Privacy Policy

This Privacy Policy explains how Boutique Spiritual We collects, uses, stores, shares, and protects your personal data when you use our website https://boutiquespiritual.com and related services. This Policy complies with the General Data Protection Regulation (GDPR), the Polish Personal Data Protection Act (UODO), and other applicable data protection laws.

By using our Website and Services, you acknowledge that you have read and understood this Policy.

1. Data Controller

The Data Controller responsible for your personal data is:

Boutique Spiritual
Email: support@boutiquespiritual.com

if you have questions or wish to exercise your rights, you may contact us at the above address.

2. Categories of Data We Collect

We may collect and process the following categories of personal data:

Identification data: name, surname, country of residence.
Contact data: email address, phone number, billing and shipping address.
Account data: username, login details, encrypted password, purchase history.
Payment data: processed securely via third-party providers (we do not store full card details).
Technical data: IP address, browser type, operating system, cookies, device identifiers.
User-generated content: feedback, reviews, uploaded files, communications.

We do not knowingly collect data from individuals under the age of 18.

3. Purposes and Legal Bases of Processing

We process your personal data only when permitted by law. The main purposes include:

Contract performance (Art. 6(1)(b) GDPR): creating accounts, processing orders, delivering services.
Legal obligations (Art. 6(1)(c) GDPR): compliance with tax, accounting, anti-money laundering, and payment regulations.
Legitimate interests (Art. 6(1)(f) GDPR): fraud prevention, improving services, securing systems, customer support.
Consent (Art. 6(1)(a) GDPR): sending newsletters, promotional offers, or optional surveys.

You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

4. Payment Processing

We use secure third-party payment processors like Shopify and KOMOJU to process transactions. Your payment data is handled in accordance with PCI DSS standards. We do not store or have direct access to your full payment card.

5. Data Retention

We retain personal data only for as long as necessary:

Account data: until deletion of your account or 5 years after last activity (to comply with financial laws).
Transaction data: minimum 5 years as required by Polish tax and accounting regulations.
Marketing data: until consent is withdrawn.

After these periods, data will be securely deleted or anonymized.

6. Data Sharing and Transfers

We may share data with:

Service providers (IT hosting, payment processors, logistics, marketing) bound by confidentiality and data protection obligations.
Regulatory bodies when legally required (tax authorities, law enforcement, courts).
Affiliates or business partners when necessary to provide our Services.

We do not sell or rent personal data. Data may be transferred outside the EEA only where adequate safeguards (e.g., Standard Contractual Clauses) are in place.

7. Your Rights (GDPR & UODO)

You have the following rights regarding your personal data:

Right to access and obtain a copy of your data.
Right to rectification of inaccurate or incomplete data.
Right to erasure (“right to be forgotten”) in certain circumstances.
Right to restrict processing.
Right to object to processing based on legitimate interests.
Right to data portability.
Right to withdraw consent (where applicable).
Right to lodge a complaint with the President of the Personal Data Protection Office (UODO) in Poland or your local supervisory authority.

8. Cookies and Tracking

Our Website uses cookies and similar technologies to improve your experience. You may control or disable cookies through your browser settings. For details, see our Cookie Policy [link].

9. Data Security

We apply strict security measures including:

Encrypted connections (SSL/TLS).
Firewalls and intrusion detection systems.
Access controls and staff training.
Regular audits and compliance checks.

However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute protection but commit to best-practice safeguards.

10. Data Breach Notification

In case of a data breach likely to result in risk to your rights and freedoms, we will notify affected users and competent authorities within the timelines required by GDPR (typically within 72 hours).

11. Updates to This Policy

We may update this Policy from time to time. Significant changes will be communicated via email or notice on the Website. Continued use of our Services constitutes acceptance of the updated Policy.