Privacy Policy
Last updated: February 19, 2026 — Effective immediately upon publication
Table of Contents
- Who We Are (Data Controller)
- Scope of This Policy
- What Personal Data We Collect
- How We Collect Your Data
- Why We Use Your Data (Purposes and Legal Bases)
- Cookies and Tracking Technologies
- Who We Share Your Data With
- International Data Transfers
- How Long We Keep Your Data
- How We Protect Your Data
- Your Rights Under GDPR (EU / EEA Residents)
- Your Rights Under CCPA / CPRA (California Residents)
- Rights of UK Residents
- Rights of Canadian Residents
- Children's Privacy
- Third-Party Websites
- Changes to This Policy
- Contact and Complaints
1. WHO WE ARE (DATA CONTROLLER)
This Website, www.shakesband.com, is operated by Shakes Band. Shakes Band is the data controller responsible for the personal data collected through this Website. This means we determine the purposes and means of processing your personal data.
As a business legally established in France (an EU member territory), Shakes Band is subject to the General Data Protection Regulation (GDPR) (EU) 2016/679, the French Data Protection Act (Loi Informatique et Libertés), and other applicable data protection laws.
Full legal identification details of the business operator, including registered name, address, SIRET number, and competent supervisory authority, are available in our Legal Notice.
Data Protection Contact: hello@shakesband.com
2. SCOPE OF THIS POLICY
This Privacy Policy applies to all personal data collected through or in connection with: your use of the www.shakesband.com website; the placement and fulfillment of any order; communications with our customer service team; any marketing communications to which you have subscribed; and any other interaction you may have with Shakes Band.
This Policy does not apply to third-party websites that may be linked to or from our Website. We encourage you to review the privacy policies of any third-party website you visit.
3. WHAT PERSONAL DATA WE COLLECT
3.1 Data You Provide to Us Directly
| Category | Examples of Data Collected | When Collected |
|---|---|---|
| Identity data | First name, last name | At checkout; account creation |
| Contact data | Email address | At checkout; newsletter sign-up; contact form |
| Delivery data | Delivery address (street, city, postal code, country) | At checkout |
| Order data | Products ordered, quantities, bundle type, order total, order number | At checkout |
| Payment data | Payment method type (card, Apple Pay, Google Pay); last 4 digits (for reference only — full card details never stored by us) | At checkout (processed by Shopify Payments) |
| Communication data | Content of emails, messages, or returns/warranty requests you send us | When you contact us |
| Consent records | Record of your consent to marketing communications | At newsletter sign-up or checkout |
3.2 Data Collected Automatically
| Category | Examples of Data Collected | Purpose |
|---|---|---|
| Device and technical data | IP address, browser type and version, operating system, device type (mobile/desktop/tablet) | Security, fraud prevention, site diagnostics |
| Usage / navigation data | Pages visited, products viewed, time spent on pages, clickstream data, referral URL, search terms used on site | Website improvement, analytics |
| Session data | Session ID, shopping cart contents, checkout progress | Functional — to enable shopping cart and checkout |
| Location data | Country and general region inferred from IP address | Displaying correct currency/language; shipping eligibility |
| Transaction data | Purchase history, order frequency, value of purchases | Order management, fraud prevention, customer service |
3.3 Data We Do Not Collect
Shakes Band does not collect sensitive personal data (also known as special category data) such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation. We do not request or store full payment card numbers — these are processed and secured exclusively by our payment processor.
4. HOW WE COLLECT YOUR DATA
We collect personal data through the following means:
Direct interactions: You actively provide data when you fill in forms, complete a purchase, create an account, sign up for our newsletter, submit a return request, make a warranty claim, or contact our customer service team by email.
Automated technologies: As you browse our Website, we automatically collect technical and usage data through cookies, web beacons, pixel tags, and similar tracking technologies. See Section 6 for full details on our use of cookies.
Third parties: We may receive limited data about you from our technology and logistics partners, including Shopify (order and payment data), shipping carriers (delivery confirmation), and analytics providers (aggregated browsing statistics).
5. WHY WE USE YOUR DATA (PURPOSES AND LEGAL BASES)
Under the GDPR, we are required to have a lawful basis for each purpose for which we process your personal data. The table below sets out our processing activities, their purposes, and the applicable legal basis.
| Purpose of Processing | Legal Basis (GDPR Art. 6) | Details |
|---|---|---|
| Processing, fulfilling, and tracking your order | Contract performance (Art. 6(1)(b)) | Necessary to deliver the product you purchased |
| Sending order confirmation and shipping update emails | Contract performance (Art. 6(1)(b)) | Transactional communication required to complete your purchase |
| Processing returns, refunds, exchanges and warranty claims | Contract performance (Art. 6(1)(b)) | Necessary to honor our contractual and warranty obligations |
| Responding to customer service inquiries and complaints | Contract performance / Legitimate interest (Art. 6(1)(b)/(f)) | Resolving your queries and maintaining service quality |
| Fraud detection and prevention | Legitimate interest (Art. 6(1)(f)) | Protecting our business and customers from fraudulent transactions |
| Compliance with legal and accounting obligations | Legal obligation (Art. 6(1)(c)) | French accounting law requires retention of transaction records for 5 years |
| Analyzing Website performance and improving user experience | Legitimate interest (Art. 6(1)(f)) | Understanding how visitors use our site to improve its design and functionality |
| Sending marketing and promotional emails | Consent (Art. 6(1)(a)) | Only sent where you have explicitly opted in; you can withdraw consent at any time |
| Displaying relevant content based on your browsing behavior | Consent (Art. 6(1)(a)) | Based on cookie consent; you can manage preferences at any time |
| Enforcing our Terms of Service | Legitimate interest (Art. 6(1)(f)) | Protecting our legal rights and the integrity of our platform |
5.1 Legitimate Interests Balancing Test
Where we rely on legitimate interests as our legal basis for processing, we have carefully assessed that our legitimate interests are not overridden by your interests, fundamental rights, or freedoms. You have the right to object to processing based on legitimate interests at any time (see Section 11). When you exercise this right, we will stop processing your data for that purpose unless we can demonstrate compelling legitimate grounds that override your interests.
6. COOKIES AND TRACKING TECHNOLOGIES
6.1 What Are Cookies?
Cookies are small text files placed on your device (computer, tablet, or smartphone) when you visit a website. They allow the website to recognize your device, remember your preferences, and provide certain functionality. In addition to cookies, we may use similar technologies such as web beacons, pixel tags, and local storage objects.
6.2 Categories of Cookies We Use
| Category | Purpose | Can You Opt Out? | Provider |
|---|---|---|---|
| Strictly Necessary | Enable core Website functions: shopping cart, checkout, session management, fraud prevention. Without these, the Website cannot function. | No — technically required | Shopify |
| Functional / Preference | Remember your preferences such as language, currency display, and items left in your cart between sessions. | Yes, via cookie settings | Shopify |
| Analytics / Performance | Collect anonymized data about how visitors use our Website (pages visited, time on site, traffic sources) to help us improve the user experience. | Yes, via cookie consent banner | Shopify Analytics |
| Marketing / Targeting | Reserved for future use to deliver personalized advertising and measure the effectiveness of marketing campaigns. Currently not active. | Yes, via cookie consent banner | To be confirmed |
6.3 Cookie Consent
When you first visit our Website, you will be presented with a cookie consent banner. You may accept all cookies, reject non-essential cookies, or customize your preferences. Strictly necessary cookies are placed without requiring consent as they are essential for the Website to function. All other categories of cookies require your prior consent.
You may change or withdraw your cookie consent at any time by accessing the cookie settings within the footer of our Website. You may also delete cookies stored on your device at any time through your browser settings. Please note that disabling certain cookies may affect the functionality of the Website and your shopping experience.
6.4 Managing Cookies Through Your Browser
Most web browsers allow you to control cookies through their settings. Instructions for managing cookies in the most common browsers are available at: Chrome: support.google.com — Firefox: support.mozilla.org — Safari: support.apple.com. For more information on cookies, visit www.allaboutcookies.org.
7. WHO WE SHARE YOUR DATA WITH
Shakes Band does not sell, rent, or trade your personal data to third parties for their own commercial purposes. We share your data only with the following categories of trusted service providers where necessary to provide you with the services you have requested, and always under strict contractual data protection obligations.
| Recipient | Role | Data Shared | Purpose |
|---|---|---|---|
| Shopify Inc. | E-commerce platform, payment processor, hosting | Order data, identity data, payment method data, browsing data | Operating the Website, processing payments, fraud prevention |
| Payment processors (Stripe, Apple Pay, Google Pay) | Payment gateway | Payment authorization data only | Secure transaction processing |
| Fulfillment and logistics partner | Order preparation and dispatch | Name, delivery address, product ordered, order number | Picking, packing, and shipping your order |
| International postal and courier services | Last-mile delivery carrier | Name and delivery address | Physical delivery of your package |
| Analytics service providers | Website analytics | Anonymized / aggregated browsing data only | Understanding Website usage and improving user experience |
| Legal and regulatory authorities | Compliance | Data required by applicable law | Complying with legal obligations, court orders, or regulatory requests |
All third-party service providers who process personal data on our behalf do so as data processors under written data processing agreements that require them to: process your data only on our documented instructions; maintain confidentiality; implement appropriate technical and organizational security measures; and not engage sub-processors without our prior written authorization.
8. INTERNATIONAL DATA TRANSFERS
As an e-commerce business serving customers internationally and using global service providers (primarily Shopify, based in Canada, with infrastructure in the United States), your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States and Canada.
We ensure that all such international transfers are protected by appropriate safeguards in accordance with GDPR requirements. Specifically, transfers to Shopify and its service providers in the United States and Canada are governed by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c), which impose equivalent data protection obligations on the data importer. Additionally, Canada is recognized by the European Commission as a country providing adequate protection for personal data in respect of commercial entities subject to the Personal Information Protection and Electronic Documents Act (PIPEDA).
You may request a copy of the safeguards we rely on for international transfers by contacting us at hello@shakesband.com.
9. HOW LONG WE KEEP YOUR DATA
| Data Type | Retention Period | Legal Basis for Retention |
|---|---|---|
| Order and transaction records | 5 years from the date of the transaction | French Commercial Code and Tax Code (legal obligation) |
| Customer account data | For the duration of the account + 3 years after last activity | Legitimate interest (customer service continuity) |
| Customer service communications | 3 years after the last interaction | Legitimate interest (dispute resolution) |
| Returns and warranty claim records | 3 years after the claim is resolved, or 2 years after the warranty period expires | Legal obligation / contract performance |
| Marketing consent and email lists | Until consent is withdrawn, then deleted within 30 days | Consent |
| Browsing and analytics data | Maximum 13 months from collection | Legitimate interest (in line with CNIL guidelines) |
| Cookie data | Maximum 13 months (strictly necessary); per session (functional) | Consent / Legitimate interest |
| Fraud prevention records | Up to 5 years where fraud or legal risk is identified | Legitimate interest / legal obligation |
At the end of the applicable retention period, your personal data will be securely deleted or anonymized so that it can no longer be associated with you.
10. HOW WE PROTECT YOUR DATA
Shakes Band implements appropriate technical and organizational measures designed to protect your personal data against unauthorized access, accidental loss, alteration, disclosure, or destruction. These measures include:
Technical measures: SSL/TLS encryption for all data transmitted between your browser and our Website; PCI DSS Level 1 compliance for all payment data (handled by Shopify Payments); access controls restricting access to personal data to authorized personnel only; regular security updates and patching of our platform infrastructure; use of Shopify's enterprise-grade cloud hosting infrastructure with built-in security.
Organizational measures: A privacy-by-design approach to the development of Website features; staff training on data protection obligations; contractual data protection requirements imposed on all third-party service providers; internal procedures for detecting, assessing, and managing personal data breaches.
Despite our best efforts, no method of internet transmission or electronic storage is 100% secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and will notify you directly without undue delay where required by applicable law.
11. YOUR RIGHTS UNDER GDPR (EU / EEA RESIDENTS)
If you are located in the European Union or European Economic Area, the GDPR grants you the following rights with respect to your personal data. These rights are not absolute and may be subject to certain conditions or limitations under applicable law.
- Request a copy of the personal data we hold about you, as well as information about how we use it.
- Request correction of any inaccurate or incomplete personal data we hold about you.
- Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Request that we restrict how we process your data in certain circumstances.
- Request your personal data in a structured, machine-readable format and transfer it to another controller.
- Object to processing based on legitimate interests or for direct marketing purposes at any time.
- Right not to be subject to decisions based solely on automated processing that produce legal or significant effects.
- Withdraw any consent given at any time without affecting the lawfulness of prior processing.
How to Exercise Your Rights
To exercise any of the above rights, please submit a written request to hello@shakesband.com with the subject line "GDPR Data Rights Request" and clearly indicate the right(s) you wish to exercise and the data concerned. We may ask you to verify your identity before processing your request. We will respond within 30 days of receipt. If we need additional time (up to a further 60 days for complex requests), we will inform you of the extension and the reasons for it.
Right to Lodge a Complaint: If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority in your country of residence. In France, this is the Commission Nationale de l'Informatique et des Libertés (CNIL): www.cnil.fr. You may also contact the supervisory authority in your EU/EEA country of residence.
12. YOUR RIGHTS UNDER CCPA / CPRA (CALIFORNIA RESIDENTS)
If you are a resident of California, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following rights:
Right to Know: You have the right to request that we disclose the categories of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collecting it, the categories of third parties with whom we share it, and the specific pieces of personal information collected about you over the past 12 months.
Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., data needed to complete a transaction, comply with a legal obligation, or detect security incidents).
Right to Correct: You have the right to request correction of inaccurate personal information we maintain about you.
Right to Opt Out of Sale or Sharing: You have the right to direct us not to sell or share your personal information. Shakes Band does not sell your personal information and does not share it for cross-context behavioral advertising.
Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined under the CPRA.
Right to Non-Discrimination: Shakes Band will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you goods or services, charge you different prices, provide a different level of service quality, or suggest that you will receive a different quality of service as a result of exercising your rights.
How to Submit a CCPA/CPRA Request: Send your request by email to hello@shakesband.com with the subject line "CCPA Privacy Request." Please specify clearly the right(s) you wish to exercise. We will respond within 45 days. If we need additional time (up to a further 45 days), we will notify you.
Authorized Agent: You may designate an authorized agent to submit a CCPA/CPRA request on your behalf. The authorized agent must provide written proof of your authorization and you may be required to verify your identity directly with us.
13. RIGHTS OF UK RESIDENTS
If you are located in the United Kingdom, your personal data is protected by the UK General Data Protection Regulation (UK GDPR) as retained in UK law under the Data Protection Act 2018. Your rights are equivalent to those described in Section 11 above, with the following specifics:
The supervisory authority for data protection in the UK is the Information Commissioner's Office (ICO): ico.org.uk. You have the right to lodge a complaint with the ICO if you believe your data has been processed unlawfully. You also have the right to an effective judicial remedy against the ICO or against a controller or processor.
International transfers to Shakes Band's service providers are conducted under the UK's own international transfer framework, using the UK's International Data Transfer Agreement (IDTA) or equivalent safeguards.
14. RIGHTS OF CANADIAN RESIDENTS
If you are located in Canada, your personal information is protected by the Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level, and potentially by provincial privacy legislation (such as PIPA in Alberta and BC, and the Act respecting the protection of personal information in the private sector in Quebec, also known as Law 25).
Under applicable Canadian law, you have the right to access your personal information held by Shakes Band, the right to request corrections to inaccurate information, and the right to withdraw consent to collection or use (subject to legal and contractual restrictions). You may exercise these rights by contacting us at hello@shakesband.com.
The supervisory authority for federal privacy matters in Canada is the Office of the Privacy Commissioner of Canada (OPC): www.priv.gc.ca.
15. CHILDREN'S PRIVACY
The Website and our products are not directed to, and we do not knowingly collect personal data from, children under the age of 16 (or the applicable age of digital consent in your country). We do not intentionally market to or collect personal data from minors.
If we become aware that we have inadvertently collected personal data from a child under the applicable age without verifiable parental consent, we will take prompt steps to delete that data. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us immediately at hello@shakesband.com so that we can investigate and take appropriate action.
16. THIRD-PARTY WEBSITES
Our Website may contain links to third-party websites. When you click on such a link, you leave our Website and your activity on the third-party site is governed solely by that site's own privacy policy and terms. Shakes Band has no control over, and accepts no responsibility for, the privacy practices, content, or data protection policies of third-party websites. We encourage you to review the privacy policy of every website you visit.
17. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, new regulatory requirements, or the introduction of new features or services. All changes will be published on this page with a revised "Last updated" date at the top. For material changes that significantly affect your rights or how we use your data, we will make reasonable efforts to notify you by email (if you have an account or have made a purchase) or by means of a prominent notice on the Website.
Your continued use of the Website after the publication of changes constitutes your acknowledgment of the updated Privacy Policy. If you do not agree to the updated policy, you should cease using the Website.
18. CONTACT AND COMPLAINTS
If you have any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us:
Email: hello@shakesband.com
Subject line: "Privacy Request" or "Data Protection Inquiry"
Brand: Shakes Band — www.shakesband.com
Legal details: See our Legal Notice
We will acknowledge your request within 72 hours and respond fully within 30 days. If you are not satisfied with our response, you have the right to escalate your complaint to the relevant data protection supervisory authority in your country of residence (CNIL for France, ICO for the UK, OPC for Canada, or your EU member state's authority).