Kysmé GDPR Privacy Policy (DRAFT)

Effective Date: 19 October 2025

This Privacy Policy outlines how **Kysmé** (“we,” “our,” or “us”) collects, uses, and protects your personal data in compliance with the General Data Protection Regulation (GDPR).

1. Data Controller Contact Information

2. Personal Data We Collect and Legal Basis

We collect and process personal data based on the following legal grounds:

2.1. Contractual Necessity (e.g., fulfilling orders)

We process data necessary to fulfill our obligations under a contract with you, or to take steps at your request before entering into a contract.

• Data Collected: Name, shipping address, billing address, phone number, and order details.
• Purpose: Processing and fulfilling your product orders, managing payments, and delivering customer service related to your purchase.

2.2. Legitimate Interest (e.g., improving services)

We process data when it is necessary for our legitimate interests (or those of a third party) and your fundamental rights do not override those interests.

• Data Collected: Browsing history, IP address, and technical device data.
• Purpose: Improving the user experience, enhancing website security, and internal analytics to optimize product offerings.

2.3. Consent (e.g., marketing)

We process data when you have given clear consent for us to process your personal data for a specific purpose.

• Data Collected: Email address.
• Purpose: Sending promotional emails and marketing communications about Kysmé products, collections, and The Journal updates (if you subscribe).

3. Data Storage and Retention

We will retain your personal data only for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.

• Transaction Data: Retained for [NUMBER] years to comply with tax and legal requirements.
• Marketing Data: Retained until you withdraw consent (unsubscribe).

4. Sharing and Disclosure of Personal Data

We may share your data with third-party service providers who help us operate our business, such as:

• Payment processors (e.g., Stripe, PayPal) to process transactions.
• Shipping and fulfillment companies (e.g., UPS, DHL) to deliver your orders.
• Analytics providers (e.g., Google Analytics) to help us understand website usage.

We ensure all third-party service providers are contractually bound to comply with GDPR requirements.

5. Your Rights Under GDPR

As a data subject, you have the following rights concerning your personal data:

• The right to access: You can request copies of the personal data we hold about you.
• The right to rectification: You can request that we correct any information you believe is inaccurate or incomplete.
• The right to erasure (‘right to be forgotten’): You can request that we erase your personal data, under certain conditions.
• The right to restrict processing: You can request that we restrict the processing of your personal data, under certain conditions.
• The right to object to processing: You have the right to object to our processing of your personal data, under certain conditions.
• The right to data portability: You can request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
• The right to withdraw consent: You have the right to withdraw your consent at any time where we rely on consent to process your personal data.

To exercise any of these rights, please contact us at: contact@kysmé.com.

6. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The revised version will be indicated by an updated “Effective Date” and will be effective as soon as it is accessible. We encourage you to review this Privacy Policy frequently to be informed of how we are protecting your information.