Privacy Policy

1. Data controller and contact information

The controller responsible for personal data described in this policy is:

For privacy-related requests, including access or deletion, use the email above. We may ask you to verify your identity before fulfilling a request. If you reside in the European Economic Area, you may also contact your local supervisory authority; a list of EU authorities is published by the European Data Protection Board.

2. Categories of personal data

Depending on your interaction, we may process:

• Identity and contact details: full name, email address, postal address if you supply it, and similar identifiers you voluntarily provide.
• Communication content: free-text messages submitted through forms, email threads, or chat transcripts when available.
• Transaction metadata: order identifiers, product names, shipping status summaries, and payment confirmation tokens from our payment processor (we do not store full payment card numbers when our processor tokenizes them).
• Technical data: IP address, browser type and version, device type, operating system, referring URL, and approximate location derived from IP.
• Usage data: pages viewed, approximate time on page, scroll depth where measured, and diagnostic events that help us fix errors.
• Cookie data: as described in our Cookie Policy, subject to your consent where required.

3. Purposes and lawful bases under GDPR

We process personal data for transparent purposes and on documented lawful bases:

• Website delivery and security (Art. 6(1)(f) legitimate interests): hosting, TLS encryption, bot mitigation, rate limiting, and incident logging.
• Contractual and pre-contractual steps (Art. 6(1)(b)): answering product inquiries, processing orders you place, and coordinating shipments.
• Legal obligations (Art. 6(1)(c)): tax, accounting, consumer protection, and responding to lawful requests from public authorities.
• Consent (Art. 6(1)(a)): optional analytics and marketing cookies, newsletters if you subscribe, and certain surveys.
• Legitimate interests balanced against your rights (Art. 6(1)(f)): improving site usability, aggregate performance analytics where cookies are not required, and fraud analytics tied to payments.

Where we rely on legitimate interests, you may object under GDPR Article 21; we will assess your objection in line with applicable law.

4. United States privacy disclosures

Residents of Colorado and other U.S. states with comprehensive privacy laws may have rights to access, correct, delete, or obtain a copy of personal data, and to opt out of certain processing such as targeted advertising or profiling in defined circumstances. We do not sell personal data for money as defined by the Colorado Privacy Act. To exercise rights, email us; we will verify your request in a reasonable manner.

You may designate an authorized agent where state law allows, subject to verification and proof of authorization.

5. Retention periods

We keep personal data only as long as necessary for the purposes above:

• Marketing preferences and suppression lists: until you withdraw consent or object, plus a short period to demonstrate compliance.
• Customer inquiries: typically up to twenty-four months unless a dispute or legal hold requires longer retention.
• Orders and accounting: for the duration required by tax, commercial, and product safety regulations applicable in the jurisdictions where we operate.
• Security logs: on a rolling basis, generally not longer than twelve months unless needed for investigations.
• Anonymized or aggregated datasets: may be retained without a fixed limit if they no longer identify individuals.

6. International transfers

Our infrastructure and subprocessors may be located in the United States or other countries. When we transfer personal data from the EEA, UK, or Switzerland to countries not subject to an adequacy decision, we implement appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, supplemented by technical and organizational measures where required by regulators.

7. Security measures

We apply layered controls including HTTPS transport encryption, role-based access, least-privilege credentials, vendor due diligence, backups, and periodic review of access logs. No system is perfectly secure; we encourage you to use unique passwords and protect your devices.

8. Your rights

Depending on your location, you may have rights to access, rectify, erase, restrict processing, object, withdraw consent, and data portability. You may lodge a complaint with a supervisory authority. We respond within one month for GDPR requests unless complexity requires an extension, in which case we will notify you.

9. Children

This website is not directed to children under sixteen, and we do not knowingly collect personal data from children. If you believe we have collected such data, contact us and we will delete it promptly where verification allows.

10. Changes to this policy

We may update this Privacy Policy to reflect legal, technical, or business developments. The “Effective as of” date at the top will change when revisions are material. Continued use of the site after updates constitutes notice where permitted by law; additional consent will be sought when required.