Privacy Policy
Our commitment to transparency and data protection is outlined below. Please take a moment to review how your information is handled.
Last Updated: June 2025
Governing Law: Estonian Law (Jurisdiction: Tallinn Harju County Court)
Data Controller: Casteloria OÜ (Reg. No. 17135141), Pärnu mnt 139c, 11317 Tallinn
Key Contact Points:
📧 For Privacy Inquiries and all data requests, please email: contact@casteloriawonders.com
1. INTRODUCTION
We operate under these core privacy principles:
🔐 Minimization: Collect only what’s necessary
🎯 Purpose Limitation: Use data only as disclosed
🛡️ Security: Protect with industry-standard measures
🌍 Global Compliance: Meet GDPR, CCPA, KVKK, and other jurisdictional requirements
By accessing our services, you confirm:
✅ You are at least 16 years old or have obtained parental/legal guardian consent to use our services. We do not knowingly collect personal data from individuals under 16. If we become aware that we have collected such data, we will delete it immediately.
✅ You understand and accept this policy
✅ You acknowledge our use of cookies (manageable via Section 8)
2. SCOPE & JURISDICTIONAL COMPLIANCE
2.1 Who We Serve
User Type | Data Collected | Primary Legal Basis |
---|---|---|
Retail Customers | Order details, contact info | Contract (GDPR Art. 6(1)(b)) |
B2B Clients | Company rep. details | Legitimate Interest |
Newsletter Subs | Email, engagement metrics | Consent (GDPR Art. 6(1)(a)) |
2.2 Legal Frameworks
We comply with:
- EU/EEA: GDPR (General Data Protection Regulation)
- UK: UK GDPR + Data Protection Act 2018
- USA: CCPA/CPRA (California)
- Turkey: KVKK (Law No. 6698)
- Canada: PIPEDA
- Australia: Privacy Act 1988
Safeguards for International Transfers:
- EU → US: 2021 SCCs (Modules 1-3 as applicable)
- UK → Global: IDTA + Addendum
- Turkey → EU: KVKK Adequacy Decisions
3. DATA COLLECTION IN PRACTICE
3.1 What We Collect
A. Directly Provided Data:
- Checkout forms (name, email, address)
- Account registration details
- Customer support tickets
B. Automatically Collected:
Data Type | Tool/Plugin | Purpose | Retention |
---|---|---|---|
IP Address | Google Analytics | Traffic analysis (pseudonymized) | 14 months |
Device Fingerprint | Wordfence | Fraud prevention | 90 days (encrypted) |
Cart Activity | WooCommerce | Abandoned cart recovery | 60 days |
3.2 Special Cases
EU Digital Content Waiver:
“During checkout, EU customers must actively check a box stating: ‘I expressly agree that my 14-day withdrawal right under Directive 2011/83/EU terminates immediately upon accessing downloadable content.’ This is logged with your order timestamp for compliance.”
California Opt-Out Rights:
“Click our ‘Do Not Sell/Share My Data’ footer link or email us to opt out of analytics-based ‘sales’ under CCPA.”
4. HOW WE SHARE DATA
4.1 Third-Party Processors
Vendor | Service | Data Shared | Safeguards |
---|---|---|---|
PayPal | Payments | Transaction IDs | CCPA-compliant |
Klaviyo | Email marketing | Email, purchase history | SCCs + Data Protection Addendum |
Hostinger | Web hosting | Site visitors’ IPs | GDPR Art. 28 DPA |
Key Disclosures:
- We never sell data for monetary gain
- Processors are contractually bound to equal or greater protections
- Request copies of subprocessor agreements via our DSAR portal
5. YOUR RIGHTS & HOW TO EXERCISE THEM
5.1 Global Rights Overview
Right | How to Request | Response Time |
---|---|---|
Access | DSAR portal or email | 30 days (GDPR) |
Deletion | Account settings or email | 45 days (CCPA) |
Portability | Email with proof of identity | 30 days |
5.2 Jurisdiction-Specific Mechanisms
EU/UK:
- Withdraw consent via Unsubscribe link (MailPoet/Klaviyo)
- Lodge complaints with Estonian Data Protection Inspectorate
California:
- Opt out of data “sales” via cookie banner or footer link
- Designate authorized agents (form available on request)
Turkey:
- KVKK deletion requests require notarized ID copy (template provided)
6. DATA RETENTION & STORAGE
6.1 Retention Schedule
Data Category | Retention Period | Legal Basis |
---|---|---|
Order Records | 7 years | Estonian Tax Law (§41(1) KMS) |
Marketing Consents | Until withdrawal + 2 years | GDPR Recital 39 |
Server Logs | 90 days (encrypted) | Legitimate Interest (Security) |
Deletion Protocol:
- Automated: Inactive accounts purged after 24 months
- Manual: Submit erasure requests via DSAR portal
7. SECURITY MEASURES
We implement:
🔒 Technical Safeguards:
- TLS 1.3 encryption
- Web Application Firewall (Wordfence)
- Daily malware scans (Really Simple Security)
📋 Organizational Protocols:
- Biannual staff training
- Breach response team with 24/7 escalation
- Vendor security audits (annual)
Past Incidents:
“No material breaches occurred in the last 12 months.”
8. COOKIE POLICY
8.1 Cookie Types
Category | Examples | How to Control |
---|---|---|
Essential | WooCommerce session | Cannot be disabled |
Analytics | GA4 (_ga) | Toggle in [Cookie Settings] |
Marketing | Klaviyo (_kv_id) | Unsubscribe in email footer |
Browser-Level Controls:
We provide a step-by-step guide for managing cookies in [Chrome], [Firefox], and [Safari].
9. CHILDREN’S PRIVACY
Strict Prohibition:
- No services offered to users under 16
- Age verification during account creation
- Immediate deletion of underage accounts (report to privacy@)
10. BREACH NOTIFICATION
Our 72-Hour Response Protocol:
- Containment: Isolate affected systems
- Assessment: DPO-led risk evaluation
- Notification: Email + on-site alert (if high risk)
- Remediation: Post-mortem with vendors
11. POLICY UPDATES
Change Management:
- Material changes announced via email 30 days in advance
- Archive of past versions available [here]
User Acknowledgement:
“Continued use after updates constitutes acceptance.”
12. CONTACT & RESOURCES
Data Protection Officer:
📧 contact@casteloriawonders.com (Response within 5 business days)