Privacy policy

Date: 2025-09-23

1. About This Policy

This Privacy Policy applies to all users of selfrose.store (“we”, “us”, “our”) and details how we collect, use, store, protect, and share your personal data across all interactions with our website—including browsing products, creating an account, placing orders, contacting support, or engaging with marketing content. We adhere strictly to the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other regional data protection laws (e.g., Virginia Consumer Data Protection Act, UK Data Protection Act) to safeguard your privacy rights and ensure transparent, ethical data handling.

“Personal data” refers to any information that can identify you directly or indirectly, such as your full name, email address, postal address, phone number, payment details (e.g., last 4 digits of a credit card), browsing history (e.g., which product pages you visit), device information (IP address, browser type/version, operating system, device model), and preferences (e.g., saved shipping addresses, marketing opt-ins).

This policy does not cover third-party websites, apps, or services linked from our site (e.g., social media platforms like Instagram, payment gateways like PayPal, or analytics tools like Google Analytics). We encourage you to review the privacy policies of these third parties independently before interacting with them, as we have no control over their data practices.

2. Data Controller & Contact Information

The data controller responsible for managing your personal data is the operator of selfrose.store. For any privacy-related inquiries, requests (e.g., accessing your data, updating information, withdrawing consent), or complaints, please contact our dedicated privacy team using the following channels:

  • Email: service@selfrose.store (subject line: “Privacy Inquiry”)
  • Postal Address (if applicable): [selfrose.store Official Address]
  • Response Commitment: We acknowledge all privacy requests within 1 business day and aim to resolve them within 30 days. For complex requests (e.g., large-scale data exports, disputes involving multiple data points), we may extend this timeline by up to 2 months, but we will notify you of the delay in writing and provide regular updates (at least every 2 weeks) until resolution.

3. What Personal Data We Collect

We collect personal data only for specific, legitimate purposes and do not gather more information than necessary. The types of data we collect depend on how you interact with our site:

3.1 Data Collected When Browsing (No Registration Required)

When you visit our site to view products (e.g., home decor, lifestyle items, kitchenware) without creating an account or making a purchase, we automatically collect technical data from your browser. This data is essential to maintain site functionality, optimize performance, and ensure security. The collected data includes:

  • IP Address: To identify your general geographic region (e.g., state or city) for service optimization (e.g., matching you to nearby shipping carriers to reduce delivery times) and detect fraudulent activity (e.g., blocking login attempts from known high-risk IP ranges).
  • Visit Date & Time: To analyze peak traffic periods (e.g., weekends vs. weekday evenings) and allocate server resources (e.g., increasing bandwidth during sales events to avoid downtime).
  • Pages Viewed & Links Clicked: To understand which products (e.g., “ceramic vases” or “mid-century coasters”) are most popular, refine site navigation (e.g., adding a “Top Viewed” section to the homepage), and fix broken links or underperforming pages.
  • Amount of Data Transmitted: To troubleshoot loading issues for users with limited bandwidth (e.g., optimizing image sizes for mobile users on 4G networks).
  • Browser Type/Version, Operating System, & Device Model: To ensure the site is compatible with your device (e.g., delivering responsive design for smartphones vs. desktop computers) and resolve technical bugs (e.g., fixing display errors for users on Safari 17.1 or Android 14).
  • Referral Source: To track how you found our site (e.g., via a Google search for “handmade candles,” a social media post, or a third-party blog) and evaluate the effectiveness of our marketing channels (e.g., investing more in high-performing referral sources).

This collection is based on Article 6(1)(f) GDPR (our legitimate interest in maintaining a functional, secure, and user-friendly website) and CCPA Section 1798.100 (reasonable business purposes for operating and improving the site).

3.2 Data Collected for Account Registration

If you create a customer account to save preferences, track orders, or streamline future purchases, we collect voluntarily provided data that you choose to share. Account registration is optional—you can still make purchases as a guest—but an account enhances your user experience by eliminating the need to re-enter information for future orders. The collected data includes:

  • Full Name: To personalize your account dashboard (e.g., “Welcome back, [Name]”) and ensure order details (e.g., delivery address) match your identity (reducing the risk of fraudulent orders being shipped to unauthorized addresses).
  • Email Address: To send account confirmations (verifying your email ownership and activating your account), password reset links (if you forget your login credentials), and order updates (e.g., “Your order has been dispatched”).
  • Password: Stored in encrypted form using industry-standard hashing technology (e.g., bcrypt with a high work factor). We never access or store your raw password—even our internal teams cannot view it.
  • Optional Phone Number: For SMS delivery notifications (e.g., “Your package will arrive today between 2–4 PM”) if you explicitly opt in during registration. You can disable SMS notifications anytime via your account settings.
  • Communication Preferences: Whether you want to receive marketing emails (e.g., sale alerts, new product launches) or SMS promotions. This opt-in is separate from transactional communications (e.g., order receipts) and can be revoked at any time.
  • Optional Profile Details: Information like your preferred product categories (e.g., “sustainable home goods”) or style preferences (e.g., “minimalist decor”), which you may provide to receive personalized product recommendations (e.g., “Based on your love for sustainable items, check out our bamboo kitchenware collection”).

3.3 Data Collected for Purchases

When you place an order on our site, we collect transactional data necessary to process, fulfill, and track your purchase. This data is required to meet our contractual obligation to deliver your order and comply with financial regulations. The collected data includes:

  • Delivery Address: Full address (including apartment numbers, building names, and postal codes) to ensure your product is shipped to the correct location. You may also provide special instructions (e.g., “Leave package at front door” or “Deliver after 5 PM”) to assist the carrier.
  • Billing Address: To verify your payment method (e.g., ensuring the address matches the one on file with your credit card issuer, a key step in preventing credit card fraud) and comply with anti-money laundering laws.
  • Order Details: Product name, model number, quantity, price, and any customizations (e.g., “engraved wooden tray with ‘Family’” or “blue linen cushion cover”). This helps us fulfill your order accurately and resolve issues like missing items.
  • Payment Method Identifiers: Last 4 digits of a credit card, PayPal ID, or Apple Pay token. We never store full credit card details—all payment processing is handled by PCI DSS (Payment Card Industry Data Security Standard)-compliant third-party providers (e.g., Stripe, PayPal), who encrypt and secure your financial data.
  • Order Notes: Any additional requests you provide (e.g., “Gift wrap this item” or “Include a handwritten note: ‘Happy Anniversary!’”) to personalize your order.
  • Payment Status: Whether the order is “pending,” “paid,” “refunded,” or “partially refunded” to track transaction progress and resolve payment disputes.

This collection is based on Article 6(1)(b) GDPR (necessary to fulfill our contractual obligation to deliver your purchased products) and CCPA Section 1798.100 (fulfilling customer contracts and complying with financial regulations).

3.4 Data Collected When Contacting Us

If you reach out to our customer support team via email, contact form, or social media (e.g., to ask about product dimensions, report a delivery delay, or request a return), we collect support-related data to resolve your inquiry efficiently:

  • Your Name & Contact Information: Email address or phone number (if provided) to identify you (e.g., linking your inquiry to your order history) and respond to your request (e.g., sending a follow-up email with answers or a tracking number).
  • Inquiry Details: Order number (if applicable), product issue (e.g., “damaged ceramic mug”), and any relevant context (e.g., “Package arrived with a cracked handle”). This helps us avoid redundant questions and speed up resolution.
  • Attachments: Photos of damaged products, screenshots of site errors (e.g., a frozen checkout page), or copies of order confirmations. These visual aids verify your concern and eliminate misunderstandings (e.g., distinguishing between manufacturing defects and shipping damage).
  • Communication History: A record of all messages exchanged (e.g., your initial inquiry and our responses) to ensure consistency if you follow up later (e.g., “You mentioned a replacement mug—here’s the tracking number for your new order”).

We retain this data only until your inquiry is fully resolved (typically 30 days after the last communication) to ensure follow-up support if needed (e.g., checking if a replacement item arrived safely).

3.5 Data Collected via Cookies & Tracking Technologies

We use cookies, web pixels, and similar tracking technologies to enhance your user experience, analyze site performance, and deliver personalized content. A “cookie” is a small text file stored on your device that recognizes your browser and remembers preferences. We categorize cookies as follows:

Cookie Type Purpose Legal Basis
Strictly Necessary Cookies Enable core site functionality (e.g., remembering items in your cart, enabling login, maintaining session continuity). Cannot be disabled. Article 6(1)(f) GDPR (legitimate interest)
Functional Cookies Remember your preferences (e.g., saved shipping address, language setting, currency selection) to avoid re-entering information for future visits. Article 6(1)(f) GDPR (legitimate interest)
Performance/Analytics Cookies Collect anonymous data on site usage (e.g., how long users spend on a product page, bounce rate, which features are used most) to improve site design and performance. Consent (if required by law) or Article 6(1)(f) GDPR
Marketing Cookies Track your interactions with our marketing (e.g., whether you clicked a sale email link, viewed a social media ad) to deliver targeted promotions (e.g., “You viewed this candle—save 15%”) and measure campaign effectiveness. Explicit consent (required by GDPR/CCPA)

You can manage cookie preferences via your browser settings (e.g., Chrome, Safari, Firefox) or our site’s “Manage Cookies” link in the footer. Disabling non-essential cookies (e.g., marketing cookies) will not affect basic site functionality but may limit personalized features (e.g., targeted ads or custom recommendations).

We also use web pixels (small, invisible images embedded in emails or web pages) to track actions like email opens (e.g., “Did the user open our Black Friday sale email?”) or purchase conversions (e.g., “Did the user buy a product after clicking an ad?”). This data is aggregated and anonymized unless you have provided consent to link it to your personal data.

4. How We Use Your Personal Data

We use your personal data exclusively for the purposes it was collected and do not use it for unstated purposes without your explicit consent. Key uses include:

4.1 Fulfilling Orders & Providing Services

  • Process Payments: Share your billing address and payment identifiers (e.g., last 4 digits of a credit card) with PCI DSS-compliant payment providers (e.g., Stripe, PayPal) to verify funds, process transactions, and prevent payment fraud.
  • Arrange Shipping: Share your name, delivery address, and order number with our shipping carriers (e.g., UPS, FedEx) to ensure timely delivery and enable package tracking. If you opted in to SMS notifications, we may share your phone number with the carrier to send delivery updates.
  • Send Order Updates: Notify you via email or SMS (if opted in) about order status changes, including “Order Confirmed,” “Dispatched,” “Out for Delivery,” and “Delivered.” These communications are essential to keep you informed and resolve issues (e.g., missed deliveries) quickly.
  • Resolve Order Issues: Use your order history and support communications to address problems like missing items, incorrect products, or delivery delays (e.g., initiating a carrier investigation for a lost package or sending a replacement for a damaged item).
  • Fulfill Special Requests: Use order notes (e.g., “gift wrap”) to personalize your order (e.g., including a gift receipt instead of a pricing receipt or adding a handwritten message).

4.2 Managing Your Account

  • Maintain Your Profile: Update your saved preferences (e.g., default shipping address, communication opt-ins) and store your order history (so you can reorder favorite products quickly or track past purchases for warranty claims).
  • Secure Your Account: Use IP address and device data to detect unauthorized access (e.g., a login attempt from a device you’ve never used or a location you don’t frequent) and send security alerts (e.g., “We noticed a login from California—was this you?”).
  • Provide Password Reset Functionality: Send password reset links to your registered email address if you forget your password or request a change.
  • Personalize Recommendations: Use optional profile details (e.g., preferred product categories) to suggest products you may like (e.g., “Based on your past purchases of sustainable decor, check out our new bamboo planters”).

4.3 Improving Our Website & Products

  • Analyze Aggregated, Anonymized Data: Combine browsing and purchase data (removing identifiers like names or email addresses) to identify trends (e.g., “60% of users view dining sets before sofas”) and optimize site layout (e.g., moving popular categories to the homepage or simplifying the checkout process).
  • Test New Features: Roll out beta tools (e.g., virtual room planners, product comparison tools) to a subset of users and use their feedback to refine functionality (e.g., adding more furniture styles to the planner or fixing a bug in the comparison tool).
  • Fix Technical Issues: Use browser/device data to resolve bugs (e.g., “Users on Android 14 cannot add items to cart”) and improve site speed (e.g., compressing images to reduce loading time for mobile users).
  • Evaluate Content Effectiveness: Track how users interact with product descriptions, images, and videos (e.g., “Do users who watch the product video stay longer on the page or are more likely to purchase?”) to enhance content quality (e.g., adding more videos for top-selling items or rewriting unclear descriptions).

4.4 Communicating With You

  • Transactional Emails: Send non-marketing communications required to fulfill our contract, such as account confirmations, order receipts, delivery notifications, and refund confirmations. These emails are not optional but are essential for keeping you informed about your interactions with us.
  • Marketing Communications: Send emails about seasonal sales (e.g., “Black Friday: 20% off all home decor”), new product launches (e.g., “Introducing our fall candle collection”), or exclusive offers (e.g., “10% off your next order for loyal customers”)—only if you opt in during account registration or via the site’s cookie banner. You can unsubscribe from marketing emails anytime by clicking the “Unsubscribe” link in the email or updating your account preferences.
  • SMS Promotions: Send text messages about flash sales (e.g., “Last 24 hours: 15% off mugs”) or urgent updates (e.g., “Your backorder is now in stock”)—only if you explicitly opted in to SMS communications. You can opt out by replying “STOP” to any SMS or updating your account settings.
  • Customer Support Follow-Ups: Send a brief survey (e.g., “How did we handle your damaged product request?”) after resolving your inquiry to improve our support quality. We may also send reminders (e.g., “Your return authorization expires in 3 days”) to help you complete pending actions.

4.5 Ensuring Security & Compliance

  • Detect and Prevent Fraud: Use IP address, billing/delivery address matching, order frequency, and payment history to flag suspicious activity (e.g., multiple large orders from the same IP address with different billing addresses, or a credit card used to purchase high-value items from a new account). We may also use third-party fraud detection tools (e.g., Signifyd) to verify the legitimacy of orders.
  • Comply with Legal Obligations: Retain order and payment records for 7 years to meet U.S. tax and accounting requirements (e.g., responding to IRS audits) and disclose data if required by law (e.g., court orders, subpoenas, or requests from law enforcement agencies).
  • Resolve Disputes: Use your order history and communication records to address customer complaints (e.g., “You claimed the product was damaged—here’s the photo you provided”) or defend against false claims (e.g., “The order was delivered to your address, as confirmed by the carrier’s signature”).

5. How We Share Your Personal Data

We never sell your personal data to third parties for marketing purposes—this includes sharing your email address, phone number, or browsing history with advertisers, data brokers, or other businesses for their own marketing. We only share your data with trusted partners who assist us in providing services, and these partners are bound by strict contractual obligations to protect your data and use it only as instructed by us. Key sharing scenarios include:

5.1 Payment Service Providers

We share your billing address, order amount, and payment identifiers (e.g., last 4 digits of a credit card) with PCI DSS-compliant payment providers (e.g., Stripe, PayPal) to process payments securely. These providers use your data only for transaction processing (e.g., verifying funds, charging your card, or issuing refunds) and do not retain it for longer than necessary (typically 30 days after the transaction is complete). They may also use your data to detect payment fraud (e.g., flagging a stolen credit card) but will not share it with third parties without your consent.

5.2 Shipping & Logistics Partners

We share your name, delivery address, and order number with our shipping carriers (e.g., UPS, FedEx, DHL) to deliver your product. If you opted in to delivery notifications, we may also share your email address or phone number with the carrier to send updates (e.g., “Your package is 2 stops away”). Carriers are prohibited from using your data for any purpose other than delivering your order (e.g., they cannot add you to their marketing lists) and must delete your data once delivery is confirmed.

If you request special delivery services (e.g., white-glove furniture delivery or signature confirmation), we may share additional details (e.g., product weight, dimensions, or assembly requirements) with the logistics partner to ensure proper handling.

5.3 Technical Service Providers

We share anonymized browsing data (e.g., pages viewed, device type, aggregated traffic trends) with our website hosting, security, and analytics partners (e.g., AWS for hosting, Sucuri for security, Google Analytics for analytics). These partners use the data to:

  • Maintain Site Performance: Hosting providers ensure our server stays online and scales to handle traffic spikes (e.g., during sales events).
  • Detect Cyber Threats: Security providers block DDoS attacks, malware, and unauthorized access attempts (e.g., brute-force login attacks).
  • Improve User Experience: Analytics partners help us understand how users navigate the site (e.g., “What percentage of users abandon the checkout page?”) and identify areas for improvement (e.g., simplifying form fields to reduce abandonment).

Anonymized data cannot be linked to individual users—identifiers like IP addresses are truncated or hashed to prevent identification. For example, Google Analytics may receive your IP address but will truncate it (e.g., “192.168.1.XXX”) to avoid linking it to your identity.

5.4 Marketing Service Providers

If you have opted in to marketing communications, we may share your email address or phone number with trusted marketing partners (e.g., Mailchimp for email campaigns, Twilio for SMS) to send targeted promotions. These partners are contractually required to:

  • Use your data only to execute our marketing campaigns (e.g., sending our sale emails, not their own).
  • Protect your data with security measures (e.g., encrypting email lists or storing phone numbers in secure servers).
  • Honor your opt-out requests (e.g., removing you from our email list within 7 days of receiving an unsubscribe request).

We may also share aggregated, anonymized marketing data (e.g., “50% of users who clicked the ad purchased a vase”) with advertising platforms (e.g., Google Ads, Facebook Ads) to optimize campaign performance—but this data does not include personal identifiers.

5.5 Legal & Regulatory Authorities

We may disclose your personal data if required by law (e.g., to comply with a court order, tax audit, or anti-fraud investigation) or to protect our legitimate interests (e.g., investigating fraudulent orders, defending against legal claims, or preventing harm to users or our business). We only disclose the minimum amount of data necessary to fulfill the request and will notify you of the disclosure unless prohibited by law (e.g., a sealed court order or a request related to an ongoing criminal investigation).

For example, if a law enforcement agency requests data about a fraudulent order placed using your email address, we may share your order history and billing address—but not your payment details—if required by a valid subpoena.

6. Data Security & Retention

6.1 Data Security Measures

We use technical and organizational measures to protect your personal data from unauthorized access, disclosure, alteration, or destruction:

  • Encryption: All data transmitted between your browser and our server (e.g., account registration, payment details, support messages) is encrypted using SSL/TLS 1.3 technology—the industry standard for secure online communications. This ensures that even if data is intercepted during transmission, it cannot be read without the encryption key.
  • Secure Storage: Sensitive data (e.g., encrypted passwords, order records, payment identifiers) is stored on servers with restricted physical access (e.g., data centers with 24/7 security guards, biometric entry systems, and video surveillance) and digital access controls (e.g., multi-factor authentication for authorized staff, role-based access limits—only customer support teams can view order details, not marketing teams).
  • Regular Audits: We conduct quarterly security audits and penetration testing (by independent third-party firms like HackerOne) to identify and fix vulnerabilities (e.g., weak password policies, unpatched server software, or misconfigured firewalls). We also perform annual PCI DSS compliance audits to ensure our payment processing meets global security standards.
  • Employee Training: All staff receive annual data protection training to ensure they understand their responsibilities (e.g., not sharing customer data with unauthorized individuals, recognizing phishing attempts, or reporting security breaches) and comply with privacy laws. Employees who handle sensitive data (e.g., customer support, finance) undergo additional background checks and role-specific security training.
  • Data Breach Response Plan: We maintain a detailed plan to respond to data breaches, including steps to contain the breach (e.g., isolating affected servers), assess the impact (e.g., identifying which users’ data was exposed), notify affected users and regulators (as required by GDPR/CCPA), and remediate the issue (e.g., fixing the vulnerability that caused the breach). In the event of a breach that poses a risk to your rights (e.g., unauthorized access to your email address and order history), we will notify you within 72 hours of discovery and provide steps to protect yourself (e.g., resetting your password, monitoring for identity theft).

While we take every reasonable step to secure your data, no system is 100% secure. We cannot guarantee that unauthorized third parties will never be able to bypass our security measures and access your personal data. However, we will take all commercially reasonable steps to mitigate such risks and notify you promptly if a breach occurs.

6.2 Data Retention Periods

We retain your personal data only as long as necessary to fulfill the purposes for which it was collected, plus any additional time required by law:

  • Account Data: Retained while your account is active. If you close your account, we delete all account data (e.g., name, email, saved addresses, profile preferences) within 30 days—unless legal obligations (e.g., tax records) require longer retention.
  • Order Data: Retained for 7 years to comply with U.S. tax and accounting laws (e.g., IRS requirements for retaining sales records). After 7 years, we anonymize the data (remove all identifiers like your name, email, or address) so it can no longer be linked to you. Anonymized order data may be retained indefinitely for business analytics (e.g., tracking long-term sales trends or optimizing inventory).
  • Browsing Data: Anonymized or deleted within 3 months of your last visit. Cookie data is retained for the duration specified in the cookie (e.g., strictly necessary cookies expire when you close your browser; marketing cookies expire after 12 months).
  • Support Inquiry Data: Deleted 30 days after your inquiry is resolved. If the inquiry involves a legal dispute (e.g., a refund claim or a complaint about a defective product), we may retain the data until the dispute is finalized (e.g., until a court judgment is issued or a settlement is reached).
  • Marketing Data: Retained only as long as you remain opted in to marketing communications. If you opt out, we delete your email address/phone number from our marketing lists within 7 days—but may retain a record of your opt-out (e.g., a hashed version of your email) to avoid re-adding you to lists in the future.

If you request erasure of your data (via the “Right to Erasure” in Section 7), we will delete or anonymize it within 14 business days—unless we are required by law to retain it (e.g., order records for tax purposes). In such cases, we will “block” the data (restrict access to authorized staff only) until the legal retention period expires, after which it will be deleted.

7. Your Privacy Rights

Under GDPR, CCPA, and other regional laws, you have the following rights regarding your personal data. To exercise these rights, email service@selfrose.store with proof of identity (e.g., a copy of your order confirmation email, a photo of your government-issued ID with sensitive details redacted, or a response to a security question linked to your account):

7.1 Right to Access

You can request a copy of all personal data we hold about you, including details of:

  • What data we collected (e.g., your email address, order history, browsing activity).
  • When and how it was collected (e.g., “Collected via account registration on 2025-01-15” or “Collected via cookies during your visit on 2025-03-20”).
  • How we used and shared it (e.g., “Used to send order updates; shared with UPS for shipping”).
  • The retention period for the data (e.g., “Retained until 2032 for tax compliance”).

We will provide this data in a machine-readable format (e.g., CSV, JSON) if requested, free of charge for the first request. For subsequent requests within a 12-month period, we may charge a reasonable fee to cover administrative costs (e.g., $10 per request).

7.2 Right to Rectification

If your personal data is inaccurate or incomplete (e.g., an outdated delivery address, misspelled name, or incorrect phone number), you can request to correct it. We will update your data within 7 business days of verifying your request and notify you once the changes are made. For example, if your last name was misspelled in your account, we will correct it and update all linked records (e.g., order receipts, shipping labels, or support tickets) to ensure consistency.

7.3 Right to Erasure (“Right to Be Forgotten”)

You can request that we delete your personal data if:

  • It is no longer necessary for the purpose for which it was collected (e.g., your account is inactive and you have no pending orders or unresolved inquiries).
  • You withdraw consent for data use (e.g., you opted out of marketing emails and there is no other legal basis for processing your email address).
  • You object to processing (and your rights override our legitimate interests—e.g., you object to us using your browsing data to improve the site, and we cannot demonstrate a compelling reason to continue).
  • The data was collected unlawfully (e.g., we collected your phone number without your consent).

We will confirm deletion within 14 business days—unless legal retention obligations apply (e.g., tax records), in which case we will block the data instead of deleting it. If we have shared your data with third parties (e.g., a shipping carrier or marketing provider), we will notify them to delete your data (if possible) or stop using it.

7.4 Right to Restriction of Processing

You can request to limit how we use your data if:

  • You dispute the accuracy of the data (we will restrict processing until we verify its correctness—e.g., you claim your address is outdated, so we stop using it for shipping until we confirm the new address).
  • Processing is unlawful (but you do not want the data deleted—e.g., we collected your data without consent, but you need it to prove a purchase).
  • We no longer need the data, but you need it for legal claims (e.g., you are suing us over a damaged product and need your order history as evidence).

While processing is restricted, we will only use your data with your consent or for legal purposes (e.g., defending against a lawsuit). We will notify you when the restriction is lifted (e.g., once we verify the accuracy of your data).

7.5 Right to Data Portability

You can request to receive your personal data in a structured, machine-readable format (e.g., CSV, JSON) so you can transfer it to another service provider (e.g., another online home goods store). This applies to data you provided to us (e.g., your name, email, order history) and data processed based on your consent or a contract (e.g., purchase data).

We will provide this data within 14 business days of your request. If technically feasible, you can also request that we transfer the data directly to the other service provider (e.g., “Send my order history to XYZ Home Decor”).

7.6 Right to Object

You can object to the processing of your data for:

  • Marketing Purposes: We will stop processing immediately—no need to provide a reason. This includes opting out of marketing emails, SMS, and targeted ads. You can exercise this right via the “Unsubscribe” link in emails, replying “STOP” to SMS, or updating your account preferences.
  • Processing Based on Legitimate Interests: If we process your data based on our legitimate interests (e.g., using your browsing data to improve the site), you can object by providing a reason why the processing harms your interests. We will review your request and stop processing if your rights override our interests (e.g., if the processing causes you anxiety from targeted ads). If we continue processing, we will provide a written explanation of our compelling legitimate interests.

7.7 Right to Withdraw Consent

If you previously consented to data processing (e.g., for marketing emails, SMS notifications, or cookie use), you can withdraw consent at any time. Withdrawal does not affect the legality of processing before consent was withdrawn (e.g., marketing emails sent before you opted out are still lawful).

To withdraw consent:

  • Marketing Emails: Click the “Unsubscribe” link in any marketing email or update your account preferences.
  • SMS Notifications: Reply “STOP” to any SMS or contact us via email.
  • Cookies: Use the “Manage Cookies” link in the site footer to disable non-essential cookies (e.g., marketing or analytics cookies).

We will confirm receipt of your consent withdrawal within 3 business days and stop processing your data for the relevant purpose within 7 days.

7.8 Right to Lodge a Complaint

If you believe we have violated your privacy rights (e.g., we processed your data without consent, failed to respond to your access request, or a data breach exposed your sensitive information), you have the right to lodge a complaint with a data protection supervisory authority in your country:

  • EU Residents: Contact your local data protection authority (e.g., CNIL in France, ICO in the UK, BfDI in Germany).
  • California Residents: Contact the California Attorney General’s Office or the California Privacy Protection Agency (CPPA).
  • Other U.S. Residents: Contact the Federal Trade Commission (FTC) or your state’s attorney general’s office.

You do not need to notify us before lodging a complaint, but we encourage you to contact us first to resolve the issue informally—we are committed to addressing your concerns quickly.

8. Changes to This Policy

We may update this Privacy Policy to reflect changes in legal requirements (e.g., new state or federal privacy laws), website features (e.g., adding a loyalty program that collects additional data), or data processing practices (e.g., switching to a new payment provider or discontinuing a marketing tool). When we make changes:

  • We will post the revised policy on our site with a new “Last Updated” date prominently displayed at the top.
  • We will notify account holders of material changes (e.g., new data collection practices, changes to how we share data, or updates to your privacy rights) via email at least 7 days before the changes take effect. The email will include a summary of the key changes and a link to the full revised policy.
  • For non-material changes (e.g., minor updates to contact information, clarifications to existing provisions), we will post the revised policy on the site without additional notification.

Your continued use of selfrose.store after the revised policy is posted constitutes acceptance of the changes. We encourage you to review this policy periodically (e.g., every 6 months) to stay informed about how we protect your data.

9. Children’s Privacy

We do not intentionally collect personal data from children under the age of 13 (or the age of majority in your jurisdiction, if higher). Our website is not directed at children, and we require parents or legal guardians to ensure children do not provide personal data on our site. If we become aware that we have collected personal data from a child without parental consent, we will delete the data within 7 business days and notify the parent or guardian (if contact information is available) to explain the steps taken.

If you believe your child has provided personal data on our site, please contact us at service@selfrose.store