Privacy Policy
Privacy Policy
1. INFORMATION ABOUT THE CONTROLLER AND DATA COLLECTION
1.1 Controller Information
We are pleased that you are visiting our website and thank you for your interest. This Privacy Policy explains how we collect, use, and protect your personal data when you use our website or purchase our products.
Controller:
Store Name: Avery & Bloom Company Name: Avery & Bloom Email: info@averyandbloom.com
The controller is responsible for determining the purposes and means of processing personal data under applicable data protection laws, including the GDPR where applicable, UK GDPR where applicable, the Privacy Act 1988 (Australia), PIPEDA (Canada), and other applicable data protection laws.
1.2 Secure Data Transmission
For security reasons and to protect the transmission of personal data and other confidential content (e.g., orders or inquiries), this website uses SSL/TLS encryption. You can recognize an encrypted connection by the "https://" prefix and the lock symbol in your browser's address bar.
2. DATA COLLECTION WHEN VISITING OUR WEBSITE
2.1 Server Log Files
When you visit our website purely for informational purposes without registering or providing other information, we automatically collect data that your browser transmits to our server ("server log files"). This technical data is necessary to display the website and includes:
The webpage you visited
Date and time of access
Amount of data sent (in bytes)
Referrer URL (source from which you accessed the page)
Browser type and version
Operating system used
IP address (anonymized where possible)
Legal Basis: Article 6(1)(f) GDPR (legitimate interest in improving website stability and functionality). The data is not passed on to third parties or used for other purposes. We reserve the right to review server log files if there are specific indications of illegal use.
3. COOKIES AND TRACKING TECHNOLOGIES
3.1 What Are Cookies?
Cookies are small text files stored on your device when you visit our website. They help us make our website more functional and user-friendly.
3.2 Types of Cookies We Use
Essential Cookies: Necessary for basic website functionality (e.g., shopping cart)
Functional Cookies: Remember your preferences and settings
Performance Cookies: Analyze how you use our website (e.g., Google Analytics)
Marketing Cookies: Track your browsing to show relevant ads (e.g., Facebook Pixel, Google Ads)
3.3 Cookie Duration
Session Cookies: Deleted when you close your browser
Persistent Cookies: Remain on your device for a predefined period (varies by cookie)
Legal Basis:
Essential cookies: Article 6(1)(b) GDPR (performance of contract)
Other cookies: Article 6(1)(a) GDPR (consent) or Article 6(1)(f) GDPR (legitimate interest)
3.4 Managing Cookies
You can configure your browser to:
Be notified when cookies are set
Accept or reject cookies on a case-by-case basis
Block all cookies
Please note that disabling cookies may limit website functionality. You can also withdraw cookie consent at any time through our cookie banner or browser settings.
4. PERSONAL DATA WE COLLECT
4.1 Information You Provide to Us
When you create an account, place an order, or contact us, we collect:
Account & Order Information:
Full name
Email address
Billing address
Shipping address
Phone number (optional)
Payment information (processed by payment providers)
Order history
Product preferences
Contact Information:
Name
Email address
Phone number (if provided)
Message content
4.2 Information Collected Automatically
IP address
Browser type and version
Device type and operating system
Pages visited and time spent on pages
Referral source
Click patterns and interactions
5. HOW WE USE YOUR DATA
We collect and process your personal data for the following purposes:
5.1 Order Fulfillment (Legal Basis: Article 6(1)(b) GDPR - Performance of Contract)
Process and fulfill your orders
Manage payments and billing
Arrange shipping and delivery
Send order confirmations and shipping notifications
Handle returns and refunds
Provide customer support
5.2 Account Management (Legal Basis: Article 6(1)(b) GDPR)
Create and maintain your customer account
Remember your preferences
Provide personalized shopping experience
5.3 Communication (Legal Basis: Article 6(1)(b) or (f) GDPR)
Respond to inquiries and support requests
Send transactional emails (order updates, shipping notifications)
Handle complaints and disputes
5.4 Marketing (Legal Basis: Article 6(1)(a) GDPR - Consent)
Send newsletters and promotional emails (only with your consent)
Display personalized advertisements
Send review reminders
Inform you about new products and special offers
You can withdraw marketing consent at any time by clicking "unsubscribe" in emails or contacting us.
5.5 Legal Compliance (Legal Basis: Article 6(1)(c) GDPR)
Comply with tax and accounting requirements
Respond to legal requests
Prevent fraud and abuse
Enforce our Terms & Conditions
5.6 Website Improvement (Legal Basis: Article 6(1)(f) GDPR - Legitimate Interest)
Analyze website usage and performance
Improve user experience
Test and develop new features
Conduct research and analytics
6. WHO WE SHARE YOUR DATA WITH
We share your personal data only with trusted third parties necessary for our business operations:
6.1 Service Providers
Shopify Inc. (E-commerce Platform)
Website hosting and management
Order processing
Payment gateway integration
Location: Canada (adequate protection under GDPR)
Privacy Policy: https://www.shopify.com/legal/privacy
Payment Processors
PayPal (Europe) S.Ã r.l. et Cie, S.C.A. (Luxembourg)
Stripe, Inc. (USA - Standard Contractual Clauses)
Credit card processors (PCI DSS compliant)
Purpose: Secure payment processing
Shipping Carriers
International courier services (FedEx, UPS, DHL, local postal services)
Purpose: Deliver products to your address
Data shared: Name, address, phone number, tracking details
Email Service Providers
Purpose: Send transactional and marketing emails
Data shared: Email address, name, order information
6.2 Marketing and Analytics
Google LLC (USA)
Google Analytics (website analytics)
Google Ads (advertising)
Legal basis: Consent (Article 6(1)(a) GDPR)
Privacy Policy: https://policies.google.com/privacy
Meta Platforms (Facebook/Instagram)
Facebook Pixel (conversion tracking)
Instagram integration
Legal basis: Consent (Article 6(1)(a) GDPR)
Privacy Policy: https://www.facebook.com/privacy/policy
6.3 Legal Requirements
We may disclose your data to:
Law enforcement agencies (when legally required)
Courts and regulatory authorities
Legal advisors and accountants
Fraud prevention services
6.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the new owner. You will be notified of any such change.
7. INTERNATIONAL DATA TRANSFERS
As we operate internationally and use service providers in different countries, your data may be transferred outside the European Economic Area (EEA):
7.1 Adequate Protection Mechanisms
Standard Contractual Clauses (SCCs): For transfers to countries without adequacy decisions
Adequacy Decisions: Canada (PIPEDA), Switzerland, New Zealand recognized by EU
Data Privacy Framework or other applicable transfer mechanisms: For US-based processors, where applicable.
7.2 Your Rights
You can request copies of the safeguards we use for international transfers by contacting us at info@averyandbloom.com.
8. DATA RETENTION
We retain your personal data only as long as necessary for the purposes outlined in this policy or as required by law:
8.1 Retention Periods
Order data: 7 years (tax and accounting law requirements)
Account data: Until account deletion + 30 days
Marketing data: Until consent is withdrawn + 30 days
Contact inquiries: 3 years after resolution
Website analytics: 14-26 months (Google Analytics settings)
Cookie data: As specified in cookie settings (varies by type)
8.2 Deletion
After retention periods expire, your data is securely deleted or anonymized unless:
You have consented to further use
We are legally required to retain it
It is necessary for legal claims
9. YOUR RIGHTS UNDER DATA PROTECTION LAWS
Your rights vary depending on your location. Below are the rights applicable to each jurisdiction:
9.1 EU/EEA Customers (GDPR Rights)
Right of Access (Article 15 GDPR): Request a copy of your personal data
Right to Rectification (Article 16 GDPR): Correct inaccurate data
Right to Erasure (Article 17 GDPR): Request deletion ("right to be forgotten")
Right to Restriction (Article 18 GDPR): Limit how we use your data
Right to Data Portability (Article 20 GDPR): Receive your data in a structured format
Right to Object (Article 21 GDPR): Object to processing based on legitimate interests
Right to Withdraw Consent (Article 7(3) GDPR): Withdraw consent at any time
Right to Lodge a Complaint (Article 77 GDPR): File a complaint with your supervisory authority
Supervisory Authority (EU/EEA): the relevant local data protection authority
Website: available from the relevant authority
9.2 UK Customers (UK GDPR & Data Protection Act 2018)
Same rights as EU customers, enforced by: UK Information Commissioner's Office (ICO) Website: https://ico.org.uk
9.3 Canadian Customers (PIPEDA)
Right to access your personal information
Right to correct inaccurate information
Right to withdraw consent
Right to file a complaint with the Privacy Commissioner of Canada Website: https://www.priv.gc.ca
9.4 Australian Customers (Privacy Act 1988)
Right to access your personal information (Australian Privacy Principle 12)
Right to correct inaccurate information (APP 13)
Right to complain to the Office of the Australian Information Commissioner (OAIC) Website: https://www.oaic.gov.au
9.5 New Zealand Customers (Privacy Act 2020)
Right to access your personal information (Principle 6)
Right to correct inaccurate information (Principle 7)
Right to complain to the Privacy Commissioner Website: https://www.privacy.org.nz
9.6 US Customers (State-Specific Rights)
California (CCPA/CPRA):
Right to know what data is collected
Right to delete personal information
Right to opt-out of data sales (we do not sell data)
Right to non-discrimination
Other US States: Similar rights may apply under state laws (Virginia, Colorado, Connecticut, etc.)
10. DIRECT MARKETING
10.1 Email Newsletter
When you subscribe to our newsletter, we send regular updates about products, offers, and promotions.
Process:
Double opt-in: You must confirm your subscription via email
Legal basis: Article 6(1)(a) GDPR (consent)
Data collected: Email address, name (optional), subscription date, IP address
Unsubscribe: Click the unsubscribe link in any newsletter or email info@averyandbloom.com.
10.2 Marketing to Existing Customers
If you've purchased from us, we may send marketing emails about similar products under Article 6(1)(f) GDPR (legitimate interest). You can opt out at any time.
11. SOCIAL MEDIA PLUGINS
11.1 Facebook
We use Facebook plugins with privacy protection. Data transfer occurs only when you click the plugin. Privacy Policy: https://www.facebook.com/privacy/policy
11.2 Instagram
Instagram plugins are embedded using privacy-enhanced methods. Data transfer occurs only upon interaction. Privacy Policy: https://help.instagram.com/155833707900388
12. WEB ANALYTICS
12.1 Google Analytics
We use Google Analytics to analyze website traffic and user behavior. Your IP address is anonymized.
Legal Basis: Article 6(1)(f) GDPR (legitimate interest) or consent
Opt-Out: Use the Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout
13. ONLINE ADVERTISING
13.1 Google Ads & DoubleClick
We use Google Ads to display relevant advertisements based on your interests.
Legal Basis: Article 6(1)(a) GDPR (consent via cookie banner)
Opt-Out: Adjust your Google Ads settings: https://adssettings.google.com
13.2 Facebook Pixel
We use Facebook Pixel to track conversions and optimize ad campaigns.
Legal Basis: Article 6(1)(a) GDPR (consent)
Opt-Out: Adjust Facebook ad preferences: https://www.facebook.com/ads/preferences
14. SECURITY MEASURES
We implement industry-standard security measures to protect your data:
SSL/TLS encryption for data transmission
Secure servers with firewall protection
PCI DSS compliance for payment processing
Access controls limiting employee access to data
Regular security audits and vulnerability assessments
Data backup systems to prevent data loss
15. DATA BREACH NOTIFICATION
In the event of a data breach that poses a risk to your rights and freedoms, we will:
Notify affected individuals within 72 hours (GDPR requirement)
Notify relevant supervisory authorities as required by law
Provide information about the breach and remedial actions
16. CHILDREN'S PRIVACY
Our website and services are not directed to individuals under 18 years of age. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately at info@averyandbloom.com.
17. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Updates will be posted on this page with a revised "Last Updated" date. Continued use of our website after changes constitutes acceptance of the updated policy.
18. CONTACT US & EXERCISE YOUR RIGHTS
To exercise any of your rights or if you have questions about this Privacy Policy, please contact us:
Email: info@averyandbloom.com Business Hours: Monday – Saturday, 9:00 AM – 5:00 PM CET
We will respond to your request within:
30 days (GDPR/UK)
30 days (PIPEDA Canada)
30 days (Australia Privacy Act)
20 working days (New Zealand Privacy Act)
45 days (CCPA California)
19. SUPERVISORY AUTHORITIES
You have the right to lodge a complaint with the relevant data protection authority in your jurisdiction:
EU/EEA: the relevant local data protection authority UK: Information Commissioner's Office - https://ico.org.uk Canada: Privacy Commissioner of Canada - https://www.priv.gc.ca Australia: OAIC - https://www.oaic.gov.au New Zealand: Privacy Commissioner - https://www.privacy.org.nz US (California): California Attorney General - https://oag.ca.gov
Last Updated: July 8, 2026