you purchase from us, we may use your email address to send marketing communications about similar products or services.
This is based on our legitimate interest in promoting our products to existing customers, where permitted under applicable law (including the EU ePrivacy Directive as implemented nationally).
You may opt out of marketing at any time by:
- clicking the unsubscribe link in any email
- or contacting us directly
Opting out does not affect transactional emails related to your order.
6. Service Providers (Data Processors)
We use the following third-party service providers to operate our business. Each provider processes personal data only as necessary to provide their services.
6.1 Vercel Inc.
Purpose: Hosting, CDN, infrastructure delivery, security logs
Data processed: IP address, request metadata, technical logs
Role: Data processor
Location: United States (with EU data transfer safeguards)
Privacy policy: https://vercel.com/legal/privacy-policy
6.2 Stripe Payments Europe Ltd.
Purpose: Payment processing, fraud detection, transaction handling
Data processed: Name, billing details, payment metadata, transaction information
Role: Independent controller / processor depending on context
Location: EU / US
Privacy policy: https://stripe.com/privacy
6.3 Brevo SAS
Purpose: Transactional emails, optional marketing emails
Data processed: Name, email address, order information, email engagement data
Role: Data processor
Location: EU / France
Privacy policy: https://www.brevo.com/legal/privacypolicy/
6.4 GLS General Logistics Systems B.V.
Purpose: Delivery and logistics services
Data processed: Name, shipping address, contact details, shipment reference data
Role: Independent controller / processor depending on region
Location: EU
Privacy policy: https://gls-group.com/privacy-policy/
6.5 PostHog Inc.
Purpose: Website analytics (cookieless tracking)
Data processed: Pseudonymised usage events, device/browser metadata, page interactions
Role: Data processor
Location: EU/US (depending on configuration)
Privacy policy: https://posthog.com/privacy
7. International Data Transfers
Some service providers (including Stripe, Vercel, and PostHog) may process personal data outside the European Economic Area (EEA).
Where such transfers occur, we rely on appropriate safeguards such as:
- European Commission Standard Contractual Clauses (SCCs), and/or
- adequacy decisions where applicable
8. Data Retention
We retain personal data only as long as necessary:
- Order and billing records: up to 8 years (tax/accounting obligations)
- Customer support communications: up to 24 months after resolution
- Marketing data: until you unsubscribe or object
- Analytics data: according to PostHog retention settings
- Technical logs: typically up to 12 months for security purposes
9. Data Subject Rights
Under GDPR, you have the right to:
- access your personal data
- request correction of inaccurate data
- request deletion of your data (“right to be forgotten”)
- restrict processing
- object to processing (including marketing)
- data portability
- withdraw consent (where applicable)
- lodge a complaint with a supervisory authority
To exercise your rights, contact: [Email Address]
10. Security Measures
We implement appropriate technical and organizational measures to protect personal data, including:
- encrypted connections (HTTPS/TLS)
- access control restrictions
- limited data access on a need-to-know basis
- secure third-party processors
- monitoring and logging for security events
11. Cookies and Tracking
We do not use tracking cookies for analytics purposes.
We use PostHog in cookieless mode, which does not store analytics cookies on your device.
Essential technical cookies or similar technologies may be used strictly for:
- session handling
- checkout functionality
- security purposes
12. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on users.
13. Children
Our services are not directed at children under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect data from children.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect legal, technical, or operational changes. The updated version will always be published on this page.
15. Contact
For any questions regarding this Privacy Policy or your personal data:
[Business Name]
[Full Name]
[Address]
[Email Address]