Privacy Policy

1. Introduction and data controller

Your privacy matters to us. This Privacy Policy explains what personal data [Legal entity — pending] ("we", "us", "our") collects when you visit or interact with this website, how we use that data, and what rights you have under applicable law including the EU General Data Protection Regulation (GDPR) and equivalent national legislation.

The data controller is [Legal entity — pending], reachable at hello@cremovo.com. When entity registration is complete, a full registered address and VAT number will be added to this policy.

2. Data we collect

We may collect the following categories of personal data:

• Order data: name, email address, delivery address, order contents and payment reference (not card number — payment data is processed by our payment provider).
• Contact data: name, email address and the content of any message you send us via the contact form.
• Newsletter data: email address, if you subscribe to our newsletter.
• Browsing data: IP address, browser type, device type and pages visited, collected via server logs and, if applicable, analytics software.
• Preference data: language preference and cart contents stored locally in your browser (localStorage) — this data does not leave your device unless you place an order.

3. How we use your data

We use your data for the following purposes and legal bases:

• Order fulfilment (contract performance): processing your order, arranging shipping, issuing invoices and handling returns.
• Customer service (legitimate interest / contract): responding to your enquiries and resolving complaints.
• Marketing (consent): sending newsletters if you have subscribed. You may unsubscribe at any time via the link in any email we send.
• Legal obligations: retaining order and invoice data for the period required by applicable tax and commercial law (typically 7–10 years depending on jurisdiction).
• Website improvement (legitimate interest): analysing anonymised browsing data to understand how the website is used and where it can be improved.

4. Data sharing and processors

We do not sell your personal data. We share data only with the following categories of third-party processors who have agreed to appropriate data processing terms:

• Payment processors: handle card payment authorisation. They do not receive your full card number after processing.
• Shipping carriers: receive your name and delivery address to fulfil delivery.
• Email service providers: used to send order confirmation and newsletter emails.
• Hosting and infrastructure providers: our website and databases are hosted on servers within the EU or in jurisdictions with adequate data protection frameworks.

We will disclose data to law enforcement or regulatory authorities if required to do so by law.

5. Cookies and local storage

This website uses browser localStorage (not cookies) to store your language preference and shopping cart contents. This data is stored on your device only and is not transmitted to our servers unless you complete a purchase or newsletter subscription.

If we implement third-party analytics or advertising services, we will update this policy and request your consent where required by law. Currently, no third-party tracking cookies are set by this website.

6. Data retention

We retain personal data only for as long as necessary for the purpose for which it was collected, unless a longer retention period is required by law:

• Order data: 7 years from the date of the order (statutory accounting requirement).
• Contact form messages: 12 months from the date of the last reply, unless the matter requires longer retention.
• Newsletter subscriber data: until you unsubscribe, plus 30 days to process the request.
• Server logs: 90 days on a rolling basis.

7. Your rights

Under GDPR and equivalent laws, you have the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you.
• Rectification: request correction of inaccurate data.
• Erasure: request deletion of your data, subject to legal retention obligations.
• Restriction: request that we restrict processing of your data in certain circumstances.
• Portability: receive your data in a structured, machine-readable format.
• Objection: object to processing based on legitimate interest, including for direct marketing.
• Withdrawal of consent: withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.

To exercise any of these rights, contact hello@cremovo.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the supervisory authority in your country of residence.

8. International transfers

Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission, or transfer to countries with an adequate level of data protection as determined by the Commission.

9. Data security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration or disclosure. These include HTTPS encryption for all data in transit, access controls for our systems, and regular review of our security practices. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, affected individuals within the timeframes required by law.

10. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will post the updated policy on this page with a revised "Last updated" date. If changes are material, we will notify you by email (if you are a customer or subscriber) or by a notice on the website. We encourage you to review this policy periodically.

For questions about this policy or your data, write to hello@cremovo.com.