Privacy Policy

 This Privacy Policy describes how and when I collect, use, and share  information when you purchase an item from me, contact me, or otherwise  use my services through thecandleandcardco.com or its related sites and services.
 

This Privacy Policy does not apply to the practices of third parties  that I do not own or control.
 

Information I Collect
To fulfill your order, you must provide me with certain information, such as your name, email  address, postal address, payment information, and the details of the  product that you’re ordering. You may also choose to provide me with  additional personal information (for a custom order of a card, for  example), if you contact me directly.

I rely on a number of legal bases to collect, use, and share your information, including:
 

as needed to provide my services, such as when I use your information to  fulfill your order, to settle disputes, or to provide customer support;
 

when you have provided your affirmative consent, which you may revoke at any time, such as by signing up for my mailing list;
 

if necessary to comply with a legal obligation or court order or in  connection with a legal claim, such as retaining information about your  purchases if required by tax law; and
as necessary for the purpose of my legitimate interests, if those  legitimate interests are not overridden by your rights or interests,  such as 1) providing and improving my services. I use your information  to provide the services you requested and in my legitimate interest to  improve my services.
 

Information Sharing and Disclosure
Information about my customers is important to my business. I share your  personal information for very limited reasons and in limited  circumstances, as follows:

*
Service providers. I engage certain trusted third parties to perform  functions and provide services to my shop, such as delivery companies. I  will share your personal information with these third parties, but only  to the extent necessary to perform these services.
*
Business transfers. If I sell or merge my business, I may disclose your  information as part of that transaction, only to the extent permitted by  law.
 

Compliance with laws. I may collect, use, retain, and share your  information if I have a good faith belief that it is reasonably  necessary to: (a) respond to legal process or to government requests;  (b) enforce my agreements, terms and policies; (c) prevent, investigate,  and address fraud and other illegal activity, security, or technical  issues; or (d) protect the rights, property, and safety of my customers,  or others.
 

Data Retention
I retain your personal information only for as long as necessary to  provide you with my services and as described in my Privacy Policy.  However, I may also be required to retain this information to comply  with my legal and regulatory obligations, to resolve disputes, and to  enforce my agreements. I generally keep your data for the following time  period: 5 years.
 

Transfers of Personal Information Outside the EU
I may store and process your information through third-party hosting  services in the US and other jurisdictions. As a result, I may transfer  your personal information to a jurisdiction with different data  protection and government surveillance laws than your jurisdiction. If I  am deemed to transfer information about you outside of the EU, I rely  on Privacy Shield as the legal basis for the transfer, as Google Cloud  is Privacy Shield certified.
 

Your Rights
If you reside in certain territories, including the EU, you have a  number of rights in relation to your personal information. While some of  these rights apply generally, certain rights apply only in certain  limited cases. I describe these rights below:
 

Access. You may have the right to access and receive a copy of the  personal information I hold about you by contacting me using the contact  information below.
 

Change, restrict, delete. You may also have rights to change, restrict  my use of, or delete your personal information. Absent exceptional  circumstances (like where I am required to store data for legal reasons)  I will generally delete your personal information upon request.
 

Object. You can object to (i) my processing of some of your information  based on my legitimate interests and (ii) receiving marketing messages  from me after providing your express consent to receive them. In such  cases, I will delete your personal information unless I have compelling  and legitimate grounds to continue using that information or if it is  needed for legal reasons.
 

Complain. If you reside in the EU and wish to raise a concern about my  use of your information (and without prejudice to any other rights you  may have), you have the right to do so with your local data protection  authority.
 

How to Contact Me
 

For purposes of EU data protection law, I, Kim Paley, am the data  controller of your personal information. If you have any questions or  concerns, you may contact me at thecandleandcardco@gmail.com.  Alternately, you may mail me at:
 

Kim Paley, 3 Rue du Bourg, Lourdes,  65100, France.