Icons of Skin Maison Privacy Policy
ICONS OF SKIN MAISON
PRIVACY POLICY
(EU / EEA — GDPR Compliant)
1. DATA CONTROLLER
The data controller responsible for the processing of your personal data through this website is:
Legal Entity: Royce Roll Design Group, LLC
Trading As (DBA): Icons of Skin Maison
Registered Office: 1000 Brickell Avenue, Suite #715, Miami, FL 33131, USA
State of Formation: Florida, USA
Registration Number: L19000258194 (Florida Division of Corporations)
Managing Member: Jeffrey Chancellor Roll
Email: privacy@the-ios.maison
General Contact: ClientService@the-ios.maison
Telephone: +1 305 317 4117
Website: www.the-ios.maison
2. EU REPRESENTATIVE (Article 27 GDPR)
As the Data Controller is established outside the European Union and offers goods to individuals within the EU/EEA, we have appointed an EU Representative in accordance with Article 27 of the General Data Protection Regulation (EU) 2016/679:
EU Representative: Pandectus GDPR Representative Services
Address: [To be inserted upon finalization of Pandectus contract]
Email: [To be inserted upon finalization of Pandectus contract]
Our EU Representative can be contacted regarding all matters related to the processing of personal data of individuals in the EU/EEA and the exercise of data subject rights under the GDPR.
3. SCOPE OF THIS PRIVACY POLICY
This Privacy Policy applies to all personal data processed by Icons of Skin Maison through:
· Our online store at www.the-ios.maison (the "Online Store");
· Email communications, including marketing emails and transactional correspondence;
· Customer service interactions;
· Any other interaction with our business in connection with the sale of goods to customers with delivery addresses in Germany (DE), the Netherlands (NL), Sweden (SE), Denmark (DK), Finland (FI), Austria (AT), Luxembourg (LU), and Belgium (BE).
This Privacy Policy is provided in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 (the "GDPR") and applicable national data protection laws of the countries listed above.
4. CATEGORIES OF PERSONAL DATA WE COLLECT
4.1 Data You Provide Directly
|
Category |
Data Elements |
When Collected |
|
Identity Data |
First name, last name |
Account creation, checkout |
|
Contact Data |
Email address, telephone number, delivery address, billing address |
Checkout, account creation, customer service |
|
Transaction Data |
Order number, products purchased, purchase amount, payment method used, date and time of transaction |
Each purchase |
|
Payment Data |
Credit/debit card details (last 4 digits only — full card data is processed by Shopify Payments and never stored by us), PayPal account, Klarna account, iDEAL/Bancontact/Sofort transaction references |
Checkout |
|
Communication Data |
Emails, messages, and correspondence with our customer service team, withdrawal notices, RMA requests |
Customer service interactions |
|
Account Data |
Login credentials (email and encrypted password), order history, saved addresses, communication preferences |
Account creation and use |
|
Consent Records |
Cookie consent preferences, marketing opt-in/opt-out records, withdrawal of consent records |
Cookie banner interaction, newsletter signup |
4.2 Data Collected Automatically
When you visit our Online Store, the following data is collected automatically through cookies and similar technologies (subject to your consent where required):
|
Category |
Data Elements |
Technology |
|
Device & Browser Data |
IP address (anonymized), browser type and version, operating system, screen resolution, device type (desktop/mobile/tablet), language settings |
Server logs, Google Analytics 4 |
|
Usage Data |
Pages visited, time spent on pages, click paths, referral source (URL), search terms used on site |
Google Analytics 4 (consent-gated) |
|
Cookie Data |
Session identifiers, language preferences, shopping cart contents, consent status |
Shopify, Pandectes GDPR Compliance, Weglot |
|
Fraud Prevention Data |
IP address, device fingerprint, geolocation (country/city level), behavioral patterns, order velocity |
ClearSale |
4.3 Data We Do Not Collect
We do not knowingly collect:
· Special categories of personal data (Article 9 GDPR) — including health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, or sexual orientation;
· Data from children under the age of 16 (or the applicable age of digital consent in your country of residence);
· Full credit card numbers, CVV codes, or complete bank account details (these are processed exclusively by our payment service providers and never stored on our systems).
5. PURPOSES OF PROCESSING AND LEGAL BASES
We process your personal data only where we have a lawful basis to do so under Article 6(1) GDPR. The following table sets out each purpose, the data involved, and the legal basis:
|
Purpose |
Data Used |
Legal Basis (Art. 6(1) GDPR) |
Retention |
|
Processing and fulfilling your order (including transmission of name and delivery address to our Fulfillment Partners) |
Identity, Contact, Transaction, Payment Data |
(b) Performance of contract |
Duration of contract + 10 years (statutory retention under German HGB §257 / AO §147) |
|
Issuing invoices and complying with tax/accounting obligations |
Identity, Contact, Transaction Data |
(c) Legal obligation (EU VAT Directive, HGB, AO) |
10 years from end of fiscal year |
|
Fraud prevention and risk assessment |
Identity, Contact, Transaction, Device, Behavioral Data |
(f) Legitimate interest (protection against fraud) |
Duration of transaction review + up to 12 months |
|
Sending transactional emails (order confirmation, shipping updates, withdrawal confirmation) |
Identity, Contact, Transaction Data |
(b) Performance of contract |
Duration of contract + 30 days |
|
Sending marketing emails and newsletters |
Identity, Contact Data, Purchase History |
(a) Consent (double opt-in) |
Until withdrawal of consent |
|
Responding to customer service inquiries, RMA claims, and withdrawal requests |
Identity, Contact, Communication, Transaction Data |
(b) Performance of contract / (c) Legal obligation |
Duration of claim resolution + 3 years (statute of limitations) |
|
Website analytics and performance optimization |
Device, Usage, Cookie Data |
(a) Consent (via cookie banner) |
See Section 8 (Cookies) |
|
Ensuring website security and preventing abuse |
IP address, Device Data, Server Logs |
(f) Legitimate interest (IT security) |
90 days |
|
Compliance with legal obligations (e.g., responding to lawful requests from authorities) |
Any data as required |
(c) Legal obligation |
As required by applicable law |
|
Exercising or defending legal claims |
Any data relevant to the claim |
(f) Legitimate interest |
Duration of legal proceedings + applicable limitation period |
5.1 Marketing Communications — Double Opt-In
We will only send you marketing emails (newsletters, promotions, product recommendations) if you have given your explicit, informed consent through a double opt-in process. This means:
· You actively subscribe by entering your email address and checking a consent box (first opt-in);
· You confirm your subscription by clicking a verification link sent to your email address (second opt-in).
You may withdraw your consent at any time by:
· Clicking the "Unsubscribe" link in any marketing email;
· Emailing us at privacy@the-ios.maison;
· Adjusting your preferences in your account settings.
Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
6. RECIPIENTS OF YOUR PERSONAL DATA
We share your personal data only where necessary for the purposes described in Section 5, and only with the following categories of recipients:
|
Recipient |
Purpose |
GDPR Role |
Data Shared |
|
Shopify Inc. |
Platform hosting, order processing, payment processing |
Data Processor |
Identity, Contact, Transaction, Payment, Device Data |
|
BigBuy |
Order fulfillment and shipping (primary Fulfillment Partner) |
Sub-Processor |
Name, delivery address, order details |
|
BTS Wholesaler |
Order fulfillment and shipping (secondary Fulfillment Partner) |
Sub-Processor |
Name, delivery address, order details |
|
Klarna Bank AB |
Payment processing (BNPL, Sofort) |
Independent Controller |
Identity, Contact, Transaction Data |
|
PayPal (Europe) S.à r.l. |
Payment processing |
Independent Controller |
Identity, Contact, Transaction Data |
|
Klaviyo Inc. |
Email marketing and transactional emails |
Data Processor |
Identity, Contact, Transaction Data, Consent Records |
|
Google LLC |
Website analytics (consent-gated) |
Data Processor |
Anonymized IP, Device Data, Usage Data |
|
ClearSale |
Fraud prevention and risk scoring |
Sub-Processor |
Identity, Contact, Transaction, Device, Behavioral Data |
|
Pandectus |
Cookie consent management |
Data Processor |
Consent Records, Cookie Data |
|
Weglot |
Website translation |
Data Processor |
Language preference, IP (if applicable) |
|
Pandectus |
EU GDPR Representative (Art. 27) |
EU Representative |
Data subject requests forwarded to Controller |
We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.
7. INTERNATIONAL DATA TRANSFERS
As the Data Controller is established in the United States, and certain processors are located outside the EU/EEA, your personal data may be transferred to countries outside the European Economic Area. We ensure that all such transfers are protected by appropriate safeguards as required by Chapter V of the GDPR:
|
Recipient / Country |
Transfer Mechanism |
Reference |
|
Royce Roll Design Group, LLC |
EU-US Data Privacy Framework (DPF) |
Art. 45 / Art. 46(2)(c) GDPR |
|
Shopify Inc. |
EU-US Data Privacy Framework |
Shopify DPA |
|
Klaviyo Inc. |
EU-US Data Privacy Framework |
Klaviyo DPA |
|
Google LLC |
EU-US Data Privacy Framework |
Google Data Processing Terms |
|
ClearSale |
Standard Contractual Clauses (SCCs) |
ClearSale DPA |
|
BigBuy, BTS Wholesaler, |
No transfer outside EU/EEA — |
N/A |
You may request a copy of the applicable Standard Contractual Clauses by contacting us at: privacy@the-ios.maison
8. COOKIES AND SIMILAR TECHNOLOGIES
8.1 What Are Cookies?
Cookies are small text files placed on your device when you visit our Online Store. They serve various purposes, from enabling basic website functionality to analyzing how visitors use our site.
8.2 Our Cookie Consent Management
We use Pandectes GDPR Compliance as our Cookie Consent Management Platform (CMP). When you first visit our Online Store, you will be presented with a cookie consent banner that allows you to:
· Accept All cookies;
· Reject All non-essential cookies; or
· Customize your preferences by category.
Non-essential cookies are blocked until you provide your consent. You may change your cookie preferences at any time by clicking the cookie settings link in the footer of our website.
8.3 Cookie Categories
|
Category |
Purpose |
Examples |
Consent Required? |
|
Strictly Necessary |
Essential for the website to function (shopping cart, checkout, session management, security) |
Shopify session cookies, Pandectus consent cookie |
No (Art. 5(3) ePrivacy Directive) |
|
Functional |
Remember your preferences (language, region) |
Weglot language preference cookie |
Yes |
|
Analytics |
Understand how visitors use our website to improve performance |
Google Analytics 4 (_ga, _ga_*) |
Yes |
|
Marketing |
Deliver relevant advertisements and measure campaign effectiveness |
Currently not used. If enabled in future, will require consent. |
Yes |
8.4 Google Analytics 4 — Specific Configuration
We use Google Analytics 4 with the following privacy-protective settings:
· EU data residency enabled (data processed on EU servers);
· IP anonymization active (default in GA4);
· Google Signals disabled;
· Data retention set to minimum period (2 months);
· GA4 only loads after you grant consent via the Pandectes GDPR Compliance cookie banner.
You may opt out of Google Analytics at any time by:
· Rejecting "Analytics" cookies in the Pandectes GDPR Compliance cookie banner;
· Installing the Google Analytics Opt-Out Browser Add-on: https://tools.google.com/dlpage/gaoptout
9. YOUR RIGHTS UNDER THE GDPR
As a data subject in the EU/EEA, you have the following rights under the GDPR. These rights are not absolute and may be subject to conditions and exceptions under applicable law:
Right of Access (Art. 15): You have the right to obtain confirmation as to whether we process your personal data and, if so, to receive a copy of that data together with information about the processing.
Right to Rectification (Art. 16): You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data.
Right to Erasure / "Right to Be Forgotten" (Art. 17): You have the right to request the deletion of your personal data where, among other grounds, the data is no longer necessary for the purposes for which it was collected, you withdraw consent, or the data has been unlawfully processed. This right does not apply where processing is necessary for compliance with a legal obligation (e.g., tax retention requirements) or for the establishment, exercise, or defense of legal claims.
Right to Restriction of Processing (Art. 18): You have the right to request the restriction of processing in certain circumstances, for example, where you contest the accuracy of the data or where the processing is unlawful but you oppose erasure.
Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., CSV or JSON) and to transmit that data to another controller, where the processing is based on consent or contract and is carried out by automated means.
Right to Object (Art. 21): You have the right to object to the processing of your personal data based on legitimate interests (Art. 6(1)(f)), including profiling. Where you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests. You have the right to object to processing for direct marketing purposes at any time, without restriction.
Right to Withdraw Consent (Art. 7(3)): Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Right Not to Be Subject to Automated Decision-Making (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Our fraud prevention screening via ClearSale involves automated profiling; however, no order is automatically rejected without human review.
Right to Lodge a Complaint (Art. 77): You have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. See Section 9.2 below for relevant authorities.
9.1 How to Exercise Your Rights
To exercise any of the above rights, please contact us at:
Email: privacy@the-ios.maison
Postal: Icons of Skin Maison — Privacy Department, c/o Royce Roll Design Group, LLC, 1000 Brickell Avenue, Suite #715, Miami, FL 33131, USA
EU Representative: Pandectus — [address to be inserted]
We will respond to your request without undue delay and in any event within one (1) month of receipt. This period may be extended by two (2) further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request.
We will verify your identity before processing any request. We will not charge a fee for processing your request unless the request is manifestly unfounded or excessive.
9.2 Supervisory Authorities
You may lodge a complaint with the data protection supervisory authority in your country of residence:
|
Country |
Supervisory Authority |
|
Germany |
The competent Landesdatenschutzbeauftragte of your federal state, or the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) |
|
Netherlands |
Autoriteit Persoonsgegevens (AP) — autoriteitpersoonsgegevens.nl |
|
Sweden |
Integritetsskyddsmyndigheten (IMY) — imy.se |
|
Denmark |
Datatilsynet — datatilsynet.dk |
|
Finland |
Tietosuojavaltuutetun toimisto — tietosuoja.fi |
|
Austria |
Österreichische Datenschutzbehörde (DSB) — dsb.gv.at |
|
Belgium |
Autorité de protection des données / Gegevensbeschermingsautoriteit (APD/GBA) — dataprotectionauthority.be |
10. DATA RETENTION
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The specific retention periods are set out in the table in Section 5.
General principles:
· Order and transaction data: Retained for the duration of the contractual relationship plus 10 years to comply with statutory tax and commercial retention obligations (German HGB §257, AO §147).
· Marketing data: Retained until you withdraw consent or unsubscribe.
· Analytics data: Retained for a maximum of 2 months (GA4 setting).
· Fraud prevention data: Retained for up to 12 months after the transaction.
· Server logs: Retained for 90 days.
· Cookie consent records: Retained for the duration required by applicable law (typically 1–3 years as proof of consent).
When personal data is no longer required, it will be securely deleted or anonymized.
11. DATA SECURITY
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with Article 32 GDPR. These measures include:
· SSL/TLS encryption for all data transmitted between your browser and our Online Store;
· PCI DSS compliance for payment processing (via Shopify Payments);
· Access controls limiting employee and contractor access to personal data on a need-to-know basis;
· Regular security assessments of our systems and third-party processors;
· Encrypted storage of sensitive data at rest;
· Data Processing Agreements (DPAs) with all processors and sub-processors requiring equivalent security measures.
11.1 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
· Notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33 GDPR);
· Notify you directly without undue delay if the breach is likely to result in a high risk to your rights and freedoms (Article 34 GDPR).
12. CHILDREN'S PRIVACY
Our Online Store is not directed at children. We do not knowingly collect personal data from children under the age of 16 (or the applicable age of digital consent in your country of residence, which may be lower in certain Member States). If we become aware that we have collected personal data from a child below the applicable age without valid parental consent, we will take steps to delete that data promptly.
If you believe we may have collected data from a child, please contact us at:
13. LINKS TO THIRD-PARTY WEBSITES
Our Online Store may contain links to third-party websites (e.g., brand manufacturer websites, payment provider pages, social media platforms). These websites operate under their own privacy policies, which we encourage you to review. We are not responsible for the privacy practices or content of third-party websites.
14. SOCIAL MEDIA
If we maintain social media profiles (e.g., Instagram, Facebook), the respective social media platform operator is a joint controller or independent controller for data processing that occurs on their platform. Please refer to the privacy policies of the respective platforms for information about their data processing practices.
15. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or business practices. When we make material changes:
· The updated Privacy Policy will be published on our Online Store with a new "Last Updated" date;
· Registered customers will be notified of material changes by email at least fourteen (14) days before the changes take effect;
· Where changes affect processing based on consent, we will seek renewed consent where required by law.
We encourage you to review this Privacy Policy periodically.
16. CONTACT US
If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or have concerns about how we process your personal data, please contact us:
Data Protection Inquiries: privacy@the-ios.maison
General Customer Service: ClientService@the-ios.maison
Postal Address: Icons of Skin Maison — Privacy Department,
c/o Royce Roll Design Group, LLC
1000 Brickell Avenue, Suite 715, Miami, FL 33131, USA
EU Representative (Art. 27 GDPR): Pandectus — [address to be inserted]
Telephone: +1 305 317 4117