This Privacy Policy explains how we collect, use, share, and protect personal information when you visit our online store, place an order, contact our support team, or interact with our marketing. It applies to customers and visitors in the United States, the United Kingdom, and Canada and is written to satisfy the EU/UK General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA") and other US state privacy laws, and the Personal Information Protection and Electronic Documents Act ("PIPEDA") in Canada.
1. Information we collect
We collect personal information you give us directly, information collected automatically when you use our store, and information from limited third parties.
Information you provide
- Order and account data: name, billing and shipping address, email, phone number, order history, account login credentials.
- Payment data: payment card details and billing information are entered directly with our payment processors (Shopify Payments, PayPal, Apple Pay, Google Pay, Shop Pay). We do not store full card numbers on our systems.
- Customer support data: the contents of emails, chat messages, photos of damaged goods, and any other information you choose to send us.
- Marketing data: email address, marketing preferences, survey or review responses.
Information collected automatically
- Device and browsing data: IP address, browser type and version, operating system, device identifiers, referring URL, pages viewed, time spent, and clickstream activity.
- Cookies and similar technologies: see our Cookie Policy for the categories of cookies and the third-party providers we work with (including Shopify, Google Analytics, Meta/Facebook, TikTok, Google Ads, and Klaviyo).
Information from third parties
- Order, fraud, and shipping confirmations from payment processors and carriers.
- Authentication confirmations from social or accelerated checkout providers (e.g. Shop Pay, Apple Pay) when you use them.
- Aggregated audience and conversion data from advertising partners.
2. How we use your information
We use personal information for the following purposes:
- To fulfil your order — processing payments, arranging shipping, sending order, dispatch and delivery notifications, and handling returns.
- To provide customer service — answering questions, replacing damaged goods, and resolving complaints.
- To operate and improve the store — analytics on traffic, performance, and product interest.
- To send marketing communications — only where you have opted in (UK/EU/Canada) or where permitted under the soft opt-in rule for similar products to existing customers (UK only). You can unsubscribe at any time using the link in any marketing email.
- To detect, prevent and respond to fraud, abuse and security incidents.
- To comply with legal obligations — tax, accounting, consumer protection and law-enforcement requests.
3. Lawful bases (UK and EU customers)
Where the UK GDPR applies we rely on the following lawful bases: contract (to fulfil your order and provide our service); legitimate interests (to operate, secure and improve the store, prevent fraud, and where permitted, contact existing customers about similar products); consent (for non-essential cookies and marketing emails to non-customers); and legal obligation (tax, accounting, regulatory).
4. Sharing your information
We do not sell your personal information for money. We share it only with the following categories of recipients, and only as needed:
- E-commerce platform: Shopify Inc. (Canada) hosts our store and processes order data on our behalf.
- Payment processors: Shopify Payments, PayPal, Apple, Google.
- Shipping carriers and fulfilment partners who deliver your order.
- Email and SMS service providers (e.g. Klaviyo) that send our transactional and marketing messages.
- Analytics and advertising partners (Google, Meta/Facebook, TikTok) — see the Cookie Policy. Some sharing of online identifiers with these advertising partners may constitute a "sale" or "sharing" under California law; you can opt out using the link in our footer or by enabling the Global Privacy Control signal.
- Professional advisers (lawyers, accountants, auditors) under duty of confidence.
- Government and law-enforcement bodies where we are required by law or where it is necessary to protect our rights or others' safety.
- Successors in interest if we reorganise, merge, or sell part of our business.
5. International transfers
We are based in the United States. When we receive personal information from the United Kingdom, the European Economic Area, or Canada, that information is transferred to and processed in the United States and other countries where our service providers operate. Where required, we rely on the UK International Data Transfer Addendum, the EU Standard Contractual Clauses, or comparable safeguards.
6. How long we keep your information
We retain order, accounting, and tax records for the period required by applicable law (typically 6 to 7 years). Account information is retained while your account is active and for a reasonable period afterward. Marketing data is kept until you unsubscribe and then deleted within a reasonable cleanup period. Customer-service correspondence is kept for up to 3 years.
7. Your rights
Depending on where you live, you have some or all of the following rights:
- Access a copy of the personal information we hold about you.
- Correct information that is inaccurate or out of date.
- Delete your personal information (subject to legal retention obligations).
- Restrict or object to certain processing, including direct marketing.
- Portability — receive your information in a structured, machine-readable format.
- Withdraw consent at any time where we rely on consent.
- Opt out of "sale" or "sharing" of personal information and opt out of targeted advertising (US state laws).
- Non-discrimination for exercising your privacy rights.
- Lodge a complaint with your local data-protection authority (UK ICO, your provincial Privacy Commissioner in Canada, or your US state Attorney General).
To exercise any of these rights, email support@getdermeva.com with the subject line "Privacy Request". We will verify your identity before responding and will reply within the period required by your local law (usually 30 to 45 days).
- United States: California / Virginia / Colorado / Connecticut / Utah and other state-law residents may submit access, deletion, correction, and opt-out requests via the contact above. Authorised agents accepted with written proof.
- United Kingdom: UK data subjects may complain to the Information Commissioner's Office at ico.org.uk.
- Canada: Canadian residents may complain to the Office of the Privacy Commissioner of Canada or to their provincial Commissioner (e.g. CAI Québec, OIPC BC, IPC Ontario).
8. Children
Our store is intended for adults (18+). We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact us and we will delete it.
9. Security
We use industry-standard technical and organisational measures, including TLS encryption in transit, access controls, and PCI-DSS compliant payment processing. No system is perfectly secure; if we become aware of a breach affecting your personal information we will notify you and the relevant regulators where required by law.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the store and, where appropriate, by email. The "Last updated" date at the top reflects the most recent revision.
Contact our Privacy team
Email: support@getdermeva.com
Mail: Dermeva Beauty Group Inc., 132 Christiana Mall, Newark, DE 19702, United States.