Privacy Policy

At VAIYN we take your privacy seriously. This policy explains what personal data we collect, why we collect it, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR) and the French Data Protection Act. If anything here is unclear, write to us at privacy@vaiyn.com and we will answer in plain language.

Who we are

The data controller is VAIYN, a micro-entreprise based in Strasbourg, France, founded by Litan Alexandru Răzvan and Cherif Sow. Full identification details are available on our legal notice page. Our data protection contact is privacy@vaiyn.com.

What we collect

We only collect what we genuinely need to run our shop and serve you well.

• Account data: first name, email address, password (hashed), and any optional details you add to your profile.
• Order data: shipping address, billing address, telephone number (when required by the carrier), list of items purchased, order total, delivery preferences.
• Payment information: we do not store your card details. Payments are processed by Stripe; we only receive a payment token and transaction reference.
• Communication: messages you send us (contact form, email, chat) and our replies, so we can follow up and improve our service.
• Newsletter: your email address and whether you opened our messages, if you have subscribed.
• Technical data: IP address, browser type, device identifier, pages visited — collected in logs or cookies. See our cookie policy for details.

Why we collect it (legal basis)

• To fulfil your order — processing is necessary for the performance of the contract (GDPR Art. 6(1)(b)).
• To manage your account — performance of the contract and our legitimate interest in providing an account experience (GDPR Art. 6(1)(b) and (f)).
• To send the newsletter — your explicit consent, which you may withdraw at any time (GDPR Art. 6(1)(a)).
• To comply with accounting and tax law — legal obligation (GDPR Art. 6(1)(c)).
• To prevent fraud, secure the site, and improve the experience — our legitimate interest (GDPR Art. 6(1)(f)).

How long we keep it

• Order data: 10 years from the end of the fiscal year, in line with French commercial and tax law.
• Account data: for as long as your account is active, and up to 3 years of inactivity, then deleted or anonymised (you can request deletion at any time).
• Newsletter: until you unsubscribe, plus a short technical retention for proof of consent.
• Customer service emails: up to 3 years after the last contact.
• Technical logs: up to 12 months for security and debugging.

Who we share it with

We never sell your data. We share it only with carefully chosen processors who act on our instructions and are bound by written contracts.

• Payment processor — Stripe (card payments, wallet payments, fraud prevention).
• Shipping carriers — La Poste / Colissimo, Chronopost, DHL Express, and the local carrier chosen for your destination.
• Email service provider — for order confirmations and, with your consent, the newsletter.
• Hosting provider — the company that runs the servers hosting our site.
• Analytics — if enabled, a privacy-respecting analytics tool (e.g. Plausible or Google Analytics) only with your consent. See cookies.
• Authorities — where we are legally required to disclose information (for example, to respond to a court order).

Where data is transferred outside the European Economic Area, we use recognised safeguards such as the European Commission's Standard Contractual Clauses.

Your rights under the GDPR

You have the right to:

• Access — obtain a copy of the data we hold about you.
• Rectification — correct any data that is inaccurate or incomplete.
• Erasure — have your data deleted when it is no longer necessary or when you withdraw consent.
• Restriction — limit our processing of your data in certain cases.
• Portability — receive your data in a structured, commonly used, machine-readable format.
• Objection — object to processing based on our legitimate interests, including profiling.
• Withdraw consent — at any time, where processing is based on consent.
• Lodge a complaint with the French data protection authority, the CNIL (www.cnil.fr), or the supervisory authority of your country of residence.

To exercise these rights, email privacy@vaiyn.com. We will reply within one month and may ask you to prove your identity.

Security

We apply appropriate technical and organisational measures: encrypted connections (HTTPS), hashed passwords, access controls, regular backups, and carefully selected processors. No system is perfectly secure, so we also rely on you to keep your password safe and let us know quickly if something looks off.

Cookies

We use a small number of cookies. Essential ones keep the cart and your session working; analytics cookies only run if you opt in. See our cookie policy for the full list and how to manage your preferences.

Children

Our site is not directed at children under 15. We do not knowingly collect data from minors without parental consent. If you believe we have, please write to us and we will delete it.

Changes to this policy

We may update this policy to reflect changes in the law or in how we operate. When we make a material change we will update the "last updated" date and, where relevant, notify you by email.