Privacy Policy

Privacy Policy

1. INFORMATION ABOUT THE CONTROLLER AND DATA COLLECTION

1.1 Controller Information

We are pleased that you are visiting our website and thank you for your interest. This Privacy Policy explains how we collect, use, and protect your personal data when you use our website or purchase our products.

Controller:

Store Name: Avery & Bloom Company Name: Avery & Bloom Email: info@averyandbloom.com

The controller is responsible for determining the purposes and means of processing personal data under applicable data protection laws, including the GDPR where applicable, UK GDPR where applicable, the Privacy Act 1988 (Australia), PIPEDA (Canada), and other applicable data protection laws.

1.2 Secure Data Transmission

For security reasons and to protect the transmission of personal data and other confidential content (e.g., orders or inquiries), this website uses SSL/TLS encryption. You can recognize an encrypted connection by the "https://" prefix and the lock symbol in your browser's address bar.

2. DATA COLLECTION WHEN VISITING OUR WEBSITE

2.1 Server Log Files

When you visit our website purely for informational purposes without registering or providing other information, we automatically collect data that your browser transmits to our server ("server log files"). This technical data is necessary to display the website and includes:

The webpage you visited

Date and time of access

Amount of data sent (in bytes)

Referrer URL (source from which you accessed the page)

Browser type and version

Operating system used

IP address (anonymized where possible)

Legal Basis: Article 6(1)(f) GDPR (legitimate interest in improving website stability and functionality). The data is not passed on to third parties or used for other purposes. We reserve the right to review server log files if there are specific indications of illegal use.

3. COOKIES AND TRACKING TECHNOLOGIES

3.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us make our website more functional and user-friendly.

3.2 Types of Cookies We Use

Essential Cookies: Necessary for basic website functionality (e.g., shopping cart)

Functional Cookies: Remember your preferences and settings

Performance Cookies: Analyze how you use our website (e.g., Google Analytics)

Marketing Cookies: Track your browsing to show relevant ads (e.g., Facebook Pixel, Google Ads)

3.3 Cookie Duration

Session Cookies: Deleted when you close your browser

Persistent Cookies: Remain on your device for a predefined period (varies by cookie)

Legal Basis:

Essential cookies: Article 6(1)(b) GDPR (performance of contract)

Other cookies: Article 6(1)(a) GDPR (consent) or Article 6(1)(f) GDPR (legitimate interest)

3.4 Managing Cookies

You can configure your browser to:

Be notified when cookies are set

Accept or reject cookies on a case-by-case basis

Block all cookies

Please note that disabling cookies may limit website functionality. You can also withdraw cookie consent at any time through our cookie banner or browser settings.

4. PERSONAL DATA WE COLLECT

4.1 Information You Provide to Us

When you create an account, place an order, or contact us, we collect:

Account & Order Information:

Full name

Email address

Billing address

Shipping address

Phone number (optional)

Payment information (processed by payment providers)

Order history

Product preferences

Contact Information:

Name

Email address

Phone number (if provided)

Message content

4.2 Information Collected Automatically

IP address

Browser type and version

Device type and operating system

Pages visited and time spent on pages

Referral source

Click patterns and interactions

5. HOW WE USE YOUR DATA

We collect and process your personal data for the following purposes:

5.1 Order Fulfillment (Legal Basis: Article 6(1)(b) GDPR - Performance of Contract)

Process and fulfill your orders

Manage payments and billing

Arrange shipping and delivery

Send order confirmations and shipping notifications

Handle returns and refunds

Provide customer support

5.2 Account Management (Legal Basis: Article 6(1)(b) GDPR)

Create and maintain your customer account

Remember your preferences

Provide personalized shopping experience

5.3 Communication (Legal Basis: Article 6(1)(b) or (f) GDPR)

Respond to inquiries and support requests

Send transactional emails (order updates, shipping notifications)

Handle complaints and disputes

5.4 Marketing (Legal Basis: Article 6(1)(a) GDPR - Consent)

Send newsletters and promotional emails (only with your consent)

Display personalized advertisements

Send review reminders

Inform you about new products and special offers

You can withdraw marketing consent at any time by clicking "unsubscribe" in emails or contacting us.

5.5 Legal Compliance (Legal Basis: Article 6(1)(c) GDPR)

Comply with tax and accounting requirements

Respond to legal requests

Prevent fraud and abuse

Enforce our Terms & Conditions

5.6 Website Improvement (Legal Basis: Article 6(1)(f) GDPR - Legitimate Interest)

Analyze website usage and performance

Improve user experience

Test and develop new features

Conduct research and analytics

6. WHO WE SHARE YOUR DATA WITH

We share your personal data only with trusted third parties necessary for our business operations:

6.1 Service Providers

Shopify Inc. (E-commerce Platform)

Website hosting and management

Order processing

Payment gateway integration

Location: Canada (adequate protection under GDPR)

Privacy Policy: https://www.shopify.com/legal/privacy

Payment Processors

PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg)

Stripe, Inc. (USA - Standard Contractual Clauses)

Credit card processors (PCI DSS compliant)

Purpose: Secure payment processing

Shipping Carriers

International courier services (FedEx, UPS, DHL, local postal services)

Purpose: Deliver products to your address

Data shared: Name, address, phone number, tracking details

Email Service Providers

Purpose: Send transactional and marketing emails

Data shared: Email address, name, order information

6.2 Marketing and Analytics

Google LLC (USA)

Google Analytics (website analytics)

Google Ads (advertising)

Legal basis: Consent (Article 6(1)(a) GDPR)

Privacy Policy: https://policies.google.com/privacy

Meta Platforms (Facebook/Instagram)

Facebook Pixel (conversion tracking)

Instagram integration

Legal basis: Consent (Article 6(1)(a) GDPR)

Privacy Policy: https://www.facebook.com/privacy/policy

6.3 Legal Requirements

We may disclose your data to:

Law enforcement agencies (when legally required)

Courts and regulatory authorities

Legal advisors and accountants

Fraud prevention services

6.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the new owner. You will be notified of any such change.

7. INTERNATIONAL DATA TRANSFERS

As we operate internationally and use service providers in different countries, your data may be transferred outside the European Economic Area (EEA):

7.1 Adequate Protection Mechanisms

Standard Contractual Clauses (SCCs): For transfers to countries without adequacy decisions

Adequacy Decisions: Canada (PIPEDA), Switzerland, New Zealand recognized by EU

Data Privacy Framework or other applicable transfer mechanisms: For US-based processors, where applicable.

7.2 Your Rights

You can request copies of the safeguards we use for international transfers by contacting us at info@averyandbloom.com.

8. DATA RETENTION

We retain your personal data only as long as necessary for the purposes outlined in this policy or as required by law:

8.1 Retention Periods

Order data: 7 years (tax and accounting law requirements)

Account data: Until account deletion + 30 days

Marketing data: Until consent is withdrawn + 30 days

Contact inquiries: 3 years after resolution

Website analytics: 14-26 months (Google Analytics settings)

Cookie data: As specified in cookie settings (varies by type)

8.2 Deletion

After retention periods expire, your data is securely deleted or anonymized unless:

You have consented to further use

We are legally required to retain it

It is necessary for legal claims

9. YOUR RIGHTS UNDER DATA PROTECTION LAWS

Your rights vary depending on your location. Below are the rights applicable to each jurisdiction:

9.1 EU/EEA Customers (GDPR Rights)

Right of Access (Article 15 GDPR): Request a copy of your personal data

Right to Rectification (Article 16 GDPR): Correct inaccurate data

Right to Erasure (Article 17 GDPR): Request deletion ("right to be forgotten")

Right to Restriction (Article 18 GDPR): Limit how we use your data

Right to Data Portability (Article 20 GDPR): Receive your data in a structured format

Right to Object (Article 21 GDPR): Object to processing based on legitimate interests

Right to Withdraw Consent (Article 7(3) GDPR): Withdraw consent at any time

Right to Lodge a Complaint (Article 77 GDPR): File a complaint with your supervisory authority

Supervisory Authority (EU/EEA): the relevant local data protection authority

Website: available from the relevant authority

9.2 UK Customers (UK GDPR & Data Protection Act 2018)

Same rights as EU customers, enforced by: UK Information Commissioner's Office (ICO) Website: https://ico.org.uk

9.3 Canadian Customers (PIPEDA)

Right to access your personal information

Right to correct inaccurate information

Right to withdraw consent

Right to file a complaint with the Privacy Commissioner of Canada Website: https://www.priv.gc.ca

9.4 Australian Customers (Privacy Act 1988)

Right to access your personal information (Australian Privacy Principle 12)

Right to correct inaccurate information (APP 13)

Right to complain to the Office of the Australian Information Commissioner (OAIC) Website: https://www.oaic.gov.au

9.5 New Zealand Customers (Privacy Act 2020)

Right to access your personal information (Principle 6)

Right to correct inaccurate information (Principle 7)

Right to complain to the Privacy Commissioner Website: https://www.privacy.org.nz

9.6 US Customers (State-Specific Rights)

California (CCPA/CPRA):

Right to know what data is collected

Right to delete personal information

Right to opt-out of data sales (we do not sell data)

Right to non-discrimination

Other US States: Similar rights may apply under state laws (Virginia, Colorado, Connecticut, etc.)

10. DIRECT MARKETING

10.1 Email Newsletter

When you subscribe to our newsletter, we send regular updates about products, offers, and promotions.

Process:

Double opt-in: You must confirm your subscription via email

Legal basis: Article 6(1)(a) GDPR (consent)

Data collected: Email address, name (optional), subscription date, IP address

Unsubscribe: Click the unsubscribe link in any newsletter or email info@averyandbloom.com.

10.2 Marketing to Existing Customers

If you've purchased from us, we may send marketing emails about similar products under Article 6(1)(f) GDPR (legitimate interest). You can opt out at any time.

11. SOCIAL MEDIA PLUGINS

11.1 Facebook

We use Facebook plugins with privacy protection. Data transfer occurs only when you click the plugin. Privacy Policy: https://www.facebook.com/privacy/policy

11.2 Instagram

Instagram plugins are embedded using privacy-enhanced methods. Data transfer occurs only upon interaction. Privacy Policy: https://help.instagram.com/155833707900388

12. WEB ANALYTICS

12.1 Google Analytics

We use Google Analytics to analyze website traffic and user behavior. Your IP address is anonymized.

Legal Basis: Article 6(1)(f) GDPR (legitimate interest) or consent

Opt-Out: Use the Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout

13. ONLINE ADVERTISING

13.1 Google Ads & DoubleClick

We use Google Ads to display relevant advertisements based on your interests.

Legal Basis: Article 6(1)(a) GDPR (consent via cookie banner)

Opt-Out: Adjust your Google Ads settings: https://adssettings.google.com

13.2 Facebook Pixel

We use Facebook Pixel to track conversions and optimize ad campaigns.

Legal Basis: Article 6(1)(a) GDPR (consent)

Opt-Out: Adjust Facebook ad preferences: https://www.facebook.com/ads/preferences

14. SECURITY MEASURES

We implement industry-standard security measures to protect your data:

SSL/TLS encryption for data transmission

Secure servers with firewall protection

PCI DSS compliance for payment processing

Access controls limiting employee access to data

Regular security audits and vulnerability assessments

Data backup systems to prevent data loss

15. DATA BREACH NOTIFICATION

In the event of a data breach that poses a risk to your rights and freedoms, we will:

Notify affected individuals within 72 hours (GDPR requirement)

Notify relevant supervisory authorities as required by law

Provide information about the breach and remedial actions

16. CHILDREN'S PRIVACY

Our website and services are not directed to individuals under 18 years of age. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately at info@averyandbloom.com.

17. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Updates will be posted on this page with a revised "Last Updated" date. Continued use of our website after changes constitutes acceptance of the updated policy.

18. CONTACT US & EXERCISE YOUR RIGHTS

To exercise any of your rights or if you have questions about this Privacy Policy, please contact us:

Email: info@averyandbloom.com Business Hours: Monday – Saturday, 9:00 AM – 5:00 PM CET

We will respond to your request within:

30 days (GDPR/UK)

30 days (PIPEDA Canada)

30 days (Australia Privacy Act)

20 working days (New Zealand Privacy Act)

45 days (CCPA California)

19. SUPERVISORY AUTHORITIES

You have the right to lodge a complaint with the relevant data protection authority in your jurisdiction:

EU/EEA: the relevant local data protection authority UK: Information Commissioner's Office - https://ico.org.uk Canada: Privacy Commissioner of Canada - https://www.priv.gc.ca Australia: OAIC - https://www.oaic.gov.au New Zealand: Privacy Commissioner - https://www.privacy.org.nz US (California): California Attorney General - https://oag.ca.gov

Last Updated: July 8, 2026