GDPR Policy - Flavormum

1. Introduction

Flavormum (the “Site”) is committed to safeguarding the privacy and personal data of all users in accordance with the European Union General Data Protection Regulation (GDPR) and applicable national data‑protection laws. This policy explains the types of personal data we collect, how it is used, the legal bases that justify its processing, the safeguards we employ, and your rights as a data subject. By using the Site or providing your personal data, you consent to the processing described herein.

2. Data We Collect

We collect the following categories of personal data:

Email addresses – collected when you register for an account, subscribe to our newsletter, or request contact. This data is used for account management, communication, and marketing purposes.
Cookies and similar tracking technologies – session cookies, functional cookies, and analytics cookies that help us deliver a personalized browsing experience, remember your preferences, and measure traffic.
Analytics data – aggregated and anonymised data collected via Google Analytics, Matomo, or similar tools. This includes page views, session duration, and user behaviour on the Site.

All data is stored in secure, EU‑compliant data centers. Email addresses are retained for a maximum of three years following the last interaction, cookies for up to two years, and analytics data for a maximum of six months. Once the retention period expires, the data is permanently deleted.

3. Legal Basis for Processing

Our processing activities are justified by the following legal bases:

Consent – for marketing communications and optional newsletters. You can withdraw consent at any time by following the unsubscribe link or contacting us.
Legitimate Interest – for improving the Site’s functionality, analysing usage patterns, and ensuring security. We have conducted a legitimate interest assessment and determined that the benefits to the Site outweigh the minimal intrusion on individual privacy.
Contractual Necessity – for maintaining user accounts, processing orders, and providing customer support.

4. How We Protect Your Data

We employ a multi‑layered security strategy that includes:

SSL/TLS Encryption – all data transmitted between your browser and our servers is encrypted using HTTPS.
Secure Servers – all personal data is stored on encrypted servers with restricted access and regular security audits.
Access Controls – only authorised personnel with a legitimate business need can access personal data. Role‑based permissions and two‑factor authentication are in place.
Limited Retention – personal data is deleted or anonymised once the retention period expires or when it is no longer needed for the purpose it was collected.

5. Your GDPR Rights

Under the GDPR, you have the following rights regarding your personal data. Each right is illustrated with an icon for quick reference.

Right to Access

You may request a copy of the personal data we hold about you, including the categories of data, the purposes of processing, and the recipients to whom the data has been disclosed. This request can be made by contacting [email protected].

Right to Rectification

If any of the personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct it. Provide the correct information and we will update our records promptly.

Right to Erasure

Also known as the “right to be forgotten,” you can request the deletion of your personal data, subject to legal obligations and legitimate interests. If we are unable to comply, we will explain the reasons and any alternative options.

Right to Restrict Processing

You may request that we limit the processing of your data (e.g., for accuracy checks or legal disputes). During the restriction period, we will only store the data and not use it for any purpose beyond what is necessary for compliance.

Right to Data Portability

You can obtain your personal data in a structured, commonly used, and machine‑readable format (e.g., CSV or JSON) and transfer it to another controller if desired. We will provide the data in a format that is compatible with standard data‑exchange tools.

Right to Object

You may object to the processing of your data for direct marketing, profiling, or other purposes. Upon receiving your objection, we will stop processing the data unless we can demonstrate compelling legitimate grounds that override your interests.

Right to Withdraw Consent

If we rely on your consent to process your data, you can withdraw it at any time. Withdrawal is treated the same as a refusal to provide consent, and we will cease processing the data immediately, except where we have other legal grounds to continue.

6. How to Exercise Your Rights

To exercise any of the rights described above, please send a written request to [email protected] with the following details:

Your full name and contact details (email address, phone number, or postal address).
Specific request (e.g., “I wish to access all personal data we hold about me.”).
Proof of identity (if required) – a copy of a government‑issued ID or other documentation that confirms your identity.

We will respond to your request within 30 calendar days, as required by the GDPR. If your request is complex or requires additional time, we will inform you of any extension and the reasons for the delay.

7. Response Time

In compliance with the GDPR, we guarantee a response to any lawful request within 30 days of receipt. If we need more time to investigate or verify your request, we will provide you with a written notice explaining the delay and the new estimated date of response.

8. Contact Information

If you have any questions about this policy, your data rights, or if you wish to lodge a complaint, please contact us at:

Email: [email protected]
Address: 42 Culinary Lane, Flavor City, FC 12345, United Kingdom

GDPR Compliance Policy – Flavormum