Privacy Policy

Last updated: June 2026 · GDPR-compliant

Data controller: [Legal entity — pending] · hello@ornavau.com · Last revised: June 2026

1. Introduction and data controller

Your privacy matters to us. This privacy policy explains what personal data we collect when you visit or interact with this site, how we use it, and what your rights are, in particular under the EU General Data Protection Regulation (GDPR).

The data controller is [Legal entity — pending], reachable at hello@ornavau.com, registered in Wyoming, United States, at [Address — pending].

2. Data we collect

We may collect the following categories of data:

• Order data: name, email address, delivery address, order contents and payment reference (not the card number — payment data is handled by our payment provider).
• Contact data: name, email address and the content of any message you send via the contact form.
• Newsletter data: email address, if you subscribe.
• Browsing data: IP address, browser and device type, and pages viewed, via server logs and, where applicable, analytics software.
• Preference data: language and cart contents stored locally in your browser (localStorage) — this data does not leave your device unless you place an order.

3. How we use your data

We use your data for the following purposes and legal bases:

• Order fulfilment (contract): processing your order, arranging shipping, issuing invoices and handling returns.
• Customer service (legitimate interest / contract): responding to enquiries and resolving complaints.
• Marketing (consent): sending the newsletter if you are subscribed. You can unsubscribe at any time.
• Legal obligations: retaining order and invoicing data for the period required by applicable tax and commercial law.
• Site improvement (legitimate interest): analysing anonymised browsing data.

4. Data sharing and processors

We do not sell your data. We share it only with the following categories of processors, bound by appropriate data-processing terms:

• Payment providers: handle card payment authorisation.
• Carriers: receive your name and delivery address to perform delivery.
• Email providers: for confirmation emails and the newsletter.
• Hosting and infrastructure: our servers are located in the EU or in jurisdictions with an adequate level of protection.

We will disclose data to authorities if required to do so by law.

5. Cookies and local storage

This site uses browser local storage (localStorage, not cookies) to remember your language preference and your cart. This data stays on your device unless you make a purchase or sign up.

If we introduce third-party analytics or advertising tools, we will update this policy and seek your consent where the law requires it.

6. Data retention

We retain data only as long as necessary for its purpose, unless a longer legal period applies:

• Order data: the period required by accounting obligations.
• Contact messages: 12 months after the last reply, unless needed longer.
• Newsletter subscribers: until you unsubscribe, plus 30 days.
• Server logs: 90 days, on a rolling basis.

7. Your rights

Under the GDPR and equivalent laws, you have the following rights regarding your personal data:

• Access: request a copy of the data we hold about you.
• Rectification: request correction of inaccurate data.
• Erasure: request deletion of your data, subject to legal retention.
• Restriction: ask us to restrict processing in certain cases.
• Portability: receive your data in a machine-readable format.
• Objection: object to processing based on legitimate interest, including direct marketing.
• Withdraw consent: at any time, without affecting the lawfulness of prior processing.

To exercise these rights, contact hello@ornavau.com. We respond within 30 days. You may also lodge a complaint with your country's supervisory authority.

8. International transfers

Where data is transferred outside the European Economic Area, we ensure appropriate safeguards (standard contractual clauses or countries with an adequate level of protection).

9. Data security

We implement appropriate technical and organisational measures: HTTPS encryption in transit, access controls and regular reviews. In the event of a breach presenting a risk, we will notify the competent authority and, where required, the individuals concerned.

10. Changes to this policy

We may update this policy to reflect our practices or the law. The updated version will be posted on this page with a new date. For substantial changes, we will inform customers and subscribers.

For any question about this policy or your data, write to hello@ornavau.com.