Privacy & Security

Heads‑up: This page explains how we ("we", "us", "our") handle your personal data under the EU GDPR and applicable e‑privacy rules. It’s written to be clear and practical, but it’s not legal advice.

What data we collect

Why we process your data (legal bases)

• Contract – to create your account, take payment, fulfil and deliver orders, provide support.
• Legal obligation – tax/audit records, consumer protection, fraud prevention.
• Legitimate interests – run and improve our store, prevent abuse, measure performance, limited direct marketing to customers (you can opt out any time).
• Consent – newsletters/marketing to non‑customers, non‑essential cookies/analytics, back‑in‑stock alerts.

Who we share data with

We share personal data with trusted service providers who act on our instructions, such as:

• Shopify (store platform & hosting)
• Payment processors (e.g., PayPal, card gateways)
• Couriers/fulfilment (to deliver your order)
• IT & analytics tools (site performance, error logs, optional analytics/marketing with consent)
• Anti‑fraud/security providers (to keep our services safe)

We require all processors to keep your data secure and to use it only for the services we’ve requested.

International transfers

Some providers (including Shopify and payment processors) may process data outside the EEA (e.g., Canada/USA). When this happens, transfers are protected by approved safeguards such as adequacy decisions and/or Standard Contractual Clauses (SCCs). See Shopify’s guidance on international data transfers.

How long we keep data

• Orders & invoices: typically 6–10 years (tax/audit rules).
• Account data: for as long as the account is active, then archived/deleted after a defined inactivity period.
• Marketing consents: until you unsubscribe or withdraw consent.
• Support tickets: typically 24 months to improve service and handle follow‑ups.

When retention ends we delete or irreversibly anonymise data.

Your privacy choices & rights

• Access, rectify, or erase your personal data
• Restrict or object to processing
• Data portability
• Withdraw consent at any time (for consent‑based processing)
• Lodge a complaint with a supervisory authority

To exercise your rights, email info@fontanaseeds.com. We may need to verify your identity.

Marketing & communication preferences

You control what you hear from us. Use the unsubscribe link in emails or email us to update preferences. We only send non‑essential marketing with your consent or where permitted under applicable e‑privacy rules (e.g., soft opt‑in for existing customers). You can opt out at any time.

Cookies

We use essential cookies to make the site work (e.g., cart, checkout). With your consent, we also use analytics and advertising cookies to understand performance and show relevant offers. 

Security

• TLS encryption (HTTPS) across our storefront and checkout
• Role‑based access & strong authentication for admin tools
• Regular platform security monitoring & incident response
• Card payments are processed by PCI‑DSS compliant providers (e.g., Shopify Payments/PayPal). We do not store full card numbers.

Automated decisions / profiling

We don’t make decisions with legal or similarly significant effects based solely on automated processing. We may use basic profiling (e.g., purchase history) to suggest products or offers—you can object at any time.

Changes to this notice

We’ll update this page when needed and note the latest date above. For significant changes, we’ll notify you by email or on‑site.