Privacy Policy
Settings — 2026-04-21
1. Data Controller
The data controller responsible for processing your personal data is the operator of this online store ("we", "us"). We process personal data in accordance with the EU General Data Protection Regulation (GDPR – Regulation 2016/679) and applicable national data protection laws of all EU/EEA Member States, including Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the EEA states of Iceland, Liechtenstein, and Norway.
2. Personal Data We Collect
- Account data: name, email address, hashed password.
- Order data: delivery address, phone number, order history, payment reference.
- Technical data: IP address, browser type, device type, preferred language, cookie identifiers.
- Usage data: pages visited, search queries, items viewed.
3. Legal Basis for Processing (GDPR Art. 6)
- Art. 6(1)(b) – Contract: processing necessary to fulfil your purchase order and manage your account.
- Art. 6(1)(c) – Legal obligation: tax reporting, anti-fraud requirements, food safety traceability (Regulation (EC) No 178/2002).
- Art. 6(1)(a) – Consent: marketing emails, analytics cookies, and any processing requiring explicit opt-in.
- Art. 6(1)(f) – Legitimate interest: fraud prevention, service improvement, anonymised analytics.
4. Data Sharing & Transfers
We may share data with: payment processors (Stripe), delivery carriers, and hosting providers. Each sub-processor is bound by a data processing agreement (Art. 28). Where personal data is transferred outside the EU/EEA, the transfer relies on an adequacy decision for the destination country (Art. 45) or on Standard Contractual Clauses (Art. 46). We do not sell personal data.
5. Data Retention
Account data is retained for the duration of your account. Order records are kept for the legally required period (typically 7–10 years depending on national tax law). Marketing consent records are kept until withdrawal. Technical logs are deleted after 90 days.
6. Your Rights (GDPR Art. 15–22)
You have the right to:
- Access your personal data (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure ("right to be forgotten") (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Not be subject to solely automated decisions (Art. 22)
To exercise any right, contact us at privacy@store.example. We will respond without undue delay and in any event within one month of receiving your request (Art. 12(3)); for complex or numerous requests this period may be extended by up to two further months, in which case we will inform you of the extension and its reasons. You also have the right to lodge a complaint with your national supervisory authority.
7. Cookies
We use strictly necessary cookies (session, CSRF protection) without your consent, as permitted for cookies that are essential to provide a service you have requested (ePrivacy Directive 2002/58/EC, Art. 5(3)). Analytics and marketing cookies are set only after your explicit opt-in via our cookie banner, in compliance with the ePrivacy Directive and its national implementations across all EU Member States.
8. Nordic-Specific Provisions
- Sweden: Processing complies with the guidelines of the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).
- Denmark: Processing complies with the Danish Data Protection Act (Databeskyttelsesloven).
- Finland: Processing follows the Data Protection Act (Tietosuojalaki 1050/2018).
- Norway (EEA): We comply with the Norwegian Personal Data Act (Personopplysningsloven) and the guidance of Datatilsynet.
9. Security
We implement encryption in transit (TLS 1.2+), at-rest encryption for databases, access control, regular security audits, and incident response procedures in accordance with GDPR Art. 32.
10. Changes
We may update this policy periodically. Material changes will be communicated by email or an in-app notification at least 14 days before they take effect.
