1. Data controller
The data controller is [Legal entity — pending], European Union. Contact for all data protection matters: hello@herbalyao.com. Once the legal entity is incorporated, a Data Protection Officer may be designated if required by applicable law.
2. What data we collect
We collect personal data only when you voluntarily provide it. This includes:
- Order data: name, delivery address, email address, phone number (where provided), and order history.
- Communication data: email content and metadata when you contact us via hello@herbalyao.com or the contact form.
- Newsletter data: email address if you subscribe to our newsletter. Subscription is opt-in only.
- Browsing data: if analytics is active (see §5), anonymised data about pages visited, session duration, and referral source.
We do not collect sensitive data (health data, biometric data, financial card data). Payment processing is handled by third-party providers, who are the data controllers for card data.
3. Legal bases for processing
- Contract performance (Art. 6(1)(b) GDPR): processing necessary to fulfil your order and deliver products.
- Legitimate interest (Art. 6(1)(f) GDPR): fraud prevention, website security, customer service, and improving our products.
- Consent (Art. 6(1)(a) GDPR): newsletter subscription. You may withdraw consent at any time by clicking "unsubscribe" or emailing us.
- Legal obligation (Art. 6(1)(c) GDPR): retaining accounting records as required by law.
4. How we use your data
We use your data solely for the purposes for which it was collected: fulfilling orders, communicating about your order or inquiry, sending newsletters (if subscribed), and improving our website and product range. We do not sell, rent, or share your data with third parties for their marketing purposes.
5. Cookies and analytics
This website uses a minimal cookie footprint. Strictly necessary cookies (e.g., cart session in localStorage) are used to provide core functionality. No third-party advertising cookies are used. If analytics software is deployed, it will be a privacy-first, cookieless solution (e.g., Plausible or Fathom) that does not track individuals across sites or require consent under GDPR. Analytics data is aggregated and anonymised.
The localStorage key bot_cart stores your cart contents locally on your device. This data never leaves your device.
6. Data sharing and transfers
We share personal data only with:
- Payment processors: to process transactions. These processors are GDPR-compliant and subject to data processing agreements.
- Shipping carriers: name and delivery address only, to fulfil orders.
- Email service providers: to send transactional and newsletter emails. Subject to data processing agreements.
All data processors are located within the EEA, or operate under appropriate transfer mechanisms (Standard Contractual Clauses or adequacy decisions) where located outside the EEA.
7. Data retention
Order data is retained for 10 years as required by EU accounting law. Communication data is retained for 3 years, or until you request deletion. Newsletter data is retained until you unsubscribe. Browsing/analytics data (if any) is retained for 12 months in aggregated, anonymised form only.
8. Your rights
Under GDPR, you have the right to:
- Access: obtain a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate data.
- Erasure: request deletion of your data (subject to legal retention obligations).
- Restriction: request that we restrict processing of your data.
- Portability: receive your data in a structured, machine-readable format.
- Object: object to processing based on legitimate interest.
- Withdraw consent: for any processing based on consent (e.g., newsletter).
To exercise any of these rights, email hello@herbalyao.com. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority.
9. Data security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. This includes TLS encryption for all data in transit, access controls, and regular security reviews. In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR.
10. Changes to this policy
We may update this Privacy Policy from time to time. The "last updated" date at the top of this page reflects the most recent revision. For material changes, we will notify subscribers by email. Continued use of this website after changes constitutes acceptance of the updated policy.