Privacy Policy
Last Updated: November 2025
GoodBoys.Club (operated by Unstatic Labs) is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains what information we collect about you when you use our website or services, how we use and share that information, and your rights in relation to that data. We comply with the General Data Protection Regulation (GDPR) and applicable national data protection laws, as well as relevant provisions of the Digital Services Act (DSA) regarding user transparency and safety.
By using the GoodBoys.Club website (the “Site”) or providing personal data to us, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please discontinue use of our Site.
1. Who is Responsible for Your Data?
Data Controller: The entity responsible for processing your personal data (the “data controller”) is Unstatic Labs (USL), SAS, SIREN 983 982 950, with registered address at 60 rue François Ier, 75008 Paris, France. Good Boys Club and Good Boys Obey are brands of USL. When we say “we” or “us” in this policy, we refer to USL as the operator of GoodBoys.Club.
If you have any questions or requests regarding your personal data, you can contact us at [email protected] or Unstatic Labs, 60 rue François Ier, 75008 Paris, France.
We may not have a designated Data Protection Officer (DPO) given the scale of our operations, but our team handles data protection matters collectively. You can use the above contact for any privacy concerns.
2. What Data We Collect and How
We collect various types of personal data from you when you interact with our Site or services.
We do NOT ever sell any kind of personal data.
The categories of data we collect are:
2.1 Data You Provide Directly:
Account Information: When you register for a membership on GoodBoys.Club, we collect information such as your email address (if registering via email), or certain profile details if you use a social login. For example, if you log in via Telegram, we may receive your Telegram user ID, username, and/or name as provided by Telegram for authentication. We do not receive your Telegram contacts or messages (apart from messages you send to our bot) – just the basic info needed to verify your identity. We may also ask or allow you to provide optional profile information such as a display name or avatar. In general, we keep required personal information minimal.
Order and Payment Information: When you make a purchase, we collect information necessary to process the order:
- Contact details: name, shipping address, billing address (if different), email, and phone number (phone may be needed by carriers for delivery updates in some cases).
- Order details: the specific products ordered, sizes, customizations (if any), and order number.
- Payment details: We rely on third-party payment processors (e.g., Stripe, PayPal, Revolut) to handle your payment securely. We ourselves do not collect or store full payment card numbers or bank account details. We may store a transaction ID or confirmation and the payment method used, as provided by the payment processor (e.g., we might record that you paid via PayPal or by Visa ending in 1234). All payments are processed by USL as the merchant of record, and “USL” will appear on your statement.
- If you request a VAT invoice or provide a company name/tax ID for the order, we will collect those details as well.
Communications: If you contact us (e.g., via email or otherwise), we will collect the information you choose to give us in that communication. This may include your name, contact info, and the contents of your message or any attachments. We keep such correspondence to track support issues and improve our services.
User-Generated Content: If you submit reviews, comments, photos, or other content on our Site (for example, a product review or a gallery submission), we collect whatever information you include in that content. This could potentially include personal data if you volunteer it (for instance, a photo might reveal your image or other personal details). We also collect your username or display name associated with such content. Keep in mind that content you post might be visible to other members (see Section 7 about data visibility).
Promotions and Surveys: If we run a promotional contest, loyalty program, or survey, and you choose to participate, we will collect the information needed for that purpose. This could include contact information and whatever responses are involved. We will provide specific terms at that time, but any personal data collected will be treated in line with this Privacy Policy.
2.2 Data We Collect Automatically:
Usage Data: When you browse our Site, we and our analytics providers collect technical data about your interaction. This includes:
- Device and Browser Information: e.g., your device type, operating system, browser type/version.
- IP Address: The Internet Protocol address from which you access our Site. (We use IP for server logs, analytics, and security – and also to infer your region for purposes like showing the correct currency or VAT treatment).
- Cookies and Similar Technologies: We use cookies or similar tracking technologies to provide and improve our services. For instance, cookies are used to keep you logged in (session cookies), to remember preferences (like items in your cart or language choices), and to gather analytics about site usage. See Section 9 below for more on cookies.
- Activity Logs: We may log the pages you visit, the time and date of access, the time spent on pages, links clicked, and actions like adding to cart, etc. We also might log when you perform account-related actions (e.g., when you log in, when you reset password) for security/audit purposes.
Analytics Data: We use an analytics platform (PostHog) to better understand user behavior on our Site (e.g., which pages are most visited, how users navigate, errors and issues). PostHog may collect events about your actions (such as clicking a button or navigating to a page) and aggregate them for us. Importantly, we have configured PostHog in a privacy-friendly manner:
- We host analytics with EU data hosting to ensure data stays within Europe. Our PostHog instance is either self-hosted or on their EU cloud (with servers in Frankfurt, Germany), so personal data from analytics is not transferred outside the EU.
- PostHog by default may use a cookie or device fingerprint to distinguish users, but it can be set to not use cookies. We will respect your cookie consent preferences (see Section 9). If you opt out of analytics cookies, we either disable PostHog for you or use it in a no-cookie mode (where possible).
- The analytics data typically does not include your name or contact info, but it might capture IP address and device info which can be considered personal data. We treat it with care and use it only for statistical purposes and to improve our site.
Logins via Third Parties: If you log in using a third-party account (like Telegram), that service may send us some data to identify you. As mentioned, Telegram provides us with a basic user ID and name. Telegram may also inform us if you link/unlink your account. We do not receive your Telegram messages except those directed to our bot. Note: by using Telegram login, you also agree to Telegram’s data practices; we encourage you to review Telegram’s privacy policy for how they handle your data.
Geolocation: We do not actively track precise GPS location, but your IP address may give a general geolocation (country or city level). We use this to auto-select things like language or regional settings (e.g., showing prices with VAT if you are in the EU, as we only show VAT to EU users). We do not pinpoint your exact location beyond what's needed for service (shipping addresses you provide for orders are obviously precise and used accordingly).
2.3 Data from Third Parties:
We might receive information about you from third-party sources in certain scenarios:
- If you use an affiliate link or code from a third-party influencer or site, that third party might notify us that you (an anonymous user or an order ID) came through them, for commission calculation.
- If we have to perform fraud prevention checks, we might get data from payment processors or anti-fraud databases (e.g., a risk score or indication that a payment source is high-risk).
We do not buy marketing lists or engage in personal data brokering.
3. How We Use Your Data (Purposes and Legal Bases)
We use the collected personal data for the following purposes, each with a corresponding legal basis under GDPR:
3.1 To Provide the Core Service (Performance of a Contract):
Account creation and management: We use your data to set up and maintain your membership account, let you log in, and provide the membership-only features. For example, your email or Telegram ID serves as your login identifier; we send authentication links or codes to log you in securely.
Processing Orders and Sales: This includes everything needed to fulfill your purchase:
- Recording the order, processing payment (through our payment partners), updating you on order status, and delivering the product to you. We use your name and address for shipping labels, your email to send order confirmations and receipts, and possibly your phone to assist with delivery (some couriers require a phone number).
- If you purchase a personalized product, we use the data you gave (like an engraving text or size measurements) to produce the item.
- Handling returns or refunds (if applicable) also falls here; we’d use your order info and contact to process the return and refund you.
Customer Support: When you reach out with a question or issue, we use your information to assist you. For instance, if you email about a sizing concern, we may look at your past order or cart (if any) to help advise. If you report a defect, we use your order record to verify the purchase and arrange a solution.
These uses are necessary to perform the contract of providing services or goods to you (GDPR Art. 6(1)(b)). If you refuse to provide certain data (like a shipping address for a purchase), we cannot fulfill our contract with you.
3.2 For Legitimate Business Interests:
Improving and Personalizing our Service: We analyze usage data and feedback to improve the Site’s functionality, layout, and content. For example, we might use browsing data to optimize the user interface or to stock more of the products that are popular. We may also personalize your experience, such as recommending products you might like based on past interactions.
Analytics and Metrics: We use analytics (via PostHog) to understand user behavior in aggregate – e.g., how many users visit monthly, which pages get the most views, conversion rates from viewing to purchasing, etc. This helps us make informed business decisions. The data is generally aggregated, but even when some personal data (IP, cookie ID) is involved, we consider this processing under legitimate interest for improvement of service. We ensure this does not override your privacy rights by giving you control over cookies and by anonymizing data wherever feasible.
Prevention of Fraud and Misuse: We use data to keep our platform safe. This includes monitoring accounts and transactions for suspicious activity. For example, we might use IP and account data to detect if multiple accounts are being created by the same person to abuse invites, or to flag potentially fraudulent orders (like mismatched name and card info, or high-value orders from risky regions). We may also utilize third-party fraud detection services in the process. Another example: if we suspect a user is underage or is viewing content they shouldn’t, we might use login data to enforce the age restriction.
Content Moderation: In line with the DSA and our Terms, we may process user content and related personal data for moderation purposes. For instance, if someone posts a review or image, our moderators (or automated filters) might scan it for prohibited content (hate speech, etc.). If illegal content is reported, we will process the report and the user’s identity to address it. This is both our legal obligation and a legitimate interest to maintain a safe community.
Communicating with Members: We might send non-promotional communications that are important for the service:
- Service/administrative emails: e.g., changes to Terms or Privacy Policy, security alerts (like if we detect a new login to your account), or maintenance downtime notices.
- Community updates: since membership is central, we might send updates about new features, or to check in if you’ve been inactive (e.g., “We haven’t seen you in a while, here’s what’s new at GoodBoys.Club”). We consider these light touches to engage our user base, falling under legitimate interest, but we will provide an opt-out if you prefer not to receive them.
- Survey requests or research: occasionally, we may reach out to ask for your feedback. Participation is optional, and you can opt out of such emails.
The above are processed under legitimate interests (GDPR Art. 6(1)(f)). We have a legitimate interest in running and improving our business, preventing fraud, keeping our community safe, and communicating necessary information to users. We have balanced these interests against your rights and believe this data use is proportionate and not intrusive (for example, analytics data is pseudonymous and you can opt out; fraud checks protect both you and us). You have the right to object to processing based on legitimate interests (see Section 10 on your rights).
3.3 With Your Consent:
Marketing Communications: If you are not yet a customer, we will only send email newsletters or promotional communications if you have opted in. For existing customers, we may send product updates or promotions about similar products, relying on soft opt-in rules allowed by certain laws, but we will always provide a clear unsubscribe option in every marketing email. Examples of marketing content: announcements of new product lines, upcoming sales or discount codes, events we participate in, etc. We might also include third-party offers if it’s related (e.g., a partner event), but those will be limited and come from us directly.
Cookies that require consent: We use certain cookies and tracking technologies that are not strictly necessary for site function (like analytics or any potential advertising/affiliate cookies). We will obtain your consent via a cookie banner or similar mechanism, in line with applicable ePrivacy laws, before using such cookies. Section 9 details the cookie usage. You can choose to allow or refuse these cookies. If you refuse, we will honor that (and, for instance, not load PostHog analytics in your session). However, this might mean we need to refuse you service.
Special Data Uses: If we ever need to process your personal data for a purpose that by law requires consent, we will ask for it. For example, if we wanted to use a testimonial of yours with your name or image in our marketing materials beyond the license you grant under the Terms, we might still seek explicit consent out of caution. Likewise, if in future we introduce features that deal with sensitive personal data (though unlikely), we would only handle that with your consent or as allowed by law.
Geolocation (precise): As noted, we do not gather precise location data. If that changes (say, an app feature that uses your location to find events), we would ask for your consent through the app permissions.
Processing based on consent (GDPR Art. 6(1)(a)). You have the right to withdraw your consent at any time (which will not affect processing already done but will stop future processing of that nature). For instance, you can unsubscribe from marketing emails (link in the footer of each email) or adjust cookie settings on our site to withdraw consent for those.
3.4 To Comply with Legal Obligations:
Accounting and Tax: We keep records of transactions (invoices, amounts, country of customer, etc.) as required by law for accounting, tax reporting, and financial audits. For example, French law requires retention of invoices for 10 years.
Consumer Rights: We handle any data necessary to meet obligations under consumer protection laws, such as honoring warranty claims or product recalls if any (which involve using your contact/order info to notify you or process remedies).
Digital Services Act obligations: We may retain certain data relating to content moderation decisions or user notices of illegal content in order to comply with DSA transparency requirements. For instance, DSA requires maintaining records of illegal content notices and our actions for a certain period, and possibly to produce annual transparency reports if applicable. If we were considered an “online platform” under DSA, we might have to publish numbers of orders removed, etc. We will only include aggregate info in public reports – your personal data is not published, but records (like a database log that user X reported content Y on date Z and we removed it) might be kept internally.
Law Enforcement and Regulatory Compliance: If we are required by a valid legal request (subpoena, court order, or equivalent) or by a digital services coordinator or data protection authority to provide personal data, we will do so to the extent the law compels us. We also might share data to exercise our legal rights or defend against legal claims (see Section 5).
Age Verification: Since our site is 18+, if there were a legal obligation to verify age in certain jurisdictions (some countries might require age verification for adult content), we would process data for that, possibly by asking for an ID verification. We currently rely on self-attestation (you stating you’re 18+ when joining) and the possession of a valid credit card.
These processing activities are mandated by laws or regulations (GDPR Art. 6(1)(c)).
If we intend to process personal data for any purpose not covered by the above, we will update this Privacy Policy and/or seek your consent if required. For example, if we launch a mobile app with additional data collection, or if we integrate AI features that involve user data, etc., we will inform you clearly of the new data uses.
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you, as defined in GDPR Art. 22. Any profiling we do (like basic personalization or fraud scoring) is either not legally significant or has human review involved.
4. How We Share Your Data
We treat your personal data with care and confidentiality. We do not sell your personal data to third parties. However, we do share certain data with third parties in the following circumstances:
4.1 Service Providers (Processors)
We utilize third-party companies to perform functions on our behalf, and in doing so, they may process your personal data under our instructions. Key service providers include:
Printful® Inc.: Our print-on-demand fulfillment partner. When you order a product that is fulfilled by Printful (e.g., apparel with our designs), we need to share the necessary information for production and shipping with Printful. This typically includes the product details (design, size, variant), your shipping address, and contact (email/phone for delivery updates). Printful acts as a data processor for us in this context, using the data only to fulfill the order. Printful’s main company is in the USA (11025 Westlake Dr, Charlotte, NC, USA, Tax ID: 90-0674740), but they operate globally. Data Transfer Note: Printful uses facilities in various regions; for EU orders, they often fulfill from EU centers (they have facilities in Latvia, Spain, etc.) and their website is hosted on AWS servers in Luxembourg. We have a Data Processing Agreement with Printful to ensure GDPR compliance. In cases where data is transmitted to the US, we rely on appropriate safeguards such as Standard Contractual Clauses or the EU-US Data Privacy Framework, as applicable.
Payment Processors: We share data with payment gateways to process transactions:
- If you pay by credit/debit card, Revolut (or a similar processor) will receive your card details, payment amount, billing info, and possibly your email (to send a receipt on our behalf). They are PCI-DSS compliant and authorized to process payments. We, in return, get a payment confirmation and limited info (like the last 4 digits of the card, card type, country).
- If you pay via PayPal, you are redirected to PayPal, which shares back with us a confirmation of payment and your PayPal-confirmed address and email. We do not see your PayPal login details. Each of these processors is a controller of your payment data for their fraud prevention and regulatory compliance, but also a processor for us in handling the transaction. They have their own privacy policies which cover what they do with your data. We only share what's necessary for payment.
Shipping Carriers and Logistics: We will share your address and contact with shipping companies (e.g., postal services, DHL, FedEx, and others) and logistics platforms to ship your order. For instance, we might use a platform like SendCloud or a courier’s API to generate labels – these systems will use your name/address and possibly email/phone to create a shipment and provide tracking. They in turn share that data with the actual carrier that delivers (if separate).
Hosting and Infrastructure: The Site is hosted on servers provided by Hetzner Online GmbH (a German-based hosting provider with data centers in the EU). Therefore, any data you provide or we collect (website content, databases) is stored on Hetzner’s servers. Hetzner might technically have access as a host, but they do not use your data; they simply keep it stored and allow our service to run. They are GDPR-compliant and based in Europe.
Analytics Providers: As discussed, we use PostHog for analytics. PostHog (the company) would process the analytics data on our behalf. We opted for EU-hosted analytics, so the data stays in EU jurisdiction.
Email Service: To send out emails (order confirmations, newsletters, etc.), we might use an email delivery service (like SendGrid, Mailgun, AWS SES, or similar). That means your email address and the email content could pass through that service. We choose reputable providers with proper security. For instance, if using Mailgun (US-based with EU options), we’d ensure EU routing or SCCs.
Customer Support Platforms: If we use any CRM or support ticket system (e.g., if we integrate a support widget or use a system to track emails), your communications could be stored there.
Telegram (for notifications): If you engage with our Telegram bot for support or updates, Telegram obviously processes those chat messages as part of their service. We program the bot to handle minimal personal data – typically your Telegram ID and chat content. Telegram is an independent service (based outside the EU at the moment), so your interactions there are subject to their encryption and retention policies. We only use the bot data to respond to you and keep logs of support conversations.
These third parties are bound by contractual agreements to only use your data to provide services to us and not for other purposes. We ensure any processor we use can provide sufficient guarantees of security and confidentiality.
4.2 Within Our Company and Affiliates
Our company operates multiple projects and affiliates; therefore, personal data may be shared within the company and its affiliates for internal administrative purposes. For example, if USL launches a sister site or app, your data might be in a common customer database.
4.3 Third-Party Vendors
If you purchase an item that is explicitly sold/shipped by a third-party vendor through our platform, we will share with that vendor the information necessary to fulfill your order (since effectively they are the ones providing the product). This can include your order details and shipping information. We will inform you at purchase time if a product is sold by a third party, and by ordering you consent to us sharing your details with that vendor for fulfillment. That vendor will be required to use your data only for that order and to treat it in compliance with data protection laws. (They may also need to keep records for their legal obligations, e.g., their own accounting.)
Additionally, if you as a consumer have issues (like warranty claims) with a third-party vendor’s product, we may share relevant information about the purchase with the vendor to resolve the issue (or direct you to their support), again with the goal of serving you.
4.4 Legal Requirements and Protection
We may disclose your personal information as necessary to:
Comply with laws or regulations, or respond to a valid subpoena, court order, or governmental request. For instance, under the DSA or local law, authorities can request certain data (like identification of users who posted illegal content, once properly ordered). We will verify any request and only provide data that we are compelled to.
Enforce our rights or agreements: e.g., to apply our Terms of Use or Terms of Sale (CGV), including investigation of potential violations.
Protect against fraud, security issues, or technical problems: If we suspect fraud, we might share data with law enforcement or professional advisors (like lawyers or investigators) to handle the incident.
Protect the rights, property, or safety of USL, our users, or the public: For example, if someone’s postings pose a serious threat or if we believe in good faith that an emergency involving someone’s safety requires disclosure, we might share info with appropriate authorities.
Such disclosures will be made only to the extent required or permitted by law. We will try to notify you if your data is requested by an authority, if allowed (not prohibited by the request or law), so you have a chance to object or seek legal protection, except in cases where notifying you is impossible or counterproductive (e.g., an urgent request for an ongoing investigation).
4.5 Business Transfers
In the event that GoodBoys.Club undergoes a business transaction such as a merger, acquisition by another company, or sale of all or part of its assets, or in the unlikely event of bankruptcy, your personal data might be among the assets transferred to or reviewed by the involved parties. We would ensure that any such party is bound to respect your personal data in a manner consistent with this Privacy Policy. If a transfer results in a material change in how your data is used, we will notify you and you may exercise your rights, including potentially deleting your data before the transfer if you choose (subject to legal allowances).
4.6 Aggregate or Anonymized Data
We may share information that has been aggregated and anonymized (so it can no longer identify you personally) with third parties for various purposes, such as industry analysis, number of visitors, etc. For example, we might publish that “we have customers in 25 countries” or “X% of our users are repeat buyers” in a press release or investor update. This kind of information contains no personal data.
4.7 With Your Consent
Apart from the scenarios above, if we intend to share your personal data with someone else (like a new partner) in a way not covered by this policy, we will obtain your explicit consent. For example, if we ever collaborate with another brand and want to give you an option to sign up for their newsletter at checkout, we would only share your email with them if you explicitly opt in.
We do not engage in cross-marketing where we give your data to other companies for their own direct marketing, unless you explicitly agree (which we currently have no plans for). If you found us through an influencer or affiliate, we do not share your identity with them.
In summary: your data is primarily used internally and by our trusted service partners to serve you. Any broader sharing is limited and usually anonymized or under strict legal/contractual controls.
5. International Data Transfers
We are based in France (EU) and we aim to store and process data within the European Economic Area (EEA) as much as possible. However, some of our service providers or partners are located outside the EEA, which means your personal data might be transferred to or accessed from third countries (countries without an EU adequacy decision for data protection). For example:
United States: Several of our partners (Printful, Stripe, PayPal, PostHog, and in part Telegram's servers) and possibly our email service or support tools might be US-based. The US currently (as of 2025) benefits from the EU-US Data Privacy Framework, which was deemed adequate in July 2023. Where applicable, we ensure our US partners are certified under this framework or have Standard Contractual Clauses (SCCs) in place.
Other countries: Telegram is a special case, as its jurisdiction is not clear-cut (offices in the UAE, etc.). We consider Telegram communications as initiated by you, and you accept their terms by using it. For our part, we don’t transfer our user database to Telegram; only the minimal data to authenticate (like linking your Telegram ID to your account if you choose that login). If our staff or systems access your data while traveling or from a location outside the EEA, that’s also a form of transfer (though internal). We manage such access securely through VPNs and policies.
Our safeguards for international transfers:
When we transfer personal data out of the EEA to a country not deemed to have adequate data protection by the EU, we rely on one or more of the following legal mechanisms:
- Standard Contractual Clauses (SCCs): These are template contracts approved by the European Commission to ensure that the recipient of the data (e.g., a US service provider) commits to protecting the data to EU standards.
- Data Privacy Framework Certification: If our US partner is certified under the new EU-US DPF, that is an accepted safeguard.
- Derogations: In some cases, we rely on GDPR Article 49 derogations. For instance, when a transfer is necessary for the performance of a contract between you and us (e.g., sending your address to a US-based shipping partner to deliver your package, because you ordered something to be delivered to the US), or with your explicit consent for specific transfers. Also, if you communicate with us via a service like Telegram, that’s effectively your consent to that cross-border communication.
We also assess on a case-by-case basis if the foreign recipient can comply with the SCC obligations (including any local law access by authorities). If needed, we implement additional technical measures, such as encryption in transit and at rest, and careful access controls, to protect data that moves globally.
If you would like more details about our international data transfer safeguards or copies of the relevant contractual clauses, you can contact us (contact details in Section 1). We may redact some parts for confidentiality, but we can confirm the mechanisms.
6. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or to satisfy legal, accounting, or reporting requirements. Retention periods vary depending on the data type and purpose:
Account Data: We keep your account information for as long as you maintain an account with us. If you decide to delete your account or it’s inactive for an extended period (we may consider accounts inactive after 2 years of no login and no orders), we may remove or anonymize the account data, provided we don’t need it for other legitimate purposes (like a purchase record). If you simply stop using the Site, we will eventually purge personal data from inactive accounts in accordance with our data retention schedule. You can also request deletion at any time (see Section 10).
Order and Transaction Data: By law, we must keep records of transactions for a certain time. In France, we are required to retain invoices and sale records for 10 years after the close of the fiscal year, for tax and accounting compliance. Even if you delete your account, we will retain the necessary order data in our financial records (but we will archive it so that it’s not easily accessible except for compliance needs). We also retain records to handle any disputes or warranty issues that might arise within legal periods (for example, the EU legal guarantee period for products is 2 years; we’d keep data at least through that period for those items).
Customer Support Communications: We may retain support emails or chat logs for a few years (usually up to 2 years) to refer back to past communications if you contact us again, and to train our service quality. If you have exercised rights or had significant issues, those communications might be kept longer to show compliance or resolve future matters.
User-Generated Content: If you post a review or other content, it may remain on the Site as long as the item or page is active, or until you ask for its removal (assuming it's your content). If we remove content as part of moderation, we might keep an internal record of the removal (what was removed and why) for a certain time (DSA encourages keeping removal records for 6 months+). If you delete your account, we may anonymize your posts (e.g., the review might say “by a former member” with no personal details).
Marketing data: If you have subscribed to newsletters, we keep your email on the mailing list until you unsubscribe. If an email bounces repeatedly or is inactive, we may remove it in periodic clean-ups. If you unsubscribe, we will stop sending you emails but might keep your email on a suppression list to ensure we don't accidentally re-add you.
Analytics data: Raw web server logs (with IP addresses) are typically kept for a short period – often 1 to 3 months – unless needed for security analysis (in case of an attack, relevant logs might be kept longer). Analytics aggregated data may be kept indefinitely (since it's anonymized or aggregated). If analytics events are stored with identifiers, we set retention limits of up to 2 years.
Legal Requirements: If a law or regulation requires us to keep data for a certain period, we will comply. For instance: records of consent might be kept for as long as the processing continues, and beyond that to defend against any legal claims; in the event of a dispute or enforcement action, relevant data will be preserved until the issue is resolved and no further appeal is possible, and then, depending on the outcome, either deleted or retained if required by law.
When data is no longer needed, we will either delete it securely or anonymize it (so it can no longer be associated with you). Anonymized data may be kept for statistical purposes without further notice.
Backup policy: Note that our systems may have backups that are retained for disaster recovery. If you ask for deletion, we will remove your data from our active systems and make best efforts to scrub from backups. Most backups are overwritten on a rolling basis. We typically won’t restore a backup just to delete an entry, but our backup retention is limited (up to 2 years for data that is not considered archives). Any data in backups will either age out or, if restored for some reason, we will re-delete it then.
7. Data Security
We implement a variety of security measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction. While no website or Internet transmission is completely secure, we are committed to best practices and continuously improving our security posture. Measures we have in place include:
Encryption: Our Site is served over HTTPS, meaning data in transit between your browser and our servers is encrypted using TLS. We also encrypt sensitive data at rest where appropriate. For example, we hash passwords (we never store plain passwords), payment data is not stored by us (or only as tokenized by the payment provider), and any backup storage is protected.
Access Controls: Personal data is accessible only to those within our organization and our processors who need it to perform their job duties. For instance, our team members can only access the admin systems with proper authentication, and access to sensitive data (like full order details or user lists) is limited to authorized personnel. We employ role-based access control so that, e.g., a support agent can see your order info to help with an issue, but they might not have access to edit system configurations.
Two-Factor Authentication: Where possible, we secure administrator and key service accounts with two-factor authentication (2FA) to prevent unauthorized login. Our internal systems and third-party dashboards (like payment or hosting accounts) use 2FA.
Monitoring and Testing: We monitor our systems for suspicious activity, keep software up to date with security patches, and regularly review our practices. We may employ vulnerability scanning or hire security experts to perform penetration tests on our Site to find and fix potential vulnerabilities.
Data Minimization: We aim to only collect data that we truly need. By storing less personal data, we reduce the risk exposure. For example, we do not store sensitive personal identifiers like national ID numbers, and we avoid collecting any special category data (health, etc.).
Employee Training: We educate our team about data protection and security. They are trained to follow good security practices (like using strong passwords, recognizing phishing attempts, and handling user data confidentially).
Anonymization: When feasible, we pseudonymize data. For example, analytics might use a user ID that is not directly tied to your identity. If we perform analysis or share info, we try to strip out personal details.
Secure Development: We follow secure coding guidelines in developing our platform and test features for security issues. We also rely on reputable frameworks and libraries which are maintained for security.
Physical Security: Our own offices (if any physical records or computers storing data) are secured (restricted access). Our hosting provider (Hetzner) maintains robust physical security at data centers (guards, access control, fire suppression, etc.).
Despite our efforts, no security is foolproof. We cannot guarantee that personal data will never be accessed, disclosed, altered, or destroyed through a breach of our safeguards. However, we have incident response plans in place. In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority (like the CNIL in France) as required by GDPR (within 72 hours of becoming aware, for the authority).
Your own role: You also play a role in keeping your data secure. We encourage you to use a unique, well-secured email address (and to secure that email account, since login links are sent there), and if you suspect any unauthorized access to your account, let us know immediately. Avoid sharing your login links or letting others access your logged-in sessions.
8. Data Subject Rights
Under GDPR and applicable privacy laws, you have a number of rights concerning the personal data we hold about you. We are committed to honoring these rights. Your principal rights are:
Right of Access: You have the right to obtain confirmation as to whether or not we are processing personal data about you, and if so, to request a copy of that data along with supplementary information (purposes of processing, categories of data, recipients, etc., much of which is already provided in this Privacy Policy). We will provide this in a commonly used format. The first copy is free of charge, but we may charge a reasonable fee for additional copies or excessive requests as allowed by law.
Right to Rectification: If any personal data we have about you is inaccurate or incomplete, you have the right to ask us to correct it. For instance, if your shipping address or email has changed or there’s a typo in our records, please let us know. For some account info, you can directly edit it by logging in.
Right to Erasure (Right to be Forgotten): You have the right to request the deletion of your personal data in certain circumstances:
- The data is no longer needed for the purposes for which it was collected;
- You withdraw consent (if the processing was based on consent) and there is no other legal ground;
- You object to processing based on our legitimate interests, and we have no overriding legitimate grounds to continue;
- We processed your data unlawfully;
- There is a legal obligation to erase it.
We will honor erasure requests to the extent required. Note that this is not absolute – we may retain certain information if necessary (e.g., we cannot delete order records we must keep by law, or we may keep minimal info to record that you opted out of communications). If you request deletion of your account, we will remove or anonymize personal data, aside from data we must keep.
Right to Restriction of Processing: You can ask us to restrict (temporarily halt) processing of your data in certain scenarios:
- If you contest the accuracy of the data, we should restrict processing until we verify or correct it;
- If the processing is unlawful but you don’t want full erasure, you can request restriction;
- If we no longer need the data but you need it for a legal claim;
- If you have objected to processing (next paragraph) and await verification of our overriding grounds.
During restriction, we will store the data but not use it (except to the extent necessary, such as storing it to ensure the restriction is respected).
Right to Object: You have the right to object to our processing of your personal data when it is based on our legitimate interests (Art. 6(1)(f) GDPR), including profiling on that basis. If you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defense of legal claims. Importantly, you have an unconditional right to object to processing for direct marketing purposes. If you object (or unsubscribe), we will stop using your data for marketing immediately. You can contact us to object to any data use you feel doesn’t align with your interests.
Right to Data Portability: For data you provided to us and which we process by automated means based on consent or contract, you can request a copy in a structured, commonly used, machine-readable format (like JSON or CSV) and have the right to transmit that to another controller. This typically applies to things like account data or order history. We will provide the data to you, or directly to another controller if technically feasible, upon your request.
Right Not to Be Subject to Automated Decision Making: We do not engage in fully automated decision-making with legal or similarly significant effects. In case that ever changes, you would have rights related to such processing (like the right to human intervention, to express your point of view, etc.). Currently not applicable.
Right to Withdraw Consent: If we are processing any personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing that happened before the withdrawal. If you withdraw consent for a service that requires it (like optional profile data use), we will stop that processing. If you withdraw consent for something essential (like you had consented to some data use needed for service), we will inform you if that means we cannot provide the service and you might need to close your account.
Right to Complain: If you have concerns about our data practices, we would appreciate the chance to address them directly. However, you also have the right to lodge a complaint with a supervisory authority – particularly in the EU country where you live, work, or where you feel the infringement occurred. Our lead supervisory authority is the CNIL (France’s data protection authority), since we are based in France. CNIL’s contact details: www.cnil.fr. If you’re in another country, you may contact your local authority (for example, in Germany the LfDI, in Spain the AEPD, etc.), which may coordinate with CNIL or handle it. Lodging a complaint does not prejudice any other rights or judicial remedies you have.
How to Exercise Your Rights:
You can exercise any of the above rights by contacting us at [email protected] or [email protected] with your request. To ensure we are dealing with the correct person, we may need to verify your identity (e.g., by asking you to send the request from the email associated with your account or asking for some identifying info). This is to protect your data from unauthorized access.
We will respond to your request as soon as possible, generally within one month or as required by GDPR. If your request is complex or if we have received many requests, we may extend this by an additional two months, but we will inform you of the delay and reasons within the first month.
For most requests, there is no fee. However, if a request is manifestly unfounded or excessive (for instance, repetitive with no good reason), we are allowed to either charge a reasonable fee (based on administrative costs) or refuse the request. If we refuse, we will explain our reasons and you have the right to complain as mentioned above.
9. Cookies and Tracking Technologies
Cookies are small text files stored on your device by websites you visit. We use cookies and similar technologies (like localStorage, pixels, or device fingerprints) to ensure our Site functions properly, to enhance user experience, and to collect analytics.
Since we are a Private Sales Boutique, these are necessary for the Site to work correctly. By signing in, you grant us access to store all required cookies and similar tracking data (Session cookies, Cart cookies, Preference cookies, Security cookies, Analytics and Performance cookies, Functionality cookies).
If you do not accept these, please do not use our website. By creating an account and/or signing in with your email or any other form of login, you explicitly consent to this required tracking.
Some cookies are session cookies (they expire once you close your browser or log out). Others are persistent cookies that remain on your device for a defined period or until you delete them. For example, a session ID might last only until you end the session, whereas a cookie remembering you for login might last 30 days or more. Analytics cookies might last several months (e.g., to count you as the same user if you return within 3 months). We configure durations following the principle of not keeping cookies longer than needed.
Note on “Cookies” terminology: For simplicity, we use “cookies” to also include similar tracking technologies. By using our Site with cookies enabled in your browser and, where applicable, consenting via sign-in, you consent to our use of cookies as described above. If you have any concerns or questions about specific cookies, feel free to contact us.
10. Additional Considerations and Contact
10.1 Age Limitations: Our Site is not intended for individuals under 18 years of age (or the age of majority in their jurisdiction, if higher). We do not knowingly collect personal data from minors. When someone tries to register or access the site, we ask them to confirm they are of legal age. If we become aware that we have inadvertently collected personal data from someone under the required age, we will take steps to delete that data. If you are a parent or guardian and believe we have information about a minor, please contact us so we can remove it.
10.2 Third-Party Websites: Our Site may contain links to external websites or services that are not operated by us (for example, an informational blog link or a partner’s site for a special sale). This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any external sites you visit. We are not responsible for the content, privacy practices, or any issues arising from third-party sites.
10.3 Social Media: We maintain profiles on social media platforms like Instagram, Twitter, etc. If you interact with us on those platforms (by messaging us, commenting, tagging us in photos), those interactions are governed by the privacy policies of the respective platform. We might collect information from our official pages (like aggregate analytics that Instagram provides about our followers’ demographics, or specific messages if you contact support via a social DM). We will use any info obtained via social media in accordance with this policy (e.g., if you ask a support question via Instagram, we might create a support ticket internally with your name and issue to follow up). But fundamentally, what you do on social platforms is also subject to those platforms’ rules.
10.4 Changes to this Privacy Policy: We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we make material changes (especially any that would expand how we collect or use personal data), we will notify you by appropriate means: for example, by posting a prominent notice on our Site, and/or sending an email to the address associated with your account. Please review any changes carefully. If you continue to use the Site after updates take effect, you will be deemed to have accepted the revised policy. The “Last Updated” date at the top will always indicate the latest revision. For significant changes, we may re-ask for consent where required.
10.5 Contact Us: If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please do not hesitate to contact us:
- Email: [email protected] or [email protected]
- Address: Unstatic Labs, 60 rue François Ier, 75008 Paris, France
- Telegram: If you prefer, you can ping our support bot or team @goodboysobey_bot.
We will be happy to assist and we take privacy inquiries seriously. Your trust is important to us, and we aim to be transparent and responsive in addressing any privacy matters.