Legal
Privacy Policy
Last updated: [REPLACE WITH DATE OF YOUR LAST POLICY REVIEW]
Information We Collect
We collect information you provide directly (name, email, shipping address, payment details) and data generated by your use of the store (browsing history, device type, IP address). We do not sell personal data to third parties.
How We Use Your Data
Your data is used to process orders, personalise your shopping experience, send transactional communications, and improve our storefront. Marketing emails require explicit opt-in and can be withdrawn at any time.
Payment Security
Payment processing is handled by our third-party payment provider [CUSTOMISE: your payment processor]. Noir never stores card numbers. All transactions are encrypted with TLS 1.3 and processed through a provider that is designed to support [CUSTOMISE: your payments compliance posture, e.g. PCI DSS].
Cookies & Tracking
We use essential cookies for cart state and session management. Analytics cookies are loaded only after consent. You can manage preferences through the cookie banner at any time.
Data Retention
Order records are retained for 7 years for tax and legal compliance. Account data is deleted within 30 days of account closure upon request.
Your Rights
You have the right to access your personal data, the right to correct or rectify inaccurate data, the right to delete your data, the right to restrict processing, the right to data portability, the right to object to processing, the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects (GDPR Art. 22; you may request human review, contest the decision, and express your point of view), and the right to lodge a complaint with a supervisory authority. Contact privacy@example.com for any data subject request. We respond within 30 days.
Your Rights — California & US State Privacy Laws
If you are a resident of California (CCPA/CPRA), Colorado, Connecticut, Texas, Virginia, Oregon, or another US state with a comprehensive consumer-privacy law, you have the following rights, subject to certain exceptions:
Right to Know / Access — you may request the categories and specific pieces of personal information we have collected about you, the sources of that information, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it.
Right to Delete — you may request deletion of the personal information we have collected from you, subject to our legal retention obligations.
Right to Correct — you may request correction of inaccurate personal information we maintain about you.
Right to Opt Out of Sale or Sharing — we do not sell your personal information for money. If we share personal information for cross-context behavioural advertising, you may opt out at any time via our "Do Not Sell or Share My Personal Information" page (linked in the footer where applicable). We also recognise the Global Privacy Control (GPC) signal as an opt-out, as described in our Do Not Track and Global Privacy Control section.
Right to Limit Use of Sensitive Personal Information — where we process sensitive personal information, you may direct us to limit its use to that which is necessary to provide the Service.
Right to Non-Discrimination — we will not discriminate or retaliate against you for exercising any of these rights.
To exercise these rights, contact us at privacy@example.com or use the "Do Not Sell or Share My Personal Information" page. We may need to verify your identity before responding, and you may use an authorised agent. We respond to verifiable requests to know, delete, or correct within 45 days (extendable by a further 45 days where reasonably necessary).
Requests to opt out of sale or sharing, or to limit the use of sensitive personal information, are honoured as soon as feasible and no later than 15 business days, consistent with our Do Not Sell or Share My Personal Information page.
Do Not Track and Global Privacy Control
We honour Global Privacy Control (GPC) where legally required. We do not currently respond to Do Not Track (DNT) browser signals because no common technical standard defines how websites should interpret them.