Privacy Policy

1. Who we are (data controller)

This Privacy Policy explains how Demo Fashion Store ("we", "us") collects, uses and protects your personal data when you visit our website, create an account or place an order. We are the data controller responsible for the personal data described here, which means we decide why and how it is processed. Our registered address is Demo Street 1, Vilnius, Lithuania, and you can reach our data protection contact for any privacy question at privacy@example.com or through our Contact page. We aim to respond to every privacy enquiry promptly and, in any event, within the timeframes required by applicable law.

2. What personal data we collect

We collect the data you give us and the data we generate as you use the store. This includes your contact and account details (name, email address and phone number); the delivery and billing addresses you enter at checkout; your order history and payment details (we receive a confirmation of payment from our payment provider but never store full card numbers on our systems); and any messages, reviews or support requests you send us. We also collect technical and usage data automatically — such as your IP address, device and browser type, and how you browse and search the store — largely through cookies and similar technologies. We only collect data that is relevant to the purposes set out below.

3. How and why we use your data

We use your personal data to take and fulfil your orders, arrange delivery, process payments and issue invoices and refunds. It also lets us manage your account, respond to customer-service requests, handle returns and warranty claims, and keep the store secure by detecting and preventing fraud and abuse. Where you have given your consent, we use your data to send you newsletters and tailored offers, and we analyse aggregated usage to improve our products, range and website. We will not use your data for a new, unrelated purpose without first informing you and, where required, obtaining your consent.

4. Legal bases for processing

Under the General Data Protection Regulation (GDPR) we always rely on a lawful basis. We process data to perform our contract with you (to take payment and deliver the orders you place); on the basis of our legitimate interests (to run, secure and improve the store and to prevent fraud, balanced against your rights); with your consent (for marketing emails and non-essential cookies, which you can withdraw at any time); and to comply with a legal obligation (for example, keeping tax, accounting and consumer-protection records). Where we rely on legitimate interests, you have the right to object, as explained below.

5. Sharing with third parties and processors

We share your personal data only where it is necessary, and only with carefully selected service providers who act on our documented instructions as our processors. These include payment providers who handle your transactions, delivery and courier partners who fulfil shipments, IT, hosting and email providers who run our infrastructure, and analytics and marketing tools that we use within the limits of your cookie choices. Each provider is bound by a contract that allows them to use your data only for the purposes we set and requires them to keep it secure. We may also disclose data where the law requires it, for example to tax or law-enforcement authorities. We never sell your personal data to anyone.

6. Cookies and tracking

We use cookies and similar technologies to make the store work, remember your basket and preferences, and — only with your consent — to measure traffic and show you relevant offers. Strictly necessary cookies are always active because the site cannot function without them, while analytics and marketing cookies are set only after you agree. You can review, change or withdraw your cookie consent at any time through the cookie settings on our site. Full detail of every category of cookie we use and how long it lasts is set out in our Cookie Policy.

7. International transfers

We aim to keep your personal data within the European Economic Area (EEA). Some of our service providers, however, may process data in countries outside the EEA. When that happens, we make sure an appropriate safeguard recognised by the GDPR is in place — typically the European Commission's Standard Contractual Clauses, supplemented where necessary by additional technical and organisational measures — so that your data continues to enjoy an equivalent level of protection. You can ask us for more information about these transfers and safeguards using the contact details above.

8. Data retention

We keep your personal data only for as long as it is needed for the purposes described in this policy, and then delete or anonymise it. In practice this means we retain order and accounting records for the period required by Lithuanian tax and commercial law (generally up to ten years), keep your account data for as long as your account remains active, and hold marketing data until you unsubscribe or withdraw your consent. Where data is no longer required for any active purpose and we are not legally obliged to keep it, we securely erase it.

9. Your rights under the GDPR

As a data subject you have strong rights over your personal data. You can request access to the data we hold about you and ask for a copy; have inaccurate data rectified and incomplete data completed; ask us to erase your data ("the right to be forgotten") where there is no overriding reason to keep it; restrict or object to certain processing, including direct marketing; and receive your data in a portable, machine-readable format to reuse or transfer elsewhere. Where we rely on your consent, you can withdraw it at any time without affecting processing that already took place. Exercising any of these rights is free of charge and will never disadvantage you.

10. How to exercise your rights or complain

To exercise any of the rights above, simply contact us through our Contact page or by email at privacy@example.com, telling us which right you wish to use. We may need to verify your identity before we act, to keep your data safe. We will respond within one month, and will explain our reasons if we are unable to meet a request. If you are unhappy with how we handle your data, you also have the right to lodge a complaint with the supervisory authority — in Lithuania, the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija, vdai.lrv.lt).

11. Children's data

Our store is intended for adults and is not directed at children. We do not knowingly collect personal data from children under the age of 16 without the consent of a parent or guardian. If you believe a child has provided us with personal data, please contact us at privacy@example.com and we will delete it promptly.

12. Data security

We take the security of your personal data seriously and apply appropriate technical and organisational measures to protect it. These include encryption of data in transit, restricted and role-based access to systems, regular software updates, secure backups and the use of vetted, contractually bound service providers. While no method of transmission or storage can be guaranteed to be perfectly secure, we work continuously to safeguard your data against loss, misuse and unauthorised access, and we have procedures in place to deal with any suspected data breach.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes to our store, our service providers or the law. The version published on this page is always the one currently in force, and we recommend reviewing it periodically. Where a change is significant, we will highlight it on this page and, where appropriate, notify you directly so that you stay informed about how your data is handled.