
Privacy Policy

PRIVACY POLICY (GDPR)
Last updated: January 2026

This Privacy Policy describes how Broken Hearts processes personal data in accordance with Regulation (EU) 2016/679 (“GDPR”) and applicable Italian data protection laws.

1) Data Controller
Data Controller: Broken Hearts (operational headquarters: Naples, Italy)
Contact email for privacy matters: support@brokenhearts.co

2) Personal Data We Collect
A) Data voluntarily provided by you
- Identification data: first name, last name
- Contact data: email address, phone number
- Address data: shipping and billing address
- Order data: items purchased, order notes, communications relating to the order
- Customer support communications: emails/messages you send us and any attachments you provide (e.g., photos)

B) Data collected automatically
- Technical data: IP address, browser type, device identifiers, operating system
- Usage/navigation data: pages visited, time spent, navigation paths, interaction data (clicks, scrolls)
- Cookies and similar technologies: see our Cookie Policy for details and consent preferences

Payment note:
Payment card details are processed by certified payment providers and are not stored by Broken Hearts.

3) Purposes and Legal Bases
We process personal data for the following purposes:

A) Contract performance (Art. 6(1)(b) GDPR)
- Order processing, production, and fulfillment
- Shipping and delivery management
- Customer support (pre- and post-sale)
- Processing eligible returns/resizing, refunds, warranty and repair requests
- Order-related communications

B) Legal obligations (Art. 6(1)(c) GDPR)
- Tax, accounting, and invoicing obligations
- Mandatory document retention
- Compliance with lawful requests by authorities

C) Legitimate interest (Art. 6(1)(f) GDPR)
- Fraud prevention, order security checks, abuse prevention
- Site security and IT security
- Improving products, services, and user experience
- Aggregated analytics and statistical reporting (where feasible)

D) Consent (Art. 6(1)(a) GDPR)
- Newsletter and marketing communications (when you opt in)
- Advertising and profiling cookies (when you opt in)
You can withdraw consent at any time.

4) Data Sharing (Recipients)
We share data only as necessary to operate the website and fulfill your order, including with:
- E‑commerce infrastructure: Shopify
- Payment providers (depending on your chosen method): Shopify Payments, PayPal, Klarna, etc.
- Carriers/logistics partners: for shipment and delivery management
- Email service providers (newsletter): only with consent
- Analytics/advertising platforms: only according to cookie consent settings (e.g., Google Analytics, Meta Pixel, TikTok Pixel)
- Professional advisors (accountants/lawyers) and competent authorities when required by law or to protect our rights

We do not sell or rent your personal data to third parties for their direct marketing.

5) International Transfers (Outside the EEA)
Some service providers may be located outside the EEA (e.g., United States). Where applicable, transfers are carried out using GDPR-compliant safeguards such as:
- European Commission adequacy decisions (when available)
- Standard Contractual Clauses (SCCs)
- EU–US Data Privacy Framework for certified providers (when applicable)

6) Data Retention
We keep personal data only as long as necessary for the purposes above:
- Order / invoicing data: up to 10 years (tax/accounting requirements)
- Account data (if applicable): until you request deletion (subject to legal retention duties)
- Marketing data: until you withdraw consent or as otherwise limited by law/policy
- Support and disputes: as long as necessary to manage the request and within limitation periods
- Cookie data: as described in the Cookie Policy

7) Your Rights
You may request:
- Access, rectification, deletion
- Restriction and objection
- Data portability (where applicable)
- Withdrawal of consent (where processing is based on consent)

To exercise your rights, contact: support@brokenhearts.co

Supervisory authority
You may lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali):
https://www.garanteprivacy.it/

8) Security
We implement appropriate technical and organizational measures, including:
- Encrypted communications (HTTPS/TLS)
- Access controls and limited internal access
- Secure hosting and monitoring
- Backup and recovery procedures

9) Minors
The website is not intended for users under 16 years of age. We do not knowingly collect personal data from minors.

10) Changes to This Policy
We may update this Privacy Policy from time to time. The updated version will be published on this page with the new “Last updated” date.

11) Contact
For privacy questions: support@brokenhearts.co
Support hours: Monday–Friday, 9:00 AM – 6:00 PM (CET/CEST)
