Legal
Privacy policy
Last updated: [date]
Template reflecting Vaelmar’s actual processors (Stripe, Gelato, Plausible, Resend, Vercel). Confirm each processor you actually use and have it reviewed before launch.
This policy explains how [Vaelmar OÜ] (“we”, the data controller) processes your personal data under the EU General Data Protection Regulation (GDPR). Contact: [hello@vaelmar.com].
What we collect, why, and on what basis
| Data | Purpose | Legal basis |
|---|---|---|
| Order & delivery details (name, address, email, phone) | To take payment, fulfil and ship your order, and contact you about it | Performance of a contract (Art. 6(1)(b)) |
| Payment data | Processed directly by Stripe — we never see or store your full card number | Contract / Stripe as processor |
| Order records & invoices | Accounting and tax retention | Legal obligation (Art. 6(1)(c)) |
| Email address (newsletter, if you opt in) | To send you updates and offers | Consent (Art. 6(1)(a)) — withdrawable anytime |
| Aggregate, anonymous usage stats | To understand traffic. We use Plausible — cookieless, no personal data, EU-hosted | Legitimate interest (Art. 6(1)(f)) |
Who we share it with (processors)
- Stripe — payment processing. (Stripe Payments Europe; transfers under the EU–US Data Privacy Framework / SCCs.)
- Gelato — print-on-demand fulfilment; receives your shipping name and address to produce and deliver your order.
- Vercel — website hosting (server logs).
- Resend — sending your order-confirmation and transactional emails.
- Plausible Analytics — cookieless, EU-hosted, privacy-first statistics (no personal data).
We do not sell your data. We share it only with the processors above, strictly to run the shop, and only what each needs.
International transfers
Where a processor stores data outside the EEA (e.g. some Stripe/Vercel infrastructure), the transfer is covered by EU Standard Contractual Clauses and/or the EU–US Data Privacy Framework.
How long we keep it
Order and invoice data: for the period required by Estonian accounting and tax law (typically 7 years). Newsletter data: until you unsubscribe. Analytics: aggregate only, no personal data retained.
Cookies
We use only strictly necessary storage: a cart saved in your browser’s local storage, and the secure session cookie set by Stripe on its own checkout page. We set no advertising or tracking cookies, which is why you won’t see a cookie banner. If we ever add advertising pixels, we will ask for your consent first.
Your rights
You have the right to access, rectify, erase, restrict, port, and object to the processing of your data, and to withdraw consent at any time. To exercise any of these, email [hello@vaelmar.com]. You may also lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee).
See also our Imprint, Terms of Sale and Returns & Right of Withdrawal.