Privacy Policy

Privacy Policy – Maison Améla

Last updated: 25 August 2025

Maison Améla (“we”, “us”, “our”) is a jewelry brand based in Sweden. We are committed to protecting your privacy and ensuring that your personal information is handled transparently, securely, and in accordance with international data protection laws.

This Privacy Policy explains, in detail, what data we collect, why we collect it, how we use it, how we safeguard it, who we share it with, how long we keep it, and what rights you have. We aim to go beyond the minimum legal requirements, offering clarity and trust to our customers worldwide.


1. Introduction & Scope

1.1 Purpose of this Privacy Policy

This Privacy Policy exists to ensure that you, as a visitor or customer of Maison Améla, understand how your personal data is processed. “Personal data” means any information that can directly or indirectly identify you as a natural person, such as your name, email address, order history, or IP address.

This Policy applies to:

  • Visitors to our website www.maisonamela.com (the “Site”).

  • Customers who purchase products through our Site.

  • Newsletter subscribers and marketing contacts.

  • Individuals contacting us via email, contact forms, or social media.

  • Individuals exercising rights under applicable data protection laws.

This Policy does not apply to:

  • Third-party services accessed through our Site (e.g., PayPal, Klarna, DHL). These providers have their own privacy policies.

  • Offline activities unrelated to our digital services.


1.2 Global applicability

Maison Améla is based in Sweden, within the European Economic Area (EEA). Therefore, we primarily follow the EU General Data Protection Regulation (GDPR). However, because our customers are international, we also comply with:

  • UK GDPR and the UK Data Protection Act 2018 (for UK customers).

  • California Consumer Privacy Act (CCPA/CPRA) (for California residents).

  • Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada).

  • Swiss Federal Act on Data Protection (FADP) (Switzerland).

  • Lei Geral de Proteção de Dados (LGPD) (Brazil).

  • Other regional frameworks where required.

We designed this Policy to meet the highest global standard: GDPR.


1.3 Contact information

Data Controller:
Maison Améla
Based in: Sweden
📧 Email: info.maisonamela@gmail.com

Supervisory authority in Sweden:
Integritetsskyddsmyndigheten (IMY)
https://www.imy.se
Phone: +46 (0)8 657 61 00

Other authorities:


2. Legal Frameworks & Guiding Principles

2.1 GDPR (EU/EEA)

The GDPR is the world’s most comprehensive data protection regulation. It establishes principles such as:

  • Lawfulness, fairness and transparency – data must be processed lawfully and clearly communicated.

  • Purpose limitation – data must be collected for specific purposes.

  • Data minimisation – only necessary data should be collected.

  • Accuracy – data must be kept up to date.

  • Storage limitation – data must not be kept longer than necessary.

  • Integrity and confidentiality – security must be ensured.

  • Accountability – Maison Améla must be able to demonstrate compliance.

Full text: https://gdpr-info.eu


2.2 UK GDPR & Data Protection Act 2018

After Brexit, the UK implemented its own GDPR (“UK GDPR”). It mirrors most GDPR rules but is overseen by the Information Commissioner’s Office (ICO).

Resource: https://ico.org.uk


2.3 CCPA/CPRA (California)

The California Consumer Privacy Act (CCPA), strengthened by the California Privacy Rights Act (CPRA), gives California residents rights such as:

  • Right to know what personal information is collected.

  • Right to delete personal information.

  • Right to opt out of sale/sharing.

  • Right to non-discrimination for exercising rights.

Resource: https://oag.ca.gov/privacy/ccpa


2.4 Other frameworks


2.5 How these frameworks apply to Maison Améla

Because Maison Améla sells jewelry internationally:

  • GDPR applies to all EEA customers (default).

  • UK GDPR applies to UK customers.

  • CCPA/CPRA applies if California residents purchase from us.

  • PIPEDA and FADP apply to Canadian and Swiss customers.

  • LGPD applies to Brazilian customers.

We aim to harmonize all requirements into one unified standard that meets or exceeds expectations globally.


3. Key Definitions

To help you understand this Policy, here are some legal definitions:

  • Personal Data: Any information relating to an identified or identifiable natural person. Examples: name, email, postal address, order number, IP address.

  • Processing: Any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.

  • Controller: The entity that determines the purposes and means of processing. (Maison Améla is the Controller.)

  • Processor: A third-party service provider that processes personal data on behalf of the controller (e.g., Shopify, Stripe, Klarna).

  • Data Subject: The individual whose personal data is processed (you).

  • Profiling: Automated processing to evaluate personal aspects, such as shopping behavior.

  • Consent: Freely given, specific, informed and unambiguous agreement by the data subject to the processing of personal data.

  • Pseudonymisation: Processing personal data so it cannot be attributed to a specific individual without additional information.

  • Anonymisation: Irreversibly removing identifiers from data.

    4. What Personal Data We Collect

    At Maison Améla, we believe in data minimisation: collecting only the information that is necessary for legitimate business purposes, while being transparent about what that data is.

    We categorise the personal data we collect into the following groups:

    4.1 Identity Information

    • First and last name

    • Title (optional, e.g., Ms, Mr, Mx, Dr)

    • Date of birth (optional; only collected if you provide it voluntarily, e.g., for birthday offers)

    4.2 Contact Information

    • Billing address

    • Shipping address

    • Email address

    • Telephone number (used for delivery updates or support)

    4.3 Account Information

    • Username (if you create an account)

    • Password (encrypted; never stored in plain text)

    • Account preferences (e.g., saved shipping addresses, currency, language)

    4.4 Transaction & Order Information

    • Order history (items purchased, date, price)

    • Order status (pending, shipped, delivered, returned)

    • Payment confirmation and receipt details

    • Refund and exchange history

    4.5 Payment Information

    We process but do not store your full credit or debit card details. These are handled by secure third-party providers (e.g., Shopify Payments (Stripe), Klarna, PayPal, Apple Pay, Google Pay).
    We may retain limited metadata such as:

    • Payment method used (e.g., Visa, MasterCard, PayPal)

    • Transaction ID

    • Payment status (approved, pending, failed, refunded)

    4.6 Technical & Device Information

    Collected automatically when you use our Site:

    • IP address

    • Browser type and version

    • Device type and operating system

    • Screen resolution and language

    • Referring and exit pages

    • Clickstream data and session logs

    • Time zone settings

    • Cookie identifiers

    • Approximate geolocation (derived from IP address)

    4.7 Usage Data

    • Pages visited, time spent, and navigation patterns

    • Products viewed, added to cart, or wishlisted

    • Search queries on our website

    • Abandoned cart details

    4.8 Communication Data

    • Emails exchanged with our support team

    • Messages submitted through forms

    • Social media direct messages

    • Feedback or complaints

    4.9 Marketing Data

    • Newsletter subscription status

    • Marketing preferences (e.g., email, SMS, push notifications)

    • Engagement data (e.g., whether emails are opened, links clicked)

    4.10 User-Generated Content

    • Product reviews and ratings

    • Photos or videos shared with us voluntarily (e.g., when tagging Maison Améla on Instagram)


    5. How We Collect Data

    We collect data in three primary ways:

    5.1 Direct Collection

    You provide data when you:

    • Create an account

    • Place an order

    • Subscribe to newsletters

    • Contact customer service

    • Enter a competition or giveaway

    • Submit product reviews

    5.2 Automated Collection

    When you interact with our Site, we automatically collect technical and usage data using:

    • Cookies (small text files stored on your device)

    • Pixels (invisible images that track interactions, e.g., Facebook Pixel)

    • Analytics scripts (Google Analytics, Shopify Analytics, TikTok Pixel)

    5.3 Third-Party Collection

    We receive data from trusted partners:

    • Payment providers (e.g., Klarna provides risk scoring for “Pay Later” transactions)

    • Logistics providers (delivery status and tracking info from DHL, PostNord, UPS)

    • Marketing platforms (aggregated ad performance from Google, Meta, TikTok)

    • Fraud detection services (transaction risk assessment)


    6. Purposes of Processing & Legal Bases

    6.1 Purposes of Processing

    We use your personal data for:

    1. Order Processing & Fulfilment

      • To process payments

      • To ship and deliver products

      • To manage returns and refunds

    2. Customer Service

      • To respond to inquiries, complaints, or requests

      • To provide after-sales support

    3. Account Management

      • To maintain your account preferences

      • To save past orders for convenience

    4. Marketing & Communication

      • To send newsletters, promotions, and personalized offers (if you consent)

      • To show you relevant ads on social media platforms

    5. Website Functionality & Improvement

      • To analyse how users interact with our Site

      • To improve user experience and navigation

    6. Fraud Prevention & Security

      • To protect against fraudulent orders or chargebacks

      • To secure accounts and detect suspicious activity

    7. Legal Compliance

      • To comply with tax and accounting obligations (e.g., storing invoices for 7 years in Sweden)

      • To comply with consumer rights laws


    6.2 Legal Bases under GDPR

    For each processing purpose, the legal basis is:

    Purpose            | Legal Basis                           | Example
    Order fulfilment   | Contract (Art. 6(1)(b) GDPR)          | Processing your name & address to deliver your order
    Customer service   | Contract; Legitimate interest         | Responding to your support request
    Account management | Contract; Legitimate interest         | Storing your saved addresses
    Marketing          | Consent (Art. 6(1)(a))                | Sending newsletters if you opted in
    Website analytics  | Legitimate interest; Consent          | Using Google Analytics
    Fraud prevention   | Legitimate interest; Legal obligation | Screening high-risk transactions
    Legal compliance   | Legal obligation (Art. 6(1)(c))       | Storing invoices per Swedish accounting law

    7. Cookies & Tracking Technologies

    Cookies are small data files placed on your device to help us improve our website and services. We use cookies for several purposes:

    7.1 Categories of Cookies

    1. Strictly Necessary Cookies – required for core functions like checkout.

    2. Functional Cookies – remember preferences (currency, language).

    3. Performance/Analytics Cookies – measure site usage (Google Analytics).

    4. Marketing/Advertising Cookies – deliver relevant ads (Facebook Pixel, TikTok Pixel).

    7.2 Third-Party Tools Used

    • Google Analytics – traffic analysis.

    • Facebook Pixel – retargeting ads.

    • TikTok Pixel – ad performance measurement.

    • Shopify Analytics – store performance metrics.

    7.3 Cookie Consent

    • We use a cookie banner on our Site to let you accept or decline non-essential cookies.

    • You can change your cookie settings anytime in your browser.

    7.4 Cookie Resources


    8. Sharing of Data

    We never sell your personal data. However, we may share it with:

    8.1 Service Providers

    • Shopify (e-commerce platform)

    • Payment providers (Stripe/Shopify Payments, Klarna, PayPal)

    • Shipping carriers (PostNord, DHL, UPS)

    • Email service providers (for newsletters)

    8.2 Authorities

    We may disclose data when required by law, such as:

    • Tax authorities (invoices)

    • Consumer protection authorities

    • Law enforcement (fraud investigations)

    8.3 Advertising Partners

    Only with your consent, we share pseudonymised identifiers with:

    • Google Ads

    • Meta/Facebook

    • TikTok Ads

    All partners act under data processing agreements (DPAs) that require them to protect your data and comply with GDPR or equivalent safeguards.

    9. International Transfers & Safeguards

    9.1 Why international transfers happen

    As a Sweden-based brand, most of our processing takes place inside the European Economic Area (EEA). However, because we use international service providers such as Shopify (Canada/USA), Google (USA/Ireland), Meta/Facebook (USA/Ireland), and TikTok (Singapore/USA), some of your personal data may be transferred outside the EEA.

    9.2 GDPR requirements for transfers

    Under GDPR, transfers outside the EEA are only lawful if:

    • The country has an adequacy decision by the European Commission (e.g., Canada, Japan).

    • The recipient provides appropriate safeguards, such as Standard Contractual Clauses (SCCs).

    • You have explicitly consented after being informed of risks.

    9.3 Safeguards we use

    • Standard Contractual Clauses (SCCs) approved by the EU Commission.

    • Data minimisation: we transfer the minimum necessary.

    • Encryption in transit (TLS/SSL).

    • Vendor due diligence: ensuring partners comply with GDPR and local law.

    9.4 Schrems II ruling

    In July 2020, the Court of Justice of the EU (CJEU) invalidated the EU–US Privacy Shield (Case C-311/18, “Schrems II”). This means that data transfers to the US require additional safeguards beyond SCCs.

    We follow guidance from the European Data Protection Board (EDPB): https://edpb.europa.eu.

    9.5 Your rights

    You can request details of the safeguards we use by emailing info.maisonamela@gmail.com.


    10. Retention & Deletion of Data

    10.1 Retention principles

    We retain personal data only as long as necessary to fulfil the purposes for which it was collected, unless a longer retention is required by law.

    10.2 Examples of retention periods

    • Orders & invoices: 7 years (per Swedish Bokföringslagen / Bookkeeping Act).

    • Customer service requests: up to 3 years after last contact.

    • Account data: as long as your account remains active.

    • Marketing data: until you withdraw consent/unsubscribe.

    • Analytics data: according to cookie lifespan (usually 13 months to 2 years).

    10.3 Deletion process

    When retention periods expire:

    • Data is securely deleted or anonymised.

    • Backups are purged on a rolling schedule.

    • Some minimal metadata may be kept for security or compliance.


    11. Security Measures

    11.1 Technical measures

    • SSL/TLS encryption on all website traffic.

    • PCI DSS compliant payment gateways (Shopify Payments, Stripe, Klarna, PayPal).

    • Firewalls and intrusion detection systems.

    • Access control: only authorised staff have access to data.

    • Encryption at rest for sensitive fields.

    11.2 Organisational measures

    • Staff training in GDPR and security awareness.

    • Data processing agreements with all vendors.

    • Strict internal policies on access and sharing.

    11.3 Breach response

    • We maintain an incident response plan.

    • Under GDPR, we notify IMY within 72 hours of a serious data breach.

    • Affected individuals will be informed without undue delay if there is a high risk to their rights.

    Resource: https://www.imy.se/other-lang/in-english/data-breaches/


    12. Children & Minors

    12.1 Our policy

    Our services are not directed at persons under 18 years of age. We do not knowingly collect data from minors.

    12.2 If data is collected inadvertently

    If we discover that a child under 18 has submitted personal data:

    • We will delete it immediately.

    • Parents/guardians may contact us to request removal.

    12.3 Legal references

    • GDPR Recital 38 emphasises special protection for children’s data.

    • Under CCPA, businesses must obtain parental consent before selling data of children under 13, and must allow teens (13–16) to opt in.


    13. Automated Decision-Making & Profiling

    13.1 Profiling in marketing

    We may use tools like Facebook Ads and Google Ads to create audience segments. For example, we may target “visitors who viewed rings but did not purchase.”

    13.2 Fraud detection

    Payment processors (e.g., Klarna) use automated decision-making to detect fraud or assess credit risk. These are necessary for transaction security.

    13.3 Your rights

    Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that significantly affect you.
    You can request human review if your transaction was denied.


    14. Your Rights under GDPR & UK GDPR

    As a data subject, you have the following rights:

    1. Right of access (Art. 15 GDPR) – obtain a copy of your data.

    2. Right to rectification (Art. 16) – correct inaccurate data.

    3. Right to erasure (Art. 17, “right to be forgotten”) – delete data under certain conditions.

    4. Right to restriction (Art. 18) – pause processing.

    5. Right to data portability (Art. 20) – receive data in machine-readable format.

    6. Right to object (Art. 21) – to processing based on legitimate interests or direct marketing.

    7. Right not to be subject to automated decision-making (Art. 22).

    8. Right to withdraw consent – at any time.

    14.1 How to exercise rights

    • Email info.maisonamela@gmail.com from the address linked to your account/order.

    • We may verify your identity.

    • We respond within 30 days (extendable to 60 if complex).


    15. Your Rights under CCPA/CPRA

    If you are a resident of California, you have the following rights:

    1. Right to know what data is collected, used, shared.

    2. Right to access personal information in portable format.

    3. Right to delete personal information, with some exceptions.

    4. Right to correct inaccurate personal data.

    5. Right to opt-out of the sale/sharing of personal data.

    6. Right to limit the use of sensitive personal information.

    7. Right to non-discrimination when exercising rights.

    We do not sell personal information for money. However, certain ad cookies may be considered “sharing” under CPRA.

    Resource: https://oag.ca.gov/privacy/ccpa


    16. Marketing, Newsletters & SMS

    • We only send promotional emails if you have opted in.

    • You can unsubscribe anytime using the link in our emails.

    • Transactional emails (e.g., order confirmation) are mandatory service messages.

    • If we offer SMS marketing, you will be asked for explicit consent, and opt-out will always be available.


    17. Social Media & User Content

    17.1 Social media presence

    Maison Améla maintains official accounts on Instagram, TikTok, and Facebook. Interactions there are governed by the respective platforms’ privacy policies.

    17.2 User-generated content

    If you tag us or allow us to repost your content, you grant us a licence to use it for marketing. You can revoke this at any time by contacting us.

    17.3 Risks

    Be aware that data shared publicly on social media may be visible to other users.


    18. Third-Party Links & Apps

    Our Site may include links to third-party sites, apps, or plugins (e.g., Instagram feed). Clicking on those links may allow third parties to collect data.

    We are not responsible for the privacy practices of third-party websites. Please review their policies.


    19. Data Breach Notification

    19.1 Our obligations

    • Under GDPR, notify IMY within 72 hours of becoming aware of a breach.

    • Notify affected individuals if there is a “high risk” to their rights.

    19.2 What information will be included

    • Nature of the breach

    • Categories and number of data subjects affected

    • Likely consequences

    • Measures taken or proposed

    19.3 Your rights

    If you suspect your data may have been compromised, you can contact us at info.maisonamela@gmail.com.


    20. Contact & Complaints

    20.1 Contact us directly

    If you have any concerns about how we process your data, please contact us:
    📧 info.maisonamela@gmail.com

    20.2 Complaints to authorities

    You also have the right to lodge a complaint with: