Privacy Policy Pursuant to Regulation (EU) 2016/679 (GDPR)
Last updated: January 2026
The Data Controller is Broken Hearts, with operational headquarters in Naples, Italy.
For any requests regarding the processing of personal data, you can contact the Controller at: support@brokenhearts.co
Data Voluntarily Provided
- Identification data — first name, last name
- Contact data — email address, phone number
- Address — shipping and billing address
- Payment data — managed exclusively by certified third-party providers (Shopify Payments, Klarna, etc.)
- Communications — content of emails and messages sent to customer service
Data Collected Automatically
- Technical data — IP address, browser type, operating system, device used
- Navigation data — pages visited, time spent, navigation path
- Interaction data — clicks, scrolls, interactions with site elements
- Cookies and similar technologies — as described in our Cookie Policy
Contract Performance (Art. 6.1.b GDPR)
- Order and shipping management
- Payment processing
- Pre- and post-sale customer support
- Returns, refunds and warranty management
- Order-related communications
Legal Obligations (Art. 6.1.c GDPR)
- Tax and accounting compliance
- Mandatory document retention
- Response to judicial or administrative authority requests
Legitimate Interest (Art. 6.1.f GDPR)
- Fraud and illegal activity prevention
- Improvement of our products and services
- Aggregate and anonymized statistical analysis
- Website and IT systems security
Consent (Art. 6.1.a GDPR)
- Newsletter and commercial communications
- Use of profiling and marketing cookies
- Data sharing with partners for promotional purposes
Personal data may be shared with the following categories of recipients:
Service Providers
- E-commerce platform — Shopify Inc. (data processor)
- Carriers — UPS, BRT, DHL, Poste Italiane for order delivery
- Payment providers — Shopify Payments, Klarna for transaction processing
- Email marketing — Klaviyo for newsletter sending (with consent)
- Analytics services — Google Analytics for site usage statistics
Advertising Platforms
- Meta — Facebook/Instagram Pixel for advertising campaigns (with consent)
- TikTok — TikTok Pixel for advertising campaigns (with consent)
Other Recipients
- Competent authorities — when required by law or to protect our rights
- Professional consultants — accountants and lawyers, for specific compliance matters
We do not sell or rent personal data to third parties for direct marketing purposes.
Some of our service providers are located outside the European Economic Area (EEA), particularly in the United States (Shopify, Google, Meta, Klaviyo).
In such cases, data transfers are based on:
- Adequacy decisions by the European Commission
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The EU-US Data Privacy Framework, for certified providers
For more information on the safeguards adopted, you can contact us at support@brokenhearts.co.
Personal data is retained for the time strictly necessary for the purposes for which it was collected:
- Order-related data — 10 years from order date (tax and accounting obligations)
- Account data — until account deletion by the user
- Direct marketing data — until consent withdrawal or for a maximum of 24 months from last interaction
- Navigation data — according to durations specified in the Cookie Policy
- Dispute management data — for the time necessary for resolution and in any case not beyond legal limitation periods
At the end of the retention period, data is deleted or irreversibly anonymized.
Under the GDPR, as a data subject you have the right to:
- Access (Art. 15) — obtain confirmation of processing and a copy of your personal data
- Rectification (Art. 16) — correct inaccurate data or complete incomplete data
- Erasure (Art. 17) — request deletion of your data ("right to be forgotten")
- Restriction (Art. 18) — restrict processing in certain cases
- Portability (Art. 20) — receive your data in a structured format and transfer it to another controller
- Objection (Art. 21) — object to processing for direct marketing purposes
- Withdraw consent (Art. 7) — withdraw given consent at any time
How to Exercise Your Rights
To exercise your rights, you can contact us at: support@brokenhearts.co
We will respond to your request within 30 days. For complex or numerous requests, this period may be extended by a further 60 days, with prior notice.
Complaint to Supervisory Authority
You also have the right to lodge a complaint with the Italian Data Protection Authority: www.garanteprivacy.it
We implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, destruction or alteration:
- Encryption — all communications with the Site occur over HTTPS (TLS)
- Limited access — data is accessible only to authorized personnel
- Secure hosting — data is hosted on certified servers (Shopify is SOC 1, SOC 2 and PCI DSS compliant)
- Backup — regular backups with disaster recovery procedures
- Monitoring — monitoring systems to detect suspicious activity
Payment card data never passes through our systems but is managed directly by PCI DSS certified payment providers.
Our Site and services are not intended for minors under 16 years of age. We do not knowingly collect personal data from minors.
If a parent or guardian believes their child has provided us with personal data without consent, please contact us at support@brokenhearts.co and we will promptly delete it.
We reserve the right to modify this Privacy Policy at any time. Changes will be published on this page, with the update date indicated.
In case of substantial changes that significantly affect data processing, we will inform you by email or by a prominent notice on the Site.
We encourage you to periodically review this page to stay informed about our privacy practices.
For any questions regarding this Privacy Policy or the processing of your personal data:
Data Controller: Broken Hearts
Location: Naples, Italy
Email: support@brokenhearts.co
Hours: Monday — Friday, 9:00 AM — 6:00 PM CET