Privacy Policy

We use your personal data for the following purposes:

• Fulfilling and shipping your orders, and communicating about order status
• Responding to your support inquiries and contact form submissions
• Processing wholesale applications and managing approved wholesale accounts
• Sending newsletters and promotional emails to subscribers (with your consent)
• Improving our website based on aggregated analytics
• Detecting and preventing fraud, abuse, and security threats
• Complying with legal obligations, such as tax record-keeping

We do not use your personal data for automated decision-making that produces legal or similarly significant effects without human review.

For users in the European Union, we process your personal data on the following legal bases:

• Contract performance: processing necessary to fulfill an order you placed
• Legitimate interests: fraud prevention, website security, and business analytics
• Consent: newsletter subscriptions and non-essential cookies (you may withdraw consent at any time)
• Legal obligation: retaining transaction records as required by tax and accounting laws

We do not sell your personal data. We share it only with the following categories of third parties where necessary to operate our business:

PayPal

Retail payment processing is handled by PayPal. When you proceed to checkout, you are redirected to PayPal's platform. PayPal collects and processes your payment data under their own privacy policy. We do not receive or store your full card details.

TikTok Shop

Purchases made through TikTok Shop are processed and fulfilled under TikTok Shop's terms and privacy policy. If you contact us about a TikTok Shop order, we may receive your contact details but TikTok Shop's platform governs that transaction.

Service Providers

We use third-party services for website hosting (Vercel), database infrastructure (Supabase), and analytics (Google Analytics). These providers process data on our behalf under strict data processing agreements and may not use your data for their own purposes.

Legal Requirements

We may disclose your data to law enforcement, regulators, or courts when required to do so by applicable law, legal process, or to protect the rights and safety of Velvet Warm and its customers.

We retain your data only as long as necessary for the purposes described in this policy:

• Order records: retained for 7 years to comply with tax and accounting obligations
• Contact and support inquiries: retained for 2 years, then deleted unless there is an ongoing matter
• Newsletter subscriptions: retained until you unsubscribe
• Wholesale accounts: retained while the account is active and for 3 years after account closure
• Analytics data: aggregated and anonymized; individual session data is retained per Google Analytics default settings
• Account data: retained until you request deletion

Types of Cookies We Use

• Essential cookies: required for the website to function (session management, cart state, authentication). These cannot be disabled.
• Analytics cookies: Google Analytics tracks page views, session duration, and user behavior in aggregate. You can opt out via your browser settings or the Google Analytics opt-out browser add-on.
• Preference cookies: store your language and theme (light/dark) settings.
• Third-party cookies: PayPal and TikTok may set cookies when you interact with their embedded components. These are governed by their respective privacy policies.

Managing Cookies

You can disable non-essential cookies at any time through your browser settings or our cookie consent banner. Disabling certain cookies may affect website functionality.

Our security measures include:

• TLS/HTTPS encryption for all data in transit
• Encryption at rest for database storage
• Access controls limiting which staff can access personal data
• Row-level security policies on our database to prevent unauthorized data access
• Passwords are hashed and never stored in plain text

Our infrastructure providers (Vercel, Supabase) may process data across multiple regions. Where required by the GDPR, data transfers outside the European Economic Area are protected by appropriate safeguards, such as Standard Contractual Clauses (SCCs). We review our transfer mechanisms as regulations evolve.

Depending on your location, you have specific rights regarding your personal data. To exercise any of these rights, contact us at support@velvet-warm.com.

EU / GDPR Rights

• Right of access: request a copy of the personal data we hold about you
• Right to rectification: ask us to correct inaccurate or incomplete data
• Right to erasure: request deletion of your data where we have no lawful reason to retain it
• Right to portability: receive your data in a structured, machine-readable format
• Right to object: object to processing based on legitimate interests or for direct marketing
• Right to lodge a complaint: file a complaint with your local Data Protection Authority if you believe we have violated your rights

California / CCPA Rights

• Right to know: request disclosure of the personal information we collect, use, and share
• Right to delete: request deletion of your personal information (subject to certain exceptions)
• Right to opt out of sale: we do not sell personal information; no opt-out is required
• Right to non-discrimination: exercising your rights will not result in different service or pricing

We will respond to verified requests within 30 days. We may ask you to verify your identity before processing a request.

Our website and services are not directed at children under the age of 13. We do not knowingly collect personal data from anyone under 13. If we become aware that we have inadvertently collected such data, we will delete it promptly. If you believe a child has submitted personal data to us, please contact us at support@velvet-warm.com.

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this page periodically.

Continued use of our website after an update to this policy constitutes your acknowledgment of the changes.

If you are a California resident, you have the rights described in Section 9 under the California Consumer Privacy Act. In addition:

• We do not sell personal information to third parties
• We do not share personal information for cross-context behavioral advertising without consent
• You may designate an authorized agent to submit requests on your behalf

To submit a California privacy request, email support@velvet-warm.com with "CCPA Request" in the subject line.

Your rights under our other policies:

• For information on how we handle returns and refunds, see our Refund & Returns.
• For the full terms governing your use of our website and products, see our Terms & Conditions.