The General Data Protection Regulation (GDPR)
GDPR is a regulation that expands on individuals’ rights to access and control their personal data.
Right now the regulation only applies to companies that handle the personal data of residents in the European Economic Area (EEA). Although we do not ship to customers in the EEA at this time, we believe in data protection and privacy and strive to offer our customers the same rights afforded by GDPR to control their personal data regardless of location. These include the rights to request:
- Deletion (also known as erasure or redaction) of personal data
- Correction (rectification) of incomplete or inaccurate personal data
- Access to personal data
- An export of personal data in a common, portable format
We will facilitate requests to exercise these rights, generally within one month. For all GDPR data requests, please contact us at firstname.lastname@example.org.
Please note that under GDPR, any information relating to an identified or identifiable person is considered personal data. This does not include information that is purely financial and cannot be linked to an individual. When you request an erasure, your personal information (such as name and address) will be redacted from our records. Anonymized, non-personal financial data such as revenue information and order details will remain in tact for accounting and tax purposes. Order details retained include the gateway used to process payment, time of sale, amount paid, currency, subtotal, shipping cost, taxes added, shipping method, item quantity, item name, SKU, and payment method. We will also transmit your erasure request to all third-party apps installed on our site at the time of the request to similarly redact or anonymize personal data they might have access to. We will notify you when the redaction is complete.
By default, we will not erase personal data if the customer has made an order in the last 6 months (180 days), in case a chargeback occurs. If a request for erasure is submitted during that time frame, then it will be logged as pending, and the data will be automatically erased once this time has passed. If you make another purchase after your information has been redacted, a new customer account will be created.
Once an erasure has been initiated, there is a 10-day buffer period during which it can still be cancelled. To cancel your pending erasure request, please contact us immediately. We cannot guarantee cancellation without at least 24-hours notice prior to the expiration of the 10-day grace period.
Customers visiting our store typically provide personal data directly to us when initiating orders so that we may fulfill those orders. Elements of personal data we commonly collect include:
- Shipping and billing addresses
- Email or phone number
- IP address
- Credit card number
Our web host is Level 1 PCI-DSS compliant and uses third-party data centers with industry-standard certifications including Tier III, ISO 27001 and PCI-DSS. They have implemented a cross-functional technical and organizational data protection program that is integrated with their information security program. The data protection program includes a designated Data Protection Officer who reports to senior management, as well as individuals from Internal Security, Legal, Legal Operations, Production Security and Processing Integrity teams. Measures taken include:
- Anonymizing and encrypting personal data
- Ensuring confidentiality, integrity, availability, and resilience of processing systems
- Restricting who may access personal data
- Ensuring availability and access to personal data in the event of a physical or technical incident
- Performing regular testing, assessments, and evaluation of technical and organizational security measures