Privacy Policy

2. What Data We Collect

We collect personal data in several ways when you interact with our website and services:

2.1 Information You Provide

• Account Information: Name, email address, password (encrypted), phone number
• Order Information: Billing address, shipping address, payment method (processed securely by payment providers)
• Communication Data: Messages you send us, support tickets, feedback
• Newsletter Data: Email address (if you subscribe)

2.2 Information Collected Automatically

• Device Information: IP address, browser type and version, operating system, device identifiers
• Usage Data: Pages viewed, time spent on pages, clicks, navigation paths, search queries
• Location Data: Country, region, city (derived from IP address via Cloudflare)
• Cookie Data: Session cookies, preference cookies, analytics cookies (see our Cookie Policy)

2.3 Information from Third Parties

• Payment Providers: Transaction confirmations and fraud prevention data
• Shipping Providers: Delivery confirmations and tracking updates

3. Legal Basis for Processing

We process your personal data under the following legal bases according to GDPR Article 6:

4. How We Use Your Data

We use your personal data for the following purposes:

• To process and fulfill your orders
• To communicate about your orders and provide customer support
• To send important product updates and safety information
• To improve our website and services through analytics
• To prevent fraud and ensure security
• To comply with legal obligations (tax, accounting, consumer protection)
• To send marketing communications (only with your consent)

5. Data Sharing and Processors

We share your data only with trusted service providers who help us operate our business. All processors are bound by data processing agreements ensuring GDPR compliance:

5.1 Categories of Recipients

We share your personal data only with trusted service providers who assist us in operating our business. These include:

• Business operations partners: To manage platform operations, customer service, and business processes
• E-commerce service providers: To process orders and payments
• Technical infrastructure providers: To maintain website and system operations
• Analytics providers: To understand website usage and improve our services
• Customer support providers: To handle inquiries and dispute resolution
• Communication service providers: To send order confirmations and updates
• Fulfillment partners: To pack and ship your orders
• Professional service providers: Such as lawyers and accountants, bound by confidentiality

Some of these service providers may be located outside the EEA, including in the United States and Canada. We ensure appropriate safeguards are in place for all international data transfers as described in Section 6 below.

5.2 Other Disclosures

We may also share your data with:

• Affiliated companies for operational and technical support purposes
• Fulfillment partners to process and ship your orders
• Professional advisors bound by confidentiality obligations
• Law enforcement when required by legal proceedings
• Relevant parties to protect our rights or safety
• Third parties when you have given explicit consent
• Successors in connection with a business transfer or acquisition

All parties with whom we share data are contractually required to protect your information in accordance with this Privacy Policy and applicable law.

6. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). We ensure appropriate safeguards are in place:

• EU-US Data Privacy Framework: For US providers certified under the framework
• Standard Contractual Clauses (SCCs): EU Commission-approved contracts for data transfers
• Adequacy Decisions: For countries deemed adequate by the EU (e.g., Canada for Shopify)

For transfers to the UAE (Nostalgia L.L.C-FZ), we use Standard Contractual Clauses with additional security measures.

7. Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy:

8. Your Rights

Under GDPR, you have the following rights regarding your personal data:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Limit how we process your data
• Portability: Receive your data in a machine-readable format
• Objection: Object to processing based on legitimate interests
• Automated Decision-Making: Not be subject to purely automated decisions
• Consent Withdrawal: Withdraw consent at any time (for consent-based processing)

To exercise these rights, contact us through our support center . We will respond within 30 days. You may need to verify your identity.

Complaints: You have the right to lodge a complaint with your local data protection authority. In Romania, this is the National Supervisory Authority for Personal Data Processing (ANSPDCP).

9. US State Privacy Rights

This section applies to residents of US states with comprehensive privacy laws, including California, Colorado, Connecticut, Delaware, Iowa, Maryland, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia.

9.1 Sale and Sharing of Personal Information

We do not sell or share your personal information. We do not exchange your personal data for monetary or other valuable consideration, nor do we share it for cross-context behavioral advertising purposes.

9.2 Categories of Personal Information

In the preceding 12 months, we have collected the following categories of personal information:

9.3 Your Rights

Depending on your state of residence, you may have the following rights:

• Right to Know: Request disclosure of personal information we have collected, used, or disclosed about you
• Right to Delete: Request deletion of your personal information, subject to certain exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt out of the sale or sharing of personal information (we do not sell or share, so this does not apply)
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

9.4 How to Exercise Your Rights

To submit a request, contact us through our support center . We will verify your identity by matching information you provide with information we have on file. You may designate an authorized agent to make a request on your behalf by providing written authorization.

We will respond to verifiable requests within 45 days. If we require more time (up to an additional 45 days), we will notify you of the reason and extension period.

9.5 Appeals

If we deny your request, you may appeal by contacting us with "Privacy Appeal" in the subject line. If your appeal is denied, you may contact your state's Attorney General.

10. Automated Decision-Making

We use limited automated decision-making for fraud prevention and security:

• Our payment processor (Shopify) uses automated fraud detection to flag suspicious transactions
• Cloudflare may automatically block malicious traffic or DDoS attacks
• These systems may temporarily restrict access pending human review

You have the right to request human review of any automated decision that significantly affects you. Contact us through our support center to request manual review.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

• Encryption of data in transit (TLS/SSL) and at rest
• Access controls and authentication
• Regular security assessments and updates
• Employee training on data protection
• Incident response procedures

However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

12. Children's Privacy

Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at our support center .

13. Cookies and Tracking

We use cookies and similar technologies to enhance your experience. These include:

13.1 Essential Cookies

Required for website functionality (shopping cart, user sessions)

13.2 Analytics Cookies

Help us understand how visitors use our site (Google Analytics)

13.3 Preference Cookies

Remember your settings and preferences

You can manage cookie preferences through your browser settings. Note that disabling certain cookies may affect website functionality.

Do Not Track: We do not currently respond to Do Not Track browser signals, as there is no industry standard for compliance.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be effective immediately upon posting to this page with an updated "Last updated" date.

For material changes affecting how we process customer data, we will notify existing customers who have made purchases within the last 12 months via their order email address.

We encourage you to review this policy before making a purchase. Your use of our website after changes are posted constitutes acceptance of the updated policy.

15. Contact Information

For privacy-related questions or to exercise your rights, contact us at:

Email: support.epilogue.co
Data Protection Contact: support.epilogue.co

Postal Address: