Privacy Policy
This Privacy Policy describes how Villimae registered in , (hereinafter referred to as "we", "us", or "our") collects, uses, discloses, and protects personal data when you visit our Shopify webshop Villimae or make purchases. We are committed to protecting your privacy and the security of your personal data in accordance with the General Data Protection Regulation (GDPR) of the European Union, the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada, and Quebec's Act respecting the protection of personal information in the private sector (Law 25).
By using our services, you agree to the terms of this Privacy Policy. We encourage you to read this policy carefully.
1. Who are we and how can you contact us?
Data Protection Officer (DPO) / Person Responsible for the Protection of Personal Information (Law 25):
For questions about this Privacy Policy or to exercise your rights, you can contact our Data Protection Officer / Person Responsible for the Protection of Personal Information via:
The Management
Email: info@villimae.com
2. What personal data do we collect?
We collect various types of personal data, depending on your interaction with our webshop:
•Identification and contact details: Name, address, email address, phone number, date of birth (if relevant for age verification). This also includes your IP address and other online identifiers.
•Payment details: Credit card details, bank account numbers, and other payment information. This data is processed by secure payment service providers, and we do not store full payment card details ourselves.
•Order details: Products you have purchased, order history, shipping preferences.
•Account details: Username, password (encrypted), account preferences.
•Communication data: Correspondence with us via email, chat, contact forms, or social media.
•Technical data: IP address, browser type and version, time zone setting, operating system and platform, and other technology on the devices you use to access this website.
•Usage data: Information about how you use our website, products, and services, including click behavior, pages visited, duration of visit.
•Marketing and communication preferences: Your preferences for receiving marketing from us and our third parties.
3. How do we collect your personal data?
We collect personal data in the following ways:
•Directly from you: When you create an account, place an order, subscribe to our newsletter, contact us, participate in surveys or contests.
•Through automated technologies or interactions: When you visit our website, we may automatically collect technical data and usage data using cookies, server logs, and other similar technologies. See section 8 for more information about cookies.
•From third parties or publicly available sources: We may receive personal data from third parties, such as technical data from analytics providers (e.g., Google Analytics), contact, financial, and transaction data from payment and delivery services (e.g., PayPal, Shopify Payments, PostNL, Canada Post), and identity and contact data from data brokers or aggregators.
4. Why do we collect your personal data and on what legal basis?
We only use your personal data when the law allows us to. The most common purposes and legal bases are:
| Purpose of processing | Legal basis (GDPR) | Explanation (PIPEDA & Law 25) |
| --- | --- | --- |
| Performance of a contract (e.g., processing orders, delivering products, customer account management) | Art. 6(1)(b) GDPR (Necessary for the performance of a contract) | Collection, use, and disclosure of personal data are necessary for delivering the requested products or services. Consent is implicitly obtained when placing an order. |
| Compliance with legal obligations (e.g., tax obligations, accounting, fraud prevention) | Art. 6(1)(c) GDPR (Necessary for compliance with a legal obligation) | We are legally obliged to retain certain data and provide it to authorities. |
| Legitimate interest (e.g., improving our services, marketing, website security, website usage analysis) | Art. 6(1)(f) GDPR (Necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests) | We have a legitimate interest in optimizing our business operations, offering relevant products, and protecting our systems. Your rights and freedoms are always respected. For marketing to existing customers, this applies as a legitimate interest, provided you can easily unsubscribe. |
| Consent (e.g., sending newsletters, placing non-essential cookies, specific marketing activities) | Art. 6(1)(a) GDPR (You have given consent to the processing of your personal data for one or more specific purposes) | For specific purposes for which no other legal basis exists, we ask for your explicit, informed, and unambiguous consent. You have the right to withdraw your consent at any time. Under Law 25, consent is required for the collection, use, and disclosure of sensitive personal data and for the use of tracking technologies. |
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis.
5. With whom do we share your personal data?
We may share your personal data with the following categories of recipients:
•Shopify Inc.: As a platform provider, Shopify processes data on our behalf. We have a Data Processing Addendum (DPA) with Shopify. More information about Shopify's privacy practices can be found in their privacy policy: https://www.shopify.com/legal/privacy and https://www.shopify.com/legal/privacy/consumers.
•Payment service providers: For processing payments, we share data with providers such as PayPal, Stripe, etc. These parties are responsible for protecting your payment data. We enter into data processing agreements where necessary.
•PayPal: For payments via PayPal, your data is shared with PayPal (Europe) S.à r.l. et Cie, S.C.A. (22-24 Boulevard Royal, L-2449 Luxembourg). This is done on the basis of Art. 6(1)(b) GDPR for the execution of the payment. PayPal may perform a credit check based on their legitimate interest (Art. 6(1)(f) GDPR).
•Shipping and logistics partners: To deliver your orders, we share your name, address, and contact details with shipping companies such as PostNL, Canada Post, DHL, FedEx, etc.
•Marketing and analytics services: We use services such as Google Analytics, Facebook Pixel, and Google Ads for website analysis and targeted advertising. These parties may collect data via cookies and similar technologies. We enter into data processing agreements where necessary.
•IT service providers: For hosting, maintenance, and support of our systems.
•Professional advisors: Lawyers, accountants, bankers, insurers who provide professional services to us.
•Government authorities: If legally required or necessary for the protection of our rights.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions and a valid data processing agreement.
6. International transfer of personal data
As we are a company serving the Canadian market and using global service providers such as Shopify and Google, your personal data may be transferred to and stored in countries outside the European Economic Area (EEA) and Canada, including the United States. These countries may not have the same data protection laws as or Canada.
We ensure that your personal data is adequately protected by implementing at least one of the following safeguards:
•Adequacy decisions: Transfers to countries recognized by the European Commission as providing an adequate level of protection for personal data (e.g., Canada for commercial organizations covered by PIPEDA).
•Standard Contractual Clauses (SCCs): We enter into model contractual clauses approved by the European Commission and/or relevant Canadian authorities with data recipients outside the EEA and Canada. These clauses oblige the recipient to protect personal data according to European and/or Canadian standards.
•Data Privacy Framework (DPF): For transfers to the United States, if the recipient is certified under the EU-U.S. Data Privacy Framework and/or the UK Extension to the EU-U.S. Data Privacy Framework. The previous Privacy Shield is no longer valid.
If you would like more information about the specific mechanisms we use when transferring your personal data outside the EEA or Canada, please contact us using the contact details in section 1.
7. Cookies and similar technologies
Our webshop uses cookies and similar technologies (such as pixels and tags) to improve your browsing experience, analyze website usage, and personalize marketing activities. Cookies are small text files placed on your device when you visit our website.
We distinguish the following types of cookies:
•Necessary cookies: These cookies are essential for the functioning of the website and enable you to navigate the website and use its features (e.g., shopping cart functionality, secure login). No consent is required for these.
•Analytical cookies: These cookies collect information about how visitors use our website, such as which pages are visited most often and whether error messages occur. This data helps us improve the website. We ask for your consent for these cookies, unless they are fully anonymized and have no impact on your privacy (e.g., anonymized Google Analytics).
•Marketing and tracking cookies: These cookies are used to track your browsing behavior across different websites and build a profile of your interests. They are used to show you relevant advertisements and measure the effectiveness of our marketing campaigns. We ask for your explicit consent for these cookies.
Your consent for cookies (Cookie Consent Management)
Upon your first visit to our website, you will be asked to set your cookie preferences via a cookie banner. You have the option to consent to all cookies, accept only necessary cookies, or manage your preferences in detail. You can change your cookie preferences at any time via the cookie webpage.
Cookies used by Shopify and third parties:
Our Shopify webshop uses various cookies, both from Shopify itself and from integrated apps and services. A detailed list of the cookies we use, including their purpose, retention period, and whether they are from third parties, is available.
Examples of third parties that may place cookies:
•Google Analytics (GA4): For analyzing website traffic and behavior. We use GA4 with IP anonymization. More information: https://support.google.com/analytics/answer/6004245
•Facebook Pixel: For measuring the effectiveness of Facebook ads and showing relevant ads to website visitors. More information: https://www.facebook.com/policy/cookies/
•Google Ads (formerly AdWords) Remarketing: For showing targeted ads based on your previous interactions with our website. More information: https://policies.google.com/technologies/ads
8. Your rights
You have various rights regarding your personal data. We respect these rights and will handle your requests in accordance with applicable law.
Rights under GDPR (for residents of the EEA):
•Right of access (Art. 15 GDPR): You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and additional information about the processing.
•Right to rectification (Art. 16 GDPR): You have the right to have inaccurate personal data concerning you rectified and to have incomplete personal data completed.
•Right to erasure (right to be forgotten) (Art. 17 GDPR): You have the right to obtain the erasure of personal data concerning you under certain conditions (e.g., if the data are no longer necessary for the purposes for which they were collected).
•Right to restriction of processing (Art. 18 GDPR): You have the right to obtain restriction of processing of your personal data under certain conditions (e.g., if the accuracy of the data is contested).
•Right to data portability (Art. 20 GDPR): You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
•Right to object (Art. 21 GDPR): You have the right to object to the processing of your personal data on grounds relating to your particular situation, or for direct marketing purposes.
•Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
•Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): You have the right to lodge a complaint with the (or any other relevant supervisory authority in the EEA) if you believe your rights under the GDPR have been infringed.
Rights under PIPEDA (for residents of Canada, outside Quebec):
•Right of access: You have the right to request access to the personal information we hold about you and to challenge its accuracy and completeness.
•Right to correction: You may request correction of inaccurate or incomplete personal information.
•Right to withdraw consent: You may withdraw your consent to the collection, use, and disclosure of your personal information, subject to legal or contractual restrictions and reasonable notice.
•Right to lodge a complaint: You have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) if you believe your privacy rights under PIPEDA have been infringed.
Rights under Law 25 (for residents of Quebec):
•Right of access and rectification: You have the right to access your personal information and to have it corrected if it is inaccurate, incomplete, or ambiguous, or if its collection, disclosure, or retention is not authorized by law.
•Right to withdraw consent: You may withdraw your consent to the communication and use of your personal information.
•Right to de-indexation: You may demand that links to your personal information be removed from search results if the dissemination of that information causes you prejudice or contravenes the law or a court order.
•Right to data portability: You have the right to receive your personal information in a structured and commonly used format and to transmit it to another organization.
•Right to information about automated decision-making: You have the right to be informed about the use of automated decision-making and the logic behind it, and to have the decision reviewed.
•Right to lodge a complaint: You have the right to lodge a complaint with the Commission d'accès à l'information (CAI) of Quebec if you believe your privacy rights under Law 25 have been infringed.
How to exercise your rights:
To exercise any of these rights, please contact us using the contact details in section 1. We will process your request within the statutory deadlines and inform you about the status of your request. We may ask you to verify your identity before processing your request.
9. Data retention
We retain your personal data no longer than is strictly necessary for the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. The specific retention periods depend on the type of data and the purpose of processing:
•Order data: Retained as long as necessary for the performance of the contract and thereafter for legal tax and administrative obligations (similar periods in Canada).
•Customer account data: Retained as long as your account is active. After inactivity or deletion of your account, certain data may still be retained for legal purposes.
•Marketing consents: Retained as long as you do not withdraw your consent and thereafter for a short period to demonstrate that we have fulfilled our obligations.
•Communication data: Retained as long as necessary to handle your questions or complaints.
•Cookies: Retention periods vary per cookie. Please refer to our detailed cookie overview page for specific information.
After the retention period, your personal data will be securely deleted or anonymized so that it can no longer be linked to you.
10. Security of your personal data
We have implemented appropriate technical and organizational security measures to protect your personal data against accidental loss, unauthorized access, use, alteration, or disclosure. These measures include, but are not limited to:
•Pseudonymization and encryption: Where possible, personal data is pseudonymized or encrypted.
•Access control: Only authorized personnel have access to personal data, based on a 'need-to-know' principle.
•Physical security: Our systems and servers are protected against unauthorized physical access.
•Secure communication: Our website uses SSL/TLS encryption to secure communication between your browser and our servers.
•Regular audits and updates: We regularly review and update our security measures to ensure continuous protection.
Despite our efforts, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee the absolute security of your personal data. In the event of a data breach, we will follow legal procedures, including notification to the relevant supervisory authorities and, if necessary, to the affected individuals.
11. Data breach notification
In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, unless otherwise provided by law. We will also notify the relevant supervisory authorities (Office of the Privacy Commissioner of Canada, Commission d'accès à l'information in Quebec) in accordance with applicable law.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. We will notify you of material changes by posting the updated policy on our website and updating the "Last Updated" date at the top of this policy. We encourage you to review this policy periodically for updates.
13. Contact
If you have any questions about this Privacy Policy or wish to exercise any of your rights, please contact us at: